September 20, 2020

Virus With a EULA

Rob Lemos at reports on a new “greeting card” virus that protects its author by using a EULA (End User License Agreement):

The FriendGreetings electronic greeting card has all the hallmarks of a mass-mailing computer virus.

The e-mail misleads a victim into downloading an application–ostensibly to view a Web card–and then sends itself to every e-mail address in the victim’s Outlook contacts file. At least a few systems administrators have complained in Usenet postings that the mass-mailing e-card was to blame for swamping their network.

Yet the creators–Permissioned Media, a company apparently based in Panama–will be hard to prosecute: The viral card is protected by a license agreement that tricks unsuspecting users into clicking “Yes” and consenting to have the program send itself to all their e-mail contacts.

This exploits the well-known fact that people don’t actually read EULAs, but just click “I Accept.”

The theory underlying the validity of long, hard-to-read EULAs (if indeed they are valid) is that companies that use misleading EULAs will get bad publicity – if BadCorp’s EULAs are evil, somebody will notice this, and when this information is spread BadCorp will lose business. This is all well and good when BadCorp is a company that wants to do business for an extended period.

This virus-with-a-EULA is a challenge to that theory. The virus spreads so rapidly that it does all of its damage before the news about the bad EULA can spread. And the virus’s author is a company that nobody has ever heard of. Having spread the virus, the author-company can close up shop, so the damage to its reputation doesn’t matter.

If the law says that this kind of EULA actually makes a virus legal, then we’re in a tough spot. We can ask every user to read, understand, and evaluate every EULA he sees. But that’s not going to happen. People can decide not to accept EULAs, except those from well-known companies. That isn’t a very satisfying answer either. Or people can settle on a few standardized EULAs, and we can rely on software tools to recognize non-standard EULAs so that we can reject them.

This recapitulates a debate that the research community had about mobile code security. The problem there is that little programs are arriving on people’s computers, and somebody has to decide what those programs are allowed to do. One approach is just to ask the user to decide in every case; but users get “dialog box fatigue” and start agreeing to everything without reading it. Another method is to apply a standardized one-size-fits-all policy to all programs, but that policy is either too restrictive for legitimate programs, or too lax for malicious programs, or both. In the end, no fully satisfactory solution was found, but everybody agreed that a well-engineered system would limit the harm that bad programs could do. How to apply that lesson to the EULAs isn’t immediately clear.