Last week it was revealed that Ubisoft’s Uplay browser plug-in, a relatively straightforward piece of code designed to allow you to conveniently launch your Ubisoft games created a gaping security hole in your PC’s flanks. For a few terrifying hours (and probably for a while before the weakness was discovered), a maleficent cyber-goon could slip some malicious code into a website to force Uplay to launch any executable on your system, effectively handing control of your PC over to anybody who requests it.
Uplay was swiftly patched (not before having been blocked by Firefox) and while there are no reports of any damage having been caused, the question must still be asked: who would be liable for that damage, were it to occur? If a developer creates and publishes some shoddily written code, and that code harms your PC or destroys your data, who is at fault?
Can you guess who the EULA points the finger at? Of course you can: it’s you.
In a survey of the EULAs of all the major digital download platforms, it’s clear that the industry standard is to absolve the publisher of any damage caused by malfunctioning software. EA, Valve, Impulse and Ubisoft all carry similar statements.
Ubisoft’s online privacy statement is some 7,000 words long, and includes the terms of use of Ubisoft’s sites and software to which, prior to registering a Uplay account, you must agree. Here are the key points made in those terms about Ubisoft’s liability for any damage caused to your machine by using their sites and software.
- Ubisoft make no representations about the suitability, reliability, availability, lack of viruses or other harmful components of the software. Their services are provided “as is” and without warranty.
- You specifically agree that Ubisoft are not responsible for unauthorised access to or alteration of your transmissions, communications or data made through any of their sites.
- In no event will Ubisoft be liable for any damages or loss of data or profits arising from the use of their sites or software, even if that damage is a result of their negligence, and even if Ubisoft has been advised of the possibility of damages.
- If you’re dissatisfied with any of these terms, your sole and exclusive remedy is to discontinue using the site.
Point three is crucial here, as it was a piece of badly penned code that turned Uplay from a game launcher into a potential ticking timebomb. Ubisoft have given themselves the legal elbow room to make mistakes, given that the software is free and you’re opting to use it with some understanding that it might be a little bit broken. But this shirking of responsibility for the security of downloaded software isn’t exclusive to Ubisoft. In fact, it’s the standard limitation of liability clause built into most EULAs to protect publishers from all manner of problem.
Realistically, it’s not possible for any software developer, large or small, to absolutely guarantee that their code won’t introduce some hidden security vulnerabilities. Nor is it practical for publishers to be liable for any and all damage caused by using their software. Especially not when their software relies on an interlocking web of smaller chunks of third-party software, each one a potential weak link and, therefore, a potential lawsuit-in-waiting.
But it’s not such a low standard that we hold other manufacturers to. There is a small but perhaps not insignificant chance that your kettle will one day explode and pepper your face in molten shrapnel – and you could be fairly sure that Morphy Richards would pop round your house holding more than just a refund in that instance. Anybody providing a product or service must take reasonable steps to ensure that it’s safe, well-made, not prone to exploding and unlikely to cause damage. Shouldn’t the same be true of software, free or otherwise?
We reached out to Ubisoft to comment on their EULA, but didn’t receive a response.
Ubisoft aren’t the only software developer to embed a get-out-of-jail free card in their EULA.
Let’s say for example, Origin goes haywire tomorrow and corrupts half of your hard-drive, somehow overheats your PSU and sets fire to your house, here’s precisely how responsible EA would be: “In no event shall EA, its subsidiaries or its affiliates be liable to you for any personal injury, property damage, lost profits, cost of substitute goods or services, loss of data, loss of goodwill, work stoppage, computer failure or malfunction or any form of direct or indirect, special, incidental, consequential or punitive damages from any causes of action arising out of or related to this license or the application [Origin]”.
The stipulations then continue identically to those set out by Ubisoft, even including the disclaimer that even the publisher’s own negligence doesn’t constitute a responsibility for the damage caused. We’re in definite caveat emptor territory here. Compare this hypothetical situation to, say, a hardware manufacturer selling you a faulty power supply that subsequently caught fire and destroyed your PC. The hardware manufacturer would be liable for those damages. The software manufacturer would not.
The GameStop-owned Impulse service enforces a disclaimer of warranties that effectively warns that, because the software is free, you are installing and using it at your own risk. “the software is provided “as is and with all faults”. GameStop and the third party providers disclaim all other warranties…including the implied warranties of merchantability, fitness for a particular purpose and non-infringement. Without limitation to the foregoing, GameStop and the third-party providers do not warrant that (a) the software will be error-free, (b) your use of the software will be uninterrupted or error-free.”
Steam repeats the same limitation of liability seen in Ubisoft and EA’s terms of service, again including that odd line about negligence: “Neither Valve, its licensors, nor their affiliates shall be liable in any way for loss or damage of any kind resulting from the use or inability to use Steam.” Later, it specifies: “even in the event of fault”. That’s right, even when it’s Valve’s fault, it’s still your fault.
Valve last week updated their terms of service to disallow the bringing of class action lawsuits against them, thereby forcing wronged consumers to sue as individuals. But should Steam somehow obliterate your data or become an unwitting backdoor for malware, you wouldn’t even get as far as filing a suit, en masse or otherwise, under Steam’s current terms of service. By using Steam, you’re agreeing that, as long there’s no malicious intent, Valve just aren’t responsible for what it might accidentally do.
So what protections exist? And are EULAs actually enforcable?
The European Union offers some additional legal protection for EU consumers, overriding some of these limitations of liability. The Unfair Terms in Consumer Contracts Regulations 1999 (UTCCR) provide that any term which is unfair (framed as being to the detriment of the consumer contrary to the requirement of good faith) is not binding on the consumer. More specifically in England, the Unfair Contract Terms Act 1977 (UCTA) also applies to clauses which seek to restrict or exclude liability.
And, just in case you’re genuinely worried that the bizarre should come to pass and your download clients might one day somehow physically harm you, under UCTA death or personal injury caused by negligence can never be excluded or restricted by a contract term.
But what is fair and what isn’t fair to the consumer is, like in so many legal cases, a grey area. Terms that limit a publisher’s liability must satisfy a ‘reasonableness test’ in court, meaning that the term must have been “a fair and reasonable one to be included having regard to the circumstances which were, or ought reasonably to have been, known to or in the contemplation of the parties when the contract was made”.
So a publisher could argue that the average PC user should have some understanding of the inherent risks in downloading software, and have taken some steps to protect their PC from malware. This isn’t, after all, a conspiracy against the consumer. Don’t think for a moment that Valve and Ubisoft and EA aren’t serious about secure software, this is simply the accepted reality of installing free software on the internet.
The reality is that, according to the legal experts we spoke to, no-one will ever know if a particular term in anEULA is enforceable until a test-case is brought in front of the courts. Then a judge must decide whether the case can be heard.
Steam, Impulse, Uplay, Origin – they’re all protecting themselves as they must, while trading on the message that security is their priority. Not so much of a priority that they’d ever dream of guaranteeing it of course, but just enough of a priority to reassure customers and maintain a good reputation in a competitive marketplace. “Ubisoft takes security issues very seriously,” commented Ubisoft in response to the recent Uplay security flaw, “and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues.”
Reputation alone binds publishers to the obligation to ensure they’re creating decent, secure software. While it seems no customers were harmed by Ubisoft’s shonky browser plug-in, perhaps it’s Ubisoft who’ll find themselves damaged and their service undermined by the public outing of their temporarily vulnerable software.