Microsoft Media Player "Security Patch" Changes EULA Big Time

MobyTurbo writes "In an article on BSD Vault a careful reader posts that in the latest Windows Media Player security patch, the EULA (the "license agreement" you click on) says that you give MS the right to install digital rights management software, and the right to disable any other programs which may circumvent DRM on your computer." So if you want your machine secure, you also want microsoft to have free reign on your PC.

extortion

[s20451]

How can it be that they can change the EULA in order to disseminate a security patch? Isn't this essentially extortion? If I disagree with the EULA, and someone exploits the security hole the patch was designed to fix, can Microsoft be held liable?

Re:extortion

[rabtech]

No, because most companies reserve the "right" to change the terms of the EULA, without notification, at ANY TIME.

The whole concept of the EULA is so silly... I really hope it gets tossed out of court ASAP. Where else can the manufacturer of a product hold you under a contract you did not sign, and change the terms of that contract at any time without notifying you or getting your agreement on the changes?

Corporate users can't install that

[Animats]

If you're in a large company, contact your legal department immediately. That's a serious issue, because it gives Microsoft the unlimited right to destroy any software on your machine. That's not something the individual employee is authorized to agree to.

Re:Corporate users can't install that

[BurritoWarrior]

If you're in a large company and individual users have the rights/permissions to install software/patches on their machines -- short your own stock, you're in more trouble than just a EULA. :)

Scary

[scotfl]

These security related updates may disable your ability to copy and/or play Secure Content and use other software on your computer.

Now there's a particularly nasty line. It starts off with DRM for 'Secure Content' (which I guess is M$'s new term for protected IP), but then it expands into 'Other Programs'. Which means, MS is now reserving the right to disable any program they don't like.

Furthermore, the patch that disables the program will "will be automatically downloaded onto your computer," without your knowledge. But, the real kicker is this one (my favourite line):

If we provide such a security update, we will use reasonable efforts to post notices on a web site explaining the update.

So even if they send out patches killing off all non-MS software, they can bury a notice so deep in microsoft.com that no one will ever find it, and claim (correctly) they are going above and beyond the EULA. Damn, I'm glad I use Macs and NetBSD.

Re:Hmm

[ryanr]

mmm...Troll food. I'll answer anyway.

Most companies' idea of DRM limits you as to where you can put your music. And that measn not allowing it go go on a device that doesn't support the right flavor if DRM, if it supports it at all.

So, example scenarios:

You buy a $500 MP3 player device. It works great for a while hooked up to your Windows box. MS kicks on DRM one day, and you can't upload music to it anymore. It might be your rightfully-owned music, mind you... you could have ripped them all yourself from your own CDs.

Microsoft decides that MP3 files can't properly support DRM like WMA files can. So, they turn off the ability to play MP3, or maybe they delete them, or convert them to WMA. Since your portable player doesn't support WMA, you're screwed. Oh, and MS just happens to benefit financially since they control the WMA format, codecs, etc...

Maybe they do something really silly like force you to put the physical music CD in your drive whenever you want to play a digital song that was ripped from that album. Sounds stupid, I know, but what was the last game you played on CD that didn't require the disk in the drive to run?

The basic problem is that someone else's idea of what is reasonable to do with digital music will rarely match up with mine. I want to take a CD I bought, and pretty much use the music on any device I have that can play music. The problem is, of course, that the ability to do so also gives me the ability to share music on Kazaa if I choose.

I'm not neccessarily trying to argue that sharing music is legal or right (though I do believe the music companies are idiots for their handling of the situation.) I'm just saying that if I'm to retain my ability to play my music on any device that I want, I will also retain my ability to share it, that's just how it works.

Fortunatly, the cat is well out of the bag, and it's just not possible from a technical standpoint to prevent someone who can code and build their own machines from doing so. There are just too many MP3, Ogg, whatever players out there, and too many free OSes to stop it.

They would have to make it illegal to have hardware that would cooperate with the software of your choice. They would have to make it illegal to reverse-engineer systems in the privacy of my own home for my own use. They would have to make it illegal to attempt to bypass copy protection mechanisms, or even discuss it. They would have to give the copyright holders what amounts to police powers to show up at any time, and demand to see your license documentation under penalty of decades in prison.

Oh, wait...

Re:MS/Borg

[uncoveror]

Time to kick media player to the curb, and use winamp, quicktime, realone, or anything else. Just take steps not to install the spyware if you use real. Do a custom install, not the quick install, and uncheck the things you don't need.

Legality of EULA

[javacowboy]

Where else can the manufacturer of a product hold you under a contract you did not sign, and change the terms of that contract at any time without notifying you or getting your agreement on the changes?

This is an interesting point. How legally binding *IS* the EULA? It's generally accepted that in internet transactions involving credit card numbers, a customer can at any time deny having made the transaction. Without a signature, there's no way to PROVE that the customer made the transaction: they can't take that customer to court. This is why there is a much larger allowance for bad debts on online credit card transactions. In a real-life transaction with a carbon copy, all they need is your signature to prove that you made the transaction, and they can sue you.

In that vein, how can the EULA possibly be legally binding? I can see how the signature on the invoice for their computer or copy of Windows, they could be held liable. However, how can I user clicking on "OK" in a upgrade screen be legally binding?

I don't understand how the judicial/legislative system has allowed them to get away with this, whereas credit card companies are screwed on fraudulent online transactions. This doesn't make any sense to me. Some court somewhere should be able to strike down the EULA as non-binding contracts, due to the lack of a customer signature or any other proof that the customer entered the transaction.

Re:Legality of EULA

[sjames]

How is this interesting? When you sign or accept a contract, you are bound to it, whether you read and understand it or not. If you don't understand it, don't agree to it until you do understand it.

I note that most EULAs reservie the right to change the EULA at any time without notice. How about if when I click 'I Agree', I also say I hereby claim the right to alter this agreement at any time by posting notice in my underwear drawer!

Why not, it's just as fair. If the corporations don't like it, they shouldn't accept my money. If the courts have any sense of fairness left in them, they will either uphold both or rule both to be invalid.

Re:Legality of EULA

[Arandir]

How legally binding *IS* the EULA?

The unfortunate state of civilization today is that it is governed by men and not by laws. Thus it doesn't matter whether a EULA (any EULA) is legally binding or not. All that matters is that enough people think they are.

In terms of the law, most EULAs are completely invalid. Exercise of pre-existing rights is considered assent. There is a total lack of consideration. And there is no way to verify that a particular "licensee" has even seen the contract.

In terms of Rule by Fallible Human Beings, EULAs are completely valid if you can get enough people to believe that they are valid. But even if you can't, you can still take them to court and draw out the process to bleed them dry until the give in and settle.

I don't understand how the judicial/legislative system has allowed them to get away with this, whereas credit card companies are screwed on fraudulent online transactions.

The difference is easy. The average person cares about losing money. But the average person is very ignorant about their legal rights with regards to copyrightable materials, especially when it concerns software.

Wait until some large company starts putting the screws to enough people. Then the situation will change. Bankrupt enough grandmas in court for EULA violations, and the public opinion will change.

Things Microsoft might do under this EULA

[Animats]

Some things to expect that Microsoft might do, and would now be allowed to do.

• Register all file types understood by Microsoft Media Player (.avi, .mp3, etc.) to Media Player and not let go. Prevent any assignment of those types to another player. This enforces the "requirement" that content be played through a "DRM compliant" player. (That's a likely plan; Microsoft software has been notorious for grabbing control of file types. So far, you've usually been able to make it let go.)
• Compute a digital fingerprint of played content and check with a Microsoft server to see if it's pirated. This would make the RIAA and MPAA very happy. (Isn't this already being done for audio CDs, to get the title info?)
• Check for "pirate" file sharing clients and turn them off. (Probably not for a while, but possible.)

This is the stuff the RIAA has been asking Congress for, but Congress hasn't gone along with it. Now it's coming in through the back door.

And notice that this system includes a back door, through which Microsoft can secretly install new software that takes away functions or spies on you.

Re:MS/Borg

I pirated all my Microsoft software... does the EULA still apply to me?

Re:Brownie Points with DRM advocates

[kawika]

Yep. Take a look here to see Microsoft's plans for cozying up to the DRM folks. The strange thing is that the final presentation on "Mercury" isn't available. That was the most interesting one. It was about how the DRM software would manage rights for portable media players over the Internet using public/private keys. And of course, Microsoft runs this whole DRM infrastructure for a nice fee.

I was there for most of the live presentation, and during the Q&A someone got up and asked what would happen if the keys were compromised, for example someone found a way to hack the unique id in a player. The MS guy indicated that the keys for an entire brand/model of player could be shut off if necessary. The next question, of course, was how the buyers of those players would feel when their expensive players became useless. The MS guy said that the decision to shut off access wouldn't be Microsoft's, but they could do so on a court order, for example.

Why would someone want to buy a portable media player (or desktop media player for that matter) that could become worthless a few months later because someone else hacked it and rendered the DRM insecure? You wouldn't. Why would a manufacturer want to take the chance that they'd be involved in a messy class-action suit from customers because their portable media player now can't play music? They wouldn't.>/b>

I just can't see how this can come to pass.

Re:Hmm

[carambola5]

They would have to make it illegal to have hardware that would cooperate with the software of your choice.

Microsoft is well on their way to making hardware do this by itself. Then, all they have to do is invest a little more in America (ie: buy a few more Congressmen) and, voila, every computer in America has one of these suckers. Goodbye Linux. Goodbye ability to do whatever you want with your own music.

How to take a stand and have it count

[Arcturax]

We can go through the courts but there is no guarantee you will win. In fact, if anything, you may do the opposite, set a precident that EULA's are legally binding.

So instead, you will just have to stop using Microsoft software. People bitch and moan and gripe but at the end of the day they sit down and load up Windows.

Well, if you really want an effective protest, you are going to have to change. There are some options and they are not as bad as they seem once you adjust!

First off, there is Linux.
Pros: Keep old hardware, plenty of free software available, WINE may let you play some Windows only games, large community of geeks who will likely help you for free if you get into trouble (a million places to go for "support"). EULA, if any, is not the work of the devil.
Cons: Limited number of games, some only available through WINE, need to learn UNIX (big curve for some people), some hardware may not work right or at all, ease of use is not all there yet. No office but there are alternatives which are getting better by the month.

There is also the Macintosh:
Pros: Extremely easy to use, rock solid OS which matches or exceeds the windows experience when it comes to user interface, cd burning from the desktop and overall user experience. Plug and play far superior to Windows and Linux. Good and rapidly growing supply of games and other software. OS is based on open source software (NetBSD) and Linux/UNIX software can and is being ported over (you can even replace your UI with Gnome or KDE if you wish!). Microsoft office is available as well as the open source alternatives ported to Mac OS X. Large fanatic user base who will often help out other Mac users in distress for free.
Cons: Not as many games/software choices as Windows, though this has improved imensely in the last 4 years. EULA may be the work of the devil, check Steve Job's receding hairline to see if horns are exposed. Mac OS X still a young OS and there will be bumps in the road. Last but not least, you will need a new computer and the hardware is a bit more expensive though this is made up for quality and an average usable lifetime of 4 years compared to 2 for a PC.

So you may have to make some sacrifices and changes, but you can give M$ the finger and still have a usable computing solution in your home or office.

Forget the EULA, watch for the *next* patch

[schmaltz]

This EULA's a precurser to M$ actually installing DRM and anti-anti-DRM software on your computer as part of the next security patch.

My friend, it's called UCITA

[DaveWood]

IANAL, but until very recently, your suspicions were basically correct; company lawyers have their field day with shrink-wrap licenses but they're very very careful not to test the more exotic provisions in court.

That is, until they're safely set up inside a UCITA-adopting state.

Why, you ask? What's this UCITA anyway? Not another acronym. I'm too lazy to write another letter. Trying to keep my phone bill down. And I can never keep my boycotts straight once I get to the store.

From the mouth of the beast...

And on a slightly more ethical tip...

The FSF's writeup

And the CPSR's writeup...

Google will give you more.

Think your EULA's not binding? UCITA gives it all that 100%-All-American Bought and Paid For Congressional Stamp of Approval. Some democracy we have, huh?

-David

Use GDIVX and Tiny Personal Firewall 3

[Hyperhaplo]

People:
GDIVX runs on XP etc and is better (in my opinion) than the Media Player. There are heaps of players out there.

There is a nice program out there for Windows users called Tiny Personal Firewall. This wonderful little program is not just a firewall ... it has this WONDERFUL new addition: It tracks and protects your Windows (TM) from nasty software running.

It has default restrictions available and it sets itself up for standard windows programs like Office, IE, etc.

The cool part: When you install a new program TPF3 not only asks you if you want the program to execute, it also asks you what level of execution to grant. For example: Internet explorer (by default) can ONLY download into the c:\download directory.

So... if I'm on a box with XP I install TPF3 and nothing gets by it. Is your Media player trying to contact the Internet? block it! Is your media player trying to install something? Block it! Easy as that. Give it a go.