Patch Licenses Pose Hard Choices
Sep. 16, 2002

With its new focus on security, Microsoft has been encouraging customers to install service packs, security roll-ups, and patches to fix Windows security bugs. But before customers can install these updates, they must agree to their supplemental End User License Agreements (EULAs), which often place new terms and conditions on the use of the software being patched. These Supplemental EULAs increasingly pose a dilemma for customers: either agree to a contract that they may not fully understand, that removes rights they previously had, and that they might not be able to comply with, or continue to live with a security vulnerability. While Microsoft cannot wholly eliminate Supplemental EULAs, the company could take several steps to ease the dilemma they pose.

A Contract for Rights to Software

At the core of the dilemma is the EULA, a contract between the customer or user and Microsoft that governs the customer’s use of Microsoft software. The fundamental task of the EULA is to protect Microsoft's intellectual property, which in turn is central to its ability to do business. For example, every Microsoft operating system (OS) includes a base or initial Product EULA covering the OS—typically, Microsoft includes a notice on the box or with the distribution media (such as the CD-ROM or diskette) indicating that customers must accept the enclosed license agreement (the Product EULA) before using the OS. There is also typically a written copy of this Product EULA in the box or accompanying the distribution media.

During the initial stages of installation, a user can scroll through the complete text of the Product EULA, but the user cannot install the OS before clicking a button indicating agreement with the Product EULA. In the case of the first installation, a copy of the Product EULA is typically copied to a known location within the system directory. (For details, see the "Resources" section in this article.)

A Change of Terms

Problems arise because an OS Product EULA is not the end of the matter. For example, a customer installing the security patch for a bug in Windows must agree to a Supplemental EULA that comes with the patch. These Supplemental EULAs do not merely reinforce the Product EULA. Instead, they frequently appear to make substantial changes to the user's contract with Microsoft.

For instance, the Supplemental EULA of one recent Windows Scripting Host patch downloaded from Microsoft’s security Web pages (microsoft.com/security) requires that the patch be separately downloaded to each patched computer from the site. One could easily interpret this clause as eliminating the customer’s ability to use Microsoft software deployment tools such as Systems Management Server (SMS) or the Software Update Service (SUS) to efficiently and consistently distribute and apply the patch to all the computers they manage.

Other Supplemental EULA clauses from service packs and patches seem to have little to do with the software being installed and appear to substantially reduce a customer's rights. For some specific examples, see the chart "Notable EULA Clauses".

Supplemental EULAs accumulate. A customer who starts with Windows 2000 and installs all the currently available service packs and security roll-ups, as well as all the additional patches still not in a service pack but identified as critical by Windows Update and the Baseline Security Analyzer (Microsoft’s patch detection tools), ends up agreeing to at least 15 Supplemental EULAs. In most cases, the Supplemental EULA contains new and often confusing clauses, drops other sets of clauses, and appears to change the affected set of products that the agreements apply to. Moreover, after agreeing to a Supplemental EULA, customers usually have no record of what they agreed to: many Supplemental EULAs cannot be printed and are not stored on the user’s computer. This often makes it impossible to determine the final set of legal terms governing a user’s software.

It's not clear why Supplemental EULAs need to do more than reiterate the terms of the Product EULA. (Indeed, at least one Windows 2000 patch has no Supplemental EULA.) Occasionally service packs do add new features or replace existing features, such as Windows 2000 Service Pack 3, which supplies a new version of the Windows Installer, and in these cases a Supplemental EULA might be required to reflect those changes. But Supplemental EULAs sometimes range far afield. For example, a security update to Internet Explorer 5, which does not appear to use the .NET Framework, prohibits the user from disclosing benchmark results related to .NET Framework-based components.

Just a Misunderstanding?

Microsoft contends that the problems posed by Supplemental EULAs are less serious than they might appear.

First, the company says that the Supplemental EULA does not supersede the Product EULA. Instead, (a) the Supplemental EULA applies only to the bits being installed, and (b) in some cases, when the bits being installed include new functionality, new terms are included that cover that new functionality.

Furthermore, the company suggests that some apparently problematic clauses are not as serious as they appear. For example, according to Microsoft, the Windows Scripting Host patch Supplemental EULA clause that appears to demand that the patch be downloaded separately to each computer does not apply to organizations using SUS to deploy patches. That's because SUS has a separate corporate catalog of patches, and the Supplemental EULAs that accompany patches from that catalog provide the necessary rights for distribution with SUS.

Finally, the company suggests that Supplemental EULAs do not apply to all customers. In particular, most corporate customers have some form of volume licensing agreement with Microsoft, and for these customers, Microsoft summarizes rights and restrictions in a "Product Use Rights" (PUR) document updated quarterly. (For more information on how corporations can license Microsoft’s products, see the June 2002 Research Report, "Understanding Microsoft Licensing.") Some at Microsoft say only the PUR applies to volume customers.

However, even customers with volume licensing agreements will be asked, when installing updates or security patches, to agree to a Supplemental EULA, and they are unable to install such updates and patches unless they do so. This could lead customers to conclude that when they agree to a legal contract in order to secure their software, they are bound by that contract, volume licensing agreement or not. Furthermore, the PUR specifically says that its terms can be superseded by "other terms" if they are provided along with an "update or supplement." Indeed, some Microsoft sources say that Supplemental EULAs and PURs both apply to volume license customers.

Steps for Clarity

By the time a customer has applied a series of patches and service packs, it is virtually impossible to understand the net effect of all these agreements, especially since the customer must go out of his way even to print or keep a copy of the Supplemental EULAs. Eliminating Supplemental EULAs is probably not an option for Microsoft, as it would place its intellectual property at risk. Nevertheless, the company could make some of the following changes to help customers better understand what they are agreeing to:

  • Clarify the role of the Supplemental EULA in relation to other agreements and documents, such as the Product EULA and PUR.
  • Completely separate the distribution of new features (which frequently require new restrictions in Supplemental EULAs) from the distribution of security patches, so that customers do not have to choose between a contractual change and a security exposure.
  • Make all the rights and restrictions in effect on any computer available from a common location, such as an "Effective EULA" tab on the properties of the My Computer icon that could display the current set of terms (updated with each Supplemental EULA), and ensure that customers can retain copies of all Product and Supplemental EULAs that govern the software on a given computer.
  • Clarify the text of Product and Supplemental EULAs so that customers need not seek legal advice to understand what they are agreeing to.

Resources

A text version of the OS Product EULA for Windows is stored at Systemroot\System32\eula.txt. Typically, Systemroot would be c:\windows or c:\winnt.

The licensing help file is stored at Systemroot\help\license.chm.