Gator’s EULA Gone Bad

Gator has recently taken steps to portray itself as a model citizen among what it calls "adware" companies. Gator proudly announced support for California’s new anti-spyware law. (But see my criticism of the law as ineffective.) Earlier this year, Gator hired a former FTC staff attorney to serve as Gator’s chief privacy officer, participated (PDF) in the FTC‘s spyware workshop, and even joined CDT‘s "consumer software working group" committee. (See recommendations document (PDF) signators list, final page.)

Has Gator turned over a new leaf? For insight, I turned to Gator’s license agreements, to see how Gator currently presents itself to ordinary users.

It’s not often that I sit down to read Gator’s license agreements. At 5,936 words, the license stretches to 63 on-screen pages as presented by the current Kazaa installer (bundling Gator). (See screen-shots of the Gator license as presented in June 2004, then requiring 56 on-screen pages.) Here are some notable sections of the license:

Prohibition against automated removal tools

Nearly three thousand words into its license, Gator proclaims:

You agree that you will not use, or encourage others to use, any unauthorized means for the removal of the GAIN AdServer, or any GAIN-Supported Software from a computer."

Gator proceeds to list the "authorized means" for removing Gator — prominently failing to authorize use of popular tools, such as Ad-Aware, Spybot, and Web Sweeper, which millions of users count on to remove unwanted software from their PCs.

In recent press releases, Gator has claimed to favor "consumer … choice" and has argued that what occurs on users’ computers is "users’ choice." So long as consumers are (supposedly) choosing to run Gator software, Gator vigorously defends user choice. But when a consumer chooses to use third-party software to remove Gator, Gator instead specifically prohibits that choice.

If Gator were easy to uninstall, users might not need to resort to third-party removal programs. But Gator makes its software hard to remove. Browse to Add/Remove Programs on a computer with Gator installed, and there’s often no entry for Gator. Instead, users are required to identify, find, and remove all programs that bundle Gator, and only then is Gator’s software designed to uninstall. This unusual removal procedure — unique among all programs I’ve ever encountered — makes Gator difficult for users to remove.

Removing Gator becomes even harder, using Gator’s official removal procedure, as a result of Gator’s cross-promotion of its various products. After a user receives Gator’s GAIN advertising-display software, Gator often shows pop-ups that encourage installation of other Gator programs, such as clock synchronizers and weather monitors. As a result, many users run multiple "Gator-supported" applications, each of which must be separately identified and removed in order to use Gator’s official removal procedure. Facing Gator’s lengthy and complicated removal procedure, it’s no wonder many users look to third-party removal programs for help.

Prohibition against viewing or recording what Gator software says about its users over users’ own Internet connections

About four thousand words through its license, Gator demands:

"Any use of a packet sniffer or other device to intercept or access communications between GP and the GAIN AdServer is strictly prohibited."

Network structure for monitoring

As shown in the diagram at right, network monitors (or "packet sniffers") are devices that inspect and report Internet transmissions from a local network. Sniffers are the ordinary and usual method of observing what data test computers send to and from the Internet. The transmissions from Gator’s software to its servers are sent from users’ PCs over users’ own Internet connections. But according to Gator’s license, users cannot take steps to observe what data Gator is collecting about them. Users must take Gator at its word as to Gator’s privacy policy, because users would violate Gator’s license agreement if they monitored Gator’s transmissions to confirm what data Gator sends.

Beyond constraining ordinary users, this license provision also blocks legitimate academic research. In "Measurement and Analysis of Spyware in a University Environment" (PDF), three University of Washington computer scientists used packet sniffers to measure the prevalence of Gator software and to detect security holes in Gator software. If Gator’s then-current license was as quoted above, their research would seem to constitute a violation. My own past work might also be prohibited, because I have used packet sniffers in multiple projects testing Gator software: In comments to the FTC (PDF, pages 4-6), I reported the precise personal information transmitted by Gator. I previously built a system to report what ads Gator shows where, simply by repeating the format of requests made by ordinary Gator software. (See Documentation of Gator Advertisements and Targeting.)

Gator might be pleased to stop users and researchers from knowing the personal information Gator transmits, tracking the prevalence of Gator’s software, finding Gator’s security holes, and analyzing what ads Gator shows where. But should Gator be able to achieve these results merely by adding an extra sentence to its license agreement?

Getting Gator’s license

A Claria drive-by download prompt -- allowing the user to press 'Yes' and have software installed, without first seeing Claria's license agreement.A Claria drive-by download prompt — allowing the user to press ‘Yes’ and have software installed, without first seeing Claria’s license agreement.

It’s not always easy to read Gator’s license. For one, some Gator ActiveX "drive-by download" installers include defective license agreements. I have repeatedly observed (and have preserved in video recordings) Gator installers where a user’s specific request for the Gator license (by clicking on the "after accepting our agreements…" hyperlink) yields no license at all. In other instances, the license request yields only the first few lines of a license, presented in a web page that lacks scroll bars with which to view the rest of the license. In these circumstances, even users who specifically ask for Gator licenses do not receive them.

The Kazaa bundle also makes it difficult to review Gator’s license. For example, the current license agreement is longer than ever: The license takes 63 screens to display, compared to 56 in my screenshots of earlier this year.

The 'printable version' link, present in old Kazaa installers but no longer available.The ‘printable version’ link, present in old Kazaa installers but no longer available.

Gator has also made its license less accessible by removing one-click access to the full text of the license. In the past, Kazaa’s Gator install screen included a "Printable Version" link (see inset at right and screenshot) which opened the license in a separate text viewer, complete with print, search, and resize functions. However, the "Printable Version" link is omitted from Kazaa’s current Gator installer (screenshot). Users wanting a printable version of Gator’s license have no obvious direct way to get it.

In addition, Gator’s current license merges section headings with body text, making the license harder to read. Gator’s license (as shown by Kazaa earlier this year) previously included nearly three dozen section headings, each using bold type and/or blank lines to help separate and identify a license section. The left screen shot below depicts one such heading. But the current license (right image below) eliminates all but one instance of bold type and also omits the line breaks following all but four (of 37) section headings. With Gator’s section headings effectively indistinguishable from the license text, even determined users can’t readily find the sections of particular interest.

Representative image from Gator’s June 2004 Kazaa installer
   (with section headings) (red highlighting added)
Representative image from Gator's June 2004 Kazaa installer - with section headings included, with line breaks and bold type

The corresponding section of today’s Gator/Kazaa installer
   (note section heading merged into body text)
The corresponding section of today's Kazaa/Gator installer - without line breaks or bold type to separate section headings from their body text

What the License Doesn’t Say

In 5,900+ words of text, there’s no shortage of space for Gator to describe itself in terms that ordinary users can understand. But a search of the license shows Gator has failed even to mention the words and phrases most users associate with Gator’s products.

Although Gator is in the pop-up advertising business, Gator uses these terms infrequently. The license first mentions the word "pop-up" at page 18 of 63. The phrase "pop-up ad" appears only once in the license, at page 27, where the phrase is used to refer to pop-up surveys from Gator’s Feedback Research division. Gator’s pop-up ads are repeatedly described not as "advertisements" but, euphemistically, as "pop-up windows" and "floating images on top other windows" (sic). Nowhere in Gator’s license does Gator use the phrase "pop-up ad" to refer to the Gator pop-ups that cover web sites with advertisements for the sites’ competitors.

Gator calls itself an "adware" company, while critics often call Gator spyware. But neither "adware" nor "spyware" appears anywhere in Gator’s license agreement.

And On and On

I don’t claim to have found all the nuggets of controversy in Gator’s license agreement; there are surely additional problematic sections. Send suggestions for addition to this page.