Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Squid T-Shirts |
| Insect-Based Terrorism »
May 17, 2010
Software Liabilities in the UK
The British High Court ruled that a software vendor's EULA -- which denied all liability for poor software -- was not reasonable.
I wrote about software liabilities back in 2003.
Posted on May 17, 2010 at 6:18 AM
• 26 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Not that this event really relates to your argument. You argued that vendors should have liability, in general. This ruling says that in one case in particular, where a vendor missold software, they were liable for its failure to perform as they indicated.
As far as I can tell this isn't software liability, it's sales liability. The court didn't rule on whether an EULA can say "you acknowledge that the software might not do what you expect", it rules that the EULA can't say "you acknowledge that our sales staff are lying toads, and that you formed no expectations of the product's performance based on what they showed and told you".
The point seemed more that while the vendor claimed that it was a product selection that was made by the buyer, the vendor did not provide 'appropriate' demonstrations and documentation to the buyer BEFORE they made the decision.
The fact that the product was not 'fit for purpose' was IMHO incidental...
A little like GS selling bonds that it knew were junk but then claiming that they were just market makers who allowed buyers to take on the risks they wanted...
I would not rely to much on a UK court and software...
Usually the first question that probably arises as to if it was "fit for purpose" under the sale of goods act, thben if it was missold. Then there is a "distance selling cooling off period to consider, then other cooling off periods.
I'm not aware of a software "agreement" ever being tested in court, of those I know that understand the legal side in the UK they talk of snow balls and hell as to the chances...
Yes, but what's to stop a consumers from expecting/demanding that features such as 'security' function as well? MS advertises security features all day. If they are directly bypassed, then they failed to deliver as advertised. This will force the issue of 'truth in advertising' where the vendor will not be able to make claims of security (thus, not signal a differentiating quality) unless they can stake their revenue on it. It will most likely raise the point that the software isn't secure, and while a corresponding awareness campaign creates an appetite for 'secure software' we might just see a change in the market.... Maybe...
This ruling is newsworthy, interesting at the very least, and a step in the right direction.
This is a little off topic but something I’ve been curious about. Let’s assume for a minute that EULA's in general are contracts that would hold up in court and you clicking I Agree during install indicates you signature. What if I wrote a custom installer that did not include the EULA. What if the vendors installer used a text file to populate the EULA screen and I replace it with the text “This software has no restrictions do whatever you like”, or I did a similar trick with a memory editor etc. What If I select I Disagree and manually enable the Next button with a debugger or something like that. Would I then not be bound by the EULA b/c I didn’t “sign” the contract.
In Security parlance, the SWAT* metric of a subject, is expressed as the number of years that have elapsed since Bruce Schneier first wrote about it.
The SWAT of software EULAs is approximately 6.5.
* SWAT: Schneier Wrote About This. cf. Schneier Blogging Template: http://www.schneier.com/blog/archives/2010/03/...
That would be equivalent to simply stealing the software - you only have a right to use it if you agree to their license terms.
This case came about because of a recent Eu ruling that said EULA's couldn't void normal sale-of-goods act consumer protection.
At the time there was a great outcry that it meant users would be able to demand bug free software or perpetual security patches. In fact it just means that you can't have a Eula which says you have no rights and then ship someone an empty box.
Whie NobodySpecial is right that you'd be "stealing" the software, you'd be hardpressed to show that it happened that way out of the box.
I'm still not sure why software vendors are allowed to get away with things like this, but manufactures of physical goods cannot. I know there were laws in place to allow for moving software development further -- but isn't it time to revist those?
I think this is a good step in the right direction. I do respect Marcus Ranum's counterpoint that software liability would just benefit lawyers and not consumers. This is a possibility in many cases. However, the mere existence of liability for any company often ensures a baseline of quality across the board. Just look at retail stores and their wet floor signs. Many small ones think of it as optional, but big companies with deep pockets *always* put one down. They don't want to be sued for damage they cause, so they prevent the damage.
The software liability would have to be done more carefully. For instance, an advertised security feature being bypassed shouldn't count against the manufacturer. That's an issue of assurance and guaranteeing that is still an open research problem. I think the liability should focus on the claims made: does it have this feature? does it perform like this in the real world or only Linpack? does it run on this hardware? is it compatible with this platform?
These are examples of questions that I've asked, gotten answers, and then found that they were totally full of crap. When they weren't full of crap, their quality assurance methods had failed and the software didn't work as expected. I believe some of these products were barely tested at all. Aside from implementing quality assurance across the lifecycle, the best way for companies to make low-liability software is usage-based testing. Identify how software would be used, common actions, etc. and make tests that correspond to them. If there are bugs, the user probably won't see them by production time. This is what Cleanroom methodology does, among other things, and it consistently produces low-defect software.
The bigger point is that we *have* to deal with this problem. Government keeps talking about "cyberwar." They are mostly hyping it, but they are hitting a real problem: most of the systems in our infrastructure are exploitable with ease. The government and important civilian applications are increasingly moving from paper to digital, but the software that's being used is untrustworthy. I just see a huge problem relying on an industry that says "we don't give a shit what happens from here & you can't sue us if we devastate your business with exaggerated claims." It's time to take a stand. It's time to hold them accountable.
I’m not suggesting pirating the software, but going to the store/website paying full price for the physical cd or the downloaded bits, and not being locked in to one sided arbitration agreements, or you can't tell anyone our software sucks agreements, or we can collect any personal data you and do whatever we want with it agreements. Suppose I go to the store and buy a physical software cd. I'm not a lawyer but at this point I haven’t agreed to any terms and conditions in fact I haven’t even been given a chance to see them. The only thing I’ve agreed to is to pay a certain price for the sale of the software which I have done. Now at this point I should own the software, not in the copyright sense but in the “I own this physical cd sense”. The same as if I bought a book. I can’t Xerox the book and sell it for half price b/c the contents of the book are copywrited, but I could legally burn the book, tear it in half, use it for purposes other than its intent for example to hold a wobbly table leg up, highlight pages of the book, take a pen and write in extra words or scratch out words I don’t like etc. Why couldn’t I legally do the same for the data on a cd remember I haven’t yet agreed to any terms or conditions so I should be able to do whatever I want? And I can use the software I paid for without hitting I Agree “singing the contract” why should I be held to a contract I didn’t agree to?
This is scary. What exactly deems a piece of software to have "failed"? Is the client's poor vetting procedure sufficient to declare the software to have failed?
Fortunately in this case, the vendor didn't provide the client with all of the information required to make a proper decision, so the contract was null and void for that. But had they provided the documentation, or done a proper trial run, then hopefully the case would have gone the other way.
Perhaps I'm too jaded, but clients tend to find fault with minor inconveniences that they consider to be catastrophic. Or they complain when the software doesn't fix their input mistakes.
The problem with your analysis is that although you may have purchased a CD with software on it, you don't actually have the right to use that software until you and the software publisher agree on your license to use it. Buying software is best viewed as two transactions: One with the retailer that gets you a CD, and one with the publisher that establishes your right to use the software on the CD.
The logic most courts follow is that the software box says that the license terms are enclosed, so you "know" when you buy the software that the sale is subject to those additional terms. If you don't like the terms when you see them, you're supposed to return the software and get your money back (in some courts, that might be true even if you didn't know about the license agreement until you opened the box). But if you see the terms, don't like them, and try to change them through a bit of electronic manipulation, you and the publisher still haven't agreed on a license allowing you to use the software. In the absence of an agreement, you have no rights to use the software on the CD you just bought. Why? Because you can't run the software without copying it, and only the publisher has that right—which it hasn't granted.
That's one possible outcome. Another possible outcome is that a court could decide that you saw the license terms ("If you use the software, you agree to give us your firstborn"), knew that using the software would be acceptance of those terms, and then consented by using the software. Whether or not you clicked "I agree" may be irrelevant, especially if the publisher had a halfway competent lawyer draft the license agreement (take a look at a random software license agreement. Does it say that you agree to the terms when you click "I agree," or that you agree when you install or use the software?). Changing the wording of the agreement doesn't change that any more than adding three zeros to a $1 check would entitle you to $1000.
Now, much of this is controversial and depends on the state you're in. IANAL and TINLA, but I think the odds of a court saying, "Oh, he edited the license agreement, he gets to use what he put instead" are slim to none, though I'll admit I haven't checked for case law to the contrary. Nonetheless, I still think odds are greatly in favor of a court saying, "Nice try, kid. The license is binding."
As a developer I could take full responsibility, but I'd do that by buying insurance and passing this cost to the customer.
I would also consider restricting how my software is used, and I probably wouldn't let customers to install and configure it themselves.
I would have to refuse to sell my software to users who have potentially-destructive 3rd party software installed (and that's going to be long list, including every anti-virus product) or use system versions other than ones I tested on.
Overall it would be pain for me and customers.
Where do you get that from? I don't find anything in US Copyright that says you need their permission to use. In terms of contract, the requirement is knowing in advance (meeting of minds). Many stores don't take back opened software, so return is not an option.
If I buy a can of soda in a store, Coke can put on it conditions that they want (if you drink this, you'll send us 10% of your income for life), but that doesn't mean I have a contract.
Look up Contracts of Adhesion - most of those "contracts" on the back of parking lot receipts are NOT valid for that reason.
Further, 17 USC specifically states that copying software into memory to use it is an allowed copy.
I am not up to date with software and the sale of goods act; the case comes v close to saying the act applies to off the shelf software. If so, this puts a significant onus on vendors - certainly as regards security.
It would be interesting to see how/if it applied to suppliers of services e.g. credit card checks for web sales.
Jim G is responding in an argument that is assuming EULAs are legitimate. You are arguing that EULAs are illegitimate.
Under UK law, can't the Judge now be sued for slander and the burden of proof be on him because he said something out loud?
The average software EULA reminds me of the FAA regulation concerning fuel gauges (pilots are taught from day 1 never to rely on fuel gauges, but to calculate what the fuel consumption is based on the way they have been flying - this rule may be why) which states that fuel gauges ONLY need to be ACCURATE when the tank is EMPTY. To me, this seems like I could just leave out all the machinery and simply paint on a needle in the "E" position. It would be way off when the tanks were full, but then its not required to be accurate there. When the tank is empty it will be an accurate indication of fuel quantity.
Besides, once the tank is empty I suspect I will be able to figure that fact out pretty quickly when the big fan in front shuts off and the cockpit suddenly gets real warm.
EULA: and what about, at the beginning of installing Windows on a empty PC, the pop-up window asking if I want to answer "yes" to all the following questions?
The questions (about video driver, sound driver, ethernet driver, wireless and all formats to display their documentations (acrobat...) EULA) were not even displayed!
And if you buy a PC pre-installed with windows, all these other EULA dissapear?
If you are using windows and you do not know that the sound/video card has a different license (most of them are different) and you have never seen it, nor had a way to check, is it still binding?
Not saying that you have to use the video card to see the license of the video card driver... so it is too late.
Responding to his statement "Because you can't run the software without copying it, and only the publisher has that right—which it hasn't granted. "
17 USC 117 specifically grants:
(a) Making of Additional Copy or Adaptation by Owner of Copy.— Notwithstanding the provisions of section 106, it is not an infringement for the owner of a copy of a computer program to make or authorize the making of another copy or adaptation of that computer program provided:
(1) that such a new copy or adaptation is created as an essential step in the utilization of the computer program in conjunction with a machine and that it is used in no other manner, or
(2) that such new copy or adaptation is for archival purposes only and that all archival copies are destroyed in the event that continued possession of the computer program should cease to be rightful.
Also, contract law in the US normally requires (IANAL, but do have a class in business law) requires agreement before the transaction. Terms & Conditions inside the box hardly qualify.
First, I apologize for the length of this reply (and to Bruce for using so much reply space for an issue tangential to his original post). You asked a law student a question about a somewhat complex and interesting area of the law. The risk in doing so is that you might get a reply that resembles the answer to an essay exam.
Regarding permission to use: the reason you need the copyright holder's permission to run software is that making a copy in RAM is considered a "copy." You won't find this in the statute; it's from case law—specifically, MAI Systems, Inc. v. Peak Computer, Inc. The court in this case said that making a copy in RAM is a "copy" meets all the requirements for protection under the copyright code (fixation, originality, etc.).
What about 17 U.S.C. § 117? Short answer: it doesn't help. Take a close look at the language. The "owner" of a copy can make copies as an essential step to using the program. But who is the "owner" of a copy of software? The same case I cited above said that the publisher, not the user, owns a copy of software that is sold subject to a license. So when you "buy" software, you don't actually own it; you license it, and § 117 doesn't give you a right to run the program.
If that doesn't make sense, well, that's because it's sort of a stretch. There's a difference between owning a copy and owning the software on the copy, and I personally think the MAI court got the two confused. Nevertheless, several courts have followed MAI and said—in substance, if not explicitly—that § 117(a)(1) doesn't actually give an end user any rights beyond those contained in the license agreement. Other courts have disagreed, so it depends on what jurisdiction you're in.
In the end, it may not matter much what copyright law says because any rights you have to use the software are modified by contracts (i.e., the license agreements) between you and the publisher. So the big issue in terms of kog999's original question is whether a contract exists when someone buys software in the store, takes it home, sees a license agreement, modifies it, and then clicks "I agree."
First, note that "meeting of the minds" is not the standard; it's too subjective. The famous case on this involves people at a bar. After too many drinks, one person offered to buy the other person's farm. They signed an agreement (on a cocktail napkin, as I recall) and everything. When everyone had sobered up, one person said he was only joking, but in the inevitable lawsuit, the court said it was a valid contract. There was no "meeting of the minds" because one person thought it was a joke and the other was serious. But there had been "manifestation of mutual assent" because it would appear to the outside observer that both parties agreed to the same thing. "Manifestation of mutual assent" is in fact the modern test.
That doesn't change your observation, of course. There's no more a "manifestation of mutual assent" at the time of retail purchase than there is a "meeting of the minds." But note that I said "at the time of purchase." One of the ways courts may find a valid contract in a shrinkwrap license situation is to say that the transaction doesn't actually complete until you use the software. Here's the outline of the argument: the person making a contract offer is the "master of the offer," which means he can to decide (within limits) how the person receiving an offer can accept. So the reasoning goes that a software publisher selling a box of software subject to a license has proposed a contract that invites acceptance by using the software after having an opportunity to review the license. The contract isn't complete until you manifest your assent by using the software. The two big cases on this are ProCD v. Zeidenberg and Hill v. Gateway 2000. ProCD was about a software shrinkwrap license, and Hill was about a license included in the box with a mail-order computer. Both cases held that the licenses were valid.
But these cases aren't universally followed. Another case, Step-Saver Data Systems v. Wyse, held that a shrinkwrap license wasn't binding. The court in that case said that the acts of ordering, shipping, and paying for software ordered by phone demonstrated the existence of a contract, and that an included shrinkwrap license was merely an offer to modify the contract; the customer was free to reject that modification offer.
The result is a jurisdictional split on whether or not a shrinkwrap license is valid. I personally think the ProCD/Hill approach is iffy. When I walk out of a store with a box of software after having paid someone for it, I think I just completed the transaction. But many courts still hold the shrinkwrap license valid.
By the way, I think you're right about returning the software. It seems like a legal fiction to say that the customer can take the software back. Perhaps the idea is that you could return the software to the publisher (not the retailer) for a refund. I'm unaware of any case where someone tried to return software because they disagreed with the license agreement. Either (a) stores or the publisher will take the software back for this reason, or (b) no one has tried it.
These cases all applied to printed licenses on paper. None of them required clicking "I agree" on a computer screen. I'm honestly not sure what the migration of these agreements to electronic form changes, if anything. Surely if I had a paper copy of a license and struck out language I didn't like, I could not claim to have modified the license agreement. Would striking that language in electronic form before clicking "I agree" be any different from that? I don't think so, but sillier arguments have been attempted in court.
Incidentally, this is an example of why it's often a very bad idea to rely on what "the law" is based purely on reading a statute. Statutes are just the start. The real law comes from case decisions and knowing how courts have interpreted what the statutes say. If you read a statute but not cases that have interpreted that statute, odds are good that you misunderstand the law—and probably think the law is much simpler than it really is. You don't think IT security folks invented the "it depends" answer, do you?
Thanks, Jim G this was the kind of law opinion i was interested in very detailed response. Though I don’t plan it personally putting it to the test any time soon.
"By the way, I think you're right about returning the software. It seems like a legal fiction to say that the customer can take the software back. Perhaps the idea is that you could return the software to the publisher (not the retailer) for a refund. I'm unaware of any case where someone tried to return software because they disagreed with the license agreement. Either (a) stores or the publisher will take the software back for this reason, or (b) no one has tried it."
It’s pretty much impossible to return opened software to Best Buy or similar stores (same with music cd’s or video games). I guess they assume people would just install the software and then claim they didn’t accept the license and get a refund effectively getting the software for free. If you bought it from the manufactures website it’s hit or miss but for bigger companies mostly miss. I don’t know if there are any actual lawsuits over this but this but I’ve heard of a case with windows that came preinstalled with a Dell computer. A customer didn’t want to use windows and installed linux instead, they called dell enough times and eventually got a refund of like $40.
@ Jim G.
Thanks for a more detailed explanation of US practice in this field. Anyway in *my* opinion (IANAL) it indicates that either the US legal system or the current practice has a major flaw. It seems the judges are more likely to consider the exact phrase ('the letter') and not the intent of the provision ('the spirit').
If you take the term 'Owner of the Copy' from the cited paragraph, as you have indicated courts do, as meaning the owner of the copyright (e.g. the software publishing house) the provision in the § 117 makes no sense at all. The owner of the copyright already has all rights to make copies, for any purpose whatsoever. Therefore granting him extra copying rights for strictly limited purposes by USC 117 is completely pointless and redundant. The logical (for me) conclusion is that the intent of the Congress (or whatever body that has passed this law) is that the 'Owner of the Copy' means someone else than the copyright owner.
In my jurisdiction (far detached from USA, both geographically and by the legal tradition) the Copyright Act has exactly the same provisions as USC 117 (as far as I can understand English text) yet they are treated as the rights of whoever holds a legally obtained copy, not the owner of the copyright.
Indeed, how do you Americans perform backup copies of your hard drives without landing in jail? :-P
Had to look up MAI systems. Actually, that court case predates 17 USC 117, and led to 17 USC 117 - to remedy the problem you mention.
In terms of returning software -the problem is this: the "return the software to the place of purchase" is in the license from the publisher. The place of purchase (Best Buy for example) will tell you the agreement is with the publisher, not them. The publisher (MS for example) will tell you the directions say return to the place of purchase. So no one takes it back.
I'll have to look up the other cases, although the first one does indicate that, within 7th circuit, shrink wrap MAY be enforceable (see above on non-returnability, which ProCD depended on).
If I recall correctly, only part of 17 U.S.C. § 117 predates MAI. Paragraphs (a) and (b) already existed when MAI was decided. After MAI, Congress amended the statute to add (c) and (d). In other words, the provision allowing the "owner" of a computer program to make copies necessary to run the program or make backups already existed when MAI was decided. The amendments addressed situations where a computer service tech was technically violating copyright by booting up a client's machine (whether or not the end-user is the "owner" of the software on his computer, a third-party support person clearly is not). The amendments overturned MAI's result (but not its logic) by saying that running an "authorized copy" of the software for maintenance purposes is okay.
FWIW, here's the MAI court's entire analysis of the ownership issue (in a footnote, no less): "Since MAI licensed its software, the Peak customers do not qualify as 'owners' of the software and are not eligible for protection under § 117." I agree that this doesn't make a lot of sense and makes § 117(a) moot. But there we are. The only consolation is that not all courts follow this logic.
By the way, the Ninth Circuit Court of Appeals has three cases before it right now that turn on the definition of "owner"—Vernor v. Autodesk; UMG v. Augusto, and MDY v. Blizzard. In a year or so, we'll know a lot more about what (one circuit thinks) "owner" means.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.