Schneier on Security
A blog covering security and security technology.
December 5, 2013
The Problem with EULAs
Some apps are being distributed with secret Bitcoin-mining software embedded in them. Coins found are sent back to the app owners, of course.
And to make it legal, it's part of the end-user license agreement (EULA):
COMPUTER CALCULATIONS, SECURITY: as part of downloading a Mutual Public, your computer may do mathematical calculations for our affiliated networks to confirm transactions and increase security. Any rewards or fees collected by WBT or our affiliates are the sole property of WBT and our affiliates.
This is a great example of why EULAs are bad. The stunt that resulted in 7,500 people giving Gamestation.co.uk their immortal souls a few years ago was funny, but hijacking users' computers for profit is actually bad.
Posted on December 5, 2013 at 6:58 AM
Not like it's even profitable! The current network hash rate is ~6 PHash/s, driven by ASICs. Even the botnets have given up on Bitcoin mining.
Why is this actually bad? It's just another form of payment. It's a surprising clause (and that can be forbidden in some jurisdictions, i.e. Germany or perhaps the whole of the EU), but if people willingly accept this???
Seems like the quoted EULA doesn't cover bitcoin, though. How does solving the problem for profit either confirm transactions or increase security? And why would a reasonable person read that clause and think anything like bitcoin?
Ok, I will admit it's sort of sleazy, but it's not illegal, and if you listen to Seymour Rubinstein, the inventor of the EULA, on Triangulation episode 128 (http://twit.tv/show/triangulation/128), you will see that he was forced to invent the EULA to preserve his ability to make money from writing software, in a climate that thought software purchase was software ownership, not a licence to use.
So fast forward nearly 40 years and you have companies writing 'freeware' (not open source) and endeavouring to make a profit from their work. So far they have tried bundling, redirection, popup ads etc. This is just another way for the user to 'pay' for their free software.
That said, I am thinking that the inclusion of the 'Computer Calculation Security' clause in this EULA opens an interesting door for a counter claim: that of billing the vendor for the extra resources (power, wear-and-tear etc.) used outside of the admitted and disclosed functioning of the software.
Not that a bill for a few dollars would be a problem, but perhaps many thousands of individual invoices would cause them to think of a better way to make money.
The mutualpublic miner I encountered was actually mining primecoin, not bitcoin, so CPU mining is still feasible.
See link for a zip file containing the executables taken from c:\temp and c:\program files, and a screenshot showing the mining process while running. I assume the readers of this blog know how to handle such files.
s -- obviously there's no one who willingly accepts this, because no one reads EULAs. The court decisions that let "terms of service", EULAs, et al. have the same power as conventionally signed contracts were terrible law, and actual legislation should be put in place to bar these from having any force whatsoever.
Another story about adhesion contracts from earlier this year at http://www.dailymail.co.uk/news/article-2387954/...
- Dmitry Argarkov, 42, made his own alterations to a credit card contract
- He gave himself 0% interest, unlimited credit and exemption from fines
- Mr Argarkov sent the amended contract back to Tinkoff Credit Systems which sent him a credit card without noticing the changes
- The company tried to sue Mr Argarkov two years later for late payments
- But a court ruled Mr Argarkov only had to pay the balance owed but not the interest or late fees as per the terms in his contract
- Mr Argarkov is now suing the bank for breaching the terms of the contract
As I go over all the bills and statements and announcements and changes to this or that plan or arrangement or contract that have flooded into my mailbox recently, it occurs to me that this is a form of concerted action. Corporate managers have collectively determined to overwhelm us with fine print. We can't possibly read all this crap, much less meditate like some 18th century aristocrat on the implications of the content. Yet we can't do so much as download an update to Adobe Acrobat without "signing" a contract. We are conclusively presumed to have read, understood, and agreed to every lawyer-drafted word, and yet everybody knows that none of us reads this. Not even Ron Paul -- so don't start with me. And the more of these contracts we get, the less likely it is that we will read any of them. So corporations have an incentive to send more of them and make them longer and more verbose. This is a collective decision on their part, and it is working, and they know it.
- Evan McKenzie ( who is a lawyer and law professor )
"The Fine Print Society"
December 22, 2011
"Nobody reads EULAs" has been _almost_ true for quite a while. In one Usenet discussion (back before Usenet became just alt.torrent), I mentioned some particularly nasty bit from a Microsoft EULA, and was challenged for hyperbole by a MSFT lawyer, who stated that no such term existed. Then I posted title, platform and version, and got a "Well I'll be darned" from him. Seems even MSFT's own lawyers didn't read the EULAs.
As for the purpose being to numb us all, I'd say that has a grain of truth, OTOH, every time some bank sends me a "privacy notification" that says, basically "We will do whatever the heck we want with your data and you can tell us to stop but that will only apply until the next time we change our procedures which you agree we can do at any time without notice or permission", I have to assume that it is because some "we must do something" legislation is behind it. _Effective_ notice is something that will never exist as long as corporations have vastly more resources and more legislators on the payroll than any consumer group can hope for.
I particularly like the part where they say something to the effect that "We won't do anything nasty as long as you object _and_ it's illegal for us to do so". Why not work the logic and plainly state: "We will do what we want as long as we can buy the legislation to make it legal".
This sort of heavy computational lifting costs each person a fair chunk of change for electricity and cooling. Plus it runs the computers very hot, and they tend to die vastly faster. It's about getting consumers to spend hundreds or thousands so the software maker can make pennies.
Oh, and it's commonplace for folks to run mathematical computations in the background to verify computers are working correctly. (A disturbing number fail.) So it can be a little hard to spot the criminals.
You might consider how you feel about this when the software is required by your kid's school, or by employers or government agencies. It's just a matter of time...
@MikeA - the court knows this and generally sides with the party with the least power.
That's why Dmitry won over the bank. The court decided that the bank had all the power, its lawyers drafted the original agreement and it is expected to have lawyers who understand them.
The court is unlikely to decide that downloaders of a toolbar expected it to run their machines 24x7 to mine bitcoins or would have a reasonable expectation of searching the EULA for such demands.
I don't think that this is ever intended to go to court at all. Most of the people who would download the various things mentioned (which, from what I recall, are all "toolbars" and other such things that have no legitimate IT use, but instead are marketed at, frankly, those who are expected to be entirely inept with computers) are not likely to notice anything other than "my computer is slow" and assume that "a virus" got on there.
In all likelihood, it's not "just" bitcoin that's being used for this; as others have mentioned, there's other cryptocurrencies that are being used as well. Further, the way it's written, any kind of "mathematical calculations" could be "solved" and be in accordance with the terms, which, given that CPU instructions are entirely made of math, can frankly be anything at all that they choose to run, whether it's a password cracker or a spam relay.
The UK has a law covering unfair terms in contracts which are not negotiable.
As such, if I had an immortal soul and accepted the Gamestation EULA, then I'd keep my soul.
I'm not sure if mining is unreasonable in a legal sense; I don't know if the court would expect consumers to consider how it is funded.
What if this were a willing transaction, would it still be bad?
What if Microsoft demanded you to mine to use their Office software? Metering and mining could be a new economy.
No, the problem with EULAs is that they are so long and ridiculous that no one reads them. You've just found a symptom of the problem.
A comment in the linked article mentioned this book:
The Fine Print: How Big Companies Use "Plain English" to Rob You Blind
In Europe, this sort of deceptive trade practice is regulated by EU Directive 2005/29/EC on unfair business-to-consumer commercial practices, which all member states are required to translate into national law.
Since it is impossible for anyone to understand from the EULA that the machine will be used for bitcoin mining and what this means, the clause is illegal. In a court of law, this can be invoked to void the contract, claim punitive damages and convict the vendor for deceptive trade practices, possibly carrying an additional fine or jail time. To cut a long story short: in the EU, it's not because something is in a EULA and an unwitting customer has accepted terms he has no way of understanding that they can be enforced just like that.
Every state in North America (USA, Mexico and Canada), has a distinct Sale of Goods Act. I have read a few of them and they were all very similar. These EULAs are pretty much all moot.
In a court of law, this can be invoked to void the contract, claim punitive damages and convict the vendor for deceptive trade practices, possibly carrying an additional fine or jail time.
Only the 'little people' go to jail.
@Dirk Praet , @herman
In Germany in particular, ALL these EULAs which are only readable AFTER the sale are void.
Here they are called AGBs (Allgemeine Geschäftsbedingungen) and there are pretty strict rules rendering them void if they have a form of "immoral contract" (Verstoss gegen die guten Sitten).
So, screwing someone with EULAs is at least more difficult here, but...
..."no complaint, no redress", or latin "Nullum ius sine actione"
See also: Digsby, a freeware multiprotocol IM client, which uses your computer for distributed computation, and was pretty sneaky about it originally. (I think it wasn't in their original TOS.)
Miramon - In fact, EU law deliberately puts EULAs at a lower legal level than conventional agreements, for that reason.
The "cute" example of this was, incidentally, PC Pitstop's clause that the first person to contact the makers and quote the clause would get a monetary reward.
It wasn't claimed for several months.
The English common law position on adhesion contracts, followed as well in common-law Canada, was that the contracts were binding, but if there were any surprising terms in them, they would have to be pointed out very clearly. That kind of reasoning has led (in the US too, of course) to rental car contracts where the customer has to initial a few of the particularly important (and onerous) clauses, like the cost of extra insurance (or the fact that it's not taken), the cost of a refill if the rental agency has to do it, and one or two other things. The rest is basically boilerplate that you don't have to read: you know that if you bring the car back and pay for it, you're OK, and if not, you're in trouble. You don't need the details for most purposes.
Ditto the average EULA - the key is that you're not buying whatever it is, you're licensing it. So you can't do a bunch of stuff. Provisions like permitting the mining of bitcoins or the sale of one's soul (enforcement being beyond the jurisdiction of the secular courts) would not be binding without special notice, and some terms are unconscionable even at common law.
It is true that EU laws on unfair contract provisions have pushed back even further, but we're not defenceless in North America either.
I don't see a legal problem: if it's spelled out publicly in the terms, it seems there would be no fraud.
As for protecting users from shady practices, that's why we have app stores, app reviews, people who summarize EULAs, etc.
If there was only a site where all the software you can download had their licenses vetted according to a well-defined set of ethical guidelines. And if most of the software even came under the same terms so that you would only have to familiarize yourself with a few different license texts.
Oh wait ...
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.