Vista's EULA product activation worries

Walking on thin ice?

EULAs and the legal term "self help"

Now let's face it: lots of software products contain features that disable themselves upon some condition. For example, trial software will work for a period of time - say 30 days, and then stop. And you agree to that when you download and/or install it. It says so right in the EULA.

Spyware contains EULAs where you agree not to disable or delete it. Are you bound by that contract as well? As discussed previously, the answer is not so clear. Sony got into trouble by putting very restrictive EULA terms on its music/data CDs, which gave it a bunch of rights just because you decided to listen to music - including your agreeing never to listen to the music overseas. As I noted earlier, the terms of an EULA are generally considered to be enforceable even if you didn't read it, understand it, or have any ability to negotiate it.

However, there is another principle in the law. If a contract (for example, an EULA) is breached, you have the right to sue and to collect damages. Generally, you would have the burden of proving a breach of the contract and the existence of some damages, and then possibly the right to obtain other kinds of relief - like an injunction or other court order.

In addition, other statutes, like the US or international copyright laws may give companies like Microsoft other rights and remedies, including access to federal court and statutory damages, and even possible criminal enforcement by the FBI.

Now if Microsoft breaches the contract it wrote, the Vista EULA, what are your rights? Well, according to the terms of the agreement you agreed to, "you can recover from Microsoft and its suppliers only direct damages up to the amount you paid for the software. You cannot recover any other damages, including consequential, lost profits, special, indirect or incidental damages".

So if your entire network is shut down, and access to all your files permanently wiped out, you get your couple of hundred bucks back - at most. And, as far as I can tell, there are no warranties on the license, no assurance (like the kind you would get on a toaster oven or a lamp) that the thing actually works or does any of the things advertised. What is worse, if you just want to get your money back (assuming Microsoft doesn't want to give it to you) then you have to file a lawsuit (probably in Redmond, Washington) under the laws of Washington State, and if (and only if) you can prove your case, and your damages, can you get your money back.

You aren't entitled to, upon your belief that there was a breach of contract, simply walk up to the cash register at your local Fry's or Best Buy and take a couple of hundred bucks from the till. This is called "self help" (or theft) and is not generally allowed as a contract remedy.

But the Microsoft Vista EULA, like many other software license agreements, gives the owner of the software (remember that's Microsoft because you didn't buy it, you just licensed it) the right of self-help. They have the right to unilaterally decide that you didn't keep up your end of the contract, for example you didn't properly register the product, you weren't able to demonstrate that it was genuine, and so on, and therefore they have the right to shut you off or shut you down. So, what gives them the right? Apparently, the very contract they now claim you violated.

Case law examples of software being disabled after a dispute

In the early days of computers, there were several cases where software developers determined that licensees didn't make appropriate payments and therefore shut down the computer programs.

In 1988 in Franks & Sons, Inc v Information Solutions, Inc the software developer installed a "drop-dead" code in the program. When the customer failed to pay as promised, the developer activated (or allowed to be activated) the drop-dead code, which kept the customer from accessing the software as well as any stored information. The problem was that the customer didn't know about the drop-dead code. Under those circumstances, the court found that it would be "unconscionable" to allow the software developer to hold the licensee ransom, essentially using self-help to shut down the business until he was paid. The court noted:

Public policy favours the non-enforcement of abhorrent contracts. Here, without the knowledge of plaintiff, defendants have included a surprise in their product which chills the functioning of any business whose operation is a slave to the computer. If the plaintiff had known about this device at the time it entered into the contract with the defendant then the result would be different. Here it would be unconscionable for the Court to give credence to this economic duress.

However, it wasn't clear whether the sole problem in that case was the fact that the "drop-dead" software was not disclosed, or that the developer, by using the undisclosed code, was holding the licensee hostage.

In 1991, in American Computer Trust Leasing v Jack Farrell Implement Co, 763 F Supp. 1473 (D. Minn 1991) the software developer, in a dispute over payment for the software, remotely deactivated the software. The contract provided that the developer, who owned the software, could remotely access the licensee's computer in order to service the software and that if the licensee defaulted, the agreement was cancelled. When the licensee didn't pay, the developer told them that they were going to deactivate the program - which they promptly did. The licensee's lawsuit for damages failed because, the court noted, the deactivation was "merely an exercise of [the developer's] rights under the software license agreement..." This was true even though the agreement did not specifically state that self-help was a proposed remedy.
