Thursday 25 November 2010

When was the last time you read an EULA?

Most, if not all, of us approve the end user licence agreement (EULA) by default and never give it another thought. I am the same. However, the other day I happened to download a dictation app for the iPhone and decided to read through the EULA. Here are my findings.

As part of the service the provider can:

  • "collect and use the contact names that appear in your address book"

  • "You allow (company name) to do so by enabling the Service."

It is then your responsibility to know they have done this and to update the software settings to prohibit this access. Once done, the provider will:

  • "delete all contact names that it has collected from your address book."

The first question has to be: why do they need my contacts? Secondly, why is this an opt-out process that attempts to close the barn door after the horse has bolted?

On the positive side, the provider:

  • "will not use the data you provide to contact any of the contact names that appear in your address book for any reason, nor will (company name) share contact names you provide with any third party."

Oh, that's ok then, nothing to worry about. But wait! Within the EULA is a URL link to a further page that states:

  • "(company name) would like its software to send speech data to (company name) to improve the accuracy of this and future products or services. We do this because our software and other offerings can learn from experience about the language you use. “Speech Data” means the audio files, associated transcriptions and log files provided by you hereunder or generated in connection with the product or service. By clicking the “ACCEPT” button when installing the software, you agree to the collection and processing of such Speech Data as set out in this privacy policy."

Ok, so now they have my contacts and take copies of my audio files to keep? I hope I never say anything bad about one of those people in my phone book! So who has access to this information?

  • "The only people with access to this data will be our employees, research partners, permitted agents, sub-contractors etc. on a need to know basis, all of whom are bound by obligations of confidentiality to keep the data strictly confidential."

Oh ok, everyone then, and where will this data reside?

  • "will transfer the personal data to its data collection sites. These may be located outside of the European Economic Area (EEA). However, (company name) shall ensure that any such transfer is compliant with the European Union Data Protection Directive."

So the transfer of data will be compliant with the EUDPD, how about the processing and storage of this data? Not to mention the lack of any discussion around information security for the data collection sites.

In summary, I have no reason to presume that this organisation has any intention to treat my personal data in a malicious or evil manner, or that they are doing anything wrong or unethical. The reason for this blog post is to highlight that we shouldn't blindly trust organisations and that we should be more aware of the contractual rights we are granting when accepting EULAs.

To that end I made a personal decision to not click 'accept' and I removed the app from the iPhone.

Back to old school note taking.
