Saturday, October 27, 2007

"To" vs. "BCC": An Oldie but Goodie Strikes Again

For all of the talk amongst the cyberspace cognoscenti about high-technology security problems, it's good to be reminded that almost all of the 'oops' we've seen before today continue to haunt us.

I can't vouch for this story other than what we read here, but for what it's worth it's a good reminder to us all. There are reports out that an email was sent out by the US House Judiciary Committee to a group of people who had sent in anonymous notes to a whistle blower tip-box. The email was reminding all of how their identities were going to be kept secret.

Of course -- you guessed it -- the email was sent simultaneously to 150 anonymous tipsters by putting each of their email addresses into the "TO" field. Thus, everybody on the mailing list now knows the email addresses of the other 149. (Plus, all of the recipients were probably annoyed at having to scroll down through 7 inches of addresses before they got to the message!) The problem would have been mostly avoided by simply putting the recipients' addresses into the BCC field rather than the TO field. (Even then, the ISP that originally processes the email from the sender certainly has all of the BCC list on its logs, at least for some period of time, so it's not a totally safe maneuver.)
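The difference between the two ways of addressing such a notice can be checked before anything is sent. The following Python sketch is an added example, not code from the incident or from this blog; the function names and the sample addresses are constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

def _notice(sender, to_header, subject, body):
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to_header
    msg["Subject"] = subject
    msg.set_content(body)
    return msg

def build_exposed_notice(sender, recipients, subject, body):
    """The mistake: every recipient address is written into the To header."""
    return _notice(sender, ", ".join(recipients), subject, body), list(recipients)

def build_private_notice(sender, recipients, subject, body):
    """BCC-style: recipients travel only in the SMTP envelope (RCPT TO).

    The To header carries the sender's own address. The envelope list is still
    seen, and usually logged, by the mail servers that relay the message.
    """
    return _notice(sender, sender, subject, body), list(recipients)

def exposed_addresses(msg, envelope_recipients):
    """Return envelope recipients that other recipients can read in To or Cc."""
    if len(envelope_recipients) < 2:
        return []  # a single recipient only sees their own address
    headers = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    visible = {addr.lower() for _, addr in getaddresses(headers) if addr}
    return sorted(visible & {r.lower() for r in envelope_recipients})

# Constructed sample data, not taken from the incident.
SENDER = "tipbox@committee.example"
TIPSTERS = ["tipster1@example.org", "tipster2@example.net", "tipster3@example.com"]

if __name__ == "__main__":
    for build in (build_exposed_notice, build_private_notice):
        msg, rcpts = build(SENDER, TIPSTERS, "Your submission",
                           "Your identity stays confidential.")
        leaked = exposed_addresses(msg, rcpts)
        # A mailer would refuse to send when `leaked` is non-empty.
        print(build.__name__, "->", leaked or "no recipient address in headers")
```

A bulk mailer can run a check like `exposed_addresses` as a gate in front of the SMTP call and reject any multi-recipient message whose headers list the recipients.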

Without getting into the almost certain political fun that will follow, we can take this as a lesson. While we all work to stay up to date on the most cutting edge of exploits and security tactics, don't let the old ones fall out of sight and out of mind. The oldies but goodies are just as likely to bite you today as they were when they were new.

Monday, October 08, 2007

Electronic Contracting versus Laziness

This author has seen a spate of cases lately that some have been citing as the death knell of electronic contracting. To the contrary, I see nothing more interesting than a demonstration of how lazy implementation leads to predictable results. Frankly, had each of the parties in these matters simply followed the practices discussed in our Committee's ongoing series of articles, I doubt any of these contracts would have gone bad. But, in each case, the party setting up the contract took the lazy way towards setting up their system. Unlike just a few years ago, where judges were often unwilling to venture into these areas, the bench is now tackling the systems, and calling parties to task for their bad implementations.

In each of these matters, one party set up a system to implement something electronically, either through incorporation in one 'contract' of another set of terms posted on the Web, or through the use of a purported click-through system. But, the party who found himself on the enforcement side of those purported terms or contracts challenged their incorporation or enforcement. Let us take a quick look at two of these examples.

In Federal Trade Comm. v. Cleverlink Trading Ltd., 2007 WL 2875626 (USDC N.D.Ill. No. 05 C 2889), the FTC was doing battle over the remaining assets of the losing defendant in a CAN-SPAM enforcement action. At issue was whether a contract that Cleverlink's former credit-card service, Oceanic, claimed was in place would give the erstwhile Cleverlink's money to that provider or leave it for the FTC. Oceanic and its leader, a Mr. Sholes, admitted they had no signed copy of the contract. But, they did claim they sent an email to Cleverlink that contained a link to an application for the service. "Sholes contends that Cleverlink would have had to click an 'Accept' box and then digitally sign the document. [Later], Sholes sent an email to his attorney containing lines of computer code. Sholes stated in the email that the lines of code show that an email was sent to Cleverlink on March 11, 2005 with information on the processing agreement."

One might then hope that Mr. Sholes would have put his computer folks on the stand, maybe to do so little as to authenticate the business records purportedly portrayed in that email, or even better to explain what the email might mean and why. But, I can only gather that he rested his case on nothing more than his email. As we might guess, that did not cut it.

Without explanation, this Court cannot understand the lines of computer code in Sholes' email. Although Sholes stated in his email that the code lines came from Oceanic's servers, he had no first-hand knowledge regarding how and from where the code was retrieved. Sholes also could not interpret the code lines and explain how they can be read to prove that an email was sent to Cleverlink with a link to the [agreement]. Relief Defendants have provided no affidavit or testimony from anyone with actual knowledge of how and from where the code lines were retrieved. Likewise, there is no affidavit deciphering the lines of computer code. Even if the lines of codes proved that an email was sent to Cleverlink, [the card provider] still would be several steps from establishing that Cleverlink accepted the [agreement] submitted to the Court. First, there is no evidence that Cleverlink responded to the email or otherwise visited Oceanic's Web site. Sholes testified that any such evidence was deleted from Oceanic's servers before the FTC served Oceanic. Second, there is no evidence that whatever document was linked in Sholes' email contained the increased chargeback fees [at issue in this matter]. In this regard, Sholes did not retain a copy of the [agreement] and has indicated uncertainty regarding its exact terms. In the end, [Oceanic has] no competent evidence that Cleverlink electronically accepted the terms of the MPPSA.

(Citations omitted.)

So class, can you go through that last paragraph and put together a check-list for your next client who plans to proffer an electronically-solemnized agreement in court?

(Thanks to committee member Eric Goldman for pointing this one out to me.)

The other case in mind is Manasher v. NECC Telecom (USDC E.D. Mich., No. 06-10749, 9/18/07). Here, telephone company NECC attempted to incorporate terms in the parties' contract that NECC had posted on the web -- a technique our Cyberspace folks have viewed favorably, but only if the incorporation is clear and understandable, and is done in a manner where the other party is clearly shown to have taken an action to agree. Here, the telephone company did just about everything it could to do it incorrectly. It signed up the customers over the phone without mention of a contract, it started to provide the services without any need for the customer to indicate agreement with terms, and it tried to incorporate its web terms by burying a line deep inside of the mailed invoice:

After the phone service began, Plaintiffs received an invoice. The second page of the invoice has five boxes containing five statements. The titles of the five statements are: (1) Recurring Fee; (2) Referral Discount 5%; (3) Preferred Customer Plan 'PCP,' Standard Customer Plan 'SCP;' (4) Rates; and (5) Agreement (Disclosure and Liabilities). [Motion, Exhibit D and E]. The fifth box, containing the statement regarding the 'Disclosure and Liabilities' is at issue. The statement provides "NECC's Agreement 'Disclosure and Liabilities' can be found online at www.necc.us or you could request a copy by calling us at (800) 766 2642."

NECC argued that this was adequate to incorporate the text of 'Disclosures and Liabilities', which was in fact a set of purported contract terms including an arbitration clause that was at stake in this suit. The court did not agree.

The language does not betray a clear intent that the Disclosure and Liabilities Agreement be considered part of the contract between the parties. NILAC, supra. Nothing in the statement clearly indicates that the Disclosure and Liabilities Agreement applies to the service contract between the parties, that it forms any part of the agreement between the parties, or that it is intended to be incorporated into the agreement between the parties. The statement merely informs the reader of where to find "NECC's Agreement 'Disclosure and Liabilities.'" Further, the statement is the last of five statements, written in plain text, on the second page of the invoice. There are no allegations of any other references to the Disclosure and Liabilities Agreement either in writing, or in the verbal dealings with Defendant. Thus, the Disclosure and Liabilities Agreement is not incorporated by reference....

---------------

I believe that had each of the parties setting up the systems in the above cases simply followed, both in their legal analysis as well as in their implementation, the simple principles our group's authors have long espoused, none of this would have come to pass (for them at least...). If you haven't reviewed them recently, take a new look at the two seminal articles published by members of our Committee -- The original Click-Through article, and the later Browse-Wrap article. Professor Christina Kunz and her team of authors in each article have provided clear pathways towards successful implementation.

Of course, it's up to each of you lawyers advising your clients to ensure that these principles actually get followed on the ground in a meaningful manner. Our jobs do not end when we've written the text of the agreements. We must be aware of the process used to get those contracts in front of others, and challenge those processes if they do not lead to clean and admissible evidence. Alternatively, if we allow our clients to take lazy ways through these processes, we are likely to be getting called out later when the contracts fail to be enforced because they were never entered into in the first place!