An Israeli software company that has developed a popular program is currently contending with a complex public relations crisis. The software developed by it is distributed free of charge and in order to produce income the company displays advertising to the program's users. The product has become very successful and the number of users is estimated at many milion around the world. However, for about two weeks an e-mail has been circulating amongst the program's users, claiming that the new version of the program contains a component that transmits information to the company from the hard drive of the users' computers. Such a component is called "spyware". In response, the company has had to publish strong denials, stating that it neither collects nor is intending to collect information about the sites that the program's users have visited and that all that it does is to monitor how many times its program has been used and to which advertisements the user has been exposed.

It would appear that according to the Israeli law there is nothing legally wrong with a transaction in which a recipient who uses something for nothing - a successful program in the case herein - undertakes, in consideration, to be exposed to advertising or even to give some information about himself. So long as it is done by agreement, it would be difficult to find it illegitimate according to existing law, even if the user is willing to give his most intimate details. An infringement of privacy is something done without consent (section 1 of the Protection of Privacy Law). Obtaining informed consent in advance negates a possible plea of privacy infringement. In the world of software, consent is obtained by "clicking and accepting". In the process of installing the program a contract is presented to the user and he is required to confirm his consent to it by clicking on the button marked "I agree". If there is one specific lesson to be learned from this particular affair, it is that the intelligent use of "click and accept" agreements can avoid, or at least limit, damage to the image and business of software companies or Internet sites.

At the time of installation a user of the program herein is presented with two screens containing legal text. The first explains in simple terms that the program is supported by advertisements. Its wording is short and clear. It merely tells the user that when he connects to the Internet he will receive new advertisements instead of those that have expired. The user happily confirms his agreement and moves on to the next screen. Here again a legal text awaits him, this time long and detailed. The innocent user might believe that the privacy issue has already been dealt with - at the previous stage it was explained to him how the program's advertising mechanism works. Now, as is his wont, he can click "I agree" without even reading the text. Not in this case. The Israeli company has arranged a few surprises in the licence that it is asking the user to approve. In view of this, it can be understood why the complaint that the company is supposedly monitoring its users has been so resounding, despite the fact that the company strongly maintains that the complaint is unfounded and faithfully promises that it gives top priority to safeguarding its customers' privacy.

• In the software licence the company reserves its right to make functional changes to the program, including to the elements relating to privacy, at any time in its absolute discretion and without notifying the user in advance...
• The user acknowledges that the program's use is subject to the company's policy, as appearing on its Internet site. The policy conditions are not displayed during the installation process and the company can alter them at any time. Notice of the change will be published in the program (conveniently) or on the company's Internet site. The user will be treated as agreeing to the new conditions if he carries on using the program after the change has been published. However, if the announcement appears on the company's Internet site, how can it be legally presumed that the user has seen it and is subject to it? The Standard Contracts Law, 5741-1981 expressly provides that a condition that vests a supplier with unreasonable power unilaterally to alter the conditions of a contract is an unduly disadvantageous one and void.

• Appendix "A", which details the company's privacy policy, appears at the end of the licence. On reading the policy it transpires that the company reserves its right to do exactly what it is now trying to persuade us that it will not do. The company may collect information about the user's computer definitions and other technical information, including (but not only) about his operating system, the browser version that he has, the version of the company's program that he is using, information about his connections to the Internet, telecommunications parameters and also "other information concerning the program's operation". What is this mysterious other information? The licence is silent. Should the user, for example, suspect that information is being collected about his exact use of the program or of the Internet sites that he has visited?
• Although the company promises that the information that it shares with advertisers relates solely to configurations, it does not undertake in clear and open terms, as customary in statements of the type, that it is not in possession of information that could personally identify the user and that it will not share with third parties information that does personally identify users. Indeed, later in the installation process the user is asked to give various information, like his e-mail address, age, sex, occupation and more.
• The company states that it collects information about habits relating to the use of the program in order to help it individually tailor offers to users. If so, the user who takes the trouble to read the contract will wonder whether or not the company is collecting personal information?
• Nor does the privacy policy put an end to all the surprises of the licence. It is followed by... another agreement. This time it is with another Israeli company, which developed the advertising system embedded in the program. Although this particular company does undertake not to collect information that personally identifies the user, it nevertheless obtains the user's express permission to utilise the information that he gives in the program registration process in order to decide which advertisements will interest him. Another surprise - if the user thought that the information he gives on registration (e-mail, age, country of residence, occupation etc.) will only be transferred to the first company, ought he to understand that the information will also be given to the company that administers the changes of advertisement? Does this second company cross-link information that comes from various programs, which use its product in order to create a particular user profile?

• Finally, the original company states that users who do not want advertisements (that is to say that they wish to dispel the fear of any personal information being disclosed) can purchase the professional version of the program for $ 20. The innocent purchaser will be amazed to discover that the agreement that he is asked to approve in the case of the professional version is exactly the same as the contract described above. So what advantage does he gain by spending his money?

The prootection of privacy in the information environment is raising ever-increasing concern. It appears that the software companies have not yet got the message, at least not in this particular case. The legal documents drafted by them entitle them to do exactly what they claim they have no intention of doing. If that is the case, why are those provisions necessary? If they are waiting there for the day of reckoning, then perhaps the users' concern is justified. If they are not necessary, they ought to be removed immediately and the company's protection of privacy practices unequivocally explained and any misunderstanding dispelled. A contract does not always have to keep all the options open. It should certainly not do so when a standard contract is involved. That is not only intelligent legal practice but, more important, it is also sensible commercial practice. So far as the law is involved, the legislature ought to consider amending the Standard Contracts Law in such a way as to provide that a condition that unreasonably infringes privacy is an unduly disadvantageous one and void.

Translated by Word Power