[eropple]

1. The user is not ever made aware that their registration attempt will involve sending out information over the Internet. The application is therefore surreptitiously phoning home.

It's 2012. This should be assumed. Mentioning it explicitly is nice to do, but at this point it feels like it should be taken for granted that a registration key will be checked against an auth server. There's not really anything that you can categorize in good faith as "surreptitious" about it. It reads more like you just want to harsh on the guy.

2. There is no reason to keep logs such as the OP currently has -- the kind that enables him to segregate people into buckets like "honest", "pirate", "converted" and then crow about it online.

Why not? Should a developer not keep track of the number of times a key (valid or not) is active? Why? It's his software. It's his business. I can't think of an argument why it wouldn't be his job to keep that data.