Endpoint

3/13/2019
10:30 AM
Lysa Myers
Commentary

The Case for Transparency in End-User License Agreements

Why it behooves technology companies to consider EULAs as an opportunity to accurately inform customers about privacy issues and other important information.

Imagine walking into your favorite coffee shop to make an order. Due to recent legislation, your baristas are now obligated to give you a 60-page booklet about the dangers of substances commonly found in caffeinated beverages. This includes lengthy warnings about caffeine, lactose, dairy substitutes, and flavored sugar syrups, among other things. You must agree to accept these risks before they can even begin grinding the beans.

The booklets are thick with medicolegal jargon; they're intended to cover the shop's compliance responsibilities more than they're meant to help you make informed dietary decisions. You initially intend to read all the way through the booklet, but due to pressure from a crowd of cranky and undercaffeinated customers building up behind you, you'll just skim a few paragraphs before giving up.

After that first visit, you'll likely just hastily wave the booklet away to speed up the process and the arrival of your much-needed brew.

If you are in the cybersecurity business (or even if you're not), it shouldn't take a great leap to figure out I am making an analogy about end-user license agreements (EULAs) and how useless they are for gaining actual, informed consent about giving up potentially sensitive information. But let's consider another example.

If you've had any sort of medical procedure done in the US during the last decade or so, you're probably aware that you'll be required to sign a scary-looking consent form first. The paperwork is all about informing you of the risk of medical procedures and may list possible negative outcomes or your after-care responsibilities.

On one level, they are meant to protect doctors against the risk of malpractice suits. Some doctors present these without any explanation at all, which can result in varying, sometimes terrifying, reactions depending on the seriousness of the procedure. But not all doctors leave it at this.

Better doctors will have someone explain these documents to you before you sign them. They'll rephrase the document using easily understood language. They'll include some context for the actual risk levels. Then, they'll make sure all your questions are answered so that you fully understand what you're agreeing to. When patients understand the situation completely, they are more likely to have a successful outcome.

Towards a Better EULA
As we're seeing with the many recent privacy gaffes by global megacorporations, EULAs written only to be read or understood by lawyers are causing massive consumer distrust. These companies are fulfilling compliance obligations at the expense of their customers' ability to fully understand what they're agreeing to. While this may be a good corporate legal strategy, the approach makes many of us (myself included) unwilling to engage fully with their products.

The biggest problem with EULAs is that they are simply not readable. Part of this is due to their length, but even the shortest EULA can be written inscrutably. Readability formulas, such as the Flesch-Kincaid grade-level test, score text using the average number of words per sentence and the average number of syllables per word. My first draft of the previous sentence was rated "grade 20," which indicates it was written at a post-graduate level of complexity. It's now rated "grade 11."

I don't have a graduate degree, much less a post-graduate degree, so this doesn't indicate that I had initially applied some sort of master's degree mojo. My first draft was just really convoluted. The score simply measures the complexity of a sentence and assigns a grade level that represents how challenging it is to understand. So, in applying readability to the creation of a sensible EULA, it is important to take into consideration the many variables that can affect people's ability to comprehend text. For example:

  • Harry Potter books are written at a 7th to 9th grade level.
  • Newspapers typically are written at an 11th grade level.
  • Time magazine is written at undergraduate level.
  • Harvard Law Review is written at a graduate level.

It's entirely appropriate to vary the readability level to suit the EULA's target audience. A variety of different organizations and industries already use these standards to evaluate text before it's published. This usually occurs when there's a specific concern for the reader's welfare or understanding, such as with insurance policies and federal tax guides.

Right now, most people view EULAs both as meaningless and as a way to secretly "pull one over" on consumers. It would behoove more companies, particularly the largest and most omnipresent ones, to consider EULAs as an opportunity to accurately inform customers about privacy issues and other important information. This transparency could go a long way toward regaining the public's trust.

It would be naive to think legalistic EULAs will ever completely disappear, but it's my hope that one day the adversarial interaction we now have will cease to be a customer's first impression of a new software product, application, or service. Technology has the power to make people's lives better; we tech providers should interact with potential customers as if we believe that is the unequivocal truth.


Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ...