Court: Retailers Not Bound To Online Promises. Their Shoppers Are
Written by Mark RaschAttorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.
A recent dismissal of a class-action lawsuit against the LinkedIn (NYSE:LNKD) social network raises the question of whether anyone is bound to keep the promises they make on their website at all. If taken at face value, the court’s dismissal means that companies are not bound to meet their own promised obligations but their customers are bound to comply with the Terms and Conditions of the website, whether they read them or not.
When LinkedIn premium customers Katie Szpyrka and Khalilah Wright learned that the website operator had been hacked, and that 6.5 million stolen LinkedIn passwords had been posted on the Internet (together with the user’s e-mail address), they went to sue LinkedIn for failing to provide adequate security and appropriate encryption for these passwords. Because users frequently use the same passwords for multiple accounts, stealing their LinkedIn passwords and E-mail addresses might expose a host of other accounts to compromise. Szpyrka and Wright (well, their lawyers, at least) sued for damages, asserting—among other things—that LinkedIn’s privacy policy was breached. The privacy policy, they argued, was a binding contract, and by failing to protect the passwords adequately, LinkedIn breached that contract.
LinkedIn told its customers: “Of course, maintaining your trust is our top concern, so we adhere to the following principles to protect your privacy: ‘All information that you provide will be protected with industry standard protocols and technology.'”
The “Security” section of the Privacy Policy stated: “In order to help secure your personal information, access to your data on LinkedIn is password-protected, and sensitive data (such as credit-card information) is protected by SSL encryption when it is exchanged between your Web browser and the LinkedIn website. To protect any data you store on our servers, LinkedIn also regularly audits its system for possible vulnerabilities and attacks, and we use a tier-one secured-access datacenter. However, since the Internet is not a 100 percent secure environment, we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. It is your responsibility to protect the security of your login information. Please note that E-mails, instant messaging, and similar means of communication with other Users of LinkedIn are not encrypted, and we strongly advise you not to communicate any confidential information through these means.”
The class-action plaintiffs argued that by failing to use what is called salted encryption (which randomizes the keys to encrypt data), LinkedIn did not—as it promised—use “state of the art” security. This failure, according to the plaintiffs, caused them harm and damage, and breached the contract.
Not so fast, said the federal district court judge.
On March 5, Judge Edward Davilia in San Jose dismissed the class-action lawsuit. Remember that “promise” of security? It’s not binding. Not because it was too vague or because “state of the art” doesn’t mean much. No, that would be understandable. The court held that the online promise wasn’t supported by “consideration.” That is, premium subscribers were not paying LinkedIn for security; they were paying for premium services such as InMail (the ability to send E-mail to other LinkedIn subscribers), among others. Because the subscriber wasn’t paying for security, there was no binding “contract” to provide security. Lack of consideration.
But the court went further. LinkedIn wasn’t bound to its promise because, as the court noted, “Plaintiffs do not even allege that they actually read the alleged misrepresentation—the Privacy Policy—which would be necessary to support a claim of misrepresentation.” How can you be deceived by a privacy policy you didn’t even read? The court found that, to be enforceable, the “contract”—that is, the privacy policy—would have to have been read by the plaintiff, who would have had to understand it, rely on it and provide the company with “consideration” in return for the promises in the policy. Oh, and the court finally dismissed the class action because, in the judge’s opinion, the plaintiffs suffered no real economic harm from the breach.
This is a strange (but not unprecedented) way of looking at online contracts. Think about it. The consumer is bound by the terms of contracts, privacy policies, terms of use, terms of service, end-user license agreements, copyright notices or other online (or offline) contracts, whether they have read them or not. That 4-page microtype rental car agreement where you allow the rental agency to track your movements and charge you a non-refundable $500 fine if you travel into Mexico? Enforceable, even if you never read it, because you had the opportunity to read it.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
