I Agreed to What? The Devil is in the Details with EULA’s [PODCAST]

by · March 22, 20134 comments

Welcome to the latest episode of Explore Marketing Uncensored, Social Media Explorer’s official podcast. Explore Marketing Uncensored is your one-way ticket into the twisted minds of some of the greatest digital marketing and social media thought leaders around. The goal: to provide marketing executives with the knowledge they need to be rock stars in their organization.

In this week’s episode, hosted by Jason Spooner and SME President Nichole Kelly, Philip Alexander takes us down the rabbit hole of End User License Agreements and sheds some light on what exactly you’re agreeing to when you join a social networking platform. As founder of Data Privacy Network, Philip has spent the last two decades working with business owners and non-profits to protect sensitive data and intellectual property. Fair warning, after listening to this podcast you’ll never look at an “I Accept” button the same way again.

Don’t miss an episode Explore Marketing Uncensored! Subscribe to the podcast through iTunes and receive the latest episode on your preferred podcast listening device.

Show notes

Data Privacy Network – Philip Alexander’s company website

Facebook Terms & Conditions – Link to Facebook’s terms and conditions

Ron Swanson Quotes – What else would a cuckoo’s clock that poured whiskey recite?

Game Station’s April Fool’s EULA  – Game Station’s well-known April Fool’s joke. An immortal soul clause was inserted in its end user license agreement.

Scroogled – Outlook’s response to Google scanning personal emails

Can’t Listen Right Now? Complete Transcript below:

Announcer: You’re listing to Explore Marketing Uncensored: everything you need to know about marketing, and a few things you didn’t. Now, here’s your host, Jason Spooner.

Spooner: Welcome to Explore Marketing Uncensored. I am your host, Jason Spooner. Joining me today is Nichole Kelly. Nichole, how are you doing?

Nichole: I am awesome. How are you?

Spooner: Fantastic. Thanks for being here again.

Nichole: Thank you.

Spooner: Joining also, special guest star Philip Alexander. Philip, how are you doing?

Philip: I’m doing great, thank you.

Spooner: Fantastic. Philip is the founder of Data Privacy Network, dataprivacynetwork.com, and an expert with user license agreements, those multi-paragraph things that I always click on when I agree to whatever it is I’m downloading that I never read. Philip, you’re the guy that knows the ins and outs of all the horrible things I’m agreeing to. Am I right there?

Philip: Right. Well, it’s not only the things that you’re agreeing to. It’s what we’re all agreeing to when we sign up for social networking sites, buy things online, join an online membership site. You can be surprised what you’re agreeing to.

Spooner: I think everyone is—they’re really impatient. They just downloaded, they don’t really care to read the data privacy thing, and there’s some pretty crazy stuff in there. I mean, Philip, you’re an expert in this space. You’ve seen it all. Let’s just talk briefly, real fast, with just some of the—even the Facebook, some of the agreements I’m making on Facebook when I join and sign up for that social media platform. ‘Cause we’re all in the social media space. We’ve all signed up for these, to be a part of these networks: LinkedIn, Facebook, Twitter. Just with Facebook alone, what am I agreeing to sometimes in regards to my privacy?

Philip: Well, when you sign up on Facebook, for example, you’re agreeing that they, Facebook, can sell your photos, uploads, any videos. Even beyond that, any intellectual property. So if you’re a business and you have the next great invention, don’t be talking about it on Facebook, ’cause they can sell those things without your direct knowledge, and they don’t have to pay you for it. In the agreement, in their privacy agreement, when you join.

Spooner:  So they can sell—if I have an idea, say my idea is a cuckoo’s clock that also pours whiskey, right?

Philip: Which I would buy.

Spooner: I think there’s a market for it.

Philip: Absolutely.

Nichole: Will it also cook bacon?

Spooner: It does. It does it all. And it recites Ron Swanson quotes. So if I have this idea and I post it to a friend on my wall, or I tag him in the post and the two of us have a public conversation, Facebook can take that idea and sell it or disclose it to another company. Is that correct?

Philip: That is correct. That is in their data use policy or their privacy policy.

Spooner: Wow. What if it’s in a private message? Does that change anything or—

Philip: Not really, ’cause really the privacy, just between friends, is exposure to the Internet. Like if you and I friend each other on Facebook, our conversations, you know, in theory are between you and I, and not free to people who we don’t friend on Facebook. However, you post it and they look at it. They can use it any way they want to, whether it’s just between friends or not. It’s on their site.

Nichole: So Philip, this brings up a really interesting point, because I think that there are concerns that we as consumers should have about what these terms and conditions and license agreements say. But there’s a bigger concern for business, and businesses who are allowing their employees to be on social. And personally, I don’t want to get to a place where we tell businesses not to be involved in social, ’cause I think that social is a really great place to be, and I think there’s a lot of great opportunities there. But how can businesses protect themselves?

Philip: Right. Well, social media is great for business—they can use it for marketing, they can use it for positive PR. But here again, be careful what you put on there. If you don’t want it free for the taking for anyone, don’t post it online. It’s not just—you have a user group on a Facebook site just for your business. Understand that here again, Facebook can use anything you post on there. So don’t—if it’s confidential business conversation or business data, don’t have that conversation online. Keep it within the business itself.

Nichole: What about—obviously Facebook most of the time, we’re using it for external networking. And there’s certainly some probably internal groups that have been created on Facebook. But what about a network like Yammer, which is a very common network that’s used for internal networking?

Philip: What I’ve seen is, most sites out there are—give themselves a fair amount of liberties on how they can use the data posted on there. [CROSSTALK] I’m sorry, go ahead.

Nichole: It’s OK. I was just going to say, so if I’m a business owner or I’m an executive in a company, tell me five things that I should be on the lookout for in end user agreements.

Philip: Ownership of things that are posted, whether like we said earlier, photos, videos, intellectual property. What—beyond information posted, are they gathering information about user? Some sites—I’ll use Facebook again—they’re gathering information about the computer you’re using, the particular internet browser you’re using, the operating system. Now where this can be troubling, ’cause that information—all different pieces of software have their own weaknesses, and that information gathered could expose—makes your company easier to hack. So they should know that if people from inside their company using work companies are on, say, Facebook—and not just Facebook, other social networking sites as well—that the technical information is also being gathered. Many of the sites also track where you’re going on the Internet. So they’re tracking that about you as well. So I would say, be careful what you post. Be careful, knowing that the very system that you’re on, they’re going to track technical information about that. They’re also going to track your whereabouts, where you’re going online. So all that information that you may want to keep, that is sensitive to your business, won’t be if you’re using work computers for social networking purposes.

Spooner:: Wow. That’s—I mean, you think about that and you think that, especially the part that got to me was it’s going to make it easier for hackers to get into my business. I would never think that, because I’m logged in to Facebook, that they would be tracking enough information about my system and my IP address and all that information, to make it easier for someone to get into the system.

Philip: Well sure. For example, different web surfing programs have different vulnerabilities. Different for Internet Explorer or Safari or Firefox. And they’ll track which one you’re using. And they have known vulnerabilities, and that will make the hacker give them information they need to make it easier to hack you.

Spooner: Now, Philip, I’ve got a question. I go on the Facebook and I see all of my friends putting a status update that says something along the lines of, “I reserve the right to my own data. Facebook can’t touch my stuff. Yadda, yadda, yadda.” Does that have any actual weight?

Philip: Not really. I mean, I guess it may give them a sense of security. It’s more of a false sense of security, because the use agreement, or EULA, end user license agreement, that they agree to and sign in order to establish a Facebook account, that’s the overriding agreement. Not a little statement, “Hey, I reserve this as my personal data.”

Nichole: So I’m sorry. It’s taking me a second to just process everything. But now that I’m thinking about this in terms of what businesses need to be worried about, I’m stepping back a little bit and saying, “OK, so Facebook says that they own everything you post on Facebook, and we as consumers and businesses need to be careful that we’re not sharing proprietary knowledge.” Now, the reality is, most companies are going to have a policy that says that anyway. Where I’m more concerned though is not that Facebook is going to sell that information or give it away, because frankly, what would Facebook—how would they benefit from that? And it could really hurt their reputation in the space if that were found out. Not saying that it couldn’t happen, but I’m saying from a probability standpoint, that’s pretty low. What I’m more concerned about is Twitter getting hacked or Facebook getting hacked, which has happened recently. And that’s where I’m starting to say, “Hmm. Now I’m concerned.” Because now if Facebook gets hacked, the data mining that could be done on my company could—if I’m a Bank of America, for example, or one of these bigger organizations, that might actually be something that someone could use against us.

Philip: That’s another excellent point. You know, there are companies—banks, hospitals, certainly certain government networks that spend an enormous amount of time, money, and effort securing their networks. And yet, all the time in the news, you hear they got hacked, they got breached. Data was stolen, what have you. And if companies at that level are vulnerable, it’s fair to assume that they have much more stringent standards than a Facebook or an Instagram. And you’re right. So even if Facebook is not going to sell your intellectual property, for the negative PR, and there is validity to that statement—but you’re right. Just how secure is that network?

Nichole: And I think that there’s another issue. And I’m sorry, Spooner. I know you probably want to talk, but now I’m going to go on for a little bit. I think there’s another issue, and I think this is something that we don’t think about, and that’s privacy in terms of our passwords. And you know, I’m seeing more and more that you can sign in to multiple networks, multiple banking sites and other things, where you can use your Twitter login, you can use your Facebook login. Is that opening up a whole ‘nother level of risk that we haven’t addressed?

Philip: That’s an excellent point. It is. The accounts are interconnected, like you say. Like Facebook and Twitter and other things like that. You know, and I tell people. Most people out there use the same email address for not only social networking, but they shop online, say at an Amazon, or they bank online. It’s the same email address throughout. And in some cases it might be the same password throughout. So if that gets hacked in one site, you have people who could be going to different sites and doing identity theft or financial fraud.

Nichole: Or just think about how much time and energy you put into your Twitter password as an individual, your Facebook passwords, versus the time and energy you put into a banking password or any kind of password that has financial implications behind it. We usually think about that a little bit differently than we would for Twitter or Facebook. But if now I can log in to all of these websites using oAuth or some other technology that allows me to use Twitter or Facebook, now all someone needs to do is steal my Twitter or Facebook password and they could have access to my entire life.

Philip: Right. And that’s the back door. And what I find interesting about that, certain sites like—most online banking sites, if you try to log in and guess a password, after several attempts, anywhere from three to five on average, the account locks out. And they have steps for you to unlock your account. Well, a lot of these social network sites don’t. And I can just keep trying to guess your password, and keeping hitting it and hitting it and hitting it until I finally break it. In fact, there are automated tools that will just keep sending random passwords until ultimately I just break your password and I have your Facebook account.

Spooner: I feel like we should’ve had this podcast on Halloween, because this is some of the scariest stuff I think we’ve ever talked about.

Nichole: I think so too. [CROSSTALK] And this is what’s really scary about it for me, is that—I mean, companies have come so far into finally accepting social and really trying to make forward steps. And I’m terrified that this kind of information is really going to give those people who are trying not to do it, or the companies who have already taken that leap an impetus to pull back drastically on it. And is that ultimately what’s best for the organization in the long run? So I guess my biggest question for you is, what do we do as companies and as individuals to make sure that these license agreements that we know exactly what we’re signing, and if there is something that is ridiculous in there, then we pull back? ‘Cause when you’re talking about Facebook owning photos and being able to sell them, this is exactly what Instagram put into their license agreement that had so many people up in arms. And I bet you no one realizes that’s exactly what Facebook says too.

Philip: Right. Well, I think it does take public awareness. And a push back from the public. ‘Cause that’s their customer base. And even beyond that, to be a savvy user. I’m not advocating people don’t—and even businesses, for that matter—do not use Facebook or not be on Twitter. There is a lot of value to using those services. But be forewarned, be an educated user.

Spooner: Right. I want to switch gears just a little bit, because we were talking a lot about social. And I want to talk about email. Because just like in Facebook, and just like on these social platforms or—the data’s being scanned and being stored. I don’t think a lot of people are aware that that’s happening a lot with their email as well. Anything that’s on the Google platform or the Gmail platform, Philip, I think you were talking about this a little bit beforehand. And I’d love it if you talked a little bit on the podcast about this too. How Gmail scans the emails.

Philip: Right. Gmail has in their user agreement that they can scan your emails. And what—how they—they say they use the information, they look for—to bring things to your Gmail page that you might be interested in buying, so it’s advertising purposes. But then again, there’s a privacy concern. You think an email between you and I on Gmail’s private, between you and me. And it’s not. They say they can and they do scan them.

Spooner: Right. And that—I mean, that’s personal email. But there are plenty of businesses that are on the Gmail, the Google platform for their business email as well.

Philip: Right. Because for a lot of companies, to have their own quote-unquote email domain is very expensive. So a lot of them will have business name @gmail.com. They understand that they’re under the same scanning, and any business emails they send using Gmail, Google can scan.

Nichole: What about Google Apps? I mean, a lot of businesses run email off of Google Apps. Social Media Explorer, we run off of Google Apps since inception. So is that under the same terms and conditions?

Philip: Right. I don’t necessarily know that they scan those, but I would say two things. When you post something on the Internet, if your thought is to keep it confidential, don’t post it on the Internet. And another point we talked earlier in the podcast was—and what if they get hacked? So I would take a serious pause before I put any what I consider sensitive—or may sometimes determine is confidential documents on a Google Docs or any online storage, for that matter.

Nichole: So what does that do for small businesses who are trying to compete with larger guys? It’s not like small businesses can have server rooms to run every Internet application that they have. What do you recommend in terms of that?

Philip: Well, for one thing, not all data in a given business is sensitive, is confidential. Some of the data, it’s public data, and if it’s on the Internet and someone finds it who maybe shouldn’t, fine. No harm, no foul. And that’s a good use, for example, of Google Docs. But if you have your sensitive information, it takes an awareness. What data is sensitive? Do we have employee files? Do we have our business plan? Things like that. Our social security numbers of customers. Those are good examples of things you do not want to be posting on the Internet.

Spooner: I would say—I would add to that also anything that would be falling under a regulatory body.

Philip: Absolutely. HIPPA for health information. Credit card information under PCI, and other lists. Think through, what kind of data do you have? And things that are very sensitive. They’re worth protecting, and putting some controls around them.

Spooner: Right. So Philip, maybe just to lighten up the mood just a smidge, I’m sure that you’ve read probably more end user license agreements than anyone else on this podcast. I’m going to go out on a limb and say that. [CROSSTALK] What’s the craziest thing you’ve seen in a EULA?

Philip: Right. Well, this is my personal favorite. It was done by a company actually based in the UK called Game Station. It was back in 2010, and they did it as an April Fool’s joke, so yes, it was in April. They had in their end user license agreement an immortal soul clause. [LAUGHTER] Which basically said they can send you an email saying that within five days, they own your immortal soul. [LAUGHTER] —for several weeks, and people were just saying, “OK, fine.” Click, click.

Nichole: Wow, that is insane. And I know there’s another issue in terms of, how do you—say we go and we look at all of these EULAs and we decide we don’t want to comply to what they say anymore. How do we cancel?

Philip: That’s interesting too. You know, some say, “I just won’t use it.” And I guess to a point, you could do that. What I’ve found interesting is, for example, Facebook says if you want to stop using—you want to cancel your account, you need to provide them, you need to upload a piece of government ID, and they give examples of, it can be a passport, a driver’s license, a military ID, or a credit card. Now, in fairness, they do recommend you cover, maybe with a piece of tape, any of the sensitive information. I found it very interesting that in order to cancel my Facebook account, I would need to upload my credit card, which I didn’t have to use to establish it in the first place. Or my passport.

Spooner: Or your ID. And my question for that is, great. That cancels it, so what happens to all the photos and the data that I posted before I canceled it? Are they going to delete that?

Philip: Right. I didn’t really—they didn’t really specify that in their cancellation agreement. But—and here’s where things get, at a technical level, difficult. Depending on how they back up their data, they may say they delete it, but it could be on backup tapes stored in some offsite storage facility. So they can back up what’s active, but think how long you’ve had your Facebook account. I doubt they’re going to go through the time and effort to go through backup tapes or offsite storage facilities and look for everything under, say, my name: Philip Alexander, to delete everything ever tied to me.

Nichole: So it brings up a lot of interesting points for me. #1, if you look at these license agreements, they’re not, in my opinion, written in any language that most people can understand. While they can be translated and be in English or French or anything like that, the language that’s being used is very legal. And we’re not in a legal capacity when we’re reviewing that information, nor are most people having a lawyer actually review that. Which is obviously a bit of a concern. The other thing is, what should we be asking for these—all of these companies and these social networks and anyone? Gmail, all of these different companies. What should we, as consumers and as businesses, be demanding they do?

Philip: You know, Gmail, I’m going to stick with that, ’cause that’s a good example. Microsoft is actually leveraging that. Like you said earlier, they have “Don’t get screw-gled.” And they’re launching an Internet version of their Outlook client. And they say in their privacy statement they will not scan your email. So I think here, for the savvy entrepreneur, that there’s an opportunity here. A social networking site that respects your user privacy, that will not sell your photos, use your intellectual property, use your videos, and respects your privacy. And I think—’cause to leverage that, or people en masse start saying, “We’re going to be very cautious how we use Facebook or other sites, because we’re concerned about our privacy and how our data could potentially be used.”

Nichole: And should we also be asking for more data security around their networks?

Philip: You know, we could, but even— I mean, that’s a good point. But even for companies with much higher profile and highly regulated, such as banks and hospitals, even with them, in terms of understanding best standards, and—I think it’s going to be a catch up period. For social networking sites to have the type of requirements that banks and hospitals, who currently are under. But one thing that could make that process go quicker. Here in the United States, most of the states have data breach disclosure laws. And they say, if you collect certain pieces of information about a resident of that state, and your network is hacked and that data is breached, that the company can face fines. That could be existing laws that could force—at least them to strengthen their network. Not so much their data use policy. But can strengthen the security of the network itself.

Spooner: That’s interesting, though. The company would be fined, but did they say anything about the compensation for the individual whose data was stolen?

Philip: The laws vary from state to state. A lot of them, they have fines. And some of the state data breach laws will say things like, “and you must provide credit monitoring for a year.” So that’s how it helps protect the resident who was potentially a victim of the breach, whose data was breached.

Spooner: That’s interesting.

Nichole: But see, I feel like we have a solution to—we have a part. I think this is a two-pronged problem. There is what’s in the end user license agreement, but then there’s also the data privacy and making sure that their network is secure. And to me, we already have the solution for making sure their data is secure that we’re using for credit card processing right now. If you think about the context of all of the different types of information you’re posting on social networks, the information that someone could get about your entire life and everything about you in terms of being able to figure out what your security questions are and things like that is pretty concerning. I mean, isn’t it as simple as saying that social networks should be following PCI compliance standards that credit card companies, or anyone who processes credit cards, has to follow?

Philip: I would agree. You know, you collect sensitive information, treat it as such. To protect the identities and the credit card information of your customers. I would agree with that.

Nichole: So maybe it’s something that we should be fighting, that PCI compliance should start covering social networks.

Philip: Well, on one point I’d agree. But not every company that processes credit cards is also PCI-compliant, is required to be PCI-compliant. But I think if there’s enough public outcry and expectation, that we expect our data, when it’s on the Internet, especially for companies with certainly the resources to provide that level of protection, to respect our privacy and to protect the network accordingly.

Spooner: Right. I don’t know if PCI’s the right body, but I agree 100% with what Nichole’s saying here, is that if it’s not PCI, then maybe some other regulatory body gets created, or some other compliancy gets created that’s just for social networking. Because you’re not going after what the modern day definition of secure information is, which is your credit card or social security numbers or any of your health information. But it’s still technically information that you don’t want to get out there. Your mother’s maiden name, your last name, your friends, your preferences. And that’s just completely different definitions of what is secure information. We need to build up a system that accepts those data points as quote-unquote secure, and that they should be regulated and guarded and complied to through a set protocol.

Philip: Right. And then keep in mind, now I’m going to argue on behalf of the social networking sites for a moment. If they’re going to be required to keep certain data secure, that doesn’t stop you, the end user, from posting on—let’s stick with Facebook. I post my credit card number on Facebook. I don’t care how secure it is in this Facebook network. The fact that I just posted it online. ‘Cause there are companies, you can take a picture of your cat and put it on your credit card. If you post it online to show your personalized credit card, I don’t care how secure the Facebook network is. You’re the one who just exposed your credit card number online.

Nichole: We can’t solve stupidity, can we?

Philip: That is very true. [LAUGHTER]

Spooner: If only we could.

Philip: If only we could.

Nichole: There’s got to be a pill for that.

Spooner: Awesome. Philip, thanks so much for coming on the show today. Before we say our final goodbye, we’re going to ask you the lighting round questions.

Philip: Uh-oh. OK.

Spooner: Everyone’s favorite part of these podcasts. Four simple questions. Off the top of your head, I want you to give your response. Don’t think about it, don’t give us a paragraph. Just a simple one-word or phrase answer is going to be great. Are you ready?

Philip: Sure.

Spooner: All right. Question 1: what do you think really works in marketing right now?

Philip: Knowing your target audience.

Spooner: Question 2: what do you think is broken in marketing right now?

Philip: I’ll say the “one size fits all,” which it doesn’t.

Spooner: Question 3: if you could advise a CMO to focus on improving on part of their business, what part of the business would you choose?

Philip: What are they trying to promote? What’s their niche? That’s what they should promote.

Spooner: And question 4: what gets you excited when you think of the future of marketing?

Philip: That with the Internet, literally the sky’s the limit. I mean, you can touch literally hundreds of millions of people with the click of a mouse.

Spooner:  I love it. Those were all great responses.

Philip: Thank you.

Spooner: Philip, again I want to thank you for coming on to the podcast today on Explore Marketing Uncensored. You gave us a lot to think about and you might have caused a couple sleepless nights also, but it’s all good. We all need to be a little bit more aware of what we’re agreeing to in those end user license agreements.

Philip: Thanks for having me. It was my pleasure.

Spooner: Fantastic. Nichole Kelly, always a pleasure to have you on the podcast.

Nichole: Thank you so much, and thank you, Philip.

Philip: Thank you. My pleasure.

Spooner: My name is Jason Spooner. Everyone, have a great day.

Did you enjoy this blog post? If so, then why not:Leave Comment Below | Subscribe To This Blog | Sign Up For Our Newsletter |

About Jason Spooner

Jason Spooner

Jason Spooner is the Director of Client Services for SME Digital, the digital marketing extension of Social Media Explorer. During his career as a digital strategist, Jason has worked with a variety of large and small companies including: NAPA AUTO PARTS, NASCAR, Kraft, Wal-Mart and Wrangler. His passion: creating powerful digital marketing strategies that drive results. Oh, and he does improv comedy. Follow his antics @jaspooner.

Other posts by

Comments & Reactions

Comments Policy

Comments on Social Media Explorer are open to anyone. However, I will remove any comment that is disrespectful and not in the spirit of intelligent discourse. You are welcome to leave links to content relevant to the conversation, but I reserve the right to remove it if I don't see the relevancy. Be nice, have fun. Fair?