Angry Nerds: The iTunes Youth Legal Nightmare

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

It's not just those birds that are angry these days. The process by which Apple allows teens, pre-teens and even toddlers to download free apps, and then purchase game currencies within these free apps, may have landed the computer giant in hot water—with both parents and at least one federal district court in San Jose.

The case revolves around a longtime legal reality: Minors cannot agree to a contract. If they pretend to agree, it's non-binding and can't be enforced. But what if an adult gives the child their password and permission to make a purchase? It's still the child doing it and the contract, therefore, probably can't be enforced.

Last month, U.S. District Court Judge Edward Davila—in In Re Apple In-App Purchase Litigation, Dkt. No. 5:11-CV-1758 EJD (N.D.Ca., San Jose Div., March 31, 2012)—allowed a class-action lawsuit against Apple to proceed. Parents alleged that the software/hardware/music/let's-face-it-everything giant configured its iTunes service to allow kids who typed in a parent's password (to download the free app) to, for at least 15 minutes, continue to use the credential to download in-game apps for hundreds, if not thousands, of dollars.

Related Story: If Court Rules That Minors Can't Be Made To Pay For Digital Purchases, M-Commerce Will Need A Massive Overhaul

Now, the fact that the case was allowed to proceed doesn't mean that the angry parents will eventually win anything. But it does mean that, in designing a payment system and an accompanying authentication scheme, merchants and others must be aware of how such systems can be abused—even by those we might otherwise trust.

Up until a few months ago, when you logged into the iTunes app store to buy an app (technically, you never actually buy an app, you just license it), the owner of the account (let's say Mom or Dad) would have to enter an authentication password (the user ID or E-mail address was saved). Although many apps cost from $4.99 to as much as $49.99, many of them are either free or a nominal amount, like 99 cents. Mom and Dad can handle a buck or two.

One can imagine a typical scenario—screaming kids in the car, fighting over the iPad or iPhone, one yelling, "Mommy, I want to download the zombies vs. werewolves vs. aliens app." She responds, "How much is it?" The answer: "It's free." Hearing the magic word, Mom says, "no problem," and either enters or tells the kid the password for the free app.

By the time they reach their destination, the kids have downloaded not only the app but also dozens of werewolves and aliens. For a price.

Now some legal basics. On the one hand, the iTunes agreement itself (which the parents could have seen when they created the account) says that "you are solely responsible for maintaining the confidentiality and security of your account and for all activities that occur on or through your account" and "Apple shall not be responsible for any losses arising out of the unauthorized use of your account."

On the other hand is the basic legal principle that, to be liable under a contract, the party must have the capacity to enter into a contract—and for that you have to be of legal age. Clearly, a child has no capacity to enter into a contract. So, is the kid's use of the persistent token (the password) an "unauthorized use" of the parent's account for which the parent is liable? Not really.

The use is kinda sorta authorized.The use is kinda sorta authorized. But the parent had no idea that the authorization to buy the app extended for 15 minutes to enable in-app stuff to be purchased.

The parents in the lawsuit also argue that Apple and the app developers engaged in consumer and other fraud in the configuration of the iTunes service and by "marketing and promoting certain gaming apps as free or costing a nominal fee with the intent to induce minors to purchase in-app game currency."

It's important to note that the court didn't decide this issue—it just decided that the issue needed to be decided and, therefore, that the case could go forward.

For retailers, the case presents a problem that is exacerbated by technology. In general, minors lack the capacity to enter into contracts (except for contracts for what the law calls "necessities"). Such contracts are voidable, meaning that the minor can walk away from his or her obligations. The doctrine, intended to protect "infants" (people under the age of majority—now assumed to be 18), arose in an age when contracts were few and far between. In those days, contracts were generally accompanied by a large and foreboding document, signed with a quill pen, sealed with wax and emblazoned with ribbons.

It was assumed that juveniles lacked the capacity to enter into such an auspicious agreement. Now, everything from consent to collect personal information to purchases of video games to streaming of movies is accomplished with just a click of a mouse or a tap of an icon. The average Internet user (and this is even more true with minors) may "agree" to as many as 20 to 30 "contracts" a day. Even if a minor affirmatively lies about his/her age, the contract remains voidable at the minor's option.

This is even worse for things like videogames or online content directed at kids younger than 18. The retailer knows, or should know, that many of the people it "contracts" with for goods or services are younger than 18—that's kind of the point.

With embedded credentials (e.g., stored credit-card numbers), retailers make it easier for minors not only to enter into contracts for the purchase of goods and services but also to pay for them. If they use Mom or Dad's credit card, the merchant will likely assert that either Mom or Dad "authorized" the transaction (and is, therefore, liable for payment) or may allege that the minor's use of the card is "unauthorized," implying either that Mom or Dad are liable for the payment anyway or that the minor should go to jail for "stealing" the credit card.

Online contracts with minors are problematic. Merchants aren't selling to "an account" or to a credit-card number but to a person—and there is a risk that the person lacks the capacity to contract. In theory, a minor could buy bubblegum at the counter, chew it, and then demand his/her money back. Online, the stakes may be much higher. The better approach for retailers—particularly for those targeting children—is to make it clear to parents that they are making the purchases and authorizing the use of the stored credentials to make those purchases. Even though it is not legally binding—and, therefore, not technically true—it is probably going to be enough to scare most parents into paying for their kids' purchases.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.