Last November, I gave a talk in Ireland at the fantastic IRISSCON, a huge annual security conference which covers everything from social engineering and use of language to the criminal underground and heart hacking.
My talk was all about EULAs, or at least, it used EULAs as a starting point before quickly moving into the land of mobile and the crazy assortment of Privacy Policies on offer.
What is a EULA?

The EULA is an End User License Agreement and generally sets out things like your ability to use, copy (or indeed, not copy) the product sitting in front of you. More often than not, there'll be a Terms of Service which explains what you can do while using the product, a sort of "what you can reasonably expect to take place while the wheels are in motion". These can matter more on mobile, where apps and software as a service reign supreme, than on a desktop.
Where this gets interesting is that Privacy Policies are typically all about the adverts, tracking, and analytics you can expect to run into on your travels. Just like websites, ads are usually how free games make their money - regardless of whether or not they use in-app purchases. I've written about Advergaming many times - here are 5 blogs for you to get your teeth into:
Previously, device owners could try and bypass adverts on their devices through all manner of antics - here's people using OpenDNS to block Xbox dashboard ads - so it was inevitable that adverts would eventually become something you can't get around anymore. Behold, the advert as a game mechanic:
Yeah, there's no way to dodge that. There's a weird grey area where parents let their kids download / play all manner of things on their devices, or buy tablets specifically for the children to use, so they're "theirs" but the data on the device is a mashup of both parent and child. Some games need registration, logins, permission from an adult over 13 years of age and so on. With that in mind, it's quite important to ensure you know where your data is going, which is probably why Privacy Policies are such a big deal.
I'm not sure how many successful EULA challenges have passed muster in a court of law, but anything involving leakage/theft/bad things in general related to PII never tends to go well for the offending party. That's probably why we end up with such a headache when trying to deal with companies attempting to cover themselves from unwarranted blame, because that way lies madness - and lots of words.
Unfortunately, this isn't possible.
Most mobile games make use of multiple advertisers/networks, and some are region specific, so what you see in country A won't be what you see in country B. As a result, you end up flowing down a river of "here's two more links to two more policies - and both of those link to some of their partners, so here's a few more - and this - and that - and one of these".
Here is your 2017 experience:
Incredibly important information about what's happening to your data is often not placed in the app itself, because the app maker wants you to get right into the act of making them some money, and tons of words would be a bit of a distraction. Worse still, the app maker is relying on the ad network/provider/whoever to actually have the correct information available, online, in an easy to digest format. Effectively, you're seeing a EULA at app launch, but the PII references are all sitting on a website somewhere - or, even more confusingly, on a whole bunch of third-party websites.
Did you read it all? Of course you did.
At time of writing (well, at time of putting together the slide deck) the top games on the Play store were as follows:
Essentially, if it's decided that the app doesn't handle what is considered to be PII, then it doesn't need to list anything. You can see the problem here; without any form of information whatsoever with regard to what the app is doing with said data (outside of notifications related to what device functions it may make use of), there is no way for the consumer to make an informed decision.
Elsewhere, we have Privacy Policies ranging from 500 words to just over 2,000. There are various readability tests which will try to establish how complicated a piece of text is; these can take in very complicated mathematical equations, or look at what % of words contain more or less than 7 letters, or compare the whole text against a set of a couple of thousand "common" words and increase the complexity score every time a word appears which isn't listed.
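To make those two word-based checks concrete, here is an added example (mine, not code from the original post or from any of the readability tests it alludes to) that scores a passage by the share of words longer than seven letters and the share of words missing from a "common words" list, then ranks several policies hardest-first. The common-word list is a tiny constructed stand-in for the couple-of-thousand-word lists real tests use, and the two sample policy passages are constructed as well.

```python
"""Readability metrics for privacy-policy text.

Added example, not code from the original post. It implements two of the
complexity checks the post describes: the share of words longer than seven
letters and the share of words that do not appear in a "common words" list.
The word list and the two sample passages below are constructed for this
example; a real scorer would use a list of a few thousand common words.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed stand-in for a multi-thousand-word common-word list.
COMMON_WORDS = frozenset(
    """
    the a an and or of to in on for with by from we you your our this that
    it is are be can may will use collect share send data information
    service app email
    """.split()
)

WORD_RE = re.compile(r"[A-Za-z']+")
SENTENCE_END_RE = re.compile(r"[.!?]+")


@dataclass(frozen=True)
class Readability:
    words: int
    sentences: int
    long_word_pct: float      # % of words longer than the length threshold
    uncommon_word_pct: float  # % of words not in the common-word list
    avg_sentence_len: float   # words per sentence

    @property
    def complexity(self) -> float:
        """Combined score: higher means harder to read."""
        return self.long_word_pct + self.uncommon_word_pct


def tokenize(text: str) -> list[str]:
    """Lower-case alphabetic tokens; punctuation and digits are dropped."""
    return [w.lower() for w in WORD_RE.findall(text)]


def count_sentences(text: str) -> int:
    """Count runs of text terminated by . ! or ? (at least one sentence)."""
    parts = [p for p in SENTENCE_END_RE.split(text) if p.strip()]
    return max(1, len(parts))


def score(text: str, long_len: int = 7, common=COMMON_WORDS) -> Readability:
    """Score one passage; percentages are rounded to one decimal place."""
    words = tokenize(text)
    if not words:
        raise ValueError("text contains no words")
    n = len(words)
    long_words = sum(1 for w in words if len(w) > long_len)
    uncommon = sum(1 for w in words if w not in common)
    sentences = count_sentences(text)
    return Readability(
        words=n,
        sentences=sentences,
        long_word_pct=round(100.0 * long_words / n, 1),
        uncommon_word_pct=round(100.0 * uncommon / n, 1),
        avg_sentence_len=round(n / sentences, 1),
    )


def rank_by_complexity(policies: dict[str, str]) -> list[str]:
    """Policy names ordered hardest to read first."""
    return sorted(
        policies, key=lambda name: score(policies[name]).complexity, reverse=True
    )


# Constructed sample passages standing in for two policies' text.
PLAIN_POLICY = "We collect your email. We use it to send you updates. You can opt out."
DENSE_POLICY = (
    "Notwithstanding the foregoing, personally identifiable information may be "
    "disclosed to affiliated advertising partners, subsidiaries, and successors "
    "in accordance with applicable legislation."
)

if __name__ == "__main__":
    samples = {"plain": PLAIN_POLICY, "dense": DENSE_POLICY}
    for name, text in samples.items():
        print(name, score(text))
    print("hardest first:", rank_by_complexity(samples))
```

On the constructed samples the dense passage scores roughly two thirds long words and three fifths uncommon words against zero and one fifth for the plain one, which is the kind of gap these tests are built to expose; swapping in a real common-word list changes the numbers but not the method.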
Unfortunately, in certain circumstances there may just be too many words to deal with to gain a firm understanding of exactly what you happen to be dealing with. In the follow-up post, you'll see exactly what I mean.
Bring some background music, a soft bedside light and a large pair of reading glasses.
You'll need them.