It is easy to minimize the importance of End User License Agreements (EULAs) because they are so commonplace. They are regularly seen as the pop-ups on our e-device’s screens at the beginning of almost every software down-loading process. A person whose profession does not involve IT Asset Management reacts to a EULA quite differently from a professional. During the process of downloading software, an average person will click I agree without much thought about what the EULA says. For those people, agreeing to the terms and conditions is just something that must be done to finish the download; and the faster the better.
Since the average user cannot change the terms of the EULA, their thought process might be to ask themselves: “why should I care what the terms and conditions are? If I don’t accept them here and now, I can’t proceed with the download. Besides, I paid for the program I’m downloading (or it might be free), and I’m not sharing it with anyone, so I must be meeting all the terms and conditions.”
The part of that statement concerning the capability to download is true; non-acceptance of the EULA means no download. Yet assumptions about the terms and conditions without reading and understanding them can be dangerous. Depending on the circumstances, the user could become non-compliant without even knowing it. There really is more to understand about these click-to-accept license agreements.
IAITAM’s Certified Software Asset Manager (CSAM) manual defines the EULA generally as:
…an End User License Agreement determines the end users’ rights over the product. No intellectual rights are normally offered. The language used indicates that vendors offer the use of the product on their own terms, and that it is up to end users to agree at their own risk. It is also used to indicate the number of computers/devices which are permitted to use the product under a particular license. The license restricts end users from attempting to reverse-engineer, resell, or modify the product. There can be numerous terms and conditions in a EULA that probably affect users in a negative way.
Understanding the consequence of accepting the EULA begins by understanding the language in the document.
Digging into EULA Terms and Conditions
Let’s use Google® Apps as an example of why a EULA might not be fully read and understood before clicking on the accept box to allow the download. Before we continue, let’s be clear that I chose Google® as an example because most have clicked through this EULA and it is a good example of EULA language.
In the case of Google Apps, the terms of service are lengthy, but not out of line with other EULAs that I have reviewed. The opening paragraph is a brief introduction to Google including their line of Services, and a warning that whoever is downloading the software must agree to the terms and conditions, policies, guidelines or amendments as presented in the EULA and that may be presented to the user from time to time as Program Policies and Legal Notices (collectively, the Terms). There is a hyperlink posted within the paragraph to the newest Terms of this contract.
Nineteen sections of terms and conditions follow the introduction and are summarized in Figure 1. Notice that the language is about giving or limiting permission and protecting Google. The indemnification, warranty and liabilities sections are good examples of language that is common in EULAs and that can have significant consequences if the user experiences an unfortunate event.
USE OF SERVICES
- Describes who may use the services, and their responsibilities during use
- States that the content is that of other parties. Filtering tools are available including Safe Search tools. A hyperlink is provided to further customize filters
- The user agrees to regulate their own conduct in accordance with the written terms, using services only as permissible and legal (are permissions and legalities defined?)
- The user agrees to comply with their organization’s data usage and privacy policies
- Persons outside the United States must comply with their own local rules regarding online conduct and acceptable content, including laws regulating the export of data to and from the United States or their country of residence
- Basic information plus a hyperlink to Google’s full privacy statement
- Full description of Google’s rights, and the end user’s rights
SOFTWARE AND AUTOMATIC UPDATES
- Google may at their discretion introduce diagnostic information and may automatically download upgrades, enhance and further develop Google services, including providing bug fixes, patches, enhanced functions, missing plug-ins and new versions
POLICIES REGARDING COPYRIGHT AND TRADEMARKS
- Covers infringement issues and compliance with the United States’ Digital Millennium Copyright Act or other applicable laws and the possibility of terminating the accounts of repeat infringers. Also provides hyperlink to the DMCA
- Describes use of Google’s trade names, trademarks, service marks, logos, domain names, and other distinctive brand features
GENERAL PRACTICES REGARDING USE AND STORAGE
- Google has no responsibility for the deletion or failure to store any Content and other communications maintained or transmitted by Google services. Also covers account termination and actions upon notification of user’s death
PERSONAL NON-COMMERCIAL USE
- User must agree to not to reproduce, duplicate, copy, sell, trade, resell or exploit for any commercial purposes, any portion of Google services
MODIFICATIONS TO SERVICE
- Google holds no liability for any modifications to service
- User can terminate services at any time. Google may terminate user’s services at any time they deem valid and justified
- Some Google services are supported by advertising revenue. User must agree that Google may place these ads and will not be responsible for resultant damages
- Google services and/or third parties may provide, links to other World Wide Web sites or resources. Google does not endorse and is not responsible or liable for any Content, advertising, products, or other materials on or available from such sites or resources
The user agrees to hold harmless and indemnify Google, and its subsidiaries, affiliates, officers, agents, employees, advertisers, licensors, suppliers or partners, (collectively “Google and Partners”) from and against any third party claim arising from or in any way related to your use of Google services, violation of the Terms or any other actions connected with use of Google services, including any liability or expense arising from all claims, losses, damages (actual and consequential), suits, judgments, litigation costs and attorneys’ fees, of every kind and nature. In such a case, Google will provide you with written notice of such claim, suit or action. (In summary, most entities are afforded protection except the end user)
DISCLAIMER OF WARRANTIES
- This and the next two sections are printed using all CAPITAL LETTERS to stress the importance of the message. The main context is that whomever uses Google services does so at their own risk
LIMITATION OF LIABILITY
- The user expressly understands and agrees that Google and partners shall not be liable for any direct, indirect, incidental, special, consequential or exemplary damages…etc., etc.
EXCLUSIONS AND LIMITATIONS
- Nothing in this agreement is intended to exclude or limit any condition, warranty, right or liability which may not be lawfully excluded or limited
NO THIRD PARTY BENEFICIARIES
- The user agrees that, except as otherwise expressly provided in the Terms, there shall be no third party beneficiaries to the Terms
- Notice of notification avenues from Google to the user
- Entire Agreement. Covers anything that might have been missed in any way
- Choice of law and forum
- Waiver of severability of terms
- Statute of limitations
If the EULA language is not understood and followed, the end user may become non-compliant or not have expected protections for themselves or the organization. Individuals should take the time to at least scan through it. ITAM professionals need to manage these documents and potentially limit the number of ways that EULAs come into the organization’s portfolio of assets.
IAITAM’s training materials identify the following examples of terms and conditions found in EULAs:
Agree to not reverse engineer: Reverse engineering refers to the breakdown of a product (hardware/software) into parts to learn how a particular product functions. This understanding can be used to build another product with amendments in features, and does not violate the US Copyright Act. Reverse engineering is also done when attempting to diagnose a problem in the software. However, if such a term is included in a EULA, users are prohibited reverse engineering.
Do not publicly criticize software: This condition is included in most of the EULAs and forbids the user from publicly criticizing the product purchased whether online or offline. The user is also forbidden from comparing this product with others in order to criticize and degrade the product with respect to other similar products. This user is, in a way, signing away the right to free speech. In most cases, the user is allowed to conduct benchmark tests, but is not permitted to reveal the results to the general public WITHOUT THE VENDOR’S PRIOR WRITTEN APPROVAL (in most cases).
You will be monitored: A large number of products have the facility for receiving automatic updates if connected to the internet. This benefit may also be dangerous to the user as it is not necessary that the software vendor ask before connecting to a third party online if this clause is in the EULA. It is also possible that the installed software automatically records online activities and sends them to a third party without user prior approval EXCEPT FOR THE EULA. Depending on the nature and scope of how the software is used, this functionality can pose serious security threats, as highly-classified information can also move freely outside the organization, in such a way that NO LEGAL ACTIONS CAN BE TAKEN AGAINST THE VENDOR.
Subscription will automatically renew upon expiration: This condition can be dangerous depending on the exact wording used in the EULA. Some vendors have a clause that allows them to re-charge a credit card once the subscription expires. The renewal can happen without informing the user and may be at a different rate, such as the latest subscription price, depending on the wordings in the EULA. It is not uncommon to be charged at a higher, current rate for the automatic renewal. Canceling the renewal often requires notification to the vendor within a specified time frame. The limitation on cancelation is a valid reason to become familiar with the EULA.
Changing an EULA
Are EULA terms and conditions set in stone or can they change? There are occasions when the EULA can be altered either through negotiations or supersession. For the negotiation scenario, envision Microsoft® as the software producer, and organizations such as IBM®, Dell®, and HP® as the prospective buyers. These organizations are large and powerful enough to sway the software publisher to negotiate the language. A software publisher might consider EULA changes because of the end user’s name or position in the marketplace. It makes good business sense when negotiating with an influential consumer such as Walmart® whose name is known throughout the world; organizations of all sizes know their buying power has value.
In the case of supersession, the EULA might be amended by negotiating an additional contract with changes that modify or supersede the original language. The original EULA remains unchanged, but is supplemented by an additional contract (sometimes referred to as a rider). This approach limits the impact of the changes to what is specified in the document.
An organization in a position to negotiate can take advantage of this opportunity depending on the experience of the IT Asset Manager and the extent of preparation in the selection phase. It is important to know what items to negotiate for and which specific terms or conditions are unacceptable. Before entering negotiations, prepare by generating a chart that shows (at a minimum): the original terms and conditions, must-have organizational terms and conditions, unacceptable terms and conditions, and a final column with preferred language.
Also, there are smaller software publishers. When considering the opportunity to negotiate EULA language, the perceived value of the requesting organization will dictate how receptive the vendor is to altering the original EULA for a sale.
What is Not in the EULA May Hurt You
Everything up to this point suggests that the EULA provides all of the information about using the software and the only way for things to go wrong is when the end user does not take the time to fully comprehend the information available to them; sadly, sometimes this is just not true. Sometimes, software programs do more than what is openly professed in the EULA. Recent data highlights this issue with mobile devices (such as smart phones).
Mobile devices offer the freedom to download apps at will, but not every EULA has exposed the full nature of the app. Mobile device software presents a major vulnerability associated with collecting location data to track the individual.
Bob Sullivan, a columnist for NBC News cites examples found by researchers at Carnegie Mellon University. Researchers at the school’s Human-Computer Interaction Institute studied both the data gathered by the 100 most popular programs in Google’s Android app store, and how surprised (the) users were when told what the apps were (actually) doing:
Almost no one was surprised that Google Maps accessed location information, for example, but respondents had a strong negative reaction when they learned that the “Brightest Flashlight®” app tracked their location, said Jason Hong, an associate professor at the school.
“There’s no sensible reason why a flashlight app would need your location,” Hong said. “That was the biggest surprise to people — 95 percent were surprised it used location data.”
The article lists 10 common app downloads that provide information about the user to the software provider including device ID, location, and sometimes even contact information. This is a serious privacy and information security risk that may or may not be documented in the EULA.
As IT Asset Managers, we must educate on the legal aspects of copyright and encourage awareness of the significance of electronically signing for apps without reading and preserving the EULA. Understanding the documentation is the only way to have a chance of maintaining compliance or preventing unexpected consequences such as privacy risk.
The Greek term caveat emptor or let the buyer beware has strong meaning for all who download software on any device.