Cory Doctorow on Shrinkwrap Licenses

An anonymous reader writes "Web privacy advocate Cory Doctorow is on about shrinkwrap licenses, in his latest essay. They've always been onerous. Now, Doctorow says the new EULA in Vista and even the MySpace user agreement could put users at risk of being sued. He closes with: 'By reading this article, you agree, to release me from all obligations and waivers arising from any and all [everything].'"

Reading the what?

By reading this article, you agree, to release me from all obligations and waivers arising from any and all [everything].'

This shouldn't be an issue here.

Do we have fair-use rights to EULAS?

Kinda off-topic, but I was wondering. Given that a EULA contains a huge amount of intellectual property, and that the lawyers who drafted it thus have the right to permt/allow/deny every instance of its use, is it legal to quote from EULAs?

Shouldn't there be something you have to click through before reading a EULSA.. something that says basically "you cannot view/use/think about this EULA except under the terms define below... "

Re:Do we have fair-use rights to EULAS?

we are allowed to quote things to make our point.

Most EULAs are boilerplate

Given that a EULA contains a huge amount of intellectual property...

Actually most EULAs consist of the same language used in other EULAs. In that sense they are full of what in copyright is referred to as "scenes a faire," or components that are common to a particular type of work. For example, a movie about the Middle Ages might show some poor wretch gnawing on a piece of stale bread. This is so common that that particular scene in itself has no special creativity.

EULAs have at best a thin layer of creativity in the selection of certain stock phrases in order to compose a whole. In that sense they are probably akin to literary compilations, which have a very thin layer of copyright over the selection and presentation of the collected works. In the case of EULAs, I think it would be difficult to say that "You agree to indemnify and hold harmless..." and other stock phrases are anything more than scenes a faire.

I was talking with a rather high-powered copyright lawyer about this a few months ago, and he agreed with my assessment. There doesn't see to be any real pertient caselaw on this, so all opinions are equal until someone finds reason to bring suit for copying of EULA terms. I can't really see why any company would bother with it though. The language of a EULA is not something worth protecting, because in itself it does not produce revenue.

Are they actually binding?

I suspect a court wouldn't find most such licenses binding.

Re:Are they actually binding?

The whole point of the EULA is to ensure that there are so many conditionals that you'll be snagged by at least one or two unpalatable in any given jurisdiction. It doesn't matter if 95% or more of the EULA is outright illegal in your state or country; there'll still be enough leftover to have you by the short 'n' curlies.

Re:Except for all the country...

... where, if part of the contrat is illegal, then the whole contract is made null. In other word for all those country, making statement for example to make user sign up their basic right, or even consumer-protection right, is illegal, would simply nullify the EULA. So... The left over won't do shit in such case.

That's an intresting (wrong) interpretation.

Actually courts will usually do what they can to save a contract within interpretation - and will nullfy portions of the contract that cannot be enforced. But no, writing a contract so that it includes clauses which are unenforceable (ie giving up your basic human rights) does not void (the correct term) the contract.

An illegal contract - one that is a contract to commit a crime (ie Rob that bank and I'll help you sell the gold for a 50/50 cut of all proceeds) is - yes - null and void in all states I don't think there are any EULAs out there in the main stream that include contract for crime though - so points for getting one legal principle correct, losses for applying it to the wrong case.

-GiH
(No, not a lawyer, just a law student).

Not legally binding anyways ...

In many countries shrinkwrap licenses or license agreements that you can only agree to after actually buying the product, or that are "implicitly agreed upon" are not legally binding and are contrary to public policy. None of the things included in those "contracts" are legally binding and that includes the exclusion of warranties etc., even if written in all upper case.

Re:Not legally binding anyways ...

Not to mention that with a click-through license, there is no way of knowing who agreed to the "contract". I could get my underage kid to agree to the licensing terms, and he will not be legally obligated to abide by them because he is not allowed to enter into a contract at his age. And I can use the computer afterward without having agreed to any terms at all.

Re:Not legally binding anyways ...

Here's the news: EULAs are bullshit. They always have been (except in a few benighted countries)... they were always meant to muddy the legal waters rather than enforce their ridiculous conditions.

Microsoft's dream has always been to enforce EULA restrictions by *technical *means. This means no need to deal with legal matters... want to change things, or enforce patently bullshit restrictions, then they just change them. This is why they started the TCPA, subsequently the TCG (Trusted Computing Group), and spent time designing their dream hardware along with the likes of IBM, Sun, HP etc etc: they call it Trusted Computing, and the hardware is a "TPM"... which will now be installed in every PC (and is already in the Apple Mac). The hardware gives Microsoft (and Apple) the ability to actually enforce the EULA by technical mans... read your EULA, read the specs, and criticisms [cam.ac.uk], and be afraid.

Clickwraps and shrinkwraps are binding in US

In the United States, both forms of license agreement are binding. However, they must be presented in such a way that the mythical "reasonable person" would find them before using the product or service being licensed. For example, you can't place the shrinkwrap license on page 52 of the user manual for that new Dell. It has to be obvious, easily-spotted, and not buried in the box. With clickwraps, the Specht v. Netscape [wikipedia.org] case established that they must be presented in a fashion such that it is clear and obvious that there is a license involved. You as the end user can elect not to read it, but you have been presented the opportunity to read it, so the law assumes that you have.

However, contract law in the United States still provides that bizarre terms in a licensing agreement will be held invalid. That does not mean that the entire contract is invalid, just that the offending sections would be. For example, if I buy a new iPod and the license agreement states that the first $10k I make next year will be sent to Apple in order to fund their 2007 New Years Eve party, such a term would be found by a court to be outside the boundaries of a license relating to an iPod purchase.

None of this means that EULAs aren't a pain in the ass. They are a pain to deal with, even for lawyers. I worked on one a while back, and I can see why they become so complicated. Corporate lawyers want to protect themselves from users who see juicy targets in successful companies. For example, EULAs relating to Internet services always have sections dealing with reliability of service. Companies have to expressly say that they are not guaranteeing 100% uptime, or someone will come out of the woodwork and sue them, saying they had a reasonable expectation of 100% uptime because the company marketed itself as a very reliable provider. Companies put in a lot of redundant language because they are trying to make it abundantly clear as to what they are not agreeing to and not guaranteeing. That way they they can defend themselves in court by saying that anyone who had even glanced over the EULA would understand that the company went out of its way to inform the user.

Unfortunately the effect is a complicated, hard to read document. Contract lawyers are slowly starting to change their approach. I've seen a few EULAs that use far less language, in an attempt to make the contract more intellible. Their argument in court would then be that although they didn't put in redundant language, their language was brief and clear enough that it was more likely to be read. I personally think this is a smarter, more common-sense way to go.

Are we really surprised here?

OMG companies really care more about themselves than they do about us? They want their rights to surpass ours? Surely it's because fundamentally we are all pirates, hackers and thieves just waiting for a chance to steal, defraud and otherwise screw them over. This should come as a surprise to NO ONE. They behave as though it's us versus them, thereby making it us versus them.

Asimov to sue Doctorow...

...for stealing his book title:

http://craphound.com/?p=189 [craphound.com]

Good job there's no shrinkwrap on books eh?

I wonder ...

I think some of these EULA is not really to sue the customer and those who click the accept button. If is more like telling the wall street crowd and their sugar dadday investors that the operators of the dotcom or the website "we have take adequate provisions and we seriously discourage our users from engaging in piracy. Just look at what our customers have agree to by clicking our EULA".

But still softwar installations have become very painful for many reasons. Everyone installs a link in the every user's menu, in the system tray in the desktop, install programs that run all the time when the computer boots, keep looking for updates bug your for upgrades etc etc.

Contracts of Adhesion

It isn't a new problem. Consumer credit contracts and insurance policies used to be terrible for the amount of impenetrable language and user-hostile terms. Don't fool yourself, most courts enforced those contracts, even if they were very one-sided. Legislation and regulatory action were required to eliminate the worst abuses.

By reading this subject line

1) I am your master
2) You are my slave, you shall obey my every command directed to you.
3) You will on every Dec 26th starting at noon stand on one foot in a shopping mall or other crowded public place and howl 3 times, each howl being at least 6 seconds long, with a pause of at least 3 seconds between howls, and the howl being loud enough to be heard by at least 5 strangers 5 metres away. And you will try to get your friends to do the same thing as well.
4) In event you are not capable of doing 3), you shall disregard all EULAs by other parties and not create any yourselves.
5) This being on Slashdot, any offers to sacrifice your first born will be laughed at and dismissed.

This *is* something to be worried about

Many of the posters in this topic seem to have adopted the "that'll never happen" mentality. After all, there's no real chance of a corporation *successfully* suing people over these outrageous EULAs, is there?

I would like to remind those posters of the methodology used by the RIAA - threaten, harass, sue, and in the unlikely case that the victim actually puts up a fight, drop the case and run away.

Consider how many people, in the face of a mere *threat* to sue from the RIAA, have rolled over and paid the amount that the RIAA was demanding? Perhaps these people are cowards. More likely, they simply calculated that paying up would be much cheaper than hiring an attorney and fighting it out.

A EULA troll could exploit the same methods.

And the only thing that could put a stop to it would be a firm ruling by the courts that EULAs are in fact non-enforceable. A ruling which the trolls would avoid like the plague by using the cut-and-run tactic whenever faced with somebody who appears inclined to fight.

After reading TFA, I sat back and attempting to count just how many of those EULAs I had clicked through without bothering to read (after all, everyone *knows* that they are non-enforceable, don't they?). I can't be sure, but the number is most certainly at least three digits.

I suspect that most *present* EULAs simply don't contain anything that could be used for this purpose. That doesn't mean that *future* EULAs won't include them *deliberately*.

How long before Wiki has an entry titled "EULA bomb"?

How long before spyware and virus start using them

How long before spyware and virus start using them to sue users, anit virus apps, anit spyware apps, and so on for removing them and how long before that start using DRM and the DMCA as well?

How do they even prove you agreed to it?

Because the software "requires" you to? Not even remotely good enough. I've installed lots of software on my computer that "required" an EULA agreement that I wasn't interested in reading so I bypassed it and got the software installed anyways. There are dozens of ways that this is accomplishable, one of the most least technical ones involving one of my cats that likes to play with my computer keyboard if I leave it pulled out from my desk and I'm not sitting at my computer.

Linux + GPL + Virtualization = Defense

Imagine this hypothetical:

  I realize I had inadvertently agreed to an EULA after installing some software. But as you can see, I was prepared for this action. Because I was emulating a real (Windows) PC in a virtual environment, I was preparing myself for future situations. You see, my real host (primary) OS is a free, open source OS, and I use open source virtualization. This combined with proper snapshots, ensures my due diligence in making sure I can accurately restore said PC to such a state of where it was before I agreed to a n EULA I didn't agree with. (end of hypothetical)

Even if you've pirated the guest OS ... what's the worse that will happen? You'll delete one file? I'm not condoning piracy. I'm just saying with virtulization, I can try your crappy software, and once I realize it's crappy, I can undo any "damage" or consequences you threaten me with (spyware, viruses) by either having 20 identical clones around or at least weekly snapshots.

In the meantime, I'll stick with software I can *prove* isn't crappy... you know the kind you can freely overlook the source and change it if you'd like.

If work wants to provide me with a MS OS-based laptop (along with plenty of licenses as they're a partner), all the better.

Otherwise, I'm more than happy to free the OS from the hardware.

Wait a minute...

There are people out there who license their shrinkwrap? That doesn't make any sense. I just buy mine in rolls from the office supply store. I can understand licensing something less tangible like software, but shrinkwrap?

Shameless Self-Promotion

This is an essay [vwh.net] I wrote over ten years ago on the subject of shrinkwrap "licenses". Were I writing the essay today, I'd probably spend some time drawing a distinction between end-user "licenses" and the GPL. But my opinion remains essentially unchanged.

I never thought I was alone in my wholesale rejection of such "contracts," but it's nice to see validation from industry luminaries from time to time.

Schwab

Stupid, pointless article.

All he's got are some general, highly exaggerated stereotypes to spout out. Just two actual examples, which aren't that significant, and sure as hell don't lead him to the conclusion that you're going to be sued (when MICROSOFT goes out of business and sells their rights to a patent troll??? What?)

Anybody who bothered to read a clickwrap or shrinkwrap agreement would never install any software, click on any link on the Web, open an account with anyone, or even shop at many retail stores.

I have, and do. I'm a meticulous person that way. It hasn't stopped me from doing any of the above.

1) No sane person would agree to its text, and

I do believe I'm sane... License terms are reasonable for 90% of everything out there, and just what you'd expect before even reading it. ie. You agree we aren't liable if this doesn't work, You agree to sue us in our county or state, etc.

It's only that last 10% of software that I absolutely refuse to install. Usually there's only a passing mention of software from some different company, in one line, near the end, to indicate a dozen pieces of spyware bundled with your program. With that, I "opt out" and delete the program/installer, and look elsewhere.

2) Even if you disagree, no one will negotiate a better agreement with you?

For software that more than a handful of people would ever want to use, there's always some other alternative, with a license that isn't so incredibly underhanded.

Certainly, Windows XP and Vista qualifies. So long as my copy of 2000 (or NT4, 98, 95, Win 3.11, Dos 6) works for the Windows-only software I only occasionally need to use, I'm not even going to CONSIDER upgrading. And no more machines pre-loaded, either. I can go to pricewatch find a fully customizable, no-OS system cheaper anyhow.

have you seen the fine print on their credit-card slips?

Since I don't use credit cards... No. Nor do I care.

When returning products to Best Buy, however, I do stand at the front of the line, reading the paper they want me to sign... verbatim. They ALWAYS tell me it's just a standard form, and that they'll give me a copy to read later... AFTER I sign it. I'm more than happy to hold up their line, since they insist I agree to the legalese they've thrust upon me, for no good reason.

Cory's closing quote - Original and Link

READ CAREFULLY. By [accepting this material|accepting this payment|accepting this business-card|viewing this t-shirt|reading this sticker] you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

Put this at the bottom of your emails; print it on your stationery...

The Small Print Project [netzoo.net] via Boing Boing [boingboing.net]

If you can't beat them, join them

After I closed my paypal account, I had some spam from a market research company about paypal. I did not do their research, but emailed back with a rant (if it keeps an employee busy for even a few minutes, then I've managed to successfully waste some company money). Of course, I formatted the email like a n00b (i.e. the reply above the quoted text), but I made up a disclaimer below the text (hoping they would miss it):

Disclaimer. Acceptance by the recipient's mail server to this message is acceptance of these terms by the recipient, as is any reply (including any "auto-response" or similar). Each and every further communication to/cc/bcc any [My Domain] address will be charged an administrative fee of £1000 (one thousand pounds sterling) by the email administration. Any terms on the ends of your emails are invalidated and over ruled by these terms. Attachment or inclusion of any type of "disclaimer" is acceptance of this policy, and this disclaimer is final (i.e. cannot be overridden or invalidated by any past or future disclaimers). [My Domain] decision is final over any matter, and you may not sue or take any legal action over future or past communications/contact.

I never got any reply, but if I did I might have posted them some kind of invoice. It'd be a win/win situation - either I get a grand or a court rules that email disclaimers or EULAs aren't legally binding (OK, maybe I'm being a little optimistic).

More Doctorow extremism

... designed to play on the fears of people who haven't actually bothered to read the licenses they are agreeing to.

I read (or at least skim) any license attached to any software I run. It's usually the basic stuff, and while a little bit lawyerese (in other words, precise), it's usually not that hard to understand. It's also usually reasonable, given what the software can do.

For instance, Doctorow specifically notes that an MS EULA makes sure you grant permission for Defender to delete files on your PC. Guess what: that's the whole point of Defender: to delete malware, which could be in (gasp!) any file! Oh noes!

EULAs exist for basically two reasons:

1) To limit the legal exposure of the company providing the content (music/movies/software/whatever). And, err ... duh, that's a good thing, for both the company and you. If that company had no way to limit its legal exposure, it wouldn't be able to do business. The risk would be too large; it would only be a matter of time before some angry user had sued the business principals into the poorhouse for some perceived slight.

2) To explain the terms under which the content is sold/licensed/rented/whatever to you. You may not agree with those terms, but there they are, and you are given the choice. You may not bother to read the terms and excercise the choice, but you were at least given it.

Are Doctorow and the other EULA-haters in this thread suggesting they'd rather not know what their choices are? Or are they suggesting any entity that wants to release content for money or for free should have no rights or choices in the matter, just tossing their content over the wall and letting the rest of the world do whatever they want with it?

Re:Microsoft suing users?

I know, I know, RTFA is so passe... but the point the guy was making was not that Microsoft was going to do this. The point was that some company is going to go bankrupt, and their obligations & contracts will get bought by somebody with the mentality of a patent troll. And that's when people will start getting sued. And if he/she/it's successful, it will encourage others to do the same.

Re:Microsoft suing users?

You haven't read the article, have you? (I know, I know, this is Slashdot)

He wasn't talking about Microsoft, he was talking about the equivalent of patent trolls. He was talking about being sued by someone who buys a failed company with whom you have such an agreement.

Re:Microsoft suing users?

I can't imagine Microsoft suing a customer over some small print in the EULA. That's just dumb.

Then why is it there?

I hope you don't agree to a lot of contracts relying on a belief that they won't be enforced because "it's just dumb".

This latest corporate fad for retaining a claim to sue while offering a soothing "pledge" not to under vague, unenforceable conditions is lame in the extreme.

Re:Microsoft suing users?

I can't imagine Microsoft suing a customer over some small print in the EULA. That's just dumb.

Like Microsoft would never do anything as dumb as giving Internet Explorer kernel blasting access and enabling ActiveX similarly and including it as a core part of the browser? Oh and didn't they just make a statement they would be enforcing their licenses strongly with small business? The list of dumb moves by Microsoft would be staggering if listed completely, but why bother, they don't get punished for their dumb moves, we do. Wonder if when they sue us we can give free software to schools to pay them off?

hominem called, it wants its ad back (n.t)

n/t

Re:2000 called...it wants its legal issues back.

Cory has written stories that I enjoy. You haven't. I have a suggestion as to where you can stick your "SuperBanana".

Re:Microsoft suing users?

I'm sorry, but suggesting that Microsoft could sue users is one of the most absurd things I've read this morning

Bullshit - Microsoft is one of the biggest funders of the BSA - and I don't mean the "Boy Scouts of America". They threaten their customers with audits all the time.