It Pays To Read License Agreements

I have a deal for you. In exchange for a free piece of software that helps you keep track of your passwords and other log-in information, I’m going to install other programs on your PC that will track your web surfing and display advertising that pops-up on your screen. There will also be other types of ads on your computer based on information we collect.

Does that sound like a good deal to you? Well, if you’re one of the many Windows users who have installed eWallet software from Gain Publishing that’s exactly what you agreed to do. But you already know that because you read the End User License Agreement or “EULA” that was available prior to installing the program. You did read it right? Of course, you did; before you could install the software you had to check a box certifying that you read the agreement. Legally speaking, that’s the same thing as signing a contract with pen and ink.

OK, let’s be honest. You didn’t really read the EULA. How do I know? Because hardly anyone does. To prove that point, PC Pitstop included a clause in one of its own EULAs that promised anyone who read it, a “consideration” including money if they sent a note to an email address listed in the EULA. After four months and more than 3,000 downloads, one person finally wrote in. That person, by the way, got a check for $1,000 proving, at least for one person, that it really does pay to read EULAs.

Is anyone reading this? PC Pitstop offered a financial incentive in its EULA, and it took four months before anyone responded.

Although this is not a scientific sample, it does prove a point. People don’t read EULAs. When we download and install software, we’re usually in a hurry to take advantage of whatever it offers. That EULA is just one more thing to spend time on, and we’re not just talking about a couple of minutes. The December 2004 End User License Agreement that accompanies eWallet and other programs from the GAIN network is 2,550 words long–that’s seven printed pages. To its credit, not everything in Gain’s EULA is in legalese. You don’t have to pay a Harvard law graduate $300 an hour to understand the first paragraph:

“GAIN Publishing offers some of the most popular software available
on the Internet free of charge (“GAIN-Supported Software”) in exchange for your agreement to also install GAIN AdServer software (“GAIN”), which will display Pop-Up, Pop-Under, and other types of ads on your computer based on the information we collect as stated in this Privacy Statement. We refer to consumers who have GAIN on their system as ‘Subscribers.’ “

The rest of GAIN’s EULA is also pretty clear. If you take the time to read it, you’ll realize that you’re giving the company permission to install software that “collects certain non-personally identifiable information about your Web surfing and computer usage.” This, according to the agreement, “includes the URL addresses of the Web pages you view and how long you view Web pages; non-personally identifiable information on Web pages and forms including the searches you conduct on the Internet; your response to online ads; Zip code/postal code; country and city; standard web log information and system settings; what software is on the computer.”

So what’s the harm in collecting “non-personally identifiable information?” After all, isn’t that done all the time? Well, there are certainly examples of such collection. Many legitimate websites, for example, keep track of the number of visitors and where they go to the site. This information is used to inform advertisers about a site’s popularity and to give the site owners a better understanding of what parts of the site are doing well and what sites are now.

Advertisers, of course, want to know how many people have viewed their ad as well as “clickthrough” rates and other information. But there is a big difference between collecting non-personal information about what visitors are doing on your own site and tracking “the URL addresses of the (other) Web pages you view and how long you view Web pages.”Real live brick-and-mortar department stores, for example, do collect statistics about what sections of the store people are visiting, how long they spend there, and what they buy. It’s basic research. But imagine if you visited a store one day and they planted a bug on your person that followed you around to all the other stores you visited?

While they were at it, they tracked your reading behavior, what TV shows you watched, and maybe even who you talked with. They’re not writing down your name, but they are following you around. Would this be legal? It might be if they had you sign a contract specifically allowing it before they let you in the store.

And by the way, they’re not just following you around. They’re also getting in your way, making it harder for you to walk from place to place. Making it harder to start your car and slowing it down once you start it. They might even cause you to stumble now and then. That’s a lot like spyware and adware; it takes up hard drive space, memory, and other resources. Also, it can significantly degrade your Internet connection because spyware is going out over the Internet to get information to display and, in some cases, sending out information from your PC. In other words, it is using your resources–resources that you paid for.

GAIN is far from the only company that asks you to “sign” an agreement with serious implications. Marketscore, which bills itself as an Internet marketing research company, offers a service that, it claims, can speed up your web surfing and protect you from viruses. Whether or not it actually speeds up your service is debatable, but one thing is for sure. If you read Marketscore’s privacy policy you’ll learn that the company “monitors all of your Internet behavior, including both the normal web browsing you perform, and also the activity you may have through secure sessions, such as when filling a shopping basket or filling out an application form that may contain personal financial and health information.”

The company says that it has all sorts of procedures in place to “restrict the third party’s use of the information we provide.” That’s all well and good, but even if the company is as sincere and diligent as it says it is, things can change. And, if the company does decide to change its policy on how it handles personally identifiable information, it “will notify you by posting proposed changes to this Privacy Statement and on our web site.” Those changes “will be effective immediately upon such posting.

And don’t think that can’t happen. Even if the current owners are committed to keeping information private, there is no guarantee that the company won’t be sold. If it goes bankrupt, there is even the possibility of your information being sold to pay off creditors.

You may wonder whether these licenses are legal. Most of them do hold up in court as long as they are reasonably clear, according to Parry Aftab, an attorney specializing in Internet privacy and security law (www.aftab.com). “The courts have said that if you click on something saying ‘I agree’ then it’s legal consent.” There are exceptions, however. “If it’s not legally clear enough, you haven’t given consent to anything because there is no meeting of the minds. It goes back to basis of contract law from 500 years ago. You have to both agree on what you are agreeing on.” In other words, if the agreement is incomprehensible, it may be unenforceable,
according to Aftab.

Another exception has to do with minors. “Kids,” according to Aftab, “are under state contractual age which is sometimes 16 and sometimes 18. If the site requires the person to make an affirmative representation that they are over the age of 18, it may keep the company out of trouble but it’s still not enforceable.”

This is an important distinction because a lot of spyware and adware is bundled with programs that are marketed to children and teenagers.

The fact that a EULA might not be legally enforceable is of little solace because it is being enforced on you whether you like it or not. Once the program is installed on your PC, the damage is being done and it doesn’t even matter if the contract that you or your child agreed to may be invalid. Simply by using your computer, you’re upholding your part of that contract by giving up information.

Attorney Aftab says that even though the courts have ruled on the legality of EULAs, there are still some grey areas that need to be ironed out. And, of course, the courts are basing their rulings on current law. There are some in Congress who alarmed at the growth of spyware and a number of bills have been discussed that could impact the way these EULAs are written, agreed to, and enforced.

In the meantime, it’s “user beware.” A click of the mouse, like a stroke of a pen, can get you into a heap of trouble. Be careful, be aware, and read those EULAs.

Larry Magid is a syndicated technology columnist and broadcaster for two decades and contributes to CBS News, the New York Times, U.S. News & World Report, and other publications.

Stop Responding to Threats.
Prevent Them.

Want to get monthly tips & tricks?

Subscribe to our newsletter to get cybersecurity tips & tricks and stay up to date with the constantly evolving world of cybersecurity.

Related Articles

Botnets, Now What?

Just when I was becoming accustomed to using spyware removal tools and running the occasional Pitstop virus scan (few people keep their antivirus current these days), something new comes along.

Have you ever wondered why your machine seems like it’s operating in mud or is just ignoring you? Well that’s probably because it’s operating just fine for someone else. Yep, we’re talking Botnets. Botnets are using your CPU, draining your memory, just waiting to be told what to do by someone making money from your investment. You don’t mind do you?

Read More

PC Pitstop Top 25 Spyware and Adware

PC Pitstop has long been a source of information about unwanted software and how it spreads. Now we’re using our test results database to give you weekly updates about which programs are the most prolific. The prevalence numbers indicate the percent of PCs tested at PC Pitstop where we detected that file running. Our detection works by file name, so some products may be listed multiple times if they consist of two or more files. To check for spyware, adware, unneeded programs, and many other common PC problems, try PC Pitstop Exterminate or our full system scan.

Read More