Closing spyware loopholes

Court decision against AOL sets limits

I have this terrible recurring nightmare. One night, there is a knock on the door and Bill Gates and Steve Ballmer are there. When I ask why, they reply, "We are here for your kidney. Don't you remember the contract you clicked on when you downloaded the beta version of Internet Explorer? Don't you read those things?"

Fortunately, while "clickwrap" contracts are ubiquitous in the realm of e-commerce, a recent decision of a New York federal appeals court may limit how they are employed, even as it injects even more uncertainty into an already confused legal environment.

First, some contract law basics. A binding contract generally requires a bargain and a "meeting of the minds," which generally assumes some ability to know what you are agreeing to, and negotiate fairly. It does not require that the parties have equal bargaining power, and many (if not most) contracts that consumers end up entering into are of the "take it or leave it" variety -- buy the product and agree to the terms and conditions, or don't buy (and in some cases return) the product.

The problem for sellers of products online is, how do you get purchasers to agree to terms and conditions? The problem for purchasers of online products is, how do you negotiate? The answer to the first has traditionally been "clickwrap."

The lawsuit in New York involved the download, installation, and use of Netscape's Communicator. There were, at the time, two ways to get the browser. First, you could download the browser directly from Netscape's website, and click through a contract that requires you to assent to the terms and conditions of the software license agreement, including a provision that required all disputes relating to the agreement to be subject to binding arbitration in Santa Clara County, California -- a bright, sunny part of the lower San Francisco Peninsula that happens to be home to Netscape's offices.

The ability to control the manner and place of the litigation -- and indeed, whether you could even litigate issues arising out of the use of the Communicator software -- was of critical importance to Netscape, and to the plaintiffs who alleged that Netscape's installation of "spyware" violated their rights to privacy. The only way to reach that issue was to make it to court -- something Netscape hoped to avoid with its mandatory arbitration language.

Unfortunately for Netscape, they had provided a second way to download the product. Users could use the "SmartDownload" plug-in which did not require the user to "click-through" the agreement. There was simply a clickable warning noting:

The use of each Netscape software product is governed by a license agreement. You must read and agree to the license agreement terms BEFORE acquiring a product. Please click on the appropriate link below to review the current license agreement for the product of interest to you before acquisition. For products available for download, you must read and agree to the license agreement terms BEFORE you install the software. If you do not agree to the license terms, do not download, install or use the software.

So the question the 2nd Circuit Court of Appeals had to decide was this: was there any meaningful difference between a contract that is thrown up in front of a user's face before they can use a product, and one that's merely referenced in a clickthrough warning notice? The court held that there was -- in the former case, the parties would have been bound. But in the latter, no contract was formed. In other words, if you have the ability to read a contract, the terms of which indicate that by installing the software you agree to be bound by the terms, this is insufficient to form a binding agreement.

The court stated that a reasonable consumer would not know about the existence of the license terms, and that the warning was not "immediately visible" and did not require "unambiguous manifestation of assent." The court referenced by analogy California's consumer fraud statute, Cal. Bus. & Prof. Code Section 17538, which requires online consumer contract terms to be located either "[on] the first screen displayed when the vendor's electronic site is accessed, on the screen on which goods or services are first offered, on the screen on which a buyer may place the order for goods or services, on the screen on which the buyer may enter payment information, such as a credit card account number, or for nonbrowser-based technologies, in a manner that gives the user a reasonable opportunity to review that information."

The crux of the case then is that simply making contract terms (including warranties and other legal disclaimers) available to consumers is not likely to be sufficient to bind them. This rationale may end up applying to an employee's consent to be monitored by their employer. Merely stating that using a computer system grants such consent may no longer be sufficient.

In the long term, the rationale of requiring firm proof of a "meeting of the minds" could mean the full text of contracts will be popping up on our screens every time we use an ATM, visit a Web portal, or log on at work. There is no good way to negotiate a fair contract in cyberspace. We are frequently bound by language we fail to read or comprehend, even when the text is easily available to us and not hidden. Although the Netscape language could have been placed in a more conspicuous manner, there was no evidence that it was hidden or buried. Therefore, it seems reasonable to place it on par with other contract language.

Sad to say, this may make it even less likely that people will read such contracts, as they become more ubiquitous and annoying. The clickwrap nightmare isn't over yet.

© 2002 SecurityFocus.com, all rights reserved.
