Client Access Issues in BSA-Initiated Software Audits

BSA | The Software Alliance audit may extend beyond software products

Businesses targeted for software audits by the Business Software Alliance (BSA) often learn that the BSA typically extends the scope of its audit requests to more than just software products and often requests information regarding client access to server products. Before disclosing this information to the BSA, it is important for a targeted business to understand the effect that such a disclosure can have on the resolution of the audit matter.

Questions regarding client access most often arise in relation to installations of certain server-based Microsoft products, such as SQL Server database software, Exchange Server messaging software, and the Windows Server operating system software. License agreements often (though not always) require that a business purchase two types of licenses for these products: one license for the server product installation and client access licenses (CALs) for each user or networked device accessing that product. In other words, a Windows-based file server in a network with ten workstations accessing shared files on that server would require one product license for the server installation and ten device CALs to allow the workstations to connect to and access information on the server.

During audit investigations, the BSA usually requests that targeted businesses disclose the number of server product installations, the number of workstations or users accessing those installations, and the number of CALs purchased by the businesses (with proofs of purchase for all licenses claimed). However, that information is essentially inconsistent with the stated aim of most audit engagements, in that a client access instance is not a software product that can be copied – it is, rather, a mechanism that Microsoft uses to increase its revenue from server product licensing based on the nature of a particular product deployment. Unlike the unauthorized installation and use of a software product, which in most cases constitutes copyright infringement, access to a server product without a CAL can only serve as the basis for a claim of copyright infringement to the extent that the CAL rules constitute conditions on the product license or restrictions on the license scope. Were the matter to be litigated, that issue likely would turn into a fact question.

The Ninth Circuit has summarized the legal issue as follows:

Whether this is a copyright or a contract case turns on whether the [license provisions at issue] help define the scope of the license. Generally, a copyright owner who grants a nonexclusive license to use his copyrighted material waives his right to sue the licensee for copyright infringement and can sue only for breach of contract. If, however, a license is limited in scope and the licensee acts outside the scope, the licensor can bring an action for copyright infringement.

Sun Microsystems, Inc. v. Microsoft Corp., 188 F.3d 1115, 1121 (1999).

There is no doubt that the BSA and Microsoft would (and do) argue that the CAL provisions constitute a restriction on the scope of the server product license. However, those arguments likely would not be dispositive at trial, and a court would (or, at least, should) look to other factors, such as the facts that the Microsoft EULAs are essentially one-sided, non-negotiable contracts of adhesion and that the interests protected by the provisions are revenue-oriented, rather than intellectual property-oriented.

However, it is possible that none of those finer legal points will result in significant traction during a BSA investigation and that the BSA will refuse to provide a release at settlement (if necessary) for server product installations without client access information. At this stage, it is essential for a targeted business to carefully weigh the pros and cons of disclosing the CAL information. For larger environments, an absence of documentation for CALs could result in significantly higher exposure at settlement, possibly making a refusal to disclose client access information, even in the face of not receiving a release for the server products, a preferable option. This is an analysis in which the opinion of a knowledgeable and experienced attorney often will be exceptionally valuable.