Imagine walking into your favorite coffee shop to make an order. Due to recent legislation, your baristas are now obligated to give you a 60-page booklet about the dangers of substances commonly found in caffeinated beverages. This includes lengthy warnings about caffeine, lactose, dairy substitutes, and flavored sugar syrups, among other things. You must agree to accept these risks before they can even begin grinding the beans.
The booklets are thick with medicolegal jargon; they're intended to cover the shop's compliance responsibilities more than they're meant to help you make informed dietary decisions. You initially intend to read all the way through the booklet, but due to pressure from a crowd of cranky and undercaffeinated customers building up behind you, you'll just skim a few paragraphs before giving up.
After that first visit, you'll likely just hastily wave the booklet away to speed up the process and the arrival of your much-needed brew.
If you are in the cybersecurity business (or even if you're not), it shouldn't take a great leap to figure out I am making an analogy about end-user license agreements (EULAs) and how useless they are for gaining actual, informed consent about giving up potentially sensitive information. But let's consider another example.
If you've had any sort of medical procedure done in the US during the last decade or so, you're probably aware that you'll be required to sign a scary-looking consent form first. The paperwork is all about informing you of the risk of medical procedures and may list possible negative outcomes or your after-care responsibilities.
On one level, they are meant to protect doctors against the risk of malpractice suits. Some doctors present these without any explanation at all, which can result in varying, sometimes terrifying, reactions depending on the seriousness of the procedure. But not all doctors leave it at this.
Better doctors will have someone explain these documents to you before you sign them. They'll rephrase the document using easily understood language. They'll include some context for the actual risk levels. Then, they'll make sure all your questions are answered so that you fully understand what you're agreeing to. When patients understand the situation completely, they are more likely to have a successful outcome.
Towards a Better EULA
As we're seeing with the many recent privacy gaffes by global mega corporations, EULAs written only to be read or understood by lawyers are causing massive consumer distrust. These companies are fulfilling compliance obligations at the expense of their customers' ability to fully understand what they're agreeing to. While this may be a good corporate legal strategy, the approach makes many of us (myself included) unwilling to participate fully with their products.
The biggest problem with EULAs is that they are simply not readable. Part of this is due to their length, but even the shortest EULA can be written inscrutably. Formulas, such as the Flesch-Kincaid readability test, use the total number of words per sentence and syllables per word to score text. My first draft of the previous sentence was rated "grade 20," which indicates it was written at a post-graduate level of complexity. It's now rated "grade 11."
I don't have a graduate degree, much less a post-graduate degree, so this doesn't indicate that I had initially applied some sort of master's degree mojo. My first draft was just really convoluted. The score simply measures the complexity of a sentence and assigns a grade level that represents how challenging it is to understand. So, in applying readability to the creation of a sensible EULA, it is important to take under consideration the many variables that can affect people's ability to comprehend text. For example:
- Harry Potter books are written at a 7thto 9th grade level.
- Newspapers typically are written at an 11th grade level.
- Time magazine is written at undergraduate level.
- Harvard Law Review is written at a graduate level.
Depending on the target audience, it's entirely appropriate to vary the level of readability to the EULA audience. A variety of different organizations and industries already use these standards to evaluate text before it's published. This usually occurs when there's a specific concern for the reader's welfare or understanding, such as with insurance policies and federal tax guides.
Right now. most people view EULAs both as meaningless and as a way to secretly "pull one over" on consumers. It would behoove more companies, particularly the largest and most omnipresent ones, to consider EULAs as an opportunity to accurately inform customers about privacy issues and other important information. This transparency could go a long way toward regaining the public's trust.
It would be naive to think legalistic EULAs will ever completely disappear, but it's my hope that one day the adversarial interaction we now have will cease to be a customer's first impression of a new software product, application, or service. Technology has the power to make people's lives better; we tech providers should interact with potential customers as if we believe that is the unequivocal truth.
- 7 Privacy Mistakes That Keep Security Pros on Their Toes
- The "Typical" Security Engineer: Hiring Myths & Stereotypes
- Lessons from My Strange Journey into InfoSec
- Living with Risk: Where Organizations Fall Short
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.