Meh… EULAs
It is impressive how EULAs and other T&Cs can contain so much crap, without any clarity on what is legal or not. I would think that good lawyers could put a hole through this particular one, but in general the field is full of gray.
Security software vendor Malwarebytes has highlighted what it says is an increasing trend for malware authors to embed Bitcoin mining into things like browser toolbar helpers and search agents. That's not so new, but its latest observation is that the malware-peddlers are trying to tie up suckers with their license agreements …
"People seem to think that if something is in the EULA, it must be binding. - If you agreed in an EULA to kill your first-born, guess which response would be legal?"
Everything in a EULA is absolutely binding unless there is a contrasting local, state, federal, international or other law or legal allowance. Killing your first-born, or obtaining money by deception, is covered. So they *could* in theory put it in there, but it's not legally enforceable.
However, stealing IOPS by deception is not covered by any other law, so they're allowed to do that. The EULA stands. It's slimy, but it stands.
"Everything in a EULA is absolutely binding unless there is a contrasting local, state, federal, international or other law or legal allowance."
I doubt that. Instead of killing your first born, try "I owe Microsoft one million dollars for every second I use this product". Giving money is legal, but I don't think it would fly either.
"I doubt that. Instead of killing your first born, try "I owe Microsoft one million dollars for every second I use this product". Giving money is legal, but I don't think it would fly either."
No, you perhaps don't understand. The EULA isn't the place for pricing, nor the licence agreement. But if you said something along the lines of "you allow us to charge your credit card for in-app purchases", and bury the actual prices somewhere else in a two point font that's hard to read because of the background, that's legal.
Take for instance the CandyCrush (children's iPhone and Android game) scam that's being run now on TV. By law, they're required to state their fine print on screen. They do, with an intentionally low-resolution still image, where the text is so far obscured due to a small font that it's unreadable, in front of a background that makes it even less readable. So you go to their website where EVERYTHING works perfectly as you'd expect - except the "Terms And Conditions" link, which is obscured behind some odd java. Working past that and reading it reveals their host company is a gambling outfit. Yep, they're trying to start them young.
But too late, your six year old badgered you into buying into it - and you didn't read a damn thing.
In Australia, there is provision for getting out of contracts you (technically) agreed to, if you were "badgered" into it. This was primarily to allow for the rogue power retailers and long-distance phone setups that became well known for berating pensioners into buying their wares.
But that doesn't work if your six year old was the one in your ear...
"However, stealing IOPS by deception is not covered by any other law, so they're allowed to do that."
IANAL but I'd guess that the law against Abstracting Electricity might stand a chance against them. After all, it is not the stolen IOPs that you care about. It is the excess electricity that those IOPs used, and that you had to pay for, where you can demonstrate that you have been bilked.
> Everything in a EULA is absolutely binding
Really? Where and when did I sign the contract? And if I didn't sign, how is it a contract at all?
In most of the civilized world, EULAs are not considered contracts, and we should all pray that it remains that way.
My favorite EULA is the one Sony bundled with all their audio CDs back in the day when they also added stealth-installed spyware in their audio CDs, a 17 kilobyte monstrosity Sony has since DMCA'd off the net -- but I still keep a copy to show people how absurd EULAs are. That particular EULA is brimming with illegal terms, like that you may never sell the CD, you can not sue Sony ever, for any reason, can only communicate with Sony through the court of Orange County, USA... and if you make a copy of a Sony audio CD, Sony owns your entire CD collection.
Under UK contract law there is a clear statement that an "unfair" contract, even if it has been voluntarily agreed to by all of the parties, cannot be enforced. The gotcha here is that what constitutes "unfair" has to be left to a judge's discretion; he might agree that these terms are unfair (on the basis you are having your processor, and hence electricity, used for a purpose that you cannot gain any material or immaterial benefit from), but there again he might decide otherwise.
You'd think good lawyers would do that, but the problem is the nature of the civil suit system. What happens is, someone gets a lawyer to lodge a suit, the company then ums and ahs about it, and before it gets to trial they settle. So, you never end up with a legal ruling.
Which means no-one ever gets any decent guidance on what would be legal or not in T&Cs.
"WBT uses a custom installer, Monitor.exe, which it serves up from Amazon"
While I have no connection with Amazon other than as an occasional customer, I feel this is a little unfair to them. Unless I have completely misunderstood the Malwarebytes PDF referenced in the article, this PUP is stored on Amazon's cloud, not dished up with any software you might download from Amazon themselves.
Chris Cosgrove
Drunk? You're past drunk and into "posting in the wrong thread".
evil KOSer: bitcoin mining works by finding a hash value between 0 and the publicly-known "target" for that round. Each hash attempt processes (among other things) a link to the previous "block" in the bitcoin transaction database and new transactions to be added to the database. Hashes are "mathematical calculations". The target value is set to be positive, but low enough that it is difficult to find a desired hash value, thus increasing the security of the protocol. Once transactions have been included in a new block with hash value below the target value, they are considered to be confirmed.
@MondoMan and @AC : thanks for the explanations. I see now how "confirm transactions and increase security" relate to the bitcoin activity.
The thing is, though, it makes no mention of that activity and to any reasonable reader of the EULA the words relate to the expressed functionality of the tool being installed.
So to my mind agreement to the EULA does not constitute agreement to the bitcoin mining, and that activity should be considered an offence under the appropriate laws (eg UK Computer Misuse Act).
Justakos, it's not obvious, but it's not misleading; they are just explaining the background as opposed to advertising their reward... no toolbar is 'free' and the fact that they are making money for authenticating the bitcoin chain is no different to them making money selling your search results or supplying advertising....
One of the advantages of metro internet explorer is the death of the 3rd party toolbar!
@Matt_payne666 :
I don't really think 'misleading' is enough. There would be no need to mention the processing at all if it was just for explanation. I think it is an attempt to get the user to approve processing that they are unaware of.
The way it is written, with no mention of the purpose of the processing, the user is left with the impression that it is a necessary part of the tool that they are installing.
I think deceit isn't too strong a word.
The process of mining a bitcoin involves solving a reverse hash problem on the bitcoin transaction chain. A valid solution to the problem allows the latest transactions at the head of the chain to be confirmed and consolidated into the ongoing chain. So that description does pretty much describe the process of mining.
Well, to be honest he does change the oil for free; I don't see much of a difference between this and inundating the user with ads or selling your data for market analysis. All are evil(TM) ways of retributing "free" crapware (the alternate POV is that the free crapware is a disguise to distribute money-making infections, à la "$CELEB nude pics screensaver"). Just another reason to forbid stoolbars, and to keep the LART at hand for the lusers who do download them.
The question then becomes, how long will it be before the big players start doing the exact same thing? It seems to me the lines could be injected into any EULA including ones from Apple, Google or Microsoft and it could be written into the OS or worse, anything produced with Xcode, Visual Studio, etc.
It's not even worthwhile on large GPU arrays now, with the ASIC miners out there.
There's no real reason for this stuff to mine BTC. But other random cryptocurrencies that still have relatively low burden and possible trading use? Sure.
Even then, only really if the machine has a decent graphics card.
The mining will be so slow that you will never win the "race" to the next successful hash. Since it's a first-past-the-post system, you get nothing, as each time just dividing the work among your army of very slow bitzombies will take more time than others use to actually complete their solution with their compact high-power miners and win the round.
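To make the hash-below-target idea from the mining explanation above (and this post's point about never winning the race) concrete, here is an added, simplified proof-of-work example; it is not code from the article, Malwarebytes or any toolbar vendor, and the header layout, previous-block hash and transactions are constructed stand-ins rather than Bitcoin's real serialisation:

```python
import hashlib
import json

# Constructed sample inputs (not real chain data): a fake previous-block hash
# and two fake transactions waiting to be confirmed in the next block.
PREV_BLOCK_HASH = "00" * 32
TRANSACTIONS = ["alice->bob:1.5", "carol->dave:0.25"]


def block_hash(prev_hash, txs, nonce):
    """Double SHA-256 over a serialised header (simplified layout).

    The header links to the previous block and commits to the new
    transactions, so a solution is only valid for exactly this content.
    """
    header = json.dumps(
        {"prev": prev_hash, "txs": txs, "nonce": nonce}, sort_keys=True
    ).encode()
    return hashlib.sha256(hashlib.sha256(header).digest()).hexdigest()


def target_from_difficulty_bits(leading_zero_bits):
    """Target = 2^(256 - bits) - 1: a hash passes iff its top bits are zero.

    Lowering the target (more zero bits) makes a solution exponentially harder
    to find, which is how the network keeps block production slow and secure.
    """
    return (1 << (256 - leading_zero_bits)) - 1


def mine(prev_hash, txs, target, max_nonce=1 << 32):
    """Try nonces until the header hash is <= target.

    Returns (nonce, hash_hex, attempts) or None if the budget runs out, which
    is what happens to a slow miner that is out-paced before it finds a hit.
    """
    for nonce in range(max_nonce):
        h = block_hash(prev_hash, txs, nonce)
        if int(h, 16) <= target:
            return nonce, h, nonce + 1
    return None


def verify(prev_hash, txs, nonce, target):
    """One hash checks a claimed solution: cheap to verify, costly to find."""
    return int(block_hash(prev_hash, txs, nonce), 16) <= target


def expected_attempts(leading_zero_bits):
    """Average number of hashes needed: each attempt succeeds with p = 2^-bits."""
    return 1 << leading_zero_bits


if __name__ == "__main__":
    target = target_from_difficulty_bits(12)
    nonce, h, attempts = mine(PREV_BLOCK_HASH, TRANSACTIONS, target)
    print(f"nonce={nonce} hash={h} attempts={attempts} "
          f"expected~{expected_attempts(12)}")
    print("verified:", verify(PREV_BLOCK_HASH, TRANSACTIONS, nonce, target))
```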
You know that. I know that. Typical readers of El Reg know that.
But many people don't. Many people don't even know what one is, even AFTER it's been installed on their computer as part of the process of installing something else because they didn't see/understand the pre-ticked box, and the toolbar has, as a result, appeared at their browser.
All they know is "all the extra buttons just appeared" at some point - often more than one lot at different times - making the browser window smaller, and now they've noticed the computer's a bit slow accessing the web.
I'm a long time unix hacker, and hate Windows as much as the next guy, but are you really complaining about pro-MS bias here at the Reg? !!
Besides, in all fairness, if this was an article about a toolbar program on Linux, and someone blamed the OS, I'm sure you'd soon call foul
I cleaned about 10 various toolbars, and a few more 'download helpers' off my sister-in-law's PC last night. When I turned it on, there were 86 processes running, after I'd run Malwarebytes, there were 60 left.
I can't remember the last time I looked at a friend's PC for them and didn't find some toolbar they knew nothing about and never used. Even though most of the time it's just the Google one. The Google Toolbar and Chrome load themselves onto people's computers just like malware. Although at least Chrome has some use - I've no idea what the Google toolbar is for.
Apple stopped bunging Safari out this way, so I guess there's still hope for Google.
@Christian Berger:
"I mean seriously, what do you expect to happen if you download software the creator refuses to give you the source code? Why would anybody keep the source code from you other than wanting to defraud you?"
What earthly use is the bloody source code to someone who has no clue about programming?
People who can read source code and understand what it does – and who also happen to have lucked out in becoming expert[1] in the same programming language(s) as the original developer – are unlikely to be ignorant enough to install such malware in the first place!
However, NOBODY can be an expert in every field of human endeavour. IT is just one field among many. How would you like to be told that you got exactly what was coming to you every damned time your ignorance of a particular subject betrayed you? How would you like it if every time you failed to make a multinational corporation compliant with the likes of Sarbanes-Oxley and ISO 20001, you saw someone pointing and laughing at your ignorance and calling you a "n00b"?
So much for your accusation of naïveté: We are ALL ignorant. We're just ignorant about different things.
Most people don't want to build their cars from scratch, nor do they particularly care how they work. They'll happily buy a Ford Fiesta, or a BMW, or whatnot, and simply drive the thing. All cars share one common feature: their core user interface. Some details will change from car to car, but if you've learned to drive in a Vauxhall Astra, it's a fair bet you can work out how to drive a FIAT Punto or any other make and model of car built since the 1950s.
For every James May, who could cite chapter and verse from the relevant Haynes manual for each car, there are a hundred Jeremy Clarksons, who couldn't give a toss how the bloody machine actually works. Yet most developers still believe everyone who has any contact at all with a computer should be like James May.
The IT industry has moved on quite a bit since the 1960s and '70s.
Open Source has become an anachronism. It is very much part of the problem, not the solution. Forget GNU, Stallman and the FOSS movements: they're yesterday's causes. The problem today isn't source code, but interfaces[2].
Not just in the software, but across the entire chain – from box art to silicon chip, from API to documentation – it's all about interfaces, not code.
End users should not be required to read complicated EULAs to determine whether the code they've downloaded actually does what it says on the tin. Why shouldn't they be able to pay for virtual gatekeepers to screen such things on their behalf? This is exactly why companies like Apple and Amazon have opted to provide such "gated communities[3]" for their users.
Developers – and the IT community in general – really have only themselves to blame for this: you'll have massive flamewars over trivialities like tabs vs. spaces, while criticising the poor bloody users who have to put up with the ill-designed, barely usable, and barely-supported tripe you expect them to learn how to use. And then you think nothing of bundling in someone else's crap with your "free" software, because your definition of "free" isn't the same as the one in the dictionary.
The IT industry's problems aren't Apple's, Google's, Microsoft's or anyone else's fault but yours. You've had half a century of power, but you've chosen to ignore all the responsibilities that come with it. It's time that changed.
[1] There is a veritable Babel of programming languages out there, and merely reading some books and tinkering about with each of them does not make you an expert.
[2] This will come as a shock, but some of you clearly haven't understood what the "I" in "API" actually stands for. Or the purpose of good documentation. Similarly, a published data format is also an interface. Interfaces are everywhere.
[3] Google Play is the only "walled garden" out there. It has gardeners who react to problems after they've happened, not gatekeepers who stop the problems getting in in the first place.
I think the OP's comments about source code are wrong, but I disagree with several of your points too.
Open source does have the benefit that even if I don't understand the source code, there are many independent people who do. (So, for an on-topic example, trusting the official bitcoin clients because they are open source).
Developers and the IT community include those that work for the big multinational companies, so it's unclear who you're arguing for or against here - you can't really separate into two distinct groups.
For "gatekeepers" vs "walled gardens", i.e., pre vs post approval, each has their pros and cons. It's unclear that one is more secure than the other: gatekeepers may miss exploits until they are reported - certainly this has happened with things like copyright violations (e.g., VLC on iOS) which have then had to be dealt with the same as on Google Play. On Apple, the gatekeepers have abused the power to block all sorts of things, nothing to do with stopping malware. On Amazon, the gate means far fewer people put their software there at all. All reported malware on Android has AFAIK not been hosted on Google Play.
I think people should be free to choose a moderated (whether pre or post) application site - indeed, that's why it's best of all if people have the choice. So on Android, if you think Amazon is more secure, you can do so; but a Kindle Fire user can't decide to use Google Play. On platforms like Windows and Linux, you have your pick of sites and communities to download from.
I don't see that this has anything to do with EULAs though - you're right, users shouldn't have to read complicated EULAs, but iOS's software site has its own EULA/TOS that is required to be placed on all applications. Indeed, the Open Source you criticise is one of the few examples of software that does not require you to agree to anything (unfortunately some apps do insist you agree to the GPL, but the GPL explicitly states you don't have to - it's a licence, not a contract).
With respect to your point 2, whilst a contract must have consideration, a license is not the same thing. You may well enter into a separate contract for the procurement of the goods which are in turn subject to a separate license which dictates how those goods may be used. Therefore a license is still valid without consideration; else why do we have the wide variety of Open Source license agreements for products which are often provided free of any charge?
Secondly consideration is not always monetary in nature, consideration is simply the provision of something of value in return for something of allegedly similar value. Therefore it could be argued that the consideration in this instance would be that the permission to allow the software to mine Bitcoins is provided in return for the provision of the functionality in the toolbar.
However, in England and Wales there may be a number of legal points on which the user could argue against having accepted the license terms, such as the fact that the mining of Bitcoins is not linked to the purpose of the toolbar. Where there is a gap in the relationship between the purpose of the software and the license then a court may rule those elements of the EULA which are not relevant to the use of the toolbar are void. English law also takes a dim view of EULAs that seek to introduce terms which the user cannot challenge or negotiate out, so again the court may rule in favour of the individual. Finally, if the user incurs charges that were not made clear at the point that the contract was struck (e.g. additional power charges, wear and tear on the computer, use of bandwidth, etc.) then this would be a potential breach of the Sale of Goods and/or Services legislation and therefore unenforceable in law.
Please note I am not a lawyer but have an understanding of elements of commercial and contract law.
to make them no longer than an A4 page of text, with bullet points only, and large font.
The reason no one reads them is because they are so ridiculously long worded and full of ambiguous language that could basically mean anything when applied in any context.
Edit: Spelling :|
I recall an amusing EULA for an independent software package - it was the usual box that you had to scroll through fifty pages of in order to get it to let you click 'OK'. If you did this too rapidly, it would pop up a box saying, "You just read that whole EULA in 1.7 seconds. Would you like to go back and have another look?" or something similar.
I didn't go back to have another look, but I had to give the guy credit for hanging a lantern on the absurdity.
This belongs to Amazon the same way that all Windows Updates belong to Akamai. The downloads are hosted on Amazon servers, but the software itself is written and maintained by someone else entirely.
From the article:
"According to this post, the miner in question is jhProtominer, and it's being installed by a crowd called We Build Toolbars (WBT).
WBT uses a custom installer, Monitor.exe, which it serves up from Amazon, to start up the Bitcoin miner on the user's system"
In this case you want to be ranting about "We Build Toolbars" :)