End-user license agreement - threat to information security: a real life experiment

Žygimantas Kaupas, Faculty of Informatics, Kaunas University of Technology, Kaunas, Lithuania, e-mail: zygimantas.kaupas@ktu.edu
Jonas Čeponis, Faculty of Informatics, Kaunas University of Technology, Kaunas, Lithuania, e-mail: jonas.ceponis@ktu.lt

Copyright © 2017 held by the authors

Abstract—This paper analyses the end-user license agreement (EULA) and its impact on the security of information and information technologies. Popular opinion suggests that people tend to accept EULA legal statements without a good understanding of the potential impact on their confidential data. To get a clear picture of the current situation, a real-life experiment with a specifically created license text was conducted. The results reveal serious information security flaws.

Keywords—end-user license agreement; EULA; acceptance without reading EULA

I. INTRODUCTION

As more and more data is stored online and the number of internet users is constantly increasing, creators of malicious software are persistently looking for innovative ways to acquire valuable confidential information.

When recent malware, spyware, ransomware and other digital attacks were disclosed publicly and attracted a lot of attention [1], common trust in online information decreased notably. It is commendable general practice to use an antivirus solution, not to open suspicious links and not to give confidential data to an untrusted source. However, one attack vector is often forgotten.

The digital world is no longer imaginable without countless pieces of software. Almost all of it asks the user to accept the end-user license agreement (EULA) before the installation process starts. This step is frequently overlooked by most users, even though real security threats might be hidden there.

This work analyses the concept of the EULA and its drawbacks. Users' trust in information found online is tested with software made for this experiment, which has a specifically designed EULA text. The obtained results enable identification of the problem's scope and suggest actions which could help close this security gap.

II. END-USER LICENSE AGREEMENT ANALYSIS

An end-user license agreement is a legal contract between the author or publisher of a software application and the user of that application [2]. This document should be used to protect software creators from copyright infringements and from liabilities when something goes wrong because of mistakes in their products. However, it can become a tool against the end user too [3].

Multiple parameters have to be defined in order to evaluate whether the user understood the license agreement before consenting to it. The most important objective variable, R, indicates the total number of document readings. An additional subjective variable, understanding (U), can be applied; however, it is too ambiguous to use without extensive questionnaires after the experiment. For this research it is expected that the ratio between R and D (the total number of program downloads) will be at least 1/2, which would indicate that more than half of the participants read the license agreement text.

A. Ways of accepting the EULA and its drawbacks

There are a number of ways in which a user might accept the EULA (sometimes even without knowing it) [2]:
- by clicking the "I agree" button during software installation;
- by opening the shrink wrap on the package;
- by breaking the seal on the case;
- by sending a special card back to the software publisher;
- by executing a downloaded file (applicable more to UNIX systems);
- by using the software.

Users' trust in information found online will be tested with the first of the above-mentioned methods, since it is the most common one used in practice nowadays.

From the list of acceptance methods it is already obvious that notifying the user about the EULA terms is the least important objective for software developers. Moreover, this drawback is only the first of many points of criticism related to this document.

One of the most criticized aspects of the EULA is its length [4]. On average it reaches 3000 words (11 pages with double spacing), but in some cases this number is more than 10 times bigger (in 2012 the PayPal EULA contained 36 275 words [5]). Unfortunately, there is no data available on how many (if any) users read these documents at all.

In addition, difficult legal terminology is always used in EULA language. This significantly decreases the document's readability and contradicts the main idea that all people should be able to read and understand it. Also, terms that may be harmful to the user's system or to information confidentiality can be well hidden among those legal phrases.

B. Common Harmful EULA Terms

Even well-known companies use the EULA for specific purposes. User monitoring is very often mentioned in this document. For example, in order to have a fully functional user assistant Cortana in the Microsoft Windows 10 operating system, agreement to the collection of user data (installed programs, browsing history, etc.) is included in the EULA by default. These settings can be disabled later, but that costs the end user some time, knowledge and effort [6]. Facebook, on the other hand, claims that it can use any digital content posted by its users for any of the company's objectives as long as this media is not deleted from the website. Users' photos or videos could be included in advertising material without any official notification [7].

A restriction on criticizing the software or comparing it with similar products can also be found in EULA text. Even though in 2003 the global computer security company McAfee was penalized for forbidding benchmark publications in such a way, today well-known software products like Microsoft SQL Server or VMware Workstation still use similar restrictions in their EULA [8]. It is obvious that some terms are so desirable that even financial punishment does not frighten software creators.

Finally, some IT giants like Microsoft or Google have granted themselves the right to change the state of the user's operating system (uninstall programs, change settings, etc.) based on the EULA. Officially this could easily be explained as basic user protection; however, it does not exclude the possibility of deleting some unwanted software or changing required settings without any warning or justifying cause. Furthermore, Google allows itself to change the EULA at any time without warning. The underlying presumption is that the user will check the latest version of this document from time to time [9]. The authors do not think that these well-known companies would risk their good name to exploit the terms mentioned above, but there are a number of others who certainly would.

C. Legal EULA Analysis

There are many discussions online where the legal obligations of the EULA are debated. Usually people tend to think that this document is like an informational message or a standard instruction, despite its usual start with the words "important legal agreement". The situation is even more complicated in Lithuania, since there is no judicial practice related to this question and even the EULA document itself is most of the time written in English.

The Republic of Lithuania Law on Electronic Communications states that it is forbidden to gather any confidential digital information except when the user is informed and has given his agreement [10]. Similar principles are echoed in other legal documents about access to personal data. The EULA perfectly fits the aforementioned principle: inform and receive consent.

The situation in the European Union is very similar to Lithuania's: there is still a shortage of court decisions related to the discussed document. According to the E-commerce directive [11], each member state could exclude electronic agreements from the list of binding documents. However, as of 2011 none had selected this option, and there is no information that it has been chosen by anyone today [12].

Finally, even the birthplace of the EULA, the USA, has no common verdict regarding the legal obligations of this document. Related judgements are always made ad hoc. However, statistics are in favor of the EULA, and some widely publicized trials ended in support of this document and thus strengthened its legal power even more [13].

D. EULA research and known solutions

There is not a lot of academic attention to this document, either in Lithuania or in the world. No published research could be found in the Lithuanian language where the EULA is the main object of analysis. This document is mentioned only seldom, in the context of intellectual property protection, and nowhere is the potential threat of the software license agreement to confidential information or IT infrastructure discussed.

Somewhat more research was done worldwide regarding users' familiarity with the EULA text before accepting it. One of the most famous and extensive experiments was made in 2010 by Rainer Böhme and Stefan Köpsell [14]. They evaluated 80 000 respondents and concluded that less than 8% of them spent enough time to read the presented EULA text before clicking the accept button.

Other experiments gave similar results. In 2005 the antivirus company PC Pitstop included information about a 1000$ prize in their EULA text. It was granted to the first responder who wrote them a letter about it. The winner showed up only after 4 months and 3000 downloads [15]. Similar results occurred when the cyber security solutions company F-Secure decided to do a Wi-Fi experiment and gave free public access to a specific hotspot only if the user agreed to give away his firstborn child [16]. In only 30 minutes 33 connections were made, and there were no complaints about that tricky clause whatsoever.

On the other hand, there are just a few solutions for evaluating and automatically guarding oneself against potential threats written in a EULA. In the middle of 2012 the project called "Terms of Service; Didn't Read" started with a lot of public attention [17]. It rated and labeled websites' terms and privacy policies into five groups and specified the pros and cons of their agreements. Sadly, the last entry is dated July 2014 and it appears that the project is no longer active. The situation is similar with an application that automatically analyses EULAs, "EULAlyzer" [18]. Though this program is still the best solution at the moment, it is also no longer developed and is left with very limited functionality.

III. EXPERIMENT OF USERS' TRUST IN THE EULA

A. Research environment and collected data

This experiment was performed at the end of 2016. 653 first-year students of the Faculty of Informatics of Kaunas University of Technology were selected for this investigation. The defined scope helped in achieving several goals:
- to have a limited and known number of respondents;
- to make sure that users have greater than minimum computer literacy skills;
- to analyze the behavior of users who have a motivation to participate.

The experiment was carried out in the form of a knowledge testing application for a specific university course. Students received a link to the downloadable application Quizza via an email from the course lecturer. It was specifically stated that this program is a personal project with potential programming errors. If the student answered more than 50% of the test questions correctly, he received a link to the bonus material. No other information about the experiment was given in the email text. Even though the email sender in this case was not fake (in real-life phishing scenarios the attacker tries to mimic a valid source), the publication method and the fact that the Quizza program was presented only once (no references were made during live lectures) should have raised at least some mistrust.

When the user wanted to install the testing application on either a Windows operating system machine or an Android mobile device, it prompted for the EULA to be accepted, otherwise the installation would be canceled. Every step of this experiment was made to replicate a real-world scenario as closely as possible.

If users accepted the specifically modified EULA document, the installed software not only performed the expected and visible functions, but also collected and sent some data from the machine it was running on. Actions with personal data are very restricted and in most cases need various user approvals even for research purposes; therefore only a limited set of parameters was chosen for data collection, which demonstrated access possibilities and security risks but did not allow identification of the exact person. This set included the number of attached storage devices (hard drive, USB, CD/DVD), the letter assigned to each drive (in the Windows operating system) and the amount of free/occupied space. For the software to access these parameters it needs to have high privileges in the system. In comparison, it would be impossible to get this information using a malicious web application.

B. Design of special EULA

A specific EULA text was developed for this experiment. The license agreement of the Kaspersky antivirus software was selected as a base model [19]. One difference from the standard EULA sample was that this time the document was written in the Lithuanian language. This modification made the EULA compliant with the country's law. It also helped to evaluate whether the language makes any difference to the readability of the EULA, and whether it raises the question for end users why an unknown simple application would bother to use the native language in its license agreement.

Other details were selected according to the standard license agreement: a length of 3000 words, difficult legal language, liability limitations of the software developer, etc. Several specific statements were created to trigger the reader's attention and placed in the middle of the EULA text.

The first statement was labeled "Technical assistance" and had an active link to the application's support page. When visiting it, the user could get access to the desired bonus content without installing the malicious application. Users who entered this page during the experiment and downloaded resources from it were categorized as those who had read the EULA.

The next specific statement was a mixture of indications that this document is not a standard sample. One piece stated that "user data will be sent to the developer to have a better application security" (without any detailed explanation of why or what exactly will be shared). Another part was a reference to the Republic of Lithuania Law on Legal Protection of Personal Data [20] and data collection for scientific reasons. Finally, the last statement advised cancelling the installation and visiting the technical assistance page if the user does not agree with the license text.

C. Applications for Windows and Android operating systems

Two environment options were presented to the users in the experiment: Windows .msi or Android .apk installer files of the Quizza application. Both operating systems are the most popular in their domain, with the highest usage count [21].

In the Windows environment the EULA usually has an additional dialog window where the "Next" or "I agree" button has to be pressed in order to proceed. One common safeguard was added in our experiment to stop the user from automatically pressing the same button (usually "Next") throughout the whole installation process: an additional agreement checkbox had to be selected before continuing to the next step.

The unsophisticated testing environment would be loaded afterwards, where users have to answer five out of ten questions correctly in order to get the desired extra content.

The experimental application for devices running Windows was developed in the Java programming language. It is a very lightweight solution where minimal code complexity is added only because of the GUI (the JavaFX package was used for its development). During the test the user received a random question from a .txt file containing a list of 30+ of them. The final score was counted after 10 questions. If the minimum of 5 points is not reached, the user can retry the attempt with another random set of questions.

In parallel to this activity, the Quizza application used standard Java libraries to collect information about storage devices and the third-party email service Gmail to send the data to the mailbox prepared for this experiment. None of the user's existing accounts were used for this process: the mail address of the sender was also created for this project and hardcoded into the application.

From an architectural point of view, two classes in the Main application were separate and not connected to the quiz functionality. The SpaceIO class had 4 variables (driveLetter, driveType, driveTotalSpace and driveFreeSpace) and a calculateSpace() method. If the method succeeded without any exceptions, all these 4 parameters were passed to the Email class and its sendEmail() method was invoked.

This class had several variables already hardcoded, like username, password, recipient, port, host, etc. Such a solution keeps all code execution within the application; no calls to other programs or services are required. From this short description it is obvious that the experimental application is very simple and could be created by anyone with even limited programming skills. Still, even this is enough to gather important data or invoke malicious code inside another user's system.

The Android application did not have any major differences, either with respect to functionality or to the hidden processes. Its Application Programming Interface (API) enables access to many system parameters; however, to do so it asks the user to grant rights in a special "App permissions" dialog before installing the application. During the testing stage it was noticed that the Android version is more stable and reliable because mobile devices usually do not have any antivirus or other security software which could block the outbound traffic. Compared to the Windows version, the Android Quizza application is even less complicated, because the GUI and part of the system resources could be manipulated directly. In the Android environment it is easy to track whether the user has already accepted the EULA for a specific program version, even after it is reinstalled many times in the same system. This allows the amount of data sent to the "attacker" to be reduced and removes all possibility of duplicated information.

On the one hand, there are almost no obstacles for malicious processes to perform hidden actions once the program is installed on the Android device. On the other hand, a special permission window is displayed to the user before the application is successfully installed. If the user pays attention to this dialog and has an idea of how the program should work, any unnecessary privileges included in the list would certainly cause suspicion. This might result in the user terminating the process before the attacker gathers any valuable data from that device.

D. Distribution environment of created programs

For a successful experiment, one needs to have not only prepared applications, but also a way to share them without causing any doubt about their legitimacy. With this in mind, a bogus website quizza.tk was created. Only free services were used for its creation: a .tk domain name and a free Lithuanian hosting provider. A similar approach would allow an attacker to make a number of identical copies/alternatives of the distribution environment without spending a cent. In addition, during registration for these services no real personal information was entered and no trackable financial payments were made, thus allowing the real owner to stay hidden.

The main quizza.tk page displayed the notification "Site under maintenance. We'll be back soon" during the whole experiment. This trick was applied in order to save the time needed for creating a detailed website, while creating a false expectation that such a page really exists. In addition, it removed the possibility of navigating inside the page, which was needed to monitor how many students visited one or another link (it prevented browsing through all the resources at once).

Furthermore, information about the applications and the website was sent from the mailbox of the course instructor to all students. In our case the sender was not falsified, but nowadays it is quite straightforward to alter this data and present it as coming from an unrelated legitimate source. Multiple links (separate for the Windows and Android applications) were included in the email message. In practice, such a method (a well-known source and some references to additional material) is commonly used for fraud purposes.

All links led to a server-side PHP script which monitored how many times each of these references was clicked by users. Three counters were set up for each application to obtain versatile results from the experiment: how many times it was downloaded, how many people read the EULA and visited the "technical assistance" page, and how many students agreed with the license, solved the test and downloaded the bonus content afterwards.

IV. RESULTS OF THE EXPERIMENT

From the initial email with details about these programs until the disclosure of the experiment, two weeks were given to the students.

As can be observed from Table I, more than half of the downloads ended up with the application being installed and the test passed. However, this statistic does not mean that a similar number of students read the EULA and reached the extra content via the different link. The alternative route was not visited at all, so the EULA was not read even once. What is more, almost 80% of those who passed the test unknowingly shared their system data.

TABLE I. WINDOWS PROGRAM STATISTICS

Times downloaded   Test passed   Data about devices received   EULA read
245                130           103                           0

The biggest interest in the experimental application was during the day after the announcement: data about 62 devices (60% of the total amount) was received. As expected, not only hard drives but also USB devices and CDs/DVDs were monitored. Even though during the testing stage some antivirus solutions proved that they would stop the "malicious" traffic from leaving the user's computer, others did the opposite. For example, specific Avast versions even inserted additional text into the email that was sent without the user's awareness: "--- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus". Even after the experiment was disclosed, 13 students used the application and thus shared their data with the author (1 of those even 1.5 months after that date). It looks like people still trust the program despite knowing that it did things on their machine without their awareness.

The results of the Android application experiment are presented in Table II. In general they are very similar to the Windows version; however, even fewer students who downloaded the application bothered to finish the test with the required result (probably they just wanted to see the application's appearance, expected to get different practice questions, or simply installed it on multiple devices). Surprisingly, even though there are usually no security solutions in the mobile environment, 10% less data (70% on Android compared to 80% on Windows) was successfully gathered by this malicious application. Overall, none of the students bothered to read the EULA and check the link included in its text.

TABLE II. ANDROID APPLICATION STATISTICS

Times downloaded   Test passed   Data about devices received   EULA read
155                73            50                            0

V. CONCLUSIONS

In conclusion, the conducted experiment confirmed that users tend to skip the EULA and agree with any text written in it. The expected R/D ratio of 1/2 was not reached, as nobody accessed the alternative link in the license agreement text, thus setting this ratio to the lowest minimum, 0.

Since this agreement is a legal document, all included terms must meet strict legal regulations. However, even official applications could collect a considerable amount of confidential data or track user behavior without breaking any laws.

In addition, this experiment showed more alarming IT security trends. First of all, if the attacker manages to trick the user regarding the validity of the initial source, the other steps towards complete control over his system might be very easy. More than 60% of the data received came within the first 24 hours from the start of the experiment. This tendency favors zero-day exploits or new fraud schemes, and as was visible, no home antivirus solutions provide sufficient protection against data theft.

Furthermore, the received data disclosed that home users do not benefit from virtualization technology to increase their systems' security. During the experiment the malicious application monitored hard drives with plenty of accessible storage. Also, in many instances connected external USB flash drives were detected when the user installed this untrusted application. That could easily be used for further spread of the malware.

Finally, data from 17 new devices was received after the disclosure of this experiment. It shows that either information does not reach all parties even in a relatively small group, or some people still use digital resources after their malicious behavior (potentially only one of many) is known.

There are lots of security solutions, from the simplest free versions to expensive professional programs, yet it seems that the lessons of the 5 thousand years' legend about the Trojan Horse are still not learned. Why bother breaking down multiple security layers if the user himself will take you inside?

REFERENCES

[1] M. Ward, "'Alarming' rise in ransomware tracked". Available: http://www.bbc.com/news/technology-36459022 [Accessed: 22 February 2017].
[2] M. Rouse, "End User License Agreement (EULA)". Available: http://searchcio.techtarget.com/definition/End-User-License-Agreement [Accessed: 21 February 2017].
[3] J. Newman, "Top EULA Gotchas: Website Fine-Print Hall of Shame". Available: http://www.pcworld.com/article/249396/top_eula_gotchas_website_fine_print_hall_of_shame.html [Accessed: 22 February 2017].
[4] R. W. Gomulkiewicz, "Getting Serious about User-Friendly Mass Market Licensing for Software", George Mason Law Review, vol. 12, pp. 687-718, 2014.
[5] S. Jary, "Apple iTunes T&Cs 10% longer than Shakespeare's Macbeth". Available: http://www.pcadvisor.co.uk/feature/apple/apple-itunes-tcs-10-longer-than-shakespeares-macbeth-3346281/ [Accessed: 22 February 2017].
[6] D. Goldman, "Is Windows 10 really a privacy nightmare?". Available: http://money.cnn.com/2015/08/17/technology/windows-10-privacy/ [Accessed: 22 February 2017].
[7] Facebook Statement of Rights and Responsibilities. Available: https://www.facebook.com/legal/terms [Accessed: 22 February 2017].
[8] A. Newitz, "Dangerous Terms: A User's Guide to EULAs". Available: https://www.eff.org/wp/dangerous-terms-users-guide-eulas [Accessed: 22 February 2017].
[9] Google Chrome Terms of Service. Available: https://www.google.lt/intl/eng/chrome/browser/privacy/eula_text.html [Accessed: 22 February 2017].
[10] The Republic of Lithuania Law on Electronic Communications. Available: https://www.e-tar.lt/portal/en/legalAct/TAR.82D8168D3049 [Accessed: 21 February 2017].
[11] Directive on electronic commerce. Available: http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:32000L0031 [Accessed: 21 February 2017].
[12] M. Webber, L. Rubin, "Liability matters under end user licence agreements", E-Commerce Law and Policy, vol. 13(4), 2011.
[13] N. Anderson, "No, you don't own it: Court upholds EULAs, threatens digital resale". Available: https://arstechnica.com/tech-policy/2010/09/the-end-of-used-major-ruling-upholds-tough-software-licenses/ [Accessed: 22 February 2017].
[14] R. Böhme, S. Köpsell, "Trained to accept?: a field experiment on consent dialogs", CHI '10 Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2403-2406, 2010.
[15] "It Pays To Read License Agreements (7 Years Later)". Available: http://techtalk.pcpitstop.com/2012/06/12/it-pays-to-read-license-agreements-7-years-later/ [Accessed: 21 February 2017].
[16] "Tainted Love: How Wi-fi betrays us". Available: https://fsecureconsumer.files.wordpress.com/2014/09/wi-fi-experiment_uk_2014.pdf [Accessed: 21 February 2017].
[17] "Terms of Service; Didn't Read". Available: https://tosdr.org/ [Accessed: 22 February 2017].
[18] "EULAlyzer". Available: https://www.brightfort.com/eulalyzer.html [Accessed: 21 February 2017].
[19] Kaspersky EULA. Available: http://www.kaspersky24.lt/kis/Licence%20agreement%20LT.pdf [Accessed: 22 February 2017].
[20] Republic of Lithuania Law on Legal Protection of Personal Data. Available: https://www.e-tar.lt/portal/lt/legalAct/TAR.5368B592234C [Accessed: 22 February 2017].
[21] "Operating System Market Share Worldwide". Available: http://gs.statcounter.com/os-market-share [Accessed: 22 February 2017].
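The exfiltration path of Section III.C (a Java desktop application sending collected drive data through Gmail's SMTP server with hardcoded credentials) and the observation in Section IV that only some antivirus products blocked that outbound traffic point to a simple host-side egress check. The following Python is an added example, not code from the paper or from the Quizza application; the log format, the process names and hostnames in the constructed sample lines, and the mail-client allowlist are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Mail submission/transfer ports; an interactive quiz application has no reason to use them
SMTP_PORTS = {25, 465, 587}
# Assumed allowlist of workstation processes that legitimately speak SMTP
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Java launchers: the paper's Windows application was a Java/JavaFX program
JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}


@dataclass
class NetEvent:
    timestamp: str
    image: str  # full path of the process that opened the connection
    host: str
    port: int


@dataclass
class Finding:
    timestamp: str
    process: str  # basename of the image, lower-cased
    host: str
    port: int
    reason: str


# Simplified key=value rendering of a Sysmon "network connection" event (assumed format)
_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+Image=(?P<image>.+?)\s+DestinationHostname=(?P<host>\S+)"
    r"\s+DestinationPort=(?P<port>\d+)\s+Protocol=(?P<proto>\S+)\s*$"
)

# Constructed sample log: paths, hostnames and the Quizza.exe name are illustrative only
SAMPLE_LOG = r"""
2016-11-15T09:12:03 Image=C:\Program Files\Java\jre8\bin\javaw.exe DestinationHostname=smtp.gmail.com DestinationPort=465 Protocol=tcp
2016-11-15T09:12:05 Image=C:\Program Files\Mozilla Firefox\firefox.exe DestinationHostname=quizza.tk DestinationPort=80 Protocol=tcp
2016-11-15T09:13:10 Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE DestinationHostname=smtp.office365.com DestinationPort=587 Protocol=tcp
2016-11-15T09:14:22 Image=C:\Users\student\Downloads\Quizza\Quizza.exe DestinationHostname=smtp.gmail.com DestinationPort=587 Protocol=tcp
"""


def parse_line(line: str) -> Optional[NetEvent]:
    """Parse one log line; return None for lines that do not match the format."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        return None
    return NetEvent(m["ts"], m["image"], m["host"], int(m["port"]))


def process_name(image: str) -> str:
    """Basename of a Windows or POSIX path, normalised to lower case."""
    return re.split(r"[\\/]", image)[-1].lower()


def is_suspicious_smtp(event: NetEvent) -> bool:
    """True when a process outside the mail-client allowlist opens an SMTP connection."""
    if event.port not in SMTP_PORTS:
        return False
    return process_name(event.image) not in MAIL_CLIENTS


def find_smtp_exfil(log_text: str) -> List[Finding]:
    """Scan a log and report every connection matching the Quizza exfiltration pattern."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or not is_suspicious_smtp(event):
            continue
        name = process_name(event.image)
        reason = "non-mail-client process opened an SMTP connection"
        if name in JAVA_LAUNCHERS:
            reason += " from a Java launcher"
        findings.append(Finding(event.timestamp, name, event.host, event.port, reason))
    return findings


if __name__ == "__main__":
    for f in find_smtp_exfil(SAMPLE_LOG):
        print(f"{f.timestamp} {f.process} -> {f.host}:{f.port}: {f.reason}")
```

On the sample log the browser fetch of quizza.tk and the Outlook submission pass, while the two SMTP sessions from javaw.exe and Quizza.exe are reported; in practice the same rule belongs in an egress firewall policy, since the paper notes that on Android no such host-side control was present at all.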