Piracy and Malware: There’s No Free Lunch

For years, those of us who study the effects of piracy have focused on two main questions. First, does it hurt creators, by reducing demand for what they produce? Here the answer is clearly yes: the vast majority of peer-reviewed studies have found that piracy hurts demand and overall firm profitability, and that anti-piracy measures can cause some consumers to return to legal channels. Second, does piracy benefit consumers, by providing them access to products they wouldn’t have paid to consume? This question is asked less frequently than the first, but the growing consensus answer seems to be no: several recent studies suggest that piracy can hurt consumers by reducing the incentives for producers to invest in and create new products.

However, while these questions have been studied widely, there’s another one worth asking: Does piracy also hurt consumers by exposing them to malware and other malicious software?

The problem is real. For users to access and download pirated content, someone has to make it available, and most of the sites that make pirated content available are in it for the money. The people who run these sites typically make money by displaying advertisements—and, in some cases, by hosting or linking to content that contains malware. Designed to gather data from users’ computers, or even to control them, malware can be very profitable, and as a result it’s a danger that users of pirated material regularly have to contend with.

But does using pirated materials increase a user’s risk of being infected with malware? Or are users smart enough to protect themselves by installing anti-virus software and firewalls, and by avoiding clicking on risky links?

To answer these questions, we conducted a study on a unique dataset of close to 250 users who form part of an IRB-approved panel within CMU’s Security Behavior Observatory project. The users’ machines were instrumented with various sensors that allowed us to monitor their activities. With detailed controls in place, we observed what websites these users visited, whether they had any anti-virus software or firewalls installed, whether they downloaded any files from pirate sites, and, most importantly, whether their machines ended up showing any evidence of malware intrusion.

The results were clear. The more our users visited piracy sites, we found, the more often their machines got infected with malware. Specifically, whenever they doubled the time they spent on piracy sites, they increased the number of malware processes running on their machines by 20 percent. And those who visited pirate sites more heavily, we discovered, were no more careful about protecting themselves from malware.

These results strongly suggest that if we want to evaluate the harm done by piracy, we need to consider how it degrades the health of users’ computer security—and what the ultimate cost of that degradation is. There’s an important lesson here. Many users, of course, don’t worry about the harm that piracy does to content creators, but they should still be concerned about the harm it can do—to themselves. Piracy, once again, turns out not to offer the free lunch that it appears to.