SANS ISC InfoSec Forums

Raising the "Creep Factor" in License Agreements

When I started in this biz back in the 80s, I was brought up short when I read my first EULA (End User License Agreement).  Back then, software was basically wrapped in the EULA (yes, like a Christmas present), and nobody read them then either.  Imagine my surprise at the time that I hadn't actually purchased the software, but was granted a license to use the software, and ownership remained with the vendor (Microsoft, Lotus, UCSD and so on).

Well, things haven't changed much since then, and the concept of ownership has been steadily creeping further and further into information "territory" that we don't expect.  Google, Facebook and pretty much any other free service out there sells any information you post, as well as any other metadata that they can scrape from photos, session information and so on.  The common proverb in those situations is "if the service is free, then YOU are the product".  Try reading the Google, Facebook or Twitter terms of service if you have an hour to spare and think your blood pressure is a bit low that day.

The frontier of EULAs, however, and the market where you seem to be giving up the most private information you don't expect, seems to be home appliances - in this case Smart Televisions.  Samsung recently posted the EULA for its SmartTV here:
https://www.samsung.com/uk/info/privacy-SmartTV.html

They're collecting the shows you watch, internet sites visited, IP addresses you browse from, cookies, "likes", search terms (really?) and all kinds of other easy to collect and apparently easy to apologize for (in advance) information.  With this information in hand, I'm pretty sure I'm not hooking up my TV to my home wireless or ethernet, but I'm not surprised - pretty much every Smart TV vendor collects this same info.

But the really interesting passage, where the "creep factor" is really off the charts for me, is:
"Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition."

No word, of course, on who the "third parties" are, or what their privacy policies might be.

Really and truly a spy in your living room.  I guess it's legal if it's in a EULA or you work for a TLA?  And it's morally OK as long as you "apologize in advance?"

=====================================

https://www.facebook.com/legal/terms
https://www.facebook.com/about/privacy/
http://www.google.com/intl/en/policies/terms/
http://www.google.com/intl/en/policies/privacy/

===============
Rob VandenBrink
Metafore

Wait until these "speakers" are in every room of your home!

Voice Services: You control Amazon Echo with your voice. Amazon Echo streams audio to the cloud when you press and hold the talk button on your Amazon Echo remote, press the wake button on your Amazon Echo, or when Amazon Echo detects the wake word, including a fraction of a second of audio before the wake word. Amazon Echo processes and retains your voice input and other information, such as your music playlists and your to-do and shopping lists, in the cloud to respond to your requests and improve our services.

Amazon Echo Terms of Use
www.amazon.com/gp/help/customer/display.html?nodeId=201625490
Anonymous
Rob, it appears as though big business is taking a clue from government. Not only are the companies you have noted up to this, others, such as http://www.winbeta.org/news/using-windows-10-technical-preview-microsoft-might-be-watching-your-every-move-help-feedback appear to be taking advantage of the current laissez faire attitude towards privacy. Thank you for bringing this out in the open.
Anonymous
Very salient post. I wonder if the other tv vendors do this but simply do not notify purchasers and users about it.
A few weeks ago I bought a piece of software and had 57 pages of EULA.
Anonymous
Great conversation starter that made me look at others, and you are right, the creep factor sets in quickly.

Another example is LinkedIn that proudly boasts of the security features of SSL (linkedin.com/legal/… ) only to include the following jewel -

"However, since the Internet is not a 100% secure environment, we cannot ensure or warrant the security of any information that you transmit to us. There is no guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards."

Russell, ISC Handler
The ones that really get my goat are where at the end, after reading through a horrifying EULA, you find a quote like: "We reserve the right to change the terms of this agreement at any time without any notice" or something along those lines. What's the point of even having an agreement when one of the terms of the agreement is "we can change the rules whenever we like and without telling you"?

The first time I found one of those was in the agreement for one of those stupid "loyalty" cards at a grocery store. They went to great lengths to explain how they promised not to sell your purchasing habits to anyone (honest injun!) but then at the end they said "but we reserve the right to change this agreement at any time" and that they weren't required to even tell you that the agreement had changed. Nice.

But ever since then, now that I look for that sort of "we reserve the right to change the rules" clause, I find it in a lot of other "agreements" too.
Brent
"Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition."

I don't suppose Samsung has a model called the "Telescreen"?
Brent
I work in Healthcare.
Physicians at home, taking a patient call after hours, with Samsung listening in... Sounds to me as though the argument could be made that the doctor is in violation of HIPAA. As an extension, how many doctors have an iPhone in their pocket? The medical apps are becoming more and more ubiquitous. Is Siri listening in? When Siri first came out I read the EULA and promptly shut her down. If you haven't read it you might consider a look; unless it's changed, you give Apple access to everything on your phone. (How else is Siri going to know who Fred is when you ask the phone to call him.)
Tom D
There are two kinds of "creep" factors in evidence here. The first (and I believe this is what Rob V meant) is a verb or participle embodied in the term "creeping incrementalism" (yes, that's as redundant as "continuing on" but is unfortunately in common usage). The second is a noun, referring to individuals who may be fairly described as "creeps". I offer the examples of the shills in the (so-called) IT media (cough, Larry Dignan) who attempt to curry favor with advertisers by minimizing the Samsung TV eavesdropping issue by claiming that a) we all made a conscious trade-off of privacy for lower cost (debatable - where is the log of those negotiations kept?), b) other companies are doing it, and c) it can be turned off (never heard of the concept named opt-in, evidently), and personal security and privacy hostiles like William Hughes Murray. I fondly recall a time when the "IT press" at least attempted to appear to be objective. I have no idea why anyone like Hughes is a paid commentator on SANS Newsbytes, regardless of his technical qualifications. Should we look forward to being blessed with James "The Big Crapper" Clapper next?
Tom D