Common EULA framework

Discussion in 'EULAlyzer Forum' started by brian_erdelyi, Feb 14, 2006.

Thread Status:
Not open for further replies.
  1. brian_erdelyi

    brian_erdelyi Registered Member

    Feb 14, 2006
    I would appreciate any feedback on this idea. If you know of others working on something similar I would love to hear about it/them or if you could forward it along.

    This weekend I started thinking about how and define spyware and otherwise potentially unwanted technologies. Both propose when software obtains informed consent about terms of use and how it behaves that it should not be considered spyware or potentially unwanted. Software that is deceptive will still be considered spyware. I want to accept this consensus (if it changes, I'll support whatever they agree to).

    I do agree that a EULA may be the most appropriate way to inform users and obtain consent. However, I believe that EULAs are currently too complex and inconsistent for a regular consumer to understand or ultimately provide meaningful consent when they merely click through. This is the problem I plan to address.

    I want to propose the idea of a common EULA framework that would be applicable to the majority of EULAs. I'm not suggesting what clauses constitute fair, rather, I'm trying to identify common issues that a EULA could and/or should address. Third-party organizations could recommend a fair EULA following this common framework. Once a consistent and standard framework is devised for representing a EULA (or at least major components) I envision that it could facilitate the development of an XML schema to embed the EULA within the software in a system readable format similar in idea to the Platform for Privacy Preferences Project (P3P, User agents could be developed to read these EULAs, compare with a consumer’s predefined preferences (possibly even loaded from templates from other organisations) and take specified actions based on the results (advise/warn, prompt, accept, halt). These policies could be read on-demand (including initiating a scan to detect EULAs), during installation or when launching software for use.

    Based on reviewing other EULAs, I believe that statements (terms and clauses) that impact the user most fall into the following groups (I haven't formally defined the purpose or objective of each section yet). I’ve provided a few statements in each section that could help illustrate the idea a bit while I decide if it’s worth pursuing and formally documenting (likewise, the statements may appear cryptic and I do intend on formally defining each and acceptable values/attributes for each).

    Grant of License
    License.Volume=(0...N | UNLIMITED)
    License.Hosted=(YES | NO)
    License Restrictions
    Restrictions.Resale=(YES | NO)
    Restrictions.Rental=(YES | NO)
    Restrictions.Hosting=(YES | NO)
    Information Disclosure
    Restrictions.BenchmarkTesting=(YES | NO)
    Restrictions.Vulnerabilities=(YES | NO)
    Restrictions.Downgrades=(YES | NO)
    Restrictions.ReverseEngineering=(YES | NO)
    Restrictions.OtherSoftware=(PACKET SNIFFER)
    Consent to Use of Data
    [etc, following P3P data definitions]
    Product Features
    Governing Law and Dispute Resolution
    Termination and Expiration
    Third-Party Acknowledgements
    Disclaimer of Warranties
    Limitation of Liability
    Misc.ChangeTerms=(YES | NO)

    Some EULAs may include more sections, but for now I'll start with this and keep it flexible by allowing a traditional EULA to be referenced for more detail since it cannot be completely defined following the common framework. I want a framework that would allow me to focus/prioritize on statements that have greater impact and potential harm to consumers.

    Any thoughts about the idea and outline of the framework to adequately cover important areas of a EULA? Any terms or clauses you'd like to suggest be included (if possible, give some sample attributes for the clause).
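As an added illustration of the user-agent idea in the post above (this is example code written for this page, not Brian's project or anything from EULAlyzer), the block below parses a constructed declaration written in the post's `Section` / `Key=VALUE` notation, validates each value against the allowed-value domains the post lists, and then compares the declared statements against a constructed consumer preference template to pick one of the post's four outcomes (accept, advise, prompt, halt). The schema, the sample declaration, the preference rules and the "required statement" set are all assumptions made for the example; statements the vendor leaves out are treated as "consult the referenced traditional EULA", which the post says the framework should allow.

```python
import re
from enum import IntEnum

# Allowed-value domains for the statements listed in the post (a constructed
# subset; the post writes these as Key=(A | B)).  "INT" stands for 0...N.
SCHEMA = {
    "License.Volume": ("INT", "UNLIMITED"),
    "License.Hosted": ("YES", "NO"),
    "Restrictions.Resale": ("YES", "NO"),
    "Restrictions.Rental": ("YES", "NO"),
    "Restrictions.Hosting": ("YES", "NO"),
    "Restrictions.BenchmarkTesting": ("YES", "NO"),
    "Restrictions.Vulnerabilities": ("YES", "NO"),
    "Restrictions.Downgrades": ("YES", "NO"),
    "Restrictions.ReverseEngineering": ("YES", "NO"),
    "Restrictions.OtherSoftware": ("TEXT",),
    "Misc.ChangeTerms": ("YES", "NO"),
}

class Action(IntEnum):
    """The post's four user-agent outcomes, ordered by severity."""
    ACCEPT = 0
    ADVISE = 1
    PROMPT = 2
    HALT = 3

# Key=VALUE or Key=(VALUE); lines without '=' are section headings.
STATEMENT_RE = re.compile(r"^\s*([A-Za-z]+\.[A-Za-z]+)\s*=\s*\(?\s*([^()]*?)\s*\)?\s*$")

# Constructed vendor declaration in the post's notation (not a real EULA).
SAMPLE_EULA = """\
Grant of License
License.Volume=1
License.Hosted=NO
License Restrictions
Restrictions.Resale=YES
Restrictions.ReverseEngineering=YES
Information Disclosure
Restrictions.Vulnerabilities=NO
Restrictions.OtherSoftware=PACKET SNIFFER
Limitation of Liability
Misc.ChangeTerms=YES
"""

def parse_eula(text):
    """Return (statements, errors); only schema-valid statements are kept."""
    statements, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or "=" not in line:
            continue  # blank line or section heading
        m = STATEMENT_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: unparseable statement {line!r}")
            continue
        key, value = m.group(1), m.group(2).upper()
        domain = SCHEMA.get(key)
        if domain is None:
            errors.append(f"line {lineno}: unknown statement {key}")
        elif "|" in value:
            errors.append(f"line {lineno}: {key} gives a domain, not a value")
        elif "INT" in domain and value.isdigit():
            statements[key] = int(value)
        elif "TEXT" in domain or value in domain:
            statements[key] = value
        else:
            errors.append(f"line {lineno}: {key}={value} not in {domain}")
    return statements, errors

# Constructed consumer preference template: (statement, acceptable?, action on conflict).
def default_preferences():
    return [
        ("Restrictions.Vulnerabilities", lambda v: v == "NO", Action.HALT),
        ("Misc.ChangeTerms", lambda v: v == "NO", Action.PROMPT),
        ("Restrictions.OtherSoftware", lambda v: v == "", Action.ADVISE),
        ("License.Volume", lambda v: v == "UNLIMITED" or v >= 1, Action.ADVISE),
    ]

# Statements the consumer wants declared; absence means the user agent cannot
# decide on its own and must point the user at the referenced full EULA.
REQUIRED = ("License.Volume", "Restrictions.Vulnerabilities", "Misc.ChangeTerms")

def evaluate(statements, preferences, required=()):
    """Apply the preference rules; return (overall Action, list of findings)."""
    findings = []
    for key in required:
        if key not in statements:
            findings.append((Action.PROMPT, f"{key} not declared; consult the full EULA"))
    for key, acceptable, action in preferences:
        if key in statements and not acceptable(statements[key]):
            findings.append((action, f"{key}={statements[key]} conflicts with preferences"))
    overall = max((a for a, _ in findings), default=Action.ACCEPT)
    return overall, findings

if __name__ == "__main__":
    stmts, errs = parse_eula(SAMPLE_EULA)
    result, notes = evaluate(stmts, default_preferences(), REQUIRED)
    print("parse errors:", errs)
    for action, note in notes:
        print(f"{action.name:6} {note}")
    print("overall:", result.name)
```

For the sample declaration the agent reports ADVISE for the `PACKET SNIFFER` restriction and PROMPT for `Misc.ChangeTerms=YES`, so the overall outcome is PROMPT; a declaration that omits one of the required statements also ends at PROMPT, and a declaration of `Restrictions.Vulnerabilities=YES` would HALT. Domain declarations such as `Restrictions.Rental=(YES | NO)` are rejected as values, which keeps the schema and a vendor's instance of it apart.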
  2. MikeNash

    MikeNash Security Expert

    Jun 9, 2005
    Sydney, Australia
    Apologies to Javacool for popping into his forum, but I just have to say that I think your idea definitely has a lot of merit.

    I'm not sure whether or not software vendors would use it - but if they did, it would be an excellent win for consumers.

  3. brian_erdelyi

    brian_erdelyi Registered Member

    Feb 14, 2006
    Thank you for the support.

    I think it's win-win. I sincerely believe that vendors do not want to be deceptive. Ultimately, a vendor wants a consumer to be informed of the EULA (otherwise, how can a consumer consent to and follow terms they don't understand or know about). Until some guidelines exist about what they should or could disclose they may not.

    The vendor has a responsibility to inform and the consumer has a responsibility to accept (or not accept) a license agreement.

    I believe a vendor can promote their adherence to a voluntary guideline to gain consumer trust. I am reviewing many EULAs in the wild and will determine a way to represent common terms. I will leave it up to another group to recommend what terms are fair or not fair. I'm trying to be unbiased and agnostic about specific practices.
  4. brian_erdelyi

    brian_erdelyi Registered Member

    Feb 14, 2006
    EULAlyzer Suggestions

    I've been working on a project to help make sense of EULAs at

    I'd appreciate your thoughts on the idea and would also like to offer my symbols for various characteristics to be used by EULAlyzer.

    Brian Erdelyi
  5. Bubba

    Bubba Updates Team

    Apr 15, 2002
    Hello Brian,

    Since it appears your latest thread made today is an extension of the thread you started in Feb.... I have taken the liberty to merge the 2 threads.

  6. brian_erdelyi

    brian_erdelyi Registered Member

    Feb 14, 2006

    The idea has evolved significantly since then... they aren't really the same thing any more.

    I'd prefer a separate thread.