Everyone likes a bargain – but some are prepared to go further than others.  People have a sliding moral scale.  Few will smash-and-grab at a jewellery store, but if an insurance firm accidentally paid us twice for a watch stolen out of a gym locker, many of us may overlook the bonus.  Sadly for digital entrepreneurs, the perceived moral transgression of gaining unauthorised access to a web product is pretty low.  It’s also carried out in private, where everyone’s scruples are liable to slip a little.  I wouldn’t walk into a car dealership, pick up a free coffee, and walk out.  Online?  That’s a very different matter.

There are many ways to get free digital services.  Users can share logins, create multiple trial accounts, or sniff out hacks on the web.  You may naturally think that keeping security high is the best solution.  You can certainly work at barring those who try to use your firm’s products for free.  Who wants to have their products or services stolen by scumbags?

Actually, the answer may not be as clear cut.  In a world where most digital services have little or no marginal cost of supply, it technically doesn’t cost you much (if anything) to be the “victim” of a theft.  Someone ripping a CD doesn’t actually harm the music label’s profits.  The only damage is done if that person otherwise would have bought the product.  And here’s the rub: if I rip a CD that I wouldn’t otherwise have bought, it allows me to get closer to the band.  I might buy another CD, go to a gig, or tell a friend.

Bringing the example up to date, we can apply these lessons to SaaS products.  You may want all your users to pay £19.99 per month for your whizz-bang service.  But some of those customers are cheapskates, and they’re going to try and get access for free, or at least for cheap.  And many don’t care if they way they do this is legitimate, or not.  So what should you do?

One way is to lock down.  You can treat every instance of petty pinching as a personal affront, akin to picking your pocket.  However, this means that you’ll divert resources away from other activities, which may be much more productive.  Furthermore, you will drive away many users who wouldn’t have paid.  Making these cheapskate users stick around can benefit you.  Eventually, they may pay in full, pay a little, or tell others about your product.  All of these outcomes are often better than losing their engagement altogether.

So, how do you secretly encourage the skinflints and thieves?  Remember: if you go too far, you risk turning all your users into a feral mob feeding off your firm’s twitching corpse.  The solution is ultimately fairly simple: make it hard to steal, but not too hard.  Corporate users are typically paying with someone else’s money.  For them, the hassle of hacking the product, the risk of getting no support with a mission-critical application, and the potential legal penalties if unmasked, are all far too much to bear.  For a bedroom business, these may be a risk worth taking.  Accordingly, you may want to ensure that Mr. Bedroom Business finds it hard, but not too hard, to get in for free.

You can, and should, do this the legitimate way.  Maybe you can leave a few voucher codes lying around the web, or flyer them at events.  Maybe you create a student-only login, which requires an academic email address. You can set up a free usage tier, which works for small users only.  But maybe you should instead just allow yourself to get a bit careless with security?  Does it really matter if IP addresses from 122 countries are using the same login?  That’s a decision you should make very carefully.  These cheapskate users will almost certainly be getting a degraded service in some way, eg by lacking personal support.  You can deliberately degrade the service further – such as by requiring users to enter their address manually every time the country of login changes, or putting a time delay in before the product opens fully.  Alternatively, you can find such transgressions, and challenge them intermittently – but maybe not too aggressively.  For example, if a shoplifter’s shared login doesn’t work after 3 months of unrestricted use, there’s a real chance he’ll take the prompt to upgrade to a paying account.  Without allowing his petty theft, you may never have had the opportunity to sign him up for real.