Sage accused of strong-arming customers into subscriptions
Dated TLS offered as reason why users need to move off some perpetually licensed products already paid for
Accounting software vendor Sage is under fire from some customers over sweeping changes to its software licence model that they say are forcing them to pay again for wares they already own or lose access to them.
Like many vendors, Sage is attempting to execute a shift from perpetual to subscription licensing. However, its methods are heavy-handed and unfair, customers claim.
In a statement last updated July 12, Sage addresses the migration path for Sage 50 Accounts and Sage 50cloud Accounts v26.2 (published 2020) or below. This is accounting software aimed at companies with 100 employees or fewer.
Sage argues that because the packages use TLS 1.0 and 1.1 – dated versions of the security protocol – to confirm licensing compliance, customers will need to migrate to its subscription licensing model if they first bought a perpetual licence.
"By 30 September 2022, we will switch off TLS 1.0 and 1.1 for our remaining services, Auto Update and Sage License Server, following the latest industry standards.
"Once we switch off, anyone using Sage 50 Accounts or Sage 50cloud Accounts v26.2 or below will no longer be able to access their software."
This, we're told, leaves customers with the option to pay up for the subscription or face having to re-key their historic raw data into a new system.
Customers and partners have expressed their frustration at the move.
One forum commentator said: "The reference to TLS is a deliberate red herring – in that everything [Sage] states is correct but misleading… In this case [Sage has] taken the decision (presumably on commercial grounds) NOT to develop a simple routine that would allow the continued use of most of [its] 'perpetual licence' desktop products... but it is NOT a decision being imposed on Sage!"
On the forum, a Sage representative said: "We are supportive of the decision to protect you, and your data, to eradicate any risks, which could be detrimental to your business. We are contacting all impacted customers with options available to them, under no circumstances is anyone obliged to move to our fully cloud solution Sage Accounting."
But others were quick to point out that Sage 50cloud is not a cloud product; it is a desktop or server product with a subscription license and some online connectivity. Sage's argument was therefore more about licensing than hosting, they said.
The Register spoke to an IT support professional specializing in SMEs. He said: "The issue here is that we're not talking about people willingly moving to a subscription model. What we're talking about is people who own valid – and in some cases very recently purchased – perpetual licenses being dropped off a cliff."
It gets worse for Sage. Tests have shown that at least since Sage 50 Accounts v24, the perpetual license product actually does use TLS 1.2 for communication other than license verification. It seems unlikely then that it is impossible to patch or update v26.2 or below to allow use of TLS 1.2 for software license verification without forcing customers to move from perpetual to subscription licenses, we're told.
"It seems highly likely that they could patch the later version. They could then offer people with the versions that are compromised the option of continuing to use their software. It's not going to have any more features which is fair enough. Nobody's asking for free features, all people are asking for is to use the features that they paid to use."
The history of TLS also raises questions about how Sage has employed it in Sage 50cloud Accounts. TLS v1.0 was standardized in 1999 while TLS v1.1 was standardized in 2006. Customers and partners want to understand why Sage was using such a dated protocol – already more than a decade old – in products it was shipping in 2018 and 2020. It was common for the majority of desktop applications to use TLS v1.2 by 2010, one expert pointed out to The Register.
We asked the company why Sage 50 Accounts or Sage 50cloud Accounts v24 to v26.2 (released in 2018 and 2020) use a protocol which was already more than 10 years old when it was introduced.
A spokesperson told us:
"Transport Layer Security (TLS) v1.0 and v1.1 is an industry-wide security protocol that is used to facilitate privacy and data security for communications over the internet. The stability and security of the protocol is the core focus, not the age of it. The need to amend to a new protocol occurred following the launch of our products and after the Internet Engineering Task Force (IETF) formally discouraged the use of it."
They added: "Sage communicated with its customers about this, the action they needed to take, and how we could support them. We will always prioritize the security of our products and protect customer data in accordance with the latest industry standards, today and for the future."
We asked why Sage can't update v24 and after to use TLS 1.2 to verify software licensing, and were told: "We recognize that due to these changes to the TLS Protocol, our customers will be impacted in different ways. Providing temporary patches is not the most effective solution in this instance, but ensuring that the systems provided by Sage are continually up to date is key for businesses to operate effectively and securely. The change required is a simple process for customers on the latest versions of our software, and we are ready to support all customers to make the changes so they are secure and have the best experience."
When asked whether customers would lose access to their data, the spokesperson said: "No. We have communicated with customers about the options available to them. If the customer upgrades to a compatible version of Sage 50 Accounts, they will continue to access their data. If they do not wish to upgrade, they can export their data before the cut-off date in September. We appreciate this will impact customers in different ways and our customer contact team is happy to discuss needs on an individual basis." ®