I posted the question on Twitter the other day: “How does the SPA have the authority to audit software license use? In thousands of licenses I’ve never given them that right.”
I was looking for some insight that I might have missed. In the world of contracts, your license actually will specifically state who has the ability to audit your license usage (if they have the right at all). And in the world of law, the term “standing” is used to show who actually is allowed to raise a particular issue (via the courts, etc). So the SPA/BSA/SIIA (SIIA is their current incarnation) (or any other third-party “enforcer”) wouldn’t have the legal right to ever come in and audit your software license use unless there’s language in the license that allows for such audit.
Even general audit language is probably safe to prevent the SIIA from knocking on your door one day. Typical audit provisions include:
- explanation of who can come to audit (it usually says that the vendor has the right to audit)
- time-frame of any audits (I typically am very clear to limit audits to 1 time per calendar year)
- notice for audits (even bad audit language usually says that the vendor has to notify the licensee of the intent for an audit)
- who besides the vendor can come audit (if 3rd parties are allowed, I limit to a “big-four” accounting firm and have NEVER been challenged on this limit)
The result is that even with not-so-favorable audit language, I simply don’t see how the SIIA has any right to come and perform an audit, let alone try to sue a licensee for license violations (again, any license that has “no third-party beneficiary” language in it could be used to very clearly show that the SIIA doesn’t have any rights with respects to the license).
Additionally, it’s been suggested that there are two other routes to allow such an audit: the “source” (the licensee’s employee who reports a violation) and the potential for an assignment of audit rights. As for the source person, unless they’re also the person in the company who can allow someone to come in, that individual probably doesn’t have internal authorization to allow the audit to happen – so I find this unlikely. The assignment of audit rights potential does exist, and contracts that have poor assignment language could potentially allow the vendor to assign their rights to someone else (and, in fact, it appears that the SIIA attempts to use an assignment of rights in this manner). So it’s conceivable, but I’ve never seen the language used in that way.
At the end of the day, the lesson is this:
- Have strong audit language which clearly states who can perform the audit, on what time basis they can audit and what the results would mean (ie: usually you don’t have to pay any form of penalty unless usage exceeds 10% of the licensed quantity – but you’ll always have to pay for the difference in usage). Include notice provisions and be very clear about whether the vendor can outsource their auditing… many will use large auditors, which is fine, but you don’t want Andy’s Audit Shack to be performing the audit. Lastly, if you’re maintaining any kind of uber-confidential information (like SSN’s, bank account numbers, etc), then I would also be clear about what kinds of auditing tools can be used to complete the audit, as many vendors like to install their own auditing software onto your network.
- Have clear assignment language which prevents EITHER party from assigning the agreement without the other party’s consent (not to be unreasonably withheld, if you so choose): “Neither party may assign or otherwise transfer this Agreement or any of the rights hereunder, without the prior written consent of the other, which consent will not be unreasonably withheld or delayed.”.
OK – so you’ve done the prior two things and the SIIA comes knocking (physically or with a letter requesting/demanding an audit). What do you do? Simple. Deny them access – in writing. They’ll threaten, similar to the Big Bad Wolf, to huff and puff and to blow your house down. But if you’ve got things properly documented, the SIIA simply doesn’t have the legal right to audit. It doesn’t matter whether the vendor they’re supposedly auditing for is a SIIA member. It doesn’t matter if they claim to have permission. (Oh, and interestingly enough, if they name names and tell you which vendor sent them to you, I would check your license agreement with that vendor because many vendors like to include confidentiality restrictions which prohibit either party from even identifying the other.)
Now, regardless of everything I’ve just told you, I also firmly believe that you should always be 100% compliant with your contractual obligations. So use some form of license management tool to know that you’re only using what you’re licensed to use.