First Worm with a EULA?

ErikRed1488 writes "There is a new virtual postcard from Friend Greetings, owned by Permissioned Media that prompts you to install their software to view the card. You are then presented with a EULA granting them permission to e-mail all the Contacts in your Outlook Address Book. Those people are presented with an e-mail from you telling them they have a greeting card to pick up. So, this thing spreads like a worm, but includes a EULA that 95% of users won't take the time to read. Symantec isn't detecting this as a virus, but does have information about it on their site. In addition to the worm-like way it spreads, it also installs spyware designed to deliver ads to your computer. You also give them permission to install further software any time they want. In my opinion this is completely nasty, but it's all clearly in the EULA that you must agree to before it installs the software."

The First Worm Written By a Microsoft Lawyer...

Need I say more?

Re:For perspective...

speaking of lawyers... are eula's treated like contracts, legally speaking? if so (and i'm pulling from a business law class from several years ago), illegal or unethical points of a contract are null and unenforcable by default, regardless of what you sign. i.e. - if you sign a contract to mow my lawn, and it states that if you cut down my roses, i get to kill your firstborn in a satanic ritual - well, that's just not enforcable.

too bad online legislation moves so slowly... i think i'm going to register for every spam list i can with my representatives' email addresses, and see if that gets things moving along... umm.. just kidding, secret service guy reading this over my shoulder.

a

Re:For perspective...

EULAs try to be contracts -- but think back to your business law class, and look at the requirements for that contract:

- The parties must give the appearance that they're serious about signing a contract (one party can't be obviously joking).

- The parties must be competant (old enough, sane enough, sober enough).

- There must be consideration (both parties must gain something or force some new obligation on the other party).

- The purpose of the contract must be legal.

The third element doesn't matter if one doesn't get past the second: In your average software purchase, what does the EULA give you that you wouldn't otherwise have, or restrict the other party from doing that they otherwise could?

Now, if it's a free download, and you're only offered the download if you click through the EULA, that's an entirely different matter: there's clear consideration in that you're being allowed the download at all. On the other hand, if you purchase the software without the EULA being a condition of the purchase, unless the EULA offers some further consideration it may not be binding at all.

Another question raised: What if you aren't competant to agree to the EULA for a piece of software (due to being drunk, or insane, or a minor, etc)? Well, if the situation is such that you really have no right to use the software without agreeing to the EULA (which is likely the case with a free download conditional on clicking through the EULA, but unlikely to be the case if you purchased the software from a 3rd-party vendor who didn't make you agree to the EULA before the purchase), then you're using it illegally. If, on the other hand, you had the right to use the software even without agreeing to the EULA (say, because you purchased it from a 3rd-party vendor who didn't force you to agree to the EULA beforehand) then the EULA is invalid in any case because of the lack of consideration (unless, of course, the EULA gives you some other rights you didn't have before agreeing to it, or some obligations to the vendor which they didn't have beforehand) and you can still use the software even if you don't agree to the EULA -- and even if the EULA is legally binding (say because it obligates the software manufacturer to provide phone support which they wouldn't otherwise be obligated to provide), if you have the right to use the software without agreeing you can legally skip the EULA (say, by tricking the installer) and go your merry way -- but don't try to pretend you agreed to the EULA when calling for that phone support! That's the theory, anyhow. Before relying on it working that way in practice, talk to a real IP lawyer licensed in your jurisdiction, and hope you get a reeeal friendly judge. :)

Coming back to this particular case: Is sending email to everyone in your address book illegal? Probably not (though of course this may vary on your jurisdiction). Hence, is this EULA invalid due to the illegal-purpose clause? Once again, probably not.

New kind of LAN party...

To invalidate all of those pesky EULA's through points 1 and 2 (be serious and sober) get together with friends and thoroughly wasted before installing the worst offenders. If the software actually makes it onto the computer it's a nice bonus, otherwise it's the typical plus of a keg party.

Problem solved, you were boisterously drunk at the time of install.

Re:The First Worm Written By a Microsoft Lawyer...

Warning someone that you're going to do something sleezy doesn't excuse you for doing it.

It's also common knowledge that EULA's aren't read (by gurus and newbies alike). They might as well put the warning in a locked filing cabinet stored in a disused lavatory with a sign on the door that says "beware of the leopard".

AOL?

How is this any different then AOL?

Re:AOL?

I don't think it is. People need to take the time to read things before double click-installing them.

Ignorance never counted as an excuse, it shouldn't be different online.

Re:AOL?

You hit the nail on the head.

If I find one of these on our network (and I know I will, our l-users being what they are), I will have them sent to HR for fiolation of their terms of employment, namely, agreeing to violate their confidentiality clause, which states that they will not under any circumstances provide any company information to a third-party without prior approval from management.

They might even get fired for clicking on the EULA.

And that's what we really want.

Re:AOL?

How is this any different then AOL?

It's free, does what it says and it won't kill your system?

Re:AOL?

AOL isn't self-propagating. 8-)

Then why does my collection of disks keep piling up? I don't bring any more into the house, yet there are always a couple more around. The damn things are breeding, I tell ya!

Re:LOL...

Can you really count it as a virus if it preys on people's lack of regard for Internet safety precautions? :P

What, you mean like every-other-worm-out-there?

Re:LOL...

No. This one is opt-in.

Re:LOL...

Can you really count it as a virus if it preys on people's lack of regard for Internet safety precautions? :P

Almost all virii spread because of people's lack of regard for Internet safety precautions. If you have a firewall, you don't run unknown executables, and you have some decent anti-virus software, you should be safe. But many people don't follow those three simple rules, and they get infectected.

Re:LOL...

Funnily enough, I don't have any anti-virus software, and yet I've never been virused, because I follow the first two rules (and I don't run mal-ware that auto-runs everything waved in it's general direction). Also, I really hope you're talking about a hardware firewall, not snake oil [samspade.org]. Mind you, even that's not necessary. You only need a firewall if you've got open ports; if you're going for a software solution, it's nmap [insecure.org] and a clue-by-four.

Beautiful

Just beautiful. The more insane EULAs get, the more people will start taking a harder look at all of the ones they currently sign their souls over to.

This can only be good for Open Source.

Re:Beautiful

ok... I'm writing the next one of these. It has no purpose, but here's the functionallity. operates just this last one, but emails everyone in your contact list the follwoing statment, "I'm a security risk, I'm a bigger security risk then most crackers. I don't read, and /or understand EULAs that I agree to. In the EULA that I just agreed to, I accepted the fact that I'm a moron, and give full permission to everyone to abuse me." dumb asses!

Re:I disagree

No, but it doesn't require every user to read the terms. But as more take notice, more who run sites about computer games, hardware reviews/overclocking, and lots of other Internet circles, will pick up stories about things like this, raising public awareness through word of mouth, as it were. Or, perhaps, through "word of word"?

It all leads to more and more bad press, and eventually makes an impression on the legal system, as EULAs are still unproven. Imagine if someone at Microsoft slipped in an extra requirement into the next version of windows right as the CD was about to be mastered.

By agreeing to the terms of this software you are also bound to slaughter your
first born son, drain his blood, and send it to:

The Master of all Evil
c/o Bill Gates
One Microsoft Way
Redmond WA, 98052

so that the lord of the underworld may feast on your childs soul.

It would obviously be caught by someone, but how many people will not read it and click "accept" before that happens? Probably hundreds of thousands. Will that hold up in court? Unlikely. But why not... where is the line?

There is no line. It hasn't been set yet. As we are a democracy, public opinion (currently uneducated in this area) has an effect on where the line is drawn. This only helps our side, in the long war.

Re:EULAs, and karma

No! The GPL is not an EULA.

The GPL has nothing to say about how you can use the software. It places _no_ restrictions on your right to use the software or how you plan on using the software.

The GPL _does_ have something to say on how you might redistribute the software. That is it. It is a copyright notice which _grants_ you the right to redistribute after meeting a few requirements. Once again, it does not restrict what you can _do_ with the software.

Re:EULAs, and karma

The GPL is not an EULA!

The GPL does not require an end user to agree to a license before using the software. It is a copyright license. That is it. It _grants_ the abillity to copy and redistribute once certain criteria are met. The two are fundamentally different.

The EULA is a matter of contract law.

The GPL is a matter of copyright law.

Understand?

Re:what if it also installed it's source?

The GPL is *not* an EULA. EULAs take away what rights you have to use a program. The GPL adds them.

Additionally, last time I read the GPL, I don't recall it saying anything about e-mailing itself to everyone in my ~/.mailrc.

Re:what if it also installed it's source?

Ok, like I have stated in other places,

The EULA is a matter of contract law.

while ...

The GPL is a matter of copyright law

The two are fundamentally different. The EULA places _restrictions_ on what you can _do_ with the software.

The GPL _grants_ you the right to redistribute (which would normally not be there, because of copyright law) once certain criteria are met. The GPL does not impose any restrictions on what you can _do_ with the software.

In the absence of the EULA you would be allowed to do anything you saw fit with the software (short of illegal acts and within the copyright clause).

Re:what if it also installed it's source?

You are wrong. I have many friends who are lawyers or in law school, and I have had this discussion several times with some of them, though IANAL. Clearly, the GPL is a document, an agreement between the recipient and the author of a program, which grants a set of rights, provided a set of conditions are met. This is a classic contract - you are receiving something in exchange for some consideration. If you reject the terms (the consideration) than the contract is likely to be null and void (with certain exceptions - like promissory estoppel, though that is unlikely to ever occur in any GPL/Open Source or shrinkwrap software license disputes).

Of course, if the contract is null and void, you are still bound to the standard law regarding copyrighted material with respect to a GPL work. In other words, you can look at it, but you don't have any right to redistribute, modify, etc. etc. etc., all the nice rights that the GPL grants you THROUGH your acceptance of a contract, IN EXCHANGE FOR consideration. So it is clearly only possible as a result of BOTH copyright law and contract law that the GPL can exist. An EULA generally refers to a consumer good (a piece of binary software), that is also admittedly under copyright protection, and there is generally no "contract" that I think should be legally acceptable, because, as you point out, it restricts what you can do and offers you no consideration in return (though click-through licenses apparently offer you the consideration of being able to use software you already paid for - ROFL).

Summary: GPL depends on a combination of contract law and copyright law. Shrinkwrap EULAs depend on a serious misinterpretation of contract law to restrict rights that you have as a result of common law and copyright law (i.e. first sale doctrine, etc.). Clearly we can all agree that EULAs restrict freedoms, and most Free/Open Source Licenses, GPL included, grant rights you wouldn't otherwise have.

No surprise

This may be a cynical thing to say, but I think it was only a matter of time before some shady software like this was made.

I would remark "How could the makers of such a thing sleep at night?" - but I already know the answer: they sleep just fine. People like that don't believe that they're doing anything wrong.

This may be the type of thing we need

to help force the govt to evaluate the merits of EULAs. While it can be argued..."you shouldve read the license before you agreed"

I would rather say "There shouldn't exist any such licensing format. And we as the people should not allow it to ever exist."

Re:This may be the type of thing we need

Agreed, EULAs need some regulation. This is like having a clause in your apartment lease that says your landlord can break into your place once a week just to kick you in the balls.

That's rich...

The company is called permissionedmedia! Well, they did ask for permission first...

GPL

And they said the GPL was like a virus...

I think this should actually shield the virus-writer from any sort of prosecution, shouldn't it? I suppose you could do all sorts of nasty stuff and be completely protected so long as you could prove the user clicked "ok" to the license.

Maybe this will be the tool which turns the tide on the EULA.

RIP: Senator Paul Wellstone.

Good could come from this

This points out the absolute absurdity of click-through EULAs. Hopefully, a case against them could be used as a legal defense against other badly-licensed software.

Re:Good could come from this

Wait ... so you're saying that this ought to be illegal?

IMO, if you click "yes", you deserve exactly what you get.

complete control

I am workin on a EULA that gives me power of attorney over for the user.

subterfuge

for kicks, we (and by "we", I mean somebody else) need to have an EULA that contains and absurd clause (firstborn child upon installation), then try to collect. It'd be like challenging the concept of EULAs, but from the other side. Try real hard to get sued.