I've been reading through the recent thread on MorphOS and the regular criticism of their business model for locking licenses down to individual hardware. This brings up an interesting subject (for me), which I'd like to share some thoughts on, and also get some feedback on...
There’s nothing more annoying (and off-putting) than having to manually contact the developer / vendor to activate your license or feel like you are pestering them to provide you with a license for software on a replacement machine (and in some cases, provide evidence that your old hardware is actually cactus). Each time I've had to call Microsoft to transfer a software license to a new PC, they have always been good at just handing out the codes, but it's a pain to have to call them to do this in the first place.
Then there is the reality of a company closing their doors and your software not ever being available to activate again as pointed out by @bunnspecial. I once had a great menu bar app called Snippet by a company called (something like) Fuel Software. However, it stopped working on PowerPC simply because the server which the activation process used no longer supported the outdated SSL libraries on Tiger/Leopard. The developer continued moving forward with the OS iterations, but ignored the fact that the older software versions, although completely compatible with the older OS, couldn't be reinstalled due to the updated activation server. As it was the web server and not their software, they wiped their hands of it and said there was nothing they could do.
Anyway, as some of you may be aware, I am in the process of developing indie Mac software. I intend to cover a wide range of Mac hardware. To do this, I intend to distribute / license via both the Mac App Store (10.6.6+) and direct via my upcoming website (10.4+). As such, I am looking at various licensing and copy protection methods for use outside of the MAS.
Ultimately, the methods used will need to cover the intended hardware/software range of OS X 10.4 through macOS 10.13. This means limiting older / incompatible SSL communication on pre-Lion and, on Lion+, remaining within Gatekeeper and Sandbox rules.
Here’s where I am at...
Licensing - Keep it simple:
1. Individual use - An unlimited install, single user license. Allows the user to install on any number of Macs for personal use.
2. Business use - single machine license. One license per machine / installation.
Serial numbers are to be generated / matched against a personal or company name. By matching names and serials, individuals are gently encouraged to buy their own license and not to share with friends/family unless they really choose to. If they do, the name on the license will always be a (subtle) reminder it was shared and may encourage a change of heart at some stage.
I have no intention of programming any kind of policing method for this. A simple user agreement is enough IMO. I don't think anybody has ever liked being kicked out of Microsoft Office because another user on the LAN (or even worldwide?) is using the same serial number. Did Adobe do this too? I can't remember.
Activation - Online or offline?
I’m undecided here. Should activation require an online validation on a central database or remain an offline process? I know I prefer software which uses offline activation and I don’t like software phoning home without my knowledge. However, if the user is shown the exact shared information during the activation process, then would that be acceptable?
1. Online activation - The serial and licensee name are validated with a central license database/service. The current IP, Operating System version, software version and simple hardware profile (Machine ID, architecture, CPU, RAM, VRAM) could be sent along with it. The hardware profile would be useful for future updates and/or projects to tailor features and understand the typical lowest common denominator - although after thinking this point through, this is completely redundant as I am already intentionally writing software to run on any Mac built within the last 20 years (G3, 10.4+. Maybe even 603/604 given @LightBulbFun's work).
2. Offline activation - The serial is generated using a private encryption key encapsulating the licensee's name/company name. The serial can then be validated against this private key and the software is activated without ever needing to call home. The downside here is releasing a degree of copy protection (control) and record keeping, while also missing out on the opportunity to gather hardware info, plus the recording of the user's IP to maintain a history of activations of a given serial number (and the opportunity to approximate a user's geographic location based on the IP).
Just thinking it through as I type here... User privacy needs to be realistically reconsidered. In my opinion, the best way to honour an individual's privacy is to not gather data from them in the first place (are you listening Zuck'?).
Given the scale of my independent efforts, I am leaning toward the offline activation option. Plus it just feels more ethical to give a user the freedom of choice... However this doesn't do anything to deter piracy (which could be my undoing? Or is that just paranoid?)
It's muddy water... Apply too much control to protect the creator/developer/vendor from piracy at the cost of (possibly) annoying the user, or release a degree of control to keep it simple for the user?
Does anyone have any thoughts and/or experience on the subject? Any other anecdotes of software lost to the activation void?
-AphoticD
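A sketch of the offline, name-bound serial scheme described in the post above, as an added example that is not part of the original post or the poster's code. It assumes Ed25519 signatures, with the signing key kept on the vendor side and only the verification (public) key embedded in the app; the function names, the fixed demo seed and the licensee names are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base32"
	"fmt"
	"strings"
)

var enc = base32.StdEncoding.WithPadding(base32.NoPadding)

// demoKeys derives a key pair from a constructed, fixed seed so the example is
// repeatable. A real signing key is random and never leaves the vendor.
func demoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{7}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// canonical folds case and whitespace so "Jane  Example" and "jane example"
// are the same licensee, then binds the license type to the name.
func canonical(name, kind string) []byte {
	n := strings.ToLower(strings.Join(strings.Fields(name), " "))
	return []byte(n + "\n" + kind)
}

// IssueSerial runs on the vendor side only: the serial is a signature over the
// licensee name and license type (103 base32 characters, meant to be pasted).
func IssueSerial(priv ed25519.PrivateKey, name, kind string) string {
	return enc.EncodeToString(ed25519.Sign(priv, canonical(name, kind)))
}

// VerifySerial runs inside the app with nothing but the embedded public key,
// so no network call is needed and the shipped binary cannot mint serials.
func VerifySerial(pub ed25519.PublicKey, name, kind, serial string) bool {
	s := strings.ToUpper(strings.ReplaceAll(strings.TrimSpace(serial), "-", ""))
	sig, err := enc.DecodeString(s)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, canonical(name, kind), sig)
}

func main() {
	pub, priv := demoKeys()
	serial := IssueSerial(priv, "Jane Example", "individual")
	fmt.Println(VerifySerial(pub, "jane example", "individual", serial))
	fmt.Println(VerifySerial(pub, "John Example", "individual", serial))
}
```

The check still lives in client code, so it only shows that a serial was issued for that name and license type; it does not stop a patched binary or a shared name and serial pair.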