Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Can't We All Agree? Clickwrap Agreements
1. Can’t W All Agree?
e
A Solution for Software Clickwrap Agreements
Bill Coker
Manager of Software Licensing Management
Office of Information Technology
North Carolina State University
Bill_Coker@ncsu.edu
2. W is a Clickwrap Agreement?
hat
A clickwrap agreement is a type of contract that is widely used
with software licenses and online transactions in which a user
must agree to the terms and conditions prior to using the
product or service by clicking an “I Agree” or “I Accept”
button.
3. Clickwrap Agreement Challenges
Clickwraps are becoming more prevalent in IT
Clickwraps agreements are typically non-negotiable
Clickwraps creates logistical difficulties and approval issues for
the Office of General Counsel and Purchasing
Many users click “I Agree” without reading the terms or having
the authority to bind the university
4. Clickwrap Agreement Strategy
Implement an efficient process for reviewing and approving
clickwraps
Create a delegation of authority to approve clickwrap
agreements
Educate campus
5. A Clickwrap Awakening:
iOS Developer Agreement
Apple required an iOS developer to bind
the university to agreement
Terms of agreement violated State law
Apple would not negotiate terms
6. A Clickwrap Awakening:
iOS Developer Agreement
Written justification showing low risk for each issue
Approvals by Office of General Counsel, Trademarks &
Licensing, and Regulatory Compliance
CIO did not have signature authority
7. I’m Glad That’s Over
“I never want to go
through this process
again”
“Hopefully we won’t
have any other clickwrap
agreements”
“Surely no enterprise
solutions will employ
clickwraps”
8. Another Clickwrap Awakening:
Google Consumer Apps Pilot
Campus wants Google Consumer Apps (Blogger, Maps, Picasa,
YouTube, etc.)
Using personal accounts instead of NCSU.EDU accounts
Clickwrap agreement for the Google Apps Trusted Tester
Agreement
Every user on campus will be required by Google to click “I
Agree”
9. Looking for a Clickwrap Solution
UNC Greensboro was ahead of the curve
http://www.uncg.edu/ucn/clickwraps/approved_clickwraps.html
Google Consumer Apps approved by UNC-G’s Chancellor
Could not find solutions at other universities
10. NCSU’s Approach
On-going meetings with:
Office of General Counsel
Security Standards and Compliance
Outreach, Consulting and Communications
Software Licensing Management
Reviewed terms for desired Google Consumer Apps
11. NCSU’s Approach
Separated Consumer Apps into Four Tiers
Tier 1
Tier 2
Alerts, Feed Burner, Reader
Maps, Map Maker, Picasa,
YouTube, Blogger, Google+, Places
Tier 3
Takeout, News, Moderator, Public
Groups, Voice
Analytics, Chrome Web Store,
Google Chrome Sync
Tier 4
12. Acceptance of Terms
RISK: Any use of these services constitutes acceptance of the
Google Terms of Service
RESPONSE: These products are not made available to NCSU
users until they are activated by the NCSU Google
administrator. No user can accept the terms until all terms are
vetted by the university.
13. Ensuring Compliance of Terms
RISK: NCSU is responsible for ensuring End Users comply
with the applicable Google terms of service for each of the
Google Consumer Apps used.
RESPONSE: Students are bound by NCSU Policy 11.35.01 –
Code of Student Conduct and Employees are bound by the
various Policies, Regulations and Rules
15. Hold Harmless and Indemnify
RISK: Requires the University to hold harmless and indemnify
Google if the Service is being used on behalf of the University.
RESPONSE: The fact that the university will effectively enforce
compliance from students and employees using the Code of
Conduct and Policy, Regulations and Rules, the university
should assume minimal risk by indemnifying Google.
16. Ensuring Compliance with Federal Law
RISK: NCSU agrees that it is solely responsible for compliance
with all laws and regulations that apply to these Services,
including FERPA
RESPONSE: A FERPA Modular Course Consent and Waiver
Form has been created that allows faculty members to
customize the consent form to be applicable to the course
requirements.
17. Consent and W
aiver Form
Modified form used by DELTA
Allows faculty to customize form
based on Google Apps used and
the assignment
20. Risk Assessment Summary
Using the Risk Assessment Matrix:
Identified the Probability and Impact for each known risk
Assigned a Risk Level and Risk Assessment Level
Summarized the Findings
22. Google Apps Use Cases & Risks
“Stapler Principle”
Working with faculty who use personal Google Apps as part of
their instruction:
Identified what products are being used
How the products are being used
Identified the Probability and Impact for each known risk
Assigned a Risk Level and Risk Assessment Level
Summarized the Findings
24. Results
CIO provided limited signature authority and delegation
authority
Google Apps Trusted Tester Agreement was completed
NCSU was able to approve Tiers 1 & 2 of the Google Consumer
Apps
Google Apps made available to campus
We began working on Tiers 3 & 4
25. Moving the Process Forward
Began discussions to apply the process to other clickwrap
agreements
Created new issues since software and agreements vary so
much
26. Other Clickwrap Agreements
Identified common risks found in general clickwrap
agreements
Secure systems will utilize the software, possibly placing secure data at risk
Risk of university data exposure
Includes broad audit rights, permitting the vendor almost unlimited access to the
NCSU’s facilities, records, and systems
Contains expansive "feedback" and similar clauses that could result in the licensor
gaining ownership of intellectual property or data
Contains confidentiality or non-disclosure clauses
27. Other Clickwrap Agreements
Identified common risks found in general clickwrap
agreements
Requires the University to "hold harmless“ or "save harmless” or "indemnify" the
vendor
Limitation of liability for vendor
No limitation of liability for University
Potential litigation outside of North Carolina
Little to no warranty. Software is provided entirely "as-is"
The software is not widely distributed nor well established in the community
28. Other Clickwrap Agreements
Identified common risks found in general clickwrap
agreements
Requires all disputes to be submitted to binding arbitration
Permits vendor's agents, contractors and licensors (third parties) to have audit
rights
No protection if University is sued for third-party intellectual property
infringement
Requires University to reimburse the vendor for all attorney fees and costs
Violates other State laws not already identified
29. The Solution
Identified risks were categorized into three categories
Category 1: Common Problematic Clauses
Category 2: Unique/Challenging Problematic Clauses
Category 3: Risks arising from the Product Itself and/or
End-User Conduct or Misconduct Involving the Product
30. Category 1
Common Problematic Clauses
Limitation of Vendor’s Liability
Indemnification and “Hold Harmless” Clauses
Governing Law
Binding Arbitration
Requirements to reimburse vendor for attorney fees
31. Category 1
Common Problematic Clauses
Clauses are permitted
Office of General Counsel is constrained from “approving” the
clauses by the letter of the law
However, they are prepared to defend a business decision to
accept these clauses
This business decision is consistent with the actions of many
existing users in State government and other schools
The benefits outweigh the risks associated
32. Category 2
Unique/Challenging Problematic Clauses
Broad Audit Rights permitting vendor almost unlimited access
to NCSU’s facilities, records and systems
Grants audit rights over NCSU to vendor’s agents, contractors
and third parties
Clauses that could result in the licensor gaining ownership of
intellectual property or data
Confidentiality or non-disclosure clauses
•
Clauses permitting storage of NCSU data outside the US
33. Category 2
Unique/Challenging Problematic Clauses
•
•
•
•
Clauses are not be permitted without review
Clauses must be evaluated jointly by the Office of General
Counsel and the Office of Information Technology on a caseby-case basis
A risk assessment using the Risk Matrix must be completed
If approved, strategies must be determined to reduce risk
(educating end-users)
34. Category 3
Risks arising from the Product Itself and/or End-User
Conduct or Misconduct Involving the Product
•
NCSU’s secure systems will utilize the product, possibly placing
secure data at risk
•
Use of product may create risk of NCSU data exposure
•
Clauses restricting NCSU’s use of the product
•
Agreement contains little to no warranty – provided “as-is”
•
Product is not widely distributed nor well established in the
community
35. Category 3
Risks arising from the Product Itself and/or End-User
Conduct or Misconduct Involving the Product
•
•
Issues are typically the result of misuse or misconduct (the
Stapler Principle)
Student consent should be obtained using the Consent and
Waiver Form when the use of the software raises FERPA
concerns
36. Category 3
Risks arising from the Product Itself and/or End-User
Conduct or Misconduct Involving the Product
•
•
NCSU can treat its risks by restricting or eliminating access to
users who violate computer use policy
Behavior violating NCSU policies, state or federal laws can be
addressed under existing student, staff and faculty processes
dealing with misconduct
37. Communication
•
Communicated the clickwrap process to leadership for
feedback and approval
•
Office of General Counsel
•
Purchasing
•
Campus IT Governance committees
•
College IT Directors
•
Office of Information Technology
38. The Final Process
•
•
•
•
Software Licensing Management, with the help of the Software
Manager in the Colleges of Engineering, began reviewing
clickwraps agreements
All issues are identified as Category 1, 2 or 3
All clickwraps, issues and categories are entered into a master
spreadsheet
A risk assessment is conducted for Category 2 issues
(probability/impact) and sent to the Office of General Counsel
for review
39. The Result
•
When completed, clickwrap agreements are listed on the
Software@NC State web site
•
•
http://software.ncsu.edu/clickwraps
Clickwraps are listed with the following statuses:
•
Approved
•
Conditionally Approved
•
Denied
•
Pending
40. Be Aware
•
We can not review every clickwrap
•
•
•
Mobile device apps (iTunes, Google Play, etc.)
Device drivers
Not all open source licenses should be approved
•
Patent violations
41. Be Aware
•
Some free software has restrictions that prevents use on some
campuses
•
Overall budget
•
Non-commercial home-use only
•
Not all software has a clickwrap agreement
•
Some software states agreement by downloading or installing
42. The Response
•
•
Campus has embraced the new process and has submitted new
clickwraps for review
In the first three months, the clickwrap list grew from
approximately 100 clickwraps to more than 350
43. Maintenance
•
Every six months, the dates and versions of clickwrap
agreements are reviewed to determine if there have been
updates
•
Updated agreements are reviewed
•
New clickwraps are added when submitted
•
Outdated clickwraps and retired software are removed
44. Questions?
Can’t We All Agree?
Bill Coker
North Carolina State University
Bill_Coker@ncsu.edu