How to stay safe when signing EULAs

Kevin Townsend 30 Jul 2020

Do rights go missing in the space between product and service?

End user license agreements (EULAs) and other contracts between consumers and vendors, such as terms and conditions (T&Cs), privacy policies, and acceptable use policies, are a ubiquitous part of life online. We need to agree to a EULA, and often a privacy policy, every time we install a new product or sign up to an online service. It’s likely that all of us are currently bound by dozens – maybe hundreds – of these agreements at any given moment. But despite being governed by them, not many of us know what we’ve agreed to. A 2017 study showed that fewer than 10% of North Americans read such agreements before clicking through and automatically accepting them.

License agreement, not ownership agreement

Whether we read them or not, these license agreements are legally binding, and have been upheld in court. The cornerstone of this legality is that software and other digital products are provided as a license to use, not an outright purchase to own. This means that legally, the products remain the property of the vendor; we merely pay for the right to access and use them under the terms of the EULA.

The precedent for this was set in 2010. U.S. courts ruled in favor of Autodesk when an eBay seller asked the courts to stop the software company shutting down eBay sales of old, unused copies of the AutoCAD software. Autodesk won the case on the grounds that the license agreement prohibited resale of the software, even if the copies had been unused. Although the copies of AutoCAD had been obtained legally, without recourse to piracy of any kind, the license agreement was determined to render any resale attempts illegal. The case itself might appear to be little more than a legal footnote, but it holds great significance; the ruling solidified the nature of software licenses as legally excluding the user from full ownership of the product.

We must stop thinking of digital products as items we buy, and start thinking of them -- more accurately -- as services we rent under the conditions specified in the EULA. When we buy a physical product, we have certain rights, guaranteed by the state, which protect us as consumers, mandate that the goods be fit for purpose, entitle us to refunds under reasonable circumstances and so on. These rights do not transfer to services we rent under a specific contract (the EULA).

Signing away your rights?

This does not mean that software users have no consumer rights. Europe's GDPR and California's CCPA are both laws designed to protect the consumer in the online world. Where EULA conditions conflict with state legislation such as these, the law of the land will prevail. However, whether an 'illegal' clause invalidates the whole EULA contract or just the offending clause has not been unambiguously settled by legal precedent.

Nevertheless, most license agreements seek to protect the interests of the company publishing the software above the rights or wellbeing of the user – even to the extent of trying to evade or bypass state or national laws. For example, it’s common to find arbitration clauses in license agreements. These may prohibit the user from taking the business in question to court for any reason or from joining class action suits against the company.

HTC is an example of a prominent company that has adopted such a clause. The terms and conditions for HTC’s Viveport app store specify that users in North or South America waive the right to have any claim made against HTC, either individually or as part of a class action, settled in court. Disputes must instead be settled by “one or more persons charged with reviewing the Dispute and making a final and binding determination”. Since HTC is responsible for selecting this arbiter, the resolution to any dispute against the company is in their own hands.

A clause for concern

Although license agreements must respect the basic rights of a country’s citizens, there have been instances of conditions with the potential to cause harm to the user, or which violate some of these basic rights. As well as the increasingly common arbitration and indemnity clauses, there are examples of terms that seek to have the user sign away their right to privacy, their consumer rights and even their intellectual property. Interestingly, the majority of the most controversial EULAs are found in the sphere of video gaming.

Recently, the developer Blizzard came under fire following the release of Warcraft III: Reforged. For context, a player-made modification to the original release of Warcraft III, named Defense of the Ancients, became very popular among gamers and sparked an independent sequel – known as DOTA 2 – which has become one of the most popular, lucrative and long-standing e-sports titles in the world. A clause within the EULA of Warcraft III: Reforged now states that any content made within the game becomes the exclusive intellectual property of Blizzard.

Specifically, it says, “Custom Games are and shall remain the sole and exclusive property of Blizzard. Without limiting the foregoing, you hereby assign to Blizzard all of your rights, title, and interest in and to all Custom Games, including but not limited to any copyrights in the content of any Custom Games.” This means that if the original DOTA had been made under the new terms, Blizzard would be the legal owners of the entire franchise.

Nintendo has also included legally questionable terms in its refund policy; stating that Nintendo is simply “unable to provide refunds” on mistaken or unwanted purchases.

EU laws allow for a refund on online orders returned within 14 days “for any reason and without a justification”; but this is not so clear-cut on a digital distribution platform. Nintendo’s standpoint seems to be the idea that the customer does not pay for the product, but for the delivery of the product. Nintendo interprets this service of delivery as complete when any digital download from its storefront begins. Court cases in Norway and Germany upheld this interpretation earlier this year, but the cases are currently being appealed.

Red Shell and data protection

Even personal cybersecurity has been jeopardized by video game EULAs. In 2018, Take 2 Interactive, publishers of the Civilization series, removed a piece of software called Red Shell from their games after strong pressure from users. Red Shell is a data gathering and analytics application used by some publishers to gather advertising information on their users. Although much of the data collected by Red Shell is anonymized and the website claims that it only tracks information on devices, not users, many customers and publications refer to Red Shell as spyware. This is not helped by the fact that Red Shell installs quietly alongside games which use it, and is given permission to operate on the user’s system thanks to terms buried in the game’s EULA.

Take 2 has removed the Red Shell software from its games, but the license agreement and privacy policy still ask the player to agree to having their data harvested. In 2019, the license agreement for Civilization 6 was updated to greatly increase the scope of what data users would agree to have collected. Although Red Shell had been removed, the license agreement allows Take 2 to collect a user’s “age, gender, date of birth, zip code, hardware configuration, console ID, software products played, survey data, purchases, IP address and the systems you have played on.” The agreement goes further: “We may combine the information with your personal information and across other computers or devices that you may use.”

It is hard to see a gaming business model requirement to collect this amount of personal data, which makes the legality questionable under, for example, GDPR. However, there is precedent for EULAs being upheld in courts when users break the terms within them.

In theory, a customer’s statutory rights always supersede any terms in a license agreement, privacy policy or terms and conditions document. However, the agreement being a license rather than ownership muddies the waters significantly, and with digital distribution further blurring the distinction between product and service, there could be more to lose by clicking “I Agree” than we assume.

Sign in safety

Ideally, to protect ourselves against potentially harmful agreements, we would read each one carefully before installing a product and reject those with any terms which could be harmful to us. However, in today’s cyber environment, this approach is as good as impossible. First is the length of the documents – even in 2012, some online T&Cs were longer than Shakespeare plays, and we would need to read a new one of these not only for every new software we install, but each time they are updated or changed.

In many cases, there is also no reasonable alternative but to agree, even if there are undesirable clauses within the EULA. For example, Adobe products like Photoshop and Illustrator and software included in Microsoft’s Office suite are industry standards, and in a professional or collaborative environment may be necessary for work. If an update to the license agreements for such software began to infringe on a user’s privacy, there would be no realistic choice but to accept the terms or prepare for a career change.

Fortunately, strongly anti-consumer clauses within license agreements tend to create controversy; so, if you keep an eye on the news it should be easy to know what to avoid. Business can often be pressured into modifying their agreements to be more acceptable, as with Take 2 removing Red Shell from its software in 2018. Even if undesirable or invasive software does sneak onto your machine alongside legitimate programs, a good antivirus can help keep you safe. Avast Free Antivirus will detect PUPs – potentially unwanted programs – and give you the option to remove them, as well as keeping you protected from outright malware and harmful applications.

--> -->