The click-wrap conundrum
Mark Rasch, 2005-10-24

Suppose you are setting up a website to deliver the latest software, product, or service. Before the site goes live, you go to your lawyer (of course you do, don't you?), who reviews your online privacy policy, your online security policy, and your policy regarding collecting information from or about children. Your lawyer also reviews the site overall for anything that might be considered or interpreted as a fraudulent or deceptive practice. Of course, if it were up to lawyers, the only content on the Internet would be in the form of disclaimers.

Re: The click-wrap conundrum 2005-11-04
Roger
Interesting points Dan.

I have also often doubted that click-wrapping even indicates assent. There are two problems. The first is that in most cases, I've already paid for the software before I even get a chance to view the EULA. Now IANAL but I do recall from a civics class long ago that conditions written on the back of a car park receipt (consisting of a disclaimer of any and all liability) were held to be unenforceable when someone's car was destroyed (by a collapsing wall, IIRC) because they were not part of the contract, being visible only after the contract had been completed. It seems to me that the same thing applies to click wrapping; I'm not entering a contract when I click on the little button, I already entered it when the cashier took my money.

The second problem is that there is absolutely no evidence that I did indicate assent by clicking anyway. When a contract is "signed, sealed and delivered", my signature is taken as evidence of assent because of at least three factors:
a) it is generally understood, or should be understood, that signing a contract indicates assent to it;
b) my signature cannot be formed involuntarily; and
c) it is presumed very difficult for my signature to be made except by me.
Thus the presence of my signature indicates (with high probability) that I made the signature, that I did so deliberately, and that I understood, or should have understood, that by doing so I was assenting to a contract.

All of these conditions fail in the case of click-wrap EULAs:
a) they are extremely confusing and generally not well understood in our culture. Many people of normal intelligence but limited technical skills are in the same position as a simpleton signing a paper contract; having no ability to understand what is going on they can hardly be claimed to be assenting to it. This is particularly the case with EULAs which are not even displayed unless you take some additional action.
b) worse, there is no strong relationship between my will and what happens on my computer! A button could be "clicked" due to a hardware or software flaw. It could be clicked by malicious software. Some EULAs even have the ability to ignore the whole clicking process if started in a particular way (generally called "unattended mode" or something similar). The mere fact that the software has installed cannot be taken as evidence that I intended to indicate assent by clicking on a button.
c) Worse and worse, even if the button was clicked by a person, it could have been anyone. On the overwhelming majority of modern computers there is simply no way of indicating, even in a general way, who clicked the button. Even if the operating system has a strong multi-user security setup, I know of no EULAs that actually bother to record who was logged in at installation time -- indeed, on such systems it is usually necessary to change accounts to the (effectively anonymous) administrative account in order to install software. And even if the system is locked down, the software is installed under a particular user, and the installer logs which account was active when the EULA was clicked, even in that case the evidence is weak that I was the person who did the clicking. I might have left my desk for a second, and a coworker who disliked me decided that it would be amusing to install some filthy spyware on my machine. In short, unlike paper signatures, impersonation is often trivial.

So all in all, I can't see how a EULA is worth the paper it's written on.


Link to this comment: http://www.securityfocus.com/comments/columns/365/32626#32626
Copyright 2009, SecurityFocus