Dangerous Terms: A User's Guide to EULAs
By Annalee Newitz
We've all seen them – windows that pop up before you install a new piece of software, full of legalese. To complete the install, you have to scroll through 60 screens of dense text and then click an "I Agree" button. Sometimes you don't even have to scroll through to click the button. Other times, there is no button because merely opening your new gadget means that you've "agreed" to the chunk of legalese.
They're called End User License Agreements, or EULAs. Sometimes referred to as "shrinkwrap" or "click-through" agreements, they are efforts to bind consumers legally to a number of strict terms – and yet you never sign your name. Frequently, you aren't even able to see a EULA until after you've purchased the item it covers.
Although there has been some controversy over whether these agreements are enforceable, several courts have upheld their legitimacy.1 These days, EULAs are ubiquitous in software and consumer electronics -- millions of people are clicking buttons that purport to bind them to agreements that they never read and that often run contrary to federal and state laws. These dubious "contracts" are, in theory, one-on-one agreements between manufacturers and each of their customers. Yet because almost every computer user in the world has been subjected to the same take-it-or-leave-it terms at one time or another, EULAs are more like legal mandates than consumer choices. They are, in effect, changing laws without going through any kind of legislative process. And the results are dangerous for consumers and innovators alike.
It's time that consumers understood what happens when they click "I Agree." They may be inviting vendors to snoop on their computers, or allowing companies to prevent them from publicly criticizing the product they've bought. They also click away their right to customize or even repair their devices. This is a guide for the "user" in EULA, the person who stands to lose the most by allowing companies to assert that these click-through agreements count as binding contracts.
Common EULA Terms That Harm Consumers
There are countless terms written into EULAs that could potentially harm consumers, or that may be downright unlawful. Here we offer an overview of some of the most common of these terms, and include sample legal language to help consumers become more EULA-savvy.
1. "Do not criticize this product publicly."
Hidden within the terms of many EULAs are often serious demands asking consumers to sign away fundamental rights. Many agreements on database and middleware programs forbid the consumer from comparing his or her product with another and publicly criticizing the product. This obviously curtails free speech2, and makes it more difficult for consumers to get accurate information about what they're buying by inhibiting professional watchdog groups like Consumer Reports from conducting independent reviews.
How does this happen? People click "I Agree" to EULAs that attempt to forbid "benchmarking" -- the process of measuring the performance of hardware or software in a controlled and defined environment. McAfee (a.k.a. Network Associates) was sanctioned in 2003 for including in its EULA the condition, "The customer shall not disclose the results of any benchmark test to any third party without Network Associates' prior written approval."3 And yet anti-benchmarking and anti-public criticism terms exist in many EULAs to this day.
According to terms in several Microsoft EULAs, including those for MS XML and the SQL Server, you "may not without Microsoft's prior written approval disclose to any third party the results of any benchmark test."4 Similar terms appear in EULAs for countless other applications, including one for the VMware Desktop Software, which reads, "You may not disclose the results of any benchmark test of the Software to any third party without VMware's prior written approval."5
Not only do terms like these prevent people from engaging in free speech, but they also undermine fair competition in the marketplace. Microsoft, for example, can publish benchmarks comparing its database products to open source alternatives. And yet their EULA terms suggest that the authors of open source products cannot publish the results of their own comparisons. What this means is that the only information consumers have access to is extremely one-sided and potentially biased.
2. "Using this product means you will be monitored."
Many products come with EULAs with terms that force users to agree to automatic updates – usually by having the computer or networked device contact a third party without notifying the consumer, thus potentially compromising privacy and security.6
Section 2.1 of the Windows XP Home Edition EULA7 includes a Digital Rights Management (DRM) Notice, which contains the following terms:
"If the DRM Software's security has been compromised, owners of Secure Content ("Secure Content Owners") may request that Microsoft revoke the DRM Software's right to copy, display and/or play Secure Content. Revocation does not alter the DRM Software's ability to play unprotected content. A list of revoked DRM Software is sent to your computer whenever you download a license for Secure Content from the Internet. You therefore agree that Microsoft may, in conjunction with such license, also download revocation lists onto your computer on behalf of Secure Content Owners."
Note that by clicking through the EULA for Windows XP, you are also agreeing to let Microsoft download software onto your computer on behalf of third parties, identified only as the "Secure Content Owners."
The Windows license, however, is less invasive than the terms of Pinnacle's Studio 9 movie-making software. See the DRM-related provisions in Section 6 of the Pinnacle EULA8:
"You acknowledge and agree that in order to protect the integrity of certain third party content, Pinnacle and/or its licensors may provide for Software security related updates that will be automatically downloaded and installed on your computer. Such security related updates may impair the Software (and any other software on your computer which specifically depends on the Software) including disabling your ability to copy and/or play 'secure' content, i.e. content protected by digital rights management."
Clicking through this EULA appears to allow Pinnacle to install software automatically from third parties onto your computer – software which the vendor admits may "impair" the program ("the Software") you have just purchased, as well as "any other software on your computer which specifically depends on the Software."
Another disturbing "automatic update" style term appears in McAfee's EULA – it's an automatic subscription renewal clause which says that the company might just charge your credit card an "automatic" fee when your subscription runs out. Agreeing to this EULA seems to mean you may be a McAfee subscriber forever: "Upon expiration of your subscription to the Software, the Company may automatically renew your subscription to the Software at the then prevailing price using credit card information you have previously provided."9
3. "Do not reverse-engineer this product."
Some EULA terms harm people who want to customize their technology, as well as inventors who want to create new products that work with the technology they've bought. "Reverse-engineering," which is often forbidden in EULAs, is a term for taking a machine or piece of software apart in order to see how it works. This kind of tinkering is explicitly permitted by federal law – it is considered a "fair use" of a copyrighted item. Courts have held that the fair use provisions of the US Copyright Act allow for reverse-engineering of software when the purpose is to create a non-infringing interoperable program.10
And yet, most EULAs take away the rights granted by this federal sanction. This has far-reaching implications. Without reverse-engineering, consumers are unable to tailor software and devices to their liking – they can't create a custom version of a gadget so that it can work with other electronics they own. They can't turn off features that they don't like. Even worse, EULAs that forbid reverse-engineering also threaten healthy competition in the marketplace by forbidding people from creating innovative new products that enhance older ones. Essentially, these terms create consumer lock-in – you must use the product as-is, without any modifications, and no one else may develop add-ons to the product that you might enjoy.
Consider this EULA from Intel, which states simply, "You may not reverse engineer, decompile, or disassemble the Software."11 Napster users must click through a similar EULA that advises they are not to "modify, alter, decompile, disassemble, reverse engineer or emulate the functionality, reverse compile or otherwise reduce to human readable form, or create derivative works of the Software without the prior written consent of Napster or its licensors, as applicable."12 These kinds of anti-reverse-engineering clauses – which are incredibly common – seek to undermine the lawfulness of many types of reverse-engineering,13 and thus wind up discouraging innovation, creativity, and exploration.
Section 4 of the Windows XP Home Edition EULA14 manages to acknowledge federal copyright law while nevertheless trying to impress upon consumers that they really shouldn't reverse-engineer anyway:
"LIMITATIONS ON REVERSE ENGINEERING, DECOMPILATION, AND DISASSEMBLY. You may not reverse engineer, decompile, or disassemble the Software, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation."
Here, Microsoft has expressly nodded to fair use protections for reverse-engineering, but unless those reading the EULA are familiar with how "such activity" is "permitted by applicable law," they are likely to get the impression that most kinds of tinkering are unlawful.
4. "Do not use this product with other vendors' products."
Vendors use EULAs to make consumers agree that they won't use products that evaluate the performance of the software they've bought, or that can be used to uninstall all or part of the program. Essentially, clicking "I Agree" to such a EULA means that you're not supposed to reconfigure your computer to touch or remove the software you've just installed. These kinds of EULA terms have become popular lately because many vendors support free versions of their products by packaging them with third-party programs that serve ads or gather information about consumer habits for marketing companies. If users uninstalled such ride-along programs at will, the vendors might lose revenue. For example, Claria (formerly Gator) is a company that delivers pop-up ads and pays to have its GAIN software bundled in free versions of popular file-sharing program Kazaa. The Claria EULA warns:
You agree that you will not use, or encourage others to use, any unauthorized means for the removal of the GAIN AdServer, or any GAIN-Supported Software from a computer . . . Any use of a packet sniffer or other device to intercept or access communications between GP and the GAIN AdServer is strictly prohibited.15
In other words, users are threatened with a suit if they use "unauthorized" programs to remove Claria's product.16 Also, users are told not to use a common network diagnostic tool, the packet sniffer, to figure out what kinds of actions the GAIN AdServer is taking on the network, even if their intent is to fix a problem with their computer or their network. Worst of all, the EULA actually claims to prohibit the user from "encouraging" others to use removal programs, meaning that according to Claria, even suggesting to a friend that use of such a program might improve their computer performance is illegal.
Kazaa echoes these terms when it warns users that they can't use products that might "monitor or interfere" with the operations of Kazaa's software:
You may not use, test or otherwise utilize the Software in any manner for purposes of developing or implementing any method or application that is intended to monitor or interfere with the functioning of the Software.17
What this means is that you can't run any programs (like packet sniffers) that analyze the performance of Kazaa, evaluate what it's doing, or change the way it operates on your computer. Kazaa reserves the right to tell you what you can and cannot do with the program on your own machine.
5. "By signing this contract, you also agree to every change in future versions of it. Oh yes, and EULAs are subject to change without notice."
In its Service Agreement for iTunes, Apple informs consumers:
Apple reserves the right, at any time and from time to time, to update, revise, supplement, and otherwise modify this Agreement and to impose new or additional rules, policies, terms, or conditions on your use of the Service. Such updates, revisions, supplements, modifications, and additional rules, policies, terms, and conditions (collectively referred to in this Agreement as "Additional Terms") will be effective immediately and incorporated into this Agreement. Your continued use of the iTunes Music Store following will be deemed to constitute your acceptance of any and all such Additional Terms. All Additional Terms are hereby incorporated into this Agreement by this reference.18
Put simply, this means that when you install iTunes, you are not only agreeing to all the onerous terms in the box, but you are also agreeing to future terms that may appear in the iTunes Terms of Service months or years from now. These terms are subject to change without notice, and you don't even get a chance to click through this future "contract" and agree. Mere "continued use of the iTunes Music Store" constitutes your agreement to contractual terms that you may not be aware exist. These kinds of terms are ubiquitous in EULAs and in Terms of Service for countless products.
Even the Mirar Toolbar, an advertising program similar to Gator, has these terms in its EULA. Agreeing to the EULA, which "will be changed without further notice," covers any future changes in terms:
Installation and use of this software signifies acceptance of the EULA inclusive of any future updates.19
6. "We are not responsible if this product messes up your computer."
The disclaimer of liability for faulty software is perhaps the most important function of a EULA from the manufacturer's perspective. And it's bad news for the consumer. This term purports to supplant traditional consumer protection and products liability law. Clicking yes on EULAs containing this common clause means that the consumer cannot file class-action lawsuits against the vendor for faulty products, or for products that do not do all the things that the company advertised they would.
This kind of agreement would seem absurd if applied to other kinds of consumer electronics. If you buy a microwave, there's a large body of common law and statute that gives you rights against its manufacturer if it blows up, burns you, or singes your countertop. You can hold the manufacturer liable for "foreseeable" malfunctions or injuries, or for the product's failure to work as advertised. But if you buy a piece of software, the EULA often disclaims all that prior law, without putting alternate consumer protections in its place.
Here is a typical clause, from the Windows XP EULA:
Except for any refund elected by Microsoft, YOU ARE NOT ENTITLED TO ANY DAMAGES, INCLUDING BUT NOT LIMITED TO CONSEQUENTIAL DAMAGES, if the Software does not meet Microsoft's Limited Warranty, and, to the maximum extent allowed by applicable law, even if any remedy fails of its essential purpose.20
While the Limited Warranty itself only lasts for 90 days, the language above purports to shield Microsoft even if a crash costs you a massive amount of data during the Warranty period. But at least you only have to pay shipping for the new version of XP:
You will receive the remedy elected by Microsoft without charge, except that you are responsible for any expenses you may incur (e.g. cost of shipping the Software to Microsoft).
A warranty disclaimer is generally found in most EULAs despite the fact that it runs counter to the very basis of products liability law.
The Trouble with EULAs
EULAs started as a way for companies to limit warranties on goods and disclaim liability. These documents became widespread in the mid-1980s, when the growing popularity of software programs led vendors to seek new ways of limiting people's ability to copy their products. Also, many early EULAs prohibited reverse-engineering to prevent people from creating knockoff products that they would sell competitively. Eventually, the EULA became the choke-collar that it is today, limiting people's ability to talk about products, take them apart, and even remove them from their computers.
In a 2004 case, Blizzard Entertainment and Vivendi Universal Games sued the makers of a free software program called BnetD because people could use it to play Blizzard games online without Blizzard's approval. The game company argued that BnetD's developers had violated several terms in the Blizzard EULA because they reverse-engineered a protocol in order to make the BnetD server interoperate with Blizzard videogames.21
EULAs make millions of consumers into potential victims of frivolous lawsuits. They also lead to problems with interoperability, since reverse-engineering to develop those interoperable products is often prohibited. In addition, they allow consumers' security to be compromised.
Many vendors won't let consumers look at the EULA before purchasing an item,22 which means people can't make informed decisions about what they're buying. Sometimes companies make their EULA so hard to find and difficult to read that even conscientious consumers feel at a loss to understand the terms to which they've agreed.
Fight the EULA
There is hope. Consumers, lawmakers, and activists can take action to reform EULAs. Like other consumer rights struggles, such as the push to make food companies label their products, fighting EULAs will require grassroots organizing and legislative change. As the public learns more about how EULAs deprive them of basic rights they take for granted, challenges to these anti-consumer "agreements" are likely to become more common.
Many attorneys and policymakers have suggested that federal consumer protection and copyright laws ought to prohibit or preempt some of the more egregious terms set forth in EULAs. EFF lawyers defending the developers of BnetD raised this point when they argued that federal copyright laws expressly permit reverse-engineering.23
Consumers can also use state consumer protection laws to demonstrate that they are being harmed by having to agree to terms in EULAs that limit freedom of expression and entrepreneurial initiative. In 2003, a California woman filed a class-action suit against Microsoft, Symantec, and several retail outlets, claiming unfair business practices because consumers can't read EULAs before buying a product, and can't return them if they decide they don't like the EULA's terms. The case was settled when the named vendors and retailers agreed to make their EULAs available for people to read before purchase.24
Consumer activism will be crucial to reforming EULAs. Obviously, a first step is to educate consumers about the potential dangers of clicking through a EULA without reading it carefully first. The readers of Ed Foster's GripeLog, a blog partly devoted to analyzing EULAs, have formed an active community of EULA busters whose public complaints have helped remove some of the most damaging terms from certain EULAs.25
Boycotts, combined with write-in campaigns, have proven effective in the past. In 1999, when Yahoo purchased the free website-hosting company Geocities, Yahoo changed the usage agreement for Geocities. The new agreement said that all content on Geocities would belong exclusively to Yahoo.26 After a well-orchestrated boycott and publicity campaign run by Geocities users, Yahoo changed the terms and restored ownership of website content to Geocities' users.27
Organizational efforts like these demonstrate that companies can and do respond to public pressure to reform their EULAs. Bringing together the organizational potential of consumer activist groups, blogs, and online communities with legal and legislative challenges, consumers can regain the rights they lost the first time they clicked "I Agree."
The EULA Strikes Back
Today's high-tech products are often built with networking capabilities, and as a result we are seeing the rise of another species of clickwrap contract: the Terms of Service (TOS) agreement. Like EULAs, TOS attempt to bind online users without a signature. Sometimes they have a click-through component, and sometimes online service providers bury them in a tiny link at the bottom of a website or portal. TOS agreements attempt to govern the way consumers use online services such as webmail, social networking websites, game servers, wireless hotspots, chat software, and more. Many consumer electronics products, such as Microsoft's Xbox, can be used both on- and offline. Such products arguably subject their users to the terms of both EULAs and TOS agreements.
Many terms are shared between EULAs and TOS agreements. But typical TOS agreements also include terms that forbid vaguely defined forms of behavior and communication. Some state that all communications via an online service will be monitored. As TOS agreements become more common, we are likely to see their reach extend off the network and onto consumers' private machines. It's very likely that we will begin to see more and more TOS agreements that forbid consumers from using products to discuss certain socially stigmatized topics, or that assign to the vendor ownership of all consumer data stored with its service. And because many online services also install software or store data on consumers' computers, TOS agreements may claim to govern user activity on private computers, too.
Many people treat EULAs with the same reverence they do the tags on mattresses that say, "Do not remove this tag under penalty of law." They scoff at the idea that anyone could enforce such a bizarre rule. Increasingly, however, we are seeing consumers and software developers threatened with lawsuits for engaging in the digital equivalent of ripping tags off a mattress.
With consumer activism, as well as actions that push our legislatures and courts to change consumer protection laws, we can prevent corporations from taking away our rights one mouse click at a time.
If you have been harmed by a EULA, or threatened with legal action because of one, EFF wants to hear your story. E-mail us at EULAharm@eff.org.
For Further Reading
Americans for Fair Electronic Commerce Transactions (AFFECT), an organization that opposes unfair clickwrap terms and organizes consumer and legal campaigns.
Ed Foster's GripeLog weblog has a section devoted to consumer rights and EULAs:
The Bureau of Consumer Protection, a division of the FTC that enforces consumer protection laws enacted by Congress:
"PC Invaders," a 2002 article from C|Net on EULAs from a consumer rights perspective:
"Software User's Rights" by DJ Bernstein:
David Nimmer, Metamorphosis of Contract into Expand, 87 Cal. L. Rev. 17 (1999)
Mark Lemley, Beyond Preemption, 87 Calif. L. Rev. 111 (1999)
Lydia Loren, Slaying the Leather-Winged Demons in the Night, 30 Ohio Northern University Law Review (2004)
David A Rice, Copyright and Contract: Preemption After Bowers v. Baystate, 9 Roger Williams L. Rev. 595 (2004)
Robert W. Gomulkiewicz, The License is the Product: Comments on the Promise of Article 2B for Software Information Licensing, 13 Berkeley Tech., L.J. 891 (1998)
David McGowan, Free Contracting, Fair Competition, and Article 2B: Some Reflections on Federal Competition Policy, Information Transactions, and "Aggressive Neutrality," 13 Berkeley Tech., L.J. 1173 (1998)
Michael J. Madison, Legal-Ware: Contract and Copyright in the Digital Age, 67 Fordham L. Rev. 1025 (1998)
Proceedings from a 1998 conference at Berkeley's Boalt Law School called "Intellectual Property and Contract Law in the Information Age."
See, for example, ProCD, Inc. v. Zeidenberg, a case challenging the validity of clickwrap contracts in which the Seventh Circuit court of appeals decided in 1996 that contract terms displayed on a computer screen after purchase did constitute a valid contract. Read the ruling at http://laws.lp.findlaw.com/7th/961139.html. Other court cases about the enforceability of EULAs often cite ProCD.
Lydia Pallas Loren makes a persuasive argument about EULA's anti-benchmarking and public criticism terms curtailing free speech in her article "Slaying the Leather-Winged Demons in the Night: Reforming Copyright Owner Contracting with Clickwrap Misuse" in Ohio Northern University Law Review (2004). View the paper at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=582402.
In People of the State of New York v. Network Associates, the chief of Attorney General Eliot Spitzer’s Internet Bureau persuaded the Court to prevent Network Associates from selling software under conditions that prohibited consumers from disclosing the results of benchmark tests or from publishing reviews of Network Associates' products without permission.
For an interesting analysis of the privacy and security issues around automatic update terms in EULAs, see "Check the Fine Print" http://www.infoworld.com/articles/op/xml/02/02/11/020211opfoster.html.
§1201 of the Copyright Act allows anyone who lawfully obtains a copy of a computer program to reverse-engineer the program to determine the functional components of the code necessary to make compatible programs. The right to reverse-engineer includes the ability to circumvent technological protections that stop users from accessing these functional elements. See http://www.copyright.gov/title17/92chap12.html#1201.
See Claria license at http://www.benedelman.org/spyware/claria-license/license-112504.html. Ben Edelman also has a thorough analysis of the license at http://www.benedelman.org/news/112904-1.html.
It's also worth noting that this kind of license term sets a trap for anti-spyware vendors like LavaSoft, since Claria could go to court and claim that LavaSoft's tools intentionally interfere with GAIN.
Section 3.4 from the Kazaa EULA http://guide.kazaa.com/eula.htm.
See section 20, http://www.apple.com/support/itunes/legal/terms.html.
For more information about this case, see "Blizzard v. BnetD" http://www.eff.org/IP/Emulation/Blizzard_v_bnetd/
See http://www.gripe2ed.com/scoop/story/2005/1/11/1939/04481 for Ed Foster's discussion of how several vendors refused to allow consumers access to their EULAs until after purchase. A class-action lawsuit changed this practice in some cases, but not all.
See the Appellant's Brief in the case: http://www.eff.org/IP/Emulation/Blizzard_v_bnetd/20050112_Opening_Brief_of_Defendants.pdf
See "Lawsuit Challenges Software Licensing" http://news.com.com/2100-1001-983988.html?tag=fd_top or read the complaint at http://www.techfirm.com/Baker-Final.pdf
You can find Ed Foster's EULA-related blog entries at http://www.gripe2ed.com/scoop/section/Eula. Foster reports that reader outcry was responsible for Hilton.com removing several privacy-unfriendly terms from its website usage agreement.
http://www.wired.com/news/technology/0,1282,20472,00.html and "Yahoo Relents on Geocities Terms" http://news.com.com/2100-1023-227916.html?legacy=cnet.