Anti-piracy Protection Options/Help

Hi everyone,

I am hoping to do a little brainstorming regarding anti-piracy options for an upcoming game I will be releasing in several months. I've never worried too much about piracy before, despite having had my games pirated, because my previous games have all been released on CD, and I don't believe in inconveniencing customers. This game, however, will be downloadable, and so I feel an obligation to put SOME kind protection in it.

The game will feature a "free to play" model with purchasable premium content. What I am trying to determine now is the best way to handle said content. I am hoping to achieve a good balance between piracy protection and ease-of-use. I have come up with three options, ranging from full protection to none, but I am not thrilled with them. So, I'm looking for additional input and ideas.

The options I have so far are:

1. ONLINE VERIFICATION - Customers must register an online account to purchase content. When content is purchased, that content is "activated" on that user account. Every time the player runs the game with installed premium content, the game connects to a server which verifies whether the account is active and has purchased the content.

PROS:
- The most secure method--of course the EXE itself will be vulnerable, but this is the case with all installable games.

CONS:
- Inconvenience to players, as they will need an active internet connection to play the game and need to keep an online account
- I will also have to keep up with pirated copies of the game to continually "ban" accounts on the server.


2. ONE-TIME VERIFICATION - Similar to Option 1, except that the game only connects to the server once when new content is installed. This method is obviously used often for games and applications.

PROS:
- Still reasonably secure
- No constant internet connection needed

CONS:
- Players still need online accounts
- I will still have to keep up with pirated copies of the game to continually "ban" serial numbers.
- Once premium content is installed, it will be playable on that PC, even if I later find out it has been pirated, so some pirated copies will seep through


3. NO ANTI-PIRACY - I give up on worrying about piracy and trust that there will be enough honest customers to earn a profit on the game. When players buy premium content, they can instantly download an installer that installs the content and run it any time.

PROS:
- Extremely easy for customers to use
- No internet connection needed
- Automated--I don't need to keep up with pirated content

CONS:
- Easy to pirate--just share the installer!


My ideal choice would be to somehow prevent "casual pirates" with little technical knowledge from sharing installable EXEs while also not inconveniencing legitimate customers too much by requiring an internet connection. Perhaps I could have a series of valid serial numbers and continually update the main program EXE to block pirated ones? I'm not sure how secure this would be, though, since users would never HAVE to update the main program.

So I come to you, the community, to come up with a better option! Any ideas?

Two last things: first, note that this is a project from someone who already has multiple commercially-published games, so please no sarcastic comments about anti-piracy not being an issue unless the game is worth pirating. Second, please don't turn this into a debate about whether or not games should use DRM or protection, since that's a discussion for another thread. :)

Thanks in advance for your time and help! :D

Personally, I'd go with 1;

Users will be required to use a serial number, which they only type in once at the installation, and every time the game boots up, the serial number will be varified online. Serial number valid? Game continue. Serial number invalid? Game closes. Also, every time a serial number is being verified, the data+time and IP address should be logged.

All you'll need is a database with a crapton of serial numbers, and software that will keep track of all the serial numbers and logs. This way, you'll be able to find out if a single serial number is being used multiple times, simultaneously, over different IPs. And if it is, you can simply delete it from the database! Making the serial invalid instantly.

No accounts needed. You can have people purchase the game online with their Paypal account. Which is linked to an email address!
No software updates needed when a serial/user is being removed.
Yes, an active internet connection is required. But who nowadays isn't online 24/7?

The biggest downside is the fact that if the serial number database can't be accessed (host is down, hacked, errors, etc...), users won't be able to play. :(


Anyway, that's my input. ;)

Quote:

---

Second, please don't turn this into a debate about whether or not games should use DRM or protection, since that's a discussion for another thread.

---

How can I possibly have an opinion what you should chose, without talking about DRM moethods in general.

By adding online activation, or one time verification, you punish your legal users who have paid to play the game, and the game will still be just as easy to crack anyway.

There's a good reason that many big indie productions (big as in World of Goo, Osmos, Eufloria, and so on) are DRM free, and also make a point out of it at the website. Thanks to Saira being DRM free I got it included in a DRM-free bundle that boosted the sales a lot, and I didn't miss out the potential customers who think like me and don't buy DRM'ed products (I know plenty of people who think like me there). A company should not authorize if I can play a game I have paid for. The fact that companies can go bankrupt or the activation servers can go down means that there's always a chance the users will have to use crack the game just to play it when they want to, or even at all. If people get the option to either pirate the product, or purchase it knowing that in the future they might have to do something illegal to run it, guess which choice that makes most sense.

Offline serials are OK, because you can just keep the serial and can install the product whenever you want without having to be online. DRM however have a bad reputation, it signals you want to stop piracy more than that you care for your legal customers - and it doesn't work. If people can crack Spore and 3D Studio Max, your game will also be avaliable on pirate bay with a simple crack.

Whatever you do, don't go for #1, unless you want to get the same type of criciticism as Assassins Creed 2 got. Even most "big" companies does not dare to try this solution. #2 is acceptable and a solution many companies chose, though you will miss out many potential customers (such as myself).

Thanks both of you for your fast and helpful input!

No worries, Nifflas--I'm pretty sure I'll sooner go completely free of any kind of protection than go with option 1. I made a promise to my customer base several years ago that I would never include any kind of DRM that inconveniences them. I agree with you that it punishes customers.

Right now, I'm leaning toward going with a basic serial number tied to a person's name. It's not too protective, but it will scare off some of the more casual pirates. I envision it working as follows:

1. Customer buys content (through Paypal) and gets access to the install EXE, along with a custom-generated serial number, which is a combination of a random key (chosen from a list on a server) and the customer's full name.

2. When the customer installs the content, s/he must enter the name used to purchase the content into the installer, along with the serial that s/he received. The installer derives the original key by removing the customer's name from the serial behind-the-scenes and compares it against a list of valid numbers. If it's valid, the content installs.

The downside is that customers can still share valid serials with one another, but at least I would be able to determine the name of the person who pirated the content from the serial...at least until the EXE is cracked! :)

Sounds good to me, but if you want to skip the list of serials you can go for a serial directly based off the name itself. A lot of products with serials does this. You can for example use part of an md5 hash based on the username together with a salt. It'll work until someone creates a key generator.

Yes, that does make sense, and it's easier to implement.

What's nice is, using this method, I can still generate a unique key for every single piece of premium content, so that a separate keygen will be required for each piece of content. Might as well multiply the time it takes for pirates to crack the software by the number of pieces of content that are available!

Thanks again! :)

Well you could also just go the route of tying the digital downloads to an online account. Basically your users would create an account online in order to buy the premium content. Any content they purchase would then be linked to that account via some database entries.

Then the user can download that premium content from special links inside their account page. You could track the downloads to see just how many times the content has been downloaded from any particular account. So you could easily spot a suspicious account that's being shared by someone. Since nobody would need to download the same premium content dozens and dozens of times... it would be like a red flag.

I'm also a fan of this account locked method because it means the only way other people can download the content or the latest updates is to get someone's account... The first thing that happens when account info is given out is... you guessed it, somebody gets greedy and changes the login info so nobody else can get in. So basically the pirates become their own worst enemy.

Of course, this really doesn't prevent people from downloading the content and then uploading the content somewhere else for others to take... but it does provide a bit of protection...

Just the hassle of having to wait for the new content/updates to show up in pirate sites would be enough reason to just get an account and buy the stuff.

But again, this isn't really going to keep out anyone who is determined to steal your game or whatever... But really, I'm not too big of a fan of any security... My take is that if people want to pay for your game, they will. If they don't, they won't. The people pirating your game most likely weren't going to ever pay for it anyway, even if they had no other choice. They just wouldn't play it.

But just as a side note: If you did the account method and someone downloaded the content to then reupload somewhere else, you could always plant a little flag in the user's downloads, so if you go to a pirating site and download that content, you could use some sort of method to find out what user account is distributing it... Then you could shut down their account. =P But that's probably the most evil thing to do.

In regards to logging IP's I would be careful in what you ban. For instance, I would steer away from banning more than one IP if it's from the same locale. If someone just wanted to take it over to a friend's house or something, they could have their serial banned, which I personally think is wrong.

So you'll need a method to keep track of that. I would mainly worry about either A). simultaneous activations B). activations from more than one country, or in the case of the US, more than one state, etc. But I realize that can become a pain very quickly. An even worse pain though would be banning people for silly reasons like taking it to a friend's house to play (Note: Letting friends play is NOT sharing with "online friends"). Also, a person technically could have multiple IP's in one home if they so chose for some reason. A friend of mine did that when we were rooming together. Cost a little extra to have, but we did it because some games had conflict with us playing online from the same IP.

In regards to the DRM, I agree that DRM should only be there to prevent casual piracy for the people who aren't too computer savvy. It helps keep honest people honest. But trying to prevent hard core piracy is a losing battle. Not even top publishers in the game industry can stop it so it's a futile effort.

Some companies like CD Projekt release games with zero DRM. Games you buy from them on gog.com have no DRM at all. Even their upcoming release of The Witcher 2. It works fine for them apparently. They know their games are being pirated, but they would be pirated regardless of any DRM scheme they can come up with. It also serves as a way to generate positive publicity because of all the backlash against DRM lately. So given that, it is something to consider on whether you should have any DRM at all. I personally agree with Nifflas on not having any DRM at all, but it's ultimately up to you.

Best way to prevent piracy:

* Keep the price tag low (definitely under £10 for a klik game),
* Provide a free demo without too many limitations,
* Make it easy to pay, and make sure the buyer has instant access to the game as soon as they have bought it.

Do that, and you remove most of the incentive to use illegal copies.

What I would do, is have a single game download (instead of separate downloads for the demo and full version).
To activate the extra features, the user would need to enter a serial, which would be checked against a list of banned serials online (just once).
Don't bother creating user accounts or logging IPs or anything - just google for illegal serials every few months, and blacklist any you come across.

Noone's going to bother creating cracks or keygens for a cheap Klik game - it's not worth their effort.

Muddy is right I think...

Why does amyone pirate anything wether it be a CD, DVD or game? Mainly because they hate being ripped off in the first place.

Produce a good quality product that the user will want to purchase and allow the user to purchase it at a sensible price.

Whatever you do, someone could and probably will find a way around it so why bother? If the big boys cant beat the pirates click products cirtainly cant.

The App that I am building at present could easily retail in excess of £100 but I'm going to set it below £30. Not be gready and still make some decebt money out of it.