Taking Action Against a Global Counterfeiting Syndicate: the Microsoft experience in China

09/15/2008WIPO - GenevaLaurent MassonEMEA Director-Anti-Piracy & Internet Safety

IntroductionWorldwide counterfeiting rates Counterfeiting & Software Piracy

The Chine Syndicate case Case Summary Building the case MS Team The July 2007 Actions PR Coverage

Worldwide Counterfeiting And Software Piracy Rates

Tier 1 - Tier 1 - Piracy Rate Below 50%Piracy Rate Below 50% Tier 2 - Tier 2 - Piracy Rate 50% to 80%Piracy Rate 50% to 80% Tier 1 - Tier 1 - Piracy Rate Above 80%Piracy Rate Above 80%

California is Center of California is Center of U.S. Counterfeiting U.S. Counterfeiting IndustryIndustry

Guandong Center of Guandong Center of China Counterfeiting China Counterfeiting IndustryIndustry

MS Strategy and approach

•Intelligence•Enforcement•Internal/External PR• Awareness and Education• Governement outreach

Software protection and IPRs

• Copyright•Patent•Trademark•Know-how•Secret and confidentiality

Counterfeiting & Software PiracyThe Most Common Types of Piracy

END USER COPYING

MISCHANNELINGHARD-DISK LOADING

INTERNET PIRACY (CDs/DVDs and digital downloads)

COUNTERFEITING (low quality / high quality)

Syndicates Manufacturing and Distribution Model

Asia

Asia

Lat

Am

Centra

lized

in T

aiw

an

Sing

apor

e &

Hon

g K

ong

Wor

ldw

ide

Man

y

Man

y

Organizers/Financiers

Counterfeit Manufacturers

Exporters and Brokers

Distributors

Resellers

End Customers

Case Summary

The most significant crackdown on software piracy according to industry executives

Microsoft’s LCA investigative team has been tracking the syndicate since 1999 and is the largest operation ever investigated

First identified after influx of Win 98 and Office 2000 counterfeits bearing a “legitimate” Security features appeared in the market

Various enforcement actions over the years took out some key players but never completely dismantled the organization

2003 organization move from Taiwan to S. China increased complexity of case

Investigators and forensic experts continued target surveillance and evidence gathering in hopes of convincing law enforcement to accept case

In 2006, MS Investigators and attorneys presented case to the US Dept. of Justice resulting in subsequent high level meetings between FBI and Chinese authorities

Resulting in Major Action A June 2007 meeting between FBI Los Angeles and

Chinese authorities resulted in swift action against Syndicate targets Actions took place July 6 to July 16 2007 24 searches in 3 cities 25 arrests Seizure of $500 M of counterfeit software and

components including:22 master replication disks70K units of counterfeit Vista, Windows XP and Office 2007 250K counterfeit Certificate of Authenticity labels (“COAs”)60K units of user guides, product cases and security labelsCounterfeit production equipment and other raw materials

Building the Case

6 Years of investigation…

Microsoft’s Involvement prior to the raids in China

The Chinese syndicate is the largest operation Microsoft has ever investigated

Microsoft’s 75-member antipiracy team had been tracking the syndicate since May 2001

• Prior to the July 2007 raids, Microsoft obtained nearly 290K copies of counterfeit software from test purchases, seizures by law enforcement and customs and submissions made by customers and partners

Acquisitions from 27 countries, 13 titles, 8 languages Forensic examination revealed at least 30 unique production lines Estimated value of counterfeit Microsoft software produced by

this syndicate is $2 billion

Microsoft provided intelligence and evidence to law enforcement and supported their efforts to take legal steps against the syndicate

Proliferation of Syndicates Counterfeits

Units by Country

100,000 to 400,000

10,000 to 99,999

1,000 to 9,999

100 to 999

0 to 99

OCO Products 2 Product Types

40% full packaged product E2E and IMBH only versions

60% stand alone COA labels Old TDRL pink imbedded thread 3M clear-de-cyan DLR Porthole Porky and retail

19 Product Lines 75% Windows OS 22% Office 3% Windows Server

11 Languages Although English made up the

majority of finds an ever expanding range of languages was being identified.

Counterfeit Title % of WW Acquisitions

Windows XP Professional 37%Windows 98 SE 20%Windows 2000 Professional 10%Office 2003 Professional 7%Office 2007 Professional 7%Office 2000 Professional 4%Windows 2003 Server 3%Office 2003 SBE 2%Windows XP Home 2%Windows Vista Business 2%Windows XP Professional x64 1%Windows Me 1%Windows Vista Ultimate <1%Office 2000 SBE <1%Windows 98 (Original) <1%Office 2000 Premium <1%Windows 2003 Small Business Server <1%Windows 2000 Advanced Server <1%Windows 2000 Server <1%

Auction Sites used as distribution vehicle by syndicate

• MS investigated 21,568 units of software from 2,033 auctions originating from 17 countries– 86 % counterfeit/infringing

software. – 38% of all counterfeit software

from China Syndicate• Dramatic increase YOY in the

number of OCO counterfeit software auctions as syndicate attempts to access developed markets through domestic online auctioneers.

High Quality• Syndicate responsible for the

manufacture and distribution of the highest quality counterfeits on the market

• Significant investment made by syndicate to simulate Microsoft’s anti-piracy security features including:

• Holograms• Imbedded threads• Product activation

• Most customers did not realize they have been “duped” until they failed the Validation process

• Prices were very similar to genuine product by the time product got to final market destination.

Range of Products and Components

Extensive investigations by Microsoft identified the major targets

17

Mr BIG

Taking action Microsoft Team

12 employees dedicated

Combination of expertise : Business analysts, forensic experts, investigators, attorneys….in several countries

Key points : product identification and tracing; understanding of the distribution channels; coordination with LE in the US and in China.

The Raids in China

July 2007 Action in China A June 2007 meeting between FBI Los Angeles and

Chinese authorities resulted in swift action against Syndicate targets Actions took place July 6 to July 16 2007 24 searches in 3 cities 25 arrests Seizure of $500 M of counterfeit software and

components including:22 master replication disks70K units of counterfeit Vista, Windows XP and Office 2007 250K counterfeit Certificate of Authenticity labels (“COAs”)60K units of user guides, product cases and security labelsCounterfeit production equipment and other raw materials

Raid uncovered massive stocks of components ready for assembly.

Microsoft Investigators analyze and inventory seized product

Security Thread for new COAs 1000s of mylar “E2E” labels

Security thread for old COAs

Counterfeit COAs

Deceiving the Customer: Mylar Label• The use of the Mylar label is what distinguishes these counterfeits for all other

counterfeit producersThe simulated Mylar label is very deceptive to end-users and law enforcement

agentsComponents seized on raid showed how syndicate had continued to improve

manufacturing process

Scratch off version

“Peelable” label w/ lip

Spindle of counterfeit Win XP Pro

Deceiving the Customer: COA w/ Thread

• Simulated security thread to high level• Port-hole security feature adequately simulated; good enough to fool customer

Deceiving the Customer: Product Activation

Keys found on Windows XP Pro COAs are typically keygen VL keys created using illicit tools on the internet. These keys will bypass activation but will fail validation.

The first Office 2003 Pro COA keys were Windows XP Home keys that customers used in a “phantom” or fake activation – the actual key used is a leaked volume license key that was baked into bits by the counterfeiters. This product will bypass activation and since the leaked key is NOT blocked, will also pass validation

Keys found on Windows XP Home COA are authentic royalty OEM keys – this one traces to ACER. These keys will generally pass both activation and validation.

These Vista COA keys are actually Windows XP Pro keygen VL keys. They will not work for Vista and the customer will fail both activation and validation after 30 days. The counterfeiters tried to provide users access to a server that would allow for activation and validation, but this server has been removed and will not work. (No keygen Vista keys available due to implementation of SPP)

The second version of Office 2003 COA used keygen VL keys. These keys will bypass activation but will fail validation

Keys found on Office 2007 COAs are also keygen VL keys. Office did not create a stronger product key like Vista so keygen keys for 2007 were immediately available to the counterfeiters. They will bypass activation but fail validation.

A joint success by Chinese and US police

Thank You for your Attention!