Attorney Steve® - Software Audit & Licensing Essentials - "PHONE-HOME" SOFTWARE – IS IT LEGAL?
Stuxnet, a digital worm designed to spread amongst computers and “phone home” each time a new machine was infected, was discovered by a computer security firm in Iran. It is notorious for infiltrating the Iranian nuclear program and destroying almost a fifth of their nuclear centrifuges. You might not be using your computer to enrich uranium, but similar phone-home software could be exposing confidential information stored on your computer.
In short, phone-home technology refers to when a client computer/device relays information to a server. Most commonly, it's used so that a client's machine can transmit information such as error reports, authorization keys, and usage statistics to servers. For example, a “CRASH REPORT” may send home information to companies like Microsoft or Autodesk.
If you ever get one of these messages, your device is basically asking your permission if it can “phone-home” to the software company that developed the software, purportedly, so they can analyze the bug and fix it. As you will see, similar technology allows software companies like VB Conversion, Siemens, Vero, Solidworks and others to track illegal pirated software. When you logon to unlicensed software, a beacon implanted in the software can “send signals” home that there is unauthorized software being used – this can lead to a piracy lawsuit or a software audit demand letter.
The basic “Phone Home” setup - How does it work?
For starters, phone-home technology requires an internet connection. Without a network connection, a client machine has no way of reaching a server machine to communicate information. If you do have an internet connection, a phone-home may occur like this:
- You launch an application. Upon launch, the application is programmed to transmit an authorization key to a server to verify your machine is properly licensed. When an unauthorized (pirated) key is noted, it is logged as an “instance” of piracy. Many software companies will let you hit their software many times (to build up a bigger case) before finally sending the audit demand letter, often from a law firm.
- You use open source academic software. Your machine sends your usage statistics to a server for developers to pool and use in justifying grant proposals to receive funding.
- You install a theft-recovery software on your laptop. Someone jacks your laptop and establishes an internet connection, so the software tells a server information like its current location.
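The first scenario above (the launch-time license check) as a small working model, added here as an illustration and not code from any of the vendors named in this post. It shows both sides of the exchange: the beacon the client builds at launch, with every field that leaves the machine listed in one place, and a vendor-side server that records each unlicensed hit as an "instance" rather than refusing it. The license keys, hostnames, MAC addresses and field names are all constructed for the example.

```python
"""Model of a launch-time 'phone home' license check.
Added example; keys, hosts and the beacon field list are constructed."""
import hashlib
import time
from dataclasses import dataclass, field

# Constructed: keys the vendor has issued. A real server would normally
# store a hash of each key rather than the key itself.
ISSUED_KEY_HASHES = {
    hashlib.sha256(k.encode()).hexdigest()
    for k in ("ABCD-1234-EF56", "WXYZ-9876-QR10")
}


def build_beacon(app: str, license_key: str, hostname: str, mac: str, version: str) -> dict:
    """What the client transmits when the application starts.

    Seeing the fields together is the point: the key hash proves (or fails to
    prove) a license, while hostname and MAC identify the specific machine so
    repeated hits from it can be tied together later.
    """
    return {
        "app": app,
        "version": version,
        "key_hash": hashlib.sha256(license_key.encode()).hexdigest(),
        "hostname": hostname,
        "mac": mac,
        "sent_at": int(time.time()),
    }


@dataclass
class LicenseServer:
    """Vendor side of the exchange (constructed).

    An unlicensed beacon is not rejected; it is logged as an 'instance' and
    the application is allowed to keep running, so a record accumulates over
    many launches from the same machine.
    """
    instances: list = field(default_factory=list)

    def handle(self, beacon: dict) -> str:
        if beacon["key_hash"] in ISSUED_KEY_HASHES:
            return "licensed"
        self.instances.append({
            "hostname": beacon["hostname"],
            "mac": beacon["mac"],
            "app": beacon["app"],
            "at": beacon["sent_at"],
        })
        return "unlicensed-logged"

    def instances_for(self, hostname: str) -> list:
        """Every recorded unlicensed launch from one machine."""
        return [i for i in self.instances if i["hostname"] == hostname]


if __name__ == "__main__":
    server = LicenseServer()
    good = build_beacon("cadapp", "ABCD-1234-EF56", "ws-01", "00:11:22:33:44:55", "2.1")
    print("ws-01:", server.handle(good))
    bad = build_beacon("cadapp", "NOT-A-REAL-KEY", "ws-02", "aa:bb:cc:dd:ee:ff", "2.1")
    for _ in range(3):
        print("ws-02:", server.handle(bad))
    print("instances recorded for ws-02:", len(server.instances_for("ws-02")))
    print("fields sent at launch:", sorted(good))
```

The model is deliberately one-sided in the way the text describes: the client gets the same "keep running" outcome whether or not its key is valid, so nothing on the user's screen reveals that three launches have already been recorded against that machine.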
These are just a few examples. Basically, the software publisher has a portal into your company. Most of my clients tell me NO, but when I ask if they read their EULA (End User License Agreement), they are usually surprised to find that the EULA discusses how the software publisher may monitor you for purposes of protecting their intellectual property. When you clicked “I agree” you agreed to this data collection. But what did you actually agree to? That is something a copyright piracy law firm like ours can help you review.
Phone-home software can be useful to software developers in updating/maintaining their software, analyzing usage data, and verifying product licenses. For example, Adobe Creative Cloud applications all “phone” a server to verify their license during launch. Back when you were using Windows 7, Windows Genuine Advantage had to be installed on your machine to verify your OS copy was licensed via phoning home or else you could not install Windows updates.
THIS IS NOT TO SAY THE TECHNOLOGY IS PERFECT. Many argue that this type of data collection is intrusive and creates data privacy concerns and some software developers have abused their abilities to collect data, and phone-home software could endanger the integrity or security of a client's network if the server is breached.
So, is all this legal?
The Computer Fraud and Abuse Act (CFAA), passed in 1986 and amended numerous times through 2008, prohibits intentionally accessing data on a computer without authorization. Using the example above, this tells us that unless the consumer authorizes Adobe to do so, it would be illegal for them to access information on their computer. Thus, Adobe Photoshop's installer will not allow installation to proceed unless the consumer grants it this authorization by accepting their End User License Agreement (EULA) as noted above.
In Adobe's EULA, we find:
Every software that LEGALLY phones home with information from a client machine will usually have been authorized to do so by the client's agreeing to the EULA. However, some of these companies' EULAs sneak in the right to poke around inside a client's machine in places or areas where the client might not want them to.
I reviewed a few EULAs from companies that are NOTORIOUSLY AGGRESSIVE in using their abilities to gather evidence of software piracy from clients' machines here: https://www.vondranlegal.com/beware-of-software-phone-home-technology.
Here is a look at Adobe terms
Other Legislation that may impact “phone-home” privacy technology
Regarding phone home technology, other, newer legislation has really only reinforced the CFAA's prohibition of unauthorized data collection. Things such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) serve the primary purpose of regulating what is done with the data AFTER it is collected. If you want to learn more about the GDPR, the CCPA, and your rights to know what data has been collected on yourself, check out my other blog here: https://www.vondranlegal.com/litigation-alert-businesses-are-you-ready-to-comply-with-obligations-of-the-new-california-privacy-law
In February of 2012, the Obama administration released a Consumer Privacy Bill of Rights. This was never passed as binding law, but it did lay out the expectations of private companies regarding handling consumer data. It emphasized that data be collected securely, transparently, and consensually and that data only be shared with certain third parties in a secure fashion.
Two important pieces of legislation on data privacy that HAVE been enacted are the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). The long and short of these two are that, if a business is collecting data from its users, those users have:
- The right to know what data the company has collected and what the data is used for
- The right to know whether the data is being shared with third parties
- The right to access the data collected on themselves and use it for themselves (this is a big right that means companies have to have a way to show you all the data they have collected from you across their entire organization, which can include web logs, accounting records, sales contacts, marketing communications and other personal information they collect, store, maintain and in some circumstances sell for profit)
- The right to have their data erased, in certain circumstances (see our blog at com)
Dangers of Phoning-Home
As soon as your client machine phones home to a server machine, it opens a line of communication which can be both hard-to-detect and insecure (creating security holes and vulnerabilities).
When a client machine “phones home,” it often includes the machine's IP address, MAC address, browser type (ex. Chrome, Safari, Firefox), location and other user account information. However, the application phoning home can encrypt this data, making it near impossible to verify which data is being transmitted. Servers on the receiving end could use this information to detect software usage in excess of your license (violations of the EULA resulting in unlicensed software), and covertly conduct a “software audit” that you had no knowledge was even going on.
Some questionable, “Trojan” type software, like Pushdo, can disguise its purpose as a useful application to install on your computer, but will actually serve the purpose of phoning-home information about your computer. The home server will respond to your client machine with instructions to install malicious spyware that can steal and/or leak your confidential information. Creating ransomware problems is another issue of concern.
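Because the beacon's payload is usually encrypted, the practical way to notice phone-home behaviour is to watch the connection itself rather than its contents. The following is an added example (not from the original post) of an egress-log review in that spirit: it reads per-process connection records, flags any outbound connection made within a few seconds of the process starting (the launch-time beacon pattern described above), and separately flags destinations that are not on a list of vendor hosts you have already decided to permit. The log format, the process names, the addresses and the allowlist are all constructed for the example.

```python
"""Review outbound connection logs for launch-time phone-home behaviour.
Added example; log format, hosts and allowlist are constructed."""
import re
from datetime import datetime

# Constructed log format: one 'start' line per process launch and one
# 'connect' line per outbound connection, both keyed by pid.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\w+) proc=(?P<proc>\S+) pid=(?P<pid>\d+)"
    r"(?: dst=(?P<dst>[\d.]+):(?P<port>\d+) bytes_out=(?P<bytes_out>\d+))?$"
)

# Constructed sample: a CAD application beacons to two hosts right after
# launch; an updater connects to a known vendor host much later.
SAMPLE_LOG = [
    "2024-05-02T09:14:00Z event=start proc=cadapp.exe pid=4411",
    "2024-05-02T09:14:03Z event=connect proc=cadapp.exe pid=4411 dst=203.0.113.10:443 bytes_out=2048",
    "2024-05-02T09:14:04Z event=connect proc=cadapp.exe pid=4411 dst=198.51.100.7:443 bytes_out=512",
    "2024-05-02T09:20:00Z event=start proc=updater.exe pid=4520",
    "2024-05-02T09:31:00Z event=connect proc=updater.exe pid=4520 dst=203.0.113.10:443 bytes_out=128",
    "this line is malformed and is skipped",
]

# Constructed: vendor hosts the organisation has reviewed and chosen to allow.
ALLOWED_DESTINATIONS = {"203.0.113.10"}


def parse_line(line: str):
    """Return the parsed record, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def review_egress(lines, allowed_dsts, launch_window_s: int = 10) -> list:
    """Flag connections that look like launch beacons or go to unreviewed hosts.

    A connection is a 'launch-beacon' when the same pid started within
    launch_window_s seconds before it. It is an 'unknown-destination' when
    the destination address is not on the allowlist. Either reason alone
    produces a finding; both may apply to one connection.
    """
    start_times = {}
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "start":
            start_times[rec["pid"]] = rec["ts"]
            continue
        if rec["event"] != "connect":
            continue
        reasons = []
        started = start_times.get(rec["pid"])
        if started is not None and (rec["ts"] - started).total_seconds() <= launch_window_s:
            reasons.append("launch-beacon")
        if rec["dst"] not in allowed_dsts:
            reasons.append("unknown-destination")
        if reasons:
            findings.append({
                "proc": rec["proc"],
                "pid": rec["pid"],
                "dst": rec["dst"],
                "bytes_out": int(rec["bytes_out"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in review_egress(SAMPLE_LOG, ALLOWED_DESTINATIONS):
        print(f"{f['proc']} pid={f['pid']} -> {f['dst']} ({f['bytes_out']} bytes): {', '.join(f['reasons'])}")
```

On the sample data the CAD application produces two findings: its first connection goes to an allowed vendor host but is still reported as a launch beacon, which is exactly the "you did not know an audit was going on" case, and its second goes to a host nobody has reviewed. The updater's connection eleven minutes after launch to an allowed host is not reported. Tuning the window and the allowlist to your own environment is the work; the output tells you which applications are worth reading the EULA for.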
Phone-home software can expose personal private information, so think twice before you send back “the crash report.”
Also, think twice before agreeing to a software program that uses a portal into your network for its own intellectual property protection. While understandable, this could create risks to your network security. Worse, it can lead to a costly license compliance audit. If a software company knocks on your door (some will actually call you) alleging wrongdoing or infringement, these letters usually come with high demands or threaten as much as $150,000 per infringement. Call us: we are a leader in copyright software licensing and dispute resolution in the United States and we have helped hundreds of companies navigate the choppy waters of facing a privacy allegation. We can be reached at (877) 276-5084 or email us through our contact form and we will call you.
This blog was written by University of Arizona student Chris Gonzales. Edited by Attorney Steve®