When people started complaining about the Google Chrome EULA, it seemed obvious to me that it was a copy and paste error- old language, copied into a new situation where it didn’t quite fit. But after Google explained that they had just reused language from other licenses, Gizmodo noted:
It’s not that I don’t trust Google, but the Ctrl+C, Ctrl+V explanation .. seems like an odd oversight for a product in secret, heavy development for close to two years.
Explaining why it isn’t that odd might give people a little better understanding about how corporate lawyers work, and maybe even what this does (and doesn’t) teach us about Google and privacy.
First thing this teaches us: Lawyers (like programmers) copy and paste whenever they can. On the plus side, a document that is copied is usually battle-tested- so you know you’re getting something that covers all the bases, generally does the right thing, and has no known errors. If you wrote it from scratch, you might forget or overlook something, and that would be a problem. And lawyers are expensive- so if the copy and paste saves them time, it saves you money. On the down side, a copied and pasted document sometimes doesn’t fit the new situation perfectly; for example, old language could take on new meaning when the software grows new functionality- which appears to be what bit Google here. Given lawyers’ love of ctl+c and ctl+v, this doesn’t seem that odd.
(Corporate lawyers in particular are notorious for copying and pasting, to the point that some venture capital groups provide their own legal documents, since they figure your lawyers are going to be copy and pasting anyway.)
Second thing this teaches us: lawyers are human too. Your eyes glaze over after reading just one of these EULAs, and corporate lawyers who work in this area can easily read hundreds of these, all very, very similar. This doesn’t excuse the mistake that happened here- lawyers are well paid to avoid exactly this kind of problem. But at the end of the day we’re only human- after reading the same phrases a thousand times, it isn’t too ‘odd’ that sometimes we miss the wrinkle that gives the same old sentence an entirely different meaning like it did here.
Third thing this teaches us: among lawyers, programmers are notorious for doing things first and asking the lawyers to check it over later, even the night before (or the day after!) the release. I have no idea if that is what happened here- it could well be that the lawyers were consulted from day one, and Google generally seems well-organized about this sort of thing. But it is quite possible that even in a two year project like this one the lawyers were called only weeks, days, or hours before the website went live- obviously increasing the odds of a mistake like this one. Again, lawyers are well paid to do things under pressure- so this shouldn’t have happened- but it isn’t too surprising.
What this doesn’t do is teach us much about Google, Chrome, and privacy.
First, we still don’t have a great idea what other privacy problems there are with Chrome. Google may no longer be claiming to own everything you publish on the web, but there is still a lot of data going from you to them, and I for one still haven’t seen a good analysis of that.
Second, some people have claimed that this shows us that when there is a public outcry, Google will respond, and therefore there is no need for government privacy regulation. I’m not convinced government privacy regulation is a good idea, and Google may well be very responsive to market forces. But the idea that this incident shows that Google reacts to the market is fairly ludicrous- remember, what we’re talking about here is correcting a copy and paste error. So, yes, we’ve proven that when a Google lawyer accidentally gives them the ability to do something they have no intention to do, they’ll fix the lawyer’s accident. But this tells us nothing about how they’ll respond when they actually consciously choose to collect data- they famously did nothing when there were huge complaints gmail and privacy, and their response when people actually take them to court seems to be that “complete privacy does not exist.”
So was this mistake odd? Not really. But it tells us a lot more about how lawyers work than it tells us about Google, Chrome, and privacy.
for the cash but we’re going to mess your machine up in a way you can’t fix, becuase we think you may be a thief but not one smart enough to actually get round the harm we’re doing.” EA calls you dishonest and dumb, even after these “concessions”.My comment on Luis Villa’s Blog / what you can (and can’t) learn from Google’s EULA mistakeKeeping a note of my comment, because I think this is an important point both for my client/colleagues and for others. By the way, Luis, I wish your blog kept the name entered when OpenID is used to authenticate.
My observation is that in addition to preferring to just copy/paste, lawyers tend to be maximalists when doing the copy/paste. That makes it so that not only do they have battle tested wording, but as you noted it also means they avoid the blank document problem where something they would have liked to have in the new agreement got left out because they forgot to copy and paste it.
So it is entirely possible that, without paying too much attention to the particular service in question, the lawyers responsible for the Chrome EULA just put all the boilerplate in to cover all possible bases.
In a normal contract negotiation the inappropriateness/ridiculousness/heinousness gets negotiated out up front, but when you’re doing it in a EULA, you get to do the dance in public.
There seems to be one pretty good analysis of the Chrome security issue at the Security Now podcast http://twit.tv/sn161 Highly recommended.
[…] about how lawyers work than it tells us about Google, Chrome, and privacy. Post a comment — Trackback URI RSS 2.0 feed for these comments This entry (permalink) was posted on Thursday, September 18, 2008, […]
“there is no need for government privacy regulation”
Only works if the entities eroding your privacy have a strong commercial incentive to play nice with you which is not the general case.
You missed the most important point actually entirely. It was that it was a grave usability bug. Who cares about eulas (which are legally void in most of the countries anyways) and the rest of BOOOHOOO that there has been on ignorant forums such as /. What matters is the user.
rawsausage: and that is different from all other eulas how? (serious question; I’m not seeing why this is different or what it teaches us that we didn’t already know, which is the point of the whole thing.)
nicholas: the point of the linked article is that this demonstrates that the reaction to the outcry means that there is a strong commercial incentive. I obviously disagree, or at least, I disagree that this incident proves that to be the case.
I didn’t say it was different. They are all moot, and when presented to the user, usability bugs. That’s how the whole thing should have been handled: a bug report.
[…] Villa: What you can (and can�t) learn from Google�s EULA mistake. “So, yes, we�ve proven that when a Google lawyer accidentally gives them the ability to do […]
[…] Luis Villa’s Blog / what you can (and can’t) learn from Google’s EULA mistake "So was this mistake odd? Not really. But it tells us a lot more about how lawyers work than it tells us about Google, Chrome, and privacy." (tags: luisvilla google chrome privacy legal lawyers eula) […]
I’m afraid I have to disagree with your generalisation, Luis. When lawyers are working on bilateral agreements, I agree with you that this is exactly what happens. And I agree with you too that when lawyers are creating normal EULAs this is pretty normal – it’s effectively a “mass bilateral” situation, with the corporation at the “hub” and the consumer-victims at the “spokes”. But when you’re dealing with a community, in a mashed-relationship context, behaviour like this is a clear sign of disdain for the community if it’s repeated.
I know because it used to happen on Java licensing. The licenses were written on a “mass bilateral” basis, with concern only for what Sun got out of the deal. But that stopped with open source. We no longer use a legal document just because the lawyer said it was right. They may build it with cut & paste, but we exhaustively review all the terms used, and we show everyone on the leadership team – including developers – to get their view. We try to include community members too, and we even approach outsiders when possible. The resulting agreements are always the product of team review to make sure everyone is treated fairly. We still make mistakes, but they are normally subtle ones these days.
I hope the Chrome mess-up was indeed a one-off and a lesson learned. Development in the community needs a different attitude, and that includes the legal agreements. If you respect your community, you don’t make mistakes like this. Not twice, at any rate.
it’s funny, the more i use Chrome (for windows), the more unstable it seems to get… crashes a lot more, can’t handle sites with flash, hangs every time i close a tab… all that to say, i’m switching back to Firefox
[…] get round the harm we’re doing.” EA calls you dishonest and dumb, even after these “concessions”.My comment on Luis Villa’s Blog / what you can (and can’t) learn from Google’s EULA mistake Keeping a note of my comment, because I think this is an important point both for my […]
[…] What you can (and can’t) learn from Google’s EULA mistake (Luis Villa is with the Columbia Law School!) “Lawyers (like programmers) copy and paste whenever they can.” […]
webmink: I didn’t have space to put it in this piece, but it does seem that they made this mistake previously with Google Code. It does seem that they need better review processes for their legal work; but I still think the core error here is sloppiness rather than ‘disdain’ or some kind of malicious intent.
[…] post: dh.util._load(); what you can (and can’t) learn from Google’s EULA mistake When people started complaining about the Google Chrome EULA, it seemed obvious to me that it […]
[…] educate me otherwise (please). My principal hope following this incident – and the Google Chrome EULA mishap that preceded it – is that the software industry feels compelled to take a harder look at the […]
An interesting comparison is the community outrage over Mozilla’s initial insistence on an EULA when Firefox 3.1 starts. People wouldn’t stand for it, and Mozilla backed down. (That they never figured it would result in the reaction it got is more than a little surprising, but anyway …)
[…] safety watchdog, B2fxxx, 12:01 Norwegian test case to open iTunes drm, B2fxxx, 10:42 what you can (and can?t) learn from Google?s EULA mistake, Groklaw NewsPicks, 08:54 WiMax World: At the Hotel Cass, Sidecuts Report, 07:13 Online […]
[…] what you can (and can�t) learn from Google�s EULA mistake […]
[…] My comment on Luis Villa’s Blog / what you can (and can’t) learn from Google’s EULA mistake SAVE Keeping a note of my answer, because I think this is an important point both for my client/colleagues and for others. […]
[…] The document has moved here. […]