A leading spyware expert has hit out at legitimate organisations who use wordy, confusing and over-long end-user licensing agreements (EULAs) to get users to download adware and spyware.
Increasing competition among adware authors and "ad-herders" is forcing them to look at new and innovative ways to get such applications onto users' machines, and for many their activities are blurring the lines between what is and isn't acceptable.
Computer Associates maintains a growing database of thousands of items of spyware and adware and the company claims the two most prolific sources of spyware in this grey area are Claria, which produces Gator and Gain software, and Grokster.
In the all-important eyes of the law these companies are doing nothing wrong, but nor are they doing anything to help users know exactly what they are accepting onto their machines, which creates a dangerous opportunity for less-legitimate businesses.
Roger Thompson, director of content research for CA's eTrust Pest Patrol and Anti-Spyware solutions, said: "When users install Grokster they get a dialogue box and will have to page down 131 times to read the EULA."
"Eventually, after scrolling down users get to a passage which reads: 'GP may from time to time, either automatically or through other means, distribute an update to the Licensed Materials and/or may replace Licensed Materials with newer versions thereof and/or otherwise modify or add to the Licensed Materials'."
That line appears almost 4,500 words into the 6,600-plus word terms and conditions which ship with the free software.
And users need to realise that what is said of lunches often applies to software too - 'there is no such thing as a free one'. Such products often fund themselves through what they find out about their users. The software is offered for free because there is often more value in the data they spy on once installed.
Thompson expressed concern that, while Grokster may treat such agreements responsibly, this level of ambiguity in the wording means other companies will inevitably use such ploys to legitimise the installation and modification of spyware on a user's machine.
"You're giving the fox the keys to the hen house," said Thompson. "Users shouldn't be allowing any of this stuff onto their systems because they don't know how it is going to be used."
Typically, users' first realisation that they have been infected by an item of commercial spyware will be the interruption of a web session - by an unusually high volume of pop-up ads, a change to their homepage or the unwitting redirection to other websites.
Many companies distributing these kinds of application are aware of the moves afoot to defeat them. Thompson said many will be deliberately difficult to remove while others expressly state they cannot be removed.
The EULA issued by Gain states: "You agree that you will not use, or encourage others to use, any unauthorised means for the removal of the GAIN AdServer, or any GAIN-Supported Software from a computer."
It also strictly forbids users from using spyware scanning tools such as "a packet sniffer or other device to intercept or access communications between GP and the GAIN AdServer".
"These companies are all after your desktop," warned Thompson.

Comments
There are 5 comments.
1. Dave Howe
The EULA issued by Gain states: "You agree that you will not use, or encourage others to use, any unauthorised means for the removal of the GAIN AdServer, or any GAIN-Supported Software from a computer."
Erm - or what? You lose the right to run the software you are trying to remove?
2. Robert Myers
I don't see a difference here. Can you?
Part of EULA from Spyware:
'GP may from time to time, either automatically or through other means, distribute an update to the Licensed Materials and/or may replace Licensed Materials with newer versions thereof and/or otherwise modify or add to the Licensed Materials'
Part of EULA from Windows XP:
'Security Updates. Content providers are using the digital rights management technology ("Microsoft DRM") contained in this SOFTWARE to protect the integrity of their content ("Secure Content") so that their intellectual property, including copyright, in such content is not misappropriated. Owners of such Secure Content ("Secure Content Owners") may, from time to time, request MS, Microsoft Corporation or their subsidiaries to provide security related updates to the Microsoft DRM components of the SOFTWARE ("Security Updates") that may affect your ability to copy, display and/or play Secure Content through Microsoft software or third party applications that utilize Microsoft DRM. YOU THEREFORE AGREE THAT, IF YOU ELECT TO DOWNLOAD A LICENSE FROM THE INTERNET WHICH ENABLES YOUR USE OF SECURE CONTENT, MS, MICROSOFT CORPORATION OR THEIR SUBSIDIARIES MAY, IN CONJUNCTION WITH SUCH LICENSE, ALSO DOWNLOAD ONTO YOUR COMPUTER SUCH SECURITY UPDATES THAT A SECURE CONTENT OWNER HAS REQUESTED THAT MS, MICROSOFT CORPORATION OR THEIR SUBSIDIARIES DISTRIBUTE. MS, Microsoft Corporation or their subsidiaries will not retrieve any personally identifiable information, or any other information, from your COMPUTER by downloading such Security Updates.'
3. Troy Hoskison
Under UK copyright law you can only grant permission to use the material. You cannot revoke or deny rights. So the statement in the Gain EULA doesn't have a legal leg to stand on.
4. Phil Blackburn
Interesting use of the word 'legitimate'. It's not the word my customers use about Grokster when they have to call me in to clean up the mess it's made of their PC.
GAIN/Gator/Claria at least are reasonably easy to remove, once you realise that is where the problems are coming from. I see a lot of their utilities on people's PCs, but have never yet found anyone who knew what they were signing up for when they installed them, or who thinks they are worth the hassle of the intrusive adverts.
5. Dave
To Robert Myers: The difference is that with the MS agreement, the words "If you elect..." are present. If you do not want the security update, you can't have the content, yet you still retain all rights to the content you already have.
This is inevitable as hackers (sorry, information freedom fighters) crack the security mechanisms on copyrighted material. No record label is going to let you distribute content with a faulty DRM mechanism. I appreciate you're probably just MS-bashing, but all the other major players do exactly the same. Just look at Apple - how many variants of iTunes are there? What enhancements specifically did 4.7.1 bring over 4.7.0? Although it wasn't an 'enforced' update for iTunes, you couldn't access the music store without it, so were left with a fairly cheesy MP3 player and your existing downloaded music files.
With the first EULA, you must grant a continuing permission for the company to download and install updates. They will not seek your permission for all subsequent updates.