Home / Blogs

Can VeriSign Sue You Over SiteFinder?

An abstract from James Grimmelmann’s recent legal analysis in the Yale Law School’s LawMem regarding VeriSign’s controversial SiteFinder.

Attention so far has been focusing on the ethics of the move (positively satanic), its effects on DNS and non-Web applications (Considered Harmful), and on possible technical responses (Software Aimed at Blocking VeriSign’s Search Program). On the legal side of the fence, though, we’re not just talking about a can of worms. We’re talking about an oil drum of Arcturan Flesh-Eating Tapeworms.

A Question: Have VeriSign’s Terms of Service Become Binding on the World?

A bunch of people, for example on Dave Farber’s Interesting People list, have been worrying that VeriSign now has near-absolute legal authority over all Internet users (VeriSign now owns your use of .COM and .NET?). The fear is that by visiting VeriSign’s SiteFinder site and “using” its services, you become bound by VeriSign’s privacy policy and terms of service.

There’s some fretting over various nightmare scenarios possible under particularly ugly terms therein: you appear to authorize VeriSign to do content filtering for you, to disclaim any possible lawsuits against VeriSign, and to agree not to use the services for commercial purposes. And, of course, VeriSign can change the terms at will. Taken at face value, these terms would appear to let VeriSign more or less kick anyone off the Internet at its corporate whim, and to do anything it wants to Internet users. And, since Virginia, VeriSign’s home, is a UCITA state, merely visiting VeriSign’s page through the process of misspelling a domain name, would appear to be legally binding.

It’s a fun legal nightmare, but this is a non-issue. Lawyers know it won’t happen; they give various technical doctrinal reasons why such horrific terms would never be enforced against Joe Srufer. And total non-lawyers know it won’t happen: they refuse to believe that something so ridiculous could happen. It’s only the people in between—who know a few tricks about law—who’re afraid. But a little knowledge is a dangerous thing. These people have had their common sense beaten out of them, because, after all, getting rid of your common sense is the first step on the road to understanding the law. But they haven’t yet had it replaced with the more subtle sense of how legal systems heal themselves.

In Cindy Cohn‘s great phrase: “You can’t hack the law.” Even if UCITA appears to authorize binding click-contracts, and even if VeriSign’s policies proclaim themselves to be legally enforceable, you can’t always take these things at face value. Legal texts are starting points, not foreordained results. Laws aren’t like C programs: if a judge sees something taking place that seems egregiously, manifestly, insanely unjust and unintended, she will go right ahead and find a way to prevent it. Maybe the law will be reinterpreted in a way that undercuts its obvious meaning. Maybe she’ll craft an “equitable” exception. Maybe she’ll find a procedural way to throw out the suit. But she’ll find something.

And in this case, she won’t need to look very far. The operative words in UCITA are “manifestation of assent,” which are, here, a restatement of the fundamental, bedrock, principle of modern contract law: consent. The moral justification of contracts is that you should only be bound by contracts you’ve freely consented to. But contract law has taken a slightly looser view of things for centuries. Even if, in your secret heart of hearts, you don’t want to enter into one, if you sign your name on the dotted line or say “Yes, I’ll have the turnips there on the sixteenth” or do something else that would make other people think you meant to be bound, you will be. If you want to use a fancy lawyer term, you could call it “constructive” consent.

Now, UCITA does two things, for which it’s been criticized. It expands the set of acts that can be construed as showing consent, and it expands the set of things you should be bound by once you’ve clicked on the dotted line. There are plenty of abuses lurking in there: under UCITA you can click away far more of your legal rights than you could under pre-UCITA contract law. If you buy online an AIBO which malfunctions, rises up, and murders you in your sleep, UICTA would allow Sony to claim you’d waived your (or rather, your heirs’) right to sue for a mere product defect. Once you’ve done something that would “manifest” your “assent,” you can be nailed to a fairly high wall.

Do you see why we need not fear VeriSign, though we may mock and loathe it?

Contract Law Supplies Its Own Answer

What’re at stake here are typos. You know, mistakes. VeriSign itself is claiming that people will only come to its site by accident. Everything on SiteFinder starts from the premise that people made a mistake while typing in a URL (or are quite likely to have made a mistake, which is just as good). So when I load a page from SiteFinder after coming in off a typo domain…

- I made a mistake, and
- VeriSign knows I made a mistake.

There’s not a court in the country that would uphold this “contract,” UCITA or no. We’re talking first-semester Contracts doctrine. There’s no objective consent to be bound; it would be unreasonable for VeriSign to conclude that people coming in in this way had agreed to its terms.

We don’t even need to reach the issue of whether people know about VeriSign’s Terms of Service before using DNS. Yes, knowledge of what you’re agreeing to is another prerequisite to a contract, and yes there’s a big issue over how constructive that knowledge can be (witness “click here for our privacy policy” and “please read this tome carefully and in great detail before continuing”), but it wouldn’t matter if everyone in the world knew that typos sent you to SiteFinder and that SiteFinder’s terms of service including selling your children into slavery. The specific act at stake here remains a mistake. Precisely because VeriSign hijacked all the unassigned domain queries, they’re not allowed to conclude anything from the fact that you tried to look one up.

Even UCITA disclaims attempts to make contracts stretch this far. Here. Let’s go to the text:

Section 112(a)
A person manifests assent if the person . . . intentionally engages in conduct or makes statements with reason to know that the other party or its electronic agent may infer from the conduct or statement that the person assents…

But note: the conduct that I “intentionally” engage in is typing in a URL. The part where I make a mitsake in typing in the URL isn’t intentional. So, first, my conduct wasn’t intentional. Second, I probably have no reason to know—especially if I was making a non-HTTP request—what anyone would infer from my conduct. And third, even granting the first two, that inference is mighty shaky.

Section 112(b)-(e)
An electronic agent manifests assent to a record or term if, after having an opportunity to review it, the electronic agent authenticates the record or term…
...An electronic agent has an opportunity to review a record or term only if it is made available in manner that would enable a reasonably configured electronic agent to react to the record or term.

VeriSign can make its terms binding on you through your browser only if a “reasonably configured” browser could recognize those terms and react to them. But no web browser, SMTP server, IRC client, or any other piece of software at all exists which could understand that failed domain lookups now go to a private HTTP server with its own terms of service. Common usage is considered good evidence of what is “reasonable” or not; there is simply no way to claim that the “reasonably configured electronic agent” needed here is something that no one uses and doesn’t exist.

Section 112, Official Comment 3
On the other hand, conduct is not assent if it is conduct which the assenting party cannot avoid doing, such as blinking one’s eyes.

You can’t just define “assent” so that there’s no way around it.

Section 112, Official Comment 3
Doctrines of mistake, fraud, and duress apply in appropriate cases.

In this “appropriate case,” all three may well apply. We’ve been through mistake at length: you make a mistake, VeriSign knows it, no contract. Fraud is a little harder to make out, but not much. You don’t need to be a lawyer or a DNS expert to see that there’s something deceptive going on; it would be pretty easy to claim that VeriSign’s bait-and-switch trick constitutes misrepresentation of a fact material to the contract. And duress? Well, VeriSign does have a monopoly on running .com, does it not? Since it’s almost impossible to avoid making a typo now and then, and since use of the Internet is so hugely important, you could at least come into court arguing that VeriSign has such extreme power here that you were compelled to go to SiteFinder now and then.

Section 114
Every contract or duty within the scope of this [Act] imposes an obligation of good faith in its performance or enforcement.

“Good faith” is a much-disputed and much-litigated issue. And unilaterally redirecting my DNS lookups, without my knowledge, against the standard practice (and standards) of the Internet, for purposes of forcing me into acceptance of your terms of service, seems kinda low-down, dunnit? A court deprived of the other myriad ways of striking down that contract could easily find that VeriSign breached its duty of good faith.

Section 111
If a court as a matter of law finds a contract or a term thereof to have been unconscionable at the time it was made, the court may refuse to enforce the contract, enforce the remainder of the contract without the unconscionable term, or limit the application of the unconscionable term so as to avoid an unconscionable result.

Even taking away every other reason why these terms of service might not be enforceable, no court is required to enforce a contract that “shocks the conscience of the court.” If some truly truly horrific eeeee-vil consequence flowed from being bound upon mistyping your URL, the court could still refuse to carry it out. It doesn’t matter how legalistic and solemn your agreement to sell your kids into slavery is; it’s just not an enforceable contract, period.

Filed Under


George Kirikos  –  Oct 3, 2003 8:31 PM

In a business law course I took years ago, the Professor gave the following example:

Every day, Cindy takes a jog around High Park. Observing this, Chuck says to Cindy “My dog is for sale for $100. If you jog around High Park next Tuesday, I will take that as your agreement to that contract.”

What should Cindy do, if she doesn’t want the dog? :)

Clearly, folks don’t need to stop making typos, to avoid VeriSign’s “contract”, lol.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byVerisign

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API