Tag Archives: GNU gpl

EULA Obscurity

This is why you read the Terms of Agreement [click for source]

End User License Agreements, Terms of Agreement, and Privacy Policies. Just click “agree” and carry on, right? While it seems that practically nobody reads these (and understandably), they remain an integral piece of the user experience. EULAs are legal contracts between the “licensor” and purchaser of the product (in this case, the piece of software). While usually easily available to the user, these documents commonly contain very vague terms and conditions as well as often confounding terminology. It’s safe to say that the everyday user will almost never take the time to become familiar enough with this type of documentation.

Recently, a couple of popular mobile app featured in the Google Play store came under fire when they were found to be using the user phones to mine a cryptocurrency known as Dogecoin (yeah, not even Bitcoin, but Dogecoin).

Here is a screenshot of the EULA for the previously mentioned coin-mining app, known as Prized:

Note here, that you are giving your phone’s CPU the permission to “run calculations and process data without limitations” – perhaps a giveaway that there could be a hidden catch to streaming your music with the service. In this case, there was. But really, even to someone who has a generally keen knowledge on how software operates, this part can be unclear. It’s obvious that data is going to be processed through a music streaming service, but with vague language like this who knows what else might be at hand.

This is far from the only instance of irksome material included within a policy. Name any type of software and there is bound to be a program out there with an ambiguous EULA bound to it.

Even the terms of agreement behind antivirus clients has been seen as suspect. Avast!, for example, one of the most popular clients of its kind. And even having such notoriety, its intentions with personal data use have come under questioning from many privacy-conscious individuals. Read the following excerpt from the ‘Privacy; Processing of Personal Information section of the free client’s EULA:

8. Privacy; Processing of Personal Information
The Software automatically and from time to time may collect certain information, which may include personally identifiable information, from the computer on which it is installed, including:

8.1 URLs of visited websites that the Software identifies as potentially infected, together with the information on the nature of identified threats (e.g. viruses, Trojans, tracking cookies and any other forms of malware) and URLs of several sites visited before the infection was identified to ascertain the source of the infection;
8.2 Information and files (including executable files) on your computer identified by the Software as potentially infected, together with the information about the nature of identified threats;
8.3 Information about the sender and subject of emails identified by the Software as potentially infected, together with the information on the nature of identified threats;
8.4 Information contained in emails reported by you as spam or as incorrectly identified as spam by the Software;
8.5 Copies of the files identified by the Software as potentially infected or parts thereof may be automatically sent to AVAST for further examination and analysis;
8.6 Certain information about your computer hardware, software and/or network connection;
8.7 Certain information about the installation and operation of the Software and encountered errors or problems;
8.8 Statistical information about threats detected by the Software; and
8.9 If your version of the Software includes the Website reputation function, which provides information on reputation of web sites as potential sources of malware, and you set the Website reputation function to active, the Software may send AVAST the URLs of all websites you want to visit and the results of your web searches through search engines.

While most of these seem relatively reasonable, spelling out that specifically items and activity that sets off Avast’s triggers will be collected and sent to the folks at “headquarters”, but again we are met with some seriously vague language, specifically here:

8.6 Certain information about your computer hardware, software and/or network connection;

“Certain information” could mean any number of things, really, especially in the context of your network connection. while point number 8.9 makes it clear that the websites and searches you make will be logged if you choose to enable the in-browser reputation function, however 8.6 fails to elaborate. For all we know, avast could be vacuuming up IP addresses and retaining them for large periods of time. Of course, this isn’t likely, but if there were a clearer and more definite explanation of what is at hand, users would need not worry about being so paranoid.

In the earlier linked forum post (here it is again, as its worth reading through for those interested), discussion continued, including arguments against the casual use of words such as “generally” and “some” in the Avast! EULA. Some posters responded to these skepticisms with an “if you don’t trust it, just don’t use it” frame of mind. While this is truly an option, it goes against the grain of an opposite school of thought – keeping software (and the terms behind it) “for the people”. In other words, it is one thing to read through the license and find things that you might disagree with, but a further step would be to voice your opinion – that is, if you find yourself invested in the product as a user. This argument states “software is intended to fit a users needs and desires after all, isn’t it?”

Some might find this ideology silly, idealistic, or over zealous. But as we arrive back to the initial problem of slogging through incredibly dense EULAs that could mean serious consequences for users if they are not comprehended (or even read through in the first place) one might find that there is reason for investigation and eventual action after all.

The popular technology-focused youtube channel ‘Computerphile‘ had a video segment titled ‘Blindly Accepting Terms & Conditions?’ that was created earlier this year. In it – after Professor Tom Rodden shares similar sentiments on the state of confusing software Terms of Agreement –  a useful application was offered to explore EULA’s more thoroughly. This particular tool is a Chrome browser extension called Literatin, which basically allows users to “explore the complexity” of a piece of text – in this case, a program’s EULA – providing them with a word count and comparison in length as well as complexity level to a famous piece of classic literature.

The Literatin extension utilizes an algorithm that the developers refer to as Smog (Simple Metric of Gobbledigook), which is used to measure how “complex and dense” the text at hand is. This is then mapped to pre-existing statistics from UK education levels – “how much education would you have had to complete in order to read a document that complex”, as professor Rodden puts it in the video. This takes into account things such as the length of sentences included, amount of secondary clauses, and other metrics that are not clearly mentioned in the video or on the official website for the extension. All in all it seems like a relatively nice meter in how intense an EULA might be, but it would be nice to see the actual algorithms and source behind the ‘Readability Statistics’.

In order to get a better idea on just how much of a mess it is to get through EULAs for commonly used software, I went out to explore some of them myself using Literatin. I began with two programs just about everyone is familiar with: iTunes and the Chrome Browser. The respective results were as follows:

Full iTunes EULA ran through the Literatin Extension.

Full iTunes EULA ran through the Literatin extension.

While the overall length of the iTunes legal document was only around eight pages (along the level of ‘Green Eggs and Ham’, Literatin told me), the complexity of the text was allegedly staggering. The adult literacy level was “suitable only for a graduate-level audience” and Literatin compared its complexity to Nietzsche’s ‘Beyond Good and Evil’. This seems like it could be an exaggerated comparison, but after reading through random sections from each one, the thought doesn’t seem to farfetched.

Full Chrome EULA ran through the Literati Extension.

Full Chrome EULA ran through the Literatin extension.

As for Chrome’s terms of service document, the length was 6,552 total words (around 374 sentences) – almost as long as ‘Sleepy Hollow’ – and had an adult literacy level that weighed equivalent to a couple of Washington Irving’s classics. It just so happens that Google has come under quite a controversy in 2007 concerning its Chrome EULA… and in 2008.

Collectively, its safe to say that these license agreements are very complex to the common user. This again understands that the average user is even reading these before clicking “Agree and Continue” anyways. We’re at a point now where we’re met with an entire series of possible struggles to be dealt with:

  1. Intentional or non-intentional use of vague language that could lead to privacy/data concerns
  2. Long and/or very complex language (as in double-digit-paged documents that look as if they were written by James Joyce)
  3. Terms and conditions constantly changing (with new version releases, change in ownership, etc)

In 1989, Richard Stallman wrote the first draft of the GNU General Public License (GPL), a free software license intended to retrofit to any piece of software and give the user as close to complete freedom as possible in terms of use and sharing. This licensing is used very often by open source programs and projects and has been reviewed before revised many times over. Having said that, it is still very long and heavy with terminology (24 pages long, 5,921 total words, 1105 of them considered “complex” by Literatin, which gave the EULA a 20.62 Smog Rating). While this user-friendly license is deemed as more trustworthy, it is still hard to follow and can still be confusing to the curious reader.

So is there any alternative that can put absolute ease to the inquiring mind? There’s got to be something out there that cuts through the legal speak and gives a clear cut, concise set of terms to adhere by.

There is. Its another public license, known as the WTFPL – the Do What The Fuck You Want License. The title may seem a bit over the top, but upon reading the entirety of the WTFPL, its fitting:

                    Version 2, December 2004 

 Copyright (C) 2004 Sam Hocevar <sam@hocevar.net> 

 Everyone is permitted to copy and distribute verbatim or modified 
 copies of this license document, and changing it is allowed as long 
 as the name is changed. 



That’s it. A license where you practically need no more after looking at the title. Now, of course I realize the comedy behind this, and understand that you might as well not use a license at all if you’re going to implement this. But there is the explicit paragraph there that can be used as reference.

While dangers will always lurk behind certain software license agreements and privacy policies, there seems to be a generally wider understanding of these threats as well as a push from those open source developers and proponents to enforce fair terms for users. Having said this, at the end of the day, it is up to the user to stay vigilant. Scroll through carefully, and absorb as much as possible. Stay curious and do your research. You have the entire internet at your disposal – if you see something, search something.

Leave a comment

Filed under Uncategorized