Global — A new multi-jurisdiction research report has reportedly confirmed what a growing population of paying software customers has, for several years, attempted to articulate to friends, family, and three separate customer service agents: that the only users currently enjoying a quiet, uninterrupted, dignified relationship with their software are the ones who did not pay for it. The finding, published this week by the Institute for Acceptable Consumer Punishment and corroborated by independent observers at four privacy research groups, has been characterized in early industry coverage as “disturbing,” “structurally embarrassing,” and, in one trade publication’s phrasing, “the most legible diagram of contemporary product management ever produced by accident.”
CLASSIFICATION: CONSUMER SURVEILLANCE ASYMMETRY ANALYSIS
DISTRIBUTION: Consumer Software Buyers, Enterprise Procurement Officers, Antitrust Observers, Anyone Who Has Recently Been Asked To Verify Their Device, Their Identity, Their Subscription, And Their Emotional Availability Before Opening A Calculator
PREPARED BY: The Externality Research Division
DATE: May 2026
The report, formally titled Asymmetric Treatment of Legitimate and Unauthorized Users in Consumer Software Environments: A Longitudinal Field Study, runs to 312 pages, of which 47 are devoted entirely to summarizing the privacy policies of the eleven applications under review. Researchers note, in a footnote that has since been circulated independently of the rest of the document, that the privacy policies were “significantly longer than the report describing them.”
“The paying customer is treated as a potential criminal. The actual criminal receives a lightweight, offline, no-nonsense product experience.”
— Dr. Malcolm Voss, Institute for Acceptable Consumer Punishment
Dr. Voss, who has spent the better part of a decade studying the institutional conditions under which consumers are asked to disclose, verify, accept, agree, register, opt in, opt back in, and reauthenticate, described the finding as “a troubling asymmetry,” though he conceded, when pressed, that the word troubling was a compromise reached after his initial draft used the word insultingin seven consecutive sentences.
The Finding
The study tracked 12,847 users across a representative sample of professional design tools, productivity suites, operating systems, creative applications, and one piece of software that was originally a calculator. Half of the cohort had purchased legitimate licenses through approved channels. The other half had obtained the same products through, in the report’s diplomatic phrasing, “non-commercial acquisition pathways.”
The results, summarized in the report’s executive abstract, were as follows:
- License verification events: Legitimate users encountered an average of 14.3 verification prompts per month. Pirated users encountered zero.
- Forced sign-ins: Legitimate users were prompted to sign in to between three and seven separate cloud accounts before reaching the product’s primary interface. Pirated users opened the program.
- Telemetry payloads transmitted per session: Legitimate users transmitted an average of 247 distinct usage signals to vendor servers. Pirated users transmitted none, on the institutional grounds that their software did not know where to send them.
- Launcher updates required before product launch: Legitimate users encountered an average of 2.4 sequential launcher updates per session. Pirated users encountered no launcher.
- Marketing emails received per quarter: Legitimate users received 84.2 emails. Pirated users received none, on the grounds that they had not been issued a receipt.
- Time elapsed between double-clicking the icon and using the software: Legitimate users, a median of 4 minutes 17 seconds. Pirated users, 1.2 seconds.
The report concludes, in a sentence that has since been printed on at least one piece of unofficial merchandise, that “the differential cannot be explained by the price paid; it can only be explained by the relationship implied.”
The Trust Inversion Model
Researchers describe the underlying architecture as a trust inversion model, under which the act of legal ownership triggers institutional suspicion and the act of unauthorized use triggers, by contrast, institutional disinterest. Under the model, the paying customer is the party that the software company is required, by its own internal compliance procedures, to investigate; the pirate is the party that the software company, having no record of, does not investigate at all.
The asymmetry is reportedly preserved across categories. A user who purchases a $599 professional design tool through an authorized reseller is, on average, required to revalidate their entitlement six times across the first thirty days of ownership. A user who acquires the same tool through a forum thread is, across the same period, never asked to revalidate anything, on the structural ground that there is nothing for them to revalidate.
“I paid $599. The cracked version would have respected me more.”
— Legitimate user, identified in the report as Subject 04417
Subject 04417, a freelance designer based in a mid-sized American city, reportedly purchased the tool to use during a client presentation. The product, according to the report, “could not verify entitlement” midway through the second slide, displayed a modal advising her to reconnect to the internet, and then displayed a second modal advising her that her session had timed out while she had been attempting to dismiss the first modal. The presentation was rescheduled.
Researchers note that the cracked build of the same tool, which Subject 04417 has since installed on a secondary laptop “for emergencies,” has not displayed a modal of any kind in fourteen months.
Industry Response
Software vendors approached for comment uniformly rejected the framing of the report, while declining to contest any of its specific findings. Several executives reiterated, in language researchers describe as “remarkably consistent across firms,” that telemetry, license verification, and onboarding prompts exist exclusively to improve the user experience.
“We value privacy deeply.”
— Software executive, standing in front of a dashboard showing every time a customer had moved their mouse
The executive, who agreed to be interviewed on the condition that the wall of monitors behind him would not be described, went on to clarify that privacy was, in his company’s view, “an outcome we produce on the user’s behalf, rather than a setting we make available to them.” Pressed for elaboration, he gestured at one of the monitors, on which a separate user was attempting, for the third time, to dismiss a request to enable cloud backup.
A second executive, representing a different firm but reading from what observers described as “visibly the same talking points,” explained that telemetry collection is essential for improving the user experience — in particular, the experience whereby a user, having just declined an improvement, is offered the same improvement a second time, then a third time, then a fourth time, then finally a fifth time framed as a security recommendation.
A third executive added, without prompting, that the company’s product was also fully committed to user choice, provided the user chose the option that the company had pre-selected on their behalf.
The Onboarding Funnel
The report devotes an entire chapter to what it calls the onboarding funnel, which researchers describe as “the set of sequential consent events that must be navigated before a user is permitted to use a product they have already purchased.” A representative funnel, reconstructed from timestamped logs of a single user opening a single application, reads in part as follows:
Step 1: Log in to your vendor account.
Step 2: Verify your device.
Step 3: Accept cookies.
Step 4: Accept the updated terms of service.
Step 5: Accept the updated terms of service again, because the first acceptance occurred before the most recent update, which occurred during Step 4.
Step 6: Enable cloud backup (recommended).
Step 7: Decline cloud backup.
Step 8: Confirm that you understand the implications of declining cloud backup.
Step 9: Confirm that you have read a 47-page privacy policy.
Step 10: Agree to analytics.
Step 11: Register your emotional availability.
Step 12: Launch the calculator.
Researchers note that the user under observation reached Step 12 after 41 minutes and 18 seconds. Researchers further note that a pirated build of the same calculator, installed on an identical machine in the laboratory next door, opened in 0.8 seconds and asked nothing of anyone.
The 47-Page Privacy Policy
The privacy policy referenced in Step 9 of the funnel has been independently reviewed by the report’s authors, who describe it as “written by a committee of lawyers and what appears to be at least one sleep paralysis demon.” The policy reportedly contains 47 instances of the phrase we may, 31 instances of the phrase among other purposes, and one passage, in section 14.2, which the report characterizes as “syntactically valid English that nevertheless does not appear to mean anything.”
Asked to summarize the policy in lay terms, the firm’s deputy general counsel reportedly produced the following one-sentence translation, which was not approved for public release but which a researcher later recovered from a discarded notebook:
“We are going to do whatever we want, and you have been informed.”
The deputy general counsel, contacted for comment, declined to confirm the quote but did not deny it. He added, separately, that the policy was “rigorously reviewed” and that any concerns about its length were “a separate department’s problem.”
The Cracked Build Comparison
The report includes, as Appendix C, a side-by-side comparison of the legitimate and unauthorized installations of a single popular creative application. The comparison is reproduced here, in part, for the benefit of readers who have ever paid for software:
LEGITIMATE BUILD | UNAUTHORIZED BUILD
Sign-in required. | Opens.
Telemetry: enabled. | Telemetry: not addressed.
License check: every 14 days. | License check: not present.
Launcher: required. | Launcher: removed.
Cloud sync: nudged. | Cloud: unmentioned.
Account recovery: prompted. | Account recovery: there is no account.
Marketing emails: 17/month. | Marketing emails: 0/month.
Privacy policy: 47 pages. | Privacy policy: a README.
Boot time: 4m 17s. | Boot time: 1.2s.
Researchers note that the README accompanying the unauthorized build, recovered for analysis, contains six sentences. The first five describe how to install the software. The sixth, attributed to an anonymous contributor identified only by the handle caspar.rip, reads:
“Don’t connect this to the internet. It will only get sad.”
Privacy advocates have described the sentence as “the single most considerate piece of user-facing documentation produced in the consumer software industry in the past fifteen years,” and the report notes, without commentary, that it was written by a person whose primary contribution to the software ecosystem is theft.
The Reframed Motive
Industry analysts who reviewed the report in advance of publication say that it represents the first large-scale documentation of a phenomenon previously discussed only in informal settings: that contemporary software piracy is, in a meaningful and growing share of cases, no longer primarily motivated by the desire to avoid payment.
Surveyed pirates, interviewed under conditions of anonymity, reported a range of motivations. The most commonly cited, accounting for 38 percent of responses, was “I did not want to sign in.” The second most commonly cited, at 27 percent, was “I wanted the product to open when I double-clicked the icon.” A further 19 percent reported that they had, in fact, paid for the software, but had then installed the unauthorized version anyway because the unauthorized version did not ask them to log in.
The remaining 16 percent declined to characterize their motive in detail, though one respondent reportedly offered the following:
“This is no longer theft. It is unauthorized self-defense against subscription onboarding.”
— Anonymous respondent, recorded in field notes
Researchers, asked whether they regarded the respondent’s characterization as accurate, declined to comment, on the grounds that they were academics rather than lawyers and that the question of what constituted self-defense in the context of a launcher update was, at present, “not a thing the literature has reached consensus on.”
The Industry’s Counterproposal
In response to the report, several major software companies have reportedly announced, individually and in coordinated press releases, a slate of new anti-piracy measures intended to restore what one trade group described as “the proper balance of inconvenience between paying and non-paying users.”
The announced measures include:
- Mandatory facial recognition at every launch event. Users will be required to confirm their identity to a camera that does not store the image, except for the purposes outlined in sections 7.4 through 7.9 of the updated privacy policy.
- Emotional compliance scoring, in which the application monitors the user’s facial expression during the EULA acceptance flow and revokes the license if, at any point, the user “visibly hesitates.”
- The Freedom of Ownership prompt, a new feature that pauses the application every twelve minutes to ask the user whether they are enjoying the freedom of ownership. Users who answer “no, actually” are returned to the sign-in screen.
- Loyalty Reauthentication, a daily check-in in which the application asks the user to briefly explain, in their own words, why they purchased the software, and silently scores the response.
- Trust Score Display, a persistent on-screen indicator showing the user’s current standing with the vendor, on a scale from verified to investigated.
The trade group emphasizes that none of these measures will apply to pirated installations, on the structural grounds that the vendor has no relationship with the user and is therefore not in a position to impose one.
The Enterprise Footnote
The report includes a brief, almost reluctant aside on enterprise customers, who, researchers note, occupy a peculiar position in the asymmetry. Enterprise customers pay substantially more for the same software, sign substantially longer agreements, accept substantially broader telemetry, and are, in return, granted substantially better support, the existence of which they are unlikely to ever require.
Enterprise IT administrators, interviewed for the report, described their environments as “reasonably calm,” on the grounds that enterprise deployment removed most of the consumer-facing prompts. Pressed on whether the prompts had been replaced by anything, several administrators paused before gesturing, with what one researcher described as “the resigned weariness of a person who has signed a Master Services Agreement,” toward a separate, internal dashboard whose contents they were contractually prohibited from describing.
Economic Implications
The report’s authors are careful to emphasize that they take no position on the legality of software piracy, which remains, in every jurisdiction studied, a violation of the relevant copyright statute. They do, however, note that the apparent willingness of paying customers to seek out unauthorized builds “in order to avoid being treated like the people who would have sought out the same builds for non-payment reasons” represents a potentially significant economic signal.
Markets analysts contacted for comment offered varying interpretations. One described the phenomenon as “a category error,” in which a customer-acquisition pipeline had been mistakenly built on top of a customer-management pipeline. A second described it as “the predictable result of any system in which the only group treated like adults is the group the system has formally classified as criminals.” A third declined to characterize it and asked the interviewer if they would mind closing the door on the way out.
A Final Observation
At the time of publication, the report’s authors were unable to confirm whether several of the legitimate customers profiled in the study had managed to launch the software they purchased for inclusion in the experiment. One participant, identified as Subject 09112, had been waiting, at the time the report was sent to press, for approximately six and a half hours, having successfully completed the verification flow but having since been informed, by a popup, that the verification flow had been updated and would need to be completed again.
Subject 09112 was, at the same moment, observing on a secondary laptop, in a non-experimental capacity, that a pirated copy of the same product had opened immediately on the first attempt and had not, in the intervening six and a half hours, requested anything of anyone.
Researchers note that Subject 09112 has, at no point during the study, expressed an intention to switch to the unauthorized version. Researchers further note that Subject 09112 has, at no point during the study, expressed any intention not to.
“At press time, legitimate customers were still waiting for their software to launch after successfully proving they were not the people who pirated it.”
— Report, closing sentence
The Bottom Line
The report does not recommend piracy. It does, however, document the conditions under which a paying customer may, with no change in personal ethics whatsoever, find themselves reading installation instructions written by a person whose handle ends in .rip, and discovering that the instructions are kinder than anything they have received from a vendor in eleven years.
One legitimate customer, asked for a closing comment, declined to provide one, on the grounds that they were still waiting for their software to launch.
Update: Following the report’s publication, three of the eleven vendors profiled in the study issued statements clarifying that they take privacy “very seriously,” and that any suggestion to the contrary would be addressed by their legal teams “in due course,” via an automated email that the recipient would be required to log in to read.
Editor’s Note: This article was written using a legitimately purchased word processor. It was completed, with some difficulty, between launcher updates.
¹ All quotes are fictional. Any resemblance to actual modal dialogs is coincidental and exhausting.
² No software was pirated in the writing of this article. The author did, however, briefly consider it.
³ The Institute for Acceptable Consumer Punishment does not exist. Its findings remain, regrettably, accurate.
⁴ Subject 09112 has, since press time, been informed that their session has expired.