At the heart of the spyware problem lies the question of what constitutes proper notice and consent. As we all know, spyware purveyors claim the right to do anything as long as they give "notice" of what their software actually does somewhere in a long EULA, and their victim gives "consent" by clicking OK without reading it. So it seems a little strange to me that the Anti-Spyware Coalition would ignore this issue in its initial draft of spyware definitions.
Yesterday the Anti-Spyware Coalition -- a rather imposing collection of software companies and public interest groups -- released the first draft of its Spyware Definitions consensus document designed to give anti-spyware vendors standard categorizations of unwanted software. While a noble effort, I was somewhat disappointed that the document didn't at least take a stab at defining what proper notice and consent of spyware ought to be. After all, it's the lack of a consensus on that issue that has stymied legislative attempts to come up with an effective anti-spyware law, so it would seem like one of the first issues the coalition would need to deal with.
It's not that the document ignores the problem of spyware EULAs altogether. In fact, one of the defined terms is EULA:
"End User License Agreement (EULA): An agreement between a producer and a user of computer software that specifies the parameters of use granted to the user. The software producer specifies these parameters and limitations on use, which can become part of a legally binding contract. Some companies use the EULA as the sole means of disclosure of a program's behaviors or bundling."
In a similar vein, the document's "Anti-Spyware Safety Tips" section for consumers includes a warning to read all the fine print:
"Whenever you install something on your computer, make sure you carefully read all disclosures, including the license agreement and privacy statement. Sometimes important information such as aggressive installs or the inclusion of unwanted software in a given software installation is documented, but it may be found only in the EULA. The fine print may be the only place consumers can find notice of potentially unwanted technologies. Unfortunately, careful consumers must read all the fine print."
Well, that's true enough, of course, but it's also completely useless advice from the point of view of dealing with spyware. If everyone would read and understand every 10,000-word spyware EULA and privacy policy, there wouldn't be a spyware problem. There wouldn't be much of anything, because we'd all be too busy reading all the EULAs and all the privacy policies that we're confronted with every day. After all, you don't know it's a spyware EULA until you've read it.
Since Microsoft, Symantec, and some other big supporters of the sanctity of the EULA are members of the coalition, I suppose it's not really surprising that the definitions leave the impression that spyware EULAs are perfectly valid. As I've pointed out before, the software industry is conflicted over spyware EULAs because spyware companies aren't the only ones who like to hide the real nature of the deal deep in the fine print. If spyware vendors are required to give real notice and get real consent, so might others in the technology business.
The simple fact is that the sanctity of the EULA is going to have to take a hit if the spyware plague is ever to be brought under control. Consumers can't and won't read all the fine print -- they need real notice of what they're dealing with so they can give true consent. And if the Anti-Spyware Coalition is to be any more effective than previous industry-led attempts to curb the spyware menace, it's going to have to start by defining what that really means.
9:56:05 PM