The Personal and Social Implications of the End User License Agreement
As in-house counsel, I often read and write online licensing agreements for software. These agreements go by a variety of names, such as Terms of Service (ToS) or End User License Agreements (EULAs). These are the agreements you scroll through (without actually reading) and then click the “I Agree” box, thus legally binding yourself to something you didn’t take the time to read or understand in order to get something you want quickly.
Not Your Fault
Don’t feel bad about not reading EULAs. It would take a significant amount of time to read every one of the agreements you encounter. Also, many of them would require you to go to law school to understand them! And even if you didn’t like the terms of an agreement, your only options would be to try to negotiate better terms (best of luck with that!) or not use the software or service. Besides which, if you’re getting the software or service for free, you may ask, “Who cares?” You should! Even if the transaction doesn’t involve money, it isn’t actually free. You may not be giving up your money, but you are giving up your legal rights.
You may not care about some of those rights, as they often may not impact you too seriously. But one serious development I do see coming up more often is when a company reserves the right to change the agreement at any time by posting new terms on its website. If you continue to use that company’s software, then you automatically agree to the new terms. This means that it’s possible that a free app you downloaded one day wouldn’t be free the next day—and you wouldn’t know it unless you compulsively checked the website to read what you didn’t read the first time.
Sometimes You Can Win in Court – But You do Have to Go to Court
It’s not all bad in EULA land. In some instances, the court will have your back. Because EULAs are non-negotiable form agreements, they’re considered “adhesion contracts.” Generally, courts won’t allow the dominant party (the one that wrote the adhesion contract) to enforce an adhesion contract term if the court considers it “unconscionable”— that is, generally, and as a simplification, if the contract term is unfair to the weaker party. But that also means you have to sue and spend time paying for your case.
So Who is Going to Change the EULA?
Although there may be little incentive for lawyers to change EULAs on their own, there are incentives for the lawyer’s clients. Companies invest a lot in their customer experience. EULAs are clearly not part of that investment, but they should be—after all, the EULA is where the software or service is purchased. Companies are in a position to challenge their legal counsel to draft EULAs that work to enhance the customer experience. Outside of a sea change in the law, this may be the only way EULAs will change.
At Kyrio, I work hard to make our agreements as simple as possible. I have also launched my own initiative with lawyers and designers to develop contracts that are written in standard English. Subscribe to our blog to learn more in the future.
Do We Have Privacy Wrong?
Technology sparks changes in society, which brings changes in law, which can affect technology use and innovation. Privacy law in U.S. law provides a good demonstration of this technology, society, and law cycle. Recognition of a need for a right to privacy didn’t occur until December 15, 1890, when Samuel Warren and Louis Brandeis published “The Right to Privacy" in the Harvard Law Review. Warren and Brandeis felt a need to develop this new right because of the prevalence of a new technology: inexpensive cameras. Cameras, particularly in the hands of the press, allowed for “unauthorized circulation of portraits of private persons.” We now have laws that regulate how and where cameras are used.
Financial vs. Mental
The Internet has given rise to a new collection of privacy concerns that we have yet to resolve. The difficulty in resolving the non–4th Amendment (government intrusion) privacy issues that arise with technology may not be because of what the technology creates but how we view privacy. Current legal solutions—such as the California Consumer Privacy Act of 2018 (effective January 1, 2020), which in itself is based in part on the European General Data Protection Regulation which went into effect May 25, 2018,—focus on controlling data. This approach lumps together the financial harm that arises from identity theft with the mental harm that arises from privacy intrusion.
Confusing these two types of harm adds to the confusion that technology innovators may face regarding what data should be considered private. This, in turn, can negatively impact technical innovation as new innovations may create new types of data with uncertain legal implications. This negative impact could be lessened if intrusion-of-privacy concerns were decoupled from identity-theft concerns. That is, privacy should be less about data collection, storage and use and more about the tort of privacy intrusion. This is not to say that data protection isn’t important—particularly with regard to the financial impacts of identity theft—but rather that regulating data to limit privacy intrusion harm is akin to regulating how high someone can raise their arm while trying to protect against assault. (Assault, in a legal sense, is intentionally acting to cause the reasonable apprehension of an immediate harmful or offensive contact. This is different from battery, which is the harmful or offensive contact itself.)
A problem with regulating data as a means to protect against privacy intrusion is that it’s not always apparent that the data technology raises privacy implications. It isn’t likely that George Eastman considered the social impact of the Kodak camera’s ability to easily create and allow the sharing of a stranger’s image (“could he? should he?”). The many creators of the Internet couldn’t have reasonably foreseen what others might learn about us based on the apparently insignificant details of our Internet use scattered across the web, such as our IP address, websites visited, web pages visited, length of time spent on each web page, geographic location, what we post, and purchasing history—let alone the information we provide when we fill out forms.
Privacy Intrusion as Assault
Although the data you make available about yourself on the internet may not be apparent, what is apparent is what a privacy intrusion feels like to you. You feel vulnerable. To be vulnerable is to feel apprehension to mental harm, much as assault is the apprehension of physical harm.
Treating privacy intrusion like assault allows for the mental harm of privacy intrusion to be separated from the financial harm arising from identity theft. Separating these two types of harm results in more than just redress for the victims. It also allows the innovator to consider separately the identity theft and privacy intrusions that may arise in the implementation of the innovation rather than have to consider the legal implications in having identity theft and privacy intrusion lumped together. For example, online camera applications tend to have more privacy-intrusion risks whereas online payment applications tend to have more identity-theft risks. Clarity in the law helps the innovator identify the legal risks.
The cycle of technology impacting society, causing changes in the law, which then regulates technology is spinning faster than ever as a culture that favors innovation and disruption creates more technology faster than ever before. The right to privacy—one of the early U.S. legal creations to come from a new technology—is receiving a renewed focus. An intrusion of privacy, however, isn’t the same thing as identity theft. Lumping them together in the law helps neither the victim nor the innovator.
At CableLabs and Kyrio, we think about the social and legal impacts of innovation. We also create and bring to market technologies that enhance protections against identity theft and privacy intrusion.
Subscribe to our blog to learn more about law and innovation in the future.
Should Artificial Intelligence Practice Law?
As in many other professions, artificial intelligence (AI) has been making inroads into the legal profession. A service called Donotpay uses AI to defeat parking tickets and arrange flight refunds. Morgan Stanley reduced its legal staff and now uses AI to perform 360,000 hours of contract review in seconds and a number of legal services can conduct legal research (e.g., Ross Intelligence), perform contract analysis (e.g., Kira Systems, LawGeex, and help develop legal arguments in litigation (e.g., Case Text).
Many of these legal AI companies are just a few years old; clearly, there are more AI legal services to come. Current laws allow only humans that passed a bar exam to practice law. But if non-humans could practice law, should we have AI lawyers? The answer may depend on how we want our legal analysis performed.
Today, when people talk about AI, they often refer to machine learning. Machine learning has been around for many years, but because it is computationally intensive, it has not been widely adopted until more recently. In years past, if you wanted a computer to perform an operation, you had to write the code that told the computer what to do step-by-step. If you wanted a computer to identify cat pictures, you had to code into the computer the visual elements that make up a cat, and the computer would match what it “saw” with those visual elements to identify a cat.
With machine learning, you provide the computer with a model that can learn what a cat looks like and then let the computer review millions of cat (and non-cat) pictures, stimulating the model when it correctly discerns a cat, and correcting it when it doesn’t properly identify a cat. Note that we have no idea how the computer structured the data it used in identifying a cat—just the results of the identification. The upshot is that the computer develops a probabilistic model of what a cat looks like, such as “if it has pointy ears, is furry, and has eyes that can penetrate your soul, there is a 95 percent chance that it is a cat.” And there is room for error. I’ve known people who fit that cat description. We all have.
If a lawyer applies legal reasoning to identifying cat pictures, that lawyer will become well versed in the legal requirements as to what pictorial elements (when taken together) make up a cat picture. The lawyer will then look at a proposed cat picture and review each of the elements in the picture as it relates to each of the legally cited elements that make up a cat and come up with a statement like, “Because the picture shows an entity with pointy ears, fur, and soul-penetrating eyes, this leads to the conclusion that this is a picture of a cat.”
In machine learning, the room for error does not lie in the probability of the correctness of the legally cited cat elements to the proposed cat picture. The room for error is in the lawyer’s interpretation of the cat elements as they relate to the proposed cat picture. This is because the lawyer is using a causal analysis to come to his or her conclusion—unlike AI, which uses probability. Law is causal. To win in a personal injury or contracts case, the plaintiff needs to show that a breach of duty or contractual performance caused damages.
For criminal cases, the prosecutor needs to demonstrate that a person with a certain mental intent took physical actions that caused a violation of law. Probability appears in the law only when it comes to picking the winner in a court case. In civil cases, the plaintiff wins with “a preponderance of the evidence” (51 percent or better). If it is a criminal case, the prosecution wins if the judge or jury is convinced “beyond a reasonable doubt” (roughly 98 percent or better). Unlike in machine learning, probability is used to determine the success of the causal reasoning, and is not used in place of causal reasoning.
Lawyer or Machine?
Whether a trial hinges on a causal or probabilistic analysis may seem like a philosophical exercise devoid of any practical impact. It’s not. A causal analysis looks at causation. A probabilistic analysis looks at correlation. Correlation does not equal causation. For example, just because there is a strong correlation between an increase in ice cream sales and an increase in murders doesn’t mean you should start cleaning out your freezer.
I don’t think we want legal analysis to change from causation to correlation, so until machine learning can manage a true causal analysis, I don’t think we want AI acting like lawyers. However, AI is still good at a lot of other things at Kyrio and CableLabs. Subscribe to our blog to learn more about what we are working on in the field of AI at CableLabs and Kyrio.
How Will the Law Treat Injuries Caused by Autonomous Vehicles?
A version of this article appeared in S&P Global Market Intelligence in April 2018.
Recently, in Arizona, a self-driving Uber vehicle with a minder onboard struck and killed a cyclist. The deadly accident has raised familiar—and serious—philosophical and legal questions surrounding the rise of autonomous vehicles.
There’s an important philosophical debate already being waged over self-driving cars and safety in the wake of this tragedy, but the fact that I’d have to look up the meanings of “deontological” and “teleological” disqualifies me for that discussion. However, I am a practicing lawyer, and although I don’t practice personal injury law, I do have sufficient bona fides to opine on tort law and autonomous vehicles.
Culpability in the Arizona crash will be legally decided in accordance with the principles of tort law. A tort is, simply, a civil wrong - that is a wrongful act causing harm to a member of society. This is not to be confused with a criminal act, which requires a mental state and action that causes a violation of a criminal law. Torts require four elements, and all four elements must be met, or you don’t have a case:
- A civic duty
- A breach of that civic duty
- The breach of the civic duty led directly to a harm
- The harm resulted in damages
Using the framework of tort law, in the event that an autonomous vehicle causes an accident, it is the first two elements of a tort—there was a duty, and that duty was breached—that are significant. In this case, there may be several legal duties.
Uber and Autonomous Vehicle
One legal duty could be found with Uber or the car manufacturer (by “manufacturer,” I mean the designer, software provider, and everyone else in the supply chain). Uber and the manufacturer have a legal duty to not design or manufacture a defective product. The question here is whether the Uber self-driving car involved in the accident was defectively designed or manufactured, and whether it was Uber or the car manufacturer that put a defective vehicle on the road.
What makes a self-driving car defective? Answers to that question will be based on the “standard of care.” Reviewing the standard of care means understanding what a reasonable car manufacturer and self-driving car modifier would do for safety. Lawyers will review what other self-driving car companies, such as Waymo, have done with regard to numbers and types of sensors, as well as bring in self-driving car experts. More standard questions as to the effectiveness of the car’s brakes may also come into play.
There are also legal duty questions about the Uber employee who was in the vehicle and who was allegedly not looking at the road at the time of the accident. I would assume the minder was in the car to help prevent accidents. If that’s the case, she probably had a legal duty. However, what if she had been in the car for a sufficient amount of time to reasonably become fatigued and had no way of pulling over? Driving long hours is hard enough. Being a passenger—not controlling the car but needing to keep a sharp eye on a road—seems like a monotonous job.
If Uber had the minder in the car too long to be effective, that may be a design defect. On the other hand, if the employee could have pulled the car over to rest, then she may have breached her duty. Going one step further, does Uber or the car manufacturer have a duty to put in a sensor that would detect when the minder became fatigued and instruct the car to automatically pull over?
The fault is not all on the car manufacturer and Uber. The woman who was killed was crossing a well-trafficked road at night pushing a bicycle. Did she breach a legal duty? If so, and if the court finds that the car manufacturer or Uber breached its legal duty, then it is a case of comparative negligence and the court may reduce the car manufacturer’s or Uber’s damages in accordance with the amount of negligence of the woman who was killed.
Arizona is a comparative negligence state, which means someone can recover damages under tort even if he or she were 99 percent at fault (compared with Maryland, which is a contributory negligence state, where the plaintiff gets nothing even if he or she is 1 percent at fault). Under Arizona law, however, there won’t be any recovery if the deceased intentionally caused the accident—so that raises the question of intent.
More to Come
While the Uber case reached an undisclosed settlement it would be overly optimistic to think that this accident will be the last accident involving a self-driving car. While it’s too early to tell how these self-driving car cases will play out in the courts, this is one area of the law that may not need to struggle to keep up with changes in technology (such as privacy law). Traditional tort law provides a legal framework for deciding fault and damages for self-driving cars.
The crossroads of law, technology and society is an interesting place to be. This article is the first part of our legal series by our legal experts at CableLabs examining the impact of new technologies on law and how we live. Make sure to subscribe to our blog to stay current on our legal series.
Yes, I am an attorney, but I’m not your attorney and this article does not create an attorney-client relationship. I am licensed to practice law in Colorado and have based the information presented on US laws. This article is legal information and should not be seen as legal advice. You should consult with an attorney before you rely on this information.