Microsoft Media Player "Security Patch" Changes EULA Big Time

MobyTurbo writes "In an article on BSD Vault a careful reader posts that in the latest Windows Media Player security patch, the EULA (the "license agreement" you click on) says that you give MS the right to install digital rights management software, and the right to disable any other programs which may circumvent DRM on your computer." So if you want your machine secure, you also want microsoft to have free reign on your PC.

Security Patches are the getting worse

[peterdaly]

I thought it was bad recently when a "Critical" IE6 security path completetly broke the ability to view TIFF images in a browser without hacking the registry by hand. I maintain a web site that basically sells access to TIFF imaged documents. All of a sudden we had about a hundred pissed off customers (some not wanting to pay their bill) because _WE_ broke access to the information that runs their businesses. As each customer ran windows update, our website broke. Of course they all say they have not installed any new software, which makes it all the more difficult to troubleshoot until the problem was figured out.

MS is without a doubt throwing non-security things into "security patches", and I for one don't like the unadvertised "featues" one bit.

-Pete

Re:extortion

[rabtech]

No, because most companies reserve the "right" to change the terms of the EULA, without notification, at ANY TIME.

The whole concept of the EULA is so silly... I really hope it gets tossed out of court ASAP. Where else can the manufacturer of a product hold you under a contract you did not sign, and change the terms of that contract at any time without notifying you or getting your agreement on the changes?

Corporate users can't install that

[Animats]

If you're in a large company, contact your legal department immediately. That's a serious issue, because it gives Microsoft the unlimited right to destroy any software on your machine. That's not something the individual employee is authorized to agree to.

Scary

[scotfl]

These security related updates may disable your ability to copy and/or play Secure Content and use other software on your computer.

Now there's a particularly nasty line. It starts off with DRM for 'Secure Content' (which I guess is M$'s new term for protected IP), but then it expands into 'Other Programs'. Which means, MS is now reserving the right to disable any program they don't like.

Furthermore, the patch that disables the program will "will be automatically downloaded onto your computer," without your knowledge. But, the real kicker is this one (my favourite line):

If we provide such a security update, we will use reasonable efforts to post notices on a web site explaining the update.

So even if they send out patches killing off all non-MS software, they can bury a notice so deep in microsoft.com that no one will ever find it, and claim (correctly) they are going above and beyond the EULA. Damn, I'm glad I use Macs and NetBSD.

Legality of EULA

[javacowboy]

Where else can the manufacturer of a product hold you under a contract you did not sign, and change the terms of that contract at any time without notifying you or getting your agreement on the changes?

This is an interesting point. How legally binding *IS* the EULA? It's generally accepted that in internet transactions involving credit card numbers, a customer can at any time deny having made the transaction. Without a signature, there's no way to PROVE that the customer made the transaction: they can't take that customer to court. This is why there is a much larger allowance for bad debts on online credit card transactions. In a real-life transaction with a carbon copy, all they need is your signature to prove that you made the transaction, and they can sue you.

In that vein, how can the EULA possibly be legally binding? I can see how the signature on the invoice for their computer or copy of Windows, they could be held liable. However, how can I user clicking on "OK" in a upgrade screen be legally binding?

I don't understand how the judicial/legislative system has allowed them to get away with this, whereas credit card companies are screwed on fraudulent online transactions. This doesn't make any sense to me. Some court somewhere should be able to strike down the EULA as non-binding contracts, due to the lack of a customer signature or any other proof that the customer entered the transaction.

Things Microsoft might do under this EULA

[Animats]

Some things to expect that Microsoft might do, and would now be allowed to do.

• Register all file types understood by Microsoft Media Player (.avi, .mp3, etc.) to Media Player and not let go. Prevent any assignment of those types to another player. This enforces the "requirement" that content be played through a "DRM compliant" player. (That's a likely plan; Microsoft software has been notorious for grabbing control of file types. So far, you've usually been able to make it let go.)
• Compute a digital fingerprint of played content and check with a Microsoft server to see if it's pirated. This would make the RIAA and MPAA very happy. (Isn't this already being done for audio CDs, to get the title info?)
• Check for "pirate" file sharing clients and turn them off. (Probably not for a while, but possible.)

This is the stuff the RIAA has been asking Congress for, but Congress hasn't gone along with it. Now it's coming in through the back door.

And notice that this system includes a back door, through which Microsoft can secretly install new software that takes away functions or spies on you.

Re:Two questions

[birder]

You can remove wmplayer.exe and rename mplayer2.exe (in the same directory) to wmplayer.exe

That's a start

Re:Brownie Points with DRM advocates

[kawika]

Yep. Take a look here to see Microsoft's plans for cozying up to the DRM folks. The strange thing is that the final presentation on "Mercury" isn't available. That was the most interesting one. It was about how the DRM software would manage rights for portable media players over the Internet using public/private keys. And of course, Microsoft runs this whole DRM infrastructure for a nice fee.

I was there for most of the live presentation, and during the Q&A someone got up and asked what would happen if the keys were compromised, for example someone found a way to hack the unique id in a player. The MS guy indicated that the keys for an entire brand/model of player could be shut off if necessary. The next question, of course, was how the buyers of those players would feel when their expensive players became useless. The MS guy said that the decision to shut off access wouldn't be Microsoft's, but they could do so on a court order, for example.

Why would someone want to buy a portable media player (or desktop media player for that matter) that could become worthless a few months later because someone else hacked it and rendered the DRM insecure? You wouldn't. Why would a manufacturer want to take the chance that they'd be involved in a messy class-action suit from customers because their portable media player now can't play music? They wouldn't.>/b>

I just can't see how this can come to pass.

Re:extortion

[donutello]

No, because most companies reserve the "right" to change the terms of the EULA, without notification, at ANY TIME.

Horseshit! You can't change a EULA without notification. This is Contract Law 101. You can't change a contract unilaterally. Show me a EULA which reserves the right to change itself without notice and I'll show you a EULA that has no feet to stand on.

The whole concept of the EULA is so silly... I really hope it gets tossed out of court ASAP. Where else can the manufacturer of a product hold you under a contract you did not sign, and change the terms of that contract at any time without notifying you or getting your agreement on the changes?

The concept of a EULA is not silly. A paper signature is only one way to prove that you actually indulged in the transaction. It is not necessary to prove that you actually did. And nowhere can anyone change the terms of a contract without notifying you or getting your agreement on the changes. It hasn't happened in this instance and won't happen ever.

How to take a stand and have it count

[Arcturax]

We can go through the courts but there is no guarantee you will win. In fact, if anything, you may do the opposite, set a precident that EULA's are legally binding.

So instead, you will just have to stop using Microsoft software. People bitch and moan and gripe but at the end of the day they sit down and load up Windows.

Well, if you really want an effective protest, you are going to have to change. There are some options and they are not as bad as they seem once you adjust!

First off, there is Linux.
Pros: Keep old hardware, plenty of free software available, WINE may let you play some Windows only games, large community of geeks who will likely help you for free if you get into trouble (a million places to go for "support"). EULA, if any, is not the work of the devil.
Cons: Limited number of games, some only available through WINE, need to learn UNIX (big curve for some people), some hardware may not work right or at all, ease of use is not all there yet. No office but there are alternatives which are getting better by the month.

There is also the Macintosh:
Pros: Extremely easy to use, rock solid OS which matches or exceeds the windows experience when it comes to user interface, cd burning from the desktop and overall user experience. Plug and play far superior to Windows and Linux. Good and rapidly growing supply of games and other software. OS is based on open source software (NetBSD) and Linux/UNIX software can and is being ported over (you can even replace your UI with Gnome or KDE if you wish!). Microsoft office is available as well as the open source alternatives ported to Mac OS X. Large fanatic user base who will often help out other Mac users in distress for free.
Cons: Not as many games/software choices as Windows, though this has improved imensely in the last 4 years. EULA may be the work of the devil, check Steve Job's receding hairline to see if horns are exposed. Mac OS X still a young OS and there will be bumps in the road. Last but not least, you will need a new computer and the hardware is a bit more expensive though this is made up for quality and an average usable lifetime of 4 years compared to 2 for a PC.

So you may have to make some sacrifices and changes, but you can give M$ the finger and still have a usable computing solution in your home or office.

On patch, EULA doesn't display

[KMSelf]

Patching a number of systems at the office (my desktop's Debian GNU/Linux, but others suffer...), I noticed that the EULA dialog (digression #2: HTF is someone supposed to be able to read the text in a dialog that shows ~8 lines x 20 columns?) didn't present the EULA by the time I'd clicked the "Accept" button. This several times. And though we're running some older systems, this included a set of newer 1 GHz+ boxen.

What's the legal status of a contract which disappears "on approval" before it's been read?

There are conflicting versions of the EULA!!!

[Robber+Baron]

If you retreive the patch via windowsupdate(only works with IE), the EULA doesn't say ANYTHING about DRM or crippling your ability to access secure content!

What the hell? I thought the BSD article was a troll, but to be sure I checked out his links and sure enough, THAT version of the patch contains the paragraph about DRM etc...

Well now we have two versions of the same EULA with conflicting conditions, both of which are posted in VERY public places! Now I'm no expert on contract law, but with two publicly posted conflicting versions, as far as I'm concerned, we can safely ignore both! Way to go Bill!