Always read the EULAAARGH: Part 1

Always read the EULAAARGH: Part 1

Last November, I gave a talk in Ireland at the fantastic IRISSCON, a huge annual security conference which covers everything from social engineering and use of language to the criminal underground and heart hacking.

My talk was all about EULAs, or at least, it used EULAs as a starting point before quickly moving into the land of mobile and the crazy assortment of Privacy Policies on offer.

What is a EULA?

The EULA is an End User License Agreement and generally sets out things like your ability to use, copy (or indeed, not copy) the product sitting in front of you. More often than not, there’ll be a Terms of Service which explains what you can do while using the product, a sort of “what you can reasonably expect to take place while the wheels are in motion”. These can be more important in mobile land than on a desktop, where apps and software as a service reign supreme.

The last piece of the puzzle is the Privacy Policy, which explains what happens to your PII, where it is stored, and what the company responsible for it will do to safeguard the information. These are often very, very important where mobile is concerned – indeed, on the pages of Google Play you’ll very rarely see a EULA listed, whereas the Privacy Policies are always on the page, visible and linked (if you do see a EULA, it’ll probably pop up at install in the app itself). Here’s an example of a Privacy Policy linked on a Play Store app page:

Links to Privacy Policy


Where this gets interesting is that Privacy Policies are typically all about the adverts, tracking, and analytics you can expect to run into on your travels. Just like websites, ads are usually how free games make their money – regardless of whether or not they use in-app purchases. I’ve written about Advergaming many times – here’s 5 blogs for you to get your teeth into:

Part 1: Introduction Part 2: The Location and Design of In-Game Advertisements Part 3: The Gamification of Gamers Part 4: Hotfixes and Notfixes Part 5: EULAs and You

Previously, device owners could try and bypass adverts on their devices through all manner of antics – here’s people using OpenDNS to block Xbox dashboard ads – so it was inevitable that adverts would eventually become something you can’t get around anymore. Behold, the advert as a game mechanic:


Yeah, there’s no way to dodge that. There’s a weird grey area where parents let their kids download / play all manner of things on their devices, or buy tablets specifically for the children to use, so they’re “theirs” but the data on the device is a mashup of both parent and child. Some games need registration, logins, permission from an adult over 13 years of age and so on. With that in mind, it’s quite important to ensure you know where your data is going, which is probably why Privacy Policies are such a big deal.

I’m not sure how many successful EULA challenges have passed muster in a court of law, but anything involving leakage/theft/bad things in general related to PII never tend to go well for the offending party. That’s probably why we end up with such a headache when trying to deal with companies attempting to cover themselves from unwarranted blame, because that way lies madness – and lots of words.

The problem with words

In an ideal world, the perfect EULA would combine the EULA, ToS, and Privacy Policy in one bundle of amazing and look like this:

EULA, done and dusted

Unfortunately, this isn’t possible.

Most mobile games make use of multiple advertisers/networks, and some are region specific so what you see in country A won’t be what you see in country B. As a result, you end up flowing down a river of “here’s two more links to two more policies – and both of those links to some of their partners, so here’s a few more – and this – and that – and one of these”.

Essentially, the EULA is the bit you get out of the way to introduce the meaty privacy policy, and beyond the “Agree/Disagree” it functions as little more than a gateway to the complicated stuff.

Here is your 2017 experience:

oh no

LOL indeed.

Incredibly important information about what’s happening to your data is often not placed in the app itself, because the app maker wants you to get right into the act of making them some money and tons of words would be a bit of a distraction, and worse still, the app maker is relying on the ad network/provider/whoever to actually have the correct information available, online, in an easy to digest format. Effectively, you’re seeing a EULA at app launch, but the PII references are all sitting on a website somewhere – or, even more confusingly, a whole bunch of third-party websites.

Did you read it all? Of course you did.

At time of writing (well, at time of putting together the slide deck) the top games on the Play store were as follows:

Design Home: 2147 word Privacy Policy Taps to Riches: 1245 words Block! Hexa Puzzle: 678 words Rolling Sky: 586 words Pineapple Pen: No privacy policy listed on Google Play or the developer’s own homepage. This surprised me, as I was under the impression every app needed one listed. The best I could come up with is the below text taken from the Play developer’s information portal:

No policy

Essentially, if it’s decided that the app doesn’t handle what is considered to be PII, then it doesn’t need to list anything. You can see the problem here; without any form of information whatsoever with regards what the app is doing with said data (outside of notifications related to what device functions it may make use of), there is no way for the consumer to make an informed decision.

In the last few days, Google Play has now decided to purge apps with no Privacy Policy on offer – one fears for the health of those pineapples.

Elsewhere, we have Privacy Policies ranging from 500 words to just over 2,000. There are various readability tests which will try to establish how complicated a piece of text is; these can take in very complicated mathematical equations, or look at what % of words contain more or less than 7 letters, or compare the whole text against a set of a couple of thousand “common” words, and increase the complexity score every time words appear which aren’t listed.

There are plenty of online readability score checkers you can run text through [1], [2], [3], and typically you’ll find the scores peg the Privacy Policies at close to (or above) graduate level.

This makes sense – it’s legalspeak, and legalspeak is complicated. Sites and services have occasionally tried to tackle this particular beast, with mixed results – for our part, we offer non-legal, hopefully easy to understand text next to the complicated bits in our own Privacy Policy.

Unfortunately, in certain circumstances there may just be too many words to deal with to gain a firm understanding of exactly what you happen to be dealing with. In the follow-up post, you’ll see exactly what I mean.

Bring some background music, a soft bedside light and a large pair of reading glasses.

You’ll need them.


Christopher Boyd


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.