The click-wrap conundrum
Mark Rasch, 2005-10-24

Suppose you are setting up a website to deliver the latest software, product, or service. Before the site goes live, you go to your lawyer (of course you do, don't you?) who reviews your online privacy policy, your online security policy, and your policy regarding collecting information from or about children. Your lawyer reviews the site overall for anything that might be considered or interpreted as a fraudulent or deceptive practice. Of course, if it were up to lawyers, the only content on the Internet would be in the form of disclaimers.

In turn, your lawyer helps you draft an End User License Agreement (EULA) which covers the terms and conditions under which a user may download and use the content of the site or the software that you are making available.

Of course, since you and your organization are the ones who wrote the EULA, it essentially says that you make no representations about whether the software will work or whether it is fit for any particular or specific use, that it may crash the downloader's hard drive and erase all the data, and that the downloader not only agrees not to sue you (and specifically agrees to lawsuits only in the Cayman Islands, for example, and only in the winter) but also agrees to indemnify and hold you harmless if you are sued by anyone else. Then there is a note in 8-point typeface that says, "by downloading this software [or using the website] you are agreeing to abide by these terms and conditions."

Are you bound by this EULA? A recent lawsuit by the U.S. Federal Trade Commission against purveyors of spyware essentially argues that you may not be.

Spyware EULA examples

On October 6, 2005, the United States Federal Trade Commission initiated a civil action in New Hampshire against a company called Odysseus Marketing, Inc. and its owner Walter Rines for distributing spyware which inserted itself into people's computers when they thought they were installing a type of P2P software. The software captured personal information, and was essentially difficult if not impossible to remove - typical spyware. Users were enticed to download a program called "Kazanon," which would allow you to use any peer-to-peer file sharing utility anonymously. It promoted the service by saying, "don't let the record companies win." The website prompted the user to download an executable file, and required users to check a box agreeing to the "Terms and Conditions" contained on a hyperlink to the download page. The website allowed but did not require users to click on the Terms and Conditions, but did require that users agree to them before downloading.

The FTC has gone after spyware distributors before. For example, in another case the agency alleged that a company engaged in "drive-by" downloads to install its software without consumer consent, and it has also alleged that software that installs adware and pop-ups and collects personal information was unfair. Finally, the FTC has alleged in two cases that by distributing spyware and then charging $30 to $40 for software to remove that spyware, spyware purveyors were engaged in "extortion." In addition, last week the New York Attorney General reached a settlement with a spyware distributor requiring that it cease and desist distribution. What makes this case different is the existence of a pretty explicit software license agreement.

Here is the problem. The "Terms and Conditions" of the End User License Agreement (EULA) on the website contained statements like "the user understands... and gives express permission…for the application and/or associated components to collect personal information, including but not limited to, name, demographic data, interests, profession, education, marital status, sex, age, income, and any other information Odysseus Marketing, Inc. decides to collect regarding user, at its sole discretion." The user also acknowledges that the program will download other programs, that it will communicate with other programs, and that it will alter Internet browsing and computer user experiences "in a manner acceptable to Odysseus Marketing," including things like changing search engine results, displaying pop-up ads, changing home pages, adding bookmarks, and any other alterations or modifications. Oh, and as a final matter, the EULA on the Terms and Conditions page also said that the software probably wouldn't make them anonymous anyway. The EULA might just as well have read "abandon all hope ye who download this."

Story continued on Page 2 

Mark D. Rasch is an attorney and technology expert in the areas of intellectual property protection, computer security, privacy and regulatory compliance. He formerly worked at the Department of Justice, where he was responsible for the prosecution of Robert Morris, the Cornell University graduate student responsible for the so-called Morris Worm and the investigations of the Hannover hackers featured in Clifford Stoll’s book, "The Cuckoo’s Egg."
Copyright 2010, SecurityFocus