Introduction

According to many analysts, the video game industry generates more revenue than Hollywood each year. However, little public research and attention is directed toward video game piracy. This is not because piracy does not occur, however. The Business Software Alliance (BSA) estimated that in 2003, $29 billion worth of illegal software was installed on computers worldwide, an estimate that does include console games (BSA). If we look specifically at the game industry, in 2004 sales of video games in the U.S. set a record at $7.3 billion (ESA), while the industry lost more than $1.8 billion to global piracy (IIPA). As both the industry and piracy rates continue to grow, game producers and researchers are increasingly interested in addressing the issues surrounding piracy.

The term “video game piracy” covers a variety of different attacks that unfortunately are routinely conducted. These attacks include illegal copying, counterfeiting, and distribution. Preventing piracy is of equal interest to game developers and hardware manufacturers. It is common practice for console producers to sell their devices for a loss and instead draw profit from software sales. In an attempt to prevent piracy, the video game industry has utilized a variety of hardware and software-based protection techniques. These techniques often rely on proprietary information, however once that information is discovered by a pirate, it can be easily exploited to circumvent the protection mechanism. In this article, I will describe both past and present techniques for protecting video games, including the legal aspects of protecting game software through patents and copyright laws. Although no single solution will ever be able to prevent piracy completely, the best chance for protecting the video game industry is to try to devise a combination of software and hardware protection techniques stealthy enough to deter hackers.

Understanding Piracy

The issues associated with video game piracy are not obvious to everyone, which is due in part to the non-exclusionary nature of games. To illustrate, suppose Alice has a copy of a popular game on her computer. Alice can make a copy of the game and give it to Bob so he can play it on his computer. Now both Alice and Bob own copies of the game, which means that the game is non-exclusionary. On the other hand, Alice and Bobʼs computers are exclusionary objects because only one of them can own each computer at a time. In legal terms, the exclusionary nature of the physical computer makes it clear to whom the property belongs. This is not the case with intellectual property such as video games.

Piracy affects the entire gaming community. The obvious victims are game publishers, however, there are peripheral victims as well. For example, in September of 2003 a significant portion of the source code for Half-Life 2 (2004) was stolen. The theft occurred prior to the release of the game, and subsequently further delayed the titleʼs release. This delay likely caused graphics card company ATI to lose money. ATI had planned to distribute free versions of the game with their latest graphics cards as a marketing scheme. Since the game was not ready when ATI released their product, they were unable to use it to entice consumers to upgrade. Hardware producers such as ATI rely on video game players to consistently buy the newest, fastest, and most expensive products to play the newest games.

Due to rampant piracy, the video game industry must also contend with retailers who feel a lack of incentive to sell legitimate copies of games. Unscrupulous retailers are able to significantly increase their profit margin by producing and selling illegal copies. While a legitimate copy of a game may cost a retailer $42, they can only competitively sell it for $49—a profit of $7 per unit sold. By contrast, that same retailer could simply buy one hundred blank CDs for $20, and then create one hundred illegal copies of the $42 game, selling each one for $10 to $20 a piece. Such a strategy would not only allow the retailer to more than double her or his per-unit profit margin, but would also likely increase sales volume because consumers would be attracted to the lower prices.

The question of how software should be protected under the law has been debated for many years. For a body of work to be protected under copyright law, it must be original, nonfunctional, and fixed in a tangible medium. In other words, an inventor cannot copyright an idea; s/he can only copyright the tangible expression of that idea. Unfortunately, computer software is not exactly fixed in a tangible medium like literary works, for example. Computer software is written using programming languages that can be easily interpreted by people. To make a program understandable to a computer, the programʼs source code is compiled to a machine-readable format, which is often called a “binary” or “executable.” In 1909, U.S. copyright law was amended to address the newly developed technology of the player piano. The amendment specified that for an idea to be copyrighted, it must be expressed in a form that was visually readable by people. Since the music roll was only readable by the piano, it did not violate the songʼs copyright. Because software is often distributed in executable format, which is not visually readable by humans, the application of copyright to software is problematical, and originally meant that software was ineligible for copyright protection.

In contrast to copyright, patents are used to protect an invention, which software appears to be. However, a program is also similar to an algorithm, which is a series of steps and thus not typically eligible for patent protection. For many years, it was unclear whether software should be protected by copyright, patent, or trademark, and thus was not protected at all. Today, there are various ways software can be protected under these laws. However, because the application of the laws is inconsistent, it is still unclear whether those protections are viable for software. In addition, since games and other personal computer software run on personal systems (which are not monitored by an external entity), detecting that copyright, patent, and trademark violation is difficult. To aid the enforcement of intellectual property laws, a variety of technology-based solutions have been developed. The goals of these solutions range from making software more difficult to reverse engineer, to enabling the tracing of piracy after it has occurred.

Hardware-Based Prevention Techniques

Historically, the game industry has used a variety of hardware-based techniques in piracy prevention. These techniques typically provide a higher level of protection than software-based techniques; however, they are more cumbersome for the user and more expensive for the software vendor.

A common hardware-based technique used to be the dongle. A dongle is a device distributed with a piece of software, and possession of the device proves ownership. A dongle typically connects to an input/output port and computes the output of a secret function. Periodically, the software queries the dongle. If the result of the query is incorrect, the software reacts by producing incorrect results or causing the program to fail entirely.

Dongles have several drawbacks, one of the most important being cost. Each dongle costs around $10, which increases the per-unit cost of the software it is bundled with. Second, dongles limit innovative distribution techniques. For example, when a game is sold and distributed over the Internet, including a dongle is not feasible. Furthermore, dongles are often “cracked” shortly after they are released. This is generally accomplished by first disassembling a gameʼs code, identifying the calls it makes to the dongle, and then bypassing those calls. Once the dongleʼs code has been broken, a patch can be distributed so that any user can play the game without the dongle. This is precisely what happened with Robocop 3 (1992) for the Amiga. The anti-piracy dongle had to be connected to one of the joystick ports for the game to run. A few days after its release in April of 1992, the dongle was cracked.

Another privacy prevention technique is “tamperproof hardware.” Tamperproof hardware involves securing a part or parts of the computerʼs hardware (such as a computer chip) from being observed by a hacker, creating what is called a secure context or secure data storage. Executing software in a secure context prevents a would-be pirate from gaining access to the softwareʼs code. This technique prevents the attacker from observing the behavior of the software, which means that s/he cannot identify the right portions of the software to remove. Tamperproof hardware is a feasible protection technique for console-based systems, since a user must purchase a console to even play the game. Tamperproofing is not particularly viable for PC game development, however, because of the additional cost of requiring all PC game users to run the same hardware.

One of the ways hackers violate tamperproof hardware is by “modding” it. Modding is the process of adding special chips to a game console that modifies or disables the consoleʼs security mechanisms; this is one of the most popular ways to attack the Xbox and PlayStation2. As a matter of fact, Microsoft has taken action to prevent modded consoles from engaging in Xbox Live online play. When an Xbox Live user logs on, their system is checked for the presence of mod chips. If mod chips are detected, the unitʼs serial number is recorded, and the device is permanently banned from the network.

Software-Based Prevention Techniques

The success of online games has led to a new set of concerns for the game industry. These concerns revolve around maintaining a fair and consistent gaming environment so that players will participate. If players are able to modify their games—for example, by making their characters immortal—the gaming experience of other players can suffer. One technique that has been explored by researchers and that could be used to aid in the prevention of game modifications is “code obfuscation.” Code obfuscation is a technique used to protect a secret in the softwareʼs code. The secret can vary from the design of the software, special algorithms embedded within the software, or important data such as cryptographic keys. Obfuscation works by transforming yet preserving the original functionality of software code in order to make it more difficult to read, understand, and reverse engineer. The idea is to make the protected program so difficult to read that it is more costly for the attacker to reverse engineer the program than to simply purchase or recreate it. There are three general classifications of obfuscations:

• Layout obfuscations alter information that is unnecessary to the execution of the application such as identifier names and source code formatting.
• Data obfuscations alter data structures used by the program. For example, a two-dimensional array could be folded into a one-dimensional array.
• Control flow obfuscations are used to disguise the true control flow of the application, for example, by inserting dead or irrelevant code, or merging functions.1

The level of protection provided by code obfuscation varies with program size and structure. Additionally, obfuscation increases a programʼs overhead, which can have adverse effects on performance. Since performance is critical in most video games, the degree to which a game can be obfuscated is probably limited. Furthermore, code obfuscation does not provide complete protection. Given enough time, a determined adversary will be able to “see through” the obfuscation. However, code obfuscation can be used to extend the period of time before the software is pirated. Because the majority of video games have an extremely short shelf life, extending that shelf life would increase profit potential.

One of the real challenges in preventing video game piracy is being able to enforce intellectual property laws. Not only can it be difficult for small game developers to prove authorship if their intellectual property is stolen, but it is also extremely difficult to trace the source of an illegal distribution. Software watermarking makes it possible to address these difficulties (Qu and Potkonjak; Collberg and Thomborson; Stern et al.; Venkatesan et al.; Collberg et al.). Watermarking works to discourage piracy by attaching an identificatory mark to a piece of software. An authorship mark, for example, is embedded in every copy of a given program, and can be used by a developer to prove ownership of pirated software. A fingerprint mark, by contrast, is unique to each copy of a program, and can thus be used to trace a specific act of piracy. Like obfuscation, watermarking functions by transforming a programʼs code. To illustrate, a very simple watermarking technique would be to add a new variable to a program whose value is a string of characters such as “Copyright 2005, ABC Software Corporation.” By embedding this particular authorship mark, a developer would be asserting ownership. A watermark might also be added when a consumer purchases the software. The developer could embed into the software a unique identifier—such as a credit card number—that would effectively fingerprint that particular program. Piracy could be confirmed by proving that a suspected copy is marked with the fingerprint. Of course, in order for watermarking to be a viable form of copy protection, the watermark must be able to ward off a variety of attacks. The simple watermarking technique described above is not robust enough to prevent piracy because an attacker could simply reverse engineer the program and identify and remove the mark.

A common security feature in many video games is the inclusion of a license check. License checks can be used to verify the validity of a game, or to prevent the use of a game after a specific date. Tamperproofing techniques can be used to prevent a dishonest player from removing the license check, though they must be able to detect that the software has been altered, and there must be a mechanism that causes the protected program to fail. For the tamperproofing to be successful, the software failure must be stealthy and not alert the attacker to the location of the failure-inducing code. This can be accomplished by separating the detection and response mechanisms in both space and time (Aucsmith; Chang and Atallah).

Currently, many video game console systems make use of their own proprietary CD or DVD format. When new console systems are released, software for them is written on CD or DVD formats that standard burners cannot copy. For example, the Xbox uses DVD-9 format which is a single-sided, dual layer media format. Nintendo also took this approach with the GameCube, using a unique, smaller-than-normal disc. This type of protection technique is usually effective against the occasional copier, but it is not normally unbreakable for long. In fact, when these sorts of protection mechanisms are broken, it can be fatal to a company. One famous example was the proprietary CD format used by the Sega Dreamcast, GD-ROM. The GD-ROM format was designed so that it could not be copied using standard CD or DVD burners. In 2000, a German hacker group found a back door inside the Dreamcastʼs mask-ROM BIOS that allowed the Dreamcast to boot from a standard CD-ROM. This hack turned out to be one of the fatal blows that forced Sega out of the console business.

Conclusion

Legal deterrents to piracy, such as patents and copyright laws are only effective when enforceable, and detecting and isolating pirates is very difficult. Most piracy occurs within playersʼ homes, making it extremely costly to investigate and enforce intellectual property laws, and many of the current technological anti-piracy solutions rely on proprietary information that once broken can easily be exploited by all. However, new protection techniques such as fingerprinting promise to identify pirates faster, thereby helping hold hackers accountable for their actions. Piracy is a problem that has plagued the game industry for years. Software watermarking, code obfuscation, and other techniques that do not draw their strength from proprietary information may yet help cure that plague

Endnotes:

1. For further details regarding obfuscation techniques, see Collberg, et al. (1998).

Works Cited:

Aucsmith, David. “Tamper Resistant Software: An Implementation.” Information Hiding Workshop (May 1996): 317-333.
Business Software Alliance (BSA). “First Annual BSA and IDC Global Software Piracy Study.” July 2004. BSA. 21 Feb. 2005 <http://www.bsa.org/globalstudy/loader.cfm?url=/commonspot/security/getfile.cfm&pageid=16947&hitboxdone=yes>.
Chang, Hoi, and Mikhail Atallah. “Protecting Software Code by Guards.” Digital Rights Media Workshop (November 2001): 160-175.
Collberg, Christian, Ed Carter, Saumya Debry, Andrew Huntwork, John Kececioglu, Cullen Linn, and Mike Stepp. “Dynamic Path-Based Software Watermarking.” Conference on Programming Language Design and Implementation. ACM SIGPLAN. Fairmont Hotel, Washington, DC. June 2004.
Collberg, Christian, and Clark Thomborson. “Software Watermarking: Models and Dynamic Embeddings.” Proceedings for the 1999 Symposium on Principles of Programming Languages. ACM SIGPLAN-SIGACT. Menger Hotel, San Antonio, TX. January 1999. 311-324.
Collberg, Christian, Clark Thomborson, and Douglas Low. “Breaking Abstractions and Unstructuring Data Structures.” Proceedings for the IEEE International Conference on Computer Languages. IEEE Computer Society. Loyola University, Chicago. May 1998. 28-38.
Entertainment Software Association (ESA). “Computer and Video Game Software Sales Reach Record $7.3 Billion in 2004.” January 2005. TheESA.com. 21 Feb. 2005 <http://www.theesa.com/pressroom.html>.
International Intellectual Property Alliance (IIPA). “2005 Special 301 Report on Global Copyright Protection and Enforcement.” 10 February 2005. Special 301. 21 Feb. 2005.< http://www.iipa.com/special301.html>.
Qu, Gang and Miodrag Potkonjak. “Hiding Signatures in Graph Coloring Solutions.” Proceedings from the 1999 Information Hiding Workshop. Hotel Elbflorenz, Dresden, Germany. September 1999. 348-367.
Stern, Julian P., Gael Hachez, Francois Koeune, and Jean-Jacques Quisquater. “Robust Object Watermarking: Application to Code.” Proceedings from the 1999 Information Hiding Workshop. Hotel Elbflorenz, Dresden, Germany. September 1999. 368-378.
Venkatesan, Ramarathnam, Vijay Vazirani, and Saurabh Sinha. “A Graph Theoretic Approach to Software Watermarking.” Proceedings from the 2001 Information Hiding Workshop. Pittsburg, PA. April 2001. 157-168.