Companies change their Terms of Service to limit their liability against hacks

Patrick Lambert points out the changes to Terms of Service that big companies like Sony enacted after its hacking fiasco to limit their liability.

At the end of the year, I think it's likely that the hacks against Sony's networks from this past Spring will turn out to be one of the most significant events in IT security this year. The breadth of these hacks, and their consequences for both the company and its users, were severe: the PlayStation Network (PSN) was down for over a month, and other online systems were affected as well. Confidence in Sony's professionalism went down, and users became very unhappy.

Right away, some of the more obvious consequences were seen plainly. The most pressing issue was to determine who was behind it, and that caused a lot of drama around the web. Then there were compensations paid by Sony for over 100 million accounts that had been affected. But lately, another consequence resulted directly from those hacks, and was much less publicized.

A few weeks ago, Sony updated its Terms of Service for all users of Sony's PSN in the US, Canada, and other parts of the world. For now, Europe and Australia aren't affected. This text was added:

"Any Dispute Resolution Proceedings, whether in arbitration or court, will be conducted only on an individual basis and not in a class or representative action or as a named or unnamed member in a class, consolidated, representative or private attorney general action."

Sony is basically forcing all its users to agree not to sue them in a class action suit, or participate in one. Instead, if they get hacked again, and you feel they were criminally negligent with your credit card information or other personal data, you will have to go to court yourself, with no other support. You'll have to rely on arbitration with Sony, or pay for court fees yourself if you can't come to an agreement with the company.

Of course most users won't scroll down to read that, and will instead click on the Accept button. Even those who do know about it will probably whine but make do, since the only alternative is to close your Sony account and sell your PlayStation products. However, is it legal? Apparently it is, as Sony has been quick to point out to CNN. In a recent ruling in an AT&T case, the Supreme Court said that such language was acceptable.

The only silver lining they gave users was to also add this part, which lets you keep the right to sue them, but only if you formally request it in writing:

"If you do not wish to be bound by the binding arbitration and class action waiver in this section 15, you must notify SNEI in writing within 30 days of the date that you accept this agreement. Your written notification must be mailed to 6080 Center Drive, 10th Floor, Los Angeles, CA 90045, ATTN: legal department/arbitration"

But it doesn't end there. While Sony caught some flak for doing this, they held strong, and other companies were paying attention. Electronic Arts just recently made a change to the Terms of Service of its own online services, which looks strangely similar:

"By accepting these terms, you and EA expressly waive the right to a trial by jury or to participate in a class action."

These terms also apply to Origin, the new online distribution service from EA, and in this case users have much to lose, like their payment information, should some kind of hack occur. Note however that in this case, users in Quebec, Russia, Switzerland, or Member States of the European Union are excluded from the new terms.

With this becoming a common part of the terms for online services, and such big companies using them, it's only a matter of time before this is standard practice in any company's online system. It takes a lot of power away from the user, because everyone knows that suing a large company is not realistic in most cases, unless you have access to a room filled with lawyers. This is why class action suits exist.

Thinking about the future, it's easy to see how companies no longer think of security as strictly a computer thing, something left to the IT crew that management doesn't care much about. Now, hacks can cost money, and so the executives are no longer content with leaving such an important issue to the network gurus. It's going to be a multi-faceted approach. Securing the networks for many of them is only a means to an end. The end is making money, or in this case, making sure they don't lose any.

As the world watched Sony's reputation go down, and its costs go up, while it dealt with the multiple hacks that were done against its networks, the company quickly realized it was vulnerable. And the solution they found was both brilliant and terrifying. Regardless of how unhappy your customers get, make sure that whatever they do, it can't affect your bottom line.

About

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

8 comments
tom.marsh

If enough companies do this, we'll simply end up with a European-style privacy law that negates these sorts of agreements and imposes criminal penalties on criminally negligent companies that fail to protect their customers' data. ...And honestly, given how greedy, short-sighted, and downright stupid many American for-profits appear to be acting in regards to personal information (i.e. "We put a piece of cellophane tape over the keyhole, preventing any and all attempts to pick the lock") this would probably turn out to be a net "good thing."

hforman

If you spend a lot of time reading the Terms of Service for online services, there is very little privacy now. For a while, both Google and Dropbox said that anything you upload to them would be owned by them. Not very good if you are writing a book. The "ownership" statements don't seem to be there now. Even so, Dropbox has employees who can see your data and they will give your data to anyone with a subpoena. Google TOS section 11 (especially) says that they can do whatever they want with your data including modifying it. None of them guarantee any privacy.

Neon Samurai

Anyone I've spoken to who works with these sorts of contract clauses has always also acknowledged that they really are not enforceable against a lawyer. Step one, invalidate the clause; step two, proceed with the case against the negligent company. (Someone with more legal background could probably correct or confirm.) Though, one thing I thought of.. what if all the individuals who have information leaked in Sony's next negligent implementation file separate legal actions? Twenty million funded lawyers taking on Sony's single legal department and budget; seems like it may actually tip the financial advantage away from Sony (or applicable corporation). (edit): I meant to add that the madness of the US patent system does not give me much hope that the US legal system would realize the potential for abuse and negate "no litigation" clauses. (e.g. Samsung just caved to Microsoft's protection racketeering. That's right, MS now gets paid the price of a Win7 Phone license for each Samsung Android device though MS put absolutely no resources into the development of Android. Where do I get paid for work I had absolutely nothing to do with?)

bikingbill

Users are entitled to expect different levels of privacy, depending on the data being stored. Blog entries are presumably intended for public consumption, e-mails are generally private but perhaps not too personal, and bank details should be very secure. The problem with most Terms of Service that I have seen is that they don't differentiate between the various levels of data. In the UK we have an "Unfair Contract Terms Act" which is intended to protect the consumer against the type of change that Sony has made in the US. Of course, we still need a lawyer to prove that the terms are unfair so it's not all good over here!

wizard57m-cnet

The majority of the large OEMs manufacturing Android devices pay a royalty to MS. There is supposedly a smattering of IP that belongs to Microsoft somewhere in the stack. If true, then the OEMs should pay to use the IP. Oh, for what it's worth, Microsoft has contributed more than most other software vendors to open source. I don't know about Android...but when you look at the amount of code Google has sent back to the Linux community from whence they made Android, MS looks downright philanthropic. As for the Sony TOS fiasco, I read about that last week and thought to myself "Why would anyone sign away their right to litigate in case of an act of negligence?" Then again, many people take ill-advised actions in regards to lots of so-called "free" services.

tom.marsh

In fact there is a rather large number of astroturf groups sponsored by the Fortune 500 campaigning to lock the courthouse doors to consumers, and only allow big corporations the protection of civil court.

Neon Samurai

If the patents are truly valid and non-obvious to a person knowledgeable in the discipline (i.e. a software developer) then sure, Microsoft should be paid by those who choose to license the patents. The problem here is that Microsoft is not going after the manufacturer of Android. Microsoft is not detailing the infringed patents. Instead, Microsoft is running a protection racket protected with NDAs so no one can actually know what the infringements are or develop innovative alternative solutions (what the patent system was supposed to achieve). Microsoft is very clearly playing a legal game of building up case law to support claims that cannot be supported openly on their own merits. "Everybody else in the neighbourhood pays us to keep them safe.. are you sure you can afford not to?" They are building up towards litigation on precedent rather than litigation based on facts and justice. If it was really about infringed patents, Microsoft would be approaching Google (Android) and kernel.org (Linux) to resolve the infringements through licensing or alternative solutions.

"Oh, for what it's worth, Microsoft has contributed more than most other software vendors to open source." Uh-huh.. Microsoft has contributed a lot of code under its own open source licenses. I'd be very interested to see stats on how much they've officially contributed to non-Microsoft OSS licensed projects though.

"I don't know about Android...but when you look at the amount of code Google has sent back to the Linux community from whence they made Android, MS looks downright philanthropic." And that's not at all being questioned. Yes, I've said many times that Google contributes a lot of code back to many OSS produced programs and probably has a healthy presence within the Linux kernel contributors as well. The focus of this discussion was Android's kernel specifically though and that, by all accounts so far, is a very one-sided relationship.

Yeah, in terms of Sony the answer to your question seems clear to me; "I wantz haz my games now please!" and whatever checkboxes or [OK] buttons they need to press without reading will get checked/pressed. I think more people would truly shiver if they read user agreements and considered what they were agreeing to. Business can be thankful that we have an instant gratification culture that celebrates mediocrity and willful ignorance though.