Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Lysa Myers
Lysa Myers
Connect Directly
E-Mail vvv

The Case for Transparency in End-User License Agreements

Why it behooves technology companies to consider EULAs as an opportunity to accurately inform customers about privacy issues and other important information.

Imagine walking into your favorite coffee shop to make an order. Due to recent legislation, your baristas are now obligated to give you a 60-page booklet about the dangers of substances commonly found in caffeinated beverages. This includes lengthy warnings about caffeine, lactose, dairy substitutes, and flavored sugar syrups, among other things. You must agree to accept these risks before they can even begin grinding the beans.

The booklets are thick with medicolegal jargon; they're intended to cover the shop's compliance responsibilities more than they're meant to help you make informed dietary decisions. You initially intend to read all the way through the booklet, but due to pressure from a crowd of cranky and undercaffeinated customers building up behind you, you'll just skim a few paragraphs before giving up.

After that first visit, you'll likely just hastily wave the booklet away to speed up the process and the arrival of your much-needed brew.

If you are in the cybersecurity business (or even if you're not), it shouldn't take a great leap to figure out I am making an analogy about end-user license agreements (EULAs) and how useless they are for gaining actual, informed consent about giving up potentially sensitive information. But let's consider another example.

If you've had any sort of medical procedure done in the US during the last decade or so, you're probably aware that you'll be required to sign a scary-looking consent form first. The paperwork is all about informing you of the risk of medical procedures and may list possible negative outcomes or your after-care responsibilities.

On one level, they are meant to protect doctors against the risk of malpractice suits. Some doctors present these without any explanation at all, which can result in varying, sometimes terrifying, reactions depending on the seriousness of the procedure. But not all doctors leave it at this.

Better doctors will have someone explain these documents to you before you sign them. They'll rephrase the document using easily understood language. They'll include some context for the actual risk levels. Then, they'll make sure all your questions are answered so that you fully understand what you're agreeing to. When patients understand the situation completely, they are more likely to have a successful outcome.

Towards a Better EULA
As we're seeing with the many recent privacy gaffes by global mega corporations, EULAs written only to be read or understood by lawyers are causing massive consumer distrust. These companies are fulfilling compliance obligations at the expense of their customers' ability to fully understand what they're agreeing to. While this may be a good corporate legal strategy, the approach makes many of us (myself included) unwilling to participate fully with their products.

The biggest problem with EULAs is that they are simply not readable. Part of this is due to their length, but even the shortest EULA can be written inscrutably. Formulas, such as the Flesch-Kincaid readability test, use the total number of words per sentence and syllables per word to score text. My first draft of the previous sentence was rated "grade 20," which indicates it was written at a post-graduate level of complexity. It's now rated "grade 11."

I don't have a graduate degree, much less a post-graduate degree, so this doesn't indicate that I had initially applied some sort of master's degree mojo. My first draft was just really convoluted. The score simply measures the complexity of a sentence and assigns a grade level that represents how challenging it is to understand. So, in applying readability to the creation of a sensible EULA, it is important to take under consideration the many variables that can affect people's ability to comprehend text. For example:

  • Harry Potter books are written at a 7thto 9th grade level.
  • Newspapers typically are written at an 11th grade level.
  • Time magazine is written at undergraduate level.
  • Harvard Law Review is written at a graduate level.

Depending on the target audience, it's entirely appropriate to vary the level of readability to the EULA audience. A variety of different organizations and industries already use these standards to evaluate text before it's published. This usually occurs when there's a specific concern for the reader's welfare or understanding, such as with insurance policies and federal tax guides.

Right now. most people view EULAs both as meaningless and as a way to secretly "pull one over" on consumers. It would behoove more companies, particularly the largest and most omnipresent ones, to consider EULAs as an opportunity to accurately inform customers about privacy issues and other important information. This transparency could go a long way toward regaining the public's trust.

It would be naive to think legalistic EULAs will ever completely disappear, but it's my hope that one day the adversarial interaction we now have will cease to be a customer's first impression of a new software product, application, or service. Technology has the power to make people's lives better; we tech providers should interact with potential customers as if we believe that is the unequivocal truth.

Related Content:



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-18
An issue was discovered on ASUS DSL-N14U-B1 devices. An attacker can upload arbitrary file content as a firmware update when the filename Settings_DSL-N14U-B1.trx is used. Once this file is loaded, shutdown measures on a wide range of services are triggered as if it were a real update, r...
PUBLISHED: 2021-01-18
Affected versions of Atlassian Fisheye & Crucible allow remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory. The affected versions are before version 4.8.5.
PUBLISHED: 2021-01-17
An issue was discovered in Quali CloudShell 9.3. An XSS vulnerability in the login page allows an attacker to craft a URL, with a constructor.constructor substring in the username field, that executes a payload when the user visits the /Account/Login page.
PUBLISHED: 2021-01-17
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and ...
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...