Vista's EULA product activation worries

Walking on thin ice?

There were many other cases in the late 80s and early 90s involving software developers either putting drop-dead code in their products or remotely disabling code when they thought the other party was in breach.

Thus, a Dallas medical device software developer was sued in 1989 (the case was settled) for using a phone line to deactivate software that compiled patients' lab results. In 1990, during a dispute about the performance of a piece of code, the developer simply logged in and removed the code, and refused to restore it until the licensee released the developer from any liability. The licensee claimed that the general release was signed under duress, since he was being held economic hostage. This was Art Stone Theatrical Corp v Technical Programming and Support Systems, Inc, 549 N.Y.S.2d 789 (App. Div. 1990).

In another widely reported case, a small software developer, Logisticon, Inc, installed malware within software delivered to the cosmetics company Revlon, which paralysed Revlon's shipping operations for three days (losses were about $20m US) when the developer claimed that Revlon had breached the contract. Logisticon simply claimed that this was an "electronic repossession". The case was settled out of court.

In the 1991 case of Clayton X-Ray Co v Professional Systems Corp, 812 S.W.2d 565 (Mo. Ct. App. 1991), a company likewise involved in a payment dispute logged into the licensee's computer and disabled the software which it owned. When the licensee tried to log on to see their files, all they saw was a copy of the unpaid bill. A jury awarded the licensee damages, partly because the existence of the logic bomb had not been disclosed.

Finally, in Werner, Zaroff, Slotnick, Stern and Askenazy v Lewis 588 N.Y.S.2d 960 (Civ. Ct. 1992), a law firm contracted with a company to develop billing and insurance software. When the software reached a certain number of bills (and when the developer decided it had not been paid) it shut down, disabling access to the law firm's files. The law firm successfully sued, and got punitive damages.

So what is the lesson from all of these cases? First, if you exercise "self-help" without telling the purchaser, you may open yourself up to damages. Does the Microsoft EULA adequately tell you what will happen if you don't activate the product or if you can't establish that it is genuine? Well, not exactly. It does tell you that some parts of the product won't work - but it also ambiguously says that the product itself won't work. Moreover, it allows Microsoft, through fine print in a generally unread and non-negotiable agreement, to create an opportunity for economic extortion. Remember, all the cases from the 80s and 90s involved sophisticated parties (on both sides) who negotiated individual license agreements - not mass-market software.

Balancing the rights of all parties

After this series of cases, many states considered reforming the Uniform Commercial Code to specifically cover those situations in which a software developer can resort to self-help. As a result of these efforts, two states, Maryland and Virginia, enacted versions of the Uniform Computer Information Transactions Act (UCITA).

The Maryland version of the statute allows the software vendor to obtain a court order that allows it to disable the software, or "[o]n material breach of an access contract or if the agreement so provides, [to] discontinue all contractual rights of access of the party in breach..." In other words, the software vendor can only terminate access to the software if there has been a material breach, if doing so does not result in a breach of the peace, and if there is no foreseeable risk of personal injury or significant physical damage to information or property.

The UCITA also provides a procedure for "electronic self-help" - that is, the termination of access or use of the software without a court order. The first thing to note is that, in Maryland at least, the law expressly notes that, "electronic self-help is prohibited in mass-market transactions".

Microsoft's EULA is undoubtedly a mass-market transaction, and therefore Microsoft may be prohibited from exercising self-help in Maryland. Moreover, even in non-mass-market transactions, before you can resort to self-help, the contract must provide notice that self-help will be used, state who will be told about the exercise of self-help, and provide other notice.

The Maryland law also provides that "electronic self-help may not be used if the licensor has reason to know that its use will result in substantial injury or harm to the public health or safety or grave harm to the public interest substantially affecting third persons not involved in the dispute".

Thus, the harm to Microsoft (not getting a license fee) may be disproportionate to the harm to the licensee in having their systems completely shut down. This is particularly true if Vista is being used for a system providing medical treatment, controlling a power plant, or other such critical infrastructure. The Maryland law expressly provides that the "rights or obligations under this section may not be waived or varied by an agreement..."

Microsoft may have some trouble if it tries to enforce its EULA terms in a court in Washington State - especially if that court is running a computer using Vista. You see, all software license agreements with the courts in Washington State contain a "no self-help code" warranty, in which the vendor warrants that there is no "back door, time bomb, drop dead device, or other software routine designed to disable a computer program automatically with the passage of time or under the positive control of a person other than a licensee of the Software". Thus, the Vista EULA terms would not apply to the Washington State courts!

Microsoft will invariably deny that what it is doing is "self-help". More likely, it will claim that the disabling provisions of the software are mere "features" of the software. It will also argue that the licensee controls whether or not the code disables the product, by either registering or "getting Genuine".

But what the boys in Redmond are really doing is deciding that you have not followed the terms of a contract (the EULA) and punishing you unless and until you can prove that you have complied.

And what if Microsoft is wrong, and it disables your software erroneously? Well, you can keep buying and activating their software until you are successful. And that means more fees to Redmond. Or, following the movie Happy Feet, you can decide to find software with a little penguin on it.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus
