0

I want to make a downloads managing system on my website, that when you purchase a download, you can always re-download it again for free. (I have read that Steam does something similar.)

The problem is that someone would be able to create an account, purchase something and then give the account password to friends and family, so they can all download copies for free.

Is there a way to prevent this? Or is it impossible?

JoJo
  • 2
    Possible? To a good approximation, yes. Worthwhile in terms of effort vs. business value? Probably not. A dedicated adversary will always be able to fool your PC-detecting routine. – Kilian Foth Aug 25 '14 at 15:07
  • @KilianFoth do you have an idea how it happens on Steam? (I don't know because I don't use it.) Or does Steam have the same problem? – JoJo Aug 25 '14 at 15:10
  • 3
    Steam has the same problem. DRM is security through obscurity. You're introducing more hoops to jump, and this will deter *some* people, but not the most determined. You can't give someone encrypted content *and* the decryption key and expect to control the encrypted content. – Doval Aug 25 '14 at 15:15
  • Potentially helpful, related sort of question: http://programmers.stackexchange.com/questions/214158/how-would-i-implement-a-self-destruct-feature-into-the-free-trial-version-of-m – BrianH Aug 25 '14 at 15:57
  • Could your friends and family buy games as well? That's one reason not to give out this information. What do you do when they put your files on a USB stick and pass it around? – JeffO Aug 25 '14 at 16:41
  • @JeffO you are right, but that is not only a problem for me, but for almost every software/game. – JoJo Aug 25 '14 at 16:58

3 Answers

2

In the age of the Internet, copy protection is a fool's errand, and it's never worth your time and effort to even try.

Consider Microsoft, who spends more resources on R&D in a single month than you'll ever have in your entire life put together. They're obsessive about copy protection, and yet the latest version of Windows had a crack available before RTM. If they can't pull it off, why would you ever think you have a chance?

The deck is stacked against you from the beginning. First, we have the theory. You can frame the basic issue here as the fundamental problem of cryptography: Alice wants to send a message to Bob, and ensure that Charlie is not able to read it even if it should fall into his hands. Except in this case, Bob and Charlie are the same person.

Now we have the details. If your system downloads something when a person gives the right account credentials, then a person with the right account credentials can download it. It's really that simple, and any additional complexity you introduce will cause unhappy customers.

A central server makes sure that you're logged in properly before the software will launch? Nice going, bozo. Now anyone with a flaky Internet connection can't use what they legitimately bought and paid for.

A server ensures the user isn't logged in twice at the same time? You just tossed a dozen very useful testing scenarios out the window.

Fingerprint the computer so they can't re-download to a different system? Sounds great, right up until that computer dies and they get a new one.

Bottom line: don't even try. It doesn't work. Never has, never will, never can. All you end up doing is wasting money, annoying your customers, and driving them away. There is one and only one way to make money in software, and that's basic market economics: Sell your product for less than what the prospective buyer sees as its value to him, and he will pay for it.

Mason Wheeler
  • Thank you for this very useful answer. You are absolutely right! – JoJo Aug 25 '14 at 15:32
  • 2
    Yes, but let's be realistic for a second. Something like 80% of users will be deterred by the same old basic, well-known copy protection routines that have been known for decades; you can't do anything about the rest of them. – Casey Aug 25 '14 at 15:42
  • @emodendroket: Considering that [something like 80% of people are honest anyway](http://www.nytimes.com/2004/06/06/magazine/what-the-bagel-man-saw.html), what that's actually saying is that the same old basic, well-known copy protection routines *do nothing at all to deter the dishonest ones*, which is the point I was making. ;) – Mason Wheeler Aug 25 '14 at 16:21
  • 1
    @MasonWheeler I'd argue that just a little bit of fiddling might make it feel more illicit than if you could just copy it and give it to someone with no protection at all. – Casey Aug 25 '14 at 16:55
  • 2
    Plus it would also dissuade users who don't have the technical sophistication to defeat whatever protection you put in place (which is probably most of them; many people cannot even successfully use programs as intended). – Casey Aug 25 '14 at 17:05
  • @emodendroket: That's where my point about copy protection being worthless *in the age of the Internet* comes into play. That used to be enough; most users didn't know how to crack software. But today, the rules are different. You don't need to know how to crack software; you just need to know how to *find* cracked software to achieve the same effect. Which means the author's real task is not to prevent "most users" from cracking it, but to prevent *every user everywhere forever* from cracking it, because as soon as the first person *anywhere* uploads a crack to the Web, the game's over. – Mason Wheeler Aug 25 '14 at 17:24
  • Well, yes, that's true, but surely a significant portion of users are going to be dissuaded by having to head to dodgy Web sites and download cracks of unknown provenance -- which is the case for all but a very select group of users who would like to pirate things. The people who aren't bothered by that at all likely didn't have money to buy your product in the first place. :) – Casey Aug 25 '14 at 17:56
  • @emodendroket: If you're going to make a claim that directly contradicts empirical data, you'll have to back it up with something a little bit stronger than "yes, but surely people will behave this way." – Mason Wheeler Aug 25 '14 at 18:28
  • @MasonWheeler OK, to spell it out, I contend that your bagel example is not a good one because there is absolutely nothing protecting the bagels at all. Would those same people have jimmied food out of a vending machine, or tried to trick a vending machine with a coin on a string, or something like that? I'd guess that the rate of theft would go down pretty significantly if you had to do that, and you can pretty easily see how this theory would apply to software too. Even your own article suggests the cheats in the story would be unlikely to walk out of a restaurant without paying. – Casey Aug 25 '14 at 18:31
  • @emodendroket: And if that's all you look at, sure, it looks great. If the bagel man put his bagels in a vending machine, though, first off he would need to buy/build a vending machine, which directly cuts into his profit margin, and second, it would not only reduce theft, *it would also reduce sales.* Both points apply equally well to software. Copy protection is a losing game and always has been. – Mason Wheeler Aug 25 '14 at 19:07
  • OK, but the cost of copy protection of any sort is pretty marginal after you implement it once (unlike a vending machine) and it doesn't have to be onerous; just something like asking for a license key probably works. I doubt that would lead to lost sales; it's not very onerous and I can't think of many people who would be fine with whipping out their credit cards but consider entering in a license key a bridge too far. – Casey Aug 25 '14 at 20:11
1

The best thing I can think of is to detect if someone has logged in to the user account from multiple locations at the same time. If you detect that UserA has logged in from ComputerA, and then again from ComputerB, without logging out from ComputerA first, it's possible that two different people are both using the account of UserA. In that case, you can prevent the login from ComputerB, until the account is logged out from ComputerA (or the session expires after a period of time). You'd have to identify the different computers by IP address or something like that.

Of course, it's also possible that the legitimate owner of UserA's account is using two machines near each other, but somehow appearing to connect to your server from two different locations. Maybe a home PC connected to the internet via an ISP, and a smartphone in their hand that's connected via the wireless phone company, not the same network as the PC.

And then there's also the problem of users behind a NAT sharing the account: you might only be able to identify two logins from the same IP address... what then? Is it two machines or one?

You could require the user change their password every now and then, but the owner of the account will just share that new password with their friends, and this could make the system even less convenient to use, and people might not want to use it.

I don't think there's any technological solution to this problem that can work 100%, so you'll have to think of another way to discourage users from doing this.

Maybe by offering users the chance to "gift" a few free files to their selected friends now and then (and maybe how much a user can gift is based on how much they spend ;) ), they'll be less discouraged to sharing full access to their accounts.

FrustratedWithFormsDesigner
  • 1
    Very useful. The gift idea is pretty good! Thank you! If I could upvote I would have done it ;) – JoJo Aug 25 '14 at 15:33
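
The login rule from the answer above (refuse ComputerB while ComputerA's session is live, allow it after logout or expiry), as an added example that is not part of the original post. It assumes a hypothetical per-device identifier such as a random value kept in a long-lived cookie instead of the IP address, because of the NAT and mobile-network ambiguity the answer describes; the class name, the 30-minute timeout and the in-memory store are also assumptions.

```python
import secrets

SESSION_TTL = 30 * 60  # assumed idle timeout in seconds


class SessionGate:
    """Allows one live session per account; a second device has to wait."""

    def __init__(self, ttl=SESSION_TTL):
        self.ttl = ttl
        self.active = {}  # user_id -> (device_id, token, last_seen)

    def login(self, user_id, device_id, now):
        """Return a session token, or None while another device is live."""
        current = self.active.get(user_id)
        if current:
            cur_device, token, last_seen = current
            if now - last_seen < self.ttl:          # existing session still live
                if cur_device != device_id:
                    return None                     # ComputerB is refused
                self.active[user_id] = (cur_device, token, now)
                return token                        # same device: reuse session
        token = secrets.token_urlsafe(32)
        self.active[user_id] = (device_id, token, now)
        return token

    def touch(self, user_id, token, now):
        """Check the token on each request and refresh the idle timer."""
        current = self.active.get(user_id)
        if not current:
            return False
        device, tok, last_seen = current
        if not secrets.compare_digest(tok, token) or now - last_seen >= self.ttl:
            return False
        self.active[user_id] = (device, tok, now)
        return True

    def logout(self, user_id, token):
        """End the session only for the holder of the current token."""
        current = self.active.get(user_id)
        if current and secrets.compare_digest(current[1], token):
            del self.active[user_id]
            return True
        return False
```

A short timeout frees the account quickly for a legitimate owner who switches machines without logging out, at the cost of more frequent logins.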
1

You might limit the number of downloads allowed per purchased item to prevent the scenario you describe. This won't prevent piracy, of course, but it will prevent people from copying the game in large numbers by sharing accounts. You might set a limit of 5 or 10 downloads (only count finished downloads), and then require they contact tech support if for some reason they need more than that.

I agree with others - you're not going to stop piracy. All it takes is one copy out on a torrent site and anyone who wants it can have it. So the best strategy, imo, is to make casual copying of the program inconvenient enough to encourage people to purchase.

GrandmasterB
  • Also a very good idea! Thank you! It would maybe be even better if this number got reset every month... so you can, for example, only download it 2 times/mo – JoJo Aug 25 '14 at 16:48
  • @JoJo if you track each download (as a row in a table), you could enforce X per month without having to reset any values at the beginning of each month by just querying for the number of downloads in the last 30 days. – GrandmasterB Aug 25 '14 at 17:33
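
The per-item download limit from the answer above, combined with the rolling 30-day query from the last comment, as an added example that is not part of the original posts. The table layout, column names, function names and the limit of 5 are assumptions; timestamps are Unix seconds passed in by the caller.

```python
import sqlite3

WINDOW_SECONDS = 30 * 24 * 3600   # "the last 30 days" from the comment
MAX_DOWNLOADS = 5                 # the answer suggests 5 or 10


def open_db():
    """In-memory database with one row per download attempt."""
    db = sqlite3.connect(":memory:")
    db.execute("""
        CREATE TABLE downloads (
            id          INTEGER PRIMARY KEY,
            user_id     INTEGER NOT NULL,
            item_id     INTEGER NOT NULL,
            started_at  INTEGER NOT NULL,   -- Unix seconds
            finished_at INTEGER             -- NULL until the transfer completes
        )""")
    db.execute("CREATE INDEX idx_quota ON downloads (user_id, item_id, finished_at)")
    return db


def finished_in_window(db, user_id, item_id, now):
    """Count finished downloads of one purchased item in the rolling window."""
    row = db.execute(
        "SELECT COUNT(*) FROM downloads "
        "WHERE user_id = ? AND item_id = ? "
        "AND finished_at IS NOT NULL AND finished_at > ?",
        (user_id, item_id, now - WINDOW_SECONDS),
    ).fetchone()
    return row[0]


def start_download(db, user_id, item_id, now):
    """Record a new attempt and return its id, or None if the quota is used up."""
    if finished_in_window(db, user_id, item_id, now) >= MAX_DOWNLOADS:
        return None
    cur = db.execute(
        "INSERT INTO downloads (user_id, item_id, started_at) VALUES (?, ?, ?)",
        (user_id, item_id, now),
    )
    return cur.lastrowid


def finish_download(db, download_id, now):
    """Mark an attempt as completed; only completed rows count against the quota."""
    db.execute(
        "UPDATE downloads SET finished_at = ? WHERE id = ? AND finished_at IS NULL",
        (now, download_id),
    )
```

Because only finished rows are counted, attempts that are started in parallel and still in flight do not reduce the quota; counting recent unfinished rows as well closes that gap if it matters.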