Configuration paralysis

I made a mistake last night helping set up a WordPress blog for my wife (and shamelessly, I’m offering up a link to it). Since this is the first time she’s used WordPress, after getting the domain and installing the software, I sat down with her to go through the configuration options. General settings, easy. Commenting settings, easy. Permalink settings, easy (gotta keep those URIs cool). Then we moved on to picking a theme.

Oops.

As of this writing, WordPress has over 1,300 themes. Two-column? Three-column? Graphics-heavy? Light? Take your pick. Furthermore, many themes have configuration options of their own.

We quickly realized that she could easily have spent the next few hours, or days even, agonizing over picking the right theme, then tweaking it until it was just perfect. But even after all that, how could she be sure she had got it right? Design decisions are always at least a bit uncertain.

But for most people, the point of blogs isn’t the design, it’s the writing. Time spent tweaking the theme is time not spent using the software for its customary purpose, posting. And especially for a first-time blogger, you can’t really know if you want a particular widget or plugin until you’ve spent some time in the trenches. Consequently, we backed off, stuck with the default WordPress theme, and my wife started writing. The only change we made to the appearance was replacing the header graphic.

There are no doubt some people whose optimal learning style is to go through all of the configuration options first. However, I suspect it is far more common for people to learn software effectively by using it. Show too many options up front, and you risk paralyzing their decision-making.

Executive Summary: Autopsy of an OverDrive EULA

I examined the software license (EULA) for the freely available application OverDrive Media Console (OMC) version 3.2 on Windows, released almost exactly one year ago.  It is required for library staff and patrons to use some version of OMC to access content from OverDrive, so when we buy OverDrive content, we are endorsing use of OMC.  We aren’t buying that software per se, but we have an interest in its soundness and legitimacy.  Unfortunately, upon examination I concluded it is neither sound nor legitimate.

The EULA is poorly composed, with nonsensical references, contradictions and copy/paste sloppiness.  In fact, many of its terms prevent the user from practical use (see the full writeup for details).  But the top major issues are:

  • OMC is explicitly not “production” software.  Use is restricted to “testing and evaluation”.  This provision is typical of shareware, not mature client applications.  Library patrons and staff need license to actually use OMC for real.
  • Forced upgrades: the user is obligated to upgrade immediately when OverDrive posts a new version.  Besides being impractical, the license, functionality and potential cost of the future version are not specified.  Therefore, the EULA constitutes a “contract of adhesion”.
  • Mozilla Public License violation: OMC includes code from 3rd parties, including some licensed under Mozilla Public License (MPL) version 1.1.  But the terms of that open source license are not fulfilled, meaning it is invalid for anyone to use or distribute OMC.  It is unclear what code is MPL-licensed, so we don’t know how much of the application is implicated (further analysis required).  It could be a lingering mistake, or it could be they appropriated the entire browser engine.

There are both practical and strategic implications for OverDrive customers.  At a minimum, OverDrive will be notified and given a chance to fix things.  They must stop distributing OMC 3.2.  In order to have a satisfactory subsequent release, they must revise the EULA and probably overhaul some code.  They can choose MPL-compliance or no MPL code.  However, libraries would do well to see their other issues addressed in the next release as well.  The MPL issue is not the only dealbreaker.

On a broader level, I think some libraries will interpret this as a character finding against OverDrive.  They are the agents we are trusting to negotiate content licenses with publishers.  For their EULA terms to be so inadequate and haphazard while their software fails to live up to its own license requirements suggests they are not well suited for the task.

Of course, that we haven’t noticed these problems for an entire year doesn’t reflect well on libraries either.  If we are going to be well suited to the task, the time to get serious is now.

Underdone: Autopsy of an OverDrive EULA

Background: OverDrive and its Media Console

This post is the long one.  If you don’t want all the details and legalese, you might prefer the executive summary.

OverDrive is stuck in the middle between various library systems/consortia and publishers (i.e. content providers).  Tension between libraries and publishers is nothing new, but when OverDrive’s letter announced new DRM content license terms limiting the total circulations of a given eBook, librarians were deeply and vocally perturbed.  Many focused their response on the publisher pushing the changes, identified as HarperCollins, even calling for a total boycott of their titles.  (Despite my local paper’s total misquote, I was not one of them.)

Simultaneously, many library folks — myself included — started to ask if OverDrive was adequately representing our interests.  Are they a reliable agent for the kind of changes we want?  To that end, I decided to evaluate the other licenses OverDrive created, namely those applied to their freely available software, OverDrive Media Console (OMC).  As I see it, OverDrive’s potential customers and the existing “Library Partners” addressed in their letter are ethically obligated to review this software, even if they themselves do not use a given app (e.g. OMC for Android), inasmuch as libraries are acquiring, advertising and supporting the availability of content that is accessed exclusively via OMC.  No other means to get the content is provided, and patrons will naturally extend the trust they have in the library to the software required to access the library’s collection.  Our selection constitutes an endorsement.

It’s like buying books for a collection to be housed at a new 3rd party location: you would want to know exactly what kind of availability, security, conditions for access, and overall service your patrons will encounter there.  Also, as a pragmatic concern, when a patron asks “Can I read this on my [x]?”, it would be good to have an answer and some informed expectations about OMC functionality, compatibility, etc.

Of the six OMC platforms supported, I started with the current OMC for Windows, version 3.2.  I found some remarkable and troubling things.  But first, more dry background.

Background: EULAs

EULAs are legally unsettled territory, attempting to bind a software user to restrictions on installation, use, environment, number of users, distribution, sale, resale, etc.  Diverging U.S. Court opinions aside, EULAs are common commercial practice, despite or perhaps precisely because most users never read them.  At core they attempt to change software from a sold product to a contracted service… with various essentially arbitrary conditions.  This is structurally similar to the change now being attempted with the transition of content from printed products to DRM-licensed eBook/eContent services.  Unlike users, libraries do not enjoy the luxury of being able to ignore license issues, even if they have until now.

That being said, here I’m trying to focus on problems specific to this one EULA (installed as the file MediaConsoleEULA.rtf), rather than the big systematic issues.  Unless otherwise noted, all quotes are from that document.

Analysis

And now the troubling part.  The OMC EULA is the product of obvious cut-and-paste composition and questionable original language.  It repeats and contradicts itself and contains nonsensical references.  More seriously, it disqualifies OMC from all pertinent uses, levies prohibitions against libraries specifically, attempts to obligate the user to illegal or impractical conditions, and indicates an unlicensed open-source dependency.  You might do well to read that again.

That is: there’s nothing you can use it for, especially not in libraries, it’s a liability, and it’s stolen.

Structural Problems

nothing in this Agreement gives you the right, title or interest in Software except for your limited express rights granted pursuant to Section 1 of this Software License Agreement

This is clearly pasted from another document.  There is no Section 1: the OMC EULA does not have numbered sections.

Licensor grants [license]… for evaluation and testing purposes only.

This statement alone disqualifies use in production or for regular use by patrons.  As reiterated explicitly later:

Licensor has advised you that you may use Version 3.2 of the Software to test and evaluate its use but may not rely on Version 3.2 release of the Software for any commercial purpose whatsoever… You agree to limit your use of Version 3.2 of the Software to activities that are evaluation and testing related and not for any production purposes.

So consider: when you last paid your content subscription/renewal, did it feel like it was just an experimental beta-test?   Or when your patron is reading a popular title, which purpose is it: evaluation and/or testing?  It’s neither, meaning our intended use is already outside the scope of this license.

This is the type of clause I would expect to see in a totally different software model: shareware, where the software disables itself automatically after a set number of days unless purchased/unlocked.  Regardless of the purpose of the full version of the software, the purpose of the shareware version is just testing and evaluation.  Paid/unlocked versions often come with a superseding license covering production use and conferring a different level of support.  OMC needs a license that supports actually using it.

Library-Specific Prohibitions

The Software is for your personal, non-commercial use. You shall not download and/or install the Software on public Internet terminals and/or computers, without prior written permission from OverDrive.

According to some early OverDrive implementers, the motivation here was apparently to drive sales of OverDrive Download Station, originally sold installed as a turnkey system at the wishful price of $10,000.

In practice, this means a patron who finds interesting content at your OPAC terminal must leave your library and go home, log back in to your OPAC (or OverDrive’s site, selecting your library), search for the same item, access the same content actually paid for by the library they just left, having installed the same software this clause prevents you from providing them.  Does this seem like a reasonable service to you?

Forced Upgrades

IMPORTANT: During the term of this License Agreement, Licensor may make available to you upgrades and revisions to the Software including the production version of the Software. In the event Licensor releases and makes available by posting on Licensor’s website at www.overdrive.com any upgraded or replacement version of the Software, you shall obtain such newer version and cease use of the prior release of the Software… You are advised that Version 3.2 of the Software may contain bugs and may change during the Version 3.2 rendering the Software incompatible with other software.

This section’s header is apt: it is IMPORTANT.  Under these terms, using this software obligates you, at unknown and arbitrary times, to immediately stop using the existing installed version and get the new one; the intent is to force you to the next release.  However, that means that the rollout cannot be controlled like any other normal upgrade process.  You cannot stay on the stable version while you wait for a particular bug your library cares about to be fixed, certain features to be completed, testing in your network environment, testing on your hardware, preparation of additional documentation, etc.  Upgrades could include severely negative changes, like dropping support for certain formats, or just break, completely failing to install or not running at all on your deployed operating systems.

The forced upgrade is totally unnecessary from a technical perspective.  If OverDrive wants to mandate upgrades of clients that are too old, all they need to do is have their server reject connections from those versions.  Then minor releases can be posted without burdening every last user of the old version(s) to drop everything and upgrade.  A contractual killswitch expecting users to obsessively check their site is not a valid approach.

More to the point, the license terms associated with the next version are unknown.  Since the license is version-number-specific, the future license explicitly cannot be the same one.  Also unspecified: cost.  With this provision, a user is essentially agreeing to a contract where the other party can not only terminate the contract, but also replace it with entirely new terms.  This sort of overreach is prima facie unconscionable, i.e. illegal.  We wouldn’t agree to it when buying a car or selecting an ILS, and we shouldn’t ask our patrons to agree to it here.

Test and Evaluate What?

In case you missed the implication: you are limited to testing and evaluation, but when the new version comes out, you will get zero time to test and evaluate.  But it gets worse:

You shall not use the Software to develop any software or other technology having the same primary function as the Software, including but not limited to using the Software in any development or test procedure that seeks to develop like software or other technology, or to determine if such software or other technology performs in a similar manner as the Software.

This is not just a reverse-engineering clause (that appears elsewhere).  We have an explicit interest in “other technology” with the same “primary function”, namely to retrieve and display/play remote content, optionally copying it to portable devices.  For example, imagine a hypothetical “iTunes for Libraries”,  “Amazon MyLibrary” or Hathi companion plug-in for Chrome, etc.  If followed, this clause would prevent us from even making simple feature comparisons between OMC and it, or any other possible competing (or even supplementing) technologies.  Acceptance would constitute a permanent prejudicial preference for OverDrive in purchasing: on a technical level, we would not be allowed to compare OMC head-to-head or profile its performance.  Clearly no administrator in public office could agree to such a condition.

So no time to test and we cannot evaluate against anything, not even against other versions of OMC.  By my count, that effectively excludes the last remaining legitimate allowed uses of OMC: by its own terms, it is good for ∅.

Content Restrictions

In order to secure content from publishers, OverDrive is expected to maintain the protections publishers apply to it.  Some terms acceptable to one library might be refused by another.

The “DIGITAL CONTENT” section and the final section are modified incompatible versions of each other.  The “RESTRICTIONS” section and the final section are modified incompatible versions of each other.  Problems include:

  • The term “Content” is defined multiple times, one seemingly including the Software and remote services.
  • “personal, non-commercial use” vs. “personal, non-commercial, entertainment use”:  The former may be acceptable to most, but insisting on entertainment use excludes government, technical, reference, creative and educational uses.  I don’t think libraries intend that limitation on patrons for any part of their collections.
  • “You will not redistribute, transmit, assign, sell, broadcast, rent, share, lend, modify, adapt, edit, sub-license or otherwise transfer the Content.” vs. “You may copy, store, transfer and burn the Digital Content”:  Which is it?  Can we transfer or not?  TransferWizard.exe suggests transfer is intended.
  • “You will not redistribute, transmit, assign, sell, broadcast, rent, share, lend, modify, adapt, edit, sub-license or otherwise transfer or use the Content.”: yes, those blocked actions are listed again with one discrete difference.  You agree not to USE the Content. End of sentence.

What a disaster.  To be fair, a version of that restriction that makes sense does appear in a different section: “The Content and any other copyrighted material may not be modified, copied, distributed, shared, displayed, emailed, transmitted, sold or otherwise transferred, conveyed or used, in a manner inconsistent with the Agreement, or rights of the copyright owner.”   This is far different than the unconditional prohibitions.

The takeaway here is that license to use the software is not enough: your patrons need to be enabled for all non-infringing uses of Content as well.  This EULA provides neither.

Mozilla License Violation

Each platform’s OMC is essentially a dedicated browser for retrieving files from OverDrive’s servers, with the desktop version accompanied by various plug-ins for connecting to portable devices.  Writing a robust, speedy graphical browser is a complex and difficult task.  For reliability and speed of development, I would not be surprised to see that OverDrive started with Mozilla, the most widely used open source browser engine in the world.  In fact, in the “THIRD PARTY ACKNOWLEDGEMENTS” section, they specify:

Portions of the Software utilize or include materials that are subject to the Mozilla Public License Version 1.1. (“License”). You may obtain a copy of the License at www.mozilla.org/MPL/.

OK.  Defining “License” here is not helpful, because it isn’t used in the document subsequently.

But more importantly, none of the MPL 1.1 conditions were followed: specifically, for example, sections 3.6, 3.2, 3.3, 3.5, etc.  The Covered Code is not identified, the changes are not described, and the source code is not made available.  Each of these is a dealbreaker.

Without the required disclosure it is unclear what code is MPL-licensed, so we don’t know how much of the application is implicated or where it came from (further analysis required).  It could be a lingering mistake, or it could be they appropriated the entire browser engine.  Until fixed, it is invalid for anyone to use or distribute OMC.

Conclusion

Although it has been in use since April 2010, it is unclear whether any party involved has taken this EULA seriously yet.  But about now we are going to have to: libraries can neither use nor recommend using OMC 3.2, and OverDrive cannot legally distribute it.

As the rest of this post demonstrates, this is not just a question of MPL-compliance.  The EULA is unacceptable and plain erroneous on at least a half dozen other counts.   The common principles libraries must insist on are:

  • stable production-release for real use,
  • no (contractually) forced updates,
  • preserve users’ rights to all non-infringing uses of Content,
  • contractual coherence, and
  • contractual completeness, covering all included code.

These should be unobjectionable because none limits the legitimate rights of OverDrive or content providers.  But it will likely take sustained attention from OverDrive’s major customers to produce an agreeable document.  Similar scrutiny should be applied to the OMC code and licenses for other platforms: Android, iPhone, BlackBerry, Mac OS and Windows Mobile.

In separate post(s), Library Hacker will look at the strategic ramifications of the problem.