Amazon Kindles a row

Amazon have prompted something of an internet storm this week by cancelling a Norwegian customer’s account and wiping all her Kindle books.

It is now reported that the customer’s account has been restored by Amazon, but the incident has highlighted a point that is often overlooked as e-books grow in popularity. Contrary to popular belief, when you purchase a Kindle title on Amazon, you are not “buying a book”, but merely being given a licence to download and read that book, subject to Amazon’s Kindle License [sic] Agreement and Terms of Use.

Those terms are, on the face of it, unequivocal. If you breach the agreement, your rights under it immediately terminate, and Amazon can wipe your entire book collection without any refund:

Termination. Your rights under this Agreement will automatically terminate if you fail to comply with any term of this Agreement. In case of such termination, you must cease all use of the Software, and Amazon may immediately revoke your access to the Service or to Digital Content without refund of any fees. Amazon's failure to insist upon or enforce your strict compliance with this Agreement will not constitute a waiver of any of its rights.

In the case of this Norwegian customer, Amazon’s only explanation was that her account was “directly related to another which has been previously closed for abuse of our policies”. Amazon refused to provide any further explanation as to what this other account may have been, or as to the “abuse” of its policies.

What if the customer had been living in the UK? Could Amazon act in a similarly draconian and unaccountable manner? As we can see, their terms of business would appear to allow this. However, could an aggrieved consumer argue that EU consumer laws protect them from losing their previously paid-for content?

For these purposes, the main law in the UK is the Unfair Terms in Consumer Contracts Regulations 1999. These provide that:

A contractual term which has not been individually negotiated shall be regarded as unfair if, contrary to the requirement of good faith, it causes a significant imbalance in the parties’ rights and obligations arising under the contract, to the detriment of the consumer.

An unfair term is unenforceable against a consumer. The OFT can also issue “stop now” notices requiring the trader to stop using the unfair term.

The OFT’s guidance on unfair terms gives examples of numerous occasions on which the OFT has held that provisions allowing traders to cancel contracts without giving a refund are unfair. So there would seem to be good grounds for arguing that Amazon’s termination provisions in its Kindle licence agreement are unfair.

The Unfair Terms in Consumer Contracts Regulations do not apply to terms which define “the main subject matter of the contract” (or the price payable). Amazon could try to argue that the “main subject matter” is, by nature, a limited licence that is capable of revocation. Looking at the OFT’s past practice as set out in its guidance, however, I suspect that they’d be given pretty short shrift. It’ll be interesting to see if this is ever tested – maybe someone should make a complaint to the OFT about it?

I also wonder whether this apparent imbalance between consumer perception (“I bought it, so I own it!”) and legal reality may become the subject of future consumer protection legislation, so that “one-time payment” licences for digital content are effectively made irrevocable in all but the most exceptional of circumstances.

Amazon’s actions in this case have led some people to say that they will be cracking the DRM on their Kindle books in order to protect them from future deletion by Amazon. Unfortunately, to do so is unlawful under s.297ZA Copyright, Designs and Patents Act 1988 (and can even be a criminal offence if done commercially). More to the point, circumventing the Kindle’s DRM is itself a breach of Amazon’s terms, potentially leading to termination of your account…

Update: this interesting post on the furore quotes Amazon’s PR as saying:

We would like to clarify our policy on this topic. Account status should not affect any customer’s ability to access their library. If any customer has trouble accessing their content, he or she should contact customer service for help. Thank you for your interest in Kindle.

Kindle users may or may not find that reassuring. The one observation I’d make is that this “policy” is not what Amazon’s terms and conditions say, and what happened to this customer seems more in line with the terms and conditions than with Amazon’s stated policy.

Passwords: cracking the code

Interesting post by Willard Foxton on password security, describing how the 2009 hacking of the RockYou gaming website started a cascade of website cracking – all too easy in an era where “cryptographic feats that were the stuff of legend in the Second World War” can now “be done on your iPhone”.

Foxton summarises “current best advice” on password security as follows:

The current best advice is to have passwords composed of 20 characters, with no real words, and your gobbledegook has to include upper and lower case letters, symbols, numbers and punctuation, all randomly scattered through the word. On top of that, you need to have a different password for every site you use and change your password for all of them every three months.

I think it’s safe to say that a system whose “best practice” amounts to that is a system that is irretrievably broken.

Are there any legal implications to this? Well, the Data Protection Act requires organisations holding personal data to take:

Appropriate technical and organisational measures … against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

The Act does not prescribe any specific security measures, but the Information Commissioner’s current advice to organisations on passwords recommends:

use a strong password – these are long (at least seven characters) and have a combination of upper and lower case letters, numbers and the special keyboard characters like the asterisk or currency symbols.

This is some way short of the “best advice” set out by Foxton, though how much actual practical difference it makes to security may be a different matter – for now. “Appropriate” measures include striking a balance between theoretical security and practical workability, depending on the risks involved. But it would seem likely that, over time, the gap between what is “appropriate” and Foxton’s counsel of perfection will close.
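As an added example (not from the post, from Foxton or from the ICO), the following Python encodes the two composition rules quoted above and estimates the brute-force key space each implies, which is what "practical difference" comes down to; the sample passwords and the guesses-per-second rate are constructed assumptions.

```python
import math
import string

# Added illustration: compare the ICO rule (7+ chars, mixed classes) with
# Foxton's summary (20 chars, mixed classes) by the key space each implies.
SPECIALS = set(string.punctuation)  # the "special keyboard characters"
ALL_CLASSES = {"lower", "upper", "digit", "special"}


def char_classes(pw):
    """Return the set of character classes actually present in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in SPECIALS:
            classes.add("special")
    return classes


def meets_ico(pw):
    """ICO advice as quoted: at least seven characters using all classes."""
    return len(pw) >= 7 and char_classes(pw) == ALL_CLASSES


def meets_foxton(pw):
    """Foxton's summary: 20 characters using all classes. The 'no real
    words' and 'randomly scattered' parts are not checked here."""
    return len(pw) >= 20 and char_classes(pw) == ALL_CLASSES


def keyspace_bits(pw):
    """Upper bound on entropy: length * log2(pool size of classes used),
    assuming each character was drawn uniformly from that pool."""
    classes = char_classes(pw)
    pool = (26 * ("lower" in classes) + 26 * ("upper" in classes)
            + 10 * ("digit" in classes) + len(SPECIALS) * ("special" in classes))
    return len(pw) * math.log2(pool) if pool else 0.0


def years_to_exhaust(pw, guesses_per_second=1e10):
    """Worst-case time to enumerate the whole key space at an assumed
    offline guessing rate (1e10/s is a constructed figure)."""
    return 2 ** keyspace_bits(pw) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["Pa$sw0r", "x7#Qm!2vLp9&Rz4@Wb3k"]:  # constructed samples
        print(pw, meets_ico(pw), meets_foxton(pw),
              round(keyspace_bits(pw), 1), f"{years_to_exhaust(pw):.2e} years")
```

The seven-character ICO minimum yields roughly 46 bits and falls to an offline attack in hours at the assumed rate, while the 20-character string yields over 130 bits.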

Rather than tightening up password policies beyond the ICO’s recommendations, there may be a stronger case for looking at measures such as two-factor authentication. I adopted this for my personal email account after reading this chilling account of how a hacked Gmail account enabled Mat Honan’s entire digital life to be wiped out earlier this year. Google offer two-step verification for their accounts, which is relatively simple to set up and use, at least if you own a smartphone.

I’m not aware of any guidance from the ICO as yet on the use of two-factor authentication. What the ICO does insist upon, however, is the use of encryption for any mobile devices holding personal data (laptops, memory sticks, tablets). If your organisation is using such devices without encryption, you should correct this straight away – or risk joining Greater Manchester Police in the dock with a £120,000 (or more) penalty.