Computer underground Digest Wed Aug 28, 1996 Volume 8 : Issue 63 ISSN 1004-042X Editor: Jim Thomas (cudigest@sun.soci.niu.edu) News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu) Archivist: Brendan Kehoe Shadow Master: Stanton McCandlish Field Agent Extraordinaire: David Smith Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Ian Dickinson Cu Digest Homepage: http://www.soci.niu.edu/~cudigest CONTENTS, #8.63 (Wed, Aug 28, 1996) File 1--London Observer article on "Internet child abuse" File 2--Re: London Observer article on "Internet child abuse" File 3--An open letter to the Editor of The Observer File 4--7th Crct Enforces "Shrinkwrap" License in Procd v. Zeidenberg File 5--Cu Digest Header Info (unchanged since 7 Apr, 1996) CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION ApPEARS IN THE CONCLUDING FILE AT THE END OF EACH ISSUE. --------------------------------------------------------------------- Date: Sun, 25 Aug 1996 20:06:43 -0700 From: "Jeanne A. E. DeVoto" Subject: File 1--London Observer article on "Internet child abuse" There's an article in the London Observer today (8/25) concerning "pedophilia on the Internet" that appears to claim a number of bizarre things, such as that the director of the British ISP Demon Internet and the guy who runs the Finnish anon server are the primary people responsible for child porn via the Internet, and to use extreme language which seems at first glance to be clearly libelous. It's my understanding that the Observer is a well-reputed, serious newspaper - in other words, this is not some tabloid trash grabbing for headlines. The following information about the article is from Wendy Grossman (wendyg@well.com), a freelance writer based in London. [The Observer has a site, at http://www.guardian.co.uk/observer/, but it doesn't appear to contain their stories or archives.] -------------------------- Following the request of the Clubs & Vice Squad to the British Internet Service Providers' Association (ISPA) to block access to 133 newsgroups believed to contain illegal material (the full list is posted to uk.censorship and includes alt.sex.stories, alt.binaries.pictures.erotica.babies, and alt.homosexual), London's Observer newspaper used half its front page to flag a three-page inner spread on child pornography. (A chunk of this coverage was dedicated to the recent Belgian case, which has had a lot of coverage here.) For those who are not familiar with the Observer, it is one of Britain's oldest quality Sunday newspapers, and is supposed to have (roughly) a left-wing slant. It is currently owned by the Guardian, and shares staff and facilities with that newspaper. Main headline: "The pedlars of child abuse: We know who they are. Yet no one is stopping them." Underneath: two pictures. First, captioned, "The school governor who sells access to photos of child rape," a rather seedy looking picture of Clive Feather, associate director of Demon Internet, Britain's first and largest mass-market ISP. Second, captioned, "The Internet middleman who handles 90 percent of all child pornography," a picture of Julf Helsingius, administrator of the well-known anon.penet.fi anonymous remailer. Page 19, headline: "These men are not paedophiles: they are the Internet abusers." Story begins by saying that Feather and Helsingius are "key links in the international paedophile chain. One is a director of a company that provides access to thousands of illegal photographs of young children being sexually assaulted, the other provides a service which allows those who abuse children for the pornography trade to supply the Internet without fear of detection. They may not know each other, and both claim they cannot beat the paedophiles. But police forces in Britain and around the world are pressing both to do more." In fact, if you read the rest of the article, the only thing Feather seems to have actually done is to have refused, on behalf of Demon, to block the newsgroups and to tell the Observer's reporters (David Connett, London; Jon Henley, Helsinki) that he did not believe that blocking access would prevent children from being abused. Helsingius didn't get off quite as lightly. An FBI adviser (Toby Tyler) is quoted as saying that 75-90 percent of the child pornography he sees comes through that remailer. Page 19 also has a picture of each man. Feather's is OK -- standing outside, talking. Helsingius's picture shows him seated at a computer with what looks like a posed Barbie doll on the screen (presumably meant to be a bimbo stripping or some such). It's notable that the picture of the female whatever-it-is is much clearer than anything else on his computer screen, and speculation online in London is that the picture may have been touched up. I'm not a photographer and can't judge. The picture was, however, at least obviously posed and taken with Helsingius's cooperation. Other stories cover the upcoming Stockholm congress, child prostitution in Cambodia and Thailand, the prospects for a cure for pedophiles, the reactions in a small town in "middle England" when a sex offender moves into a neighborhood, pedophilia as a "billion-dollar business" (this piece quotes Interpol estimates that there are 30,000 pedophiles in Europe alone, linked via a variety of communications media, including the Internet), and a piece on the Belgian girls' funeral. Some points to consider: 1) The newsgroups on the police list included a number of groups that have nothing to do with child pornography, pedophilia, or, indeed, pornography of any type. Groups like alt.homosexual exist for discussions of matters pertinent to being gay. Any attempt to post pictures to those newsgroups would be greeted with extreme resentment. The Observer says there were more than 150 newsgroups on the list; there were 133 (although I've since seen the number 152 elsewhere, but don't know the source of that number). No attempt is made by the reporters to look at the material in the groups or understand the technical issues involved in monitoring the amount of data that flows every day, or place the amount of pornography on the Internet or its source in the context of the amount and pornography available offline. 2) I've never heard that Helsingius makes any money off the anonymous remailer, which is free. IIRC he runs a computer company in Helsinki as his real job. 3) As I understand it, the Finnish remailer blocks access to the binary newsgroups, for bandwidth reasons, and also restricts the maximum size of messages. The implication in the article is that the remailer has been used to anonymize live, interactive video; this seems impossible. The article also says that "The photographs made available to Demon's subscribers are supplied anonymously by remailing companies which repackage images to ensure it is impossible to trace the material's origins. Although it's almost certainly true that remailers have been used to anonymize pictures in transit, the syntax makes remailing sound like a commercial distribution operation ("repackage"), and the article also makes no mention of the fact that many other ISPs supply the same messages to *their* subscribers. The CDA and its defeat are also not mentioned. (After reading an article like this, I think any person wishing to send anything remotely pornographic across the Internet would decide to use an anonymous remailer rather than attach his own name.) The article makes no mention of the many *other* reasons for using an anonymous remailer. 4) Most of the messages in groups like alt.sex.stories, which do sometimes contain disturbing fantasies about sex with minors (usually teenaged girls) are *not* anonymous, based on a couple of quick glances at the newsgroup. I have never yet seen any pictures on Usenet that are as disturbing as the *text* in alt.sex.stories. (That was, for those who have forgotten, the newsgroup where Jake Baker's violent fantasy was posted.) 5) To characterize Clive Feather as "The school governor who sells access to photos of child rape" on the above basis seems equivalent to characterizing the head of BT as "The millionaire who sells access to live telephone sex." No context is given; the article makes it sound as though access to this material is the only reason people subscribe to Demon. (It is true, however, that Demon was the first UK company to offer uncensored access to Usenet, and that it has consistently claimed to offer a full newsfeed.) 6) The article says Helsingius ("the Internet middleman who handles 90 per cent of all child pornography") has been raided (this is true). "Finnish police have seized information from the remailer on half-a-dozen occasions, acting on request from police forces, but no child pornography has been found." At least one of those raids was presumably the February 1995 one at the instigation of the Church of Scientology. *That* raid had nothing to do with child pornography, but with material the CoS claimed had been stolen from its internal computer system. Helsingius noted publicly in February 1995 that around the time of the CoS request a story was published in a Swedish newspaper alleging that his service was being used for child pornography, adding that the story was investigated and the messages on which it was based shown to be forgeries (from the UK). 7) The article recommends rules for parents to give their children. One of the points includes the suggestion that parents should get their kids to teach them about the Net. Great idea. But the article then goes on to recommend installing blocking software, without apparently realizing that most blocking software requires some technical understanding to install, and that a reasonably computer-literate kid is quite likely to be able to defeat it without the parents' knowledge. The existence of blocking software or of new technological efforts such as PICS is not mentioned in the main article. (There's no mention of Declan's and Brock's researches into the type of material blocking software blocks, either.) In any event, blocking software is not presented as an *alternative* to government regulation. 8) There seems to be little understanding of any of the technology involved, and little attempt to acquire any. Ditto for the finances involved -- newsstand pornography magazines are big business here, as are certain types of sex clubs, but those money-making ventures are not discussed. The reporters don't seem to have actually looked at any of the newsgroups to form an assessment of their contents. (I note that the official description of alt.transgen reads "Robbing the cradle and the grave" and wonder if that is how it got on the police list.) Essentially, they seem to have bought the police view without questions. 9) There seem also to be some interesting background politics, which no attempt is made to set in context. Reference is made to the ISPA (the Internet Service Providers Association), which "represents more than 60 of the UK's 140 providers". The ISPA chairman "said responsible providers were being undermined by companies like Demon. 'We are being portrayed as a bunch of porn merchants. This is an image we need to change. Many of our members have already acted to take away the worst of the Internet. But Demon have taken every opportunity to stand alone in this regard. They do not like the concept of our organisation.'" However, according to someone on CIX (London's main online service where techies gather), this same gent is quoted in the October issue of the UK magazine PC Pro saying that "The last thing we want is to stop pornography on the Internet; we just want to make sure it can only be accessed by people who want to see it." [Please note that the material in this note is to the best of my knowledge and recolletion; but hasn't been fact-checked the way one would for professional publication.] wg ------------------------------ Date: Mon, 26 Aug 1996 12:23:44 +0100 From: azeem@dial.pipex.com (Azeem Azhar at home) Subject: File 2--Re: London Observer article on "Internet child abuse" Some comments about Wendy's excellent analysis: >On Sun, 25 Aug 1996, Jeanne A. E. DeVoto wrote: > >> The following information about the article is from Wendy Grossman >> (wendyg@well.com), a freelance writer based in London. >Status: U >Date--Mon, 26 Aug 1996 11:15:46 +0100 (BST) >From--Azeem Azhar >To--azeem@dial.pipex.com >Subject--London Observer article on "Internet child abuse" (fwd) >MIME-Version: 1.0 >Sender: Azeem Azhar > > > > >Azeem Azhar >The Economist >25 St James's Street >London >SW1A 1HG > >---------- Forwarded message ---------- >Date--Mon, 26 Aug 96 11:05 BST-1 >From--Wendy Grossman >To--aja@economist.com >Subject--London Observer article on "Internet child abuse" > >This is the version I sent out last night, miraculously returned to me. > >[The Observer has a site, at http://www.guardian.co.uk/observer/, but it >doesn't appear to contain their stories or archives.] This is correct, although there is a threaded feedback area which the editor is supposed to read. (When I last looked some weeks ago, no-one had fed back.] >-------------------------- >Following the request of the Clubs & Vice Squad to the British Internet >Service Providers' Association (ISPA) to block access to 133 newsgroups >believed to contain illegal material (the full list is posted to >uk.censorship and includes alt.sex.stories, >alt.binaries.pictures.erotica.babies, and alt.homosexual), Can I encourage people to look at babylon.ivision.co.uk (and spread the URL to anti-censorship lists) about problems with the police's action. I think it's important to stress here that the ISPA did something quite sensible talking to the police: they have kept themselves in the decision-making circle. This should mean that Internet providers and those who get it will be asked to advise when it comes to new legislation. This legislation is inevitable, the view amongst some of those in the ISPA is that taking a stand (the way Demon has) is likely to be misinterpreted: so much better to keep one hand on the reins of power that lose both. >Main headline: "The pedlars of child abuse: We know who they are. Yet no >one is stopping them." > >Underneath: two pictures. First, captioned, "The school governor who >sells access to photos of child rape," a rather seedy looking picture of >Clive Feather, associate director of Demon Internet, Britain's first and >largest mass-market ISP. Second, captioned, "The Internet middleman who >handles 90 percent of all child pornography," a picture of Julf Helsingius, >administrator of the well-known anon.penet.fi anonymous remailer. > >Page 19, headline: "These men are not paedophiles: they are the Internet >abusers." I'm afraid I really don't know what this means. >Story begins by saying that Feather and Helsingius are "key >links in the international paedophile chain. One is a director of a >company that provides access to thousands of illegal photographs of young >children being sexually assaulted, the other provides a service which >allows those who abuse children for the pornography trade to supply the >Internet without fear of detection. They may not know each other, and both >claim they cannot beat the paedophiles. But police forces in Britain and >around the world are pressing both to do more." > >In fact, if you read the rest of the article, the only thing Feather seems >to have actually done is to have refused, on behalf of Demon, to block the >newsgroups and to tell the Observer's reporters (David Connett, London; Jon >Henley, Helsinki) that he did not believe that blocking access would >prevent children from being abused. I would add that Clive Feather is a tiny cog in Demon. He used to run a proto-defunct service provider/Web house called CityScape, which Demon bought. The really big cheese is Cliff Stanford who set the company up. >Helsingius didn't get off quite as lightly. An FBI adviser (Toby Tyler) is >quoted as saying that 75-90 percent of the child pornography he sees comes >through that remailer. Page 19 also has a picture of each man. Feather's >is OK -- standing outside, talking. Helsingius's picture shows him seated >at a computer with what looks like a posed Barbie doll on the screen >(presumably meant to be a bimbo stripping or some such). It's notable that >the picture of the female whatever-it-is is much clearer than anything else >on his computer screen, and speculation online in London is that the >picture may have been touched up. I'm not a photographer and can't judge. >The picture was, however, at least obviously posed and taken with >Helsingius's cooperation. The picture is not of a barbie doll but a Playboy centrefold. I remember seeing it (the picture) when I worked at The Guardian and we were running a (reasonable) piece o Julf. As someone with some photographic and Photoshop experience--I was production guru of a section at The Guardian, which owns The Observer, fr several months--the most that has happened has been that an Unsharp Mask or Sharpen filter has been applied to the part of the picture which includes the screen (and the centrefold). The picture is an old one--Julf is even using Netscape 1.0 in it. >Some points to consider: > >1) The newsgroups on the police list included a number of groups that have >nothing to do with child pornography, pedophilia, or, indeed, pornography >of any type. Groups like alt.homosexual exist for discussions of matters >pertinent to being gay. Any attempt to post pictures to those newsgroups >would be greeted with extreme resentment. The Observer says there were >more than 150 newsgroups on the list; there were 133 (although I've since >seen the number 152 elsewhere, but don't know the source of that number). >No attempt is made by the reporters to look at the material in the groups >or understand the technical issues involved in monitoring the amount of >data that flows every day, or place the amount of pornography on the >Internet or its source in the context of the amount and pornography >available offline. The most accurate number is 133. You can find a list at www.uk.vbc.net, a UK backbone ISP which has taken a stauncher line than Demon (but failed to make The Observer). >2) I've never heard that Helsingius makes any money off the anonymous >remailer, which is free. IIRC he runs a computer company in Helsinki as >his real job. No remailer AFAIK is run for profit. >3) As I understand it, the Finnish remailer blocks access to the binary >newsgroups, for bandwidth reasons, and also restricts the maximum size of >messages. > The implication in the article is that the remailer has been used to >anonymize live, interactive video; this seems impossible. The article also >says that "The photographs made available to Demon's subscribers are >supplied anonymously by remailing companies which repackage images to >ensure it is impossible to trace the material's origins. Although it's >almost certainly true that remailers have been used to anonymize pictures >in transit, the syntax makes remailing sound like a commercial distribution >operation ("repackage"), and the article also makes no mention of the fact >that many other ISPs supply the same messages to *their* subscribers. The >CDA and its defeat are also not mentioned. (After reading an article like >this, I think any person wishing to send anything remotely pornographic >across the Internet would decide to use an anonymous remailer rather than >attach his own name.) The article makes no mention of the many *other* >reasons for using an anonymous remailer. Again, this is correct. The remailer has been designed, AFAP, to block postings of binaries. One of the most celebrated uses of penet.fi in the UK is the Samaritans (samaritans@penet.fi) who provide counselling to depressed and suicidal people. >4) Most of the messages in groups like alt.sex.stories, which do sometimes >contain disturbing fantasies about sex with minors (usually teenaged girls) >are *not* anonymous, based on a couple of quick glances at the newsgroup. I >have never yet seen any pictures on Usenet that are as disturbing as the >*text* in alt.sex.stories. (That was, for those who have forgotten, the >newsgroup where Jake Baker's violent fantasy was posted.) >5) To characterize Clive Feather as "The school governor who sells access >to photos of child rape" on the above basis seems equivalent to >characterizing the head of BT as "The millionaire who sells access to live >telephone sex." No context is given; the article makes it sound as though >access to this material is the only reason people subscribe to Demon. (It >is true, however, that Demon was the first UK company to offer uncensored >access to Usenet, and that it has consistently claimed to offer a full >newsfeed.) But Demon has been joined by many others, and they have always stood by their claim of uncensored news, even before net.porn/hysteria. >6) The article says Helsingius ("the Internet middleman who handles 90 per >cent of all child pornography") has been raided (this is true). "Finnish >police have seized information from the remailer on half-a-dozen occasions, >acting on request from police forces, but no child pornography has been >found." At least one of those raids was presumably the February 1995 one >at the instigation of the Church of Scientology. *That* raid had nothing >to do with child pornography, but with material the CoS claimed had been >stolen from its internal computer system. Helsingius noted publicly in >February 1995 that around the time of the CoS request a story was published >in a Swedish newspaper alleging that his service was being used for child >pornography, adding that the story was investigated and the messages on >which it was based shown to be forgeries (from the UK). > >7) The article recommends rules for parents to give their children. One of >the points includes the suggestion that parents should get their kids to >teach them about the Net. Great idea. But the article then goes on to >recommend installing blocking software, without apparently realizing that >most blocking software requires some technical understanding to install, >and that a reasonably computer-literate kid is quite likely to be able to >defeat it without the parents' knowledge. The existence of blocking >software or of new technological efforts such as PICS is not mentioned in >the main article. (There's no mention of Declan's and Brock's researches >into the type of material blocking software blocks, either.) In any event, >blocking software is not presented as an *alternative* to government >regulation. Nor the fact that on August 14th, Demon announced it would be supporting the use of MSFT Internet Explorer 3.0 and the PICS standard. >8) There seems to be little understanding of any of the technology >involved, and little attempt to acquire any. Ditto for the finances >involved -- newsstand pornography magazines are big business here, as are >certain types of sex clubs, but those money-making ventures are not >discussed. The reporters don't seem to have actually looked at any of the >newsgroups to form an assessment of their contents. (I note that the >official description of alt.transgen reads "Robbing the cradle and the >grave" and wonder if that is how it got on the police list.) Essentially, >they seem to have bought the police view without questions. > >9) There seem also to be some interesting background politics, which no >attempt is made to set in context. Reference is made to the ISPA (the >Internet Service Providers Association), which "represents more than 60 of >the UK's 140 providers". The ISPA chairman "said responsible providers >were being undermined by companies like Demon. 'We are being portrayed as >a bunch of porn merchants. This is an image we need to change. Many of >our members have already acted to take away the worst of the Internet. But >Demon have taken every opportunity to stand alone in this regard. They do >not like the concept of our organisation.'" However, according to someone >on CIX (London's main online service where techies gather), this same gent >is quoted in the October issue of the UK magazine PC Pro saying that "The >last thing we want is to stop pornography on the Internet; we just want to >make sure it can only be accessed by people who want to see it." The position of the ISPA and Demon isn't a million miles away. Both want to use technological methods of censorship and neither wants to take responsibility for the material they carry. Azeem Azeem Azhar +44 973 380328 ------------------------------ Date: Wed, 28 Aug 1996 06:06:31 -0700 (PDT) From: Declan McCullagh Subject: File 3--An open letter to the Editor of The Observer ---------- Forwarded message ---------- Date--Wed, 28 Aug 1996 07:12:28 GMT From--Matthew Richardson [I understand the text of the Observer article is available at http://www.hclb.demon.co.uk/obs.txt] -----BEGIN PGP SIGNED MESSAGE----- I. T. Consultancy Limited Our reference L2217 The Editor The Observer 119 Farringdon Road London EC1R 3ER 26 August 1996 AN OPEN LETTER FOR PUBLICATION Sir, I read with some interest the article by David Connett and Jon Henley in yesterday's edition regarding the Internet and child pornography. I was particularly interested as I am a computer consultant advising clients on Internet issues. In my professional opinion, the technical standard of the reporting was sufficiently poor as to be both inaccurate and misleading. The purpose of this letter is to clarify certain technical issues which might cause your readers to reach unfounded or incorrect conclusions. It is important to be aware of the various methods by which information generally (which can include pornography) is distributed around the Internet. Your article focuses on one particular route, namely Newsgroups. It is Newsgroups which are detailed in the Metropolitan Police's letter to Internet Providers and which are concentrated upon by your article. There are several other means of distributing information. I believe however that the Police letter lists fewer than the 150 groups referred to by the authors. Interestingly enough Newsgroups only offer the means of broadcasting information to anyone who wants to retrieve it. The authors do not appear to have a sufficient grasp of what a "remailer" does. For example they seem to draw a direct link between the use of such remailers and people being able to "log on and participate in 'live' and 'interactive' filmed sessions". A lay reader would perhaps draw the inference that the remailer is somehow involved in any such live participation. Unfortunately this could not be further from the truth. Remailers simply allow people to post messages, either as email to other people or to Newsgroups for general reading. Nothing more. Remailers are generally incapable of being "logged on" to. Your article also refers to "remailing companies", from which the lay reader might infer that remailers are operated for commercial profit. Such an inference would again be wholly incorrect. I know of no organisation operating a remailer for profit, indeed none of them even charge for their services. They are generally run by individuals on a voluntary basis who consider them as a service to the Internet community. Your article appears not to mention any of the purposes of such remailers other than in terms of the distribution of pornography. In my view it would be difficult to present a balanced article without doing so. Different remailers take different steps to prevent whatever their operators consider as "abuse". My understanding is that Mr. Helsingius' service restricts messages to 48k bytes (or characters) and prohibits postings to the "binaries" newsgroups designated for images. I also understand that it only allows 30 messages per user per day. At a technical level these restrictions would make it almost impossible to use his service for mass distribution of any binary data, not just pornography. It therefore appears surprising to me that your article should allege that Mr. Helsingius' remailer is responsible for handling "90 per cent of all child pornography" on the Internet. I wonder what substantiating evidence The Observer has to this effect other than the alleged claim by Toby Tyler. Indeed it appears from your article that the words "is supplied through this remailer" may not be a direct quote from Toby Tyler. Your article alleges that "the photographs made available to Demon's subscribers through the Internet are supplied anonymously by remailing companies". The lay reader might infer from this that all photographs therefore come via remailers. Again this would be far from the truth. Finally I hope this letter offers some assistance to your readers in clarifying a number of issues which were perhaps less than clear in your article. Given your newspaper's difficulties with technical issues, I would be grateful if you would kindly refer any editing of this letter to me prior to publication. Yours faithfully, Matthew Richardson ------------------------------ Date: Mon, 26 Aug 1996 17:40:10 -0500 (CDT) From: pkennedy Subject: File 4--7th Crct Enforces "Shrinkwrap" License in Procd v. Zeidenberg ********************************************** ** LEGAL BYTES ** ********************************************** Summer 1996, Volume 4, Number 2 ---------- George, Donaldson & Ford, L.L.P. Attorneys at Law 114 West 7th Street, Suite 1000 Austin, Texas 78701 (512) 495-1400 (512) 499-0094 (FAX) gdf@gdf.com http://www.gdf.com ---------- Copyright 1996, George, Donaldson & Ford, L.L.P. (These articles may be re-distributed electronically, without editing and with proper attribution) ---------- David H. Donaldson, Jr., Publisher, dhdonald@gdf.com Peter D. Kennedy, Editor, pkennedy@gdf.com ---------- 4. CASENOTE: SEVENTH CIRCUIT ENFORCES A "SHRINKWRAP" LICENSE IN PROCD V. ZEIDENBERG. The Contract question. Most software comes with a long license agreement. Technically, software publishers are not "selling" their products, but licensing its use. The licenses have become known as "shrinkwrap" contracts, because they are usually sealed within packaging and cannot be read until after the sale. Software publishers use shrinkwrap licenses for two basic reasons: (1) to reinforce and extend their control over their easily-duplicated creations by prohibiting unauthorized copying, distribution, and commercial use; and (2) to limit their legal liability to customers. Despite their forbidding legal language and ubiquitousness, whether shrinkwrap licenses can actually be enforced has been a debated question -- with most authorities doubting their binding force. See "Will the Shrink-Wrap License Dilemma Plague On-Line Sales?", Legal Bytes, Vol. 3, No. 1. Two problems are generally identified. First, and most importantly, shrinkwrap licenses try to impose terms that cannot be known by the customer until after a purchase is made. Typically, the law does not enforce terms of a contract to which both parties have not agreed. Second, shrinkwrap licenses are take-it-or-leave-it "contracts of adhesion," and courts often will not enforce inequitable terms of such contracts. ProCD, Inc. v. Zeidenberg is now the first legal opinion holding that any term of a shrinkwrap license can be enforced by the software publisher. See ProCD, Inc. v. Zeidenberg, 908 F.2d 640 (W.D. Wis. 1996), rev'd 86 F.3d 1447 (7th Cir. 1996). The trial judge, Barbara Crabb of Madison, Wisconsin, ruled that shrinkwrap terms could not be enforced. Her ruling was recently reversed by the Seventh Circuit Court of Appeals, sitting in Chicago, in an opinion that is sure to continue to generate debate and controversy. See ProCD, Inc. v. Zeidenberg, 86 F.3d 640 (5th Cir. 1996). ProCD publishes a set of CD-ROMs that contain a nationwide list of telephone and address listings called "Select Phone." The company spend millions of dollars compiling the listings from phone books around the country. A University of Wisconsin graduate student, Matthew Zeidenberg, copied the ProCD telephone listings (but not the ProCD software) and set up an Internet site on which visitors could search the database. ProCD, concerned that it was losing sales to Zeidenberg's site, sued to shut it down. ProCD advanced several legal theories, but the one that eventually won the day was its claim under its shrinkwrap license, which prohibited commercial use of the database by purchasers. Judge Crabb ruled that this license term could not be enforced for the commonly-cited ground: Zeidenberg could not have seen it before buying the CD-ROMs, and therefore he could not have agreed to the term. Judge Crabb's opinion reviewed the governing sections of the Uniform Commercial Code, and concluded that the "offer" took place when ProCD's software was put on the store's shelf, and the "acceptance" took place when Zeidenberg paid for it. Additional license terms that popped up out of the box after the money was paid was an unenforceable attempt to change the terms of the deal. In a ruling that has surprised many observers, the Court of Appeals disagreed. Judge Easterbrook's opinion for the Court recited a list of common consumer transactions where all the terms of the agreement are not known at the time of purchase -- insurance policies, which are delivered after payment; airline and concert tickets, which have printed terms often seen only after they are bought; and consumer electronics, which contain warranty disclaimers inside the packaging. The Court also considered the difficulty of conducting phone or on-line sales if the terms of a license had to be read beforehand, or the terms subject to invalidation later. Judge Easterbook's opinions, while always fluently written, sometimes obscure the basis for his conclusions. Concisely put, it appears that he concluded that ProCD set the terms of what an "acceptance" of its offer of sale would be: "ProCD proposed a contract that a buyer would accept by using the software after having an opportunity to read the license at leisure. ... [T]he software splashed the license on the screen and would not let him proceed without indicating acceptance." Until Zeidenberg used the software (or at least had time to read the license agreement), the contract was not fully formed. Judge Easterbrook pointed out that Section 2-606 of the Uniform Commercial Code (although it did not apply) "reinforced" the understanding that goods can be sold subject to inspection and a right to reject. True, the UCC does provide for a buyer's right to inspect and reject goods, but this right is intended to protect the buyer from non-conforming goods. Judge Easterbrook's opinion protects the seller -- by permitting the seller to structure a transaction so that the "acceptance" takes place only after the money has been paid and the software taken home for an inspection. The "inspection" Judge Easterbrook is referring to is an inspection of the terms of the contract itself, rather than the nature and quality of the product. To the Court, however, the terms of software license are not meaningfully distinguishable from the product itself. Two factors are clearly essential to the Court's conclusion: the software box warned the prospective customer that the sale was subject to an enclosed license, and the license provided the right to return the software for a refund if the terms were not accepted. Absent these provision, the Court could not characterize the license as the "offer" and the after-purchase use as the "acceptance." The Court did not hold that all shrinkwrap terms could be enforced, even unreasonable ones, but seemed to indicate that the buyer's right to reject the software would address concerns about onerous, undisclosed terms. Pre-emption of State Law by the Copyright Act. ProCD did not have a viable complaint against Zeidenberg under the Copyright Act -- the listing of names and addresses was not sufficiently original to be a protected creation under the Act, and Zeidenberg's limited use of the software that came with the CD-ROMs was not infringing. Both the trial court and appeals court opinions dealt with a thornier question -- the pre-emption of state law claims by the federal Copyright Act. The Copyright Act provides exclusive protections, and so state laws that provide equivalent protections to material falling under the Copyright Act are unenforceable. Judge Crabb ruled that ProCD's state law claims of breach of the license agreement and unfair competition and misappropriation were preempted by the Copyright Act, even though the telephone listings were not sufficiently original to warrant protection by the Act. In doing so, she followed language in a previous Seventh Circuit decision indicating that some matters can fall "within" the Copyright Act's scope, even though they do not qualify for the Act's protection. On appeal, the Seventh Circuit agreed with Judge Crabb on this point, but disagreed with her ultimate conclusion that the contract claim was preempted. (Note that a federal trial judge in New York recently reached a different conclusion, holding that if material is not protected by copyright, the Copyright Act does not preempt state law protections. See "It's All In The Game: Who Owns "Real- Time" Sports Information?," Legal Bytes, Vol. 4, No. 2, above.) Judge Crabb ruled that the contract claim was not sufficiently different from a Copyright Act claim, despite the need to prove a "breach" of the contract. The Seventh Circuit disagreed with this conclusion, because contract claims are based on an agreement between parties, and license terms can only be enforced against parties to the contract. The Copyright Act -- which creates rights against the whole world -- only preempts state laws that create similar "exclusive" rights, and therefore does not pre-empt the terms of agreements between individual parties. In light of the Court's decision to enforce shrinkwrap license terms, however, this distinction exists more in principle than in reality. Do state laws that enforce software licenses which must be agreed to before the software will even _function_ create exclusive rights in the publisher? It is unlikely that the ProCD v. Zeidenberg ruling will be the last word, although it undoubtedly will be influential. The American Law Institute and the National Conference on Uniform Laws have proposed a new section of the UCC that would explicitly validate standard form software licenses, which would render both Judge Crabb and Judge Easterbrook's contract rulings moot. However, the opinion provides ample warning to both publishers and users of software: publishers must continue to draft user licenses with great care, and software users disregard those terms at their own risk. ------------------------------ Date: Thu, 21 Mar 1996 22:51:01 CST From: CuD Moderators Subject: File 5--Cu Digest Header Info (unchanged since 7 Apr, 1996) Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically. CuD is available as a Usenet newsgroup: comp.society.cu-digest Or, to subscribe, send post with this in the "Subject:: line: SUBSCRIBE CU-DIGEST Send the message to: cu-digest-request@weber.ucsd.edu DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS. The editors may be contacted by voice (815-753-0303), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115, USA. To UNSUB, send a one-line message: UNSUB CU-DIGEST Send it to CU-DIGEST-REQUEST@WEBER.UCSD.EDU (NOTE: The address you unsub must correspond to your From: line) Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on RIPCO BBS (312) 528-5020 (and via Ripco on internet); and on Rune Stone BBS (IIRGWHQ) (860)-585-9638. CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome. EUROPE: In BELGIUM: Virtual Access BBS: +32-69-844-019 (ringdown) Brussels: STRATOMIC BBS +32-2-5383119 2:291/759@fidonet.org In ITALY: ZERO! BBS: +39-11-6507540 In LUXEMBOURG: ComNet BBS: +352-466893 UNITED STATES: etext.archive.umich.edu (192.131.22.8) in /pub/CuD/CuD ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/ aql.gatech.edu (128.61.10.53) in /pub/eff/cud/ world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/ wuarchive.wustl.edu in /doc/EFF/Publications/CuD/ EUROPE: nic.funet.fi in pub/doc/CuD/CuD/ (Finland) ftp.warwick.ac.uk in pub/cud/ (United Kingdom) The most recent issues of CuD can be obtained from the Cu Digest WWW site at: URL: http://www.soci.niu.edu/~cudigest/ COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ------------------------------ End of Computer Underground Digest #8.63 ************************************