Security Concerns in Licensing Agreements, Part One: Clickwrap and Shrinkwrap Agreements

Jul 04, 2002 02:00 AM

by Steven Robinson


This is the first of two articles that will discuss some security-related aspects of software licenses and agreements for Web-based information services. Part One will focus on shrinkwrap and clickwrap agreements. Part Two will emphasize individually negotiated agreements, with particular regard to the opportunities for information security professionals to work with legal counsel in the negotiation and preparation of such agreements.

Licensing Agreements - The Security Issues

Clickwrap and shrinkwrap agreements are facts of life for just about anyone involved with information technology. Buy software from a brick and mortar vendor, and you will find that your rights to use it are governed by what has come to be known as a "shrinkwrap agreement", a lengthy printed agreement that appears in the documentation for the software and electronically as part of the installation process. A "clickwrap agreement" is the electronic equivalent of a shrinkwrap agreement. Buy software on-line or subscribe to an on-line service and you will likely find that your rights to access and use the software or services are governed by a clickwrap agreement; that is, an agreement that appears in screens that you must navigate through before you are able to use the program or services in question.

This article will discuss why shrinkwrap and clickwrap agreements are an important part of the legal infrastructure for bringing software and information services to market and why security professionals need to be particularly aware of some issues that these licensing agreements present.

Why Should Security Professionals Care?

Many people view these agreements as barriers to progress, and our common experience of software installation and similar transactions makes it easy to see why. Few, if any, users read these agreements. At the same time, it is unlikely that software vendors will know of, much less do anything about, an individual user's violation of licensing agreement provisions. So, if essentially no one reads shrinkwrap or clickwrap agreements, and if they often go unenforced, they may seem like a needless bother.

But for information security professionals, particularly for those working in smaller enterprises, shrinkwrap and clickwrap agreements are essential reading. When you depend on software to control security risks, that control comes, in part, from the sense that the firewall, anti-virus or other software you choose will do its job as promised, and that if it does not, you will have recourse against the company that licensed that software to you. Of course, your rights depend on what your software license says. That means that you won't know what your rights are - or how protected you may be - unless you read the agreement. Furthermore, software vendors, including security software vendors, may take advantage of their control over shrinkwrap or clickwrap agreements to insert provisions that virtually eliminate users' recourse against them. The user agreement for one award-winning security software product states, in part, that:

"YOU AGREE THAT [SOFTWARE PROVIDER] HAS MADE NO EXPRESS WARRANTIES, ORAL OR WRITTEN, TO YOU REGARDING THE SOFTWARE AND THAT THE SOFTWARE IS BEING PROVIDED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND. [SOFTWARE PROVIDER] DISCLAIMS ANY AND ALL OTHER WARRANTIES, WHETHER EXPRESSED, IMPLIED, OR STATUTORY, INCLUDING, BUT WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF NONINFRINGEMENT OF THIRD PARTY RIGHTS, MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE. ...YOU MUST ASSUME THE ENTIRE RISK OF USING THE PROGRAM. IN NO EVENT SHALL [SOFTWARE PROVIDER] BE LIABLE TO YOU FOR ANY DAMAGES, INCLUDING ANY LOST PROFITS, LOST SAVINGS, OR OTHER INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND ARISING OUT OF THE USE OF THE [SOFTWARE PROVIDER'S] SOFTWARE, EVEN IF [SOFTWARE PROVIDER] HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT WILL [SOFTWARE PROVIDER'S] LIABILITY FOR ANY CLAIM, WHETHER IN CONTRACT, TORT, OR ANY OTHER THEORY OF LIABILITY, EXCEED THE LICENSE FEE PAID BY YOU, PROVIDED, HOWEVER, IF THE RELEVANT SOFTWARE WAS PROVIDED TO YOU AT NO CHARGE YOU AGREE [SOFTWARE PROVIDER] SHALL NOT BE LIABLE TO YOU FOR ANY DAMAGES. THIS LIMITATION SHALL APPLY TO CLAIMS OF PERSONAL INJURY TO THE EXTENT PERMITTED BY LAW."

The capsule translation of this language is that the software provider accepts essentially no responsibility for the consumer's use of its product, even if the software fails to perform as promised and compromises the user's security, and the problem is entirely the software provider's fault. It is possible, of course, that a court might not enforce such terms, but that prospect is remote. If you click the "I Agree" button, you agree to the terms stated, and as a general rule, you should expect to be bound by them.

In addition to these concerns, as pointed out in Rick Forno's SecurityFocus column Software Licensing: The Hidden Threat to Information Security, some licenses give vendors "the right to enter your premises and access your records and computer systems to verify that you have paid to [the vendor] the correct amounts owed under this License and determine whether the Products are being used in accordance with the terms of this License." Furthermore, according to Forno, licensing agreements may limit the user's right to discuss the product. As a result, there may be only a limited dialogue among security professionals as to whether the security software in question is effective.

What this all means is that careful security professionals need to understand why and how shrinkwrap and clickwrap agreements work, and be prepared to work with counsel to assess the terms of such agreements as part of the determination of whether and how a given product or service controls risk. With that in mind, let's review the basic considerations that underlie shrinkwrap and clickwrap agreements.

Background

Anyone who has intellectual property, such as software and Web-based information services, to sell can only bring it to market by giving others access to it. Ideally, licenses permit the product or service to come to market in a way that ensures that individual users each have productive use of the product or service at a cost they are prepared to pay, but without limiting the vendor's ability to earn additional revenue from other users for the same product or service. Striking deals that accomplish these goals is what the negotiation of licenses is all about. (The upcoming second article in this series will discuss negotiated licenses.)

But as the size of the potential user group for software or information services increases, logistics make the use of individually negotiated licenses and service agreements progressively more difficult and ultimately impossible. The sheer number of transactions, the variations in the length and amount of potential use, and multitude of hardware and software configurations in common use, to name only a few factors, make it impossible to bring mass-market products and services to their users one agreement at a time. Add the potential for doing business over the Web, with users who may be geographically remote from the vendor, and it becomes clear that, for the sake of vendors and users alike, the business of bringing software or information services to a sizeable market requires a standardized, uniform approach to entering into software licenses and similar agreements.

So, in theory, shrinkwrap and clickwrap agreements serve the interests of both vendors and users. Vendors are able to bring their intellectual property to market under uniform license agreements that users can enter into easily. Vendors typically make breaking the seal on the envelope containing their software, or any attempt to install or use the software, the act that constitutes the user's acceptance of the entire shrinkwrap license agreement. In the case of clickwrap agreements, the process is analogous: clicking the button labelled "I Agree" or the equivalent is the act that constitutes acceptance.

For their part, users are able to enter into agreements for access to the software and services they want simply by clicking a button labelled "I Agree" or by opening the envelope bearing the software. In fact, breaking the seal on an envelope or clicking an "I agree" button is so easy that many users may not be fully aware that doing either is an act of legal significance, the equivalent of signing a written agreement. Users may break the envelope's seal or click the "I Agree" button just to get on with business, without understanding that, whether they have read it or not, they are entering into a binding legal agreement.

In practice, the use of shrinkwrap and clickwrap agreements does more than simply eliminate repetitive negotiations. This method of contract formation has inherent advantages for vendors and service providers. Without the give and take that negotiation provides, vendors and service providers have total control over both the contents of shrinkwrap and clickwrap agreements and the manner in which they are presented to prospective users. Predictably perhaps, vendors sometimes take advantage of their control of these agreements, and the fact that users often have more urgent priorities than carefully scrutinizing such agreements, to insert provisions that may be unexpected, unpalatable, or unfair.

Are Shrinkwrap and Clickwrap Agreements Enforceable?

It is now fairly well established that shrinkwrap and clickwrap agreements are legally binding and enforceable. The early decisions in this area resolved most of the basic concerns about mass-market licenses in favor of enforceability. For example, provided that the user knows that the transaction is subject to additional terms and has a right to return the software and receive a refund in the event that those terms prove unacceptable, courts have ruled against users who argued that the terms of shrinkwrap or clickwrap agreements should not be enforced because the users had not read them or because there was no opportunity to read all the terms before payment.

The enforceability of contracts in the United States is governed primarily by state law, and it is probably too soon to say that the enforceability of shrinkwrap and clickwrap agreements has been definitively established throughout the United States. Nevertheless, there is a growing consensus that the procedures for shrinkwrap and clickwrap agreements outlined above generally yield enforceable agreements. It looks very much as if shrinkwrap and clickwrap agreements are here to stay.

Limitations and Qualifications

That said, there are instances in which certain shrinkwrap and clickwrap agreements have not been enforced. As you might expect, courts will not enforce shrinkwrap or clickwrap agreements in situations where the vendor's procedure for contract formation is flawed and, as a result, the terms of the license never become part of the agreement between the vendor and the user. The following cases illustrate some examples in which licensing agreements have been found to be unenforceable.

Specht versus Netscape Communications Corp.

Specht v. Netscape, 2001 WL 755396 (S.D.N.Y. July 5, 2001), involved the alleged clickwrap agreement for Netscape's SmartDownload software, which improves the process of downloading files from the Internet by allowing users to resume interrupted downloads from the point of interruption, eliminating the need to start downloading the file again from the beginning. Netscape made SmartDownload available for download on its Web site at no charge. Although the download page referred to the SmartDownload license agreement, the reference appeared far from the button labelled "Download," below the fold, that is, where the reference to the agreement would not be seen until or unless the user scrolled down. Even then, the notice read, "Please review and agree to the terms of the Netscape SmartDownload software license agreement before downloading and using the software." This language was, in the court's words, a "mere invitation," that is, there was no requirement or obligation that users agree to, or even review the license before downloading and using the software.

When a group of users sued Netscape for allegedly using SmartDownload to collect private information about their Internet activity without their knowledge, Netscape tried to have the proceedings dismissed on the grounds that the SmartDownload license agreement required that all disputes be submitted to binding arbitration. However, because Netscape had failed to require that the users agree to the license before downloading and using SmartDownload, there was no basis for finding that the users had agreed to arbitrate their claims. In fact, by proceeding as it had, Netscape had distributed SmartDownload essentially as a giveaway, without any agreement with the users who downloaded it.

Klocek versus Gateway, Inc.

Klocek v. Gateway, Inc., 104 F.Supp. 2d 1332 (D.Kansas 2000), shows the same principle at work in the context of a shrinkwrap agreement. In Klocek, the court found that by ordering a computer, the user had made an offer to buy a computer that Gateway accepted by sending the computer and accepting payment. There was a shrinkwrap license enclosed in the box with the computer, but Gateway never made its acceptance conditional on the purchaser's agreement to the shrinkwrap agreement. The shrinkwrap terms never became part of the agreement between the parties, and the court refused to enforce the arbitration provision they contained.

Williams versus America Online, Inc.

Finally, Williams v. America Online, Inc., 2001 WL 1356825 (Mass.Sup.Ct. February 8, 2001), shows that the rules for contract formation can help to address abuses of the inequality in bargaining position that shrinkwrap and clickwrap agreements involve. Williams involved claims brought against AOL in Massachusetts state court by a group of users whose computer systems were changed by AOL's installation software, resulting in their inability to access the Internet, send or receive e-mail, or access certain files except by using AOL. AOL attempted to have the case dismissed on the grounds that AOL's clickwrap agreement contained a forum selection clause requiring that "any claim or dispute with AOL" be litigated in Virginia. However, the evidence showed that: (a) AOL's software altered the users' systems before they had a chance to review the clickwrap agreement; and (b) the alterations would proceed even when users rejected the agreement. Given that the users' systems were changed before the agreement could be reviewed, users had no notice of the forum selection clause and no opportunity to accept or reject it. The court ruled that under these circumstances, AOL could not invoke the forum selection clause to require the users to proceed in Virginia.

Enforceability Requirements

Of course, shrinkwrap and clickwrap agreements also have to meet the same requirements for enforceability that apply to agreements generally. When those requirements are not met, the agreements are not enforced. For example, in Brower v. Gateway, 246 A.D.2d 246, 676 N.Y.S.2d 569 (1st Dept. 1998), the court refused to enforce the arbitration clause in Gateway's shrinkwrap agreement, under which Gateway purchasers with claims against the company could not sue but were instead required to arbitrate, paying a $4000 fee, $2000 of which was non-refundable, to participate in arbitration proceedings in Chicago, and to pay Gateway's legal fees in the event that they lost. Given that few if any purchasers' claims were likely to be worth what an arbitration under these circumstances would cost, the court found this clause "unconscionable," that is, "unreasonably favorable" to Gateway, and would not enforce it. The court in Williams applied a similar line of reasoning.

Because the law will generally enforce contractual provisions other than those that are "unreasonably favorable" or those that fall within other similarly narrow exceptions, there is substantial room for vendors to insert provisions that work to their advantage and are troublesome to users, such as the intrusive inspection and audit provisions that Richard Forno discussed in his column. The inherent uncertainty in determining what courts will see as "unreasonably" favorable to vendors means that users, particularly commercial users, cannot count on "unconscionability" or similar doctrines to relieve them of contract provisions, except in extraordinary cases.

What's Next?

The next major development concerning shrinkwrap and clickwrap agreements will likely concern the application of the Uniform Commercial Code (UCC) and the Uniform Computer Information Transaction Act (UCITA) to such agreements. The UCC applies to agreements for the sale of goods, and technically speaking, neither software licenses nor agreements for services qualify. Nevertheless, certain courts look to the economic realities of the transaction to bring software licenses within the UCC, and others have "assumed, without deciding" that the UCC applies to software licenses. Courts extend the UCC to software licenses and agreements for services because it has been adopted throughout the United States, is well understood, and because at present there is no other single law in effect throughout the United States that governs the interpretation of such agreements. UCITA was intended to provide such a law but, to date, it has only been enacted in two states. It has been widely criticized, notably in a January 2002 report by a working group appointed by the American Bar Association's Board of Governors.

Conclusion

Shrinkwrap and clickwrap agreements provide the practical means for bringing software and information services to large and far-flung markets. Despite the potential for overreaching by vendors, they are part of the information technology landscape for individual users and small businesses.

Security professionals should consider the issues that shrinkwrap and clickwrap licenses pose whenever the effort to secure systems requires the use of software and services that are made available under such agreements. It would be prudent for them to have the organization's legal counsel vet any such agreements prior to purchasing, installing, and running any such security software or service, including any patches, revisions or updates.

As part of routine product or service selection processes, security professionals should assess the recourse, or lack thereof, that these agreements provide in the event that the product or service fails or causes other security or technological problems. Excesses in these agreements that fall short of being unconscionable, and similar limitations, may have to be addressed by the market, through users' demonstrated preference for doing business with vendors who use these agreements more evenhandedly and, where circumstances permit for commercial users, by negotiating individual terms.

Steven Robinson is an intellectual property and information technology attorney practicing in New York. Mr. Robinson is a professor of technology management at Stevens Institute of Technology, and a former consultant to the Technology, Intellectual Property and Privacy practice in the Office of the General Counsel of Merrill Lynch. He has specialized in intellectual property and information technology matters since 1992, and in 1998, he received a grant from the United States Department of State to teach intellectual property and Internet law abroad.


This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.


Comments

Nov 30, 2016 02:03 AM

Very interesting and important article. In organizations where employees have privileges to install software, or at least browse the web and subscribe to SaaS services, it's important for the organization to be aware of the license agreements (including EULA and TOS) which the employees have agreed to, due to their legally binding nature and the security threat they might become.

Binadox (www.binadox.com) enables monitoring of end user hosts and captures accepted click-through agreements so that legal, security and IT professionals can be aware of those agreements' terms and act accordingly. Are you familiar with additional solutions which address such a threat?
