Court: Retailers Not Bound To Online Promises. Their Shoppers Are

Written by Mark Rasch
March 14th, 2013

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

A recent dismissal of a class-action lawsuit against the LinkedIn (NYSE:LNKD) social network raises the question of whether anyone is bound to keep the promises they make on their website at all. If taken at face value, the court’s dismissal means that companies are not bound to meet their own promised obligations but their customers are bound to comply with the Terms and Conditions of the website, whether they read them or not.

When LinkedIn premium customers Katie Szpyrka and Khalilah Wright learned that the website operator had been hacked, and that 6.5 million stolen LinkedIn passwords had been posted on the Internet (together with the user’s e-mail address), they went to sue LinkedIn for failing to provide adequate security and appropriate encryption for these passwords. Because users frequently use the same passwords for multiple accounts, stealing their LinkedIn passwords and E-mail addresses might expose a host of other accounts to compromise. Szpyrka and Wright (well, their lawyers, at least) sued for damages, asserting—among other things—that LinkedIn’s privacy policy was breached. The privacy policy, they argued, was a binding contract, and by failing to protect the passwords adequately, LinkedIn breached that contract.

LinkedIn told its customers: “Of course, maintaining your trust is our top concern, so we adhere to the following principles to protect your privacy: ‘All information that you provide will be protected with industry standard protocols and technology.'”

The “Security” section of the Privacy Policy stated: “In order to help secure your personal information, access to your data on LinkedIn is password-protected, and sensitive data (such as credit-card information) is protected by SSL encryption when it is exchanged between your Web browser and the LinkedIn website. To protect any data you store on our servers, LinkedIn also regularly audits its system for possible vulnerabilities and attacks, and we use a tier-one secured-access datacenter. However, since the Internet is not a 100 percent secure environment, we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. It is your responsibility to protect the security of your login information. Please note that E-mails, instant messaging, and similar means of communication with other Users of LinkedIn are not encrypted, and we strongly advise you not to communicate any confidential information through these means.”

The class-action plaintiffs argued that by failing to use what is called salted encryption (which randomizes the keys to encrypt data), LinkedIn did not—as it promised—use “state of the art” security. This failure, according to the plaintiffs, caused them harm and damage, and breached the contract.

Not so fast, said the federal district court judge.

On March 5, Judge Edward Davilia in San Jose dismissed the class-action lawsuit. Remember that “promise” of security? It’s not binding. Not because it was too vague or because “state of the art” doesn’t mean much. No, that would be understandable. The court held that the online promise wasn’t supported by “consideration.” That is, premium subscribers were not paying LinkedIn for security; they were paying for premium services such as InMail (the ability to send E-mail to other LinkedIn subscribers), among others. Because the subscriber wasn’t paying for security, there was no binding “contract” to provide security. Lack of consideration.

But the court went further. LinkedIn wasn’t bound to its promise because, as the court noted, “Plaintiffs do not even allege that they actually read the alleged misrepresentation—the Privacy Policy—which would be necessary to support a claim of misrepresentation.” How can you be deceived by a privacy policy you didn’t even read? The court found that, to be enforceable, the “contract”—that is, the privacy policy—would have to have been read by the plaintiff, who would have had to understand it, rely on it and provide the company with “consideration” in return for the promises in the policy. Oh, and the court finally dismissed the class action because, in the judge’s opinion, the plaintiffs suffered no real economic harm from the breach.

This is a strange (but not unprecedented) way of looking at online contracts. Think about it. The consumer is bound by the terms of contracts, privacy policies, terms of use, terms of service, end-user license agreements, copyright notices or other online (or offline) contracts, whether they have read them or not. That 4-page microtype rental car agreement where you allow the rental agency to track your movements and charge you a non-refundable $500 fine if you travel into Mexico? Enforceable, even if you never read it, because you had the opportunity to read it.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.