[Infowarrior] - Vista's EULA Product Activation Worries

Richard Forno rforno at infowarrior.org
Mon Nov 20 19:46:31 EST 2006


 Vista's EULA Product Activation Worries
Mark Rasch
 http://www.securityfocus.com/print/columnists/423,

Mark Rasch looks at the license agreement for Windows Vista and how its
product activation component, which can disable operation of the computer,
may be like walking on thin ice.

The terms of Microsoft's End User License Agreement (EULA) for its upcoming
Vista operating system raise the conflict between two fundamental
principles of contract law. The first, and more familiar, is that parties to
a contract can generally agree to just about anything, as long as what they
agree to doesn't violate the law and isn't "unconscionable." The second
principle is that the law generally disfavors the remedy of "self-help."
That is to say that, if there is a violation of the terms of a contract, you
usually have to go to court, prove the violation, and then you are entitled
to damages or other relief.

The terms of the Vista EULA, like the current EULA related to the "Windows
Genuine Advantage," allow Microsoft to unilaterally decide that you have
breached the terms of the agreement, and they can essentially disable the
software, and possibly deny you access to critical files on your computer
without benefit of proof, hearing, testimony or judicial intervention. In
fact, if Microsoft is wrong, and your software is, in fact, properly
licensed, you probably will be forced to buy a license to another copy of
the operating system from Microsoft just to be able to get access to your
files, and then you can sue Microsoft for the original license fee. Even
then, you won't be able to get any damages from Microsoft, and may not even
be able to get the cost of the first license back.

Product activation in the Vista license

Suppose you buy a new computer after January 2007, or purchase an early
upgrade for one of the various flavors of Vista. The first problem is, you
may think you bought a copy of the operating system. Actually, the OS is
still owned by Microsoft. You may own a physical DVD, but what you have
"bought" is the right to use the software subject to any of the terms and
conditions of the End User License Agreement (EULA), which you may or may
not have access to at the time you buy the computer or disk. Typically, the
EULA will be contained in micro-print on the outside of a DVD, or may be on
a splash screen that prompts you to unequivocally declare, "I agree.." as a
condition precedent to installing or booting the software. Courts have
pretty much established that this manner of acquiescence is okay, provided
that there is some way for you to get your money back if you don't agree to
the EULA.

The Vista EULA informs the licensee that Vista will automatically send
information about the version, language and product key of the software, the
user's Internet protocol address of the device, and information derived from
the hardware configuration of the device.


The EULA ominously warns that "Before you activate, you have the right to
use the version of the software installed during the installation process.
Your right to use the software after the time specified in the installation
process is limited unless it is activated. This is to prevent its unlicensed
use. You will not be able to continue using the software after that time if
you do not activate it." What does this mean? Essentially, if you buy a
license to the software from a reputable dealer, but choose not to transmit
information to Microsoft, you forfeit your ability to use the licensed
software.

What is interesting is not whether you have the right to use
unactivated-but-properly-purchased software, but how Microsoft enforces its
right. What Microsoft says is that the software will simply stop working.
So, where is the proof that the software is not activated? Who has the
burden of proof? What if you assert that you did activate the product, but
Microsoft claims you did not? What if you attempt to activate the product,
but Microsoft's servers are down, or they provide improper information, or
their servers are hacked and give you bad activation information? What the
contract states is that unless you can activate the product (irrespective of
whose fault it is that you cannot activate), you forfeit your right to use
the product, and therefore access to any of the information on any computers
using the product.

The license is also silent on what happens after you fail to activate the
product. Is there a mechanism for you to at least open the product to allow
you to activate it, or do you get a Blue Screen of Death? Since their
objective is to ensure that the product is activated, presumably they will
allow you to at least get an Internet connection and take you to an
activation screen.

Once you activate the product, then you would assume that you are golden to
go ahead and use the product, right? Wrong.

You see, even after you activate the software it will, according to the
EULA, "from time to time validate the software, update or require download
of the validation feature of the software." It will once again "send
information about the . . . version and product key of the software, and the
Internet protocol address of the device."

Here's where it gets hairy again. If for some reason the software "phones
home" back to Redmond, Washington, and gets or gives the wrong answer -
irrespective of the reason - it will automatically disable itself. That's
like saying definitively, "I'm sorry Dave, I'm afraid I can't do that..."
Unless you can prove to the satisfaction of some automaton that the software
is "Genuine," or more accurately, that you have satisfied the requirements
of the relevant copyright laws and all of the terms of the End User License
Agreement, the software will, on its own, go into a "protect Microsoft"
mode. Besides placing an annoying "Get Genuine" banner on the screen, and
limiting your ability to get upgrades, the EULA warns that "you may not be
able to use or continue to use some of the features of the software." The
EULA itself does not state which features these are, but the website advises
that, unless you can show that you are genuine, you won't be able to use
Windows ReadyBoost(tm), which lets users use a removable flash memory
device; the Windows Aero(tm) 3D visual experience; or the Windows Defender
anti-spyware program.

But the contract doesn't limit Microsoft to these disabling attributes. It
just says that they have the right to limit your ability to use features -
pretty much any features they decide to at any date. And guess what. You
agreed to it.


EULAs and the legal term "self help"

Now let's face it: lots of software products contain features that disable
themselves upon some condition. For example, trial software will work for a
period of time - say 30 days, and then stop. And you agree to that when you
download and/or install it. It says so right in the EULA. Spyware contains
EULAs where you agree not to disable or delete it. Are you bound by that
contract as well? As discussed previously, the answer is not so clear. Sony
got into trouble by putting very restrictive EULA terms on its music/data
CDs, which gave it a bunch of rights just cause you decided to listen to
music - including your agreeing never to listen to the music overseas. As I
noted earlier, the terms of an EULA are generally considered to be
enforceable even if you didn't read it, understand it, or have any ability
to negotiate it.

However, there is another principle in the law. If a contract (for example,
an EULA) is breached, then you have the right to sue and to collect damages.
Generally, you would have the burden of proving a breach of the contract,
and prove the existence of some damages, and then possibly the right to
obtain other kinds of relief - like an injunction or other court order. In
addition, other statutes, like the U.S. or international copyright laws may
give companies like Microsoft other rights and remedies, including access to
federal court and statutory damages, and even possible criminal enforcement
by the FBI.

Now if Microsoft breaches the contract it wrote, the Vista EULA, what are
your rights? Well, according to the terms of the agreement you agreed to,
"you can recover from Microsoft and its suppliers only direct damages up to
the amount you paid for the software. You cannot recover any other damages,
including consequential, lost profits, special, indirect or incidental
damages." So if your entire network is shut down, and access to all your
files permanently wiped out, you get your couple of hundred bucks back - at
most. And, as far as I can tell, there are no warranties on the license, no
assurance (like the kind you would get on a toaster oven or a lamp) that the
thing actually works or does any of the things advertised. What is worse, if
you just want to get your money back (assuming Microsoft doesn't want to
give it to you) then you have to file a lawsuit (probably in Redmond,
Washington) under the laws of Washington State, and if (and only if) you can
prove your case, and your damages, can you get your money back. You aren't
entitled to, upon your belief that there was a breach of contract, simply
walk up to the cash register at your local Fry's or Best Buy and take a
couple of hundred bucks from the till. This is called "self help" (or theft)
and is not generally allowed as a contract remedy.

But the Microsoft Vista EULA, like many other software license agreements,
gives the owner of the software (remember that's Microsoft because you
didn't buy it, you just licensed it) the right of self-help. They have the
right to unilaterally decide that you didn't keep up your end of the
contract, for example you didn't properly register the product, you weren't
able to demonstrate that it was genuine, and so on, and therefore they have
the right to shut you off or shut you down. So, what gives them the right?
Apparently, the very contract that they now claim you violated.

Case law examples of software being disabled after a dispute

In the early days of computers, there were several cases where software
developers determined that licensees didn't make appropriate payments and
therefore shut down the computer programs.

In 1988 in Franks & Sons, Inc. v. Information Solutions, Inc. the software
developer installed a "drop-dead" code in the program. When the customer
failed to pay as promised, the developer activated (or allowed to be
activated) the drop-dead code, which kept the customer from accessing the
software as well as any stored information. The problem was that the
customer didn't know about the drop dead code. Under those circumstances,
the court found that it would be "unconscionable" to allow the software
developer to hold the licensee ransom, essentially using self-help to shut
down the business until he was paid. The court noted:

    Public policy favors the non-enforcement of abhorrent contracts. Here,
    without the knowledge of Plaintiff, Defendants have included a surprise in
    their product which chills the functioning of any business whose operation
    is a slave to the computer. If the Plaintiff had known about this device at
    the time it entered into the contract with the Defendant then the result
    would be different. Here it would be unconscionable for the Court to give
    credence to this economic duress.

However, it wasn't clear whether the sole problem in that case was the fact
that the "drop-dead" software was not disclosed, or that the developer, by
using the undisclosed code, was holding the licensee hostage.

In 1991, in American Computer Trust Leasing v. Jack Farrell Implement Co.,
763 F. Supp. 1473 (D. Minn. 1991) the software developer, in a dispute over
payment for the software, remotely deactivated the software. The contract
provided that the developer, who owned the software, could remotely access
the licensee's computer in order to service the software and that if the
licensee defaulted, the agreement was cancelled. When the licensee didn't
pay, the developer told them that they were going to deactivate the program
- which they promptly did. The licensee's lawsuit for damages failed
because, the court noted, the deactivation was "merely an exercise of [the
developer's] rights under the software license agreement . . . ." This was
true even though the agreement did not specifically state that self-help was
a proposed remedy.


There were many other cases in the late 80's and early 90's involving
software developers either putting drop-dead code in their products or
remotely disabling code when they thought the other party was in breach.
Thus, a Dallas medical device software developer was sued in 1989 (the case
was settled) for using a phone line to deactivate software that compiled
patients' lab results. In 1990, during a dispute about the performance of a
piece of code, the developer simply logged in and removed the code, until
the licensee released the developer from any liability. The licensee claimed
that the general release was signed under duress, since he was being held
economic hostage. This was Art Stone Theatrical Corp. v. Technical
Programming & Support Systems, Inc. 549 N.Y.S.2d 789 (App. Div. 1990).

In another case widely reported, a small software developer, Logisticon,
Inc., installed malware within software delivered to cosmetic company
Revlon, which paralyzed Revlon's shipping operations for three days (losses
were about $20 million U.S.) when the developer claimed that Revlon
breached the contract. Logisticon simply claimed that this was an
"electronic repossession." The case was settled out of court.

In 1991, in the case of Clayton X-Ray Co. v. Professional Systems Corp.,
812 S.W.2d 565 (Mo. Ct. App. 1991), a company likewise involved in a payment
dispute logged into the licensee's computer and disabled the software which
they owned. When the licensee tried to log on to see their files, all they
saw was a copy of the unpaid bill. A jury awarded the licensee damages,
partly because the existence of the logic bomb was not disclosed.

Finally, in Werner, Zaroff, Slotnick, Stern & Askenazy v. Lewis 588 N.Y.S.2d
960 (Civ. Ct. 1992), a law firm contracted with a company to develop billing
and insurance software. When the software reached a certain number of bills
(and when the developer decided it had not been paid) it shut down,
disabling access to the law firm's files. The law firm successfully sued,
and got punitive damages.

So what is the lesson from all of these cases? First, if you exercise "self
help" without telling the purchaser, you may open yourself up to damages.
Does the Microsoft EULA adequately tell you what will happen if you don't
activate the product or if you can't establish that it is genuine? Well, not
exactly. It does tell you that some parts of the product won't work - but it
also ambiguously says that the product itself won't work. Moreover, it
allows Microsoft, through fine print in a generally unread and
non-negotiable agreement, to create an opportunity for economic extortion.
Remember, all the cases from the 80's and 90's involved sophisticated
parties (on both sides) who negotiated individual license agreements - not
mass market software.

Balancing the rights of all parties

After this series of cases, many states considered reforming the Uniform
Commercial Code to specifically cover those situations when a software
developer can resort to self-help. As a result of these efforts, two states,
Maryland and Virginia enacted versions of the Uniform Computer Information
Transactions Act (UCITA).

The Maryland version of the statute allows the software vendor to obtain a
court order that allows it to disable the software, or "[o]n material breach
of an access contract or if the agreement so provides, [to] discontinue all
contractual rights of access of the party in breach. . . " In other words,
the software vendor can only terminate access to the software if there has
been a material breach, if doing so does not result in a breach of the
peace, if there is no foreseeable risk of personal injury or significant
physical damage to information or property.

The UCITA also provides a procedure for "electronic self-help" - that is,
the termination of access or use of the software without a court order. The
first thing to note is that, in Maryland at least, the law expressly notes
that, "electronic self-help is prohibited in mass-market transactions."
Microsoft's EULA is undoubtedly a mass-market transaction, and therefore
Microsoft may be prohibited from exercising self-help in Maryland. Moreover,
even in non mass-market transactions, before you can resort to self-help,
the contract must provide notice that self help will be used, who will be
told about the exercise of self help, and provide other notice. The Maryland
law also provides that "electronic self-help may not be used if the licensor
has reason to know that its use will result in substantial injury or harm to
the public health or safety or grave harm to the public interest
substantially affecting third persons not involved in the dispute."

Thus, the harm to Microsoft (not getting a license fee) may be
disproportionate to the harm to the licensee in having their systems
completely shut down. This is particularly true if Vista is being used for a
system providing medical treatment, controlling a power plant, or other such
critical infrastructure. The Maryland law expressly provides that the
"rights or obligations under this section may not be waived or varied by an
agreement. . ."

Microsoft may have some trouble if it tries to enforce its EULA terms in a
court in Washington State - especially if that court is running a computer
using Vista. You see, all software license agreements with the courts in
Washington State contain a "no self-help code" warranty where the vendor
warrants that there is no "back door, time bomb, drop dead device, or other
software routine designed to disable a computer program automatically with
the passage of time or under the positive control of a person other than a
licensee of the Software." Thus, the Vista EULA terms would not apply to the
Washington State courts!

Now Microsoft will invariably deny that what they are doing is "self-help."
More likely, they will claim that the disabling provisions of the software
are mere "features" of the software. They will also argue that the licensee
controls whether or not the code disables by either registering, or "getting
Genuine." But what the boys in Redmond are really doing is deciding that you
have not followed the terms of a contract (the EULA) and punishing you
unless and until you can prove that you have complied.

And what if Microsoft is wrong, and they disable your software erroneously?
Well, you can keep buying and activating their software until you are
successful. And that means more fees to Redmond. Or, following the movie
"Happy Feet," you can decide to find software with a little penguin on it.



