Suppose you are setting up a website to deliver the latest software, product, or service. Before the site goes live, you go to your lawyer (of course you do, don't you?) who reviews your online privacy policy, your online security policy, and your policy regarding collecting information from or about children. Your lawyer reviews the site overall for anything that might be considered or interpreted as a fraudulent or deceptive practice. Of course, if it were up to lawyers, the only content on the Internet would be in the form of disclaimers.
In turn, your lawyer helps you draft an End User License Agreement (EULA) which covers the terms and conditions under which a user may download and use the content of the site or the software that you are making available. Of course, since you and your organization are the ones who wrote the EULA, it essentially says that you make no representations about whether the software will work, that it is fit for any particular or specific use, that it may crash the downloader's hard drive, erase all the data, and that not only do they agree not to sue you (and specifically agree to lawsuits only in the Cayman Islands, for example, and only in the winter) but also that the downloader agrees to indemnify and hold you harmless if you are sued by anyone else. Then there is a note in 8-point typeface that says, "by downloading this software [or using the website] you are agreeing to abide by these terms and conditions."
Are you bound by this EULA? A recent lawsuit by the U.S. Federal Trade Commission against purveyors of spyware essentially argues that you may not be.
Spyware EULA examples
On October 6, 2005, the United States Federal Trade Commission initiated a civil action in New Hampshire against a company called Odysseus Marketing, Inc. and its owner Walter Rines for distributing spyware which inserted itself into people's computers when they thought they were installing a type of P2P software. The software captured personal information, and was essentially difficult if not impossible to remove - typical spyware. Users were enticed to download a program called "Kazanon," which would allow you to use any peer-to-peer file sharing utility anonymously. It promoted the service by saying, "don't let the record companies win." The website prompted the user to download an executable file, and required users to check a box agreeing to the "Terms and Conditions" contained on a hyperlink to the download page. The website allowed but did not require users to click on the Terms and Conditions, but did require that users agree to them before downloading.
The FTC has gone after spyware distributors before. For example, in another case the agency alleged that a company engaged in "drive-by" downloads to install its software without consumer consent, and it has also alleged that software that installs adware and pop-ups and collects personal information was unfair. Finally, the FTC has alleged in two cases that by distributing spyware and then charging $30 to $40 for removal software to remove that spyware, spyware purveyors were engaged in "extortion." In addition, last week the New York Attorney General reached a settlement with a spyware distributor requiring that it cease and desist distribution. What makes this case different is the existence of a pretty explicit software license agreement.
Here is the problem. The "Terms and Conditions" of the End User License Agreement (EULA) on the website contained statements like "the user understands... and gives express permission for the application and/or associated components to collect personal information, including but not limited to, name, demographic data, interests, profession, education, marital status, sex, age, income, and any other information Odysseus Marketing, Inc. decides to collect regarding user, at its sole discretion." The user also acknowledges that the program will download other programs, that it will communicate with other programs, that it will alter Internet browsing and computer user experiences "in a manner acceptable to Odysseus Marketing" including things like changing search engine results, displaying pop-up ads, changing home pages, adding bookmarks, and any other alterations or modifications. Oh, and as a final matter, the EULA on the Terms and Conditions page also said that the software probably wouldn't make them anonymous anyway. The EULA might just as well have read "abandon all hope ye who download this."
The FTC's enforcement action alleges that the company failed to adequately disclose the fact that downloading the program would also install other programs, that it could not be uninstalled, and that it frankly didn't actually work as an anonymizer at all. For their efforts, I applaud them. I personally hate spyware, and currently have three different anti-spyware programs running on my home PC (please don't challenge their effectiveness - I have enough problems.) But the FTC's enforcement actions do raise the question of what every company can - and cannot - put into the terms of an End User License Agreement, and whether users who agree to terms and conditions can escape their provisions just by asserting that they didn't read them, or that they are unfair.
Some observations about EULAs
First, nobody put a gun to the downloader's head and forced them to download the executable. In fact, based on the advertised purpose of the program, those who did think it actually worked likely wanted the software so they could illegally get copyrighted digital content (such as music, movies, and so on) without fear of the RIAA and MPAA. It's like buying one of those "brand new" Rolex watches out of the back of a truck for $20, and then complaining that it isn't genuine.
Second, and as a general matter, either the terms of a EULA are enforceable or they are not. In other words, either there was a contract or there wasn't. Look, if I want to install software that goobers up my machine, shouldn't I be allowed to do so? People "give away" personal information all the time, both with and without consent. If I want to install software that acts as a key logger and downloads all sorts of other programs, plus is impossible to remove and doesn't really do what is advertised, why can't I do that? If I wanted to sell such a program (or give it away) how would I notify customers?
Let's face it. People don't read EULAs. Lawyers don't read EULAs. EULAs are next to impossible to read. Yet they set out all the terms and conditions for the use of the software, and have generally been found to be enforceable, unless the terms of the agreement are "unconscionable" or void against public policy. There is nothing here to suggest that the voluntary download of a program which does exactly what the EULA says it will do is against public policy. Indeed, the Odysseus EULA is more explicit about what the program does than are most commercial software EULAs. There is nothing in, for example, the Microsoft Windows XP Home EULA that gives me any idea what the software does, or how to remove its components.
The FTC's apparent insistence that the terms of the clickwrap agreement not be enforced can effectively eviscerate the ability of companies to contract online. For example, America Online just announced a change in its privacy policy allowing it to capture all the places the user goes online and what the user does as a means of providing "enhanced service" to the customer. Would such a policy be deceptive or unfair? Isn't my recourse to simply find another ISP? If the Terms and Conditions are unfairly hidden, difficult to find, or impossible to understand (aren't they all? After all, they are written by lawyers) then they may be unenforceable. Unfortunately, this is not what the courts have been saying.
The fact that you didn't understand what you were doing by downloading and installing the software doesn't mean you weren't bound. After all, how many consumers understand the difference between mandatory arbitration and mediation, or choice of law and choice of venue?
The crunchy frog analogy
In an old Monty Python sketch, two constables complain to the manufacturer of the Whizzo Quality Chocolate Assortment about the unfair sale of such confections as "spring surprise," which causes springs to shoot out of the consumer's cheeks, and "crunchy frog" made from "the finest baby frogs," as well as the ram's bladder cup, made with "lark's vomit." Despite the fact that "lark's vomit" appears on the list of ingredients on the bottom of the box (right next to MSG), the chief Inspector says, "I think it would be more appropriate if the box bore a large red label -- WARNING LARK'S VOMIT."
What the FTC is really saying in these spyware prosecutions is that there are some things software does that are so dangerous and malicious that mere notice or ability to be aware of the fact that it does these things is not enough. Essentially, there should be a large red label stating "WARNING - SPYWARE. THIS WILL DESTROY YOUR COMPUTER AND POSSIBLY YOUR LIFE" which should appear before you download, and then again before you install the software and ask you five times in 12 different languages, "Do you agree?" and "Are you sure?" Even then, you know that people will still download and install the stuff. The real problem here is that it is possible to demonstrate assent to the terms of a EULA, but not true consent. And this problem exists for all people who want to contract online.
Finally, there was one dead giveaway for anyone who downloaded software from Odysseus Marketing, Inc.: the origin of the company name itself. As any follower of Homer can tell you, Odysseus (Ulysses) was the guy who came up with the idea of a particularly nasty contraption called the Trojan horse.