Last month I wrote about a dispute between the Federal Trade Commission and a spyware distributor where the FTC alleged that an End User License Agreement, which essentially told downloaders that they were downloading spyware, was a false and deceptive trade practice. Two events cause me to revisit this issue. First, the FTC has gone after another spyware distributor, and second, Sony Corporation has caused the surreptitious installation of a rootkit-type program to enforce its digital rights management on its music CDs, claiming authority to do so under an End User License Agreement.
On November 10, 2005, the FTC filed a lawsuit in federal court in Los Angeles against Enternet Media and others. It was your typical anti-spyware lawsuit - you know, the program was installed without the user's knowledge, added dozens of other programs, captured personal information, was impossible to remove - yadda yadda yadda. This fact was considered to constitute a fraudulent and deceptive trade practice by the FTC. What is interesting in the complaint is the fact that the FTC argues that the terms of Enternet Media's End User License Agreement are not enforceable noting that, "Although the EM defendants do have a EULA, they do not require, let alone encourage, consumers to review it prior to downloading and installing the EM code. The EM defendants' installation boxes, when clicked on, automatically install the EM code, with no requirement that a consumer agree to terms and conditions."
The FTC complaint goes on to note that "[n]or can a consumer, having installed the EM code, reasonably avoid its effects by uninstalling or removing it. In most cases, the EM defendants' own instructions do not remove all of the EM code, and the EM code does not appear in the Add/Remove feature of the Windows operating system. Often, all or some of the EM code remains on consumers' computers even after repeated attempts to uninstall the code." This, among other things, according to the FTC, constituted a deceptive representation about the software.
Sony stands in the spotlight
Of course, no large and reputable company would act this way. Enter the Sony BMG fiasco. As reported in Security Focus Sony made thousands of music CD's with embedded digital rights management code. People thought they were buying a music CD with some sort of copy protection. What they were actually doing was licensing software subject to an End User License Agreement. The terms of the EULA, like those of the spyware distributor cited by the FTC, were not visible simply by playing the music, at least not on regular CD player. The EULA provided that "this CD will automatically install a small proprietary software program (the "SOFTWARE") onto YOUR COMPUTER" but did not describe what the software did, where it was installed, or how to get rid of it. The EULA also provided that your right to listen to the music existed only for as long as you retained possession of the purchased (or more accurately, licensed) CD, that you could only make copies of the CD on personal home computers that you owned (theoretically, leased or borrowed computers were out), that you could not export the software (hence play the music) outside the country, that you agreed to install any updates to the software (sound like spyware?) and that Sony's liability to you was capped at five bucks - irrespective of what the software does. Other fun provisions of the EULA as noted by the Electronic Frontier Foundation include the fact that your right to listen to the music terminates if you file for bankruptcy, that you can't transfer the music on your computer, even with the original CD, and that you can't change, alter, or make derivative works from the music on your computer - all things you ordinarily could do under copyright law.