>> law, technology, and the space between

All content by Kyle E. Mitchell, who is not your lawyer.

You can subscribe via RSS/Atom or e-mail and browse other blogs.

Let’s Not All Read Terms of Servicecommon quips on website terms miss the point

I recently picked up Shoshana Zuboff’s The Age of Surveillance Capitalism again. Fifty pages in, I was struck by the passage below about terms of service and privacy policies for websites. The passage goes on for a couple pages. It left a bad taste in my mouth. Bad enough that I sat down to type some things out.

Among the many violations of [Internet] advocacy expectations, ubiquitous “terms-of-service agreements” were among the most pernicious.[Note] Legal experts call these “contracts of adhesion” because they impose take-it-or-leave-it conditions on users that stick to them whether they like it or not. … most people get wrapped in these oppressive contract terms by simply clicking on the box that says “I agree” without ever reading the agreement.[Note] … Scholars point out that these digital documents are excessively long and complex in part to discourage users from actually reading the terms … Adding insult to injury, terms of service can be altered unilaterally by the firm at any time, without specific user knowledge or consent, and the terms typically implicate other companies … without stating or accepting responsibility for their terms of service. These “contracts” impose an unwinnable infinite regress upon the user that law professor Nancy Kim describes as “sadistic.”

.. Even the former Federal Trade Commission Chairperson Jon Leibowitz publicly stated, “We all agree that consumers don’t read privacy policies.”[Note] In 2008 two Carnegie Mellon professors calculated that a reasonable reading of all the privacy policies that one encounters in a year would require 76 full workdays at a national opportunity cost of $781 billion.[Note] The numbers are much higher today. …

The idea that companies can bind you to legal terms willy-nilly, without telling you or giving you any choice in the matter, is an exaggeration. That’s not the law in the United States of America.

If there’s a troubling legal trend around terms of service, it’s the possibility of committing a crime by breaking website terms, under laws like the Computer Fraud and Abuse Act and even the Copyright Act. Narrowing down to just contract law, the law of enforceable agreements, the worry of some is how terms of service appear to be lowering the standard for what two sides have to do to make an agreement between them legally enforceable.

But the fundamental legal requirement that both sides have to take some action to show agreement before a court goes enforcing their terms hasn’t gone away. That’s why we all keep getting annoying e-mails about changes to terms of service and privacy policies. If the law let companies impose and change terms without telling us, and still get them to stick, that’s exactly what they’d do.

Neither is clicking an “I agree” box as low as the legal bar can go. Folks who don’t study law are often surprised to find out that American courts can and do enforce agreements that were never written down at all. So long as conversation or other communication between two sides makes sufficiently clear that they mean to agree, and what their agreement was about, that’s a contract. There are some exceptions, like sales of real estate and agreements to do crimes. But they are only exceptions, not the rule.

The trick with unwritten contracts isn’t the law so much as proving things that weren’t written down actually happened, later on, in court. The trick with terms of service, as I discussed earlier this month, is keeping records good enough to show that someone suing you did in fact do something to show that they agreed to your terms.

Zuboff mentions “take it or leave it”, and that is exactly right. To be legally enforceable, folks have to be able to leave it, too. But they aren’t entitled to take the service and leave the terms. Webmasters aren’t required to provide websites, and when they do, they’re free to require agreement to terms, in exchange.

There are good and bad reasons to require terms. From a lawyer’s point of view, “take it or leave it” contracts are a lot less interesting than actively negotiated ones. But webmasters usually don’t want to pay the cost of negotiating with their visitors, with or without lawyers on one or both sides. That’s turning every new account signup into an enterprise software-as-a-service sale. Recall that the economic magic of the Internet lies precisely in the fact that as many people from just about anywhere can get access to a simple website for close to zero marginal cost. Earnest negotiation costs a lot more than nothing.

In some other legal universe, perhaps the widespread adoption of the Internet has prompted Congress to pass a federal law with a standard or default set of terms of service for websites. Instead of letting webmasters guess what terms users will take rather than leave, the government has taken it on itself to guess.

The law probably includes a bunch of the terms we see in almost every set of terms of service today, such as requiring users to take responsibility for what they share, post, and do on the site, picking one place where any lawsuits under the terms will take place, so the webmaster doesn’t have to fly out to wherever somebody wants to sue them, and so on. The law probably doesn’t include some of the terms we sometimes see, like permission to use people’s photos in advertising or requirements to take disputes to arbitration, a kind of private court, rather than the public court system. As it stands, American courts frequently concoct ways to avoid enforcing terms that seem to overreach. There’s a reason so many of the important decisions about “click-wrap” contracts deny webmasters’ requests to force arbitration.

Back in our reality, there is no nationally or internationally mandated standard set of terms for websites. If you run a website and don’t set terms for your site, you get the “defaults” under the law, whatever those defaults happen to be and whatever law happens to apply. So when lawyers like me sit down to draft terms of service for clients, we end up having to address a lot of different rules and areas of law. Instead of spelling out only where our client wants terms that differ from the norm, we spell out the norm plus all the deviations. That makes for long documents, even when we try to keep them short.

Zuboff cites a few academics for the obvious consequence: terms of service are hard to read. When they link to other terms, such as terms for services the webmaster uses to run their site, those terms are also hard to read. So very few people, even very few lawyers, read them.

I’m all for shorter terms of service that people who aren’t lawyers can dig into. I’ve done a bit of work there, publicly and privately. But that’s getting lost in my niche. Name another kind of common consumer contract that consumers usually read. Did you read your mortgage front to back? Your lease? The terms you signed on your first day of work? Your prenup? Your divorce settlement? Your credit card agreement?

Even if Internet terms of service were all short, readable, available in every language, and lovingly illustrated by renowned children’s book artists, I wouldn’t want to see everyone reading them all the time. First and foremost, I’d want the same as I want now: more people aware of what they’re getting into and better evidence of balance reflecting the leverage that companies and user groups have. What we really want is good, efficient deals and awareness on both sides, especially the consumer side, of what is happening. Terms of service and privacy policies are just a means to that end.

We could break this project down in two parts.

Part of it is educational. Readable terms help there. More people can figure out for themselves what they and others are getting into. Whether terms are easy to read or hard, lawyers, advocacy groups, and maybe even commercial firms could provide more good, approachable information about terms, privacy policies, and what they mean. Some groups already do this. Terms of Service; Didn’t Read is a favorite link. But part of what makes that project such an undertaking is the sheer number of different websites, and therefore terms of service.

Another part is standardization. As it stands, we have more commonality in the websites people use than the terms those websites require. Lots of people use Google, Facebook, Twitter, Wikipedia, Reddit, and so on. The terms for each of those sites are basically one-off. They say a lot of the same things, over and over again. But they say them differently enough that there’s no easy comparison, no shortcuts to understanding or even a basic sanity check.

There’s nothing inherently wrong with people who can’t or don’t want to read legal terms looking around, seeing other people getting away with it, and running with the herd. This is basically how home finance, the biggest investment of many folks’ lives, works in the United States. The trouble is when it’s 1950 and the “standard terms” you’re handed aren’t the thirty-year, fixed-rate mortgage loan your vague expectations are based on, but the terms of a contract sale designed to kick you out of your home and run off with every payment you’ve made the first time a check runs two days late. You’re black in America. The sellers figures you don’t know better, or anyone who does. If the terms are approachable enough to spot the difference, you might save yourself. If you’ve got a family member, friend, lawyer, or advocacy group looking out for you, they might save you, too. At least if there’s competition: somewhere else to buy and someone else to sell it to you.

Competition online means more websites. Right now, that also means more terms to look at, and all the problems that come of that. That’s where standardization kicks in.

Create a new brand, like “Turnstile” or “Doormat” or “DMCASimple”, that’s independent of any particular website or company. Allow websites to use the terms verbatim, and if they do, to use the brand. Instead of banking on “everybody else agrees to Google’s terms without getting in trouble or made fun of, so I can, too”, establish “everybody else uses websites that use Turnstile terms, so I can, too”. Having set the new standard, even small, up-and-coming websites can tie in and benefit from it, as long as they’re willing to offer those terms.

Other approaches to standardization work, too. GDPR, the big European privacy law, has built-in support for informative badges, seals, certifications, and other ways to communicate common privacy practices. For example, the EU might establish a special, recognizable seal for websites that don’t share any information with third parties. Only sites that follow that practice could use the seal, and the EU could bring charges against any company that tries to pass itself off. As a result, the public could build recognition of the seal and trust in what it means, without ever reading the legal terms that back it up for any given website.

This kind of approach has already worked in other areas. Sometimes governments administer the program, like Energy Star. Sometimes private or charitable groups do, like Underwriters Laboratories, LEED, and NSF, using trademarks or other legal tools. As a rule, we don’t read the standards, testing reports, and other details behind those well known brands. We don’t look for the star mark on refrigerators, the UL mark on toasters, or the NSF mark on kitchen knives as we shop. But many of us do rely on retailer standards, product reviews, and folks we happen to know with interest in the relevant fields. Word gets around. We get better deals.

We want better deals on the Internet.

Your thoughts and feedback are always welcome by e-mail.

back to topedit on GitHubrevision history