=Paper= {{Paper |id=Vol-1856/p11 |storemode=property |title=End-user license agreement - threat to information security: a real life experiment |pdfUrl=https://ceur-ws.org/Vol-1856/p11.pdf |volume=Vol-1856 |authors=Žygimantas Kaupas,Jonas Čeponis }} ==End-user license agreement - threat to information security: a real life experiment== https://ceur-ws.org/Vol-1856/p11.pdf
End-user license agreement - threat to information security: a real life experiment

Žygimantas Kaupas, Faculty of Informatics, Kaunas University of Technology, Kaunas, Lithuania, e-mail: zygimantas.kaupas@ktu.edu
Jonas Čeponis, Faculty of Informatics, Kaunas University of Technology, Kaunas, Lithuania, e-mail: jonas.ceponis@ktu.lt

Abstract—This paper analyses the end-user license agreement (EULA) and its impact on the security of information and information technologies. Popular opinion suggests that people tend to accept EULA legal statements without a good understanding of the potential impact on their confidential data. To get a clear picture of the current situation, a real-life experiment with a specifically created license text was conducted. The results reveal serious information security flaws.

Keywords—end-user license agreement; EULA; acceptance without reading

I. INTRODUCTION

As more and more data is stored online and the number of internet users is constantly increasing, creators of malicious software are persistently looking for innovative ways to acquire valuable confidential information.

When recent malware, spyware, ransomware and other digital attacks were disclosed publicly and attracted a lot of attention [1], common trust in online information decreased notably. It is commendable general practice to use an antivirus solution, not to open suspicious links and not to give your confidential data to an untrusted source. However, one attack vector is often forgotten.

The digital world is no longer imaginable without countless pieces of software. Almost all of it asks the user to accept the end-user license agreement (EULA) before the installation process starts. This step is frequently overlooked by most users, even though real security threats might be hidden there.

This work analyses the concept of the EULA and its drawbacks. Users' trust in information found online is tested with software made for this experiment, which has a specifically designed EULA text. The obtained results enable identification of the problem's scope and suggest actions which could help in closing this security gap.

II. END-USER LICENSE AGREEMENT ANALYSIS

An end-user license agreement is a legal contract between a software application author or publisher and the user of that application [2]. This document should be used for protecting software creators from copyright infringements and from liabilities when something goes wrong because of mistakes in their products. However, it can become a tool against the end user too [3].

Multiple parameters have to be defined in order to evaluate whether the user understood the license agreement before consenting to it. The most important objective variable, R, indicates the total number of document readings. An additional subjective variable, understanding (U), can be applied; however, it is too ambiguous to use without extensive questionnaires after the experiment. It is expected that for this EULA research the ratio between R and D (the total number of program downloads) will be at least 1/2. This would indicate that more than half of the participants read the license agreement text.

A. Ways of accepting the EULA and its drawbacks

There are a number of methods by which a user might accept the EULA (sometimes even without knowing that they are doing so) [2]:
- by clicking the "I agree" button during the software installation;
- by opening the shrink wrap on the package;
- by breaking the seal on the case;
- by sending a special card back to the software publisher;
- by executing a downloaded file (applicable more to UNIX systems);
- by using the software.

Users' trust in information found online will be tested with the first of the above-mentioned methods, since it is the most common one used in practice nowadays.

From the list of acceptance methods it is already obvious that notifying the user about the EULA terms is the least important objective for software developers. Moreover, this drawback is only the first of many criticisms related to this document.

One of the most criticized aspects of the EULA is its length [4]. On average it reaches 3000 words (11 pages with double spacing), but in some cases this number is more than 10 times bigger (in 2012 the PayPal EULA contained 36 275 words [5]).

Copyright © 2017 held by the authors
Unfortunately, there is no data available on how many (if any) users read these documents at all.

In addition, difficult legal terminology is always used in EULA language. This significantly decreases the document's readability and contradicts the main idea, that all people should be able to read and understand it. Also, terms that may be harmful to the user's system or to information confidentiality can be well hidden among those legal phrases.

B. Common Harmful EULA Terms

Even well-known companies use the EULA for specific purposes. User monitoring is very often mentioned in this document. For example, in order to have a fully functional user assistant Cortana in the Microsoft Windows 10 operating system, agreement to the collection of user data (installed programs, browsing history, etc.) is included into the EULA by default. These settings can be disabled later, but that would cost the end user some time, knowledge and effort [6].

Facebook, on the other hand, claims that it can use any digital content posted by its users for any of the company's objectives as long as this media is not deleted from the website. Users' photos or videos could be included in advertising material without any official notification [7].

A restriction on criticizing the software or comparing it with similar products can also be found in EULA text. Even though in 2003 the global computer security company McAfee was penalized for forbidding benchmark publications in such a way, today well-known software products like Microsoft SQL Server or VMware Workstation still use similar restrictions in their EULA [8]. It is obvious that some terms are so desirable that even financial punishment does not frighten software creators.

Finally, some IT giants like Microsoft or Google have granted themselves the right to change the user's operating system state (uninstall programs, change settings, etc.) based on the EULA. Officially this could be easily explained as basic user protection; however, it does not exclude the possibility of deleting some unwanted software or changing required settings without any warning or justifying cause. Furthermore, Google allows itself to change the EULA without warning at any time. The underlying presumption is that the user will check the latest version of this document from time to time [9]. The authors do not think that these well-known companies would risk their good name to exploit the terms mentioned above, but there are a number of others who certainly would.

C. Legal EULA Analysis

There are many discussions online where the EULA's legal obligations are debated. Usually people tend to think that this document is like an informational message or a standard instruction, despite its usual start with the words "important legal agreement". The situation is even more complicated in Lithuania, since there is no judicial practice related to this question and even the EULA document itself is, most of the time, written in English.

The Republic of Lithuania Law on Electronic Communications states that it is forbidden to gather any digital confidential information except when the user is informed and has given his agreement [10]. Similar principles are echoed in other legal documents about access to personal data. The EULA perfectly fits the aforementioned principle: inform and receive consent.

The situation in the European Union is very similar to Lithuania's: there is still a shortage of court decisions related to the discussed document. According to the E-commerce directive [11], each member state could exclude electronic agreements from the list of binding documents. However, as of 2011, none had selected this option, and there is no information that it has been chosen by anyone today [12].

Finally, even the birthplace of the EULA, the USA, has no common verdict regarding the legal obligations of this document. Related judgements are always made ad hoc. However, statistics are in favor of the EULA, and some widely publicized trials ended in support of this document and thus strengthened its legal power even more [13].

D. EULA research and known solutions

There is not a lot of academic attention to this document, neither in Lithuania nor in the world. No published research could be found in the Lithuanian language where the EULA is the main object of analysis. This document is mentioned only seldom, in the context of intellectual property protection, but nowhere is the potential threat of the software license agreement to confidential information or IT infrastructure discussed.

Somewhat more research has been done worldwide regarding user familiarity with EULA text (before accepting it). One of the most famous and extensive experiments was made in 2010 by Rainer Böhme and Stefan Köpsell [14]. They evaluated 80 000 respondents and concluded that less than 8% of them spent enough time to read the presented EULA text before clicking the accept button.

Other experiments gave similar results. In 2005 the antivirus company PC Pitstop included information about a $1000 prize in their EULA text. It was granted to the first responder who wrote them a letter about it. The winner showed up only after 4 months and 3000 downloads [15]. Similar results occurred when the cyber security solutions company F-Secure decided to do a Wi-Fi experiment and gave free public access to a specific hotspot only if the user agreed to give away his firstborn child [16]. In only 30 minutes 33 connections were made, and there were no complaints about that tricky clause whatsoever.

On the other hand, there are just a few solutions to evaluate and automatically guard yourself against potential threats written in a EULA. In the middle of 2012 the project called "Terms of Service; Didn't Read" started with a lot of public attention [17]. It rated and labeled websites' terms and privacy policies into five groups and specified pros and cons from their agreements. Sadly, the last entry is dated July 2014 and it appears that the project is no longer active. The situation is similar with an application that automatically analyses EULAs, "EULAlyzer" [18]. Though this program is still the best solution at the moment, it is also no longer developed and is left with very limited functionality.
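The tools named above (EULAlyzer, "Terms of Service; Didn't Read") are no longer maintained, but the core of what they did, flagging the kinds of clauses discussed in section II.B, is small enough to show. The following Python script is an added example written for this edit; it is not code from the paper, from EULAlyzer or from ToS;DR. The clause categories and regular expressions are constructed heuristics, and the sample license text is constructed as well: it mixes ordinary boilerplate with clauses modelled on the ones the paper describes (a "technical assistance" link, "user data will be sent to the developer", a benchmark ban, unilateral changes). Because the scanner works sentence by sentence, it reports a clause placed in the middle of a long document, which is exactly where the experiment in section III.B hides its trigger statements.

```python
import re
from dataclasses import dataclass

# Heuristic clause categories. The regexes are constructed for this example; they are
# not the rule sets of EULAlyzer or "Terms of Service; Didn't Read". Each pattern is
# tested case-insensitively against one sentence at a time, so a clause buried in the
# middle of a long document is found just as easily as one in the first paragraph.
CLAUSE_PATTERNS = {
    "data_collection": [
        r"\b(data|information)\b.{0,60}\b(sent|transmitted|transferred|collected|shared)\b",
        r"\bcollect(s|ing)?\b.{0,40}\b(data|information)\b",
    ],
    "user_monitoring": [
        r"\b(monitor|track|record)(s|ing|ed)?\b.{0,60}\b(user|your|browsing|installed)\b",
    ],
    "content_rights": [
        r"\b(photos?|videos?|content)\b.{0,120}\b(advertis|promotion|marketing)",
        r"\b(worldwide|perpetual|royalty-free)\b.{0,40}\blicen[cs]e\b",
    ],
    "criticism_ban": [
        r"\b(benchmark|review|comparison)\b.{0,60}\b(may not|shall not|prohibited|without .{0,20}consent)",
    ],
    "system_changes": [
        r"\b(uninstall|remove|disable|modify)\b.{0,50}\b(software|programs?|settings)\b.{0,40}\bwithout\b",
    ],
    "unilateral_change": [
        r"\b(change|modify|update)\b.{0,30}\b(terms|agreement)\b.{0,60}\b(at any time|without (prior )?notice)",
    ],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats] for cat, pats in CLAUSE_PATTERNS.items()}


@dataclass
class Finding:
    category: str
    sentence_no: int   # 1-based index of the sentence in the license text
    position: float    # relative position in the document (0.0 = start, 1.0 = end)
    sentence: str


def split_sentences(text: str) -> list[str]:
    """Split license text into sentences on ., ! or ? followed by whitespace."""
    text = " ".join(text.split())  # collapse line breaks and double spaces
    return [s for s in re.split(r"(?<=[.!?])\s+", text) if s]


def extract_links(text: str) -> list[str]:
    """Return every http(s) URL in the text; an unexpected link in the middle of a
    EULA (like the 'technical assistance' page in the paper) deserves a look."""
    return re.findall(r"https?://[^\s\"'<>]+", text)


def scan_eula(text: str) -> list[Finding]:
    """Return one Finding per (sentence, category) whose patterns match."""
    sentences = split_sentences(text)
    findings = []
    for idx, sentence in enumerate(sentences, start=1):
        for category, patterns in COMPILED.items():
            if any(p.search(sentence) for p in patterns):
                findings.append(Finding(category, idx, idx / len(sentences), sentence))
    return findings


def summarize(text: str) -> dict:
    """Length, flagged categories, individual findings and embedded links for a license text."""
    findings = scan_eula(text)
    return {
        "word_count": len(text.split()),
        "sentence_count": len(split_sentences(text)),
        "flagged_categories": sorted({f.category for f in findings}),
        "findings": findings,
        "links": extract_links(text),
    }


# Constructed sample license text (not the experiment's EULA): ordinary boilerplate with
# a few clauses modelled on those the paper discusses, placed past the midpoint.
SAMPLE_EULA = """
IMPORTANT LEGAL AGREEMENT. Please read this End User License Agreement carefully before
installing the Software. The Licensor grants you a non-exclusive, non-transferable license
to use the Software on a single device. The Software is provided as is, without warranty of
any kind, and the Licensor's liability is limited to the amount you paid for it. You may not
publish any benchmark or performance comparison of the Software without the written consent
of the Licensor. Technical assistance: if you do not agree with these terms, cancel the
installation and visit the technical assistance page at https://support.example.invalid/
instead. User data will be sent to the developer to have a better application security.
By posting photos or videos through the Software you grant the Licensor a worldwide,
royalty-free license to use them in advertising material. The Licensor reserves the right
to uninstall or disable other software on your device without notice when it considers this
necessary. The Licensor may change these terms at any time without prior notice. This
agreement is governed by the laws of the country in which the Licensor is established.
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_EULA)
    print(f"{report['word_count']} words, {report['sentence_count']} sentences, links: {report['links']}")
    for f in report["findings"]:
        print(f"[{f.category}] sentence {f.sentence_no} ({f.position:.0%} into text): {f.sentence}")
```

Run against the sample, the scanner flags five of the eleven sentences (benchmark ban, data transfer, content rights, system changes, unilateral change) and lists the single embedded link, which is the alternative route the experiment used to count readers. The patterns are deliberately loose: in practice a reviewer treats the output as a reading list, not a verdict.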
III. EXPERIMENT OF USERS' TRUST IN THE EULA

A. Research environment and collected data

This experiment was performed at the end of 2016. 653 first-year students of the Informatics faculty of Kaunas University of Technology were selected for this investigation. The defined scope helped in achieving several goals:
- to have a limited and known number of respondents;
- to make sure that users have greater than minimum computer literacy skills;
- to analyze the behavior of users who have a motivation to participate.

The experiment was carried out in the form of a knowledge testing application for a specific university course. Students received a link to the downloadable application Quizza via an email from the course lecturer. It was specifically stated that this program is a personal project with potential programming errors. If the student answered more than 50% of the test questions correctly, he received a link to the bonus material. No other information about the experiment was given in the email text. Even though the email sender in this case was not fake (in real-life phishing scenarios the attacker tries to mimic a valid source), the publication method and the fact that the Quizza program was presented only once (no references were made during live lectures) should have raised at least some mistrust.

When the user wanted to install the testing application on either a Windows operating system machine or an Android mobile device, it prompted for the EULA to be accepted, otherwise the installation would be canceled. Every step of this experiment was made to replicate a real-world scenario as closely as possible.

If users accepted the specifically modified EULA document, the installed software not only performed the expected and visible functions, but also collected and sent some data from the machine it was running on. Actions with personal data are very restricted and in most cases need various user approvals even for research purposes; therefore only a limited set of parameters was chosen for data collection, which demonstrated access possibilities and security risks but did not allow identification of the exact person. This set included the number of attached memory devices (hard drive, USB, CD/DVD), the letter assigned to each drive (in the Windows operating system) and the amount of free/occupied space. For the software to access these parameters it needs to have high privileges in the system. In comparison, it would be impossible to get this information by using a malicious web application.

B. Design of special EULA

A specific EULA text was developed for this experiment. The license agreement of the Kaspersky antivirus software was selected as a base model [19]. One difference from the standard EULA sample was that this time the document was written in the Lithuanian language. Such a modification made the EULA compliant with the country's law. It also helped in evaluating whether the language makes any difference to the readability of the EULA, and whether it raises the question for end users why an unknown simple application would bother to use the native language in its license agreement.

Other details were selected according to the standard license agreement: length of 3000 words, difficult legal language, liability limitations of the software developer, etc. Several specific statements were created to trigger the reader's attention and were placed in the middle of the EULA document text.

The first statement was labeled "Technical assistance" and had an active link to the application's support page. When visiting it, the user could get access to the desired bonus content without installing the malicious application. Users who entered this page during the experiment and downloaded resources from it were categorized as those who had read the EULA.

The next specific statement was a mixture of indications that this document is not a standard sample. One piece stated that "user data will be sent to the developer to have a better application security" (without any detailed explanation of why or what exactly will be shared). Another part was a reference to the Republic of Lithuania Law On Legal Protection Of Personal Data [20] and to data collection for scientific reasons. Finally, the last statement advised cancelling the installation and visiting the technical assistance page if the user does not agree with the license text.

C. Applications for Windows and Android operating systems

Two environment options were presented to the users in the experiment: Windows .msi or Android .apk installer files of the Quizza application. Both operating systems are the most popular in their domain, with the highest usage count [21].

In the Windows environment the EULA usually has an additional dialog window where the "Next" or "I agree" button has to be pressed in order to proceed. One common safeguard was added in our experiment to stop the user from automatically pressing the same button (usually "Next") throughout the whole installation process: an additional agreement checkbox had to be selected before continuing to the next step.

The unsophisticated testing environment would be loaded afterwards, where users have to answer five out of ten questions correctly in order to get the desired extra content. The experimental application for devices running Windows was developed using the Java programming language. It is a very lightweight solution where minimal code complexity is added only because of the GUI (the JavaFX package was used for its development). During the test the user received a random question from a .txt file containing a list of 30+ questions. The final score was counted after 10 questions. If the minimum of 5 points is not reached, the user can retry the attempt with another random set of questions.

In parallel to this activity, the Quizza application used standard Java libraries to collect information about memory devices and the third-party email client Gmail to send data to the mailbox prepared for this experiment. None of the user's existing accounts were used for this process: the sender's mail address was also created for this project and hardcoded into the application.
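The application just described collects drive information with standard Java calls and mails it out through an account whose username, password, recipient, host and port are hardcoded into the program (the SpaceIO and Email classes are detailed in the next paragraphs). From a defender's side, those same properties are what a source or binary review looks for before a small "personal project" is allowed onto managed machines. The following Python script is an added example for this edit, not the authors' code and not any existing scanner: it runs regex indicators over application sources and combines them into a verdict. The three Java files are constructed to resemble the architecture the paper describes; the mail addresses and password in them are labelled placeholders, and the SMTP host is simply a Gmail server name, as the paper says Gmail was used.

```python
import re
from dataclasses import dataclass


@dataclass
class Indicator:
    file: str
    line_no: int
    kind: str
    evidence: str  # the offending line; credential values are redacted


# Indicators a reviewer would look for in a distributed desktop application.
# The patterns are constructed for this example and tuned to Java source; they are heuristics.
INDICATORS = {
    # a string literal assigned to a name that suggests a secret
    "hardcoded_credential": re.compile(r'\b((?:password|passwd|pwd|secret|token)\w*)\s*=\s*"([^"]+)"', re.I),
    # an e-mail address literal (sender or collecting mailbox baked into the binary)
    "hardcoded_mailbox": re.compile(r'"([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})"'),
    # a fixed SMTP server or JavaMail SMTP properties
    "smtp_endpoint": re.compile(r'"(smtp\.[A-Za-z0-9.-]+)"|mail\.smtp\.(host|port)', re.I),
    # JavaMail sending API in an application whose visible function needs no e-mail
    "mail_send_api": re.compile(r'\bTransport\.send\s*\(|\bjavax\.mail\b'),
    # enumeration of attached drives and their capacity (what the paper's SpaceIO class gathered)
    "drive_enumeration": re.compile(r'\bFile\.listRoots\s*\(|\bget(?:Total|Free|Usable)Space\s*\(|\bFileSystemView\b'),
}


def scan_source(filename: str, source: str) -> list[Indicator]:
    """Return every indicator hit in one file, one Indicator per (line, kind)."""
    found = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in INDICATORS.items():
            if pattern.search(line):
                evidence = line.strip()
                if kind == "hardcoded_credential":  # never copy the secret into the report
                    evidence = pattern.sub(lambda m: f'{m.group(1)} = "<redacted>"', evidence)
                found.append(Indicator(filename, line_no, kind, evidence))
    return found


def assess(sources: dict[str, str]) -> dict:
    """Scan every file and combine the indicator kinds into an application-level verdict."""
    indicators = [i for name, src in sources.items() for i in scan_source(name, src)]
    kinds = {i.kind for i in indicators}
    verdict = []
    if "hardcoded_credential" in kinds:
        verdict.append("embedded credentials: anyone holding the installer can recover them")
    if "drive_enumeration" in kinds and "mail_send_api" in kinds:
        verdict.append("collects device information and contains mail-sending code: review for silent data transfer")
    if "smtp_endpoint" in kinds or "hardcoded_mailbox" in kinds:
        verdict.append("fixed outbound mail endpoint: candidate for egress filtering and network detection")
    return {"indicators": indicators, "kinds": sorted(kinds), "verdict": verdict}


# Constructed Java sources resembling the architecture described in the paper (not the authors' code).
SAMPLE_SOURCES = {
    "SpaceIO.java": """\
import java.io.File;

// Constructed sample resembling the SpaceIO class described in the paper; not the authors' code.
public class SpaceIO {
    private String driveLetter;
    private String driveType;
    private long driveTotalSpace;
    private long driveFreeSpace;

    public void calculateSpace() {
        for (File root : File.listRoots()) {
            driveLetter = root.getPath();
            driveTotalSpace = root.getTotalSpace();
            driveFreeSpace = root.getFreeSpace();
            new Email().sendEmail(driveLetter, driveType, driveTotalSpace, driveFreeSpace);
        }
    }
}
""",
    "Email.java": """\
import javax.mail.*;

// Constructed sample: mail settings embedded in the application, as the paper describes.
public class Email {
    private static final String HOST = "smtp.gmail.com";
    private static final int PORT = 587;
    private static final String USERNAME = "sender-placeholder@example.com";
    private static final String PASSWORD = "PLACEHOLDER-NOT-A-REAL-SECRET";
    private static final String RECIPIENT = "collector-placeholder@example.com";

    public void sendEmail(String letter, String type, long total, long free) {
        // ... message construction omitted ...
        Transport.send(message);
    }
}
""",
    "Quiz.java": """\
import java.util.List;

// Constructed sample of the visible quiz functionality: no indicators expected.
public class Quiz {
    private List<String> questions;
    public boolean passed(int correct) { return correct >= 5; }
}
""",
}

if __name__ == "__main__":
    result = assess(SAMPLE_SOURCES)
    for i in result["indicators"]:
        print(f"{i.file}:{i.line_no} [{i.kind}] {i.evidence}")
    print("verdict:", *result["verdict"], sep="\n  ")
```

On the sample the scanner reports nine indicator lines across SpaceIO.java and Email.java, nothing in Quiz.java, and all three verdict items. The combination rule is the useful part: drive enumeration alone is ordinary (disk utilities do it), mail code alone is ordinary (mail clients do it), but the two together in a quiz program, with a fixed mailbox and an embedded password, is the pattern the paper's application shows.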
From the architectural point of view, two classes in the application were separate and not connected to the quiz functionality. The SpaceIO class had 4 variables (driveLetter, driveType, driveTotalSpace and driveFreeSpace) and a calculateSpace() method. If the method succeeded without any exceptions, all these 4 parameters were passed to the Email class and the sendEmail() method was invoked.

This class had several variables already hardcoded, like username, password, recipient, port, host, etc. Such a solution enables keeping all code execution within the application. No calls to other programs or services are required. From this short description it is obvious that the experimental application is very simple and could be created by anyone with even limited programming skills. Still, even this is enough to gather important data or invoke malicious code inside another user's system.

The Android application did not have any major differences, neither with respect to functionality nor related to hidden processes. Its Application Programming Interface (API) enables accessing many system parameters; however, to do so it asks the user to grant rights in a special "App permissions" dialog before installing the application. During the testing stage it was noticed that the Android version is more stable and reliable because mobile devices usually do not have any antivirus or other security software which could block the outbound traffic.

Compared to the Windows version, the Android Quizza application is even less complicated, because the GUI and part of the system resources could be manipulated directly. In the Android environment it is easy to track whether the user has already accepted the EULA for a specific program version, even after it is reinstalled many times on the same system. This enables a reduction of the amount of data being sent to the "attacker" and removes all possibilities of information duplication.

On the one hand, there are almost no obstacles for malicious processes to perform hidden actions once the program is installed on the Android device. On the other hand, a special permission window is displayed to the user before successful application installation. If the user pays attention to this dialog and has an idea of how the program should work, any unnecessary privileges included in the list would certainly cause suspicion. This might result in the user terminating the process before the attacker gathers any valuable data from that device.

D. Distribution environment of created programs

For a successful experiment, one needs to have not only the prepared applications, but also a way to share them without causing any doubt about their legitimacy. Having this in mind, a bogus website quizza.tk was created. Only free services were used for its creation: a .tk domain name and a free Lithuanian hosting provider. A similar approach would allow an attacker to make a number of identical copies/alternatives of the distribution environment without spending a cent. In addition, during registration for these services no real personal information was entered and no trackable financial payments were made, thus allowing the real owner to stay hidden.

The main quizza.tk page during the whole experiment displayed the notification "Site under maintenance. We'll be back soon". This deception was applied in order to save the time needed for detailed website creation, while creating the false expectation that such a page really exists. In addition, it removed the possibility of navigation inside the page, which was needed to monitor how many students visited one or another link (it prevented browsing through all the resources at once).

Furthermore, information about the applications and the website was sent from the mailbox of the course instructor to all students. In our case the sender was not falsified, but nowadays it is quite straightforward to alter this data and present it as coming from an unrelated legitimate source. Multiple links (separate for the Windows and Android applications) were included in the email message. In practice, such a method (a well-known source and some references to additional material) is commonly used for fraud purposes.

All links had a server-side PHP script which monitored how many times each of these references was clicked by the user. Three counters were set up for each application to have versatile results of the experiment: how many times it was downloaded, how many people read the EULA and visited the "technical assistance page", and how many students agreed with the license, solved the test and downloaded the bonus content afterwards.

IV. RESULTS OF THE EXPERIMENT

From the initial email with details about these programs until the disclosure of the experiment, two weeks were given to the students.

As can be observed from Table I, more than half of the downloads ended up with the application being installed and the test passed. However, this statistic does not mean that a similar number of students read the EULA and reached the extra content via the different link. The alternative route was not visited at all, so the EULA was not read even once. What is more, almost 80% of those who passed the test shared their system data unknowingly.

TABLE I. WINDOWS PROGRAM STATISTICS
Times downloaded   Test passed   Data about devices received   EULA read
245                130           103                           0

The biggest interest in the experimental application was during the day after the announcement: data about 62 devices (60% of the total amount) was received. As expected, not only hard drives but also USB devices and CDs/DVDs were monitored. Even though during the testing stage some antivirus solutions proved that they would stop the "malicious" traffic from leaving the user's computer, others did the opposite. For example, specific Avast versions even inserted additional text into the email that was sent without the user's awareness: "--- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus". Even after the experiment disclosure was made, 13 students used the
application and thus shared their data with the author (1 of them even 1.5 months after that date). It looks like people still trust the program despite knowing that it did things with their machine without their awareness.

The results of the Android application experiment are presented in Table II. In general they are very similar to the Windows version; however, even fewer students who downloaded the application bothered to finish the test with the required result (probably they wanted just to see the application's appearance, expected to get different practice questions, or just installed it on multiple devices). Surprisingly, even though there are usually no security solutions in the mobile environment, 10% less data (70% on Android compared to 80% on Windows) was successfully gathered by this malicious application. Overall, none of the students bothered to read the EULA and check the link included in its text.

TABLE II. ANDROID APPLICATION STATISTICS
Times downloaded   Test passed   Data about devices received   EULA read
155                73            50                            0

V. CONCLUSIONS

In conclusion, the conducted experiment confirmed that users tend to skip the EULA and agree with any text written in it. The expected R/D ratio of 1/2 was not reached, as nobody accessed the alternative link in the license agreement text, thus setting this ratio to the lowest minimum, 0.

Since this agreement is a legal document, all included terms

lessons from the 5 thousand years' legend about the Trojan Horse are still not learned. Why bother breaking down multiple security layers if the user himself will take you inside?

REFERENCES
[1] M. Ward, "'Alarming' rise in ransomware tracked". Available: http://www.bbc.com/news/technology-36459022 [Accessed: 22 February 2017].
[2] M. Rouse, "End User License Agreement (EULA)". Available: http://searchcio.techtarget.com/definition/End-User-License-Agreement [Accessed: 21 February 2017].
[3] J. Newman, "Top EULA Gotchas: Website Fine-Print Hall of Shame". Available: http://www.pcworld.com/article/249396/top_eula_gotchas_website_fine_print_hall_of_shame.html [Accessed: 22 February 2017].
[4] R. W. Gomulkiewicz, "Getting Serious about User-Friendly Mass Market Licensing for Software", George Mason Law Review, vol. 12, pp. 687-718, 2014.
[5] S. Jary, "Apple iTunes T&Cs 10% longer than Shakespeare's Macbeth". Available: http://www.pcadvisor.co.uk/feature/apple/apple-itunes-tcs-10-longer-than-shakespeares-macbeth-3346281/ [Accessed: 22 February 2017].
[6] D. Goldman, "Is Windows 10 really a privacy nightmare?" Available: http://money.cnn.com/2015/08/17/technology/windows-10-privacy/ [Accessed: 22 February 2017].
[7] Facebook Statement of Rights and Responsibilities. Available: https://www.facebook.com/legal/terms [Accessed: 22 February 2017].
[8] A. Newitz, "Dangerous Terms: A User's Guide to EULAs". Available: https://www.eff.org/wp/dangerous-terms-users-guide-eulas [Accessed: 22 February 2017].
[9] Google Chrome Terms of Service. Available: https://www.google.lt/intl/eng/chrome/browser/privacy/eula_text.html [Accessed: 22 February 2017].
[10] The Republic of Lithuania Law on Electronic Communications. Available: https://www.e-tar.lt/portal/en/legalAct/TAR.82D8168D3049 [Accessed: 21 February 2017].
must meet strict law regulations. However, even official                   [11] Directive      on     electronic   commerce.      Available:     http://eur-
applications could collect considerable amount of confidential                  lex.europa.eu/legal-content/en/ALL/?uri=CELEX:32000L0031
                                                                                [Accessed: 21 February 2017].
data or track user behavior without breaking any laws.
                                                                           [12] M. Webber, L. Rubin, “Liability matters under end user licence
    In addition, this experiment showed more alarming IT                        agreements”. E-Commerce Law and Policy, vol. 13(4), 2011.
security trends. First of all, if the attacker manages to trick the        [13] N. Anderson, “No, you don’t own it: Court upholds EULAs, threatens
                                                                                digital        resale”.      Available:      https://arstechnica.com/tech-
user with the initial source validity, other steps to the complete              policy/2010/09/the-end-of-used-major-ruling-upholds-tough-software-
control over his system might be very easy. More than 60% of                    licenses/ [Accessed: 22 February 2017].
data received came within the first 24 hours from the start of             [14] R. Böhme, S. Köpsell, “Trained to accept?: a field experiment on
the experiment. This tendency favors zero-day exploits or new                   consent dialogs” CHI '10 Proceedings of the SIGCHI Conference on
fraud schemas and as it was visible no home antivirus solutions                 Human Factors in Computing Systems, pp. 2403-2406, 2010.
provide sufficient protection against data theft.                          [15] “It Pays To Read License Agreements (7 Years Later)”. Available:
                                                                                http://techtalk.pcpitstop.com/2012/06/12/it-pays-to-read-license-
    Furthermore, received data disclosed that home users do                     agreements-7-years-later/ [Accessed: 21 February 2017].
not benefit by virtualization technology to increase their                 [16] “Tainted       Love:      How     Wi-fi     betrays     us”.    Available:
systems security. During the experiment malicious application                   https://fsecureconsumer.files.wordpress.com/2014/09/wi-fi-
                                                                                experiment_uk_2014.pdf [Accessed: 21 February 2017].
has monitored hard drives with plenty of storage accessible.
                                                                           [17] “Terms of Service; Didn't Read”. Available: https://tosdr.org/
Also, in many instances connected external USB flash drives                     [Accessed: 22 February 2017].
were detected when user installed this untrusted application.              [18] “EULAnalyzer”. Available: https://www.brightfort.com/eulalyzer.html
That could be easily used for further spread of the malware.                    [Accessed: 21 February 2017].
Finally, data from 17 new devices was received after the                   [19] Kaspersky EULA. Available:
disclosure of this experiment. It shows that either information                 http://www.kaspersky24.lt/kis/Licence%20agreement%20LT.pdf
                                                                                [Accessed: 22 February 2017].
does not reach all parties even in a relatively small group or
                                                                           [20] Republic of Lithuania Law on Legal Protection of Personal Data.
some people still use digital resources after their malicious                   Available: https://www.e-tar.lt/portal/lt/legalAct/TAR.5368B592234C
behavior (potentially only one of many) is known.                               [Accessed: 22 February 2017].
   There are lots of security solutions from the simplest free             [21] “Operating System Market Share Worldwide”. Available:
                                                                                http://gs.statcounter.com/os-market-share [Accessed: 22 February 2017].
versions to expensive professional programs, yet it seems that