Miscellaneous Issues

Trusting Software part 1
Trusting online merchants
Trusting Software part 2
Sony XCP
Voting machines


With all the concern about online theft, why do we trust online merchants at all? For that matter, why do we trust people we've met on facebook, etc?

Why we trust online sites:

Overall, it seems that lack of bad past experience has the most to do with why we trust. (Also, it doesn't appear to take much experience for many people to feel comfortable with something.)

What about personal sites? (Not necessarily dating, but those too.) How do we form online friendships (eg at discussion sites)? What about forming new friends on Facebook? What makes us think people aren't completely deceiving us? What about in face-to-face settings? Is that any different?

Some foreign governments have in the past expressed the concern that Windows must have some sort of back-door access mechanism accessible to the CIA.

Trusting software: how do we do this? What responsibility do vendors have?

    Should there be an obligation for software to work on our behalf?
    Should there be some sort of "fiduciary obligation"?
    How much can you count on trusting your email software, or trusting your browser?

The organization Stopbadware.org is devoted to identifying (and defining) "badware" on your computer. One of their hardest jobs has been figuring out just what "badware" is. Here's an earlier definition:

Badware is software that fundamentally disregards a user's choice regarding how his or her computer will be used. You may have heard of some types of badware, such as spyware, malware, or deceptive adware. Common examples of badware include free screensavers that surreptitiously generate advertisements, malicious web browser toolbars that take your browser to different pages than the ones you expect, or keylogger programs that can transmit your personal data to malicious parties. [stopbadware.org/home/badware]

What about DRM? What about Windows?

What about Android apps? Both free and paid?

In recent years, Stopbadware has shifted its emphasis from locally installed software to websites that download malware, through vulnerabilities involving JavaScript, the browser, or some other component (so-called drive-by downloads); in fact, they largely serve as a clearinghouse for information about bad sites.

The biggest problem stopbadware.org has is figuring out what qualifies. You'd think this would be easy.

Most of it is spyware, viruses, or some inappropriate "control" software (eg Sony's rootkit, below).

An older stopbadware.org definition:

  1. If the application acts deceptively or irreversibly.
  2. If the application engages in potentially objectionable behavior without:

Here is their current list, from http://stopbadware.org/guidelines/software, of things software must not do:

  1. Software must be installed or executed on a computer only with the informed, affirmative consent of the user or administrator.
  2. Software must inform the user or administrator prior to engaging in potentially unwanted behavior.
  3. Software must not use deceptive behavior or language to influence decisions by the user or administrator.
  4. Software must provide the ability for the application and all of its functionality to be removed in a reasonable manner and without undue interference.

Stopbadware used to publish "alerts". RealPlayer (arguably a legitimate product) had been here (Spring 2008?):

We find that RealPlayer 10.5 is badware because it fails to accurately and completely disclose the fact that it installs advertising software on the user's computer. We additionally find that RealPlayer 11 is badware because it does not disclose the fact that it installs Rhapsody Player Engine software, and fails to remove this software when RealPlayer is uninstalled.

Do these things make it badware?

KaZaa had been here (Spring 2008?):

We find that Kazaa is badware because it misleadingly advertises itself as spywarefree, does not completely remove all components during the uninstall process, interferes with computer use, and makes undisclosed modifications to other software.

Spyware Striker Pro (Spring 2009)
        (ironically, this is NOT "fake" spyware-removal software!)

Compare all this with the modern phone app:

Can we trust apps to limit themselves to the data they actually need to function? The answer is a resounding NO.

Trusting Merchants

With all the concern about online theft, why do we trust online merchants at all? For that matter, why do we trust people we've met on facebook, etc?

Technological issues & trust: can we at least trust that we're talking to the person we think we're talking to?

Old-style PGP (Pretty Good Privacy) trust:
You need to VERIFY people's public keys (that the key really belongs to the person). Otherwise you can get a bad key, write to them using it, and be the victim of a man-in-the-middle attack: whoever handed you the bad key decrypts your message, reads it, and re-encrypts it to the real recipient, who is none the wiser.

(public key crypto: each person has a public key and a private key. If someone encrypts a message to you with your public key, only you can decrypt it, using your private key. Similarly, if you encrypt something with your private key, anyone can decrypt it with your public key, and in the process verify that it was produced with your private key. That last bit means that the message can act as your DIGITAL SIGNATURE. This is the RSA picture; in practice what gets signed is a hash of the message, and other signature schemes are not literally "encryption with the private key".)

How can we come to TRUST the keys we have?

Alice needs Bob's key.

  1. She can meet Bob at a key-signing party. Bob can give her his key fingerprint (a hash of the key), which she then compares against the key she downloads.
  2. She can ask Chuck, whom she trusts. Chuck says Bob's online key fingerprint is legit.
  3. She can decide NOT to trust Chuck, at least about Bob, and ask Dora instead. Dora has never met Bob, but got Bob's key fingerprint from Ernie, who has.
  4. She can ask someone who holds a large collection of signed verifications of keys (eg a keyserver). Three of them are signed verifications of Bob's key, by people Alice trusts at least a little.
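The four cases above are exactly the inputs to a web-of-trust calculation. The following is an added example, not code from the original notes or from PGP itself: it models Alice's keyring and applies the rule GnuPG uses by default (a key is valid if Alice verified it herself, or it carries one signature from a fully trusted introducer, or three from marginally trusted ones, and each introducer's own key must itself be valid). The names, key material and trust assignments are constructed for the example; the fingerprint is a plain SHA-256 of the key bytes rather than the real OpenPGP fingerprint format.

```python
"""Toy web-of-trust evaluation (added example, not from the original notes)."""
import hashlib

FULL, MARGINAL = 3, 1        # weight of a signature; 3 is the validity threshold


def fingerprint(material: bytes) -> str:
    """Fingerprint = hash of the public key. Real OpenPGP fingerprints hash the
    whole key packet; the principle (compare a short hash, not the key) is the same."""
    return hashlib.sha256(material).hexdigest()[:16]


class Keyring:
    """Public keys as downloaded from a keyserver, with the signatures on them."""

    def __init__(self):
        self.owner = {}      # fingerprint -> claimed owner name (unverified!)
        self.sigs = {}       # fingerprint -> set of signer fingerprints

    def add(self, owner: str, material: bytes) -> str:
        fp = fingerprint(material)
        self.owner[fp] = owner
        self.sigs.setdefault(fp, set())
        return fp

    def sign(self, signer_fp: str, target_fp: str) -> None:
        """signer attests that target_fp really belongs to its claimed owner."""
        self.sigs[target_fp].add(signer_fp)


def key_is_valid(ring, fp, verified, trust, seen=()):
    """Should Alice believe that key fp belongs to ring.owner[fp]?

    verified: fingerprints Alice checked in person (key-signing party)
    trust:    {fingerprint: FULL|MARGINAL}, how far Alice trusts that person
              as an introducer, i.e. to check other people's keys carefully.
              Trust is not transitive: Dora vouching for Ernie's key says
              nothing about whether Alice should rely on Ernie's signatures.
    """
    if fp in verified:
        return True
    if fp in seen or len(seen) > 5:      # no cycles, bounded depth
        return False
    score = 0
    for signer in ring.sigs.get(fp, ()):
        weight = trust.get(signer)
        if weight is None:
            continue                      # signer is nobody Alice relies on
        if not key_is_valid(ring, signer, verified, trust, seen + (fp,)):
            continue                      # signer's own key is not established
        score += weight
    return score >= 3


def scenarios() -> dict:
    """The four cases from the notes, plus two edge cases."""
    ring = Keyring()
    bob = ring.add("Bob", b"bob-public-key")
    chuck = ring.add("Chuck", b"chuck-public-key")
    dora = ring.add("Dora", b"dora-public-key")
    ernie = ring.add("Ernie", b"ernie-public-key")
    fay = ring.add("Fay", b"fay-public-key")
    gus = ring.add("Gus", b"gus-public-key")
    fake_bob = ring.add("Bob", b"mallory-key-labelled-bob")   # same name, other key
    ring.sign(chuck, bob)
    ring.sign(ernie, bob)
    ring.sign(dora, ernie)            # Dora met Ernie, not Bob
    ring.sign(fay, bob)
    ring.sign(gus, bob)
    marginal3 = {chuck: MARGINAL, fay: MARGINAL, gus: MARGINAL}
    return {
        # 1. Alice met Bob and compared fingerprints herself.
        "met_bob": key_is_valid(ring, bob, {bob}, {}),
        # 2. Alice verified Chuck's key and trusts him fully as an introducer.
        "via_chuck": key_is_valid(ring, bob, {chuck}, {chuck: FULL}),
        # 3. Dora -> Ernie -> Bob: fails unless Alice also trusts Ernie's judgement.
        "via_dora_only": key_is_valid(ring, bob, {dora}, {dora: FULL}),
        "via_dora_and_ernie": key_is_valid(ring, bob, {dora}, {dora: FULL, ernie: FULL}),
        # 4. Three marginally trusted signers add up; two do not.
        "three_marginal": key_is_valid(ring, bob, {chuck, fay, gus}, marginal3),
        "two_marginal": key_is_valid(ring, bob, {chuck, fay}, marginal3),
        # A second key that merely claims to be Bob's has no trusted signatures.
        "fake_bob": key_is_valid(ring, fake_bob, {chuck, fay, gus}, marginal3),
    }
```

The point of case 3 is the one people get wrong: Dora's signature makes Ernie's key valid, but it is Alice's own decision whether Ernie is a careful introducer, so Bob's key only becomes valid once Alice assigns trust to Ernie as well.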

SSL certificates (TLS certificates)
SSL = secure socket layer, old name
TLS = transport-layer security, new name

Any pair of entities can negotiate a session key (in TLS this is done with Diffie-Hellman, or in older versions by RSA key transport):

You're guaranteed a random key provided the other side does not see your bits before choosing theirs. There are protocols to enforce that (eg each side first commits to its bits by sending them encrypted, and only after both commitments have arrived are the keys to decrypt them exchanged).

BUT: how do you know you're not about to give your credit card to a bad guy with whom you've just created a session key?

Ask landsend.com for their SSL certificate. Receive it. It includes the site's public key and its DNS name, together with a digital signature by a well-known Certificate Authority, or CA (usually through a short chain of intermediate CAs).
CHECK it by using the known public key of the CA. These keys are preinstalled in your browser. Also check that the DNS name in the certificate matches the name you typed.
This prevents man-in-the-middle attacks even if your router or DNS has been hacked, because the attacker cannot produce a certificate for landsend.com signed by a CA your browser trusts. It does not help if a CA itself is compromised or careless, or if you click through a certificate warning.

Their SSL server then uses its private key to sign the key-exchange data together with fresh random values (nonces) contributed by both sides, so replaying an old handshake isn't feasible either.
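To see why the certificate check matters, here is an added example (not code from the original notes, and not a real TLS implementation) that runs the handshake sketched above both with and without the check. It uses plain Diffie-Hellman, which a man in the middle ("Mallory") defeats, and then Diffie-Hellman where the server's value is signed by a key that a "CA" has certified and the client checks against the CA public key it ships with. Every parameter is a toy size so the numbers stay short: the DH prime is the Mersenne prime 2^127-1 with generator 3 (an assumption, chosen for convenience), and the signatures are textbook RSA over SHA-256 with Mersenne primes and no padding. None of that is safe for real use; the protocol structure is the point.

```python
"""Session key alone vs. CA-authenticated key exchange (added example)."""
import hashlib
import secrets

P, G = (1 << 127) - 1, 3                  # toy Diffie-Hellman group (assumption)


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(my_secret: int, their_public: int) -> bytes:
    """Session key: hash of the shared DH value."""
    return hashlib.sha256(pow(their_public, my_secret, P).to_bytes(16, "big")).digest()


def rsa_keypair(p: int, q: int, e: int = 65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))   # (public, private); needs Python >= 3.8


def _digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def rsa_sign(priv, msg: bytes) -> int:      # "encrypt the hash with the private key"
    n, d = priv
    return pow(_digest(msg, n), d, n)


def rsa_verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)


# Long-term keys (toy Mersenne primes). CA_PUB is what ships in the browser.
CA_PUB, CA_PRIV = rsa_keypair((1 << 31) - 1, (1 << 61) - 1)
SRV_PUB, SRV_PRIV = rsa_keypair((1 << 61) - 1, (1 << 89) - 1)
MAL_PUB, MAL_PRIV = rsa_keypair((1 << 31) - 1, (1 << 89) - 1)   # Mallory has no CA key


def make_cert(name: str, pub, signer_priv) -> tuple:
    """A 'certificate': (DNS name, public key) plus a signature over them."""
    body = f"{name}|{pub[0]}|{pub[1]}".encode()
    return body, rsa_sign(signer_priv, body)


def server_hello(cert, priv, client_nonce: bytes):
    """Fresh DH value, signed together with the client's nonce so that the
    signature cannot be replayed in some later handshake."""
    s, gs = dh_keypair()
    return s, (cert, gs, rsa_sign(priv, client_nonce + gs.to_bytes(16, "big")))


def client_check(expected_name: str, hello, client_nonce: bytes, ca_pub) -> bool:
    """The browser's checks before it trusts the server's DH value."""
    (body, ca_sig), gs, sig = hello
    if not rsa_verify(ca_pub, body, ca_sig):
        return False                                  # not signed by a CA we trust
    name, n, e = body.decode().split("|")
    if name != expected_name:
        return False                                  # valid cert, but for another site
    return rsa_verify((int(n), int(e)), client_nonce + gs.to_bytes(16, "big"), sig)


def run(authenticated: bool, attack=None) -> dict:
    """attack: None, 'substitute' (Mallory keeps the real certificate but swaps
    in her own DH value) or 'forge' (Mallory presents a landsend.com
    certificate signed with her own key)."""
    nonce = secrets.token_bytes(16)
    a, ga = dh_keypair()                                         # Alice
    s, hello = server_hello(make_cert("landsend.com", SRV_PUB, CA_PRIV), SRV_PRIV, nonce)
    cert, gs, sig = hello
    mallory_keys = set()
    if attack:
        m, gm = dh_keypair()
        if attack == "substitute":
            hello = (cert, gm, sig)
        else:
            fake = make_cert("landsend.com", MAL_PUB, MAL_PRIV)
            hello = (fake, gm, rsa_sign(MAL_PRIV, nonce + gm.to_bytes(16, "big")))
        server_key = dh_shared(s, gm)              # server unknowingly pairs with Mallory
        mallory_keys = {dh_shared(m, ga), dh_shared(m, gs)}
    else:
        server_key = dh_shared(s, ga)
    if authenticated and not client_check("landsend.com", hello, nonce, CA_PUB):
        return {"accepted": False, "keys_match": False, "mallory_reads": False}
    client_key = dh_shared(a, hello[1])
    return {"accepted": True,
            "keys_match": client_key == server_key,
            "mallory_reads": {client_key, server_key} <= mallory_keys}
```

Without authentication Alice and the server each happily finish the exchange, but with different keys, both of which Mallory holds. With the check, substituting a DH value breaks the server's signature and a forged certificate breaks the CA signature; what the check cannot do is tell Alice anything about whether the real landsend.com deserves her credit card.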

What does this have to do with TRUST?

Do you trust the CAs listed in your browser? Huh? Have you even heard of any of them?

Firefox 2013: Edit => Preferences => Advanced => Encryption => View Certs

Of course, one of the real reasons we trust online commerce -- that we have relatively few bad experiences -- is related to all this encryption in that it makes it much harder for bad guys to eavesdrop. (The most likely location for bad guys, btw, is either in your house or on the servers at the other end.)

Note this is powerless against phishing attacks: a phishing site can have a perfectly valid certificate for its own look-alike name. Although the newer Extended Validation SSL certificates might help. Might.

Back to why we trust online vendors:

Overall, it seems that lack of bad past experience has the most to do with why we trust. This seems to be the case with face-to-face and brick-and-mortar relationships just as much as with online situations.

What about personal sites? (Not necessarily dating, but those too.) How do we form online friendships (eg at discussion sites)? What makes us think people aren't completely deceiving us? What about in face-to-face settings? Is that any different?

Trusting software part 2: how do we do this? What responsibility do vendors have?

We've seen that people form trust relationships based on a fairly limited set of positive experiences (and withdraw trust after a fairly limited set of negative ones). Software thus has a lot to live up to: we trust it because we don't see bad experiences, yet it is very easy for software to take advantage of us without our noticing.

In recent years, there does appear to be a trend even among nontechnical people of trusting computers less.

Email: who is responsible for keeping you safe from spam? From embedded image tags in HTML mail that reveal to the sender whether, when, and from what IP address you've viewed the email?

The images issue has been around for almost a decade; many email vendors (and many freemail providers) were reluctant to support image-blocking until ~2006 or later. (There may be legitimate reasons for that: it may be perceived as a hard-to-understand option.)
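What image-blocking actually has to do is small, which makes the reluctance above more striking. The following is an added example, not code from the original notes or from any mail client: it lists every image in an HTML message, flags the ones that look like tracking beacons (1x1 or hidden, or carrying a long opaque token that identifies the recipient), and rewrites the HTML so that no remote image is fetched until the user asks. The sample message and the hostnames in it are constructed.

```python
"""Finding and neutralizing tracking images in HTML mail (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: a logo, a classic 1x1 open-tracker, an inline attachment,
# and an image whose only identifying feature is a long per-recipient token.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, your order has shipped.</p>
<img src="https://cdn.example-shop.test/logo.png" width="120" height="40" alt="logo">
<img src="https://track.example-mailer.test/open?u=7c2b9f0a4e1d8c3b&amp;c=spring"
     width="1" height="1" style="display:none">
<img src="cid:invoice-part-2" alt="invoice">
<img src="https://img.example-mailer.test/o/8f0c9e1d7b3a4c5d6e7f8a9b0c1d2e3f.gif">
<p>Thanks for shopping with us.</p>
</body></html>
"""

# a run of hex, or a long URL-safe blob: what a per-recipient token looks like
TOKEN = re.compile(r"[0-9a-f]{16,}|[A-Za-z0-9_-]{24,}", re.I)


class ImageCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def classify(img: dict) -> str:
    """'local' (no network fetch), 'remote', or 'beacon' (remote and suspicious)."""
    src = img.get("src", "")
    if not src.lower().startswith(("http://", "https://")):
        return "local"                      # cid: attachments, data: URIs, no src
    tiny = img.get("width") in ("0", "1") or img.get("height") in ("0", "1")
    hidden = "display:none" in img.get("style", "").replace(" ", "").lower()
    url = urlparse(src)
    opaque = bool(TOKEN.search(url.path)) or any(
        TOKEN.search(v) for vals in parse_qs(url.query).values() for v in vals)
    return "beacon" if (tiny or hidden or opaque) else "remote"


def analyze(html: str) -> list:
    """[(src, classification)] for every <img> in the message, in order."""
    p = ImageCollector()
    p.feed(html)
    return [(img.get("src", ""), classify(img)) for img in p.images]


IMG_TAG = re.compile(r"<img\b[^>]*>", re.I)
# 'src=' not preceded by a word char or '-', so data-blocked-src is left alone
REMOTE_SRC = re.compile(r"""(?<![-\w])src\s*=\s*(["'])(https?://[^"']*)\1""", re.I)


def block_remote_images(html: str) -> str:
    """Mail-client style blocking: move every remote src into data-blocked-src so
    nothing is fetched; a 'show images' button can put it back. Local cid: and
    data: images are untouched, and the rewrite is idempotent."""
    return IMG_TAG.sub(
        lambda m: REMOTE_SRC.sub(r"data-blocked-src=\g<1>\g<2>\g<1>", m.group(0)),
        html)
```

The classification is only a heuristic for showing the user which images are suspicious; the safe default is the last function, which blocks every remote image regardless, because a tracker can just as well be a full-size hero image with a token in its URL.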

Browsers: browsers do all sorts of identification of themselves when they connect. Some of that is important; some is questionable. Most browsers do not leak "private" information, though they do announce the browser and OS you are using (in the User-Agent header, which sites also feed into fingerprinting). Furthermore, this is hard to change!

Try http://www.jms1.net/ie.shtml, with internet explorer. (Actually, go to jms1.net, and you get redirected to the linked site if you're using IE. At one point there was a page on the site that would simply make IE die.)

IE's ActiveX security model is debatable; ActiveX is an approach to security where you run any signed software, with full privileges, provided you trust the signer. What signing authorities do you trust to look out for your interests here? Java, on the other hand, trusts any source, but runs the applet in a "sandbox" where it supposedly can't damage your machine (though the steady stream of sandbox-escape vulnerabilities makes it essential to upgrade your core Java regularly). Note that, in the real world, Java applets are rarely used; instead, websites run JavaScript on your machine. While JavaScript has some of the sandbox features of Java, it can still have a very negative effect on your browser.

What about plugins?

Many browser plugins do leak some degree of private information. When you register a plugin, you connect some personal information to that plugin. Also, some plugins contact the mothership at regular intervals.

See http://spywareremove.com/remove-BrowserPlugins

SEVERAL media players (plugin or otherwise) may do some checking of licenses or with the mothership before allowing play. Perhaps most players from media companies behave this way.

What about compatibility lock-in?

To what extent should your OS be required to act on your behalf?
Palladium (aka Next-Generation Secure Computing Base):
    locks you out of lots of things.
    Trusted side: can't be reached by debuggers or viruses
    Problem: machine now is autonomous; vendor has complete control. Do you trust your vendor?
    Software updates, file compatibility,

From Windows Internals by Russinovich & Solomon:

In the Windows security model, any process running with a token containing the debug privilege (such as an administrator's account) can request any access right that it desires to any other process running on the machine...

This logical behavior (which helps ensure that administrators will always have full control of the running code on the system) clashes with the system behavior for digital rights management requirements imposed by the media industry on computer operating systems that need to support playback of advanced, high-quality digital content such as BluRay and HD-DVD media. To support reliable and protected playback of such content, Windows uses protected processes. These processes exist alongside normal Windows processes, but they add significant constraints to the access rights that other processes on the system (even when running with administrative privileges) can request.

Protected processes can be created by any application; however, the operating system will only allow a process to be protected if the image file has been digitally signed with a special Windows Media Certificate. The Protected Media Path (PMP) in Windows Vista makes use of protected processes to provide protection for high-value media, and developers of applications such as DVD players can make use of protected processes by using the Media Foundation API.

Will all software vendors eventually request that their applications be protected? It would sure put a damper on reverse-engineering!

Sony XCP

The following Sony case has the rights of users front and center.
Sony BMG introduced their "XCP" music-CD copy-protection scheme in 2005. It installed a private CD driver AND a hidden rootkit (discovered, and so described, by Mark Russinovich, then of sysinternals.com) that conceals itself by hiding every file, process and registry key whose name begins with $sys$.

Is this legit?

How does it compare with Palladium (secure-computing platform)?

Users do click on a license agreement. Were they sufficiently warned? (The software was apparently installed before the EULA came up; and in any event clearly the EULA did not explain just what was going on.)

Note from Mark Russinovich, via wikipedia:

He also mentioned that the XCP software installed silently before the EULA appeared, that the EULA does not mention the XCP software, and that there was no uninstaller, all of which are illegal in various ways in various jurisdictions. Several comments to the entry recommended a lawsuit against Sony BMG.

Malware soon appeared that took advantage of the Sony kit: any file it named with the $sys$ prefix was hidden from the user, and from antivirus software, by Sony's own driver.

Sony issued an uninstall utility that didn't actually uninstall the software, but did make it visible. However, users had to supply an email address, which by Sony's privacy policy was eligible for spamming.

This or a later removal kit allegedly ADDED a bad ActiveX control.

While we're on the subject of Sony, there was a report (in print, which I can't find now) that a significant breakin at US Government sites was precipitated by flaws in the LimeWire file-sharing package. As in, under some circumstances LimeWire would share everything.

Trusting voting machines

If we trust our phones and calculators, why on earth shouldn't we trust voting machines?

Because nobody will gain from secretly having our phones and calculators give incorrect results. We would find out almost immediately, after all.

(And there are many phone viruses.)

In 2006, Ariel J Feldman, Alex Halderman and Edward Felten examined the Diebold AccuVote-TS voting machine. They found serious flaws: someone with a minute of physical access could install vote-stealing software, and that software could spread from machine to machine on the memory cards used to load ballot definitions.
Look at the video here.

Question to think about and for discussion: 
Notes: just booting with a clean memory card does NOT necessarily clear the machine! The bootloader in flash memory may itself have been replaced, because the machine loads a new bootloader from any inserted card that contains a file named fboot.nb0.
Seals (which Diebold recommends) are often ignored, and if not then breaking them constitutes an effective DoS attack. 

Remember that there were a batch of internal Diebold memos and sourcecode leaked, which Diebold aggressively tried to have taken down. In 2004, Online Policy Group won its case against Diebold, establishing that distribution of the documents does not infringe on Diebold's copyrights.
Voting machines are not the only situation where an irrefutable trail might be in order. On Dec 4, 2012, David Miller was arrested for an allegedly fraudulent scheme involving trading in Apple Computer stock. Miller bought 1,625,000 shares of Apple stock, expecting it to go up. When it did not, he claimed that he'd only meant to purchase 1,625 shares, but that the order was erroneously duplicated 1,000 times. This could be
More at http://www.zdnet.com/apple-trader-arrested-in-1-billion-wire-fraud-7000008349/.

Jurisdiction online

Jurisdictional issues apply to both criminal and civil law. Oddly, criminal law is more ambiguous; we will start with civil law. For online shopping, one of the first questions is where did the sale take place? Here are some legal theories that have been applied (eg in the LICRA/Yahoo case):

The following are the traditional three rules for a US court deciding it has "personal jurisdiction" in a lawsuit:

  1. Purposeful availment: did defendant receive any benefit from the laws of the jurisdiction? If you're in South Dakota and you sell to someone in California, the laws of California would protect you if the buyer tried to cheat you. Generally, this is held to be the case even if you require payment upfront in all cases. The doctrine of purposeful availment means that, in exchange here for the benefits to you of California's laws, you submit to California's jurisdiction.
  2. Where the act was done.
  3. Whether the defendant has a reasonable expectation of being subject to that jurisdiction.

eHarmony lawsuits

The California dating/matching company eHarmony was sued for alleged discrimination against homosexuals

    New Jersey lawsuit by Eric McKinley, 2005
    California lawsuit by Linda Carlson, 2007

How does jurisdiction apply? Should it have applied in New Jersey?
Is the fact that users must enter their address the deciding factor?

Would it have mattered if eHarmony were a free service?

Could eHarmony simply have agreed not to do business in NJ and CA?

What if residents of Newark (or Princeton) simply gave NYC addresses?


criminal law

laws governing sales: the seller can sue in his home state. This is more or less universal.
But in consumer disputes, it is more likely the buyer with the grievance. Should the buyer always be allowed to sue in his or her home state? This subjects the seller to a potential maze of legal regulations.

Does it matter if the seller is a major retailer or a private individual?

laws governing trademarks

Trademark scope
        The Blue Note Cafe was located in NYC
        The Blue Note, St Louis (actually Columbia, MO) was a club, sued for trademark infringement by Blue Note New York because they had a web site.
        The case: Bensusan Restaurant Corp v King, 937 F. Supp. 295 (SDNY 1996)
The case was brought in federal district court, which decided there was a lack of jurisdiction. Before that, however, note that the Missouri club began using the name in 1980, and the NYC club did not register the trademark until 1985. Note that, generally speaking, in this sort of situation the Missouri club retains the right to continue to use the name locally, while non-local use is reserved to the federal trademark-holder.

The district court did look at the "long-arm statute" of the "forum state", that is, New York. The New York law provides that

a New York court may exercise personal jurisdiction over a non-domiciliary who "in person or through an agent" commits a tortious act within the state.

The State-court interpretation of this was that the act had to be committed in New York State, and the federal court deferred to this interpretation.

Another part of the NY state law did provide for jurisdiction when the other party was outside the state. However, the law also

... restricted the exercise of jurisdiction under sub-paragraph (a)(3) to persons who expect or should reasonably expect the tortious act to have consequences in the state and in addition derive substantial revenue from interstate commerce

The second circuit decided that Blue Note Missouri did not derive revenue from interstate commerce. End of case.

Blue Note St Louis had a mostly passive web site, although they did advertise tickets online, to performances at the club itself. These tickets had to be picked up at the Missouri box office; they were never mailed. Does this matter? Does it matter that the tickets were technically not sold over the internet, but instead you had to call a phone number?

This case was decided on jurisdictional grounds: NY State did not have jurisdiction.
The second-circuit appellate decision is at http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl?court=2nd&navby=docket&no=969344.

This was a reasonable decision, but notice that it sure doesn't offer many guarantees that your website won't infringe on a trademark far far away.
Domain names

Zippo v Zippo, 1997

See http://cyber.law.harvard.edu/metaschool/fisher/domain/dncases/zippo.htm
    zippo lighters v zippo.com
    trademark infringement was an issue under Pennsylvania state law, but the lawsuit was filed in federal district court.
    PA "long arm" statute
zippo.com was a news service. It had about 3,000 paying subscribers in Pennsylvania and contracts with seven Pennsylvania ISPs (see the quotation below). The court applied the usual three-part test for specific jurisdiction:
    (1) the defendant must have sufficient "minimum contacts" with the forum state,
    (2) the claim asserted against the defendant must arise out of those contacts, and
    (3) the exercise of jurisdiction must be reasonable.

We find Dot Com's efforts to characterize its conduct as falling short of purposeful availment of doing business in Pennsylvania wholly unpersuasive. At oral argument, Defendant repeatedly characterized its actions as merely "operating a Web site" or "advertising." Dot Com also cites to a number of cases from this Circuit which, it claims, stand for the proposition that merely advertising in a forum, without more, is not a sufficient minimal contact. [FN7] This argument is misplaced. Dot Com has done more than advertise on the Internet in Pennsylvania. Defendant has sold passwords to approximately 3,000 subscribers in Pennsylvania and entered into seven contracts with Internet access providers to furnish its services to their customers in Pennsylvania. [emphasis added]

The decision addressed the jurisdictional issue, plus others: Pennsylvania did have jurisdiction

Note the gray area between a completely passive website, just an "electronic billboard", and "the knowing and repeated transmission of computer files over the Internet". Usually the latter means subscriber-specific information.

But also consider whether zippo.com should expect to be hauled into court in every jurisdiction in which it has a customer, even for complaints unrelated to that customer. In this case, as the issue was the use of the trademarked name "Zippo", the jurisdiction based on other customers might be reasonable.

The Zippo court developed the following three-part strategy for assessing long-arm internet jurisdiction:

  1. The defendant actively does business in the state, eg accepting orders from state residents, and that this business goes beyond internet contact (eg the shipping of physical goods)
  2. intermediate: the defendant does business in the state, but the activity is conducted over the internet.
  3. The defendant's activity in the state is more-or-less limited to passive viewing. While orders may be accepted on the site, it would be clear that sales were not intended to those in the state.

The problem with this example is that nobody really knows what Case 2 should include.

What about google.com? Should Illinois courts have jurisdiction over issues involving google.com search? What about google+?

Internationally, we already looked at LICRA v Yahoo, filed in France (and won by LICRA) for Yahoo's selling of Nazi memorabilia on its auction site in the US. Yahoo had initially agreed to comply with the French order, and then later changed its mind, and filed suit in the US asking that the US court declare that the french court did not have jurisdiction. That case ended in a draw (specifically, in a declaration that the case was not "ripe").

Suppose your bank makes an error. Where do you sue them? What if their only presence in your state is online? Consider the case Soma Medical v Standard Chartered Bank. SCB is located in Hong Kong. Soma is in Utah. Soma did banking with SCB online. Some money disappeared. Soma lost their lawsuit in Utah, because the court ruled that the fact that SCB had a website accessible in Utah did not give the State of Utah personal jurisdiction. [Michael Shamos]

NTP v RIM: RIM's network hub was in Canada. RIM lost on that point, but there remain serious questions about whether US patent law extends to other countries.

Butler v Beer Across America
BAA is an Illinois company selling beer over the internet. Butler's minor son ordered beer, and it was delivered to him despite rules that required an adult signature. Butler sued BAA under an Alabama law that makes it illegal to sell alcohol to minors. In this case, Butler lost her bid to get Alabama jurisdiction, though the case was transferred by the Alabama court to Illinois.

Deciding that the sale of beer by Illinois defendants to an Alabama minor on the Internet occurred in Illinois, the federal court held that a single sale was insufficient minimum contacts to establish personal jurisdiction over the defendants in Alabama.


Cybersquatting is somewhat related to trademark disputes, but an essential component is the claim that one party doesn't really want the trademark, but just wants to "extort" money from the other side.

See http://www.networksolutions.com/legal/dispute-policy.jsp

    Uniform Domain Name Dispute Resolution Policy -- ICANN

4(b). Evidence of Registration and Use in Bad Faith. For the purposes of Paragraph 4(a)(iii), the following circumstances, in particular but without limitation, if found by the Panel to be present, shall be evidence of the registration and use of a domain name in bad faith:

(i) circumstances indicating that you have registered or you have acquired the domain name primarily for the purpose of selling, renting, or otherwise transferring the domain name registration to the complainant who is the owner of the trademark or service mark or to a competitor of that complainant, for valuable consideration in excess of your documented out-of-pocket costs directly related to the domain name; or

(ii) you have registered the domain name in order to prevent the owner of the trademark or service mark from reflecting the mark in a corresponding domain name, provided that you have engaged in a pattern of such conduct; or

(iii) you have registered the domain name primarily for the purpose of disrupting the business of a competitor; or

(iv) by using the domain name, you have intentionally attempted to attract, for commercial gain, Internet users to your web site or other on-line location, by creating a likelihood of confusion with the complainant's mark as to the source, sponsorship, affiliation, or endorsement of your web site or location or of a product or service on your web site or location.

There is also the AntiCybersquatting Consumer Protection Act.

Some form of bad faith is usually necessary. But not always, if the effect is to resemble a famous trademark and if you have good lawyers. Sometimes the only "bad faith" or "intent to profit" is the offer of the domain holder to settle the case by selling the domain to the plaintiff.

All this is really about trademarks, not about jurisdiction. But the "flat" namespace of the web makes all trademark disputes national, or even global.

vw.net: virtual works
Peculiarity: vw.net, a one-man company with James Anderson as principal, offered to sell the name to Volkswagen in 1998, and threatened to auction the name off if Volkswagen did not buy. This triggers a presumption of domain-name squatting.

"A federal appeals court in Virginia [2001] affirmed a lower court's ruling that online service provider Virtual Works Inc. violated the 1999 Anticybersquatting Consumer Protection Act when it registered the domain vw.net with the intent to sell it to Volkswagen of America."

"Grimes' [Anderson's early partner] deposition reveals that when registering vw.net, he and Anderson specifically acknowledged that vw.net might be confused with Volkswagen by some Internet users," Wilkinson wrote. "They nevertheless decided to register the address for their own use, but left open the possibility of one day selling the site to Volkswagen 'for a lot of money'."

See http://vwx.com. Oops, I guess not; that site is now for sale. At one point, it was about Anderson's side of the case.
A possibly important point was that virtual works never used the abbreviation "vw" except in the domain name.
They (vw.net) lost.

Is this about cybersquatting? Or is it about the (lack of) rights of the Little Guy to use their trademark in good faith?

american.com: formerly owned by cisco, later a private 'zine (the airline is aa.com), and now a more serious magazine The American

gateway 2000 v gateway.com
    gateway.com was a computer consulting firm, run by Alan Clegg. There was absolutely no evidence that Clegg foresaw that in the year 2000 the name gateway2000.com would become obsolete, and reserved gateway.com in anticipation of a domain sale.
yahoo.com v yahooka.com [which see]
    Case was actually never filed

state-law libel and jurisdiction

A state court in Clayton v. Farb, 1998 Del. Super. LEXIS 175 (Del. April 23, 1998), found that Delaware's long arm statute did NOT reach the defendant, who posted allegedly libelous and slanderous false statements about the plaintiff on his Internet site. The statute provided for jurisdiction over tortious activity outside of Delaware ONLY if defendant regularly conducted business in the state. The court found that access in Delaware to defendant's Internet posting did not constitute sufficient contact to support the exercise of personal jurisdiction.
This case was decided on JURISDICTIONAL grounds: Delaware did not have jurisdiction

Laws governing libel:

Truth is a defense, but can be expensive to prove. If you say something false about a public figure, they have to prove actual malice. If you say something false about anyone else, all they have to prove is that you were negligent.

We've seen Batzel v Cremers.

Cremers lost on the jurisdiction issue. Should he have?

Furthermore, what if the legal climate in the Netherlands was different for libel lawsuits? What if in the Netherlands the burden of proof lay with the plaintiff to prove something false, and Cremers was sued in a jurisdiction (eg England, which still has pro-plaintiff libel laws) where the burden of proof lay with the defendant?

Shrink-wrap and click-wrap licenses

The first name made sense; software was wrapped in "shrink-wrap" and was returnable unless you opened it and thus "accepted" the license. The click-wrap form is by back-formation.

It has never been clear how binding these are, though courts regularly uphold click-based "terms of service". However, this is most common in situations where you have to create an account, not for otherwise-public web pages.

Click-wrap software licenses remain a grey area. Prosecutors have at times treated violation of a click-wrap Terms-of-Service agreement as unauthorized access under the CFAA (eg United States v Drew, 2009, where the court ultimately rejected that theory), so the question is not a purely civil one.

Courts are in principle in pretty general agreement that a vendor can require contract terms. Where they differ is in items such as how explicit the contract has to be, and whether there are any requirements that are not enforceable. You can pretty much address the first issue with an explicit "I agree" button and a way to view the terms.

A major case in this area was ProCD v Zeidenberg (begun 1995). Zeidenberg purchased a database of phone book information from ProCD, at the "consumer" price. He then put the database online, in effect reselling it for a lower price. The Supreme Court had ruled in Feist that facts such as phone listings are not copyrightable (only an original selection or arrangement of them is), so Zeidenberg was in the clear in that regard. However, the software that came with the package (and the written manual) stated that "the [telephone] listings contained within this product are subject to a License Agreement". The license spelled out specific terms for the use of the data; one requirement was a no-resale rule. However, there was no "I Agree" button.

The district court found in Zeidenberg's favor (granting him summary judgment), but the Seventh Circuit reversed in 1996. The Seventh Circuit also found that the license was not preempted by federal copyright law, so its terms could be enforced as an ordinary contract. (A big part of Zeidenberg's argument was that copyright law preempted the license.)

Many click/shrink licenses forbid reverse engineering, generally not defined in the license but often (though not always) understood to mean disassembly of the executable. Is this enforceable? In Sega v Accolade (1993) and Sony v Connectix (2000), the Ninth Circuit has allowed disassembly if it is the only way to figure out how to create interoperating products.

In recent years, courts have generally looked with favor on click-wrap agreements that have an "I Agree" button, because this makes the user take some active step to agree with the terms. What happens if a user clicks by mistake is not clear, yet this happens fairly often in the online world.

However, usually the sorts of terms that the courts have upheld are relatively traditional:
If there were limitations on the use of the data, they would be more questionable. What if the MS Office EULA required that users submit to MS any articles written with Word that were critical of MS? At one point the MS .NET EULA had exactly that requirement: technical articles written about .NET had to be submitted to MS before publication. MS eventually dropped that requirement, replacing it with this one (or maybe this one). (Note that the new version still has elaborate rules.)

Note that if you make a physical product, you cannot waive liability in many states.

The 1999 UCITA proposal (an upgrade to the Uniform Commercial Code titled the Uniform Computer Information Transactions Act) made shrink-click licenses binding. However, UCITA then went nowhere.

It's probably a good thing UCITA went nowhere. UCITA required that software vendors be 100% liable for any flaws in their software, unless liability was disclaimed in a shrink-wrap license. In effect, large software vendors would have zero liability (though they would have to state that, up front). A more serious issue was that open-source developers, who don't use shrink-wrap licenses and don't require that you agree to any license (read the GPL!) would be 100% liable! That would be a problem.

Here's an example from the Vista Home Basic (and Home Premium) EULA. Is this a legitimate, enforceable requirement, or is it anticompetitive?

4. USE WITH VIRTUALIZATION TECHNOLOGIES. You may not use the software installed on the licensed device within a virtual (or otherwise emulated) hardware system.

By the way, note that if you install the appropriate version of Vista on a VM, the EULA states:

6. USE WITH VIRTUALIZATION TECHNOLOGIES. You may use the software installed on the licensed device within a virtual (or otherwise emulated) hardware system on the licensed device. If you do so, you may not play or access content or use applications protected by any Microsoft digital, information or enterprise rights management technology or other Microsoft rights management services or use BitLocker. We advise against playing or accessing content or using applications protected by other digital, information or enterprise rights management technology or other rights management services or using full volume disk drive encryption.

Note that exactly what constitutes "virtualization" is not as clear as it might seem to be.


The blog post https://www.troyhunt.com/no-vtech-cannot-simply-absolve-itself/ discusses how toy manufacturer VTech leaked -- through exceptionally poor security practices -- information on millions of children, including photos. VTech's response was to change their Terms of Service to include the following disclaimer:

You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties.

Should this be the end of the story? Do they have any responsibility to secure children's data?

VTech has now started selling home-security products.

In the case SoftMan Products v Adobe Systems, there was an interesting twist to all this. SoftMan bought Adobe software "collections" and resold the individual CDs. Adobe sued for violating their copyrights and their license. The court held that
This did not end the case, but Adobe was not granted summary judgment. I do not know if they pursued the case further.

Amazon unbox movie license, version 0.2

Here's a quote from Cory Doctorow, around 2007.

For example, if you buy a downloadable movie from Amazon Unbox, you agree to let them install spyware on your computer, delete any file they don't like on your hard-drive, and cancel your viewing privileges for any reason. Of course, it goes without saying that Amazon reserves the right to modify the agreement at any time.

The most interesting restriction (to me) was that you can only view Amazon Unbox movies at home. Not at someone else's home, or at work, or on the road, or in a hotel (all on your own laptop).

Amazon has since improved this license.

Generally speaking, there are several early licenses that have gradually become more reasonable over time.

Licenses and Jurisdiction

Generally, if you have a license, your jurisdiction applies. However, the license may require otherwise. What happens, though, if your jurisdiction has a consumer-protection rule that does not allow the license to specify the jurisdiction?

What about linking?

Is a link to a defamatory site a form of defamation? (It probably depends on the context.)
Is a link to "illegal" software forbidden?

The injunction that 2600 Magazine may not link to deCSS still stands today.

from wikipedia (http://en.wikipedia.org/wiki/Universal_v._Reimerdes)

In particular the Second Circuit ruled that linking on the Internet happened so fast that it could be restrained in ways that might not be constitutional for traditional media.

Also, apparently the defendants more or less admitted that they were providing links to deCSS for the purpose of making illegal DVD copies. Things might have been different had they linked for the purpose of research.

While we're at it, contemplate 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0. Is this a legal number?

Part of the issue with linking is that it can provide easy access to "forbidden" content such as circumvention software (deCSS) or copyrighted content (eg providing movie .torrents). For that part, providing the URL in "unlinked" form is probably also subject to regulation.

But the other part is conventional "deep links". These can be used to view a given page out of context, or to view a given page in a border provided by another page, or to avoid advertising. Should these kinds of links be subject to prohibition?

Is linking to a site a form of using that site without authorization? Possibly leading to a claim of trespass-of-chattels?
What about linking to other sites? Here are some issues the other site might have:

Search engines do this kind of linking and framing constantly.
For a while this was a serious issue, but it seems to be dying out. Lots of sites still have bizarre linking policies, though.

http://dontlink.com; alas, active site work stopped in 2002.

But see: http://www.americanexpress.com/shared/copyright/webrules.html, item 9, "Linked Internet Sites". Actually, this link is down as of Dec 2009, but it still appears on the americanexpress.com page!!

Symantec has a different approach: http://www.symantec.com/about/profile/policies/legal.jsp#linking (2009)

Linking to Symantec's Web Site

Symantec permits anyone to link to Symantec's web site subject to the linker's compliance with the following terms and conditions:
A site that links to Symantec's web site:

  1. May link to, but not replicate, content contained in Symantec's site;
  2. Must not create a border environment or browser around content contained in Symantec's site;
  3. Must not present misleading or false information about Symantec's services or products;
  4. Must not misrepresent Symantec's relationship with the linker;
  5. Must not imply that Symantec is endorsing or sponsoring the linker or the linker's services or products;
  6. Must not use Symantec's logos or trade dress without prior written permission from Symantec;
  7. Must not contain content that could be construed as obscene, libelous, defamatory, pornographic, or inappropriate for all ages;
  8. Must not contain materials that would violate any laws;
  9. Must agree that the link may be removed at any time upon Symantec's request pursuant to Symantec's reserved rights to rescind its consent to allow the link.

Rules 1-8 are entirely reasonable.

A few other issues