Original URL: http://www.theregister.co.uk/2006/11/22/vista_eula_worries/

Vista's EULA product activation worries

Walking on thin ice?

By Mark Rasch

Posted in Operating Systems, 22nd November 2006 11:40 GMT

The terms of Microsoft's End User License Agreement (EULA) for its upcoming Vista operating system raise a conflict between two fundamental principles of contract law. The first, and more familiar, is that parties to a contract can generally agree to just about anything, as long as what they agree to doesn't violate the law and isn't "unconscionable".

The second principle is that the law generally disfavours the remedy of "self-help". That is to say that, if there is a violation of the terms of a contract, you usually have to go to court, prove the violation, and then you are entitled to damages or other relief.

The terms of the Vista EULA, like the current EULA relating to Windows Genuine Advantage, allow Microsoft to unilaterally decide that you have breached the terms of the agreement, and they can essentially disable the software, and possibly deny you access to critical files on your computer, without benefit of proof, hearing, testimony, or judicial intervention.

In fact, if Microsoft is wrong, and your software is, in fact, properly licensed, you probably will be forced to buy a license to another copy of the operating system from Microsoft just to be able to get access to your files, and then you can sue Microsoft for the original license fee. Even then, you won't be able to get any damages from Microsoft, and may not even be able to get the cost of the first license back.

Product activation in the Vista license

Suppose you buy a new computer after January 2007, or purchase an early upgrade for one of the various flavors of Vista. The first problem is, you may think you bought a copy of the operating system. Actually, the OS is still owned by Microsoft. You may own a physical DVD, but what you have "bought" is the right to use the software subject to any of the terms and conditions of the End User License Agreement (EULA), which you may or may not have access to at the time you buy the computer or disk.

Typically, the EULA will be contained in micro-print on the outside of a DVD, or may be on a splash screen that prompts you to unequivocally declare, "I agree..." as a condition precedent to installing or booting the software. Courts have pretty much established that this manner of acquiescence is okay, provided there is some way for you to get your money back if you don't agree to the EULA.

The Vista EULA informs the licensee that Vista will automatically send information about the version, language and product key of the software, the Internet protocol address of the user's device, and information derived from the hardware configuration of the device.

The EULA ominously warns that: "Before you activate, you have the right to use the version of the software installed during the installation process. Your right to use the software after the time specified in the installation process is limited unless it is activated. This is to prevent its unlicensed use. You will not be able to continue using the software after that time if you do not activate it."

What does this mean? Essentially, if you buy a license to the software from a reputable dealer, but choose not to transmit information to Microsoft, you forfeit your ability to use the licensed software.

What is interesting is not whether you have the right to use unactivated-but-properly-purchased software, but how Microsoft enforces its right. What Microsoft says is that the software will simply stop working. So, where is the proof that the software is not activated? Who has the burden of proof? What if you assert that you did activate the product, but Microsoft claims you did not? What if you attempt to activate the product, but Microsoft’s servers are down, or they provide improper information, or their servers are hacked and give you bad activation information?

What the contract states is that unless you can activate the product (irrespective of whose fault it is that you cannot activate), you forfeit your right to use the product, and therefore access to any of the information on any computers using the product.

The license is also silent on what happens after you fail to activate the product. Is there a mechanism for you to at least open the product to allow you to activate it, or do you get a Blue Screen of Death? Since their objective is to ensure that the product is activated, presumably they will allow you to at least get an internet connection and take you to an activation screen.

Once you activate the product, then you would assume that you are golden to go ahead and use the product, right? Wrong.

You see, even after you activate the software it will, according to the EULA, "from time to time validate the software, update or require download of the validation feature of the software". It will once again "send information about the...version and product key of the software, and the internet protocol address of the device".

Here's where it gets hairy again. If for some reason the software "phones home" back to Redmond, Washington, and gets or gives the wrong answer - irrespective of the reason - it will automatically disable itself. That's like saying definitively, "I'm sorry Dave, I'm afraid I can't do that..."

Unless you can prove to the satisfaction of some automaton that the software is "genuine", or more accurately, that you have satisfied the requirements of the relevant copyright laws and all of the terms of the End User License Agreement, the software will, on its own, go into a "protect Microsoft" mode. Besides placing an annoying "Get Genuine" banner on the screen, and limiting your ability to get upgrades, the EULA warns that "you may not be able to use or continue to use some of the features of the software". The EULA itself does not state which features these are, but the website advises that, unless you can show that you are genuine, you won't be able to use Windows ReadyBoost(tm), which lets users use a removable flash memory device; the Windows Aero(tm) 3D visual experience; or the Windows Defender anti-spyware program.

But the contract doesn't limit Microsoft to these disabling attributes. It just says they have the right to limit your ability to use features - pretty much any features they decide to at any date. And guess what. You agreed to it.
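As an added illustration (constructed for this page; it is not Microsoft's code and not anything taken from the EULA itself), the following Python model walks through the behaviour described above: an installation grace period, a first activation, periodic re-validation, and the loss of features when a check fails. The grace length, the request field names and the two policies it contrasts are assumptions. What it shows is the failure mode the article raises: under a "fail closed" policy an unreachable or faulty validation server is treated exactly like a rejected licence, whereas a "fail open" policy keeps the last known-good state until the server explicitly says otherwise.

```python
"""Toy model of a product-activation and periodic-validation policy.

Constructed illustration only; it is not Microsoft's implementation. It models
the behaviour the EULA describes (a time limit before activation, periodic
re-validation, and feature loss on a failed check) and contrasts two ways of
handling an answer that is wrong for reasons outside the licensee's control.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional


class Verdict(Enum):
    GENUINE = "genuine"          # server confirmed the key / hardware pairing
    NOT_GENUINE = "not_genuine"  # server explicitly rejected it
    UNREACHABLE = "unreachable"  # no usable answer: server down, bad data, timeout


class Mode(Enum):
    FULL = "full"        # all features available
    GRACE = "grace"      # not yet activated, still inside the installation time limit
    REDUCED = "reduced"  # "protect the vendor" mode: some features disabled


@dataclass
class LicenseState:
    installed_at: datetime
    grace_days: int = 30            # assumed; the EULA only says "the time specified"
    activated: bool = False
    last_genuine: Optional[datetime] = None
    mode: Mode = Mode.GRACE


def activation_request(version: str, language: str, product_key: str,
                       ip_address: str, hardware_hash: str) -> dict:
    """The categories of data the EULA says are sent; field names are assumed."""
    return {"version": version, "language": language, "product_key": product_key,
            "ip": ip_address, "hardware": hardware_hash}


def tick(state: LicenseState, now: datetime) -> LicenseState:
    """Apply the installation time limit: an unactivated install whose grace
    period has run out drops to reduced mode regardless of any server answer."""
    if not state.activated and now - state.installed_at > timedelta(days=state.grace_days):
        state.mode = Mode.REDUCED
    return state


def activate(state: LicenseState, verdict: Verdict, now: datetime) -> LicenseState:
    """First activation: only an explicit GENUINE answer unlocks full mode."""
    tick(state, now)
    if verdict is Verdict.GENUINE:
        state.activated = True
        state.last_genuine = now
        state.mode = Mode.FULL
    return state


def validate(state: LicenseState, verdict: Verdict, now: datetime,
             fail_closed: bool) -> LicenseState:
    """Periodic re-validation of an already activated install.

    fail_closed=True  mirrors the EULA as the article reads it: any answer other
                      than GENUINE, "irrespective of the reason", disables features.
    fail_closed=False keeps the last known-good state when the check cannot be
                      completed; only an explicit NOT_GENUINE disables features.
    """
    if verdict is Verdict.GENUINE:
        state.last_genuine = now
        state.mode = Mode.FULL
    elif verdict is Verdict.NOT_GENUINE or fail_closed:
        state.mode = Mode.REDUCED
    # UNREACHABLE under the fail-open policy leaves the mode unchanged
    return state


def scenario(fail_closed: bool) -> List[str]:
    """Install, activate, one good validation, then a validation with no usable
    answer. Returns the mode after each step as a list of strings."""
    t0 = datetime(2007, 1, 30)                       # constructed timestamp
    st = LicenseState(installed_at=t0)
    trail = [tick(st, t0).mode.value]
    trail.append(activate(st, Verdict.GENUINE, t0 + timedelta(days=1)).mode.value)
    trail.append(validate(st, Verdict.GENUINE, t0 + timedelta(days=40), fail_closed).mode.value)
    trail.append(validate(st, Verdict.UNREACHABLE, t0 + timedelta(days=80), fail_closed).mode.value)
    return trail


def expiry_scenario() -> str:
    """An install that is never activated: the time limit alone disables it."""
    t0 = datetime(2007, 1, 30)
    st = LicenseState(installed_at=t0)
    return tick(st, t0 + timedelta(days=31)).mode.value


if __name__ == "__main__":
    print("fail closed:", scenario(True))    # last step drops to "reduced"
    print("fail open:  ", scenario(False))   # last step stays "full"
    print("never activated:", expiry_scenario())
```

The only line that differs between the two policies is the `elif` in `validate`: folding `UNREACHABLE` into the same branch as `NOT_GENUINE` is what turns a server outage, a corrupted response or a compromised activation server into a loss of the licensee's features, which is the scenario the questions above are asking about.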

EULAs and the legal term "self help"

Now let's face it: lots of software products contain features that disable themselves upon some condition. For example, trial software will work for a period of time - say 30 days, and then stop. And you agree to that when you download and/or install it. It says so right in the EULA.

Spyware contains EULAs where you agree not to disable or delete it. Are you bound by that contract as well? As discussed previously, the answer is not so clear. Sony got into trouble by putting very restrictive EULA terms on its music/data CDs, which gave it a bunch of rights just because you decided to listen to music - including your agreeing never to listen to the music overseas. As I noted earlier, the terms of an EULA are generally considered to be enforceable even if you didn't read it, understand it, or have any ability to negotiate it.

However, there is another principle in the law. If a contract (for example, an EULA) is breached, you have the right to sue and to collect damages. Generally, you would have the burden of proving a breach of the contract, and of proving the existence of some damages, and then possibly the right to obtain other kinds of relief - like an injunction or other court order.

In addition, other statutes, like the US or international copyright laws may give companies like Microsoft other rights and remedies, including access to federal court and statutory damages, and even possible criminal enforcement by the FBI.

Now if Microsoft breaches the contract it wrote, the Vista EULA, what are your rights? Well, according to the terms of the agreement you agreed to, "you can recover from Microsoft and its suppliers only direct damages up to the amount you paid for the software. You cannot recover any other damages, including consequential, lost profits, special, indirect or incidental damages".

So if your entire network is shut down, and access to all your files permanently wiped out, you get your couple of hundred bucks back - at most. And, as far as I can tell, there are no warranties on the license, no assurance (like the kind you would get on a toaster oven or a lamp) that the thing actually works or does any of the things advertised. What is worse, if you just want to get your money back (assuming Microsoft doesn't want to give it to you) then you have to file a lawsuit (probably in Redmond, Washington) under the laws of Washington State, and if (and only if) you can prove your case, and your damages, can you get your money back.

You aren't entitled to, upon your belief that there was a breach of contract, simply walk up to the cash register at your local Fry's or Best Buy and take a couple of hundred bucks from the till. This is called "self help" (or theft) and is not generally allowed as a contract remedy.

But the Microsoft Vista EULA, like many other software license agreements, gives the owner of the software (remember that's Microsoft because you didn't buy it, you just licensed it) the right of self-help. They have the right to unilaterally decide that you didn't keep up your end of the contract, for example you didn't properly register the product, you weren't able to demonstrate that it was genuine, and so on, and therefore they have the right to shut you off or shut you down. So, what gives them the right? Apparently, the very contract they now claim you violated.

Case law examples of software being disabled after a dispute

In the early days of computers, there were several cases where software developers determined that licensees didn't make appropriate payments and therefore shut down the computer programs.

In 1988 in Franks & Sons, Inc v Information Solutions, Inc the software developer installed a "drop-dead" code in the program. When the customer failed to pay as promised, the developer activated (or allowed to be activated) the drop-dead code, which kept the customer from accessing the software as well as any stored information. The problem was that the customer didn't know about the drop dead code. Under those circumstances, the court found that it would be "unconscionable" to allow the software developer to hold the licensee ransom, essentially using self-help to shut down the business until he was paid. The court noted:

Public policy favours the non-enforcement of abhorrent contracts. Here, without the knowledge of plaintiff, defendants have included a surprise in their product which chills the functioning of any business whose operation is a slave to the computer. If the plaintiff had known about this device at the time it entered into the contract with the defendant then the result would be different. Here it would be unconscionable for the Court to give credence to this economic duress.

However, it wasn't clear whether the sole problem in that case was the fact that the "drop-dead" software was not disclosed, or that the developer, by using the undisclosed code, was holding the licensee hostage.

In 1991, in American Computer Trust Leasing v Jack Farrell Implement Co, 763 F Supp. 1473 (D. Minn 1991), the software developer, in a dispute over payment for the software, remotely deactivated the software. The contract provided that the developer, who owned the software, could remotely access the licensee's computer in order to service the software and that if the licensee defaulted, the agreement was cancelled. When the licensee didn't pay, the developer told them that they were going to deactivate the program - which they promptly did. The licensee's lawsuit for damages failed because, the court noted, the deactivation was "merely an exercise of [the developer's] rights under the software license agreement..." This was true even though the agreement did not specifically state that self-help was a proposed remedy.

There were many other cases in the late 80s and early 90s involving software developers either putting drop-dead code in their products or remotely disabling code when they thought the other party was in breach.

Thus, a Dallas medical device software developer was sued in 1989 (the case was settled) for using a phone line to deactivate software that compiled patients' lab results. In 1990, during a dispute about the performance of a piece of code, the developer simply logged in and removed the code, until the licensee released the developer from any liability. The licensee claimed that the general release was signed under duress, since he was being held economic hostage. This was Art Stone Theatrical Corp v Technical Programming and Support Systems, Inc 549 N.Y.S.2d 789 (App. Div. 1990).

In another widely reported case, a small software developer, Logisticon, Inc, installed malware within software delivered to cosmetic company Revlon, which paralysed Revlon's shipping operations for three days (losses were about $20m US) when the developer claimed that Revlon breached the contract. Logisticon simply claimed that this was an "electronic repossession". The case was settled out of court.

In 1991, in the case of Clayton X-Ray Co v Professional Systems Corp, 812 S.W.2d 565 (Mo. Ct. App. 1991), a company likewise involved in a payment dispute logged into the licensee's computer and disabled the software which it owned. When the licensee tried to log on to see their files, all they saw was a copy of the unpaid bill. A jury awarded the licensee damages, partly because the existence of the logic bomb was not disclosed.

Finally, in Werner, Zaroff, Slotnick, Stern and Askenazy v Lewis 588 N.Y.S.2d 960 (Civ. Ct. 1992), a law firm contracted with a company to develop billing and insurance software. When the software reached a certain number of bills (and when the developer decided it had not been paid) it shut down, disabling access to the law firm's files. The law firm successfully sued, and got punitive damages.

So what is the lesson from all of these cases? First, if you exercise "self help" without telling the purchaser, you may open yourself up to damages. Does the Microsoft EULA adequately tell you what will happen if you don't activate the product or if you can't establish that it is genuine? Well, not exactly. It does tell you that some parts of the product won't work - but it also ambiguously says that the product itself won't work. Moreover, it allows Microsoft, through fine print in a generally unread and non-negotiable agreement, to create an opportunity for economic extortion. Remember, all the cases from the 80s and 90s involved sophisticated parties (on both sides) who negotiated individual license agreements - not mass market software.

Balancing the rights of all parties

After this series of cases, many states considered reforming the Uniform Commercial Code to specifically cover those situations when a software developer can resort to self-help. As a result of these efforts, two states, Maryland and Virginia enacted versions of the Uniform Computer Information Transactions Act (UCITA).

The Maryland version of the statute allows the software vendor to obtain a court order that allows it to disable the software, or "[o]n material breach of an access contract or if the agreement so provides, [to] discontinue all contractual rights of access of the party in breach..." In other words, the software vendor can only terminate access to the software if there has been a material breach, if doing so does not result in a breach of the peace, and if there is no foreseeable risk of personal injury or significant physical damage to information or property.

The UCITA also provides a procedure for "electronic self-help" - that is, the termination of access or use of the software without a court order. The first thing to note is that, in Maryland at least, the law expressly notes that, "electronic self-help is prohibited in mass-market transactions".

Microsoft's EULA is undoubtedly a mass-market transaction, and therefore Microsoft may be prohibited from exercising self-help in Maryland. Moreover, even in non-mass-market transactions, before you can resort to self-help, the contract must provide notice that self-help will be used, state who will be told about the exercise of self-help, and provide other notice.

The Maryland law also provides that "electronic self-help may not be used if the licensor has reason to know that its use will result in substantial injury or harm to the public health or safety or grave harm to the public interest substantially affecting third persons not involved in the dispute".

Thus, the harm to Microsoft (not getting a license fee) may be disproportionate to the harm to the licensee in having their systems completely shut down. This is particularly true if Vista is being used for a system providing medical treatment, controlling a power plant, or other such critical infrastructure. The Maryland law expressly provides that the "rights or obligations under this section may not be waived or varied by an agreement..."

Microsoft may have some trouble if it tries to enforce its EULA terms in a court in Washington State - especially if that court is running a computer using Vista. You see, all software license agreements with the courts in Washington State contain a "no self-help code" warranty where the vendor warrants that there is no "back door, time bomb, drop dead device, or other software routine designed to disable a computer program automatically with the passage of time or under the positive control of a person other than a licensee of the Software". Thus, the Vista EULA terms would not apply to the Washington State courts!

Microsoft will invariably deny that what they are doing is "self-help". More likely, it will claim that the disabling provisions of the software are mere "features" of the software. It will also argue that the licensee controls whether or not the code disables by either registering, or "getting Genuine".

But what the boys in Redmond are really doing is deciding that you have not followed the terms of a contract (the EULA) and punishing you unless and until you can prove that you have complied.

And what if Microsoft is wrong, and it disables your software erroneously? Well, you can keep buying and activating their software until you are successful. And that means more fees to Redmond. Or, following the movie Happy Feet, you can decide to find software with a little penguin on it.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus