1998 A. Michael Froomkin.

Professor of Law, University of Miami School of Law; B.A., 1982, Yale College; M.Phil., 1984, Cambridge University; J.D., 1987, Yale Law School. Internet: froomkin@law.tm. I would like to thank Caroline Bradley, Amy Boss, Bernie Cosell, Patrick Gudridge, Richard Hornbeck, Ray Nimmer, Adam Smith and Jane Winn for their helpful comments on earlier drafts. I am particularly grateful to Pam Samuelson and Mark Lemley for including me in this Symposium. The initial version of this paper was delivered in Berkeley in April, 1998; unless otherwise indicated, this version seeks to reflect legal and technical developments as of October 1, 1998. Research was supported by a Summer Research Grant from the University of Miami School of Law.

1. See generally UNITED STATES DEPARTMENT OF COMMERCE, THE EMERGING DIGITAL ECONOMY (1998), available at <http://www.ecommerce.gov/emerging.htm>.

2. U.C.C. Article 2B-Licenses (Aug. 1, 1998 Draft), available at <http://www.law.upenn.edu/library/ulc/ucc2/2b898.htm>. The Microsoft Word version of the August draft, available on the web site maintained by the University of Pennsylvania repository of U.C.C. drafts, contains redline and strikeout marks that show changes from the previous draft. To track changes from the April to the August draft one must acquire each of the intervening drafts available at <http://www.law.upenn.edu/library/ulc/ulc.htm#ucc2b>.

3. At the Berkeley symposium I learned that the Article 2B as software metaphor used in this paper, which grew out of a conversation with my colleague Patrick Gudridge, has been used by others, notably Cem Kaner. See, e.g., Cem Kaner, Bad Software-Who is Liable?, Address at the Proceedings of the American Society for Quality's 52nd Annual Quality Congress (May 1998), available at <http://www.badsoftware.com/asqcirc.htm>; Cem Kaner, Brian Lawrence & Bob Johnson, SPLAT! Requirements Bugs on the Information Superhighway, 5 Software QA 18 (1997).

4. U.C.C. Article 2B-Licenses (Mar. 1998 Draft), available at <http://www.law.upenn.edu/library/ulc/ucc2/2b398.htm>.

5. Compare U.C.C. 2B-104(c) (Apr. 15, 1998 Draft) ("A statute authorizing electronic or digital signatures in effect on the effective date of this article is not affected by this article"), available at <http://www.law.upenn.edu/library/ulc/ucc2/2b498.htm>, with U.C.C. 2B-104(c) (Mar. 1998 Draft), available at <http://www.law.upenn.edu/library/ulc/ucc2/2b398.htm> ("A statute authorizing electronic or digital signatures in effect on the effective date of this article is not affected by this article, but in the case of a conflict this article controls.") (emphasis added). See also infra text accompanying note .

6. The July draft, which was prepared for the July 1998 meeting of the National Conference of Commissioners on Uniform State Laws, can be found at <http://www.law.upenn.edu/bll/ulc/ucc2b/ucc2bamg.htm>.

7. It should not need to be said, but it also follows from the rapid rate of change in a complex document that arguments in favor of Article 2B based on some form of notice and estoppel ("we discussed this issue two years ago-where were you?") deserve to be treated with derision. Alas, some of Article 2B's more exuberant proponents continue to make such arguments. See, e.g., Memorandum from the Business Software Alliance et al. on Article 2B (July 15, 1988) ("One would expect ALI motions and votes to be circumspect and to give credence to the open forum of NCCUSL and the endless hours of discussion heard and considered by the Article 2B Drafting Committee. But they do not. [One] motion on standard form contracts seeks to overturn the delicate compromise reached by the Drafting Committee after untold hours of debate and consideration of alternative approaches. The motions on choice of law and choice of forum also ignore hours of discussion and compromise, as well as commercial realities and needs. We do not support this type of above-the-fray tinkering, particularly on such fundamental issues."), available at <http://www.2Bguide.com/docs/amemo981.html>.

8. For instance, Article 2B also has innovative features regarding automated contracts formed by electronic agents, some of which are discussed in section II.D.

9. For a fuller explanation of public-private key technology see A. Michael Froomkin, The Essential Role of Trusted Third Parties in Electronic Commerce, 75 OR. L. REV. 49, 50-53 (1996), available at <http://www.law.miami.edu/~froomkin/articles/trusted.htm>.

10. When combined with a digital time stamp the message can also be proved to have been sent at a certain time. See id. at 65-67.

11. Article 2B does not use the term "verify" in the context of electronic contracting. The term is used in the ABA Digital Signature Guidelines and in the Utah Digital Signature Act: "Verify a digital signature" means, in relation to a given digital signature, message, and public key, to determine accurately that: (a) the digital signature was created by the private key corresponding to the public key; and (b) the message has not been altered since its digital signature was created. See DIGITAL SIGNATURE GUIDELINES 1.37 (1996), available at <http://www.abanet.org/scitech/ec/isc/dsgfree.html>; Utah Digital Signature Act 103(37), UTAH CODE ANN. tit. 46, ch. 3 (1995). Instead, Article 2B uses the term "authenticate" which refers to both the act of creating the original digital signature and the act of confirming its authenticity and validity. See U.C.C. 2B-102(a)(3) (Aug. 1, 1998 Draft). Conflating the two significantly different actions into one term creates a real, and avoidable, potential for confusion.

12. Digital signatures achieve this by computing a one-way hash value of the message and then encrypting the hash value with the user's private key. A hash function takes an input string and converts it to a fixed-size, and usually smaller, output string. A one-way hash function adds the property that while it is easy to compute the hash value from the input it is very hard to find other inputs that produce the same hash output. See BRUCE SCHNEIER, APPLIED CRYPTOGRAPHY 28 (2nd ed. 1996). The recipient checks the digital signature by decrypting the hash value with the sender's public key, then comparing the hash value with the independently generated hash value of the file received. If the two numbers are the same, the file is authentic and unchanged. See RSA Laboratories, Answers to Frequently Asked Questions About Today's Cryptography 2.1.6 (visited Nov. 9, 1998) <http://www.rsa.com/rsalabs/newfaq/alg_tech.htm>.
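The hash-then-sign procedure described in note 12, and the separate "create" and "verify" steps distinguished in note 11, as an added example that is not part of the original article. It uses textbook RSA without padding and a toy key constructed from well-known Mersenne primes; the key, the message, and all function names are assumptions made for illustration.

```python
"""Hash-then-sign with textbook RSA (illustration only, no padding)."""
import hashlib

E = 65537  # common public exponent


def make_key(p: int, q: int):
    """Build a (public, private) key pair from two primes.

    The primes used below are constructed for the demo (Mersenne primes);
    a real key uses secret random primes, and real signature schemes add
    a padding step before the private-key operation.
    """
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)


def digest_int(message: bytes) -> int:
    """One-way hash of the message, read as an integer (256 bits)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Create a signature: hash the message, then apply the private key."""
    n, d = private_key
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Verify a signature: apply the public key to the signature and compare
    the result with an independently computed hash of the received message."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == digest_int(message)


# Constructed sample data: two toy key pairs and one message.
ALICE_PUBLIC, ALICE_PRIVATE = make_key(2**127 - 1, 2**521 - 1)
OTHER_PUBLIC, _ = make_key(2**89 - 1, 2**607 - 1)
MESSAGE = b"Alice agrees to license the program to Bob for $100."
SIGNATURE = sign(MESSAGE, ALICE_PRIVATE)


def demo() -> dict:
    """Run the checks a relying party cares about and return the outcomes."""
    tampered = MESSAGE.replace(b"$100", b"$900")
    return {
        # (a) created by the private key matching this public key, and
        # (b) message unaltered since signing
        "authentic": verify(MESSAGE, SIGNATURE, ALICE_PUBLIC),
        # altered message: the independently computed hash no longer matches
        "tampered_message": verify(tampered, SIGNATURE, ALICE_PUBLIC),
        # checked against someone else's public key
        "wrong_public_key": verify(MESSAGE, SIGNATURE, OTHER_PUBLIC),
        # signature value modified in transit
        "altered_signature": verify(MESSAGE, SIGNATURE + 1, ALICE_PUBLIC),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Verification establishes only that the signature matches the public key used; whether that key belongs to the person named is the question the certificates and revocation lists discussed in later notes address.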

13. See SCHNEIER, supra note 12, at 38 (noting that a digital signature using a 160-bit hash number has only a one in 2^160 chance of mistakenly authenticating another document).

14. See Ronald L. Rivest, Can We Eliminate Certificate Revocation Lists?, PROC. OF FINANCIAL CRYPTOGRAPHY 178 (Rafael Hirschfeld ed., 1988) (proposing and advocating a means of dispensing with certificate revocation lists in which the proponent of a digital signature bears the burden of providing a suitably recent and reliable certificate to the relying party), available at <http://theory.lcs.mit.edu/~rivest/revocation.ps>; see also Richard Hornbeck, The Troubling Truth About "Trust" on the Internet, 10 J. ELECTRONIC COMM. 59, 65 (1997) (critiquing CRL model), available at <http://www.primenet.com/~hornbeck/trust.htm>.

15. See VeriSign Home Page (visited Nov. 9, 1998) <http://www.verisign.com>.

16. See ABA Announces Plan to Become Certificate Authority For Financial Services Industry (Mar. 6, 1998) <http://www.aba.com/abatool/showme_rel.html?location=PR_030698ec.htm>; OCC Approves A National Bank to Certify Digital Signatures (Jan. 13, 1998) <http://www.occ.treas.gov/98Rellst.htm>.

17. For a continually updated summary of state legislation see McBride, Baker & Coles, Summary Of Electronic Commerce And Digital Signature Legislation (last modified Oct. 13, 1998) <http://www.mbc.com/ds_sum.html>.

18. See generally Juan Avellan, Digital Signature Links, (last modified June 10, 1997) <http://www.qmw.ac.uk/~tl6345/#Europe> (Summary of activities in European countries, including Germany, Italy and the UK.).

19. See generally Towards A European Framework for Digital Signatures And Encryption, COM(97)503, available at <http://www.ispo.cec.be/eif/policy/97503toc.html>.

20. See generally Draft Uniform Rules on Electronic Commerce, UNCITRAL, 32nd Sess., U.N. Doc. A/CN.9/WG.IV/WP.73 (1998), available at <http://www.un.or.at/uncitral/english/sessions/wg_ec/wp-73.htm>; UNCITRAL Model Law on Electronic Commerce, G.A. Res 51, U.N. GAOR 6th Comm., 85th plen. mtg., U.N. Doc. A/51/628 (1996), available at <http://www.un.or.at/uncitral/english/texts/electcom/ml-ec.htm>.

21. E.g., Japan. See Electronic Commerce Promotion Council of Japan, Certification Authority Guidelines (Alpha Version) (Apr. 7, 1997) <http://www.ecom.or.jp/eng/output/ca/eng-guideline.htm>.

22. See generally DIGITAL SIGNATURE GUIDELINES (1996), available at <http://www.abanet.org/scitech/ec/isc/dsgfree.html>.

23. I belabor this point in Froomkin, supra note .

24. So far as I am aware, there have been none, other than rare cases in which courts addressed whether an electronic "copy" can have the same legal force and effect as a traditional written signature in the absence of a "written original." See, e.g., Allen v. Caldwell, 470 S.E.2d 696, 698 (Ga. App. 1996) (questioning the validity of a "facsimile" that lacks an "original").

25. It is entirely normal, appropriate, and often praiseworthy for the legislature (and others) to seek to enact power-conferring laws. See generally H.L.A. HART, THE CONCEPT OF LAW 27-33 (1961). The issue is the content of the facilities created for individuals to realize their wishes, and the structure of the resulting de facto as well as the de jure structures of rights and duties that will flourish within the coercive framework of the law.

26. Stewart A. Baker, International Developments Affecting Digital Signatures, (Oct. 1997) <http://www.steptoe.com/WebDoc.NSF/Law+&+The+Net+All/International+Developments+Affecting+Digital+Signatures?OpenDocument>.

27. In the case of states such as Utah or Minnesota, which have already amended their original digital signature laws, we may be at version 1.1. The rapidity and frequency with which digital signature laws are likely to be revised underlines the point that we are at an early stage in their development.

28. Several institutions enable continual contacts, including committees of the American Bar Association, the Commissioners on Uniform Laws, the UNCITRAL drafting process, and an excellent electronic mailing list with more than 150 members maintained by Professor Amelia Boss at Temple.

29. For an excellent survey of digital signature issues relating to other sections of the U.C.C., see Jane Kaufman Winn, Open Systems, Free Markets, and Regulation of Internet Commerce, 72 TULANE L. REV. 1177 (1998). Very valuable, more narrowly focused, treatments of various issues relating to digital signatures and online sales or to digital signatures and specific articles of the U.C.C. include C. Bradford Biddle, Legislating Market Winners: Digital Signature Laws and the Electronic Commerce Marketplace, 34 SAN DIEGO L. REV. 1225 (1997); C. Bradford Biddle, Misplaced Priorities: the Utah Digital Signature Act and Liability Allocation in a Public Key Infrastructure, 33 SAN DIEGO L. REV. 1143 (1996); Walter A. Effross, The Legal Architecture of Virtual Stores: World Wide Web Sites and the Uniform Commercial Code, 34 SAN DIEGO L. REV. 1263 (1997); and Jane Kaufman Winn, Couriers Without Luggage: Negotiable Instruments and Digital Signatures, 49 S. CAR. L. REV. 739 (1998).

30. See supra note 14 (noting a potential alternative model of e-commerce).

31. "'Access contract' means a contract to electronically obtain access to, or information in electronic form from, an information processing system. The term does not include a contract for physical access to a place, such as a theater or building." U.C.C. 2B-102(a)(1) (Aug. 1, 1998 Draft).

32. Id. 2B-103(a).

33. See id. 2B-103(b).

34. According to section 2B-103(b)(2), Articles 2 or 2A also apply and Article 2B does not apply "as to subject matter that is excluded [from Article 2B] under Section 2B-104(3)," i.e. to the extent that a transaction:

(3) is a sale or lease of a copy of a computer program as part of a sale or lease of goods that contain the computer program unless:

(A) the goods are merely a copy of the program;

(B) the goods are a computer or computer peripheral; or

(C) giving the purchaser of the goods access to or use of the computer program is a material purpose of the transaction.

Id. 2B-104(3) (emphasis added). This is not very clear. Is the purchase of a computer system, promoted as a word processing package and bundled with word processing software, for the express purpose of writing a book, a transaction in which "giving the purchaser ... access to or use of the computer program" is or is not "a material purpose of the transaction"? If it is, then unraveling the double negative of sections 2B-103(b)(2) and 2B-104(3)(C) suggests that Article 2B applies to the sale of the program and the computer system.

35. Id. 2B-103(b)(3)(A).

36. Id. 2B-103(b)(3)(B).

37. Id. 2B-103, Reporter's Note 5.

38. Id. 2B-103(c)(1).

39. Id. 2B-105(g). Note that this was section 104(c) in the April draft.

40. U.C.C. 2B-104(c) (Mar. 1998 draft) (emphasis added).

41. Article 2B defines "Authenticate" as:

to sign, or otherwise to execute or adopt a symbol or sound, or encrypt or similarly process a record in whole or part, with intent of the authenticating person to:

(A) identify the person;

(B) adopt or accept the terms or a particular term of a record that includes or is logically associated or linked with the authentication or to which a record containing the authentication refers; or

(C) establish the integrity of the information in a record which includes or is logically associated or linked with the authentication or to which a record containing the authentication refers."

U.C.C. 2B-102(a)(3) (Aug. 1, 1998 Draft).

42. See, e.g., UNIFORM ELECTRONIC TRANSACTIONS ACT 102(a)(20) (Mar. 23, 1998 Draft) (defining "signature" as "any symbol, sound, process, or encryption of a record in whole or in part, executed or adopted by a person or the person's electronic agent with intent to: (A) identify that person; (B) adopt or accept a term or a record; or (C) establish the informational integrity of a record or term that contains the signature or to which a record containing the signature refers."), available at <http://www.law.upenn.edu/library/ulc/uecicta/eta398.htm>.

43. UNIFORM ELECTRONIC TRANSACTIONS ACT 102(a)(20) (Sept. 18, 1998 Draft), available at <http://www.law.upenn.edu/library/ulc/uecicta/eta1098.htm>.

44. See infra text accompanying notes -. Compare Guideline 1.4 of the ABA Digital Signature Guidelines, which defines "authentication" as: "A process used to ascertain the identity of a person or the integrity of specific information. For a message, authentication involves ascertaining its source and that it has not been modified or replaced in transit." This definition excludes signing with an intent to be bound. See DIGITAL SIGNATURE GUIDELINES 5.2 (1996), available at <http://www.abanet.org/scitech/ec/isc/dsgfree.html>.

45. For a state-of-the-art CPS see Verisign Certification Practice Statement (May 15, 1997) <https://www.verisign.com/repository/CPS1.2/CPS1.2.pdf>.

46. See generally Froomkin, supra note , at 55-65, 97.

47. For an example of a CRL lookup form see VeriSign, Verify the Status of a Digital ID, (visited Nov. 19, 1998) <http://digitalid.verisign.com/status.htm>.

48. I have argued elsewhere that the second part of this scenario has some limits. If, for example, Bob is paying by credit card, the credit card company fulfills the role of trusted third party and there is little reason for Alice to require Bob to gild the lily with a certificate. Indeed, to the extent that the credit card company functions as an insurer, there is little incentive for Bob to worry about the validity of Alice's public key either, since he bears little or no risk of loss. See generally Froomkin, supra note , at 68. Nevertheless, as the scenario in the text appears to animate most digital signature statutes, it remains worth considering.

49. Indeed, failure to consult a CRL before relying on a certificate in these models likely would be per se negligence. See DIGITAL SIGNATURE GUIDELINES 5.4 (1996), available at <http://www.abanet.org/scitech/ec/isc/dsgfree.html>. A person who negligently uses an attribution procedure that could have been adequate may be estopped from pleading reliance upon the attribution procedure of which the certificate is a part, since only those who act reasonably are entitled to claim this type of reliance. See, e.g., U.C.C. 2B-117(4) (Aug. 1, 1998 Draft) ("If the sender complies with the attribution procedure, but the receiving party does not, and the change or error would have been detected had the receiving party also complied, the sender is not bound by the error or change.").

50. On the other hand, one can also imagine alternate e-commerce models using digital signatures backed by certificates which do not rely on CRLs, perhaps because parties always demand reasonably fresh certificates, and the market responds by having CAs provide a continual stream of newly minted but short-lived certificates. This, more or less, is the model discussed in Rivest, supra note .

51. Froomkin, supra note , at 89-90.

52. For example, in the March 1998 draft, Article 2B defined a mass market transaction as a "consumer transaction ... directed to the general public ... for the same information." U.C.C. 2B-102(a)(31) (Mar. 1998 Draft). The term excluded "a transaction in which the information is or becomes customized or otherwise specially prepared by the licensor for the licensee." Id. at 2B-102(a)(31)(C). If a certificate is not the subject of a mass market transaction, by definition it cannot be covered by a "mass-market license" since a "'[m]ass-market license' means a standard form that is prepared for and used in a mass-market transaction." Id. 2B-102(a)(30). As a result, various consumer protections designed to apply to mass market transactions would not have applied to CAs under the March 1998 formula.

53. U.C.C. 2B-102(a)(32) (Aug. 1, 1998 Draft).

54. "Consumer" is defined at section 2B-102(a)(10).

55. U.C.C. 2B-102(a)(11) (Aug. 1, 1998 Draft).

56. The drafters identify the following as consumer protections in mass market transactions: "The provisions of this Article that provide additional consumer protections include: 2B-107 (choice of law); 2B-118 (electronic error); 2B-208 (limit on mass market license; right to refund); 2B-303 (limit on no-oral modification clause); 2B-304 (limit on modification of continuing contract); 2B-406 (warranty disclaimer); 2B-409 (third-party beneficiary); 2B-609 (perfect tender); 2B-619 (limit on hell and high water clauses); 2B-703 (exclusion of personal injury claim)." Id. 2B-105, Reporter's Note 5.

To what extent each of these matter in the context of a CA is another debate; one place where it matters whether a transaction is mass market or not is the extent to which warranty disclaimers must be conspicuous. See id. 2B-406 (b)(4).

57. Id. 2B-102, Reporter's Note 28.

58. Id.

59. Id.

60. See id. 2B-104(5) (excluding contract for "personal or entertainment services"); see id. Reporter's Note 2.

61. See Froomkin, supra note , at 87-88:

A certificate resembles a professional's opinion in that a certificate ordinarily is the tangible memorial of a process of analysis in which the subject's credentials were checked in some manner. On the other hand, a certificate differs from a professional's opinion in some ways that may be relevant. Any trustworthy CA will be managed by a professional-someone who knows how to run a trustworthy computer system-but it is not inevitable that the actual checking of credentials in all cases will be the sort of activity traditionally undertaken by professionals. If Alice's certificates are founded on checking the subject's passport, it may well be that the person who actually examines Alice's passport and issues her certificate is a clerk who has been trained in passport authentication, not an expert like a surveyor or valuer. There is no policy reason, however, why the classification of a certificate as a good or service should turn on whether the person making the report happens to be a professional.

Id.

62. "VeriSign public keys: VeriSign root public keys, including all PCA public keys, are the property of VeriSign, Inc. VeriSign licenses relying parties to use such keys only in conjunction with trustworthy hardware or software product in which the root public key is distributed with VeriSign's authority." VeriSign CPS, supra note , at 12.13; see also id. at i (describing right to reproduce CPS itself in license terms).

63. See, e.g., U.C.C. 2B-102(a)(1) (Aug. 1, 1998 Draft) (defining "access contract" as "a contract to electronically obtain access to, or information in electronic form from, an information processing system. The term does not include a contract for physical access to a place, such as a theater or building."); see also id. 2B-615 ("Access Contracts"). There are potential conflicts between some of the rules for access contracts, (e.g., section 2B-107(b) on choice of law for access contracts) which provides that even in a consumer transaction "[a]n access contract or a contract providing for electronic delivery of a copy is governed by the law of the jurisdiction in which the licensor is located when the agreement is made" and the general deference to digital signature laws in section 2B-105(g) since some state digital signature laws require that parts of their own law be applied regardless of the physical location of the CA. See, e.g., Washington Electronic Authentication Act, WASH. REV. CODE 19.34.220(3) (1997) (providing that CA must certify to "all those who reasonably rely on the information" that information in certificate and listed as confirmed is accurate, that subscribers accepted certificate; that all information foreseeably material to reliability of the certificate is stated or incorporated by reference in the certificate; and that CA complied with Authentication Act and other applicable laws of the state).

64. U.C.C. 2B-104, Reporter's Note 5 (Aug. 1, 1998 Draft).

65. Id. 2B-104.

66. Id. 2B-103(b)(3)(B). In addition, section 2B-103 (c) states that the parties may agree that all of Article 2B applies so long as this agreement does not alter mandatory consumer protections rules that would otherwise apply, and so long as this agreement does not remove a transaction from either U.C.C. Article 2 or U.C.C. Article 2A when one of those articles would otherwise apply. See id. 2B-103(c).

67. Section 2B-104(5) states that 2B will not apply to the extent that an agreement "is a contract for personal or entertainment services by an individual or group of individuals, other than a contract of an independent contractor to develop, support, modify or maintain software." Interestingly, if somewhat puzzlingly, the Reporter's Note states that this exclusion "does not exclude situations where automation creates a digital replacement for activities previously characterized as personal services." Id. 2B-104, Reporter's Note 6.

68. U.C.C. 2-102 (1996) states that "unless the context otherwise requires, this Article applies to transactions in goods ...."

69. U.C.C. 2B, Preface, p.6 (Aug. 1, 1998 Draft) (quoting ROBERT REICH, THE WORK OF NATIONS 85-86 (1991)) (alterations in original).

70. On the "predominant purpose" test, see JAMES J. WHITE & ROBERT S. SUMMERS, UNIFORM COMMERCIAL CODE 3-4 (4th ed. 1995) ("If a sale of goods is not the 'predominant purpose,' then [the U.C.C. Article] does not apply at all.").

71. See U.C.C. 2B-103, Reporter's Note 5:

Formation Rules. Subsection (b)(3) addresses an effect created by Article 2B contract formation rules and the fact that Article 2B validates electronic commerce practices that may not be effective under common law or under current Article 2 or 2A. The subsection applies Article 2B formation rules to the entire transaction if Article 2B subject matter constitutes the predominant purpose of the transaction itself. This allows maximum scope to the contract formation rules and electronic commerce.

Id.

72. See U.C.C. 2B-103, Reporter's Note 3 (Mar. 1998 draft) ("This Article applies to the extent that the transaction involves subject matter within its scope, but not to the extent that a particular subject matter or aspect of a relationship is excluded or otherwise outside the scope.") The tautological reassurance that what is excluded is excluded, and what is included is included was not comforting and seemed to mean that if the predominant purpose of the transaction is within Article 2B, then the contract formation rules-but not the other parts-of Article 2B applied to the entire transaction. Whatever it meant, we are well rid of it.

73. The situation in states with pre-existing digital signature laws may be even more complex. These statutes are not uniform, and Article 2B does not seek to displace them. See U.C.C. 2B-105(g) (Aug. 1, 1998 Draft). To the extent that some of these statutes may have explicit contract formation terms, beyond defining a "writing," those terms will trump anything in 2B. See id. In the absence of an explicit provision to the contrary, however, Article 2B's terms will presumably control, including the treatment of mixed transactions described in this section.

74. See id. 2B-103(b)(3)(B).

75. Id. 2B-615.

76. The word "or" at the end of section 2B-615(b)(2) suggests that one should read an "or" into the end of section 2B-615(b)(1) and that therefore each of the three circumstances listed in section 2B-615(b) is an independent defense against claims for breach of contract.

77. The Free On-Line Dictionary of Computing defines the "blue screen of death" as "[t]he infamous white-on-blue text screen which appears when Microsoft Windows crashes. BSOD is mostly seen on the 16-bit systems such as Windows 3.1, but also on Windows 95 and ... Windows NT 4." Free On-Line Dictionary of Computing, Blue Screen of Death (Sept. 9, 1998) <http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?blue+screen+of+death>.

78. Id. 2B-105(d), Reporter's Note 6.

79. See infra text accompanying notes -.

80. See, e.g., U.C.C. 2B-116, Reporter's Note 2 (Aug. 1, 1998 Draft).

81. See UNCITRAL Model Law, supra note , at art. 1, n.** ("This Law does not override any rule of law intended for the protection of consumers.").

82. U.C.C. 2B-105(e)(1) (Aug. 1, 1998 Draft).

83. Id. 2B-102(a)(39).

84. See id. 2B-113 ("A record or authentication may not be denied legal effect, solely on the ground that it is in electronic form.").

85. UNIFORM ELECTRONIC TRANSACTIONS ACT 301 (Sept. 18, 1998 Draft), available at <http://www.law.upenn.edu/library/ulc/uecicta/eta1098.htm>.

86. Clickwrap licenses are "textual windows of non-negotiable, take-it-or-leave-it contract terms that prompt a user to 'click' assent [on a web form or program button] before allowing installation of a program or access to a website." Keith Aoki, The Stakes of Intellectual Property Law (visited Nov. 22, 1998) <http://www.law.uoregon.edu/~kaoki/AOKI.html>.

87. U.C.C. 2B-105(e)(2) (Aug. 1, 1998 Draft).

88. Id. 2B-102(a)(3).

89. Cf. U.C.C. 2B-119(c) ("Unless the circumstances indicate otherwise, authentication is deemed to have been done with the intent to establish the person's identity, its adoption or acceptance of the record or term, its acceptance of the contract, and the integrity of the records or terms as of the time of the authentication.") (emphasis added).

90. See, e.g., Letter from Donald A. Cohn & Mary Jo Howard Divley to Carlyle C. Ring (Oct. 12, 1998) <http://www.2Bguide.com/docs/cdm1098.html> ("What does it take for me to manifest assent to a license under the proposed draft? First, I must be acting either with knowledge or after having had an opportunity to review the record or term. (Under Section 112, if I don't have the opportunity to see the record before I pay for the product, I must be given the unconditional right to return it if, after I do see the record, I don't accept any part of it, even if the product is fine.) If I use conduct, I must intend that conduct and I must know or have reason to know that the other party may infer from my conduct that I assented to the record or term. ... Just because we are dealing with certain new subject matter does not mean that all courts will suddenly lose their reason.")

91. U.C.C. 2B-105(e)(4) (Aug. 1, 1998 Draft).

92. For example, section 2B-111 of the August 1998 draft is heavily annotated with editorial cautions that the text has yet to be reviewed by the Drafting Committee. Similarly, the current UETA draft has bracketed section 107 on manifestation of assent, although it is clear that UETA intends to draw a sharp distinction between authentications and contractual commitments. See UNIFORM ELECTRONIC TRANSACTIONS ACT 107 (Sept. 18, 1998 Draft), available at <http://www.law.upenn.edu/library/ulc/uecicta/eta1098.htm> and accompanying notes.

93. Opportunity to review is defined in section 2B-112. The critical part of the definition reads:

(a) A person or electronic agent has an opportunity to review a record or term only if the record or term is made available in a manner that:

(1) in the case of a person, ought to call it to the attention of a reasonable person and permit review; or

(2) in the case of an electronic agent, would enable a reasonably configured electronic agent to react to the record or term.

U.C.C. 2B-112 (Aug. 1, 1998 Draft).

The Draft UETA section 108 contains similar language, but the section is bracketed for further discussion. See UNIFORM ELECTRONIC TRANSACTIONS ACT 108 (Sept. 18, 1998 Draft), available at <http://www.law.upenn.edu/library/ulc/uecicta/eta1098.htm>.

94. U.C.C. 2B-112(a) (Aug. 1, 1998 Draft).

95. Id. 2B-102(a)(9).

96. Id. 2B-102(a)(9).

97. Reporter's Note 4 to section 2B-110 ("Bizarre and oppressive terms") states that "[u]nconscionability doctrine allows courts to monitor and limit application of [common law principles] in a way that avoids binding the assenting party to unknown terms that are bizarre and unfairly oppressive." Id. 2B-110, Reporter's Note 4. This seems to suggest that unconscionability might be invoked to correct gross defects in the process of contract formation, as well as to correct grossly unfair contract terms, if electronic agents run wild. I find this to be a very intriguing idea-but one that is absent from the text of section 2B-110.

98. Id. 2B-105, Reporter's Note 6. No examples are offered-probably because there are none. See infra note .

99. Other than stating the circumstances in which an electronic message may satisfy a writing requirement, most of the state digital signature statutes to date, including the influential Illinois statute, are silent on the subject of consumer protection. When they do address the issue, they add, not subtract, protections for consumers. For example, the Washington Electronic Authentication Act makes it clear that while agreements between a CA and a subscriber may vary many of the provisions of the Authentication Act itself, "Nothing in this chapter shall be construed to eliminate, modify, or condition any other requirements for a contract to be valid, enforceable, and effective." WASH. REV. CODE 19.34.320(2)(b) (1997). Additional consumer protections include forbidding a CA from disclaiming or limiting warranties that a certificate has no known false information, and that the certificate satisfies all material requirements of the statute. A CA is also required to give a warranty that it has not exceeded limits of its license (e.g., the reliance limits). Id. 19.34.220(1).

100. U.C.C. 2B-102(a)(36) (Aug. 1, 1998 Draft).

101. Id.

102. See Froomkin, supra note .

103. See U.C.C. 2B-404(b)(2) (Aug. 1, 1998 Draft).

104. See id. 2B-404 to 2B-406.

105. Id. 2B-102(a)(4).

106. "'Electronic agent' means a computer program or other automated means used by a person to independently initiate or respond to electronic messages or performances on behalf of that person without review by an individual." Id. 2B-102(a)(19).

107. Id. 2B-102(a)(9) (emphasis added).

108. See id. 2B-204(3) ("The terms of a contract formed under paragraph (2) are determined under Section 2B-207 or 2B-208 [relating to mass-market contracts], as applicable, but do not include terms provided by the individual in a manner to which the electronic agent could not react.").

109. Cf. Paul Phillips, Why Mozilla Matters (visited Nov. 9, 1998) <http://www.mozilla.org/why-mozilla-matters.html>.

110. U.C.C. 2B-119(a) (Aug. 1, 1998 Draft).

111. See also id. 2B-110, Reporter's Note 4:

In some cases, however, automation may produce unexpected results because of errors in program, problems in communication, technological 'bugs', or other unforeseen circumstances. When this occurs, common law concepts of mistake apply, as do the provisions of Section 2B-118 ["electronic error"-see infra note and accompanying text]. In addition, unconscionability doctrine may be used to prevent oppressive results caused by the breakdown in the contracting process. While automated transactions are a new setting for this doctrine, the safeguards it supplies are important for this type of commerce.

Id. 2B-110.

112. Id. 2B-116(a).

113. Id. 2B-116(c). Other requirements, satisfied in the hypothetical in the text, are that:

(2) the other party reasonably relied on the belief that the person was the source of an electronic authentication, message, record, or performance,

(3) the reliance resulted from acts of a third person that obtained access numbers, codes, computer programs, or the like from a source under the control of the person rebutting the presumption; and

(4) the use of the access numbers, codes, computer programs, or the like created the appearance that it came from the person rebutting the presumption.

Id. 2B-116(c).

114. The Reporter's Note to section 2B-118 offers two illustrations:

Illustration 1: Consumer intends to order ten copies of a video game from Jones. In fact, the information processing system records 110. The electronic agent maintaining Jones' site disburses 110 copies. The next morning, Consumer notices the mistake. He sends an E-Mail to Jones describing the problem, offering to immediately return or destroy copies; he does not use the games. Under this section, performing on these offers means that there is no presumption that the contract was for 110 copies. If it desires to enforce the apparent contract, Jones must prove that there was no error.

Illustration 2: Same facts, except that Jones' system before shipping sends a confirmation, asking Consumer to confirm that it ordered 110 games. Consumer confirms 110 copies. This section no longer applies. If Consumer sees the confirmation request and does not respond, the section also does not apply. In either case, the system reasonably allowed for correction of the error.

Id. 2B-118, Reporter's Note.

115. See id. 2B-120 ("an electronic message is effective when received even if no individual is aware of its receipt. If an offer in an electronic message initiated by a person or an electronic agent evokes an electronic message in response, a contract is formed: (1) when an acceptance is received ...").

116. Id. 2B-118.

117. For a summary of the issues see C. Bradford Biddle, Misplaced Priorities: The Utah Digital Signature Act and Liability Allocation in a Public Key Infrastructure, 33 SAN DIEGO L. REV. 1143 (1996).

118. Recall that, under U.C.C. 2B-116, "an electronic authentication, message, record, or performance is attributed to a person if ... (2) the receiving person, in accordance with a commercially reasonable attribution procedure for identifying a person, reasonably concluded that it was the action of the other person."

119. See 15 U.S.C. 1643(a)(1)(B); 12 C.F.R. 205.6 (1995) (limiting liability to $50 for most unauthorized electronic funds transfers).

120. For what it's worth, I believe I originated this now-widespread meme in 1995, in my participation on the ABA Digital Signature Guidelines drafting process.

121. Recall that section 2B-105(g) grandfathers digital signature statutes.

122. The Recording Industry Association of America, the National Association of Broadcasters, the National Cable Television Association, the Newspaper Association of America, the Magazine Publishers of America, and the Motion Picture Association of America have each expressed opposition to Article 2B or asked that their industry be excluded from it. See, e.g., Letter from Cary H. Sherman, Senior Executive Vice President and General Counsel, Recording Industry Association of America to National Conference of Commissioners on Uniform State Laws (Oct. 9, 1998) (expressing opposition and noting similar views of other trade associations), available at <http://www.2Bguide.com/docs/riaa1098.html>. See also infra note 128 (noting suggestion by Director of ALI and other influential lawyers that scope of Article 2B should be limited).

123. The current draft's language is in flux, but reads "[a]n electronic record is attributable to a person if ... [an] other person, in good faith and acting in compliance conformity with a commercially reasonable security procedure for identifying the person to which the electronic record is sought to be attributed, reasonably concluded that it was the act of the other person, a person authorized by it, or the person's electronic agent." UNIFORM ELECTRONIC TRANSACTIONS ACT 202 (Sept. 18, 1998 Draft), available at <http://www.law.upenn.edu/library/ulc/uecicta/eta1098.htm>. Even when a record created by Alice is "attributable" to Bob, it has only "the effect provided for by the agreement regarding the security procedure." Id.

124. U.C.C. 2B-104, Reporter's Note 1 (Aug. 1, 1998 Draft).

125. See Yannis Bakos & Erik Brynjolfsson, Aggregation and Disaggregation of Information Goods: Implications of Bundling, Site Licensing and Micropayment (visited Oct. 24, 1998) <http://www.stern.nyu.edu/~bakos/aig.pdf>.

126. Letter from Terrence Maher to Editor, San Francisco Chronicle (June 17, 1998), available at <http://www.2Bguide.com/docs/tmaherrre.html> (visited Nov. 23, 1998).

127. U.C.C. Art. 2B, Default Rules (quoting Grant Gilmore, On the Difficulties of Codifying Commercial Law, 57 YALE L.J. 1341 (1957)).

128. On October 7, the Director of the ALI joined in a letter requesting substantial changes to Article 2B, including narrowing the scope to apply only to information subject to "informational right" as defined in section 102(a)(27) and the removal of all sections relating to contract formation by electronic means. See Memorandum from Geoffrey C. Hazard, Jr. et al. on July 1998 Draft Suggested Changes to Article 2B Drafting Committee (Oct. 7, 1998) available at <http://www.2Bguide.com/docs/gch1098.pdf> (visited Nov. 23, 1998). This is a very encouraging development.