Underdone: Autopsy of an OverDrive EULA

Background: OverDrive and its Media Console

This post is the long one.  If you don’t want all the details and legalese, you might prefer the executive summary.

OverDrive is stuck in the middle between various library systems/consortia and publishers (i.e. content providers).  Tension between libraries and publishers is nothing new, but when OverDrive’s letter announced new DRM content license terms limiting the total circulations of a given eBook, librarians were deeply and vocally perturbed.  Many focused their response on the publisher pushing the changes, identified as HarperCollins, even calling for a total boycott of their titles.  (Despite my local paper’s total misquote, I was not one of them.)

Simultaneously, many library folks — myself included — started to ask if OverDrive was adequately representing our interests.  Are they a reliable agent for the kind of changes we want?  To that end, I decided to evaluate the other licenses OverDrive created, namely those applied to their freely available software, OverDrive Media Console (OMC).  As I see it, OverDrive’s potential customers and the existing “Library Partners” addressed in their letter are ethically obligated to review this software, even if they themselves do not use a given app (e.g. OMC for Android), inasmuch as libraries are acquiring, advertising and supporting the availability of content that is accessed exclusively via OMC.  No other means to get the content is provided, and patrons will naturally extend the trust they have in the library to the software required to access the library’s collection.  Our selection constitutes an endorsement.

It’s like buying books for a collection to be housed at a new 3rd party location: you would want to know exactly what kind of availability, security, conditions for access, and overall service your patrons will encounter there.  Also, as a pragmatic concern, when a patron asks “Can I read this on my [x]?”, it would be good to have an answer and some informed expectations about OMC functionality, compatibility, etc.

Of the six OMC platforms supported, I started with the current OMC for Windows, version 3.2.  I found some remarkable and troubling things.  But first, more dry background.

Background: EULAs

EULAs are legally unsettled territory, attempting to bind a software user to restrictions on installation, use, environment, number of users, distribution, sale, resale, etc.  Diverging U.S. Court opinions aside, EULA’s are common commercial practice, despite or perhaps precisely because most users never read them.  At core they attempt to change software from a sold product to a contracted service… with various essentially arbitrary conditions.  This is structurally similar to the change now being attempted with the transition of content from printed products to DRM-licensed eBook/eContent services.  Unlike users, libraries do not enjoy the luxury of being able to ignore license issues, even if they have until now.

That being said, here I’m trying to focus on problems specific to this one EULA (installed as the file MediaConsoleEULA.rtf), rather than the big systematic issues.  Unless otherwise noted, all quotes are from that document.

Analysis

And now the troubling part.  The OMC EULA is the product of obvious cut-and-paste composition and questionable original language.  It repeats and contradicts itself and contains nonsensical references.  More seriously, it disqualifies OMC from all pertinent uses, levies prohibitions against libraries specifically, attempts to obligate the user to illegal or impractical conditions, and indicates an unlicensed open-source dependency.  You might do well to read that again.

That is: there’s nothing you can use it for, especially not in libraries, it’s a liability, and it’s stolen.

Structural Problems

nothing in this Agreement gives you the right, title or interest in Software except for your limited express rights granted pursuant to Section 1 of this Software License Agreement

This is clearly pasted from another document.  There is no Section 1: the OMC EULA does not have numbered sections.

 

Licensor grants [license]… for evaluation and testing purposes only.

This statement alone disqualifies use in production or for regular use by patrons.  As reiterated explicitly later:

Licensor has advised you that you may use Version 3.2 of the Software to test and evaluate its use but may not rely on Version 3.2 release of the Software for any commercial purpose whatsoever… You agree to limit your use of Version 3.2 of the Software to activities that are evaluation and testing related and not for any production purposes.

So consider: when you last paid your content subscription/renewal, did it feel like it was just an experimental beta-test?   Or when your patron is reading a popular title, which purpose is it: evaluation and/or testing?  It’s neither, meaning our intended use is already outside the scope of this license.

This is the type of clause I would expect to see in a totally different software model: shareware, where the software disables itself automatically after a set number of days unless purchased/unlocked.  Regardless of the purpose of the full version of the software, the purpose of the shareware version is just testing and evaluation.  Paid/unlocked versions often come with a superseding license covering production use and conferring a different level of support.  OMC needs a license that supports actually using it.

Library-Specific Prohibitions

The Software is for your personal, non-commercial use. You shall not download and/or install the Software on public Internet terminals and/or computers, without prior written permission from OverDrive.

According to some early OverDrive implementers, the motivation here was apparently to drive sales of OverDrive Download Station, originally sold installed as a turnkey system at the wishful price of $10,000.

In practice, this means a patron who finds interesting content at your OPAC terminal must leave your library and go home, log back in to your OPAC (or OverDrive’s site, selecting your library), search for the same item, access the same content actually paid for by the library they just left, having installed the same software this clause prevents you from providing them.  Does this seem like a reasonable service to you?

Forced Upgrades

IMPORTANT: During the term of this License Agreement, Licensor may make available to you upgrades and revisions to the Software including the production version of the Software. In the event Licensor releases and makes available by posting on Licensor’s website at www.overdrive.com any upgraded or replacement version of the Software, you shall obtain such newer version and cease use of the prior release of the Software… You are advised that Version 3.2 of the Software may contain bugs and may change during the Version 3.2 rendering the Software incompatible with other software.

This section’s header is apt: it is IMPORTANT.  Under these terms, utilizing this software obligates you, at unknown and arbitrary times to immediately stop using the existing installed version and get the new one, intending to force you to the next release.  However, that means that the rollout cannot be controlled like any other normal upgrade process.  You cannot stay on the stable version while you wait for a particular bug your library cares about to be fixed, certain features to be completed, testing in your network environment, testing on your hardware, preparation of additional documentation, etc.  Upgrades could include severely negative changes, like dropping support for certain formats, or just break, completely failing to install or not running at all on your deployed operating systems.

The forced upgrade is totally unnecessary from a technical perspective.  If OverDrive wants to mandate upgrades of clients that are too old, all they need to do is have their server reject connections from those versions.  Then minor releases can be posted without burdening every last user of the old version(s) to drop everything and upgrade.  A contractual killswitch expecting users to obsessively check their site is not a valid approach.

More the to point, the license terms associated with the next version are unknown.  Since the license is version-number-specific, the future license explicitly cannot be the same one.  Also unspecified: cost.  With this provision, a user is essentially agreeing to a contract where the other party can not only terminate the contract, but also replace it with entirely new terms.  This sort of overreach is prima facie unconscionable, i.e. illegal.  We wouldn’t agree to it when buying a car or selecting an ILS, and we shouldn’t ask our patrons to agree to it here.

 

Test and Evaluate What?

In case you missed the implication: you are limited to testing and evaluation, but when the new version comes out, you will get zero time to test and evaluate.  But it gets worse:

You shall not use the Software to develop any software or other technology having the same primary function as the Software, including but not limited to using the Software in any development or test procedure that seeks to develop like software or other technology, or to determine if such software or other technology performs in a similar manner as the Software.

This is not just a reverse-engineering clause (that appears elsewhere).  We have an explicit interest in “other technology” with the same “primary function”, namely to retrieve and display/play remote content, optionally copying it to portable devices.  For example, imagine a hypothetical “iTunes for Libraries”,  ”Amazon MyLibrary” or Hathi companion plug-in for Chrome, etc.  If followed, this clause would prevent us from even making simple feature comparisons between OMC and it, or any other possible competing (or even supplementing) technologies.  Acceptance would constitute a permanent prejudicial preference for OverDrive in purchasing: on a technical level, we would not be allowed to compare OMC head-to-head or profile its performance.  Clearly no administrator in public office could agree to such a condition.

So no time to test and we cannot evaluate against anything, not even against other versions of OMC.  By my count, that effectively excludes the last remaining legitimate allowed uses of OMC: by its own terms, it is good for ∅.

 

Content Restrictions

In order to secure content from publishers, OverDrive is expected to maintain the protections publishers apply to it.  Some terms acceptable to one library might be refused by another.

The “DIGITAL CONTENT” section and the final section are modified incompatible versions of each other.  The “RESTRICTIONS” section and the final section are modified incompatible versions of each other.  Problems include:

  • The term “Content” is defined multiple times, one seemingly including the Software and remote services.
  • “personal, non-commercial use” vs. “personal, non-commercial, entertainment use”:  The former may be acceptable to most, but insisting on entertainment use excludes government, technical, reference, creative and educational uses.  I don’t think libraries intend that limitation on patrons for any part of their collections.
  • “You will not redistribute, transmit, assign, sell, broadcast, rent, share, lend, modify, adapt, edit, sub-license or otherwise transfer the Content.” vs. ”You may copy, store, transfer and burn the Digital Content”:  Which is it?  Can we transfer or not?  TransferWizard.exe suggests transfer is intended.
  • “You will not redistribute, transmit, assign, sell, broadcast, rent, share, lend, modify, adapt, edit, sub-license or otherwise transfer or use the Content.”: yes, those blocked actions are listed again with one discrete difference.  You agree not to USE the Content. End of sentence.

What a disaster.  To be fair, a version of that restriction that makes sense does appear in a different section: “The Content and any other copyrighted material may not be modified, copied, distributed, shared, displayed, emailed, transmitted, sold or otherwise transferred, conveyed or used, in a manner inconsistent with the Agreement, or rights of the copyright owner.”   This is far different than the unconditional prohibitions.

The takeaway here is that license to use the software is not enough: your patrons need to be enabled for all non-infringing uses of Content as well.  This EULA provides neither.

 

Mozilla License Violation

Each platform’s OMC is essentially a dedicated browser for retrieving files from OverDrive’s servers, with desktop version accompanied by various plug-ins for connecting to portable devices.  Writing a robust, speedy graphical browser is a complex and difficult task.  For reliability and speed of development, I would not be surprised to see that OverDrive started with Mozilla, the mostly widely used open source browser engine in the world.  In fact, in the “THIRD PARTY ACKNOWLEDGEMENTS” section, they specify:

Portions of the Software utilize or include materials that are subject to the Mozilla Public License Version 1.1. (“License”). You may obtain a copy of the License at www.mozilla.org/MPL/.

OK.  Defining “License” here is not helpful, because it isn’t used in the document subsequently.

But more importantly, none of the MPL 1.1 conditions were followed: specifically, for example, sections 3.63.23.3, 3.5, etc.  The Covered Code is not identified, the changes are not described, and the source code is not made available.  Each of these is a dealbreaker.

Without the required disclosure it is unclear what code is MPL-licensed, so we don’t know how much of the application is implicated or where it came from (further analysis required).  It could be a lingering mistake, or it could be they appropriated the entire browser engine.  Until fixed, it is invalid for anyone to use or distribute OMC.

Conclusion

Although it has been in use since April 2010, it is unclear whether any party involved has taken this EULA seriously yet.  But about now we are going to have to: libraries can neither use nor recommend using OMC 3.2, and OverDrive cannot legally distribute it.

As the rest of this post demonstrates, this is not just a question of MPL-compliance.  The EULA is unacceptable and plain erroneous on at least a half dozen other counts.   The common principles libraries must insist on are:

  • stable production-release for real use,
  • no (contractually) forced updates,
  • preserve users’ rights to all non-infringing uses of Content,
  • contractual coherence, and
  • contractual completeness, covering all included code.

These should be unobjectionable because none limits the legitimate rights of OverDrive or content providers.  But it will likely take sustained attention from OverDrive’s major customers to produce an agreeable document.  Similar scrutiny should be applied to the OMC code and licenses for other platforms: Android, iPhone, BlackBerry, Mac OS and Windows Mobile.

In separate post(s), Library Hacker will look at the strategic ramifications of the problem.

About Joe Atzberger

Joe Atzberger (atz) is a library hacker in Columbus, Ohio. He worked with Galen at both LibLime and Equinox Software, Inc. as an open source developer on Koha and Evergreen. Joe maintains several modules related to library system integration, including Business::EDI on CPAN and the problematic SIPServer repo on github.

3 Responses to Underdone: Autopsy of an OverDrive EULA

  1. Pingback: Executive Summary: Autopsy of an OverDrive EULA | Library Hackers Unite!

  2. Alicia says:

    Brilliant! Kudos to you for actually reading this shoddy excuse for a license agreement (though aren’t they all?) How can we trust a vendor that cuts and pastes and publishes such a document to represent our interests? Or one who appropriates, without proper attribution, Open Soure software as its own intellectual property? Librarians, caveat emptor!

  3. Joe Tho says:

    Well done, Joe. I rarely read *all* of a eula, and this one was a great one for you to dissect. Well done! -Joe Tho