Do you remember? A gym contract? A receipt for a toaster?
Chances are it was a EULA: an End-User License Agreement. Those long scrolling blocks of text that you never read, but just click "Agree" on? Those are EULAs. The world's most widely unread legally binding documents.
Vendors need EULAs to clarify issues with their customers (that's the end-users, otherwise known as you and me). But what are you agreeing to, exactly? Online privacy issues have never been more important--Facebook's ominously named Beacon "feature" broadcast that message (along with its users' private information) to the world. And there's a Silicon Valley startup called NebuAd that intends to serve targeted ads by tracking Netizens via their ISPs. This means they can bypass other means of tracking browsing behavior (browser cookies, for example) and, according to an Associated Press story: "examine many of the sites people visit, what they do there and what they hunt for on search engines."
Sounds kind of "NebuLous" to me. The NebuAd CEO declared in the AP story that his firm never creates a database, or compiles lists of sites that people visited and what they did online. Which begs the question: if they don't do any of that, precisely what value do they add? How do they pitch venture capitalists?
And this is where the EULA comes into play: what does your ISP's EULA stipulate about protecting your privacy? Fortunately, here in Hong Kong we have the Personal Data (Privacy) Ordinance, an essential piece of protective legislation. We see public service announcements in various media reminding us to protect our ID card numbers and beware of identity theft. And Hong Kong's premier ISP, PCCW, cleaves to the Ordinance when it comes to customers' privacy rights--check their policy at http://www.pccw.com/eng/TermsofUse/PrivacyPolicyStatement.html
Still, Internet technologies tend to move faster than legal processes. In 2005 we were hit with Sony BMG's DRM (Digital Rights Management) rootkit, which installed itself unseen and unbidden at the root-level of PCs when a legally purchased Sony BMG CD was inserted into the machine (an estimated 15 million music CDs were issued with the rootkit).
Security consultant Bruce Schneier covered the fallout in his blog: "On Nov. 11, Sony announced it was temporarily halting production of that copy-protection scheme. That still wasn't enough--on Nov. 14 the company announced it was pulling copy-protected CDs from store shelves and offered to replace customers' infected CDs for free."
According to Schneier, "Sony rolled out this incredibly invasive copy-protection scheme without ever publicly discussing its details, confident that its profits were worth modifying its customers' computers. When its actions were first discovered, Sony offered a 'fix' that didn't remove the rootkit, just the cloaking...on Nov. 4, Thomas Hesse, Sony BMG's president of global digital business, demonstrated the company's disdain for its customers when he said, 'Most people don't even know what a rootkit is, so why should they care about it?' in [a radio] interview." The rootkit saga ended in May 2006 when a US federal judge gave final approval to a class action lawsuit brought against Sony--three separate class action lawsuits were consolidated into the settlement.
Suppose a EULA (preferably in the form of a fluorescent orange sticker) had been on the CD sleeve: "Warning! Inserting this CD into a personal computer will install a rootkit that may harm your computer's basic operations." Would that have been an accurate statement? Would it have hurt CD sales? Because the publicity over the Sony BMG rootkit fiasco has earned the music-industry giant ill will among the tech-savvy. The Sony BMG rootkit may have cost thousands of dollars in coding and implementation, but it likely cost far more in brand image and lost CD sales.