Tests and Scans
It Pays To Read License Agreements
I have a deal for you. In exchange for a free piece of software that helps you keep track of your passwords and other log on information, I'm going to install other programs on your PC that will track your web surfing and display advertising that pops-up on your screen. There will also be other types of ads on your computer based on information we collect.
Does that sound like a good deal to you? Well, if you're one of the many Windows users who have installed eWallet software from Gain Publishing that's exactly what you agreed to do. But you already know that because you read the End User License Agreement or "EULA" that was available prior to installing the program. You did read it right? Of course you did; before you could install the software you had to check a box certifying that you read the agreement. Legally speaking, that's the same thing as signing a contract with pen and ink.
OK, let's be honest. You didn't really read the EULA. How do I know? Because hardly anyone does. To prove that point, PC Pitstop included a clause in one of its own EULAs that promised anyone who read it, a "consideration" including money if they sent a note to an email address listed in the EULA. After four months and more than 3,000 downloads, one person finally wrote in. That person, by the way, got a check for $1,000 proving, at least for one person, that it really does pay to read EULAs.
Is anyone reading this? PC Pitstop offered a financial incentive in its EULA, and it took four months before anyone responded.
Although this is not a scientific sample, it does prove a point. People don't read EULAs. When we download and install software, we're usually in a hurry to take advantage of whatever it offers. That EULA is just one more thing to spend time on, and we're not just talking about a couple of minutes. The December 2004 End User License agreement that accompanies eWallet and other programs from the GAIN network is 2,550 words long--that's seven printed pages.
To its credit, not everything in Gain's EULA is in legalese. You don't have to pay a Harvard law graduate $300 an hour to understand the first paragraph:
"GAIN Publishing offers some of the most popular software available on the Internet free of charge ("GAIN-Supported Software") in exchange for your agreement to also install GAIN AdServer software ("GAIN"), which will display Pop-Up, Pop-Under, and other types of ads on your computer based on the information we collect as stated in this Privacy Statement. We refer to consumers who have GAIN on their system as 'Subscribers.' "
The rest of GAIN's EULA is also pretty clear. If you take the time to read it, you'll realize that you're giving the company permission to install software that "collects certain non-personally identifiable information about your Web surfing and computer usage." This, according to the agreement, "includes the URL addresses of the Web pages you view and how long you view Web pages; non-personally identifiable information on Web pages and forms including the searches you conduct on the Internet; your response to online ads; Zip code/postal code; country and city; standard web log information and system settings; what software is on the computer."
Gator's eWallet EULA is contained in this small box but it is 7 printed pages long.
So what's the harm in collecting "non-personally identifiable information?" After all, isn't that done all the time? Well there are certainly examples of such collection. Many legitimate web sites, for example, keep track of the number of visitors and where they go the site. This information is used to inform advertisers about a site's popularity and to give the site owners a better understanding of what parts of the site are doing well and what sites are now. Advertisers, of course, want to know how many people have viewed their ad as well as "clickthrough" rates and other information.
But there is a big difference between collecting non-personal information about what visitors are doing on your own site and tracking "the URL addresses of the (other) Web pages you view and how long you view Web pages."
Real live brick and mortar department stores, for example, do collect statistics about what sections of the store people are visiting, how long they spend there and what they buy. It's basic research. But imagine if you visited a store one day and they planted a bug on your person that followed you around to all the other stores you visited? While they were at it, they tracked your reading behavior, what TV shows you watched and maybe even who you talked with. They're not writing down your name, but they are following you around. Would this be legal? It might be, if they had you sign a contract specifically allowing it before they let you in the store.
And by the way, they're not just following you around. They're also getting in your way, making it harder for you to walk from place to place. Making it harder to start your car and slowing it down once you start it. They might even cause you to stumble now and then. That's a lot like spyware and adware; it takes up hard drive space, memory, and other resources. Also, it can significantly degrade your Internet connection because spyware is going out over the Internet to get information to display and, in some cases, sending out information from your PC. In other words, it is using your resources--resources that you paid for.
The company says that it has all sorts of procedures in place to "restrict the third party's use of the information we provide." That's all well and good, but even if the company is as sincere and diligent as it says it is, things can change. And, if the company does decide to change its policy on how it handles personally identifiable information, it "will notify you by posting proposed changes to this Privacy Statement and on our web site." Those changes "will be effective immediately upon such posting.
And don't think that can't happen. Even if the current owners are committed to keeping information private, there is no guarantee that the company won't be sold. If it goes bankrupt, there is even the possibility of your information being sold to pay off creditors.
You may wonder whether these licenses are legal. Most of them do hold up in court as long as they are reasonably clear, according to Parry Aftab, an attorney specializing in Internet privacy and security law (www.aftab.com). "The courts have said that if you click on something saying 'I agree' then it's legal consent." There are exceptions however. "If it's not legally clear enough, you haven't given consent to anything because there is no meeting of the minds. It goes back to basis of contract law from 500 years ago. You have to both agree on what you are agreeing on." In other words, if the agreement is incomprehensible, it may be unenforceable, according to Aftab.
Another exception has to do with minors. "Kids," according to Aftab, "are under state contractual age which is sometimes 16 and sometimes 18. If the site requires the person to make an affirmative representation that they are over the age of 18, it may keep the company out of trouble but it's still not enforceable."
This is an important distinction because a lot of spyware and adware is bundled with programs that are marketed to children and teenagers.
The fact that a EULA might not be legally enforceable is of little solace because it is being enforced on you whether you like it or not. Once the program is installed on your PC, the damage is being done and it doesn't even matter if the contract that you or your child agreed to may be invalid. Simply by using your computer, you're upholding your part of that contract by giving up information.
Attorney Aftab says that even though the courts have ruled on the legality of EULAs, there are still some grey areas that need to be ironed out. And, of course, the courts are basing their rulings on current law. There are some in Congress who alarmed at the growth of spyware and a number of bills have been discussed that could impact the way these EULAs are written, agreed to and enforced.
In the mean time, it's "user beware." A click of the mouse, like a stroke of a pen, can get you into a heap of trouble. Be careful, be aware and read those EULAs.
Larry Magid is a syndicated technology columnist and broadcaster for two decades, and contributes to CBS News, the New York Times, U.S. News & World Report and other publications.