Lysa Myers
The Case for Transparency in End-User License Agreements

Why it behooves technology companies to consider EULAs as an opportunity to accurately inform customers about privacy issues and other important information.

Imagine walking into your favorite coffee shop to make an order. Due to recent legislation, your baristas are now obligated to give you a 60-page booklet about the dangers of substances commonly found in caffeinated beverages. This includes lengthy warnings about caffeine, lactose, dairy substitutes, and flavored sugar syrups, among other things. You must agree to accept these risks before they can even begin grinding the beans.

The booklets are thick with medicolegal jargon; they're intended to cover the shop's compliance responsibilities more than they're meant to help you make informed dietary decisions. You initially intend to read all the way through the booklet, but due to pressure from a crowd of cranky and undercaffeinated customers building up behind you, you'll just skim a few paragraphs before giving up.

After that first visit, you'll likely just hastily wave the booklet away to speed up the process and the arrival of your much-needed brew.

If you are in the cybersecurity business (or even if you're not), it shouldn't take a great leap to figure out I am making an analogy about end-user license agreements (EULAs) and how useless they are for gaining actual, informed consent about giving up potentially sensitive information. But let's consider another example.

If you've had any sort of medical procedure done in the US during the last decade or so, you're probably aware that you'll be required to sign a scary-looking consent form first. The paperwork is all about informing you of the risk of medical procedures and may list possible negative outcomes or your after-care responsibilities.

On one level, they are meant to protect doctors against the risk of malpractice suits. Some doctors present these without any explanation at all, which can result in varying, sometimes terrifying, reactions depending on the seriousness of the procedure. But not all doctors leave it at this.

Better doctors will have someone explain these documents to you before you sign them. They'll rephrase the document using easily understood language. They'll include some context for the actual risk levels. Then, they'll make sure all your questions are answered so that you fully understand what you're agreeing to. When patients understand the situation completely, they are more likely to have a successful outcome.

Towards a Better EULA
As we're seeing with the many recent privacy gaffes by global mega corporations, EULAs written only to be read or understood by lawyers are causing massive consumer distrust. These companies are fulfilling compliance obligations at the expense of their customers' ability to fully understand what they're agreeing to. While this may be a good corporate legal strategy, the approach makes many of us (myself included) unwilling to participate fully with their products.

The biggest problem with EULAs is that they are simply not readable. Part of this is due to their length, but even the shortest EULA can be written inscrutably. Formulas, such as the Flesch-Kincaid readability test, use the total number of words per sentence and syllables per word to score text. My first draft of the previous sentence was rated "grade 20," which indicates it was written at a post-graduate level of complexity. It's now rated "grade 11."

I don't have a graduate degree, much less a post-graduate degree, so this doesn't indicate that I had initially applied some sort of master's degree mojo. My first draft was just really convoluted. The score simply measures the complexity of a sentence and assigns a grade level that represents how challenging it is to understand. So, in applying readability to the creation of a sensible EULA, it is important to take into consideration the many variables that can affect people's ability to comprehend text. For example:

  • Harry Potter books are written at a 7th to 9th grade level.
  • Newspapers typically are written at an 11th grade level.
  • Time magazine is written at undergraduate level.
  • Harvard Law Review is written at a graduate level.

Depending on the target audience, it's entirely appropriate to vary the readability level of a EULA to match the people who will read it. A variety of different organizations and industries already use these standards to evaluate text before it's published. This usually occurs when there's a specific concern for the reader's welfare or understanding, such as with insurance policies and federal tax guides.
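To make the readability scoring concrete, here is an added example (not part of the column, and not a tool the author describes) that implements the standard Flesch-Kincaid grade-level formula and runs it over two constructed sentences: a plain privacy statement and a dense indemnification clause of the kind found in EULAs. The syllable counter is a vowel-group heuristic, so individual words can be off by one; the grade-band labels simply mirror the benchmarks listed above.

```python
import re

# Flesch-Kincaid grade level:
#   0.39 * (words / sentences) + 11.8 * (syllables / words) - 15.59
# Heuristic syllable counting below approximates the dictionary counts
# used by reference implementations; treat results as indicative.

_VOWEL_GROUP = re.compile(r"[aeiouy]+")


def count_syllables(word: str) -> int:
    """Approximate syllables as vowel groups, dropping one trailing silent 'e'."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    groups = len(_VOWEL_GROUP.findall(w))
    # "license" -> 2, but keep "table" (-le) and "free" (-ee) intact
    if w.endswith("e") and not w.endswith(("le", "ee")) and groups > 1:
        groups -= 1
    return max(groups, 1)


def split_sentences(text: str) -> list[str]:
    """Split on terminal punctuation; drop empty fragments."""
    return [s for s in re.split(r"[.!?]+", text) if s.strip()]


def words_of(text: str) -> list[str]:
    return re.findall(r"[A-Za-z']+", text)


def flesch_kincaid_grade(text: str) -> float:
    """Return the Flesch-Kincaid grade level for a passage of English text."""
    sentences = split_sentences(text)
    words = words_of(text)
    if not sentences or not words:
        raise ValueError("text must contain at least one sentence and one word")
    syllables = sum(count_syllables(w) for w in words)
    return (0.39 * (len(words) / len(sentences))
            + 11.8 * (syllables / len(words))
            - 15.59)


def grade_band(grade: float) -> str:
    """Map a grade level onto the benchmark bands quoted in the article."""
    if grade < 10:
        return "popular fiction (7th-9th grade)"
    if grade < 13:
        return "newspaper (about 11th grade)"
    if grade < 17:
        return "undergraduate"
    return "graduate or post-graduate"


# Constructed sample text (not taken from any real EULA).
PLAIN = "We collect your email address. We use it to send receipts."
LEGALESE = ("Notwithstanding the foregoing, Licensee shall indemnify and hold "
            "harmless Licensor against any liability arising from unauthorized "
            "disclosure of personally identifiable information.")


def compare(plain: str = PLAIN, legalese: str = LEGALESE) -> dict[str, float]:
    """Score both samples so the gap in readability is visible side by side."""
    return {"plain": flesch_kincaid_grade(plain),
            "legalese": flesch_kincaid_grade(legalese)}


if __name__ == "__main__":
    for label, grade in compare().items():
        print(f"{label:9s} grade {grade:5.1f}  ({grade_band(grade)})")
```

Running the script prints the plain sentence at roughly grade 3 and the clause at well over grade 20, which is the same kind of gap the author saw between a "grade 20" draft and its "grade 11" rewrite. A team that wants to hold a EULA to a readability target can run a check like this in the same review step that catches spelling errors, before the text ships.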

Right now, most people view EULAs both as meaningless and as a way to secretly "pull one over" on consumers. It would behoove more companies, particularly the largest and most omnipresent ones, to consider EULAs as an opportunity to accurately inform customers about privacy issues and other important information. This transparency could go a long way toward regaining the public's trust.

It would be naive to think legalistic EULAs will ever completely disappear, but it's my hope that one day the adversarial interaction we now have will cease to be a customer's first impression of a new software product, application, or service. Technology has the power to make people's lives better; we tech providers should interact with potential customers as if we believe that is the unequivocal truth.


Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ...
