taking action against a global counterfeiting syndicate: the microsoft experience in china...
TRANSCRIPT
Taking Action Against a Global Counterfeiting Syndicate: the Microsoft experience in China
09/15/2008WIPO - GenevaLaurent MassonEMEA Director-Anti-Piracy & Internet Safety
IntroductionWorldwide counterfeiting rates Counterfeiting & Software Piracy
The Chine Syndicate case Case Summary Building the case MS Team The July 2007 Actions PR Coverage
Worldwide Counterfeiting And Software Piracy Rates
Tier 1 - Tier 1 - Piracy Rate Below 50%Piracy Rate Below 50% Tier 2 - Tier 2 - Piracy Rate 50% to 80%Piracy Rate 50% to 80% Tier 1 - Tier 1 - Piracy Rate Above 80%Piracy Rate Above 80%
California is Center of California is Center of U.S. Counterfeiting U.S. Counterfeiting IndustryIndustry
Guandong Center of Guandong Center of China Counterfeiting China Counterfeiting IndustryIndustry
MS Strategy and approach
•Intelligence•Enforcement•Internal/External PR• Awareness and Education• Governement outreach
Software protection and IPRs
• Copyright•Patent•Trademark•Know-how•Secret and confidentiality
Counterfeiting & Software PiracyThe Most Common Types of Piracy
END USER COPYING
MISCHANNELINGHARD-DISK LOADING
INTERNET PIRACY (CDs/DVDs and digital downloads)
COUNTERFEITING (low quality / high quality)
Syndicates Manufacturing and Distribution Model
Asia
Asia
Lat
Am
Centra
lized
in T
aiw
an
Sing
apor
e &
Hon
g K
ong
Wor
ldw
ide
Man
y
Man
y
Organizers/Financiers
Counterfeit Manufacturers
Exporters and Brokers
Distributors
Resellers
End Customers
Case Summary
The most significant crackdown on software piracy according to industry executives
Microsoft’s LCA investigative team has been tracking the syndicate since 1999 and is the largest operation ever investigated
First identified after influx of Win 98 and Office 2000 counterfeits bearing a “legitimate” Security features appeared in the market
Various enforcement actions over the years took out some key players but never completely dismantled the organization
2003 organization move from Taiwan to S. China increased complexity of case
Investigators and forensic experts continued target surveillance and evidence gathering in hopes of convincing law enforcement to accept case
In 2006, MS Investigators and attorneys presented case to the US Dept. of Justice resulting in subsequent high level meetings between FBI and Chinese authorities
Resulting in Major Action A June 2007 meeting between FBI Los Angeles and
Chinese authorities resulted in swift action against Syndicate targets Actions took place July 6 to July 16 2007 24 searches in 3 cities 25 arrests Seizure of $500 M of counterfeit software and
components including:22 master replication disks70K units of counterfeit Vista, Windows XP and Office 2007 250K counterfeit Certificate of Authenticity labels (“COAs”)60K units of user guides, product cases and security labelsCounterfeit production equipment and other raw materials
Building the Case
6 Years of investigation…
Microsoft’s Involvement prior to the raids in China
The Chinese syndicate is the largest operation Microsoft has ever investigated
Microsoft’s 75-member antipiracy team had been tracking the syndicate since May 2001
• Prior to the July 2007 raids, Microsoft obtained nearly 290K copies of counterfeit software from test purchases, seizures by law enforcement and customs and submissions made by customers and partners
Acquisitions from 27 countries, 13 titles, 8 languages Forensic examination revealed at least 30 unique production lines Estimated value of counterfeit Microsoft software produced by
this syndicate is $2 billion
Microsoft provided intelligence and evidence to law enforcement and supported their efforts to take legal steps against the syndicate
Proliferation of Syndicates Counterfeits
Units by Country
100,000 to 400,000
10,000 to 99,999
1,000 to 9,999
100 to 999
0 to 99
OCO Products 2 Product Types
40% full packaged product E2E and IMBH only versions
60% stand alone COA labels Old TDRL pink imbedded thread 3M clear-de-cyan DLR Porthole Porky and retail
19 Product Lines 75% Windows OS 22% Office 3% Windows Server
11 Languages Although English made up the
majority of finds an ever expanding range of languages was being identified.
Counterfeit Title % of WW Acquisitions
Windows XP Professional 37%Windows 98 SE 20%Windows 2000 Professional 10%Office 2003 Professional 7%Office 2007 Professional 7%Office 2000 Professional 4%Windows 2003 Server 3%Office 2003 SBE 2%Windows XP Home 2%Windows Vista Business 2%Windows XP Professional x64 1%Windows Me 1%Windows Vista Ultimate <1%Office 2000 SBE <1%Windows 98 (Original) <1%Office 2000 Premium <1%Windows 2003 Small Business Server <1%Windows 2000 Advanced Server <1%Windows 2000 Server <1%
Auction Sites used as distribution vehicle by syndicate
• MS investigated 21,568 units of software from 2,033 auctions originating from 17 countries– 86 % counterfeit/infringing
software. – 38% of all counterfeit software
from China Syndicate• Dramatic increase YOY in the
number of OCO counterfeit software auctions as syndicate attempts to access developed markets through domestic online auctioneers.
High Quality• Syndicate responsible for the
manufacture and distribution of the highest quality counterfeits on the market
• Significant investment made by syndicate to simulate Microsoft’s anti-piracy security features including:
• Holograms• Imbedded threads• Product activation
• Most customers did not realize they have been “duped” until they failed the Validation process
• Prices were very similar to genuine product by the time product got to final market destination.
Range of Products and Components
Extensive investigations by Microsoft identified the major targets
17
Mr BIG
Taking action Microsoft Team
12 employees dedicated
Combination of expertise : Business analysts, forensic experts, investigators, attorneys….in several countries
Key points : product identification and tracing; understanding of the distribution channels; coordination with LE in the US and in China.
The Raids in China
July 2007 Action in China A June 2007 meeting between FBI Los Angeles and
Chinese authorities resulted in swift action against Syndicate targets Actions took place July 6 to July 16 2007 24 searches in 3 cities 25 arrests Seizure of $500 M of counterfeit software and
components including:22 master replication disks70K units of counterfeit Vista, Windows XP and Office 2007 250K counterfeit Certificate of Authenticity labels (“COAs”)60K units of user guides, product cases and security labelsCounterfeit production equipment and other raw materials
Raid uncovered massive stocks of components ready for assembly.
Microsoft Investigators analyze and inventory seized product
Security Thread for new COAs 1000s of mylar “E2E” labels
Security thread for old COAs
Counterfeit COAs
Deceiving the Customer: Mylar Label• The use of the Mylar label is what distinguishes these counterfeits for all other
counterfeit producersThe simulated Mylar label is very deceptive to end-users and law enforcement
agentsComponents seized on raid showed how syndicate had continued to improve
manufacturing process
Scratch off version
“Peelable” label w/ lip
Spindle of counterfeit Win XP Pro
Deceiving the Customer: COA w/ Thread
• Simulated security thread to high level• Port-hole security feature adequately simulated; good enough to fool customer
Deceiving the Customer: Product Activation
Keys found on Windows XP Pro COAs are typically keygen VL keys created using illicit tools on the internet. These keys will bypass activation but will fail validation.
The first Office 2003 Pro COA keys were Windows XP Home keys that customers used in a “phantom” or fake activation – the actual key used is a leaked volume license key that was baked into bits by the counterfeiters. This product will bypass activation and since the leaked key is NOT blocked, will also pass validation
Keys found on Windows XP Home COA are authentic royalty OEM keys – this one traces to ACER. These keys will generally pass both activation and validation.
These Vista COA keys are actually Windows XP Pro keygen VL keys. They will not work for Vista and the customer will fail both activation and validation after 30 days. The counterfeiters tried to provide users access to a server that would allow for activation and validation, but this server has been removed and will not work. (No keygen Vista keys available due to implementation of SPP)
The second version of Office 2003 COA used keygen VL keys. These keys will bypass activation but will fail validation
Keys found on Office 2007 COAs are also keygen VL keys. Office did not create a stronger product key like Vista so keygen keys for 2007 were immediately available to the counterfeiters. They will bypass activation but fail validation.
A joint success by Chinese and US police
Thank You for your Attention!