Beware "Phone Home" Functionality in Software

A growing number of software applications come complete with a means by which the software periodically transmits usage information to the licensor. The information may be nothing more than statistical information about the software, error codes, etc. However, it may also include information flagging any use by the licensee of the software in excess of the rights granted under the license agreement. This could lead to a full and invasive audit of the licensee.

This type of functionality poses several risks. Foremost among them, the software transmits data of potentially unknown content off the licensee's systems, and that data may contain the licensee's confidential information. In some cases the data is encrypted and cannot be reviewed by the licensee. Another risk is that the functionality requires the software to have an open connection to the Internet, which itself can create a security vulnerability.

For these reasons, many licensees are refusing to allow this functionality. If that is not possible, they are using warranties like the following example to mitigate potential risk:

In the event the Software contains a “phone-home”, metering, or other feature designed to periodically transmit usage, statistical or other data to Licensor, Licensor represents and warrants that the “phone-home” or other such feature (a) will not result in the transmission of any Licensee Confidential Information from Licensee's systems; and (b) the feature will not create a security vulnerability that would permit any unauthorized party to gain access to Licensee’s systems or data. Licensor further represents and warrants that the foregoing features or functionality may only send information at mutually agreed upon times and that at all other times Licensee may prevent access to the internet.
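Because a clause like the one above fixes the licensor's endpoints and the agreed transmission times, the licensee can check the software's actual outbound behaviour against those terms rather than trust the warranty alone. The following is an added example, not code from the original article or from any vendor's product: a small Python audit that reads outbound-connection log lines in a hypothetical format (timestamp, process name, destination host, port, bytes sent) and flags transmissions by the licensed application that fall outside the agreed window, go to a host not on the agreed list, or are larger than plausible for statistical data. The log lines, process name, hosts, window and size threshold are all constructed assumptions.

```python
"""Audit outbound "phone-home" connections against an agreed transmission policy."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List

# Constructed sample log lines in a hypothetical format:
# <ISO timestamp> <process> <destination host> <port> <bytes sent>
# They are not taken from any real product or firewall.
SAMPLE_LOG = """\
2011-05-02T02:05:13 acme_cad acme-telemetry.example.net 443 2048
2011-05-02T09:14:52 acme_cad acme-telemetry.example.net 443 5120
2011-05-02T09:15:01 acme_cad 203.0.113.7 443 71234
2011-05-02T14:30:00 chrome www.example.org 443 900
"""


@dataclass(frozen=True)
class PhoneHomePolicy:
    """What the license agreement permits the feature to do (assumed values)."""
    process: str                 # process name of the licensed software
    allowed_hosts: FrozenSet[str]  # licensor endpoints named in the agreement
    window_start: time           # agreed transmission window (same-day, start < end)
    window_end: time
    max_bytes: int               # upper bound plausible for statistics/error codes


@dataclass(frozen=True)
class Finding:
    timestamp: datetime
    host: str
    reason: str


# Assumed policy: the vendor may phone home only between 09:00 and 10:00,
# only to its named telemetry host, and only with small statistical payloads.
AGREED_POLICY = PhoneHomePolicy(
    process="acme_cad",
    allowed_hosts=frozenset({"acme-telemetry.example.net"}),
    window_start=time(9, 0),
    window_end=time(10, 0),
    max_bytes=16384,
)


def parse_line(line: str):
    """Split one log line into typed fields; raises ValueError on a malformed line."""
    ts, proc, host, port, nbytes = line.split()
    return datetime.fromisoformat(ts), proc, host, int(port), int(nbytes)


def in_window(t: time, start: time, end: time) -> bool:
    # Assumes a same-day window with start < end.
    return start <= t <= end


def audit(log_text: str, policy: PhoneHomePolicy) -> List[Finding]:
    """Return one Finding per transmission that violates the agreed policy."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proc, host, _port, nbytes = parse_line(line)
        if proc != policy.process:
            continue  # other software is out of scope for this policy
        if host not in policy.allowed_hosts:
            findings.append(Finding(ts, host, "destination not on agreed licensor endpoint list"))
            continue
        if not in_window(ts.time(), policy.window_start, policy.window_end):
            findings.append(Finding(ts, host, "transmission outside agreed window"))
        if nbytes > policy.max_bytes:
            findings.append(Finding(ts, host, "payload larger than expected for statistical data"))
    return findings


def audit_sample() -> List[Finding]:
    """Run the audit over the constructed sample log with the assumed policy."""
    return audit(SAMPLE_LOG, AGREED_POLICY)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.timestamp.isoformat()} {f.host}: {f.reason}")
```

On the sample data the audit reports two findings: the 02:05 transmission to the agreed host falls outside the window, and the 09:15 connection goes to an address that is not an agreed endpoint. The browser traffic is ignored because the policy is scoped to the licensed application. In practice the log lines would come from egress firewall or proxy logs, and the same policy fields map directly onto an egress allowlist that blocks the application's outbound traffic at all other times, which is what the warranty clause reserves the licensee's right to do.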

Copyright © 2011 IDG Communications, Inc.