April 23, 2014

Taming EULAs

Most software programs, and some websites, are subject to End User License Agreements (EULAs). EULAs are long and detailed and apparently written by lawyer-bots. Almost everybody agrees to them without even reading them. A EULA is a contract, but it’s not the result of a negotiation between the vendor and the user. The vendor writes the EULA, and the user can take it or leave it. Most users just accept EULAs without thinking.

This has led to any number of problems. For example, some EULAs give the software vendors permission to install spyware – and most users never realize they have granted that permission.

Why don’t users pay more attention to EULAs? Rational ignorance is one possibility – it may be that the cost of accepting a bad EULA every now and then is lower than the cost of actually reading EULAs and making careful decisions. If so, then a rational cost-minimizing user won’t read EULAs.

And there are a few oddballs who read EULAs. When these people find a particularly egregious provision, they spread the word. Occasionally the press will report on an extreme EULA. So rationally ignorant consumers get a little information about popular EULAs, and there is some pressure on vendors to keep their EULAs reasonable.

In domains where rational ignorance is common, tools often spring up to help people make decisions that are more rational and less ignorant. If it’s not worth your time to research your senator’s voting record, you can look at how he is rated by the Environmental Defense Fund or the NRA, or you can see who has endorsed him for reelection. None of these sources captures the nuances of an individual voting record. But if you’re not going to spend the time to examine that record, these crude tools can be valuable.

When it comes to EULAs, we don’t have these tools. So let’s create them. Let me suggest two useful tools.

The first tool is a service, provided via a website, that rates EULAs in the same way that political advocacy groups rate legislators. I’m not talking about a detailed explanation – which rationally ignorant users wouldn’t bother to read – but a simple one-dimensional rating, such as a grade on an A-to-F scale. Products whose EULAs get good scores might be allowed to display a trademarked “Our EULA got an A-” logo.

Naturally, reducing a complex EULA to a single rating is an oversimplification. But that’s exactly the point. Rationally ignorant users demand simplification, and if they don’t get it they’ll decide based on no information at all. The site could offer more details for users who want them. But let’s face it: most users don’t.

The second tool is a standardized template for writing EULAs, akin to the structure of Creative Commons licenses. You’d have some core EULA language, along with a set of modules that could be added at the vendor’s discretion. Standardized EULAs can be displayed concisely to the user, by listing the modules that are included. They could be expressed easily in machine-readable form, so various automated tools could be created.

The main benefit of standardization is that users could re-use what they had learned about past licenses, so that the cost of learning about a license could be amortized over more decisions. Standardization would also seem to benefit those companies who have more likable EULAs, since it would help users notice the substantive differences between the EULAs they see.

Will either of these things happen? I don’t know. But I would like to see somebody try them.

Comments

  1. Onorio Catenacci says:

    This is certainly an interesting concept. I would like to see this sort of thing too.

    I used to read and try to understand EULAs till I realized that what may seem like plain language to me may have a whole different meaning when reviewed by lawyers.

    I think this is the nexus of the matter for many of us. We can’t figure out the meaning of the EULAs and we want to use the software so we just consent to whatever they say.

  2. joe says:

    We’re starting to see EULAs in physical objects… ones that apparently you no longer are allowed to “own” but only to “license” along with restrictions on their use…

    http://sims.berkeley.edu/~jhall/nqb/archives/000007.html

  3. Aaron Swartz says:
  4. paul says:

    The first tool is a service, provided via a website, that rates EULAs in the same way that political advocacy groups rate legislators. I’m not talking about a detailed explanation — which rationally ignorant users wouldn’t bother to read — but a simple one-dimensional rating, such as a grade on an A-to-F scale. Products whose EULAs get good scores might be allowed to display a trademarked “Our EULA got an A-” logo.

    I just forwarded this on to a law professor I know who is working on just this: former MSFT attorney, specializing on licensing issues, lots of law review articles on open source and licensing.

  5. Seth Finkelstein says:

    Such a service for EULAs does not exist, because except in egregious cases, they do not differ in any material way.

    And thus, they are standardized. The legalese is just compiled code. You’re saying you want source code instead. That’s pretty simple:

    1) You don’t own this, you only license it
    2) You can’t reverse-engineer it
    3) If it breaks, it’s your own fault, don’t come crying to us.

    Colloquially, that is the “Creative Commons” version of just about every EULA I’ve ever seen.

    The rest is “legal assembly language” and various exception-handling.

    Nobody is going to vary from these conditions, except if they get very bad PR or sued.

  6. Seaan says:

    I’ve recently been thinking about the relationship between contract law (including EULA) and trusted-computing. The obvious connection is that DRM can be used to enforce EULA clauses (ignoring the bugs and side-effects; that was what Intuit tried to do with TurboTax). The crux of the issue is that use of DRM allows companies to “effectively enforce” policies that are not legally enforceable (just like copyright companies can eliminate fair-use using DRM and the DMCA).

    My libertarian fellows tend to see nothing wrong in this, and believe that the “market” will eventually “correct” the problem. In their view, the trusted-computer (DRM) is just enforcing the promises (contracts) made between the two parties. In the very long run they may be right (although a counter-example is that we are still waiting for the market to correct the current EULA abuses); but they are ignoring the reason why the contract clauses would be legally unenforceable in the first place.

    Contract law over the years has built up a lot of “defaults” and “limitations” (IANAL, and I’d be interested in knowing the proper terms for these). Examples of limitations abound; for example, employee non-compete clauses have almost no effect in California. Employers may (and do) still put them in employment contracts, but they have no legal force. Defaults are a bit trickier (both to explain, and to depend upon legally), and are typically fairly specialized. The best known example is probably UCITA, which was an attempt to change the defaults and limitations in contracts involving software.

    These measures serve a very important purpose of curbing the worst abuses of contracts in the past (obviously they are not foolproof, and you can still sign some pretty one-sided legal contracts). They lower the cost of each transaction, and improve market efficiency. Imagine what would happen if every contract you entered into had vast potential negative effects (buying this software gives us the right to impound your car). The average person would need a team of lawyers every time they bought things, and that would have a huge dampening effect upon commerce.

    As it happens now, individuals tend not to use (and maybe not even need) lawyers for very complex transactions (here I’m thinking about buying or selling a house, a process that takes 30-60 minutes just to sign all the papers, to say nothing of legally comprehending them). They recognize that they have little individual bargaining power, but have confidence that the law will protect them from the worst. Contract law (like all law) has a lot of gray areas, but in theory the courts will help protect both sides of the transaction (ignoring the drive toward arbitration clauses, where more than 90% of decisions favor the big company over the small guy).

    The EULA is the “wild west” of contract law. Many of the clauses are still “gray” (either because they have not come up in court or because of contradictory rulings). Companies often put in claims they know are unenforceable, just because they might have some minor benefit when dealing with unknowledgeable customers. They also attempt to hide the EULA, and even change the EULA terms on a regular basis (patch downloads, etc.). A lot of this contract abuse can be safely ignored, so long as they just rely upon the law to enforce it (my favorite example: Microsoft’s patch that claims they have some right to stop me from publishing .Net benchmarks).

    I believe the reason most people have an innate distrust of Trusted-Computing is because of the industry’s bad history of abusive EULA contracts (there are a number of other valid reasons for concern, but I think this is the primary reason that causes us to look for those other negatives). Imagine the abuses that these crazy EULA creators could come up with when they have both trusted-computing and anti-circumvention laws on their side. Personally, at this point, I would not buy a trusted-computing application unless I had a team of lawyers (and most people would need technologists as well) checking it over for loopholes and gotchas.

    The advocates of trusted-computing will find that people have great reluctance to let software companies experiment on them (probably rightfully so, given the historical uses of DRM). EULA abuse is not good for the industry, and frankly the software industry will have to clean up their act before they deserve any trust.

  7. seaan says:

    Funny thing, Seth’s comment on EULA kind of makes my point about why consumers can ignore normal EULAs. His summary of a EULA:

    1) You don’t own this, you only license it

    The “license not sale” statements have only a minor effect. My reading indicates the case law is somewhat contradictory, but for the most part mass transaction defaults make this an invalid clause. In other words you can safely ignore it!

    2) You can’t reverse-engineer it

    The reverse engineering clause also has a mixed history. It typically won’t apply to a shrink-wrap purchase, but can have some legal force in a formal one-on-one purchase contract. Bottom line: get legal help on this one.

    3) If it breaks, it’s your own fault, don’t come crying to us.

    This statement has some legal force, but only up to a point. This is a complex area because different states have different rules. Bottom line, this statement has some legal value but is greatly affected by various defaults and limitations in the law.

    So of the three standard EULA clauses – a consumer could pretty much ignore one; rely upon state laws for another; leaving only a rarely used clause that might cause you to seek the help of a lawyer.

  8. Adam Rice says:

    This is good. Adding specific red flags (e.g. “the InterWeb 3000 license entitles the licenser to collect your liver at any time”) would be helpful.

  9. Andre Lehovich says:

    The Debian Project have an explicit list of guidelines that a program’s EULA must satisfy before they will distribute it.

  10. Bug says:

    Honestly, I don’t read EULAs because I don’t see them having any practical effect on my life. The legal enforceability is dubious at best (in all but two states), and the practical enforceability is even lower. And since we’re typically talking about software that’s $100 or lower, I figure the worst that could happen is the manufacturer gets into a big snit and deactivates my software, and in return I get into a snit and complain to Slashdot.

    If I start buying $1000 software or start reading about people getting sued for millions because they violated a EULA then I’ll change my tune. Until then isn’t it more an academic than a practical question?

  11. Arthur_Dent says:

    The only EULAs I will read are ones from “free” software (non-open source). This software has a higher likelihood that it will contain some right to install spyware/adware that I do not want. If it is a company that I recognize then I blithely click away.

  12. Esme V says:

    Interesting idea, but I don’t think it will make people pay more attention to what is inside a EULA. It is also a daunting project that requires time (and money). I am an intellectual property lawyer so I am one of those few people who actually read the EULA, but more out of curiosity about what software companies are putting in them these days. I do this only for EULAs for novel types of software/services. I learn a lot from them so that when I do draft license agreements for clients, I use the ideas I gleaned from those EULAs.

  13. Steve @ PM-Style.com says:

    This is interesting to me because I’ve been examining alternative regulatory schemes to existing copyright law. One of the questions that comes out of this examination is, “Are there alternative royalty mechanics?”

    In my review of copyright law, I’ve been examining the goals of the legislation in comparison to the economic and social regulatory levers available. When you evaluate the legislative goals against the available mechanisms, one of the big issues for comparison is transactional cost (and who bears it).

    If one could demonstrate a weakness in the transactional cost of the EULAs or in the effectiveness of the EULAs at accomplishing the legislative goals, you could use this in a push for a change in regulatory scheme.

  14. TM Lutas says:

    There are a few problems with a simple rating system. First, unlike political ratings, this is legal advice. Providing legal advice usually comes under more regulations than providing political advice.

    Second, there is a problem that jurisdictions vary. If an egregious EULA clause is legal in your jurisdiction, a particular EULA might rate an F. If the clause is not valid in your jurisdiction, it might rate an A. Thus the same EULA can have various effective ratings based on the applicable jurisdiction (for example, some states don’t allow you to disclaim warranties, others do, and most EULAs have warranty disclaimers).

    Third, how are you going to pay for all this? You need a legal staff to analyze all these contracts and figure out the various license interactions. The situation is only going to get worse as time goes on and licenses proliferate. So where’s the funding going to come from?

    I’ve been thinking for years on how to make just such an organization to do this, but on a somewhat different model. First, forget about a one-letter grade. Instead imagine going through a questionnaire when you sign on for the service (paying a sufficient fee to keep the thing running). You get asked all sorts of common clause questions. When you finish your questionnaire, you start entering in product names. Products with EULAs already analyzed will immediately come up with a response. Product X (like, say, Windows XP Professional) has a EULA with 54 clauses. 37 clauses are green (your questionnaire responses indicate that you would find these acceptable), 5 clauses are yellow (you want these flagged for individual inspection), 4 are red (you said these clauses would be unacceptable) and 2 are white (clauses that are rarities that are not in the standard questionnaire).

    You end up with a color code system that evaluates a EULA in a realistic way, does not impose an organizational opinion, does not provide legal advice but just filters what the client told you he wants, is financially sustainable, and will be a powerful force for eliminating idiotic EULA situations where you can’t read it prior to agreeing to the EULA.

    Why am I not running this business? Insufficient startup capital and lack of a supporting team.

  15. Flit(tm) says:

    Rating EULAs

    Edward Felten talks about creating a EULA rating service. In comments I already spilled the beans on my four odd years of mentally tinkering with just such a service (EF’s got the basics down but his variant won’t work for…

  16. Jay Sulzberger says:

    The Microsoft EULA is not taken seriously by Microsoft. Microsoft, and its partners in a long continued combination in restraint of trade, simply refuse to honor the terms of the EULA, whenever they please. Further, Microsoft and its partners are willing to spend money on lawyers to fight enforcement of the EULA whenever it looks as though a precedent might be set for enforcement of terms that Microsoft and its partners do not like.

    For information please see the transcript of Adam Kosmin’s action for payment of the refund owed him under the refund clause of the Microsoft EULA. A high executive of Toshiba American Information Systems, an arm of Toshiba, came into court and claimed that he had never heard of the Microsoft EULA, which supposedly governs the licensing of every copy of the Microsoft OS in every Toshiba laptop offered by Toshiba for sale to individuals.

    Look for the transcript at

    http://www.windowsrefund.net

    So since it is clear that the EULA does not bind the licensor, it is reasonable of the licensee to ignore it, except in special cases, where the EULA might be enforced against the licensor in ways the licensor would not be cognizant of without reading the EULA.

    If the refund clause of the Microsoft EULA were enforced Palladium would be harder to force into every new home computer.

    Jay Sulzberger
    Member of New Yorkers for Fair Use

  17. brian says:

    As a practical matter, I’m envisioning a standard XML schema for these things, allowing the user to apply his own priorities to the interpretations. For that matter, I’m surprised not to have seen by now the use of XML for composing contracts anyway – all that incorporation by reference, etc. just cries for that kind of a document model.

    Perhaps the attorneys wouldn’t care to have their art reduced to this level?

  18. Freedom to Tinker says:

    Gator’s Egregious EULA

    Ben Edelman offers a nice dissection of the latest End User License Agreement (EULA) from Gator. It has to one of the worst EULAs ever written. Below are some highlights; see Ben’s post if you want more details. [Background about Gator: Many people say…

  19. Copyfight says:

    When EULAs Bite

    Ben Edelman bites back. Later: James Grimmelman: “This agreement, whether characterized as a ‘license’ to use Gator’s copyrighted software or a ‘contract’ between you and Gator, is still a manipulative, low-down, dirty, no-good document.” Later #2: Edw…

  20. Copyfight says:

    Who Let the Dogs Out?

    Edward Felten, responding to Ben Edelman’s analysis of the now notorious Gator spyware End User License Agreement (EULA): There are two solutions to this overEULAfication problem. A court could throw out this kind of egregious EULA, or at least narrow…