Schneier on Security

Jim G • May 17, 2010 1:21 PM

@kog999:

The problem with your analysis is that although you may have purchased a CD with software on it, you don’t actually have the right to use that software until you and the software publisher agree on your license to use it. Buying software is best viewed as two transactions: One with the retailer that gets you a CD, and one with the publisher that establishes your right to use the software on the CD.

The logic most courts follow is that the software box says that the license terms are enclosed, so you “know” when you buy the software that the sale is subject to those additional terms. If you don’t like the terms when you see them, you’re supposed to return the software and get your money back (in some courts, that might be true even if you didn’t know about the license agreement until you opened the box). But if you see the terms, don’t like them, and try to change them through a bit of electronic manipulation, you and the publisher still haven’t agreed on a license allowing you to use the software. In the absence of an agreement, you have no rights to use the software on the CD you just bought. Why? Because you can’t run the software without copying it, and only the publisher has that right—which it hasn’t granted.

That’s one possible outcome. Another possible outcome is that a court could decide that you saw the license terms (“If you use the software, you agree to give us your firstborn”), knew that using the software would be acceptance of those terms, and then consented by using the software. Whether or not you clicked “I agree” may be irrelevant, especially if the publisher had a halfway competent lawyer draft the license agreement (take a look at a random software license agreement. Does it say that you agree to the terms when you click “I agree,” or that you agree when you install or use the software?). Changing the wording of the agreement doesn’t change that any more than adding three zeros to a $1 check would entitle you to $1000.

Now, much of this is controversial and depends on the state you’re in. IANAL and TINLA, but I think the odds of a court saying, “Oh, he edited the license agreement, he gets to use what he put instead” are slim to none, though I’ll admit I haven’t checked for case law to the contrary. Nonetheless, I still think odds are greatly in favor of a court saying, “Nice try, kid. The license is binding.”

Jim G • May 18, 2010 10:07 PM

@anon:

First, I apologize for the length of this reply (and to Bruce for using so much reply space for an issue tangential to his original post). You asked a law student a question about a somewhat complex and interesting area of the law. The risk in doing so is that you might get a reply that resembles the answer to an essay exam.

Regarding permission to use: the reason you need the copyright holder’s permission to run software is that making a copy in RAM is considered a “copy.” You won’t find this in the statute; it’s from case law—specifically, MAI Systems, Inc. v. Peak Computer, Inc. The court in this case said that making a copy in RAM is a “copy” meets all the requirements for protection under the copyright code (fixation, originality, etc.).

What about 17 U.S.C. § 117? Short answer: it doesn’t help. Take a close look at the language. The “owner” of a copy can make copies as an essential step to using the program. But who is the “owner” of a copy of software? The same case I cited above said that the publisher, not the user, owns a copy of software that is sold subject to a license. So when you “buy” software, you don’t actually own it; you license it, and § 117 doesn’t give you a right to run the program.

If that doesn’t make sense, well, that’s because it’s sort of a stretch. There’s a difference between owning a copy and owning the software on the copy, and I personally think the MAI court got the two confused. Nevertheless, several courts have followed MAI and said—in substance, if not explicitly—that § 117(a)(1) doesn’t actually give an end user any rights beyond those contained in the license agreement. Other courts have disagreed, so it depends on what jurisdiction you’re in.

In the end, it may not matter much what copyright law says because any rights you have to use the software are modified by contracts (i.e., the license agreements) between you and the publisher. So the big issue in terms of kog999’s original question is whether a contract exists when someone buys software in the store, takes it home, sees a license agreement, modifies it, and then clicks “I agree.”

First, note that “meeting of the minds” is not the standard; it’s too subjective. The famous case on this involves people at a bar. After too many drinks, one person offered to buy the other person’s farm. They signed an agreement (on a cocktail napkin, as I recall) and everything. When everyone had sobered up, one person said he was only joking, but in the inevitable lawsuit, the court said it was a valid contract. There was no “meeting of the minds” because one person thought it was a joke and the other was serious. But there had been “manifestation of mutual assent” because it would appear to the outside observer that both parties agreed to the same thing. “Manifestation of mutual assent” is in fact the modern test.

That doesn’t change your observation, of course. There’s no more a “manifestation of mutual assent” at the time of retail purchase than there is a “meeting of the minds.” But note that I said “at the time of purchase.” One of the ways courts may find a valid contract in a shrinkwrap license situation is to say that the transaction doesn’t actually complete until you use the software. Here’s the outline of the argument: the person making a contract offer is the “master of the offer,” which means he can to decide (within limits) how the person receiving an offer can accept. So the reasoning goes that a software publisher selling a box of software subject to a license has proposed a contract that invites acceptance by using the software after having an opportunity to review the license. The contract isn’t complete until you manifest your assent by using the software. The two big cases on this are ProCD v. Zeidenberg and Hill v. Gateway 2000. ProCD was about a software shrinkwrap license, and Hill was about a license included in the box with a mail-order computer. Both cases held that the licenses were valid.

But these cases aren’t universally followed. Another case, Step-Saver Data Systems v. Wyse, held that a shrinkwrap license wasn’t binding. The court in that case said that the acts of ordering, shipping, and paying for software ordered by phone demonstrated the existence of a contract, and that an included shrinkwrap license was merely an offer to modify the contract; the customer was free to reject that modification offer.

The result is a jurisdictional split on whether or not a shrinkwrap license is valid. I personally think the ProCD/Hill approach is iffy. When I walk out of a store with a box of software after having paid someone for it, I think I just completed the transaction. But many courts still hold the shrinkwrap license valid.

By the way, I think you’re right about returning the software. It seems like a legal fiction to say that the customer can take the software back. Perhaps the idea is that you could return the software to the publisher (not the retailer) for a refund. I’m unaware of any case where someone tried to return software because they disagreed with the license agreement. Either (a) stores or the publisher will take the software back for this reason, or (b) no one has tried it.

These cases all applied to printed licenses on paper. None of them required clicking “I agree” on a computer screen. I’m honestly not sure what the migration of these agreements to electronic form changes, if anything. Surely if I had a paper copy of a license and struck out language I didn’t like, I could not claim to have modified the license agreement. Would striking that language in electronic form before clicking “I agree” be any different from that? I don’t think so, but sillier arguments have been attempted in court.

Incidentally, this is an example of why it’s often a very bad idea to rely on what “the law” is based purely on reading a statute. Statutes are just the start. The real law comes from case decisions and knowing how courts have interpreted what the statutes say. If you read a statute but not cases that have interpreted that statute, odds are good that you misunderstand the law—and probably think the law is much simpler than it really is. You don’t think IT security folks invented the “it depends” answer, do you?

Jim G • May 20, 2010 11:33 AM

@anon:

If I recall correctly, only part of 17 U.S.C. § 117 predates MAI. Paragraphs (a) and (b) already existed when MAI was decided. After MAI, Congress amended the statute to add (c) and (d). In other words, the provision allowing the “owner” of a computer program to make copies necessary to run the program or make backups already existed when MAI was decided. The amendments addressed situations where a computer service tech was technically violating copyright by booting up a client’s machine (whether or not the end-user is the “owner” of the software on his computer, a third-party support person clearly is not). The amendments overturned MAI’s result (but not its logic) by saying that running an “authorized copy” of the software for maintenance purposes is okay.

FWIW, here’s the MAI court’s entire analysis of the ownership issue (in a footnote, no less): “Since MAI licensed its software, the Peak customers do not qualify as ‘owners’ of the software and are not eligible for protection under § 117.” I agree that this doesn’t make a lot of sense and makes § 117(a) moot. But there we are. The only consolation is that not all courts follow this logic.

By the way, the Ninth Circuit Court of Appeals has three cases before it right now that turn on the definition of “owner”—Vernor v. Autodesk; UMG v. Augusto, and MDY v. Blizzard. In a year or so, we’ll know a lot more about what (one circuit thinks) “owner” means.