
bruzzes
Premium
join:2001-04-26
Euclid, OH
·RoadRunner Cable

EULA Privacy Statements.

Buoyed by the tremendous responses and great advice given in this topic:

http://www.broadbandreports.com/forum/remark,8573406~root=security,1~mode=flat

I have another simple question to ask.

When downloading software from the net, what are the sentences (or essence of sentences) one needs to search in order to avoid spyware and malware from being installed?

I realize that the answer is not as simple as the question, and that spyware and malware are two separate issues.

But are there some guidelines on what constitutes an assurance that the program is clean?

I ask, not only for myself, but because (MOST) people do not read the Privacy statement due to the complexity and legalese used. Perhaps if there was a small set of guidelines, one could peruse the agreement by searching for keywords like "3rd party" software, or the like.

Any suggestions?

Sorry if this has been asked before...
--
"Where am I" I asked. "You're on the Island of Conclusions" he replied. "How did I get here?" said I. "Why you jumped here, of course"

dave
Premium,MVM
join:2000-05-04
not in ohio
·Verizon Online DSL
·Verizon FIOS

I think there is no short answer. The EULA is, in essence, a contract. Would you sign any contract without reading and understanding it, but instead simply look for 'key phrases'?

In the case of most scumware, I assume the scum actually want you to skip over the EULA without reading it, while being able to claim (if necessary, in a court of law) that they told you everything. Thus, I'd conclude that looking for obvious phrases is a non-starter, because using obvious phrases is counter to the scum's goals.

I don't even see that it's required for anyone to tell you who wrote the software (hence '3rd party' is not likely to appear).

The important thing, for me, is knowing what information is gathered (and gathering anything at all, past the installation phase, should be a red flag).

eburger68
Premium,MVM
join:2001-04-28

reply to bruzzes
bruzzes:

This is an excellent question (or set of questions).

I'm assuming that you're concerned about classic bundled adware -- i.e., software that piggybacks on other software (host software). The classic example of this is KaZaA, so let's take a look at KaZaA's EULA (»www.kazaa.com/us/terms.htm)

said by KaZaA EULA:
7. Sharman's Right to Run Advertising without Payment to Users

7.1 Sharman reserves the right to run advertisements and promotions on the Kazaa Media Desktop.

7.2 By accepting the terms of this Licence, you agree that we have the right to run such advertisements and promotions without compensation to you.

7.3 The timing, frequency, placement and extent of advertising by us within the pages comprising kazaa.com or the Kazaa Media Desktop is subject to change and shall be determined by us at our sole discretion.

7.4 Your correspondence or business dealings with, or participation in promotions of, advertisers found on or through the Kazaa web site or Kazaa Media Desktop, including payment and delivery of related goods or services, and any other terms, conditions, warranties or representations associated with such dealings, are solely between you and such advertiser.

7.5 You agree that Sharman is not responsible or liable for any loss or damage of any sort incurred as the result of any such dealings or as the result of the presence of such advertisers on the Kazaa Media Desktop and/ or the Kazaa web site.

8. Links to Third-Party Sites and Channels

8.1 Sharman may provide links to or frame various third party web sites or frame within such sites through the Software or on kazaa.com, including co-branding and other relationships that offer e-commerce and other services and features to users. Any third-party sites, including channels, to which kazaa.com or the Kazaa Media Desktop may link or frame are not under control of Sharman. Sharman does not have any responsibility or liability for any information, data, communications or materials available on such third-party sites. These linked and framed sites are only for your convenience and you therefore access them at your own risk.

The company grants itself the right to inundate you with advertisements, make money off those advertisements, junk your computer with those advertisements, all without incurring any responsibility to you.

You'll find that this is a frequent theme in these EULAs: we have all kinds of rights but no responsibilities; you have all kinds of responsibilities but absolutely no rights.

said by KaZaA EULA:
9. Third Party Software

9.1 During the process of installing Kazaa Media Desktop, you must install software from third party software vendors pursuant to licences or other arrangements between such vendors and yourself ("Third Party Software"), including without limitation those software components noted in Section 9.4 below. Please note that the Third Party Software may be subject to different licences or other arrangements, which you should read carefully. By installing and using this Third Party Software you accept these Third Party Software licences or other arrangements and acknowledge that you have read them and understand them. Sharman does not sell, resell, or license any of this Third Party Software, and Sharman disclaims to the maximum extent permitted by applicable law, any responsibility for or liability related to the Third Party Software. Any questions, complaints or claims related to the Third Party Software should be directed to the appropriate vendor.

9.2 Sharman makes no representations or warranties of any kind concerning the quality, safety or suitability of this software, either express or implied, including without limitation any implied warranties of merchantability, fitness for a particular purpose, or non-infringement to the maximum extent permitted by applicable law, in no event will Sharman be liable for any indirect, punitive, special, incidental or consequential damages however they may arise and even if Sharman has been previously advised of the possibility of such damages.

9.3 There are inherent dangers in the use of any software available for downloading on the Internet, and Sharman cautions you to make sure that you completely understand the potential risks before agreeing to install any of the Third Party Software. You are solely responsible for adequate protection and backup of the data and equipment used in connection with any of the Third Party Software, and Sharman will not be liable for any damages that you may suffer in connection with using, modifying or distributing any of the Third Party Software.

9.4 Embedded Third Party Software

9.4.1 Cydoor. The Software includes a Cydoor Technologies advertising delivery program, which may display web content such as banner ads, e-commerce offers, news headlines and other value-added content. The Cydoor component uses your Internet connection to update its selection of available ads and stores them on your hard drive. For information on Cydoor Technologies and their software, go to »www.cydoor.com. For information on their privacy policy, go to »www.cydoor.com/Cydoor/Company/Co···vacy.htm.

9.4.2 Topsearch. The Software includes the Topseach software provided by Altnet. The Topsearch component regularly downloads an index of available Altnet content through your Internet connection. This index contains a list of available rights managed files which can be displayed in your search results. For information on Altnet and their software, go to »www.altnet.com. For information on their privacy policy, go to »www.altnet.com/privacy/.

9.4.3 Bullguard P2P. The Software comes with a virus protection feature provided by Bullguard Technology, which is designed to guard your computer from virus attacks by quarantining and deleting files downloaded via P2P that may have a virus. The BullGuard P2P component will update its virus definition file through your Internet connection. . For information on Bullguard and their software, go to »www.bullguard.com. For information on their privacy policy, go to »www.bullguard.com/privacypolicy.aspx

9.4.4 GAIN AdServer. Kazaa Media Desktop incorporates a software component called the GAIN AdServer, which is provided by GAIN Publishing. The GAIN AdServer software identifies your interests based on some of your computer usage and uses that information to deliver advertising messages to you. This software helps keep Kazaa Media Desktop free. The GAIN AdServer is provided pursuant to the GAIN Publishing End User License Agreement and Privacy Statement (located at »www.gainpublishing.com/help/psdo···p51.html), which you acknowledge that you have read and accept. If you would like to stop receiving advertisements through the GAIN AdServer, you will need to remove all GAIN supported software from your computer, including Kazaa Media Desktop, using the Add/Remove Programs Control Panel. For further information on GAIN Publishing and the GAIN AdServer, go to »www.gainpublishing.com/.

9.4.5 PerfectNav. Kazaa Media Desktop comes with a software program called PerfectNav, which is provided by eUniverse, Inc. PerfectNav is designed to redirect your URL typing errors to PerfectNav's web page. This software helps keep Kazaa Media Desktop free. The PerfectNav software is provided pursuant to the PerfectNav End User License Agreement (located below as Exhibit A), which you acknowledge that you have read and accept. For further information on eUniverse, go to »www.euniverse.com/.

And here are the terms notifying you of the installation of a whole host of third-party software. Notice that in agreeing to this agreement, you're effectively agreeing to the terms of agreement with at least five other software makers, which they name and link to. So, you'll have at least five other agreements whose terms you'll be bound by. You'll find that those other agreements are just as exploitative as this one. And once again, the company exempts itself from any and all responsibilities for this third-party software (even though they're making money off it).

KaZaA (Sharman Networks) also provides a privacy policy, which you can read here:

»www.kazaa.com/us/privacy/privacy.htm

It's not much of a privacy policy, though, as it pretty much says that Sharman Networks will collect massive amounts of data, use it however it wants, and that's just your tough luck.

Rather than run through the terms of other EULAs and privacy policies, let me give you links to some classic examples:

GAIN (Gator) EULA
»www.gainpublishing.com/help/app_···est.html

GAIN (Gator) Privacy Policy
»www.gainpublishing.com/help/psdo···e51.html

FunWeb EULA
»www.funwebproducts.com/eula/

FunWeb Privacy Policy
»www.funwebproducts.com/privacy/

eAnthology (Stop-Sign) EULA
»www.eanthology.net/legal/?pg=sto···e&rfx=na

eAnthology (Stop-Sign) Privacy Policy
»www.eacceleration.com/privacy/?p···e&rfx=na

KeenValue EULA/Privacy Policy
»www.keenvalue.com/privacy.htm

IE Plugin EULA/Privacy Policy
»www.ieplugin.com/terms.html

SearchEnhancement EULA
»www.searchenhancement.com/terms.html

SearchEnhancement Privacy Policy
»www.searchenhancement.com/privacy.html

NewDotNet EULA
»www.new.net/policies_software.tp

NewDotNet Privacy Policy
»www.new.net/policies_software_privacy.tp

Note that some of these EULAs and privacy policies are for classic bundled adware -- products that are bundled with host apps like KaZaA -- and others are standalone products that are installed off the web, often by drive-by-downloads. Some of the apps covered here fall under both categories.

For a discussion of Privacy Policies and why they're generally worthless as guarantees of privacy (including links to news articles and a line-by-line analysis of Yahoo's policy), see this page:

»www.staff.uiuc.edu/~ehowes/priv-pol.htm#that

For a breakdown of what constitutes "crapware," "hijackware," "spyware," and other unwanted software, see these pages:

»www.staff.uiuc.edu/~ehowes/crap-count.htm
»security.kolla.de/index.php?lang···etpolicy
»www.spywareguide.com/category_list_full.php

Unfortunately, there isn't a simple set of guidelines on what to look for. The best thing to do is to read a good sample of EULAs and privacy policies. In doing so, you'll become familiar with the terms that are almost universal to all such agreements and you'll be able to spot more quickly those that are unique to any one particular EULA or Privacy Policy.

Hope the above has been of some help.

Best,

Eric L. Howes

mens rea
Premium
join:2002-01-31
Canada
·Shaw

reply to bruzzes
After having read some of Eric's posted EULA's etc. some quick observations that may help you sort through the "legalese" or at least give you some things to watch out for. For the most part each EULA/Privacy Policy seems to make use of pervasive provisions which are less than favourable to the user. Hopefully when you see the following pitfalls you can avoid being taken advantage of by "FoistwareInc".

1. Firstly take the time to read the EULA. Frequently, as Eric's post above illustrates, the EULA will inform you directly that by downloading their product you are also implicitly consenting to the installation of third party software and are consenting to the terms and conditions that go with that software. Coincidentally those terms and conditions are usually not present in the EULA you are reading. Human nature being what it is, most people won't even read the EULA in the first place, much less interrupt a software installation to determine just what else they may have consented to. Guess what FoistwareInc is counting on.

2. Beware of terms or conditions that allow the software provider to unilaterally change the EULA, or privacy policy with little or no notice to you. For example, "FoistwareInc may at anytime for the better use of their product, modify the terms of the above license"....or "Posting at Foistware.com shall constitute notice to all users...". In other words we can change the terms of our agreement anytime we darn well please, the only condition being that it benefits us.

3. Does the company even have a Privacy Policy? They usually do, for what it's worth, so have a look at it. This is particularly important if that policy has been "incorporated by reference" into the EULA. Again what you read in the EULA may not be the entirety of the agreement. And again be leery of vague or broadly worded language. The use of the word "may" in such a context where the software provider will benefit in some form can usually be construed to mean "will". For instance, "Foistware, in order to provide you with better service, may collect data as to the use of our product...and distribute that data to 3rd parties in order for them to provide appropriate material to further enhance the use of our product". A quick translation: "What is yours is now ours, and about to be theirs".

4. Be leery of privacy statements that reference and use third party service providers, and then deny any responsibility for the conduct of those providers ie "Foistware, in order to provide user specific advertisements may make use of and read third party cookies placed on our behalf. Foistware takes no other responsibility for the setting, access and use of that material, which is governed by the privacy policy of the third party providers." This is one of my favourites, talk about wide open. In this scenario the user has not only consented to the download of material from "Foistware", but as a result of that agreement with Foistware, literally opened his/her pc to the world and whim of third party affiliates of Foistware, and Foistware conveniently abrogates all responsibility for their conduct. What a laugh.

5. Finally don't be fooled by loaded language. The examples I have given above for FoistwareInc, while not direct quotes from the various EULA's/Privacy Policies, make use of similar loaded terminology which is pretty much meaningless, and in reality no doubt intended to be that way. Frequently used terms like "enhance", "experience" and "opportunity" are used to place a positive spin on the exploitation of your pc and your privacy.

Just some quick observations;)

bruzzes
Premium
join:2001-04-26
Euclid, OH
·RoadRunner Cable

reply to eburger68
Another comprehensive answer that is informative, concise, and broken down into simple layers for novices such as myself in this area.

For some reason I feel apologetic for asking such simple almost naive questions, but sometimes those are the most important questions to ask.

Dave's answer is also important. However, it is BECAUSE most people don't read the EULA, that I had asked for some guideline.

So it is safe to say that the following terms can be found that warrant caution:

Right to Run Advertising without Payment to Users

By accepting the terms of this Licence, you agree that we have the right to run such advertisements and promotions without compensation to you.

May provide links to or frame various third party web sites or frame within such sites through the Software

Embedded Third Party Software

Again, thanks for an informative answer.
--
"Where am I" I asked. "You're on the Island of Conclusions" he replied. "How did I get here?" said I. "Why you jumped here, of course"

eburger68
Premium,MVM
join:2001-04-28


reply to mens rea
mens rea:

Excellent post with very helpful advice. I want to amplify a few of the things you pointed out about these privacy policies.

said by mens rea:
Beware of terms or conditions that allow the software provider to unilaterally change the EULA, or privacy policy with little or no notice to you.

This kind of language is almost ubiquitous in these kinds of EULAs and Privacy Policies, and it's why I advise people that as privacy guarantees, these documents are well nigh worthless. The kind of clause mens rea describes is a "get out of jail free" card for the company; it effectively undercuts what few protections you were given in those EULAs or privacy policies.

There's another very similar clause that often (but not always) appears in these documents -- it usually runs something like this:

"From time to time FoistwareInc may update the functionality of its software and install those updates without prior notice on your computer through a remote network connection. You consent to the installation of all future updates and agree to abide by the terms of any license agreements that may come with those updates."

Coupled with the "we can modify this policy/EULA at will" clause from above, this second clause essentially gives FoistwareInc the key to the front door and carte blanche to install anything on your computer without any notice whatsoever. I've said before and I'll say it again: it's increasingly the case that the only difference between classic malware such as trojans or worms and commercial crapware is a EULA. That's it. Beyond that EULA (which a worm or trojan will never show you), the functionality is essentially similar.

said by mens rea:
Frequently used terms like "enhance", "experience" and "opportunity" are used to place a positive spin on the exploitation of your pc and your privacy.

Yes, this is classic. If the company's trying to do a sales job in the License Agreement, you can be certain that something fishy is going on. Most License Agreements read like attorneys wrote them because, in fact, attorneys did write them. If you're reading a License Agreement and you start to get the sense that some flack in Public Relations had a hand in it, that's because the company has something to hide, and when companies have something to hide (in plain sight!), they turn to Public Relations.

The classic example of this is the kind of language that often leads off Privacy Policies. It usually reads something like this:

"FoistwareInc takes your privacy seriously and is devoted to protecting your privacy and enhancing your customer experience."

Rest assured that nothing in what follows will be devoted to protecting your privacy; almost everything that follows will be describing all the ways that FoistwareInc will be exploiting your privacy. Does the company take your privacy seriously? You bet they do: they'll be seriously devoting themselves to exploiting it because it can make them a serious pile of money. And the only thing that's going to be "enhanced" is their bottom line.

Thanks once again, mens rea, for the informative post.

Best,

Eric L. Howes

ross

join:2000-08-16
reply to bruzzes
EULA
Definition; "'EU' Lose All" control over your PRIVACY.

mens rea
Premium
join:2002-01-31
Canada
·Shaw

reply to bruzzes
What I find most frustrating in all of this is that if anyone were to have a run at most of these boilerplate EULA's etc. the court would probably throw them out as unconscionable. The reality is, who is going to sue over a free software program, particularly when it would be very difficult to quantify your damages ie I was inundated with ads and my pc seemed to be a lot slower. Pretty much user beware.

eburger68
Premium,MVM
join:2001-04-28


reply to bruzzes
Hi:

I've been mulling over this all afternoon. A couple more clauses that we're starting to see in EULAs and Privacy Policies ought to be mentioned. Both of these clauses are driven by the desire of crapware companies to get some legal leverage against apps like Ad-aware and SpyBot S&D.

The first clause specifies that the user agrees not to use "unauthorized uninstallation methods" -- in other words, you can't use a third-party app like Ad-aware or SpyBot S&D to scrub your PC clean of their garbage. Here's a good example from the GAIN (Gator) EULA ( »www.gainpublishing.com/help/app_···est.html ):

said by GAIN EULA:
Access and Interference. You agree that you will not use, or encourage others to use, any unauthorized means for the removal of the GAIN AdServer, or any GAIN-Supported Software from a computer. For a list of authorized means for the removal of GAIN-Supported Software, view »webpdp.gator.com/gain/51/about-gain-01.html. You also agree that you will not use, or encourage others to use, any robot, spider, other automatic or non-automatic manual device or process intended to interfere or attempt to interfere with the proper working of any GPI Supplied Materials, or third party GAIN-Supported Software. You agree not to use any means to avoid the display of any GAIN Ads while retaining the ability to use any GAIN-Supported Software other than purchasing a license to all GAIN Supported Software.

Another clause that I've started seeing is one that authorizes the company to remove software from your computer that "interferes" with their service and software. What might that be? It could easily mean anti-crapware apps like Ad-aware and SpyBot S&D -- those are obvious targets. But couldn't it also mean a firewall that you've configured to deny internet access to their apps? How about the new NAV 2004 that targets their app for removal?

You can think of this clause as the "Radlight clause" in honor of the software that caused a furor during the spring of 2002 when it uninstalled Ad-aware without notice or warning. Radlight took a beating for that move. These companies would still very much like to bite back at Ad-aware and other similar apps, but they're much more careful to cover their backsides.

Here's an example of that clause from CommonName ( »www.commonname.com/eng/help/poli···ence.asp ):

said by CommonName EULA:
2. USE
(...)To enable our service to operate, it may be necessary to override or remove software from your computer that performs a similar function or tries to override or hinder our service. By choosing to download CommonName you authorise us to take this step.

CommonName will do its best to continue offering the services “as is”, but may be required for various reasons, within or not within our control to alter any part of its services. By choosing to download CommonName you authorise us to make any amendments that we deem appropriate or are required to make.

You'll notice the language that mens rea and I mentioned earlier which gives the company carte blanche to push whatever software and modifications it desires onto your computer.

Folks, these are not companies or applications that you want to have any business with.

Best,

Eric L. Howes

mens rea
Premium
join:2002-01-31
Canada
·Shaw

Eric, I had read those conditions with some interest, and in fact referred to them in your post concerning Dell and spyware removal: »Dell does not support the removal of spyware. Personally, I would not hesitate to use a third party program to remove such offending software, particularly where there has been no notice by the crapware company that the installation of their product may in fact impact upon the performance of my pc.

I suppose crapware may (and I do emphasize may) have some sort of leg to stand on if the removal program merely strips the offending component and otherwise leaves the software intact and usable, since it has now been altered for use. Simple solution, have it break completely, and good riddance.
over 10.5 years online! © 1999-2010 dslreports.com.