Vista's EULA product activation worries

Walking on thin ice?

There were many other cases in the late 80s and early 90s involving software developers either putting drop-dead code in their products or remotely disabling code when they thought the other party was in breach.

Thus, a Dallas medical device software developer was sued in 1989 (the case was settled) for using a phone line to deactivate software that compiled patients' lab results. In 1990, during a dispute about the performance of a piece of code, the developer simply logged in and removed the code, until the licensee released the developer from any liability. The licensee claimed that the general release was signed under duress, since he was being held economic hostage. This was Art Stone Theatrical Corp v Technical Programming and Support Systems, Inc 549 N.Y.S.2d 789 (App. Div. 1990).

In another widely reported case, a small software developer, Logisticon, Inc, installed malware within software delivered to cosmetic company Revlon, which paralysed Revlon's shipping operations for three days (losses were about $20m US) when the developer claimed that Revlon breached the contract. Logisticon simply claimed that this was an "electronic repossession". The case was settled out of court.

In the 1991 case of Clayton X-Ray Co v Professional Systems Corp, 812 S.W.2d 565 (Mo. Ct. App. 1991), a company likewise involved in a payment dispute logged into the licensee's computer and disabled the software which it owned. When the licensee tried to log on to see their files, all they saw was a copy of the unpaid bill. A jury awarded the licensee damages, partly because the existence of the logic bomb was not disclosed.

Finally, in Werner, Zaroff, Slotnick, Stern and Askenazy v Lewis 588 N.Y.S.2d 960 (Civ. Ct. 1992), a law firm contracted with a company to develop billing and insurance software. When the software reached a certain number of bills (and when the developer decided it had not been paid) it shut down, disabling access to the law firm's files. The law firm successfully sued, and got punitive damages.

So what is the lesson from all of these cases? First, if you exercise "self-help" without telling the purchaser, you may open yourself up to damages. Does the Microsoft EULA adequately tell you what will happen if you don't activate the product or if you can't establish that it is genuine? Well, not exactly. It does tell you that some parts of the product won't work - but it also ambiguously says that the product itself won't work. Moreover, it allows Microsoft, through fine print in a generally unread and non-negotiable agreement, to create an opportunity for economic extortion. Remember, all the cases from the 80s and 90s involved sophisticated parties (on both sides) who negotiated individual license agreements - not mass-market software.

Balancing the rights of all parties

After this series of cases, many states considered reforming the Uniform Commercial Code to specifically cover those situations in which a software developer can resort to self-help. As a result of these efforts, two states, Maryland and Virginia, enacted versions of the Uniform Computer Information Transactions Act (UCITA).

The Maryland version of the statute allows the software vendor to obtain a court order that allows it to disable the software, or "[o]n material breach of an access contract or if the agreement so provides, [to] discontinue all contractual rights of access of the party in breach..." In other words, the software vendor can only terminate access to the software if there has been a material breach, if doing so does not result in a breach of the peace, and if there is no foreseeable risk of personal injury or significant physical damage to information or property.

The UCITA also provides a procedure for "electronic self-help" - that is, the termination of access or use of the software without a court order. The first thing to note is that, in Maryland at least, the law expressly notes that, "electronic self-help is prohibited in mass-market transactions".

Microsoft's EULA is undoubtedly a mass-market transaction, and therefore Microsoft may be prohibited from exercising self-help in Maryland. Moreover, even in non-mass-market transactions, before you can resort to self-help, the contract must provide notice that self-help will be used, state who will be told about the exercise of self-help, and provide other notice.

The Maryland law also provides that "electronic self-help may not be used if the licensor has reason to know that its use will result in substantial injury or harm to the public health or safety or grave harm to the public interest substantially affecting third persons not involved in the dispute".

Thus, the harm to Microsoft (not getting a license fee) may be disproportionate to the harm to the licensee in having their systems completely shut down. This is particularly true if Vista is being used for a system providing medical treatment, controlling a power plant, or other such critical infrastructure. The Maryland law expressly provides that the "rights or obligations under this section may not be waived or varied by an agreement..."

Microsoft may have some trouble if it tries to enforce its EULA terms in a court in Washington State - especially if that court is running a computer using Vista. You see, all software license agreements with the courts in Washington State contain a "no self-help code" warranty, under which the vendor warrants that there is no "back door, time bomb, drop dead device, or other software routine designed to disable a computer program automatically with the passage of time or under the positive control of a person other than a licensee of the Software". Thus, the Vista EULA terms would not apply to the Washington State courts!

Microsoft will invariably deny that what it is doing is "self-help". More likely, it will claim that the disabling provisions of the software are mere "features" of the software. It will also argue that the licensee controls whether or not the code disables, by either registering or "getting Genuine".

But what the boys in Redmond are really doing is deciding that you have not followed the terms of a contract (the EULA) and punishing you unless and until you can prove that you have complied.

And what if Microsoft is wrong, and it disables your software erroneously? Well, you can keep buying and activating their software until you are successful. And that means more fees to Redmond. Or, following the movie Happy Feet, you can decide to find software with a little penguin on it.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus
