Debunking BSA’s piracy-malware link

The latest fear-mongering report from the Business Software Alliance claims there’s a link between software piracy and malware, but it’s proven with some pretty shoddy statistics.

This is the second year that the BSA has released an “Internet Piracy Report” (PDF via Wired), intended to illustrate “the scale and serious negative impacts of online software piracy, including … a resource for those who wish to avoid the pitfalls of illegal software on the Internet.”

I’m not sure what resources are provided other than a suggestion that you buy some software, but the BSA warns that there’s “significant evidence to link software piracy with the frequency of malware attacks.” The damning evidence, supposedly, is in this graph:

[Image: bsamalware, the BSA's graph of piracy rate versus malware infection rate]

Generally, you see that the higher a country’s piracy rate, the bigger the malware infection rate. That seemed pretty straightforward until I looked at the source material.

See, the first thing that got my attention was the United States. According to the BSA’s own research (PDF), America has the lowest piracy rate in the world at 20 percent, but a slightly above-average malware rate of 9.1 percent, according to Microsoft’s Security Intelligence Report.

Meanwhile, China, which has one of the world’s highest piracy rates at 80 percent, has an 11.4 percent malware rate — not much different from the United States. Same goes for Guatemala, which has an 81 percent piracy rate and a 13.9 percent malware rate.

But the real whopper is Vietnam, one of the hotbeds for piracy at 85 percent. Microsoft says Vietnam’s malware rate is 1.3 percent, the lowest rate on its list. Many of the countries on the BSA’s piracy hot list don’t even appear in Microsoft’s report, because they didn’t have at least 1 million monthly malware executions in the second half of 2008.

The BSA merely chose a handful of countries where malware rates were particularly high, checked to make sure the piracy rate was considerable — but certainly not the world’s highest — and stacked them up against a few countries where the opposite is true. That’s not statistics, that’s cherry picking.

Look, I’m not saying all pirated software and warez sites are free of malicious code. I just wanted to check the facts, so the next time the BSA makes a ridiculous claim, we can all point to this and other examples, and have a good laugh.