Bill to ban terms of service that say you're not allowed to complain

Introduced by Eric Swalwell (D-CA), the draft Consumer Review Freedom Act bans the "un-American" practice of making people agree not to complain as a condition of using websites.

Paranoid Paul: get notified of silent, sneaky terms of service updates


Paul writes, "I've created a free service called ParanoidPaul that notifies you when updates are made to the terms that affect you. I strongly believe that the websites we use every day should be accountable to their users, and transparent about changes made to their privacy policies and terms of services."

Some considerations for potential XKCD phone purchasers

Randall Munroe's xkcd Phone has the greatest warning label of all time: "Presented in partnership with Qualcomm, Craigslist, Whirlpool, Hostess, LifeStyles, and the US Chamber of Commerce. Manufactured on equipment which also processes peanuts. Price includes 2-year Knicks contract. Phone may extinguish nearby birthday candles. If phone ships with Siri, return immediately; do not speak to her and ignore any instructions she gives. Do not remove lead casing. Phone may attract/trap insects; this is normal. Volume adjustable (requires root). If you experience sudden tingling, nausea, or vomiting, perform a factory reset immediately. Do not submerge in water; phone will drown. Exterior may be frictionless. Prolonged use can cause mood swings, short-term memory loss, and seizures. Avert eyes while replacing battery. Under certain circumstances, wireless transmitter may control God."

You bought it, you own it, right?

In the latest Electronic Frontier Foundation post for Copyright Week, Corynne McSherry tackles one of the most troubling aspects of modern copyright law: the idea that even though you've bought a device or a copyrighted work to play on it, they're not really your property. Because of the anti-circumvention rules (which are supposed to backstop "copy protection"), it's illegal to discover how your technology works, to tell other people how their technology works, to add otherwise lawful features to your technology, and to make otherwise lawful uses of your media.

Apps come bundled with secret Bitcoin mining programs, paper over the practice with EULAs


Researchers at Malwarebytes have discovered that some programs covertly install Bitcoin-mining software on users' computers, papering over the practice by including sneaky language in their license agreements allowing for "computer calculations, security."

The malicious programs include YourFreeProxy from Mutual Public, AKA We Build Toolbars, LLC, AKA WBT. YourFreeProxy comes with a program called Monitor.exe, which repeatedly phones home to WBT, eventually silently downloading and installing a Bitcoin mining program called "jhProtominer."

Terms and Conditions May Apply: documentary about abusive license terms, privacy and surveillance

Cullen Hoback's documentary "Terms and Conditions May Apply" is a scathing look at the abusive, lengthy fine-print that dominates our online lives. If the YouTube trailer and the non-embeddable Guardian trailer are representative, this is an important and timely film. I do quibble with one point -- the movie doesn't distinguish between the stupid license agreements that are a function of a stupid law (for example, requiring LinkedIn users to license the stuff they give to LinkedIn so that LinkedIn can display it) and the ones that are pure greed and venality (AT&T making you agree to extrajudicial wiretapping).

Hoback has an op-ed in today's Guardian where he sets out his thesis with great clarity, and draws the important connection between Patriot Act surveillance and fine-print "agreements." Unfortunately, the video itself seems to be exclusively available through iTunes, which has some pretty dreadful license terms, and mandatory DRM to boot.

Court finds for man who rewrote the credit-card fine-print to give himself unlimited, interest-free credit


A wily Russian fellow crossed out the fine-print on an unsolicited credit-card application from Tinkoff Credit Systems in 2008 and wrote in his own terms, giving himself unlimited, interest-free credit and exemption from all fees, with a 3MM ruble fee should the bank change the terms and a 1MM ruble fee should they cancel his card. He crossed out the URL giving the terms and conditions and wrote in his own. And a court has ruled that his changes -- which were blindly accepted by the bank -- are binding. He's now suing them for breach of contract, since they refused to pay him the cancellation fee he'd written in -- he's seeking USD727,000.

Today, we save the Internet (again): fix the CFAA!

Read this if you want to stay out of jail.

When my friend Aaron Swartz committed suicide in January, he’d been the subject of a DoJ press-release stating that the Federal prosecutors who had indicted him were planning on imprisoning him for 25 years for violating the terms of service of a site that hosted academic journals.

How to fix the worst law in technology

Tim Wu's New Yorker piece on Aaron Swartz and the Computer Fraud and Abuse Act explains how Obama could, with one speech, fix the worst problem with the worst law in technology. The CFAA makes it a felony to "exceed your authorization" on a computer system, and fed prosecutors have taken the view that this means that if you violate terms of service, you're a felon, and they can put you in jail. As Wu points out, Obama doesn't need Congress to pass a law to fix this, he could just tell the DoJ that they should stop doing this. There's plenty of precedent, and it would be excellent policy.

When judges or academics say that it is wrong to interpret a law in such a way that everyone is a felon, the Justice Department has usually replied by saying, roughly, that federal prosecutors don’t bother with minor cases—they only go after the really bad guys. That has always been a lame excuse—repulsive to anyone who takes seriously the idea of “a government of laws, not men.” After Aaron Swartz’s suicide, the era of trusting prosecutors with unlimited power in this area should officially be over...

There is a much more immediate and effective remedy: the Justice Department should announce a change in its criminal-enforcement policy. It should no longer consider terms-of-service violations to be criminal. It can join more than a dozen federal judges and scholars, like Kerr, who adopt a reasonable and more limited interpretation. The Obama Administration’s policy will have no effect on civil litigation, so firms like Oracle will retain their civil remedies. President Obama’s DREAM Act enforcement policy, under which the Administration does not deport certain illegal immigrants despite Congress’s inability to make the act a law, should be the model. Where Congress is unlikely to solve a problem, the Administration should take care of business itself.

All the Administration needs to do is to rely on the ancient common-law principle called the “rule of lenity.” This states that ambiguous criminal laws should be construed in favor of a defendant. As the Supreme Court puts it, “When choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite.” So far, at least thirteen federal judges have rejected the Justice Department’s interpretation of the Computer Fraud and Abuse Act. If that’s not a sign that the law is unclear and should be interpreted with lenity, I don’t know what is.

Fixing the Worst Law in Technology

Zappos's crappy EULA found unenforceable, leaving Zappos without a legal leg to stand on

Of all the stupid clauses in the license "agreements" that the Internet crams down your throat, the cake-taker is "this agreement subject to change without notice." In other words, you're "agreeing" to anything and everything that the company dreams up, for the rest of time. This clause -- and its place in a "browsewrap agreement" that you supposedly agreed to just by visiting a website with "by visiting this website, you agree to our terms of service" on the bottom of it -- was found to be unenforceable by a federal judge in Nevada, who voided out the company's whole agreement on that basis, leaving the company vulnerable to lawsuits after a password leak affecting 24 million customers.

Eric Goldman's posted analysis:

Zappos can hardly be surprised by this adverse judicial ruling. We have known for years that browsewraps are unenforceable (see some of the cases discussed here) and judges clearly dislike unilateral amendment clauses (see, e.g., the uncited Ninth Circuit's Douglas ruling from 2007 and the cited 2009 ruling in the Blockbuster/Facebook Beacon case).

Still, the ruling leaves Zappos in a bad position. Its contract is legally irrelevant, meaning that all of the risk management provisions in its contract are ineffective--its disclaimer of warranties, its waiver of consequential damages, its reduced statute of limitations, its clause restricting class actions in arbitration...all of these are gone, leaving Zappos governed by the default legal rules, which aren't nearly as favorable to it. Losing its contract provisions meant Zappos is legally naked.

Avoiding this outcome is surprisingly easy. Use clickthrough agreements, not browsewraps, and remove any clauses that say you can unilaterally amend the contract.

That's pretty grim: you can load up nearly any BS you want in a EULA, and so long as you stick it in a clickthrough "agreement," it's binding. Good time to remind you all of my own email sig, the original "Reasonable Agreement":

READ CAREFULLY. By reading this email, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

Feel free to use this in your own contexts, of course!

How Zappos' User Agreement Failed In Court and Left Zappos Legally Naked (Forbes Cross-Post)

Mandatory "agreement" for Playstation Network users waives your right to class actions over future hacks

The next time you log into your Sony Playstation Network account, the company is going to ask you to click through a EULA whereby you promise not to sue them in a class action if they get hacked again, even if they're negligent, and even if you get screwed over as a result. If you don't agree, no more PSN for you. (Thanks, @sickkid1972!)