You agree to online contracts all the time

You sign online contracts every time you browse the Web, install some application or do just about anything on your devices. This is how it works.

How many online contracts did you agree to, today? Everything in this day and age is done online – whether it is shopping, browsing Wikipedia, sharing your thoughts on twitter or posting pictures on Facebook. In fact it has become so prevalent that people of absolutely all ages are occupied almost throughout the entire day with updates on their phones, tablets, laptops and PC’s. We are always connected and with that comes its own quagmire of “what am I actually agreeing to?”.

How you agree to so many online contracts

During your online shopping spree or when uploading a picture of yourself and your beloved feline companion, you have almost certainly come across an “I agree” button. Whether it is agreeing to provide a website with your location and/or email address (for location accuracy purposes) or whether you are agreeing that you are actually entitled to upload the picture, you are agreeing to “something”. That “something” is typically an online contract.

And, instead of fully understanding what we are agreeing to, we have simply become a species of “yes people”, only to happen to click the “I agree” button just to get your music download or complete your purchase. But what does that actually mean? By clicking on that ever increasingly intimidating “I Agree” button, we as online users may be binding ourselves to legally enforceable contracts with the online service provider. And I don’t know about you, but that really scares me.

But did we, as online users, actually “agree” to anything, really? As with any legal agreement, both sides, including the user, must agree to the online contract in the form of the terms and conditions being offered by the relevant online service you are currently using, whether it is Facebook or eBay, in order to create a legally enforceable “agreement”.

Understanding the difference between click-wrap agreements v.s browse-wrap agreements

Some service providers ask for your agreement by requiring you to click the “I Agree” or “Accept” button after being shown the agreement (i.e. a “click wrap” agreement). A common example of a click-wrap agreement is where a consumer is transported, usually by clicking a hyperlink, to a webpage containing terms and conditions which will be included in the agreement, where there is normally (at the end of the page) a button with the phrase “I agree” or “Accept” printed on or next to it.

I agree Screenshot - WTL blog post

As its name suggests, a click-wrap agreement requires a positive act from a consumer, still other service providers, try to characterise your simple use of their website as your “agreement” to a set of terms and conditions buried somewhere on the site, a sort of “what agreement are you talking about” site (i.e. a “web-wrap” or “browse-wrap” agreement). The browse-wrap is similar to the click-wrap agreement, and is often used under similar situations, except for one rather important difference.

Not all online contracts behave the same way. Where a click-wrap agreement actually requires a positive action to indicate agreement, a browse wrap agreement does not. It is sneaky that way.

Sometimes the terms will be displayed on the web page being used and other times it will not. A kind of “out of sight out of mind” scenario. An online user is not required to click on the terms and conditions if it is provided via a hyperlink, and there are very few ways to actually ascertain whether or not such a user was made aware of the terms and conditions. There are other similar themes as the click wrap or browse wrap, such as mandatory checkboxes (“check this box to indicate your agreement to our terms and conditions”) or email notices (“by continuing to use our service, you agree to the recent modifications to our terms of service”).

But thankfully not all methods, be they click-wrap or browse-wrap, are good enough to create “legally binding contracts”. I sense a collective sigh of relief.

But when are online contracts binding?

But when or how will such online interactions constitute binding agreements? The consensus here depends on which region you are in – by participating in online transactions in whichever form they are in, we can all basically assume that the interactions here will most likely be cross or trans-border.

This does create some difficulty in the sense that some territories, like The United States, are more evolved in this aspect than others. For example in South Africa there is very little to no case law on this matter. In the UK and EU they too have very limited case law or Legislation based on what binds a user to online terms and conditions except to say that they have established one rule

an online user should be provided with all terms and conditions in a manner that is readily available and easily accessible without inappropriately or irrevocably binding a consumer to terms he had no real opportunity to become acquainted with.

It seems rather polite of them and a decent way to conduct oneself when interacting online. Could one say “typical of the British”? Whereas the US have accepted as a rule of thumb, the click-wrap agreement for its obvious enablement of the user to assent to the website’s terms and conditions. In other words the user, by clicking that “I Agree” button acknowledges that they intend to bind themselves.

In South Africa we are sort of playing catch up with both the US and the UK. In this regard and with the application of our contract law as well as our Common Law, one needs to look at the intention of the parties as well as the actual agreement of the parties. With click-wrap agreements it is quite easy to ensure that the user indicates their agreement by making a mark in the relevant space.

document-428331_1920

In our Electronic Communications and Transaction Act, an electronic signature is defined as that of “data attached to, incorporated in, or logically associated with other data and which is intended by the user to serve as a signature”. It is therefore accepted that the function of a signature is some kind of personal mark which may be used to identify a party and to convey or confirm an intention to be bound. Common knowledge, I would assume.

In this context, this “mark” as an indication of a person’s agreement is the same as a click-wrap agreement. This in essence leads one to believe that the click-wrap agreement is more than just an “I Agree” Button, but rather an “I have been shown the terms and conditions, have read them and have agreed to be bound by them” button. If you are like me, I immediately think of my iTunes account and the constant need to “accept” their terms of use when updating your version of iTunes account. If I am absolutely honest, I have never actually read the terms of use before clicking “accept”. As astounding as that sounds from someone of my vocation, all I really want to do is download my music or update my WhatsApp application.

Eeeek!

ALWAYS read the terms and conditions

Once I have finished writing this article, I think I will go avail myself (really) of Apple’s user terms and conditions and next time I click on the “I agree” or “accept” button make sure that I well and truly “Agree” or “Accept” because what I have learnt from writing this article (and which should be obvious) is that with everything, be it a written, a formal Contract or online terms and conditions – read before you click that button, it may hold more consequences than you think!

#justsaying

Your future digital government

I had to apply for unabridged birth certificates for our children the other day so I sat down in front of my laptop, browsed to the Department of Home Affairs’ website and logged into the secure Civic Services portal to start the process. I used my new ID card with its embedded personal digital certificate and a one-time code from my smartphone to authenticate myself.

As you can imagine, Home Affairs has all my details and who our kids are so all I really had to do was select the option for the unabridged birth certificates and place the order. The system informed me that because this was the first time I had requested these particular birth certificates there wouldn’t be a charge. I received a confirmation of my request along with digitally signed and locked digital versions of our kids unabridged birth certificates about five minutes after I concluded my request.

The birth certificates were in PDF and I quickly verified that they were signed by Home Affairs using the Department’s current public key (they were) and then forwarded them on to the service provider that requested them from us.

At this point you are probably wondering how I managed to do all of this? You probably had to drive out to your local Home Affairs office, fill out the forms on paper and wait in line to hand the forms over to the person behind the counter and be told you’d have to wait six to eight weeks for the birth certificates to be printed out in Pretoria and delivered to that office. You would then have to return to the office with your receipt so you could collect the pages.

My story is completely hypothetical. That process is not currently possible at the moment. This isn’t because the technology doesn’t exist, it does, or because the law doesn’t currently cater for it, it does. Implementing processes like this requires a different approach to digital government services. In this particular case, the starting point is likely a combination of a number of factors:

  • A secure, complete and accurate citizens’ and residents’ database;
  • A secure portal through which citizens and residents can access government services using a unique digital identity which is linked to the data the government has about them;
  • Digital certificates issued to each citizen and resident along with each person’s national identity;
  • A convenient means of both securing and using a digital identity to authenticate each citizen and resident that has a cross-platform mobile as well as conventional desktop interface.

The Electronic Communications and Transactions Act provides a broad framework for much of what would be required, including digital signatures, digital documents and data retention and evidence. The benefits could be to radically streamline government services and empower citizens to transact more securely and effectively with each other. These benefits are not reserved for government services, they extend to private services too. In fact, a single secure and digital identity for South Africa’s inhabitants could serve as a platform for a variety of providers to develop engagement models that could transform how the country functions.

So why isn’t such a system being developed (or in place already – much of the technology required has probably existed for some time now). The Verge has an interesting post on this topic titled “Our future government will work more like Amazon” which has a few relevant observations, including this one:

The problem is logistics. Sure, the Postal Service would probably love to have some fresh resources to boost up these facilities. But consolidating many offices into one is never easy. And reappropriating human resources would definitely be controversial. But with good digital systems to reduce paperwork, remember previous encounters with citizens, and greatly reduce the need for people to visit brick and mortar offices in the first place, it’s certainly feasible.

From a legal perspective there are very few barriers to this sort of future. Aside from logistics, the challenge is that our culture is still heavily invested in paper and paper paradigms and the change to digital workflows seems to be prohibitively complicated. That said, there are many benefits to going digital including cost savings, better security and improved redundancy (if you work with paper files, how much redundancy is built into your filing system?).

Simply adopting the necessary technologies isn’t going to solve the problem either. Effective implementation is essential and failing to do this has led to controversies such as the SANRAL consumer data exploits we read about recently. I came across another example of poor implementation when I began writing this post this morning, somewhat ironically from the South African Post Office’s Trust Centre which is charged with delivering trusted digital identity solutions:

SAPO_Trust_Centre_screenshot_-_authentication_problem

Leaving aside what must be an oversight, the Trust Centre delivers a key component in this future digital economy. An advanced electronic signature, for example, opens the door to a range of digital transactions otherwise reserved for paper-based transactions. One of the things I would like to do, as an attorney, is commission affidavits digitally. That is only legally possible if both I, as the attorney, and the person who wants to have an affidavit commissioned have advanced electronic signatures. At the moment this has to be done in person but when both parties have advanced electronic signatures (and have been authenticated by the Trust Centre), this could probably take place remotely. That, alone, represents a cost and time saving. Other transactions which become possible include digital contracts to sell land and even truly digital wills.

Going digital can transform how we function and how businesses and government operate. It just takes vision, an understanding of the legalities and risks and sensible technology implementations.

Digital signatures and contracts in South Africa

What is the status of digital signatures in South Africa? Are digital contracts legally binding contracts? The answer to both questions is yes, but …

Duncan McLeod asked the following question in response to my post titled “Corporate laws to go digital“:

I was wondering what the precedent was for digital signatures in South Africa. For example, is it possible to digitally sign a contract using public/private key type signatures and have that accepted in a court of law?

I was about to respond with a comment of my own and thought I’d rather talk a bit about digital signatures here instead.

The starting point for a discussion about digital signatures in the context of South African law is the Electronic Communications and Transactions Act which was passed in 2002 or so. The ECT Act started with the basic premise that digital communications are no less valid than paper based communications. An important consideration that was taken into account when the Act was drafted is that the Act should be technology neutral so that it isn’t quickly dated as technologies evolve. This translated into an Act that sets out certain features and technology neutral requirements for things like digital signatures which can be used to determine whether the signature concerned (in this example) are satisfactory.

One important consequence of the Act is the fact that a data message, like an email, has just about the same effect as a fax or letter in our law:

Information is not without legal force and effect merely on the grounds that it is wholly or partly in the form of a data message. (Section 11(1))

When it comes to signatures the Act makes reference to an advanced electronic signature which is a specific form of digital signature that has been accredited by the Accreditation Authority, or the Director-General of the Department of Communications. An advanced electronic signature is required where a law specifies that a document be signed. What is also interesting is that where an advanced electronic signature is used there is a presumption that the document concerned has been properly signed unless the contrary has been proved.

Where there is no legal requirement for this sort of signature, a ‘normal’ digital signature can be used to sign agreements, letters and other documents which you may wish to signify your assent to. In the commercial sphere, parties are free to contract electronically and to sign agreements using digital signatures if they wish. It would be up to the parties to the agreement to determine which forms of digital signature they require in order for the agreement to be properly signed. The Act specifies two requirements where the parties to the agreement have not specified the form of digital signature to be used:

3) Where an electronic signature is required by the parties to an electronic transaction and the parties have not agreed on the type of electronic signature to be used, that requirement is met in relation to a data message if-

a) method is used to identify the person and to indicate the person’s approval of the information communicated; and

b) having regard to all the relevant circumstances at the time the method was used, the method was as reliable as was appropriate for the purposes for which the information was communicated.

Basically what this means is that the rules that we apply to the signature of an agreement recorded on paper are applied to digital versions as well. When you sign an agreement your signature is a means to identify you as the signatory. Your signature is also applied to a point in the document where it is clear that the presence of your signature signifies your assent to the terms of the agreement.

Should the digital signatures on an agreement or other document be contested in court, the Act says that the mere fact that the agreement is recorded in a data message (or in digital form) does not invalidate the document. What is required is that the court evaluate the integrity of the data message and, most likely, the system it was generated and transmitted on to ensure that the data message has not, for example, been tampered with and was, in fact, signed by the purported signatory and that this has been verified.

When it comes to the admissibility of data messages, generally, the Act provides as follows:

A data message made by a person in the ordinary course of business, or a copy or printout of or an extract from such data message certified to be correct by an officer in the service of such person, is on its mere production in any civil, criminal, administrative or disciplinary proceedings under any law, the rules of a self regulatory organisation or any other law or the common law, admissible in evidence against any person and rebuttable proof of the facts contained in such record, copy, printout or extract. (Section 15(4))

This clause is an example of how the Act seeks to achieve parity between paper based documents and their digital cousins by catering for the inherent features of paper documents that we take for granted and ensuring that users of data messages are given a leg up, so to speak, and empowered to use data messages as replacements for paper documents with confidence.

I seem to recall that the South African Post Office was supposed to have been accredited as an authentication service provider and authorised to issue advanced electronic signature. As far as I am aware, this has not happened and there don’t appear to be any service providers authorised to issued advanced electronic signatures as contemplated in the Act. When it comes to ordinary digital signatures, you can obtain these from various certification authorities including Thawte and Verisign (Thawte was started by Mark Shuttleworth and who made his initial fortune in the deal to sell Thawte to Verisign).

This post is really just a summary of some of the provisions of the Act pertaining to digital signatures and their commercial application. The Act is far more involved and deals with issues that go beyond the subject matter of this post.

I am interested if anyone has been using digital signatures either in emails or to sign documents and what your experiences have been so feel free to comment below and let me know.