• United States



Beware “Phone Home” Functionality in Software

Oct 13, 20112 mins
Core Java

A growing number of software applications come complete with a means by which the software periodically transmits usage information to the licensor. The information may be nothing more than statistical information about the software, error codes, etc. However, it may also include information flagging any use by the licensee of the software in excess of the rights granted under the license agreement. This could lead to a full and invasive audit of the licensee.

This type of functionality poses several risks, foremost among them, the software is transmitting potentially unknown information and data off the licensee’s systems. That data may contain confidential information of the licensee. In some cases the data is encrypted and cannot be reviewed by the licensee. Another risk is that this functionality requires an open connection to the Internet from the software, potentially creating a security vulnerability.

For these reasons, many licensees are refusing to allow this functionality. If that is not possible, they are using warranties like the following example to mitigate potential risk:

In the event the Software contains a “phone-home”, metering, or other feature designed to periodically transmit usage, statistical or other data to Licensor, Licensor represents and warrants that the “phone-home” or other such feature (a) will not result in the transmission of any Licensee Confidential Information from Licensee’s systems; and (b) the feature will not create a security vulnerability that would permit any unauthorized party to gain access to Licensee’s systems or data. Licensor further represents and warrants that the foregoing features or functionality may only send information at mutually agreed upon times and that at all other times Licensee may prevent access to the internet.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author