Hard to believe it has been 4 years since one lucky PC Pitstop Optimize user won $1,000 by simply reading our End-User License Agreement (EULA)!
Our EULA had a clause offering money to anyone who contacted us, but it took five months and more than 3,000 sales before the first person, Doug Heckman, dropped us a line asking about the clause.
Larry Magid, our guest columnist who authored the original article of the danger of unread EULAs (below) – brought this experiement up again in his December 13th column about Facebook privacy.
Original PC Pitstop article published in Feb 2005
It Pays To Read License Agreements
by Larry Magid
I have a deal for you.
In exchange for a free piece of software that helps you keep
track of your passwords and other log on information,
I’m going to install other programs on your PC that will track your web
surfing and display advertising that pops-up on your screen.
There will also be other types of ads on your computer based on information we collect.
Does that sound like a good deal to you? Well, if you’re one of the many Windows
users who have installed eWallet software from Gain Publishing that’s exactly what you
agreed to do. But you already know that because you read the End User License Agreement
or “EULA” that was available prior to installing the program. You did read it right? Of
course you did; before you could install the software you had to check a box
certifying that you read the agreement.
Legally speaking, that’s the same thing as signing a contract with pen and ink.
OK, let’s be honest. You didn’t really read the EULA.
How do I know? Because hardly anyone does.
To prove that point, PC Pitstop included a clause in one of its own
EULAs that promised anyone who read it, a “consideration” including money
if they sent a note to an email address listed in the EULA.
After four months and more than 3,000 downloads, one person finally wrote in.
That person, by the way, got a check for $1,000 proving, at least for one person,
that it really does pay to read EULAs.
Is anyone reading this? PC Pitstop offered a financial incentive in its EULA,
and it took four months before anyone responded.
Although this is not a scientific sample, it does prove a point.
People don’t read EULAs.
When we download and install software, we’re usually in a hurry to take advantage
of whatever it offers.
That EULA is just one more thing to spend time on, and we’re
not just talking about a couple of minutes.
The December 2004 End User License agreement
that accompanies eWallet and other programs from the GAIN network
is 2,550 words long–that’s seven printed pages.
To its credit, not everything in Gain’s EULA is in legalese.
You don’t have to pay a Harvard law graduate $300 an hour to understand the first paragraph:
“GAIN Publishing offers some of the most popular software available
on the Internet free of charge (“GAIN-Supported Software”) in exchange for
your agreement to also install GAIN AdServer software (“GAIN”), which will
display Pop-Up, Pop-Under, and other types of ads on your computer based
on the information we collect as stated in this Privacy Statement.
We refer to consumers who have GAIN on their system as ‘Subscribers.’ ”
The rest of GAIN’s EULA is also pretty clear. If you take the time to read it, you’ll realize that you’re giving the company permission to install software that “collects certain non-personally identifiable information about your Web surfing and computer usage.” This, according to the agreement, “includes the URL addresses of the Web pages you view and how long you view Web pages; non-personally identifiable information on Web pages and forms including the searches you conduct on the Internet; your response to online ads; Zip code/postal code; country and city; standard web log information and system settings; what software is on the computer.”
Gator’s eWallet EULA is contained in this small box but it is 7 printed pages long.
So what’s the harm in collecting “non-personally identifiable information?”
After all, isn’t that done all the time?
Well there are certainly examples of such collection.
Many legitimate web sites, for example, keep track of the number of
visitors and where they go the site.
This information is used to inform advertisers about a site’s popularity
and to give the site owners a better understanding of what parts of
the site are doing well and what sites are now.
Advertisers, of course, want to know how many people have viewed
their ad as well as “clickthrough” rates and other information.
But there is a big difference between collecting non-personal information
about what visitors are doing on your own site and tracking
“the URL addresses of the (other) Web pages you view and how long you view Web pages.”
Real live brick and mortar department stores, for example, do collect statistics
about what sections of the store people are visiting, how long they spend
there and what they buy. It’s basic research.
But imagine if you visited a store one day and they planted a bug on your
person that followed you around to all the other stores you visited?
While they were at it, they tracked your reading behavior,
what TV shows you watched and maybe even who you talked with.
They’re not writing down your name, but they are following you around.
Would this be legal? It might be, if they had you sign a contract specifically
allowing it before they let you in the store.
And by the way, they’re not just following you around.
They’re also getting in your way, making it harder for you to walk from place to place.
Making it harder to start your car and slowing it down once you start it.
They might even cause you to stumble now and then.
That’s a lot like spyware and adware; it takes up hard drive space, memory,
and other resources.
Also, it can significantly degrade your Internet connection because spyware is
going out over the Internet to get information to display and, in some cases,
sending out information from your PC.
In other words, it is using your resources–resources that you paid for.
GAIN is far from the only company that asks you to “sign” an agreement with
serious implications.
Marketscore, which bills itself as an Internet marketing research company,
offers a service which, it claims, can speed up your web surfing
and protect you from viruses.
Whether or not it actually speeds up your service is debatable, but one thing is for sure.
If you read Marketscore’s privacy policy you’ll learn that the company
“monitors all of your Internet behavior, including both the normal
web browsing you perform, and also the activity you may have through
secure sessions, such as when filling a shopping basket or filling out an
application form that may contain personal financial and health information.”
The company says that it has all sorts of procedures in place to
“restrict the third party’s use of the information we provide.”
That’s all well and good, but even if the company is as sincere and diligent
as it says it is, things can change.
And, if the company does decide to change its policy on how it handles
personally identifiable information, it “will notify you by posting proposed
changes to this Privacy Statement and on our web site.”
Those changes “will be effective immediately upon such posting.
And don’t think that can’t happen.
Even if the current owners are committed to keeping information private,
there is no guarantee that the company won’t be sold.
If it goes bankrupt, there is even the possibility of your information
being sold to pay off creditors.
You may wonder whether these licenses are legal. Most of them do
hold up in court as long as they are reasonably clear, according to Parry Aftab, an
attorney specializing in Internet privacy and security law
(www.aftab.com).
“The courts have said that if you click on something saying ‘I agree’ then it’s legal consent.”
There are exceptions however.
“If it’s not legally clear enough, you haven’t given consent to anything
because there is no meeting of the minds.
It goes back to basis of contract law from 500 years ago.
You have to both agree on what you are agreeing on.”
In other words, if the agreement is incomprehensible, it may be unenforceable,
according to Aftab.
Another exception has to do with minors.
“Kids,” according to Aftab, “are under state contractual age which is sometimes
16 and sometimes 18.
If the site requires the person to make an affirmative representation
that they are over the age of 18, it may keep the company out of trouble
but it’s still not enforceable.”
This is an important distinction because a lot of spyware and adware is
bundled with programs that are marketed to children and teenagers.
The fact that a EULA might not be legally enforceable is of little solace
because it is being enforced on you whether you like it or not.
Once the program is installed on your PC, the damage is being done and
it doesn’t even matter if the contract that you or your child agreed to may be invalid.
Simply by using your computer, you’re upholding your part of that contract
by giving up information.
Attorney Aftab says that even though the courts have ruled on the legality of EULAs,
there are still some grey areas that need to be ironed out.
And, of course, the courts are basing their rulings on current law.
There are some in Congress who alarmed at the growth of spyware and a
number of bills have been discussed that could impact the way these EULAs are written,
agreed to and enforced.
In the mean time, it’s “user beware.”
A click of the mouse, like a stroke of a pen, can get you into a heap of trouble.
Be careful, be aware and read those EULAs.
Larry Magid is a syndicated technology columnist and broadcaster for two decades,
and contributes to CBS News, the New York Times, U.S. News & World Report
and other publications.