The state of PC piracy in 2016

The DRM arms race

For Overkill and the other pirates on r/CrackStatus, a new player is messing up their system. Released in 2014, Denuvo Anti-Tamper has emerged as a new anti-piracy tool for developers—and a topic of conversation that now dominates r/CrackStatus. Numerous posts bemoan Denuvo’s resistance to cracking, with several commenters forecasting the death of piracy itself. At the top of the subreddit, a list of games employing Denuvo has been compiled alongside a tag reading, “Not Cracked.”

“Here is an important point: anti-tamper is not DRM—we don’t manage any rights.” Reinhard Blaukovitsch, chief executive and co-founder of Denuvo, tells me this after I repeatedly referred to his company’s main product as DRM. “This is done by the game platform as an industry-standard one-time authentication… The security lies in making it harder to circumvent this DRM with our anti-tamper security layer on top.

”Basically, Steam or Uplay is the DRM for games purchased through those storefronts. When you run a game, the Steam application on your PC checks in with Steam servers and verifies that yes, you did buy a copy of this game. When pirates successfully crack a game, they’re tricking Steam servers with an invalid proof of purchase. It’s this falsified communication that Denuvo works to stop.

2016's Doom currently sits on the list of yet-to-be-cracked Denuvo games.

Though Blaukovitsch tells me that Denuvo is a completely new product based on a new architecture, many of the minds behind it helped create SecuROM, one of PC gaming’s most unpopular DRM schemes. Over the years, PC gamers have settled into the idea that DRM usually comes with some kind of consequence for paying customers that pirates neatly avoid—that’s one reason CD Projekt and GOG earn so much goodwill for championing DRM-free releases. As Overkill summarized, “[P]rotection like Denuvo is harming even legit customers because they suffer from lower frame rates and have random activation errors and such.”

Early rumors seemed to confirm this fear when users claimed that Denuvo wrote and re-wrote large volumes of encryption data and damaged hard drives. These rumors turned out to be false by all accounts. As for causing lower frame rates, Blaukovitsch disagrees.

“While we put a lot of effort into making sure that anti-tamper cannot be easily cracked, even more important is that the paying customer is not affected,” Blaukovitsch said. “There are some misconceptions that copy protection will always add an overhead to protected games. Some people say that this is a given fact because you add security code to the game and this must result in a performance loss… We only alter parts of the game that are not executed during active gameplay, like loading screens or during startup of a game. By this approach the code of the actual gameplay stays untouched ... resulting in no performance loss."

Whatever the consequences for paying customers, real or imagined, Denuvo seems to be working really, really well. The list of uncracked Denuvo games on r/CrackStatus is growing. And it’s in this unlikely place that I find an area where Blaukovitsch and Overkill agree on something: Denuvo’s dominance won’t last forever.

“[C]rackers are hard at work trying to crack [Denuvo’s] protection and have gotten really good results and are moving up strong... People should understand that piracy will never die,” Overkill says near the end of our interview. “It might take a while for it to come back, but it'll come back stronger than ever.”

After almost a year of stalemate, the arms race between Denuvo and pirate communities is accelerating again.

“Although there is [talk] that we might prevent piracy completely going forward,” Blaukovitsch says, “we have a more realistic view: our focus is to help publishers to secure the initial sales windows of their games, hence delaying piracy.” 

Blaukovitsch’s statement ended up being more prophetic than he thought. A few days after our interview, a cracker named Voski found an exploit that simply bypassed Denuvo, making pirated versions of Doom and Inside playable for the group. Within a day or so, Denuvo had fixed the exploit.

As this article is published, news is circulating that Denuvo has been cracked, this time for Rise of the Tomb Raider, which was released in January. After almost a year of stalemate, the arms race between Denuvo and pirate communities is accelerating again. To celebrate, the moderators of r/CrackStatus changed the flair on the list of Denuvo games from “Not Cracked” to “Cracked.” The subreddit has been flooded with new links and joy over this possibly minor victory.

In some ways, though, even the arms race is going according to Denuvo’s rules. Denuvo and publishers aren’t trying to end all piracy forever. If Denuvo can protect major publishers from cracking through initial launch windows and the months immediately following, publishers will have protected their launch revenue. “We can see many posts in piracy forums like Reddit, etc. of people stating that they bought the game as no crack was available—we see this for every game we protect,” Blaukovitsch says. “This is direct and very good feedback for us and shows that we [are doing] something right.”

Piracy as publicity

Denuvo and projects like it are gaining ground among big game publishers eager to protect high-value investments. But in the years since digital distribution reorganized the game development world, big publishers are no longer the entire picture. Indie games and small studios are responsible for a huge explosion of ideas and creativity in games. Some of these games are released for free or for a token payment, and the potential success for indie stardom can be huge. Indie developers have even more of an incentive to protect their work.

However, most indie developers don’t have the bandwidth to think about DRM, according to Rami Ismail, co-founder of indie dev team Vlambeer. One- or two-person dev teams don’t want to provide customer support for stolen copies, and they don’t want to spend any of their precious time inventing a new DRM system. Instead, they just go with the default: releasing a game on an online store usually comes with that store’s DRM protection.

Third-party DRM schemes like Denuvo are cost-prohibitive for indie teams, Ismail tells me. “DRM in general exists to convince people to not wait for the crack, not to stop piracy,” he says. “It's something that changes the value proposition: do you want to play now, or do you want to play free? For AAA titles, the launch day is huge. For indies, the launch day is one of the many small spikes they get out of launch, sales, video content, online communities, etc. DRM just wasn't built for that.”

Nuclear Throne, from Ismail's Vlambeer.

If you’ve spent millions of dollars developing a game, thousands of people getting your $60 game for free is a revenue nightmare. Advertising budgets big enough to force Liam Neeson to grumble through a half-assed rendition of his Taken monologue for a Super Bowl commercial tend to reach everyone, even people who don’t play games or don’t care about your game in particular.

But indie game developers don’t live in that universe. For small developers, thousands of people getting your game, playing it, and talking about it isn’t a nightmare, it’s the publicity that dreams are made of and ad budgets can’t buy. In that lens, torrent sites can look a lot like the most effective marketing apparatus ever assembled.

“With how difficult gaining visibility is, it has been argued [piracy is] probably even for the best—I never know how to feel about that idea,” Ismail says. “I think it's up to the developer to figure out how they feel about piracy. Personally, we acknowledge that we make games in a global market, with wildly different economies for different people—if someone genuinely can't afford our games, we don't want to get in their way.”

Some developers have gone so far as giving the piracy ecosystem a little nudge. Just to get the ball rolling, as it were. “It isn't unusual,” Ismail says when I ask him about developers uploading their own games to piracy hubs or torrent clients. “Hotline Miami did that, McPixel did that—a lot of indie developers are rather aware of the power of piracy. I've heard people argue that ‘a game isn't a success until there's a torrent,’ and there's one really easy way of ensuring there is.”

Growing word-of-mouth and a broad gesture of goodwill has helped these small developers become larger developers. CD Projekt has seen its sales rise dramatically with each new installment of the Witcher series, something that Iwiński attributes to fans’ goodwill. “Did the fact that it’s easier to pirate our game increase our audience? I don’t know,” Iwiński says. “However, I am pretty convinced that making games packed with content, easy to install and update, and working without an online connection, sure did… [A] lot of trust has been established thanks to our DRM-free approach and strong post-release support of both The Witcher 2 and The Witcher 3. We sold six million units of The Witcher 3 in the first six weeks—that’s a lot of gamers out there trusting us with their money.”

Even as it's grown, CD Projekt RED has stuck to its DRM-free roots.

Engaging with customers this way and building trust over time is slower and harder to explain to a board of directors, Iwiński says, but it’s worth it in the long run for CD Projekt to try. “[Engagement is] the protection of the future and there are more and more companies thinking this way—carrot, not the stick. We will always go for the carrot.”

Of course, not all small developers choose to embrace piracy, and becoming a vocal supporter of a game does not, in and of itself, make loud piracy more OK than silent piracy. Indie developers need champions, but exposure doesn’t automatically pay the rent through increased legitimate sales. Piracy in 2016 is now entangled with another issue: key reselling, which often involves the selling of “stolen” game codes purchased with fraudulently obtained credit cards. The keys resold on marketplaces like G2A and Kinguin are paid for, but if the original purchase was fraudulent, the end result for developers is mostly the same as piracy.

The need for legitimate, salary-paying game sales is the crux of the matter. Though piracy looks different in 2016 than it did in 1999, the central tension has stayed the same: in order to make great games, people need to be paid to spend time making them. No matter what technology defeats or replaces Denuvo in the future, that fact is going to continue being true.