Unauthorised software: Navigating the spectrum of software piracy and compliance action

Introduction
 

Indian businesses today operate in technology-intensive environments where proprietary software forms the core of their commercial and creative workflows. Architectural firms rely on advanced Computer-Aided Design applications (‘CAD’); engineering companies work with modelling programs; as do design, manufacturing and production houses, which use sophisticated visualisation suites. It is therefore essential for businesses to maintain licences for all software used in operations.
 

Industry data illustrates intensified enforcement efforts to detect the use of unlicensed or pirated software, with India being identified as the third-most impacted market in terms of alleged use of unauthorised software, after China and Russia[1]. This data explains the increasingly common trend where Indian businesses receive heightened scrutiny from licensors through compliance specialists.  It is necessary to study these global patterns to evolve a comprehensive response that effectively combats piracy and fosters a measurably robust IP regime.
 

The purpose of this article is to examine these instances and assess how to build guardrails that align legal rights with ground realities to fortify the regime in India.
 

The legal standard
 

In India, software falls within the realm of literary work[2] in which Copyright would subsist[3]. Licensing is a commercial arrangement[4] forming the legal foundation that distinguishes authorised use from infringing usage. Infringement is deemed to arise when a copyright article is used or reproduced without license[5] and is tested on the anvil of originality[6] and substantial similarity[7].
 

While the test of ‘originality’ is often self-evidentiary[8], there is no singular test framed in India for determining substantial similarity in non-literal elements of software. Drawing from copyright doctrines such as merger, scènes à faire, and public domain, foreign jurisprudence has popularised the three-pronged approach of Abstraction-Filtration-Comparison. Abbreviated as the ‘AFC’ test,[9] the elements of an infringing software would have to be,
 

1. first, abstracted: separated in the order of generality of aspects, say object code or user interface;
2. then, filtered: the abstracted aspects would be filtered between copyrightable and non-copyrightable elements, and 
3. then, compared: the filtered copyrightable elements of the infringing work would be checked for substantial similarity with the copyrightable elements of the protected work. 
    

The AFC approach for ascertaining substantial similarity was endorsed by the Hon’ble Bombay High Court when Tata Consultancy Services was appointed as an expert Court Commissioner to report on whether the allegedly infringing software was substantially similar to the claimed product[10]. That apart, Indian Courts have consistently held that infringement must be established through evidence of conscious and commercial deployment of the programme, and that punitive liability arises only where intentional misuse and commercial benefit therefrom is demonstrated[11]. 
 

The ‘POSAR’ test (Planning, Operationalization, Separation, Analysis and Reporting) has been proposed as an alternative methodology with which to assess software similarity. Scholars anticipate that POSAR may reduce misclassification of functional similarity as copyright infringement. As on date, POSAR has not been applied in Indian or American jurisprudence, and Courts continue to rely predominantly on the AFC test.[12]
 

In a bid to safeguard their rights, software licensors prefer compliance-monitoring for tracking any misuse or overuse. A combination of anecdotal sales reports, software audits and telemetry-based detection data (technical artefacts, file signatures, registry entries, device identifiers, timestamps, usage traces, etc.) collected by embedded tools or remote verification mechanisms used by software publishers have been cited as irrefutable proof of piracy. A question arises if detection data must be treated as iron-wrought evidence, as Licensors tend to? What then, of situations where the person using the software had no intent nor any knowledge of the validity of the software being operated on their systems? What of refurbished devices and inherited systems where technical residue exists, unbeknownst to an unwitting user?
 

The grey zone: Accidental, legacy and inherited use
 

Statistics from detection data reveal a significant set of situations that idle in the ‘grey zone’: technical residue that shows use or installation on systems without any intentional or deliberate act on part of the business. This grey zone arises in multiple ways. 
 

For one, devices may have been purchased second-hand or refurbished. Such devices often contain remnants of previously installed software registry entries, configuration files, cached libraries or leftover executables which persist even after factory resets. Another common scenario arising for architectural, design and engineering businesses involves employees (be it full-time or interns or contract workers) or freelancers who installed unauthorised software on Company-owned machines or on personal devices being used within Company networks. Similarly, system restorations, data migration and cloud-based synchronisations may reinstate old programme folders without the user’s express permission(s). In some instances, expired trial versions of software are interpreted by detection data as cracked versions of the software, even if the software was never used beyond the trial period. 
 

The commonality in all these situations is that these artefacts may not be of utility to the business, yet they create an appearance of culpability on behalf of the Company, regardless of knowledge or intent. Licensors, however, routinely treat these traces as incontrovertible evidence of piracy.
 

Indian Courts have recognised the need to distinguish inadvertent situations from deliberate misuse. Rightly recognising the myriad scenarios that may exist in an increasingly circular economy, Courts have consciously lowered the threshold at the interim stage. Technical residue from in-built security mechanisms, ‘phone-home’ technology and telemetry-enabled audits are admissible as primary evidence of infringement for granting interim protection[13].
 

Courts have cautioned against arbitrarily treating technical traces as establishing liability and emphasized on the proportionality doctrine[14]. Courts require proof of volitional use, knowledge and commercial benefit before granting damages unto the software licensors, showing that damages will follow only where unauthorised commercial use is clearly proved. The precedential principle remains that a licensor cannot demand a licence fee ‘for regularising unauthorised use’ or damages ‘to compensate for illegal use’ without showing commercial benefit derived from the so-claimed unauthorised use[15].
 

While the ethical and legal obligations of businesses to ensure full compliance cannot be overstated, it is necessary to train focus on discerning between inadvertent instances and wilful violations, so that actual incidences of infringement are met with due rigor. The grey zone, therefore, underscores the need for fact-sensitive, evidence-based enforcement.
 

Unintended consequences of compliance monitoring
 

Although licensors have an indisputable right to protect their intellectual property, compliance specialists tend to be overzealous in their outreach, revealing concerning patterns that merit particular attention.
 

1. First, many communications assume infringement as a fait accompli based solely on detection data, rarely offering meaningful transparency. 
2. Second, the timeline for ‘regularisation’ is so stringent that the business/user flagged for alleged unauthorised use is left with no opportunity to verify, assess or redress the core problem.
    

The combined effect is a steep discounting of the alleged end-user’s right to investigate the situation and respond appropriately while also trivialising the gravity of the infraction, as if mere regularisation would remedy the wrong. This feeds into a far more systemic problem, tending only to the symptoms instead of addressing the malaise of piracy. From a legal perspective, this could potentially endanger the entire regime for incentivising and protecting intellectual property.
 

In short, enforcement must necessarily be transparent, fact-sensitive and proportionate. When enforcement communication fails to fairly provide clarity on detection data, it restricts meaningful investigation and crosses over into the domain of overreach. Shockingly, this heightens risk for both licensors and recipients.
 

The need of the hour is for companies to systematise compliance by default. Businesses should institute a ‘Standard Operating Protocol’ and could also hardline a zero-tolerance approach in Employment Contracts, cautioning strict action against any misuse of Company assets and domain credentials.  Periodic Sanitation checks to audit asset registers could be another way to immunise Company assets from being misused.
 

Conclusion
 

The intersection of Information Technology and intellectual property presents a fertile ecosystem for economic and technological advancement while navigating a dynamic legal environment. Businesses must formulate a judicious approach to ensure compliance that fortifies their technological infrastructure. Ensuring lawful licensing is a foundational obligation and even unintentional misuse must be course-corrected. At the same time, enforcement practices should reflect the highest of ethical and legal standards. When technical remnants do not reflect volitional use, outreach must be proportionately calibrated.
 

[The authors are Associate Partner and Associate, respectively, in Commercial Disputes practice at Lakshmikumaran & Sridharan Attorneys, Chennai]

[1] Revenera, ‘Monetization Monitor: Software Compliance and Piracy Trends 2025’ - Revenera 2024, See here,  accessed 9 Dec 2025.

[2] The Copyright Act 1957, s 2(o), Microsoft Corporation v. K Mayuri [2007 SCC OnLine Del 662].

[3] The Copyright Act 1957, ss 13–14.

[4] The Copyright Act 1957, s 30.

[5] The Copyright Act 1957, ss 51 and 63.

[6]  n 3

[7] Computer Associated International Inc v. Altai Inc. [982 F 2d 693 (2d Cir 1992)]

[8] Eastern Book Company v. D.B. Modak (2008) 1 SCC 1

[9] n 7 

[10] Maraekat Infotech Ltd. v. Naylesh V. Kothari [2016 SCC OnLine Bom 2369]

[11] MSC Software Corporation v. S. Ramanathan [2018 SCC OnLine Del 12542]

[12] P V Bhattathiripad, ‘Forensics of Software Copyright Infringement Crimes: The Modern POSAR Test Juxtaposed with the Dated AFC Test’ (2014) 9 Journal of Digital Forensics, Security and Law 55, See here.

[13] Dassault Systemes & Anr v. Kamaldeep Singh & Ors. [Delhi High Court, Order dated 13 July 2017]

[14] Ibid

[15] n 11