The recent uproar over Sony BMG's "rootkit-like" software, Microsoft's
WMF defect and such got me thinking about the software on my computers.
The audacity of these companies to put such unwanted filth on my
But truth be told, I've probably inadvertently allowed them to do so by
accepting the fine print in their End User License Agreement (EULA), right?
So what recourse do I have? That's when I was hit with a "wouldn't it be
cool if" moment that I want to share with you all in the form of an open
letter to software producers, whether they be open or closed source,
commercial or freeware.
Dear Software Producer:
First and foremost, this is my computer, and the data on it belongs to
I purchased (or freely and legally downloaded) your software to use on my
computer. But make no mistake about it... it is my computer and your
software is a digital guest here. As such, I have a few basic and fair
rules of conduct I require you to follow. They are as follows:
Your software may be installed in the location(s) I designate and
nowhere else. All of the components of your software must remain
completely visible to me. That also means you may not install anything
without my permission, including "rootkit-type" software technologies
to hide your software or any component of it, making it difficult for me
When and if I remove your software, I want to remove every single
digital remnant of it, but not my own data. After I remove your software,
my computer should be essentially identical to what it was before I
installed it. Every file, every environment variable, every registry key,
etc., must be removed when I remove your software;
Your software may not open pop-up windows, advertisements, etc.,
without my permission. Any and all advertising needs to be "opt in" and
not "opt out";
My data belongs to me. It is not yours to peruse, include in debug
dumps, etc. You will treat my data with the respect a good guest would
treat my belongings in my home;
You may not "phone home". If you have a requirement to connect to
the mother ship for some reason, then I want to be informed and
explicitly consent to it. And even then, I want to have visibility into
and veto authority over every single byte that goes between your software
and your company's computers. If I haven't explicitly allowed it, then
consider it forbidden;
If you have an on-line software registration form to fill out, you
may only provide the information I voluntarily enter for you. You may not
provide any system configuration information, etc., unless you've shown
me what you want to send back and I've explicitly approved it;
Updates and security patches are fine (thank you), but I want to be
fully informed and asked if it's OK to proceed. In the event of a
security or functionality patch, I want to be provided with detailed
information on the nature of the problem and how it may impact me before
I approve its installation. If a patch then causes me grief -- for
whatever reason -- I need to be able to quickly and painlessly uninstall
If I choose not to install your patch, I need to be able to easily
isolate and disable the affected component(s) of your software, and you
need to let me know what impact that decision will have on the operation
of your software;
When you find out about a security defect in your product, I require
timely notification of the problem, how it may impact me, what I need to
do to protect myself in the interim between my notification and your
producing a patch, and when I should expect the patch.
In exchange for abiding by these rules of decent and honorable behavior,
I agree to use only legally licensed copies of your software in
compliance with your customary terms.
This is, after all, my computer and my data.
Now, you're probably thinking I've gone completely nuts. Perhaps you're
right, but are these terms and conditions really all that unreasonable?
I don't think they are at all.
If every software producer treated their customers' computers and data as
though their products are in fact guests in the computer, then I firmly
believe we'd have far fewer security problems.
For starters, Sony BMG would never have considered using "rootkit"
technologies to hide its code. Better still, software developers would
consider these terms as they're designing their software, which is likely
to have precluded Microsoft's design flaw in its WMF code. (Executable
code would never have been allowed to be transmitted and run via an
arbitrary image file.)
Since we're pretty much forced to live with the vendors' EULAs, then they
should have to live with ours. I'm reminded of Arlo Guthrie's Alice's
Restaurant. If just one of us takes this letter to our software
vendors, they'll think he's nuts. But if we all do it, then they may just
think it's some kind of movement. (With due apologies to Arlo...)
I, for one, think it's about time we stand up for our software consumer