Angry Nerds: The iTunes Youth Legal Nightmare

Written by Mark Rasch
April 25th, 2012

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

It’s not just those birds that are angry these days. The process by which Apple allows teens, pre-teens and even toddlers to download free apps, and then purchase game currencies within these free apps, may have landed the computer giant in hot water—with both parents and at least one federal district court in San Jose.

The case revolves around a longtime legal reality: Minors cannot agree to a contract. If they pretend to agree, it’s non-binding and can’t be enforced. But what if an adult gives the child their password and permission to make a purchase? It’s still the child doing it and the contract, therefore, probably can’t be enforced.

Last month, U.S. District Court Judge Edward Davila—in In Re Apple In-App Purchase Litigation, Dkt. No. 5:11-CV-1758 EJD (N.D.Ca., San Jose Div., March 31, 2012)—allowed a class-action lawsuit against Apple to proceed. Parents alleged that the software/hardware/music/let’s-face-it-everything giant configured its iTunes service to allow kids who typed in a parent’s password (to download the free app) to, for at least 15 minutes, continue to use the credential to download in-game apps for hundreds, if not thousands, of dollars.

Now, the fact that the case was allowed to proceed doesn’t mean that the angry parents will eventually win anything. But it does mean that, in designing a payment system and an accompanying authentication scheme, merchants and others must be aware of how such systems can be abused—even by those we might otherwise trust.

Up until a few months ago, when you logged into the iTunes app store to buy an app (technically, you never actually buy an app, you just license it), the owner of the account (let’s say Mom or Dad) would have to enter an authentication password (the user ID or E-mail address was saved). Although many apps cost from $4.99 to as much as $49.99, many others are either free or cost a nominal amount, like 99 cents. Mom and Dad can handle a buck or two.

One can imagine a typical scenario—screaming kids in the car, fighting over the iPad or iPhone, one yelling, “Mommy, I want to download the zombies vs. werewolves vs. aliens app.” She responds, “How much is it?” The answer: “It’s free.” Hearing the magic word, Mom says, “no problem,” and either enters or tells the kid the password for the free app.

By the time they reach their destination, the kids have downloaded not only the app but also dozens of werewolves and aliens. For a price.

Now some legal basics. On the one hand, the iTunes agreement itself (which the parents could have seen when they created the account) says that “you are solely responsible for maintaining the confidentiality and security of your account and for all activities that occur on or through your account” and “Apple shall not be responsible for any losses arising out of the unauthorized use of your account.”

On the other hand is the basic legal principle that, to be liable under a contract, the party must have the capacity to enter into a contract—and for that you have to be of legal age. Clearly, a child has no capacity to enter into a contract. So, is the kid’s use of the persistent token (the password) an “unauthorized use” of the parent’s account for which the parent is liable? Not really.

The use is kinda sorta authorized.

