brian_erdelyi
February 14th, 2006, 06:43 PM
I would appreciate any feedback on this idea. If you know of others working on something similar I would love to hear about it/them or if you could forward it along.
This weekend I started thinking about how www.stopbadware.org and www.antipywarecoalition.org define spyware and otherwise potentially unwanted technologies. Both propose when software obtains informed consent about terms of use and how it behaves that it should not be considered spyware or potentially unwanted. Software that is deceptive will still be considered spyware. I want to accept this consensus (if it changes, I'll support whatever they agree to).
I do agree that a EULA may be the most appropriate way to inform users and obtain consent. However, I believe that EULAs are currently too complex and inconsistent for a regular consumer to understand or ultimately provide meaningful consent when they merely click through. This is the problem I plan to address.
I want to propose the idea of a common EULA framework that would be applicable to the majority of EULAs. I'm not suggesting what clauses constitute fair, rather, I'm trying to identify common issues that a EULA could and/or should address. Third-party organizations could recommend a fair EULA following this common framework. Once a consistent and standard framework is devised for representing a EULA (or at least major components) I envision that it could facilitate the development of an XML schema to embed the EULA within the software in a system readable format similar in idea to the Platform for Privacy Preferences Project (P3P, www.w3.org/p3p). User agents could be developed to read these EULAs, compare with a consumer’s predefined preferences (possibly even loaded from templates from other organisations) and take specified actions based on the results (advise/warn, prompt, accept, halt). These policies could be read on-demand (including initiating a scan to detect EULAs), during installation or when launching software for use.
Based on reviewing other EULAs, I believe that statements (terms and clauses) that impact the user most fall into the following groups (I haven't formally defined the purpose or objective of each section yet). I’ve provided a few statements in each section that could help illustrate the idea a bit while I decide if it’s worth pursuing and formally documenting (likewise, the statements may appear cryptic and I do intend on formally defining each and acceptable values/attributes for each).
Grant of License
License.Type=(CPU | NAMED USER | FLOATING USER | DEVICE)
License.Volume=(0...N | UNLIMITED)
License.Hosted=(YES | NO)
Copyright
License Restrictions
Restrictions.Resale=(YES | NO)
Restrictions.Rental=(YES | NO)
Restrictions.Hosting=(YES | NO)
Restrictions.ReservationOfRights
Information Disclosure
Restrictions.BenchmarkTesting=(YES | NO)
Restrictions.Vulnerabilities=(YES | NO)
Restrictions.Downgrades=(YES | NO)
Restrictions.ReverseEngineering=(YES | NO)
Restrictions.Removal=(?)
Restrictions.OtherSoftware=(PACKET SNIFFER)
Transferability
Consent to Use of Data
Data.Financial
Data.Health
Data.Demographic
Data.PhysicalContact
Data.OnlineContact
Data.UniqueIdentifiers
Data.ComputerInfo
Data.Preferences
[etc, following P3P data definitions]
Product Features
Governing Law and Dispute Resolution
Termination and Expiration
Third-Party Acknowledgements
Disclaimer of Warranties
Limitation of Liability
Miscellaneous
Misc.ChangeTerms=(YES | NO)
Some EULAs may include more sections, but for now I'll start with this and keep it flexible by allowing a traditional EULA to be referenced for more detail since it cannot be completely defined following the common framework. I want a framework that would allow me to focus/prioritize on statements that have greater impact and potential harm to consumers.
Any thoughts about the idea and outline of the framework to adequately cover important areas of a EULA? Any terms or clauses you'd like to suggest be included (if possible, give some sample attributes for the clause).
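As an added illustration of the user-agent idea in the post above (not the poster's code, and the XML layout, the preference template and the sample EULA are all constructed assumptions, since no schema has been defined), this script flattens an embedded EULA into the proposed Section.Attribute keys, compares it with a consumer's preferences and picks the most severe of the post's actions (accept, advise, prompt, halt); an undeclared statement is treated as needing a prompt rather than as consent.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an embedded machine-readable EULA using the key names
# proposed in the post (hypothetical layout, not a published schema).
# Data.Health is deliberately left undeclared to exercise that path.
SAMPLE_EULA = """<eula ref="http://example.invalid/full-eula.html">
  <License Type="NAMED USER" Volume="1" Hosted="NO"/>
  <Restrictions Resale="NO" Rental="NO" BenchmarkTesting="YES"
                Vulnerabilities="YES" ReverseEngineering="NO"/>
  <Data Financial="NO" Demographic="YES" UniqueIdentifiers="YES" ComputerInfo="YES"/>
  <Misc ChangeTerms="YES"/>
</eula>"""

# Actions from the post, in increasing severity.
SEVERITY = {"accept": 0, "advise": 1, "prompt": 2, "halt": 3}

# Hypothetical consumer preference template: key -> (unwanted value, action to take).
USER_PREFS = {
    "Data.Financial": ("YES", "halt"),
    "Data.Health": ("YES", "halt"),
    "Data.UniqueIdentifiers": ("YES", "prompt"),
    "Restrictions.Vulnerabilities": ("YES", "advise"),
    "Misc.ChangeTerms": ("YES", "advise"),
}

def parse_eula(xml_text):
    """Flatten <Section attr="value"/> elements into 'Section.attr' -> value."""
    root = ET.fromstring(xml_text)
    statements = {}
    for section in root:
        for attr, value in section.attrib.items():
            statements[f"{section.tag}.{attr}"] = value
    return statements

def evaluate(statements, prefs):
    """Return (overall action, findings); findings are (key, value, action)."""
    findings = []
    for key, (bad_value, action) in prefs.items():
        value = statements.get(key)
        if value is None:
            findings.append((key, "undeclared", "prompt"))  # silence is not consent
        elif value == bad_value:
            findings.append((key, value, action))
    overall = max((f[2] for f in findings), key=SEVERITY.get, default="accept")
    return overall, findings

if __name__ == "__main__":
    action, found = evaluate(parse_eula(SAMPLE_EULA), USER_PREFS)
    print(action)
    for key, value, act in found:
        print(f"  {key}={value} -> {act}")
```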