Security Tip – Reviewing End-User License Agreements

“Reviewing End-User License Agreements” is redistributed from US-CERT as a service of Mainstream Technologies.

What is an end-user license agreement?

An end-user license agreement (EULA) is a contract between you and the software’s vendor or developer. Some software packages state that by simply removing the shrink-wrap on the package, you agree to the contract. However, you may be more familiar with the type of EULA that is presented as a dialog box that appears the first time you open the software. It usually requires you to accept the conditions of the contract before you can proceed. Software updates and patches may also include new or updated EULAs that have different terms than the original. Some EULAs only apply to certain features of the software, so you may only encounter them when you attempt to use those features.

Unfortunately, many users don’t read EULAs before accepting them. The terms of each contract differ, and you may be agreeing to conditions that you later consider unfair or that expose you to security risks you didn’t expect.

What terms may be included?

EULAs are legal contracts, and the vendor or developer may include almost any conditions. These conditions are often designed to protect the developer or vendor against liability, but they may also include additional terms that give the vendor some control over your computer. The following topics are often covered in EULAs:

  • Distribution – There are often limitations placed on the number of times you are allowed to install the software and restrictions about reproducing the software for distribution.
  • Warranty – Developers or vendors often include disclaimers that they are not liable for any problem that results from the software being used incorrectly. They may also protect themselves from liability for software flaws, software failure, or incompatibility with other programs on your computer.

The following topics, while not standard, are examples of other conditions that have been included in EULAs. They present security implications that you should consider before accepting the agreement.

  • Monitoring – Agreeing to the EULA may give the vendor permission to monitor your computer activity and communicate the information back to the vendor or to another third party. Depending on what information is being collected, this type of monitoring could have both security and privacy implications.
  • Software installation – Some agreements allow the vendor to install additional software on your computer. This may include updated versions of the software program you installed (the determination of which version you are running may be a result of the monitoring described above). Vendors may also incorporate statements that allow them or other third parties to install additional software programs on your computer. This software may be unnecessary, may affect the functionality of other programs on your computer, and may introduce security risks.

Author

Mindi McDowell
