Computer underground Digest Wed Aug 28, 1996 Volume 8 : Issue 63

Computer underground Digest Wed Aug 28, 1996 Volume 8 : Issue 63
ISSN 1004-042X

Editor: Jim Thomas ([email protected])
News Editor: Gordon Meyer ([email protected])
Archivist: Brendan Kehoe
Shadow Master: Stanton McCandlish
Field Agent Extraordinaire: David Smith
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #8.63 (Wed, Aug 28, 1996)

File 1--London Observer article on "Internet child abuse"
File 2--Re: London Observer article on "Internet child abuse"
File 3--An open letter to the Editor of The Observer
File 4--7th Crct Enforces "Shrinkwrap" License in Procd v. Zeidenberg
File 5--Cu Digest Header Info (unchanged since 7 Apr, 1996)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION ApPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: Sun, 25 Aug 1996 20:06:43 -0700
From: "Jeanne A. E. DeVoto" <[email protected]>
Subject: File 1--London Observer article on "Internet child abuse"

There's an article in the London Observer today (8/25) concerning
"pedophilia on the Internet" that appears to claim a number of bizarre
things, such as that the director of the British ISP Demon Internet and the
guy who runs the Finnish anon server are the primary people responsible for
child porn via the Internet, and to use extreme language which seems at
first glance to be clearly libelous. It's my understanding that the
Observer is a well-reputed, serious newspaper - in other words, this is not
some tabloid trash grabbing for headlines.

The following information about the article is from Wendy Grossman
([email protected]), a freelance writer based in London.

[The Observer has a site, at http://www.guardian.co.uk/observer/, but it
doesn't appear to contain their stories or archives.]

--------------------------
Following the request of the Clubs & Vice Squad to the British Internet
Service Providers' Association (ISPA) to block access to 133 newsgroups
believed to contain illegal material (the full list is posted to
uk.censorship and includes alt.sex.stories,
alt.binaries.pictures.erotica.babies, and alt.homosexual), London's
Observer newspaper used half its front page to flag a three-page inner
spread on child pornography. (A chunk of this coverage was dedicated to
the recent Belgian case, which has had a lot of coverage here.) For those
who are not familiar with the Observer, it is one of Britain's oldest
quality Sunday newspapers, and is supposed to have (roughly) a left-wing
slant. It is currently owned by the Guardian, and shares staff and
facilities with that newspaper.

Main headline: "The pedlars of child abuse: We know who they are. Yet no
one is stopping them."

Underneath: two pictures. First, captioned, "The school governor who
sells access to photos of child rape," a rather seedy looking picture of
Clive Feather, associate director of Demon Internet, Britain's first and
largest mass-market ISP. Second, captioned, "The Internet middleman who
handles 90 percent of all child pornography," a picture of Julf Helsingius,
administrator of the well-known anon.penet.fi anonymous remailer.

Page 19, headline: "These men are not paedophiles: they are the Internet
abusers." Story begins by saying that Feather and Helsingius are "key
links in the international paedophile chain. One is a director of a
company that provides access to thousands of illegal photographs of young
children being sexually assaulted, the other provides a service which
allows those who abuse children for the pornography trade to supply the
Internet without fear of detection. They may not know each other, and both
claim they cannot beat the paedophiles. But police forces in Britain and
around the world are pressing both to do more."

In fact, if you read the rest of the article, the only thing Feather seems
to have actually done is to have refused, on behalf of Demon, to block the
newsgroups and to tell the Observer's reporters (David Connett, London; Jon
Henley, Helsinki) that he did not believe that blocking access would
prevent children from being abused.

Helsingius didn't get off quite as lightly. An FBI adviser (Toby Tyler) is
quoted as saying that 75-90 percent of the child pornography he sees comes
through that remailer. Page 19 also has a picture of each man. Feather's
is OK -- standing outside, talking. Helsingius's picture shows him seated
at a computer with what looks like a posed Barbie doll on the screen
(presumably meant to be a bimbo stripping or some such). It's notable that
the picture of the female whatever-it-is is much clearer than anything else
on his computer screen, and speculation online in London is that the
picture may have been touched up. I'm not a photographer and can't judge.
The picture was, however, at least obviously posed and taken with
Helsingius's cooperation.

Other stories cover the upcoming Stockholm congress, child prostitution in
Cambodia and Thailand, the prospects for a cure for pedophiles, the
reactions in a small town in "middle England" when a sex offender moves
into a neighborhood, pedophilia as a "billion-dollar business" (this piece
quotes Interpol estimates that there are 30,000 pedophiles in Europe alone,
linked via a variety of communications media, including the Internet), and
a piece on the Belgian girls' funeral.

Some points to consider:

1) The newsgroups on the police list included a number of groups that have
nothing to do with child pornography, pedophilia, or, indeed, pornography
of any type. Groups like alt.homosexual exist for discussions of matters
pertinent to being gay. Any attempt to post pictures to those newsgroups
would be greeted with extreme resentment. The Observer says there were
more than 150 newsgroups on the list; there were 133 (although I've since
seen the number 152 elsewhere, but don't know the source of that number).
No attempt is made by the reporters to look at the material in the groups
or understand the technical issues involved in monitoring the amount of
data that flows every day, or place the amount of pornography on the
Internet or its source in the context of the amount and pornography
available offline.

2) I've never heard that Helsingius makes any money off the anonymous
remailer, which is free. IIRC he runs a computer company in Helsinki as
his real job.

3) As I understand it, the Finnish remailer blocks access to the binary
newsgroups, for bandwidth reasons, and also restricts the maximum size of
messages.
The implication in the article is that the remailer has been used to
anonymize live, interactive video; this seems impossible. The article also
says that "The photographs made available to Demon's subscribers are
supplied anonymously by remailing companies which repackage images to
ensure it is impossible to trace the material's origins. Although it's
almost certainly true that remailers have been used to anonymize pictures
in transit, the syntax makes remailing sound like a commercial distribution
operation ("repackage"), and the article also makes no mention of the fact
that many other ISPs supply the same messages to *their* subscribers. The
CDA and its defeat are also not mentioned. (After reading an article like
this, I think any person wishing to send anything remotely pornographic
across the Internet would decide to use an anonymous remailer rather than
attach his own name.) The article makes no mention of the many *other*
reasons for using an anonymous remailer.

4) Most of the messages in groups like alt.sex.stories, which do sometimes
contain disturbing fantasies about sex with minors (usually teenaged girls)
are *not* anonymous, based on a couple of quick glances at the newsgroup. I
have never yet seen any pictures on Usenet that are as disturbing as the
*text* in alt.sex.stories. (That was, for those who have forgotten, the
newsgroup where Jake Baker's violent fantasy was posted.)

5) To characterize Clive Feather as "The school governor who sells access
to photos of child rape" on the above basis seems equivalent to
characterizing the head of BT as "The millionaire who sells access to live
telephone sex." No context is given; the article makes it sound as though
access to this material is the only reason people subscribe to Demon. (It
is true, however, that Demon was the first UK company to offer uncensored
access to Usenet, and that it has consistently claimed to offer a full
newsfeed.)

6) The article says Helsingius ("the Internet middleman who handles 90 per
cent of all child pornography") has been raided (this is true). "Finnish
police have seized information from the remailer on half-a-dozen occasions,
acting on request from police forces, but no child pornography has been
found." At least one of those raids was presumably the February 1995 one
at the instigation of the Church of Scientology. *That* raid had nothing
to do with child pornography, but with material the CoS claimed had been
stolen from its internal computer system. Helsingius noted publicly in
February 1995 that around the time of the CoS request a story was published
in a Swedish newspaper alleging that his service was being used for child
pornography, adding that the story was investigated and the messages on
which it was based shown to be forgeries (from the UK).

7) The article recommends rules for parents to give their children. One of
the points includes the suggestion that parents should get their kids to
teach them about the Net. Great idea. But the article then goes on to
recommend installing blocking software, without apparently realizing that
most blocking software requires some technical understanding to install,
and that a reasonably computer-literate kid is quite likely to be able to
defeat it without the parents' knowledge. The existence of blocking
software or of new technological efforts such as PICS is not mentioned in
the main article. (There's no mention of Declan's and Brock's researches
into the type of material blocking software blocks, either.) In any event,
blocking software is not presented as an *alternative* to government
regulation.

8) There seems to be little understanding of any of the technology
involved, and little attempt to acquire any. Ditto for the finances
involved -- newsstand pornography magazines are big business here, as are
certain types of sex clubs, but those money-making ventures are not
discussed. The reporters don't seem to have actually looked at any of the
newsgroups to form an assessment of their contents. (I note that the
official description of alt.transgen reads "Robbing the cradle and the
grave" and wonder if that is how it got on the police list.) Essentially,
they seem to have bought the police view without questions.

9) There seem also to be some interesting background politics, which no
attempt is made to set in context. Reference is made to the ISPA (the
Internet Service Providers Association), which "represents more than 60 of
the UK's 140 providers". The ISPA chairman "said responsible providers
were being undermined by companies like Demon. 'We are being portrayed as
a bunch of porn merchants. This is an image we need to change. Many of
our members have already acted to take away the worst of the Internet. But
Demon have taken every opportunity to stand alone in this regard. They do
not like the concept of our organisation.'" However, according to someone
on CIX (London's main online service where techies gather), this same gent
is quoted in the October issue of the UK magazine PC Pro saying that "The
last thing we want is to stop pornography on the Internet; we just want to
make sure it can only be accessed by people who want to see it."

[Please note that the material in this note is to the best of my knowledge
and recolletion; but hasn't been fact-checked the way one would for
professional publication.]

wg

------------------------------

Date: Mon, 26 Aug 1996 12:23:44 +0100
From: [email protected] (Azeem Azhar at home)
Subject: File 2--Re: London Observer article on "Internet child abuse"

(MODERATORS' NOTE: The following was forwarded to CuD by Wendy Grossman,
author of the previous post))

Some comments about Wendy's excellent analysis:

>On Sun, 25 Aug 1996, Jeanne A. E. DeVoto wrote:
>
>> The following information about the article is from Wendy Grossman
>> ([email protected]), a freelance writer based in London.

>Status: U
>Date--Mon, 26 Aug 1996 11:15:46 +0100 (BST)
>From--Azeem Azhar <[email protected]>
>[email protected]
>Subject--London Observer article on "Internet child abuse" (fwd)
>MIME-Version: 1.0
>Sender: Azeem Azhar <[email protected]>
>
>
>Azeem Azhar
>The Economist
>25 St James's Street
>London
>SW1A 1HG
>
>---------- Forwarded message ----------
>Date--Mon, 26 Aug 96 11:05 BST-1
>From--Wendy Grossman <[email protected]>
>[email protected]
>Subject--London Observer article on "Internet child abuse"
>
>This is the version I sent out last night, miraculously returned to me.

>
>[The Observer has a site, at http://www.guardian.co.uk/observer/, but it
>doesn't appear to contain their stories or archives.]

This is correct, although there is a threaded feedback area which the
editor is supposed to read. (When I last looked some weeks ago, no-one had
fed back.]

>--------------------------
>Following the request of the Clubs & Vice Squad to the British Internet
>Service Providers' Association (ISPA) to block access to 133 newsgroups
>believed to contain illegal material (the full list is posted to
>uk.censorship and includes alt.sex.stories,
>alt.binaries.pictures.erotica.babies, and alt.homosexual),

Can I encourage people to look at babylon.ivision.co.uk (and spread the URL
to anti-censorship lists) about problems with the police's action. I think
it's important to stress here that the ISPA did something quite sensible
talking to the police: they have kept themselves in the decision-making
circle. This should mean that Internet providers and those who get it will
be asked to advise when it comes to new legislation. This legislation is
inevitable, the view amongst some of those in the ISPA is that taking a
stand (the way Demon has) is likely to be misinterpreted: so much better to
keep one hand on the reins of power that lose both.

>Main headline: "The pedlars of child abuse: We know who they are. Yet
no
>one is stopping them."
>
>Underneath: two pictures. First, captioned, "The school governor who
>sells access to photos of child rape," a rather seedy looking picture of
>Clive Feather, associate director of Demon Internet, Britain's first and
>largest mass-market ISP. Second, captioned, "The Internet middleman who
>handles 90 percent of all child pornography," a picture of Julf
Helsingius,
>administrator of the well-known anon.penet.fi anonymous remailer.
>
>Page 19, headline: "These men are not paedophiles: they are the Internet
>abusers."

I'm afraid I really don't know what this means.

>Story begins by saying that Feather and Helsingius are "key
>links in the international paedophile chain. One is a director of a
>company that provides access to thousands of illegal photographs of young
>children being sexually assaulted, the other provides a service which
>allows those who abuse children for the pornography trade to supply the
>Internet without fear of detection. They may not know each other, and
both
>claim they cannot beat the paedophiles. But police forces in Britain and
>around the world are pressing both to do more."
>
>In fact, if you read the rest of the article, the only thing Feather seems
>to have actually done is to have refused, on behalf of Demon, to block the
>newsgroups and to tell the Observer's reporters (David Connett, London;
Jon
>Henley, Helsinki) that he did not believe that blocking access would
>prevent children from being abused.

I would add that Clive Feather is a tiny cog in Demon. He used to run a
proto-defunct service provider/Web house called CityScape, which Demon
bought. The really big cheese is Cliff Stanford who set the company up.

>Helsingius didn't get off quite as lightly. An FBI adviser (Toby Tyler)
is
>quoted as saying that 75-90 percent of the child pornography he sees comes
>through that remailer. Page 19 also has a picture of each man. Feather's
>is OK -- standing outside, talking. Helsingius's picture shows him seated
>at a computer with what looks like a posed Barbie doll on the screen
>(presumably meant to be a bimbo stripping or some such). It's notable
that
>the picture of the female whatever-it-is is much clearer than anything
else
>on his computer screen, and speculation online in London is that the
>picture may have been touched up. I'm not a photographer and can't judge.
>The picture was, however, at least obviously posed and taken with
>Helsingius's cooperation.

The picture is not of a barbie doll but a Playboy centrefold. I remember
seeing it (the picture) when I worked at The Guardian and we were running a
(reasonable) piece o Julf. As someone with some photographic and Photoshop
experience--I was production guru of a section at The Guardian, which owns
The Observer, fr several months--the most that has happened has been that
an Unsharp Mask or Sharpen filter has been applied to the part of the
picture which includes the screen (and the centrefold).
The picture is an old one--Julf is even using Netscape 1.0 in it.

>Some points to consider:
>
>1) The newsgroups on the police list included a number of groups that have
>nothing to do with child pornography, pedophilia, or, indeed, pornography
>of any type. Groups like alt.homosexual exist for discussions of matters
>pertinent to being gay. Any attempt to post pictures to those newsgroups
>would be greeted with extreme resentment. The Observer says there were
>more than 150 newsgroups on the list; there were 133 (although I've since
>seen the number 152 elsewhere, but don't know the source of that number).
>No attempt is made by the reporters to look at the material in the groups
>or understand the technical issues involved in monitoring the amount of
>data that flows every day, or place the amount of pornography on the
>Internet or its source in the context of the amount and pornography
>available offline.

The most accurate number is 133. You can find a list at www.uk.vbc.net, a
UK backbone ISP which has taken a stauncher line than Demon (but failed to
make The Observer).

>2) I've never heard that Helsingius makes any money off the anonymous
>remailer, which is free. IIRC he runs a computer company in Helsinki as
>his real job.

No remailer AFAIK is run for profit.

>3) As I understand it, the Finnish remailer blocks access to the binary
>newsgroups, for bandwidth reasons, and also restricts the maximum size of
>messages.
> The implication in the article is that the remailer has been used to
>anonymize live, interactive video; this seems impossible. The article
also
>says that "The photographs made available to Demon's subscribers are
>supplied anonymously by remailing companies which repackage images to
>ensure it is impossible to trace the material's origins. Although it's
>almost certainly true that remailers have been used to anonymize pictures
>in transit, the syntax makes remailing sound like a commercial
distribution
>operation ("repackage"), and the article also makes no mention of the fact
>that many other ISPs supply the same messages to *their* subscribers. The
>CDA and its defeat are also not mentioned. (After reading an article like
>this, I think any person wishing to send anything remotely pornographic
>across the Internet would decide to use an anonymous remailer rather than
>attach his own name.) The article makes no mention of the many *other*
>reasons for using an anonymous remailer.

Again, this is correct. The remailer has been designed, AFAP, to block
postings of binaries.
One of the most celebrated uses of penet.fi in the UK is the Samaritans
([email protected]) who provide counselling to depressed and suicidal
people.

>4) Most of the messages in groups like alt.sex.stories, which do sometimes
>contain disturbing fantasies about sex with minors (usually teenaged
girls)
>are *not* anonymous, based on a couple of quick glances at the newsgroup.
I
>have never yet seen any pictures on Usenet that are as disturbing as the
>*text* in alt.sex.stories. (That was, for those who have forgotten, the
>newsgroup where Jake Baker's violent fantasy was posted.)

>5) To characterize Clive Feather as "The school governor who sells access
>to photos of child rape" on the above basis seems equivalent to
>characterizing the head of BT as "The millionaire who sells access to live
>telephone sex." No context is given; the article makes it sound as though
>access to this material is the only reason people subscribe to Demon. (It
>is true, however, that Demon was the first UK company to offer uncensored
>access to Usenet, and that it has consistently claimed to offer a full
>newsfeed.)

But Demon has been joined by many others, and they have always stood by
their claim of uncensored news, even before net.porn/hysteria.

>6) The article says Helsingius ("the Internet middleman who handles 90 per
>cent of all child pornography") has been raided (this is true). "Finnish
>police have seized information from the remailer on half-a-dozen
occasions,
>acting on request from police forces, but no child pornography has been
>found." At least one of those raids was presumably the February 1995 one
>at the instigation of the Church of Scientology. *That* raid had nothing
>to do with child pornography, but with material the CoS claimed had been
>stolen from its internal computer system. Helsingius noted publicly in
>February 1995 that around the time of the CoS request a story was
published
>in a Swedish newspaper alleging that his service was being used for child
>pornography, adding that the story was investigated and the messages on
>which it was based shown to be forgeries (from the UK).
>
>7) The article recommends rules for parents to give their children. One
of
>the points includes the suggestion that parents should get their kids to
>teach them about the Net. Great idea. But the article then goes on to
>recommend installing blocking software, without apparently realizing that
>most blocking software requires some technical understanding to install,
>and that a reasonably computer-literate kid is quite likely to be able to
>defeat it without the parents' knowledge. The existence of blocking
>software or of new technological efforts such as PICS is not mentioned in
>the main article. (There's no mention of Declan's and Brock's researches
>into the type of material blocking software blocks, either.) In any
event,
>blocking software is not presented as an *alternative* to government
>regulation.

Nor the fact that on August 14th, Demon announced it would be supporting
the use of MSFT Internet Explorer 3.0 and the PICS standard.

>8) There seems to be little understanding of any of the technology
>involved, and little attempt to acquire any. Ditto for the finances
>involved -- newsstand pornography magazines are big business here, as are
>certain types of sex clubs, but those money-making ventures are not
>discussed. The reporters don't seem to have actually looked at any of the
>newsgroups to form an assessment of their contents. (I note that the
>official description of alt.transgen reads "Robbing the cradle and the
>grave" and wonder if that is how it got on the police list.) Essentially,
>they seem to have bought the police view without questions.
>
>9) There seem also to be some interesting background politics, which no
>attempt is made to set in context. Reference is made to the ISPA (the
>Internet Service Providers Association), which "represents more than 60 of
>the UK's 140 providers". The ISPA chairman "said responsible providers
>were being undermined by companies like Demon. 'We are being portrayed as
>a bunch of porn merchants. This is an image we need to change. Many of
>our members have already acted to take away the worst of the Internet.
But
>Demon have taken every opportunity to stand alone in this regard. They do
>not like the concept of our organisation.'" However, according to
someone
>on CIX (London's main online service where techies gather), this same gent
>is quoted in the October issue of the UK magazine PC Pro saying that "The
>last thing we want is to stop pornography on the Internet; we just want to
>make sure it can only be accessed by people who want to see it."

The position of the ISPA and Demon isn't a million miles away. Both want to
use technological methods of censorship and neither wants to take
responsibility for the material they carry.

Azeem

Azeem Azhar +44 973 380328

------------------------------

Date: Wed, 28 Aug 1996 06:06:31 -0700 (PDT)
From: Declan McCullagh <[email protected]>
Subject: File 3--An open letter to the Editor of The Observer

---------- Forwarded message ----------
Date--Wed, 28 Aug 1996 07:12:28 GMT
From--Matthew Richardson <[email protected]>

[I understand the text of the Observer article is available at
http://www.hclb.demon.co.uk/obs.txt]

-----BEGIN PGP SIGNED MESSAGE-----

I. T. Consultancy Limited

Our reference L2217

The Editor
The Observer
119 Farringdon Road
London EC1R 3ER

26 August 1996

AN OPEN LETTER FOR PUBLICATION

Sir,

I read with some interest the article by David Connett and Jon Henley
in yesterday's edition regarding the Internet and child pornography.
I was particularly interested as I am a computer consultant advising
clients on Internet issues.

In my professional opinion, the technical standard of the reporting
was sufficiently poor as to be both inaccurate and misleading. The
purpose of this letter is to clarify certain technical issues which
might cause your readers to reach unfounded or incorrect conclusions.

It is important to be aware of the various methods by which
information generally (which can include pornography) is distributed
around the Internet. Your article focuses on one particular route,
namely Newsgroups. It is Newsgroups which are detailed in the
Metropolitan Police's letter to Internet Providers and which are
concentrated upon by your article. There are several other means of
distributing information. I believe however that the Police letter
lists fewer than the 150 groups referred to by the authors.
Interestingly enough Newsgroups only offer the means of broadcasting
information to anyone who wants to retrieve it.

The authors do not appear to have a sufficient grasp of what a
"remailer" does. For example they seem to draw a direct link between
the use of such remailers and people being able to "log on and
participate in 'live' and 'interactive' filmed sessions". A lay
reader would perhaps draw the inference that the remailer is somehow
involved in any such live participation. Unfortunately this could
not be further from the truth. Remailers simply allow people to post
messages, either as email to other people or to Newsgroups for
general reading. Nothing more. Remailers are generally incapable of
being "logged on" to.

Your article also refers to "remailing companies", from which the lay
reader might infer that remailers are operated for commercial profit.

Such an inference would again be wholly incorrect. I know of no
organisation operating a remailer for profit, indeed none of them
even charge for their services. They are generally run by
individuals on a voluntary basis who consider them as a service to
the Internet community. Your article appears not to mention any of
the purposes of such remailers other than in terms of the
distribution of pornography. In my view it would be difficult to
present a balanced article without doing so.

Different remailers take different steps to prevent whatever their
operators consider as "abuse". My understanding is that Mr.
Helsingius' service restricts messages to 48k bytes (or characters)
and prohibits postings to the "binaries" newsgroups designated for
images. I also understand that it only allows 30 messages per user
per day. At a technical level these restrictions would make it
almost impossible to use his service for mass distribution of any
binary data, not just pornography.

It therefore appears surprising to me that your article should allege
that Mr. Helsingius' remailer is responsible for handling "90 per
cent of all child pornography" on the Internet. I wonder what
substantiating evidence The Observer has to this effect other than
the alleged claim by Toby Tyler. Indeed it appears from your article
that the words "is supplied through this remailer" may not be a
direct quote from Toby Tyler.

Your article alleges that "the photographs made available to Demon's
subscribers through the Internet are supplied anonymously by
remailing companies". The lay reader might infer from this that all
photographs therefore come via remailers. Again this would be far
from the truth.

Finally I hope this letter offers some assistance to your readers in
clarifying a number of issues which were perhaps less than clear in
your article. Given your newspaper's difficulties with technical
issues, I would be grateful if you would kindly refer any editing of
this letter to me prior to publication.

Yours faithfully,
Matthew Richardson

------------------------------

Date: Mon, 26 Aug 1996 17:40:10 -0500 (CDT)
From: pkennedy <[email protected]>
Subject: File 4--7th Crct Enforces "Shrinkwrap" License in Procd v. Zeidenberg

**********************************************
** LEGAL BYTES **
**********************************************

Summer 1996, Volume 4, Number 2

----------
George, Donaldson & Ford, L.L.P.
Attorneys at Law
114 West 7th Street, Suite 1000
Austin, Texas 78701
(512) 495-1400
(512) 499-0094 (FAX)
[email protected]
http://www.gdf.com
----------
Copyright 1996, George, Donaldson & Ford, L.L.P.
(These articles may be re-distributed electronically,
without editing and with proper attribution)
----------
David H. Donaldson, Jr., Publisher, [email protected]
Peter D. Kennedy, Editor, [email protected]
----------
4. CASENOTE: SEVENTH CIRCUIT ENFORCES A "SHRINKWRAP" LICENSE IN
PROCD V. ZEIDENBERG.

The Contract question. Most software comes with a long
license agreement. Technically, software publishers are not
"selling" their products, but licensing its use. The licenses have
become known as "shrinkwrap" contracts, because they are usually
sealed within packaging and cannot be read until after the sale.

Software publishers use shrinkwrap licenses for two basic
reasons: (1) to reinforce and extend their control over their
easily-duplicated creations by prohibiting unauthorized copying,
distribution, and commercial use; and (2) to limit their legal
liability to customers.

Despite their forbidding legal language and ubiquitousness,
whether shrinkwrap licenses can actually be enforced has been a
debated question -- with most authorities doubting their binding
force. See "Will the Shrink-Wrap License Dilemma Plague On-Line
Sales?", Legal Bytes, Vol. 3, No. 1. Two problems are generally
identified. First, and most importantly, shrinkwrap licenses try
to impose terms that cannot be known by the customer until after a
purchase is made. Typically, the law does not enforce terms of a
contract to which both parties have not agreed. Second, shrinkwrap
licenses are take-it-or-leave-it "contracts of adhesion," and
courts often will not enforce inequitable terms of such contracts.

ProCD, Inc. v. Zeidenberg is now the first legal opinion
holding that any term of a shrinkwrap license can be enforced by
the software publisher. See ProCD, Inc. v. Zeidenberg, 908 F.2d
640 (W.D. Wis. 1996), rev'd 86 F.3d 1447 (7th Cir. 1996). The
trial judge, Barbara Crabb of Madison, Wisconsin, ruled that
shrinkwrap terms could not be enforced. Her ruling was recently
reversed by the Seventh Circuit Court of Appeals, sitting in
Chicago, in an opinion that is sure to continue to generate debate
and controversy. See ProCD, Inc. v. Zeidenberg, 86 F.3d 640 (5th
Cir. 1996).

ProCD publishes a set of CD-ROMs that contain a nationwide
list of telephone and address listings called "Select Phone." The
company spend millions of dollars compiling the listings from phone
books around the country. A University of Wisconsin graduate
student, Matthew Zeidenberg, copied the ProCD telephone listings
(but not the ProCD software) and set up an Internet site on which
visitors could search the database. ProCD, concerned that it was
losing sales to Zeidenberg's site, sued to shut it down.

ProCD advanced several legal theories, but the one that
eventually won the day was its claim under its shrinkwrap license,
which prohibited commercial use of the database by purchasers.
Judge Crabb ruled that this license term could not be enforced for
the commonly-cited ground: Zeidenberg could not have seen it
before buying the CD-ROMs, and therefore he could not have agreed
to the term. Judge Crabb's opinion reviewed the governing sections
of the Uniform Commercial Code, and concluded that the "offer" took
place when ProCD's software was put on the store's shelf, and the
"acceptance" took place when Zeidenberg paid for it. Additional
license terms that popped up out of the box after the money was
paid was an unenforceable attempt to change the terms of the deal.

In a ruling that has surprised many observers, the Court of
Appeals disagreed. Judge Easterbrook's opinion for the Court
recited a list of common consumer transactions where all the terms
of the agreement are not known at the time of purchase -- insurance
policies, which are delivered after payment; airline and concert
tickets, which have printed terms often seen only after they are
bought; and consumer electronics, which contain warranty
disclaimers inside the packaging. The Court also considered the
difficulty of conducting phone or on-line sales if the terms of a
license had to be read beforehand, or the terms subject to
invalidation later.

Judge Easterbook's opinions, while always fluently written,
sometimes obscure the basis for his conclusions. Concisely put, it
appears that he concluded that ProCD set the terms of what an
"acceptance" of its offer of sale would be: "ProCD proposed a
contract that a buyer would accept by using the software after
having an opportunity to read the license at leisure. ... [T]he
software splashed the license on the screen and would not let him
proceed without indicating acceptance." Until Zeidenberg used the
software (or at least had time to read the license agreement), the
contract was not fully formed.

Judge Easterbrook pointed out that Section 2-606 of the
Uniform Commercial Code (although it did not apply) "reinforced"
the understanding that goods can be sold subject to inspection and
a right to reject. True, the UCC does provide for a buyer's right
to inspect and reject goods, but this right is intended to protect
the buyer from non-conforming goods. Judge Easterbrook's opinion
protects the seller -- by permitting the seller to structure a
transaction so that the "acceptance" takes place only after the
money has been paid and the software taken home for an inspection.
The "inspection" Judge Easterbrook is referring to is an inspection
of the terms of the contract itself, rather than the nature and
quality of the product. To the Court, however, the terms of
software license are not meaningfully distinguishable from the
product itself.

Two factors are clearly essential to the Court's conclusion:
the software box warned the prospective customer that the sale was
subject to an enclosed license, and the license provided the right
to return the software for a refund if the terms were not accepted.

Absent these provision, the Court could not characterize the
license as the "offer" and the after-purchase use as the
"acceptance." The Court did not hold that all shrinkwrap terms
could be enforced, even unreasonable ones, but seemed to indicate
that the buyer's right to reject the software would address
concerns about onerous, undisclosed terms.

Pre-emption of State Law by the Copyright Act. ProCD did not
have a viable complaint against Zeidenberg under the Copyright Act
-- the listing of names and addresses was not sufficiently original
to be a protected creation under the Act, and Zeidenberg's limited
use of the software that came with the CD-ROMs was not infringing.
Both the trial court and appeals court opinions dealt with a
thornier question -- the pre-emption of state law claims by the
federal Copyright Act.

The Copyright Act provides exclusive protections, and so state
laws that provide equivalent protections to material falling under
the Copyright Act are unenforceable. Judge Crabb ruled that
ProCD's state law claims of breach of the license agreement and
unfair competition and misappropriation were preempted by the
Copyright Act, even though the telephone listings were not
sufficiently original to warrant protection by the Act. In doing
so, she followed language in a previous Seventh Circuit decision
indicating that some matters can fall "within" the Copyright Act's
scope, even though they do not qualify for the Act's protection.
On appeal, the Seventh Circuit agreed with Judge Crabb on this
point, but disagreed with her ultimate conclusion that the contract
claim was preempted. (Note that a federal trial judge in New York
recently reached a different conclusion, holding that if material
is not protected by copyright, the Copyright Act does not preempt
state law protections. See "It's All In The Game: Who Owns "Real-
Time" Sports Information?," Legal Bytes, Vol. 4, No. 2, above.)

Judge Crabb ruled that the contract claim was not sufficiently
different from a Copyright Act claim, despite the need to prove a
"breach" of the contract. The Seventh Circuit disagreed with this
conclusion, because contract claims are based on an agreement
between parties, and license terms can only be enforced against
parties to the contract. The Copyright Act -- which creates rights
against the whole world -- only preempts state laws that create
similar "exclusive" rights, and therefore does not pre-empt the
terms of agreements between individual parties. In light of the
Court's decision to enforce shrinkwrap license terms, however, this
distinction exists more in principle than in reality. Do state
laws that enforce software licenses which must be agreed to before
the software will even _function_ create exclusive rights in the
publisher?

It is unlikely that the ProCD v. Zeidenberg ruling will be the
last word, although it undoubtedly will be influential. The
American Law Institute and the National Conference on Uniform Laws
have proposed a new section of the UCC that would explicitly
validate standard form software licenses, which would render both
Judge Crabb and Judge Easterbrook's contract rulings moot.
However, the opinion provides ample warning to both publishers and
users of software: publishers must continue to draft user licenses
with great care, and software users disregard those terms at their
own risk.

------------------------------

Date: Thu, 21 Mar 1996 22:51:01 CST
From: CuD Moderators <[email protected]>
Subject: File 5--Cu Digest Header Info (unchanged since 7 Apr, 1996)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send post with this in the "Subject:: line:

SUBSCRIBE CU-DIGEST
Send the message to: [email protected]

DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.

The editors may be contacted by voice (815-753-0303), fax (815-753-6302)
or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.

To UNSUB, send a one-line message: UNSUB CU-DIGEST
Send it to [email protected]
(NOTE: The address you unsub must correspond to your From: line)

Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on RIPCO BBS (312) 528-5020 (and via Ripco on internet);
and on Rune Stone BBS (IIRGWHQ) (860)-585-9638.
CuD is also available via Fidonet File Request from
1:11/70; unlisted nodes and points welcome.

EUROPE: In BELGIUM: Virtual Access BBS: +32-69-844-019 (ringdown)
Brussels: STRATOMIC BBS +32-2-5383119 2:291/[email protected]
In ITALY: ZERO! BBS: +39-11-6507540
In LUXEMBOURG: ComNet BBS: +352-466893

UNITED STATES: etext.archive.umich.edu (192.131.22.8) in /pub/CuD/CuD
ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
EUROPE: nic.funet.fi in pub/doc/CuD/CuD/ (Finland)
ftp.warwick.ac.uk in pub/cud/ (United Kingdom)

The most recent issues of CuD can be obtained from the
Cu Digest WWW site at:
URL: http://www.soci.niu.edu/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission. It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified. Readers are encouraged to submit reasoned articles
relating to computer culture and communication. Articles are
preferred to short responses. Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Digest contributors assume all
responsibility for ensuring that articles submitted do not
violate copyright protections.

------------------------------

End of Computer Underground Digest #8.63
************************************