†1998 A. Michael Froomkin.
† Professor of Law, University of Miami School of Law; B.A., 1982, Yale College; M.Phil., 1984, Cambridge University; J.D., 1987, Yale Law School. Internet: froomkin@law.tm. I would like to thank Caroline Bradley, Amy Boss, Bernie Cosell, Patrick Gudridge, Richard Hornbeck, Ray Nimmer, Adam Smith and Jane Winn for their helpful comments on earlier drafts. I am particularly grateful to Pam Samuelson and Mark Lemley for including me in this Symposium. The initial version of this paper was delivered in Berkeley in April, 1998; unless otherwise indicated, this version seeks to reflect legal and technical developments as of October 1, 1998. Research was supported by a Summer Research Grant from the University of Miami School of Law.
1. See generally UNITED STATES DEPARTMENT OF COMMERCE, THE EMERGING DIGITAL ECONOMY (1998), available at <http://www.ecommerce.gov/emerging.htm>.
2. U.C.C. Article 2B-Licenses (Aug. 1, 1998 Draft), available at <http://www.law.upenn.edu/library/ulc/ucc2/2b898.htm>. The Microsoft Word version of the August draft, available on the web site maintained by the University of Pennsylvania repository of U.C.C. drafts, contains redline and strikeout marks that show changes from the previous draft. To track changes from the April to the August draft one must acquire each of the intervening drafts available at <http://www.law.upenn.edu/library/ulc/ulc.htm#ucc2b>.
3. At the Berkeley symposium I learned that the Article 2B as software metaphor used in this paper, which grew out of a conversation with my colleague Patrick Gudridge, has been used by others, notably Cem Kaner. See, e.g., Cem Kaner, Bad Software-Who is Liable?, Address at the Proceedings of the American Society for Quality's 52nd Annual Quality Congress (May 1998), available at <http://www.badsoftware.com/asqcirc.htm>; Cem Kaner, Brian Lawrence & Bob Johnson, SPLAT! Requirements Bugs on the Information Superhighway, 5 Software QA 18 (1997).
4. U.C.C. Article 2B-Licenses (Mar. 1998 Draft), available at <http://www.law.upenn.edu/library/ulc/ucc2/2b398.htm>.
5. Compare U.C.C. § 2B-104(c) (Apr. 15, 1998 Draft) ("A statute authorizing electronic or digital signatures in effect on the effective date of this article is not affected by this article"), available at <http://www.law.upenn.edu/library/ulc/ucc2/2b498.htm>, with U.C.C. § 2B-104(c) (Mar. 1998 Draft), available at <http://www.law.upenn.edu/library/ulc/ucc2/2b398.htm> ("A statute authorizing electronic or digital signatures in effect on the effective date of this article is not affected by this article, but in the case of a conflict this article controls.") (emphasis added). See also infra text accompanying note .
6. The July draft, which was prepared for the July 1998 meeting of the National Conference of Commissioners on Uniform State Laws, can be found at <http://www.law.upenn.edu/bll/ulc/ucc2b/ucc2bamg.htm>.
7. It should not need to be said, but it also follows from the rapid rate of change in a complex document that arguments in favor of Article 2B based on some form of notice and estoppel ("we discussed this issue two years ago-where were you?") deserve to be treated with derision. Alas, some of Article 2B's more exuberant proponents continue to make such arguments. See, e.g., Memorandum from the Business Software Alliance et al. on Article 2B (July 15, 1988) ("One would expect ALI motions and votes to be circumspect and to give credence to the open forum of NCCUSL and the endless hours of discussion heard and considered by the Article 2B Drafting Committee. But they do not. [One] motion on standard form contracts seeks to overturn the delicate compromise reached by the Drafting Committee after untold hours of debate and consideration of alternative approaches. The motions on choice of law and choice of forum also ignore hours of discussion and compromise, as well as commercial realities and needs. We do not support this type of above-the-fray tinkering, particularly on such fundamental issues."), available at <http://www.2Bguide.com/docs/amemo981.html>.
8. For instance, Article 2B also has innovative features regarding automated contracts formed by electronic agents, some of which are discussed in section II.D.
9. For a fuller explanation of public-private key technology see A. Michael Froomkin, The Essential Role of Trusted Third Parties in Electronic Commerce, 75 OR. L. REV. 49, 50-53 (1996), available at <http://www.law.miami.edu/~froomkin/articles/trusted.htm>.
10. When combined with a digital time stamp the message can also be proved to have been sent at a certain time. See id. at 65-67.
11. Article 2B does not use the term "verify" in the context of electronic contracting. The term is used in the ABA Digital Signature Guidelines and in the Utah Digital Signature Act: "Verify a digital signature" means, in relation to a given digital signature, message, and public, key, to determine accurately that: (a) the digital signature was created by the private key corresponding to the public key; and (b) the message has not been altered since its digital signature was created. See DIGITAL SIGNATURE GUIDELINES § 1.37 (1996), available at <http://www.abanet.org/scitech/ec/isc/dsgfree.html>; Utah Digital Signature Act § 103(37), UTAH CODE ANN. tit. 46, ch. 3 (1995). Instead, Article 2B uses the term "authenticate" which refers to both the act of creating the original digital signature and the act of confirming its authenticity and validity. See U.C.C. § 2B-102(a)(3) (Aug. 1, 1998 Draft). Conflating the two significantly different actions into one term creates a real, and avoidable, potential for confusion.
12. Digital signatures achieve this by computing a one-way hash value of the message and then encrypting the hash value with the user's private key. A hash function takes an input string and converts it to a fixed-size, and usually smaller, output string. A one-way hash function adds the property that while it is easy to compute the hash value from the input it is very hard to find other inputs that produce the same hash output. See BRUCE SCHNEIER, APPLIED CRYPTOGRAPHY 28 (2nd ed. 1996). The recipient checks the digital signature by decrypting the hash value with the sender's public key, then comparing the hash value with the independently generated hash value of the file received. If the two numbers are the same, the file is authentic and unchanged. See RSA Laboratories, Answers to Frequently Asked Questions About Today's Cryptography § 2.1.6 (visited Nov. 9, 1998) <http://www.rsa.com/rsalabs/newfaq/alg_tech.htm>.
13. See SCHNEIER, supra note 12, at 38 (noting that a digital signature using a 160-bit hash number has only a one in 2160 chance of mistakenly authenticating another document).
14. See Ronald L. Rivest, Can We Eliminate Certificate Revocation Lists?, PROC. OF FINANCIAL CRYPTOGRAPHY 178 (Rafael Hirschfeld ed., 1988) (proposing and advocating a means of dispensing with certificate revocation lists in which the proponent of a digital signature bears the burden of providing a suitably recent and reliable certificate to the relying party), available at <http://theory.lcs.mit.edu/~rivest/revocation.ps>; see also Richard Hornbeck, The Troubling Truth About "Trust" on the Internet, 10 J. ELECTRONIC COMM. 59, 65 (1997) (critiquing CRL model), available at <http://www.primenet.com/~hornbeck/trust.htm>.
15. See VeriSign Home Page (visited Nov. 9, 1998) <http://www.verisign.com>.
16. See ABA Announces Plan to Become Certificate Authority For Financial Services Industry (Mar. 6, 1998) <http://www.aba.com/abatool/showme_rel.html?location= PR_030698ec.htm>; OCC Approves A National Bank to Certify Digital Signatures (Jan. 13, 1998) <http://www.occ.treas.gov/98Rellst.htm>.
17. For a continually updated summary of state legislation see McBride, Baker & Coles, Summary Of Electronic Commerce And Digital Signature Legislation (last modified Oct. 13, 1998) <http://www.mbc.com/ds_sum.html>.
18. See generally Juan Avellan, Digital Signature Links, (last modified June 10, 1997) <http://www.qmw.ac.uk/~tl6345/#Europe> (Summary of activities in European countries, including Germany, Italy and the UK.).
19. See generally Towards A European Framework for Digital Signatures And Encryption, COM(97)503, available at <http://www.ispo.cec.be/eif/policy/97503toc.html>.
20. See generally Draft Uniform Rules on Electronic Commerce, UNICITRAL, 32nd Sess., U.N. Doc. A/CN.9/WG.IV/WP.73 (1998), available at <http://www.un.or.at/uncitral/english/sessions/wg_ec/wp-73.htm>; UNCITRAL Model Law on Electronic Commerce, G.A. Res 51, U.N. GAOR 6th Comm., 85th plen. mtg., U.N. Doc. A/51/628 (1996), available at <http://www.un.or.at/uncitral/english/texts/electcom/ml-ec.htm>.
21. E.g., Japan. See Electronic Commerce Promotion Council of Japan, Certification Authority Guidelines (Alpha Version) (Apr. 7, 1997) <http://www.ecom.or.jp/eng/output/ca/eng-guideline.htm>.
22. See generally
DIGITAL SIGNATURE GUIDELINES
(1996), available at <http://www.abanet.org/scitech/ec/isc/dsgfree.html>.
23. I belabor this point in Froomkin,
supra note .
24. So far as I am aware, there
have been none, other than rare cases in which courts addressed whether an electronic
"copy" can have the same legal force and effect as a traditional written
signature in the absence of a "written original." See, e.g.,
Allen v. Caldwell, 470 S.E.2d 696, 698 (Ga. App. 1996) (questioning the validity
of a "facsimile" that lacks an "original").
25. It is entirely normal, appropriate,
and often praiseworthy for the legislature (and others) to seek to enact power-conferring
laws. See generally H.L.A. H
ART, THE CONCEPT
OF LAW 27-33 (1961). The issue
is the content of the facilities created for individuals to realize their wishes,
and the structure of the resulting de facto as well as the de jure structures
of rights and duties that will flourish within the coercive framework of the law.
26. Stewart A. Baker, International
Developments Affecting Digital Signatures, (Oct. 1997) <http://www.steptoe.com/WebDoc.NSF/Law+&+The+Net+All/Interna-tional+Developments+Affecting+Digital+
Signatures? OpenDocument>.
27. In the case of states such
as Utah or Minnesota, which have already amended their original digital signature
laws, we may be at version 1.1. The rapidity and frequency with which digital
signature laws are likely to be revised underlines the point that we are at
an early stage in their development.
28. Several institutions enable
continual contacts, including committees of the American Bar Association, the
Commissioners on Uniform Laws, the UNCITRAL drafting process, and an excellent
electronic mailing list with more than 150 members maintained by Professor Amelia
Boss at Temple.
29. For an excellent survey of
digital signature issues relating to other sections of the U.C.C., see Jane
Kaufman Winn, Open Systems, Free Markets, and Regulation of Internet Commerce,
72 T
ULANE L. REV.
1177 (1998). Very valuable, more narrowly focused, treatments of various issues
relating to digital signatures and online sales or to digital signatures and specific
articles of the U.C.C. include C. Bradford Biddle, Legislating Market Winners:
Digital Signature Laws and the Electronic Commerce Marketplace, 34 SAN
DIEGO L. REV.
1225 (1997); C. Bradford Biddle, Misplaced Priorities: the Utah Digital Signature
Act and Liability Allocation in a Public Key Infrastructure, 33 SAN
DIEGO L. REV.
1143 (1996); Walter A. Effross, The Legal Architecture of Virtual Stores: World
Wide Web Sites and the Uniform Commercial Code, 34 SAN DIEGO
L. REV. 1263 (1997);
and Jane Kaufman Winn, Couriers Without Luggage: Negotiable Instruments and
Digital Signatures, 49 S. CAR. L. REV.
739 (1998).
30. See supra note 14 (noting
a potential alternative model of e-commerce).
31. "'Access contract' means
a contract to electronically obtain access to, or information in electronic
form from, an information processing system. The term does not include a contract
for physical access to a place, such as a theater or building." U.C.C.
§ 2B-102(a)(1) (Aug. 1, 1998 Draft).
32. Id. § 2B-103(a).
33. See id. § 2B-103(b).
34. According to section 2B-103(b)(2),
Articles 2 or 2A also apply and Article 2B does not apply "as to subject
matter that is excluded [from Article 2B] under Section 2B-104(3)," i.e.
to the extent that a transaction:
(A) the goods are merely a copy of the program;
(B) the goods are a computer or computer peripheral; or
(C) giving the purchaser of the goods access to or use of
the computer program is a material purpose of the transaction.
35. Id. § 2B-103(b)(3)(A).
36. Id. § 2B-103(b)(3)(B).
37. Id. § 2B-103, Reporter's
Note 5.
38. Id. § 2B-103(c)(1).
39. Id. § 2B-105(g). Note
that this was section 104(c) in the April draft.
40. U.C.C. § 2B-104(c) (Mar. 1998
draft) (emphasis added).
41. Article 2B defines "Authenticate"
as:
(A) identify the person;
(B) adopt or accept the terms or a particular term of a record
that includes or is logically associated or linked with the authentication
or to which a record containing the authentication refers; or
(C) establish the integrity of the information in a record
which includes or is logically associated or linked with the authentication
or to which a record containing the authentication refers."
42. See, e.g., U
NIFORM ELECTRONIC TRANSACTIONS
ACT § 102(a)(20) (Mar. 23, 1998
Draft) (defining "signature" as "any symbol, sound, process, or
encryption of a record in whole or in part, executed or adopted by a person or
the person's electronic agent with intent to: (A) identify that person; (B) adopt
or accept a term or a record; or (C) establish the informational integrity of
a record or term that contains the signature or to which a record containing the
signature refers."), available at <http://www.law.upenn.edu/library/ulc/uecicta/eta398.htm>.
43. UNIFORM ELECTRONIC
TRANSACTIONS ACT
§ 102(a)(20) (Sept. 18, 1998 Draft), available at <http://www.law.upenn.edu/library/ulc/uecicta/eta1098.htm>.
44. See infra text accompanying
notes -. Compare Guideline 1.4 of the ABA Digital Signature Guidelines,
which defines "authentication" as: "A process used to ascertain
the identity of a person or the integrity of specific information. For a message,
authentication involves ascertaining its source and that it has not been modified
or replaced in transit." This definition excludes signing with an
intent to be bound. See D
IGITAL SIGNATURE GUIDELINES
§ 5.2 (1996), available at <http://www.abanet.org/scitech/ec/isc/dsgfree.html>.
45. For a state-of-the-art CPS
see Verisign Certification Practice Statement (May 15, 1997) <https://www.verisign.com/repository/CPS1.2/CPS1.2.pdf>.
46. See generally Froomkin,
supra note , at 55-65, 97.
47. For an example of a CRL lookup
form see VeriSign, Verify the Status of a Digital ID, (visited Nov. 19,
1998) <http://digitalid.verisign.com/status.htm>.
48. I have argued elsewhere that
the second part of this scenario has some limits. If, for example, Bob is paying
by credit card, the credit card company fulfills the role of trusted third party
and there is little reason for Alice to require Bob to guild the lily with a
certificate. Indeed, to the extent that the credit card company functions as
an insurer, there is little incentive for Bob to worry about the validity of
Alice's public key either, since he bears little or no risk of loss. See
generally Froomkin, supra note , at 68. Nevertheless, as the scenario
in the text appears to animate most digital signature statutes, it remains worth
considering.
49. Indeed, failure to consult
a CRL before relying on a certificate in these models likely would be per se
negligence. See D
IGITAL SIGNATURE GUIDELINES
§ 5.4 (1996), available at <http://www.abanet.org/scitech/ec/isc/dsgfree.html>.
A person who negligently uses an attribution procedure that could have
been adequate may be estopped from pleading reliance upon the attribution procedure
of which the certificate is a part, since only those who act reasonably are entitled
to claim this type of reliance. See, e.g., U.C.C.§ 2B-117(4) (Aug. 1, 1998
Draft) ("If the sender complies with the attribution procedure, but the receiving
party does not, and the change or error would have been detected had the receiving
party also complied, the sender is not bound by the error or change.").
50. On the other hand, one can
also imagine alternate e-commerce models using digital signatures backed by
certificates which do not rely on CRLs, perhaps because parties always demand
reasonably fresh certificates, and the market responds by having CAs provide
a continual stream of newly minted but short-lived certificates. This, more
or less, is the model discussed in Rivest, supra note .
51. Froomkin, supra note
, at 89-90.
52. For example, in the March 1998
draft, Article 2B defined a mass market transaction as a "consumer transaction
... directed to the general public ... for the same information." U.C.C.
§ 2B-102(a)(31) (Mar. 1998 Draft). The term excluded "a transaction in
which the information is or becomes customized or otherwise specially prepared
by the licensor for the licensee." Id. at § 2B-102(a)(31)(C). If
a certificate is not the subject of a mass market transaction, by definition
it cannot be covered by a "mass-market license" since a "'[m]ass-market
license' means a standard form that is prepared for and used in a mass-market
transaction." Id. § 2B-102(a)(30). As a result, various consumer
protections designed to apply to mass market transactions would not have applied
to CAs under the March 1998 formula.
53. U.C.C. § 2B-102(a)(32) (Aug.
1, 1998 Draft).
54. "Consumer" is defined
at section 2B-102(a)(10).
55. U.C.C. § 2B-102(a)(11) (Aug.
1, 1998 Draft).
56. The drafters identify the following
as consumer protections in mass market transactions: "The provisions of
this Article that provide additional consumer protections include: 2B-107 (choice
of law); 2B-118 (electronic error); 2B-208 (limit on mass market license; right
to refund); 2B-303 (limit on no-oral modification clause); 2B-304 (limit on
modification of continuing contract); 2B-406 (warranty disclaimer); 2B-409 (third-party
beneficiary); 2B-609 (perfect tender); 2B-619 (limit on hell and high water
clauses); 2B-703 (exclusion of personal injury claim)." Id. § 2B-105,
Reporter's Note 5.
To what extent each of these matter in the context of a CA is another debate;
one place where it matters whether a transaction is mass market or not is the
extent to which warranty disclaimers must be conspicuous. See id.
§ 2B-406 (b)(4).
57. Id. § 2B-102, Reporter's
Note 28.
58. Id.
59.Id.
60. See id.
§ 2B-104(5) (excluding contract for "personal or entertainment services");
see id. Reporter's Note 2.
61. See Froomkin, supra
note , at 87-88:
62. "VeriSign public
keys: VeriSign root public keys, including all PCA public keys, are the property
of VeriSign, Inc. VeriSign licenses relying parties to use such keys only in
conjunction with trustworthy hardware or software product in which the root
public key is distributed with VeriSign's authority." VeriSign CPS,
supra note , at § 12.13; see also id. at i (describing
right to reproduce CPS itself in license terms).
63. See, e.g., U.C.C. §
2B-102(a)(1) (Aug. 1, 1998 Draft) (defining "access contract" as "a
contract to electronically obtain access to, or information in electronic form
from, an information processing system. The term does not include a contract
for physical access to a place, such as a theater or building."); see
also id. § 2B-615 ("Access Contracts"). There are potential
conflicts between some of the rules for access contracts, (e.g., section 2B-107(b)
on choice of law for access contracts) which provides that even in a consumer
transaction "[a]n access contract or a contract providing for electronic
delivery of a copy is governed by the law of the jurisdiction in which the licensor
is located when the agreement is made" and the general deference to digital
signature laws in section 2B-105(g) since some state digital signature laws
require that parts of their own law be applied regardless of the physical location
of the CA. See, e.g., Washington Electronic Authentication Act, W
ASH. REV. CODE
§ 19.34.220(3) (1997) (providing that CA must certify to "all
those who reasonably rely on the information" that information in certificate
and listed as confirmed is accurate, that subscribers accepted certificate; that
all information foreseeably material to reliability of the certificate is stated
or incorporated by reference in the certificate; and that CA complied with Authentication
Act and other applicable laws of the state).
64. U.C.C. § 2B-104, Reporter's
Note 5 (Aug. 1, 1998 Draft).
65. Id. § 2B-104.
66. Id. § 2B-103(b)(3)(B).
In addition, section 2B-103 (c) states that the parties may agree that all of
Article 2B applies so long as this agreement does not alter mandatory consumer
protections rules that would otherwise apply, and so long as this agreement
does not remove a transaction from either U.C.C. Article 2 or U.C.C. Article
2A when one of those articles would otherwise apply. See id. §
2B-103(c).
67. Section 2B-104(5) states that
2B will not apply to the extent that an agreement "is a contract for personal
or entertainment services by an individual or group of individuals, other than
a contract of an independent contractor to develop, support, modify or maintain
software." Interestingly, if somewhat puzzlingly, the Reporter's Note states
that this exclusion "does not exclude situations where automation creates
a digital replacement for activities previously characterized as personal services."
Id. § 2B-104, Reporter's Note 6.
68. U.C.C. § 2-102 (1996) states
that "unless the context otherwise requires, this Article applies to transactions
in goods ...."
69. U.C.C. 2B, Preface, p.6 (Aug.
1, 1998 Draft) (quoting R
OBERT REICH, THE
WORK OF NATIONS
85-86 (1991)) (alterations in original).
70. On the "predominant purpose"
test, see J
AMES J. WHITE &
ROBERT S. SUMMERS,
UNIFORM COMMERCIAL CODE
3-4 (4th ed. 1995) ("If a sale of goods is not the 'predominant purpose,'
then [the U.C.C. Article] does not apply at all.").
71. See U.C.C. § 2B-103,
Reporter's Note 5:
72. See U.C.C. § 2B-103,
Reporter's Note 3 (Mar. 1998 draft) ("This Article applies to the extent
that the transaction involves subject matter within its scope, but not to the
extent that a particular subject matter or aspect of a relationship is excluded
or otherwise outside the scope.") The tautological reassurance that what
is excluded is excluded, and what is included is included was not comforting
and seemed to mean that if the predominant purpose of the transaction is within
Article 2B, then the contract formation rules-but not the other parts-of Article
2B applied to the entire transaction. Whatever it meant, we are well rid of
it.
73. The situation in states with
pre-existing digital signature laws may be even more complex. These statutes
are not uniform, and Article 2B does not seek to displace them. See U.C.C.
§ 2B-105(g) (Aug. 1, 1998 Draft). To the extent that some of these statutes
may have explicit contract formation terms, beyond defining a "writing,"
those terms will trump anything in 2B. See id. In the absence of an explicit
provision to the contrary, however, Article 2B's terms will presumably control,
including the treatment of mixed transactions described in this section.
74. See id. § 2B-103(b)(3)(B).
75. Id. § 2B-615.
76. The word "or" at
the end of section 2B-615(b)(2) suggests that one should read an "or"
into the end of section 2B-615(b)(1) and that therefore each of the three circumstances
listed in section 2B-615(b) are independent defenses against claims for breach
of contract.
77. The Free On-Line Dictionary
of Computing defines the "blue screen of death" as "[t]he infamous
white-on-blue text screen which appears when Microsoft Windows crashes. BSOD
is mostly seen on the 16-bit systems such as Windows 3.1, but also on Windows
95 and ... Windows NT 4." Free On-Line Dictionary of Computing, Blue
Screen of Death (Sept. 9, 1998) <http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?blue+screen+of+death>.
78. Id. § 2B-105(d), Reporter's
Note 6.
79. See infra text accompanying
notes -.
80. See, e.g., U.C.C. §
2B-116, Reporter's Note 2 (Aug. 1, 1998 Draft).
81. See UNCITRAL Model Law,
supra note , at art. 1, n.** ("This Law does not override any rule
of law intended for the protection of consumers.").
82. U.C.C. § 2B-105(e)(1) (Aug.
1, 1998 Draft).
83. Id. § 2B-102(a)(39).
84. See id. § 2B-113
("A record or authentication may not be denied legal effect, solely on
the ground that it is in electronic form.").
85. UNIFORM ELECTRONIC
TRANSACTIONS ACT
§ 301 (Sept. 18, 1998 Draft), available at <http://www.law.upenn.edu/library/ulc/uecicta/eta1098.htm>.
86. Clickwrap licenses are "textual
windows of non-negotiable, take-it-or-leave-it contract terms that prompt a
user to 'click' assent [on a web form or program button] before allowing installation
of a program or access to a website." Keith Aoki, The Stakes of Intellectual
Property Law (visited Nov. 22, 1998) <http://www.law.uoregon.edu/~kaoki/AOKI.html>.
87. U.C.C. § 2B-105(e)(2) (Aug.
1, 1998 Draft).
88. Id. § 2B-102(a)(3).
89. Cf. U.C.C. § 2B-119(c)
("Unless the circumstances indicate otherwise, authentication is
deemed to have been done with the intent to establish the person's identity,
its adoption or acceptance of the record or term, its acceptance of the contract,
and the integrity of the records or terms as of the time of the authentication.")
(emphasis added).
90. See, e.g., Letter from
Donald A. Cohn & Mary Jo Howard Divley to Carlyle C. Ring (Oct. 12, 1998)
<http://www.2Bguide.com/docs/cdm1098.html> ("What does it take for
me to manifest assent to a license under the proposed draft? First, I must be
acting either with knowledge or after having had an opportunity to review the
record or term. (Under Section 112, if I don't have the opportunity to see the
record before I pay for the product, I must be given the unconditional right
to return it if, after I do see the record, I don't accept any part of it, even
if the product is fine.) If I use conduct, I must intend that conduct and I
must know or have reason to know that the other party may infer from my conduct
that I assented to the record or term. ... Just because we are dealing with
certain new subject matter does not mean that all courts will suddenly lose
their reason.")
91. U.C.C. § 2B-105(e)(4) (Aug.
1, 1998 Draft).
92. For example, section 2B-111
of the August 1998 draft is heavily annotated with editorial cautions that the
text has yet to be reviewed by the Drafting Committee. Similarly, the current
UETA draft has bracketed section 107 on manifestation of assent, although it
is clear that UETA intends to draw a sharp distinction between authentications
and contractual commitments. See U
NIFORM ELECTRONIC TRANSACTIONS
ACT § 107 (Sept. 18, 1998 Draft),
available at <http://www.law.upenn.edu/library/ulc/uecicta/eta1098.htm>
and accompanying notes.
93. Opportunity to review is defined
in section 2B-112. The critical part of the definition reads:
(1) in the case of a person, ought to call it to the attention
of a reasonable person and permit review; or
(2) in the case of an electronic agent, would enable a reasonably
configured electronic agent to react to the record or term.
The Draft UETA section 108 contains similar language, but the section is bracketed
for further discussion. See U
NIFORM ELECTRONIC TRANSACTIONS
ACT § 108 (Sept. 18, 1998 Draft),
available at <http://www.law.upenn.edu/library/ulc/uecicta/eta1098.htm>.
94. U.C.C. § 2B-112(a) (Aug. 1,
1998 Draft).
95. Id. § 2B-102(a)(9).
96. Id. § 2B-102(a)(9).
97. Reporter's Note 4 to section
2B-110 ("Bizarre and oppressive terms") states that "[u]nconscionability
doctrine allows courts to monitor and limit application of [common law principles]
in a way that avoids binding the assenting party to unknown terms that are bizarre
and unfairly oppressive." Id. § 2B-110, Reporter's Note 4. This
seems to suggest that unconscionability might be invoked to correct gross defects
in the process of contract formation, as well to correct grossly unfair contract
terms, if electronic agents run wild. I find this to be a very intriguing idea-but
one that is absent from the text of section 2B-110.
98. Id. § 2B-105, Reporter's
Note 6. No examples are offered-probably because there are none. See infra
note .
99. Other than stating the circumstances
in which an electronic message may satisfy a writing requirement, most of the
state digital signature statutes to date, including the influential Illinois
statute, are silent on the subject of consumer protection. When they do address
the issue, they add, not subtract, protections for consumers. For example, the
Washington Electronic Authentication Act makes it clear that while agreements
between a CA and a subscriber may vary many of the provisions of the Authentication
Act itself, "Nothing in this chapter shall be construed to eliminate, modify,
or condition any other requirements for a contract to be valid, enforceable,
and effective." W
ASH. REV. CODE
§ 19.34.320(2)(b) (1997). Additional consumer protections include forbidding a
CA from disclaiming or limiting warranties that a certificate has no known false
information, and that the certificate satisfies all material requirements of the
statute. A CA is also required to give a warranty that it has not exceeded limits
of its license (e.g., the reliance limits). Id. § 19.34.220(1).
100. U.C.C. § 2B-102(a)(36) (Aug.
1, 1998 Draft).
101.Id.
102. See Froomkin,
supra note .
103. See U.C.C. § 2B-404(b)(2)
(Aug. 1, 1998 Draft).
104. See id. §§
2B-404 to 2B-406.
105. Id. § 2B-102(a)(4).
106. "'Electronic agent'
means a computer program or other automated means used by a person to independently
initiate or respond to electronic messages or performances on behalf of that
person without review by an individual." Id. § 2B-102(a)(19).
107. Id. § 2B-102(a)(9)
(emphasis added).
108. See id.
§ 2B-204(3) ("The terms of a contract formed under paragraph (2) are determined
under Section 2B-207 or 2B-208 [relating to mass-market contracts], as applicable,
but do not include terms provided by the individual in a manner to which the
electronic agent could not react.").
109. Cf. Paul Phillips,
Why Mozilla Matters (visited Nov. 9, 1998) <http://www.mozilla.org/why-mozilla-matters.html>.
110. U.C.C. § 2B-119(a) (Aug.
1, 1998 Draft).
111. See also id. § 2B-110,
Reporter's Note 4:
112. Id. § 2B-116(a).
113. Id. § 2B-116(c).
Other requirements, satisfied in the hypothetical in the text, are that:
(3) the reliance resulted from acts of a third person that obtained
access numbers, codes, computer programs, or the like from a source under
the control of the person rebutting the presumption; and
(4) the use of the access numbers, codes, computer programs, or the
like created the appearance that it came from the person rebutting the presumption.
114. The Reporter's Note to section
2B-118 offers two illustrations:
Illustration 2: Same facts, except that Jones' system
before shipping sends a confirmation, asking Consumer to confirm that it
ordered 110 games. Consumer confirms 110 copies. This section no longer
applies. If Consumer sees the confirmation request and does not respond,
the section also does not apply. In either case, the system reasonably allowed
for correction of the error.
115. See id. §
2B-120 ("an electronic message is effective when received even if no individual
is aware of its receipt. If an offer in an electronic message initiated by a
person or an electronic agent evokes an electronic message in response, a contract
is formed: (1) when an acceptance is received ...").
116. Id. § 2B-118.
117. For a summary of the issues
see C. Bradford Biddle, Misplaced Priorities: The Utah Digital Signature
Act and Liability Allocation in a Public Key Infrastructure, 33 S
AN DIEGO L. REV.
1143 (1996).
118. Recall that, under U.C.C.
§ 2B-116, " an electronic authentication, message, record, or performance
is attributed to a person if ... (2) the receiving person, in accordance with
a commercially reasonable attribution procedure for identifying a person, reasonably
concluded that it was the action of the other person."
119. See 15 U.S.C. § 1643(a)(1)(B);
12 C.F.R. § 205.6 (1995) (limiting liability to $ 50 for most unauthorized electronic
funds transfers).
120. For what it's worth, I believe
I originated this now-widespread meme in 1995, in my participation on the ABA
Digital Signature Guidelines drafting process.
121. Recall that section 2B-105(g)
grandfathers digital signature statutes.
122. The Recording Industry Association
of America, the National Association of Broadcasters, the National Cable Television
Association, the Newspaper Association of America, the Magazine Publishers of
America, and the Motion Picture Association of America have each expressed opposition
to Article 2B or asked that their industry be excluded from it. See, e.g.,
Letter from Cary H. Sherman, Senior Executive Vice President and General Counsel,
Recording Industry Association of America to National Conference of Commissioners
on Uniform State Laws (Oct. 9, 1998) (expressing opposition and noting similar
views of other trade associations), available at <http://www.2Bguide.com/docs/riaa1098.html>.
See also infra note 128 (noting suggestion by Director of ALI
and other influential lawyers that scope of Article 2B should be limited).
123. The current draft's language
is in flux, but reads "[a]n electronic record is attributable to a person
if ... [an] other person, in good faith and acting in compliance conformity
with a commercially reasonable security procedure for identifying the person
to which the electronic record is sought to be attributed, reasonably concluded
that it was the act of the other person, a person authorized by it, or the person's
electronic agent." U
NIFORM ELECTRONIC TRANSACTIONS
ACT § 202 (Sept. 18, 1998 Draft),
available at <http://www.law.upenn.edu/library/ulc/uecicta/eta1098.htm>.Even
when a record created by Alice is "attributable" to Bob, it has only
"the effect provided for by the agreement regarding the security procedure."
Id.
124. U.C.C. § 2B-104, Reporter's
Note 1 (Aug. 1, 1998 Draft).
125. See Yannis Bakos
& Erik Brynjolfsson, Aggregation and Disaggragation of Information Goods:
Implications of Bundling, Site Licensing and Micropayment (visited Oct.
24, 1998) <http://www.stern.nyu.edu/~bakos/aig.pdf>.
126. Letter from Terrence Maher,
to Editor, San Francisco Chronicle, (June 17, 1998), available at
<http://www.2Bguide.com/docs/tmaherrre.html> (visited Nov. 23, 1998).
127. U.C.C. Art. 2B, Default
Rules (quoting Grant Gilmore, On the Difficulties of Codifying Commercial
Law, 57 Y
ALE L. J. 1341 (1957)).
128. On October 7, the Director
of the ALI joined in a letter requesting substantial changes to Article 2B,
including narrowing the scope to apply only to information subject to "informational
right" as defined in section 102(a)(27) and the removal of all sections
relating to contract formation by electronic means. See Memorandum from
Geoffrey C. Hazard, Jr. et al. on July 1998 Draft Suggested Changes to Article
2B Drafting Committee (Oct. 7, 1998) available at <http://www.2Bguide.com/docs/gch1098.pdf>
(visited Nov. 23, 1998). This is a very encouraging development.