Evan Schuman's StorefrontBacktalk

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

It’s not just those birds that are angry these days. The process by which Apple allows teens, pre-teens and even toddlers to download free apps, and then purchase game currencies within these free apps, may have landed the computer giant in hot water—with both parents and at least one federal district court in San Jose.

The case revolves around a longtime legal reality: Minors cannot agree to a contract. If they pretend to agree, it’s non-binding and can’t be enforced. But what if an adult gives the child their password and permission to make a purchase? It’s still the child doing it and the contract, therefore, probably can’t be enforced.

Last month, U.S. District Court Judge Edward Davila—in In Re Apple In-App Purchase Litigation, Dkt. No. 5:11-CV-1758 EJD (N.D.Ca., San Jose Div., March 31, 2012)—allowed a class-action lawsuit against Apple to proceed. Parents alleged that the software/hardware/music/let’s-face-it-everything giant configured its iTunes service to allow kids who typed in a parent’s password (to download the free app) to, for at least 15 minutes, continue to use the credential to download in-game apps for hundreds, if not thousands, of dollars.

Related Story: If Court Rules That Minors Can’t Be Made To Pay For Digital Purchases, M-Commerce Will Need A Massive Overhaul

Now, the fact that the case was allowed to proceed doesn’t mean that the angry parents will eventually win anything. But it does mean that, in designing a payment system and an accompanying authentication scheme, merchants and others must be aware of how such systems can be abused—even by those we might otherwise trust.

Up until a few months ago, when you logged into the iTunes app store to buy an app (technically, you never actually buy an app, you just license it), the owner of the account (let’s say Mom or Dad) would have to enter an authentication password (the user ID or E-mail address was saved). Although many apps cost from $4.99 to as much as $49.99, many of them are either free or a nominal amount, like 99 cents. Mom and Dad can handle a buck or two.

One can imagine a typical scenario—screaming kids in the car, fighting over the iPad or iPhone, one yelling, “Mommy, I want to download the zombies vs. werewolves vs. aliens app.” She responds, “How much is it?” The answer: “It’s free.” Hearing the magic word, Mom says, “no problem,” and either enters or tells the kid the password for the free app.

By the time they reach their destination, the kids have downloaded not only the app but also dozens of werewolves and aliens. For a price.

Now some legal basics. On the one hand, the iTunes agreement itself (which the parents could have seen when they created the account) says that “you are solely responsible for maintaining the confidentiality and security of your account and for all activities that occur on or through your account” and “Apple shall not be responsible for any losses arising out of the unauthorized use of your account.”

On the other hand is the basic legal principle that, to be liable under a contract, the party must have the capacity to enter into a contract—and for that you have to be of legal age. Clearly, a child has no capacity to enter into a contract. So, is the kid’s use of the persistent token (the password) an “unauthorized use” of the parent’s account for which the parent is liable? Not really.

The use is kinda sorta authorized.