EULA: What Are You Signing Away?
Jul 24, 2007 4:00 AM PT
When consumers buy software, they typically don't spend much time reading through the rather long, tortuous legalese that makes up the end user licensing agreement (EULA) or terms of service (TOS) agreement that users must agree to before getting access to a product or service.
However, distributed applications, social networks and Web services enable a growing number of vendors to access the innards of users' machines and possibly make use of their private data and personal property, often in ways unknown to consumers and without their being aware of it.
A Legal Blizzard?
Software developers and vendors have used standard "boilerplate" contracts to protect themselves, their products and services, and to set the terms of agreements with customers.
However, in doing so they often set legally binding terms and conditions that consumer advocacy groups would argue overstep the bounds of what should be expected or permissible. Some have gone so far as to set private terms and conditions that defy and breach established laws.
EULAs have been used "to require users to sign away their fair use rights, such as the right to reverse engineer," Electronic Frontier Foundation (EFF) staff attorney Corynne McSherry told the E-Commerce Times. "Essentially, companies are using contract law to trump basic IP (Internet protocol) protections for users -- often without users' knowledge."
Moreover, "most EULAs disclaim any responsibility for any damage that may occur to your systems, files and/or privacy as a result of product use, even if the manufacturer knew beforehand that such damage could occur," added Dave Moore, of Dave Moore Computers and creator of the EULA Hall of Shame Web site.
Clauses prohibiting any alteration of software -- whether for reverse engineering, optimizing performance or even benchmarking -- are common elements of software vendor EULAs.
Limiting Innovation and Consumer Choice
The case of Blizzard v. BnetD revolved around three software programmers who created the open source BnetD game server, which was used to interoperate with Blizzard's Battle.net online service, and whether or not doing so was in violation of the Digital Millennium Copyright Act (DMCA) and Blizzard Games' end user license agreement.
Serving as counsel for the defendants, the EFF and the law firm of Day, Casebeer, Madrid & Batchelder argued that programmers should be allowed to create free software designed to work with commercial products because it benefited consumers and helped promote innovation.
A judge in the U.S. Eighth District Court of Appeals disagreed, ruling that reverse engineering and emulating the Blizzard software were illegal. Subsequent criticisms of the decision contend that it makes it impossible to create new programs that interoperate with older ones and severely limits consumer choice by essentially allowing companies to outlaw competing products that interact with their own.
"Scientists, software programmers, hobbyists, hackers and just plain curious folks will always be taking things apart to see how they work. That's just human nature, and it will never stop," Moore told the E-Commerce Times. "Until the general public decides that they've had enough and there are some Supreme Court decisions on the subject, there will be more lawsuits, fines and stupid EULAs."
Courts have come down on different sides of the reverse engineering debate in different situations.
"There are a few cases where courts have refused to enforce reverse engineering or benchmarking provisions and a few cases where they have enforced them. There appears to be little rhyme or reason to the distinction," Mark Rasch, attorney and head of FTI Consulting's technology practice, told the E-Commerce Times. "When they refuse to enforce it, it is because the law permits reverse engineering for particular purposes -- for example, compatibility -- and the EULA was not explicit or well publicized."
What's Going On in There?
More troubling than prohibitions within EULAs are potential invasions of privacy and threats to the integrity of data, as well as the functioning of a user's machine. Also, the likelihood of such things occurring is increasing along with the growing use of distributed Web services and on-demand applications.
The use of spyware has been especially troubling. It has been used by free P2P file sharing services -- such as Sharman Networks' Kazaa application -- to obtain private information from end users.
"Any use of spyware is wrong. There have been some high-profile cases, such as the Sony rootkit debacle," said Moore. "Regarding alterations to end users' computer systems, the practice is rampant. Most end users have no idea how certain programs take control of their systems, especially when it comes to graphics/photo programs and music/video media players."
Networked applications represent another avenue for compromise, as the target computer is trained to trust the application, Rasch added.
"Hackers have seen the automatic update as one of the Holy Grails of compromise, because it allows you to execute code on many different machines, and even force a reboot of the machine to execute the code," he said. "The digital signatures inherent in most automatic updates have worked pretty well at keeping that threat in abatement. Again, it's a cat and mouse thing. The more networked a machine is, the more vulnerable it is," Rasch noted.
No Wonder We Don't Read Them
EULAs are not negotiated or negotiable, they are rarely read, and they are frequently difficult to obtain, said Rasch. "I just bought an iPhone and couldn't even see the TOS until I opened the box, synched the iPhone and then agreed to the TOS -- and had to pay a restocking fee and activation fee if I disagreed," Rasch commented.
Furthermore, EULAs and TOS almost invariably limit consumer rights, according to Rasch.
"They dictate the remedies the consumer has for breach of contract, limit warranties, limit damages, require arbitration and may require the consumer to pay for arbitration, dictate jurisdiction and venue, allow the drafter of the TOS or EULA to terminate service on their own," he said.
They also allow companies to determine what is acceptable behavior on the part of end users and to determine what to do with users' or consumers' personal information and other data, he continued.
"They also are frequently used to limit consumers' copyright rights and remedies and to expand the copyright holders' rights and remedies," Rasch explained. "Thus, EULAs or TOS may provide for no reverse engineering for any purposes, no access to source code, no alteration or modification even for personal use, no export -- even for personal use -- and may provide things like liquidated damages, injunctive relief or other remedies that are not in the copyright law. ... The Sony/BMG case is a classic example -- embedded EULA in a music CD."
Is Ownership a Thing of the Past?
EULAs and TOS agreements are being used for many things and their use is by no means limited to computer software, Rasch noted. With chips and software embedded in so many everyday consumer products, using those also includes agreeing to EULAs or TOS.
"Examples include buying a printer, or ink for it, or a garage door opener," Rasch said. "You don't just buy the product, you license the embedded software pursuant to a EULA. ... You don't own the book on CD, you license it -- with limitations on your right to share it. The EULA and the DMCA essentially allow a rewrite of the Fair Use Doctrine," he explained.
There are constraints on vendors' willingness and ability to enforce EULA terms too strictly and bring cases to court. The potential to alienate customers is one big constraint.
Also, the vendor, if willing, may have difficulty initiating legal action. "There is a huge difference between having TOS or EULAs, and being able to enforce them," Rasch said.
"First, you have to know of a specific violation by a specific person and then initiate litigation. Most of the time, a 'cease and desist' letter will help ensure compliance," Rasch explained. "The interesting thing about EULAs for software is that they convert an ordinary contract breach claim into a copyright infringement claim in federal court. This is because the copyrighted material is conditioned on agreeing to the EULA, and therefore a breach of contract constitutes an unlicensed use of the copyrighted material, hence an infringement."
Indeed, consumers, as Moore advised, would do well to heed the old market adage, "Caveat emptor, my friend."