The case arose in the context of a dispute between property developer Jaevee Homes (J), based in Norwich, and demolition contractor Steve Fincham (F). The dispute involved demolition works at a former nightclub in Norwich.

The parties had agreed the F would carry out demolition work but disagreed over the terms of that agreement. F argued the contract was formed by an exchange of WhatsApp text messages, whereas J argued it was based on a demolition subcontract.

The Court found that the parties had agreed a contract by the exchange of WhatsApp messages. 

The Court said that the message exchange constituted contract based on the clear agreement on the project’s fee, work scope and payment terms, indicating an intention to create a binding agreement. It rejected J’s argument that it was necessary to agree contract duration or start date for there to be a concluded contract.  It also rejected J’s argument that the contracting party wasn’t identified.

The judge said “In my judgment, the exchange of WhatsApp messages, whilst informal, evidenced and constituted a concluded contract.”

The post High Court rules that exchange of WhatsApp messages formed a contract appeared first on Society for Computers & Law.

Over seven episodes, recorded in November 2024, Ben Evans, Shruti Hiremath and guests will look beyond the current position to identify some of the pressures the changing landscape will bring to bear.

Episode 4: The EU Data Act and Cloud Analogies

Are analogies between cloud and open banking and telecoms appropriate? A deep dive into the EU Data Act and the potential unintended consequences

Building on the discussion in episode 3, this episode 4 analyses the cloud provisions of the EU Data Act with reference to an influential and widely cited paper co-authored by Ben Evans and Sean Ennis. The panel explore the concept of ‘equivalence’ between cloud services and question the merits of the controversial ‘functional equivalence’ requirement, which is designed to boost switching between cloud providers. This leads to a discussion over whether the analogy between cloud computing services, which exhibit high degrees of feature complexity and innovation, and banking services, which exhibit both a limited number of key features and a relatively low level of innovation, is appropriate. As articulated by the authors in an earlier SCL article, it is suggested that these two differences are critical for considering the nature and focus of future cloud regulation and may limit the value of analogies to prior experiences with portability and interoperability. Moreover, the panel considers the authors’ observation that a significant number of cloud customers already have the possibility and incentive to account ex ante at contract stage for the trade-off between complexity and customisation in service functionality and ease of portability and interoperability. The discussion turns attention to profound concerns that the Data Act may have the unintended consequences of disincentivising innovation, strengthening the position of incumbents, and harming smaller cloud service providers by inter alia effectively commoditising cloud services to the extent that competition is reduced to price competition.

Panel

Ben Evans (Chair) is a Postgraduate Researcher at the School of Law and Centre for Competition Policy, University of East Anglia. He is a member of the LIDC Scientific Committee.

Shruti Hiremath is Counsel in the Clifford Chance Antitrust Team in London.

Lauren Murphy is Founder and CEO of Friday Initiatives.

Sean Ennis is Director of the Centre for Competition Policy and a Professor of Competition Policy at Norwich Business School, University of East Anglia.

The LIDC NEX GEN Podcast Series on ‘Competition in Cloud and AI’ explores some the most topical and hotly debated questions  with a panel of leading international experts from academia, legal practice and industry.

The series was recorded  on 7 November 2024, and the views and opinions expressed therein reflect the legal context and state of affairs up to that date.

You can also watch or listen via the LIDC website, YouTube and Spotify.

The post Exploring Competition in Cloud and AI Podcast: Episode 4: The EU Data Act and Cloud Analogies appeared first on Society for Computers & Law.

Over seven episodes, recorded in November 2024, Ben Evans, Shruti Hiremath and guests will look beyond the current position to identify some of the pressures the changing landscape will bring to bear.

Episode 3: Dissecting Cloud Competition

The investigations of the UK CMA and an introduction to the EU Data Act.

In episode three, the panel begin exploring the five-fold concerns raised by the UK CMA in its issues statement in relation to its cloud market investigation. First, the authority has expressed concern that potential market concentration may be limiting choice. Although a number of large firms hold substantial market share in public cloud, the existence of on-premises and hybrid cloud solutions may temper concerns. Second, the CMA is worried that data transfer fees may prohibit switching, an issue that has been addressed in the EU under the cloud provisions of the recently enacted Data Act. Third, there is a concern that impediments to portability and interoperability may create dependencies or impair customers’ ability to move assets and to integrate across providers. Although such concerns may be valid, the panel considers the reality that market-based solutions are already developing, with industry consortia and voluntary standards bodies emerging without the need for regulatory interference. Fourth, the CMA has considered whether committed spend agreements limit customer flexibility and cause lock-in. Any intervention should be mindful of the benefits of such agreements to consumers in terms of cost savings and price stability. Finally, unfair licensing practices have come under scrutiny and there is a legitimate question as to whether some large providers may restrict competition by, for example, requiring additional fees or adherence to restrictive terms when customers use software from rival providers.[1]

While there has been substantial regulatory interest in Japan, the Netherlands, South Korea and France, all of which have completed cloud market studies, and in Spain and the USA, which have started investigations, the UK authority has advanced arguably the most detailed research and analysis of competition in the sector. The panel observes that despite this, the initial conclusions reached by the CMA and the referring authority Ofcom do not necessarily follow from the empirical market research that underpins their respective studies. Indeed, this is an issue that has been raised by Ben Evans and Sean Ennis in their co-authored consultation responses to the CMA and Ofcom. The evidence suggests that generally customers are on the ‘way in’ on their cloud journey and that, as opposed to provider restrictions, one of the key factors leading to lock-in may be that those firms do not yet have the in-house technical capability to initiate cost and time efficient switch.

[1]  Since the recording of the podcast, the CMA has published its Provisional Decision Report on 28 January 2025. Further details are available at: https://www.gov.uk/cma-cases/cloud-services-market-investigation#provisional-findings.

Panel

Ben Evans (Chair) is a Postgraduate Researcher at the School of Law and Centre for Competition Policy, University of East Anglia. He is a member of the LIDC Scientific Committee.

Shruti Hiremath is Counsel in the Clifford Chance Antitrust Team in London.

Lauren Murphy is Founder and CEO of Friday Initiatives.

Sean Ennis is Director of the Centre for Competition Policy and a Professor of Competition Policy at Norwich Business School, University of East Anglia.

The LIDC NEX GEN Podcast Series on ‘Competition in Cloud and AI’ explores some the most topical and hotly debated questions  with a panel of leading international experts from academia, legal practice and industry.

The series was recorded  on 7 November 2024, and the views and opinions expressed therein reflect the legal context and state of affairs up to that date.

You can also watch or listen via the LIDC website, YouTube and Spotify.

The post Exploring Competition in Cloud and AI Podcast: Episode 3 – Dissecting Cloud Competition appeared first on Society for Computers & Law.

The Committee highlights that the UK government has described raising growth as its number one mission and has a target for the UK to achieve the highest rate of sustained growth in the G7. Currently the UK is not on course to meet that target, and the Committee says that a closer relationship with the UK’s largest export market, the EU, is mission critical to helping realise ambitions for growth. 

Among other things, it has made the following recommendations which may be of interest to tech lawyers:

• Any new UK-EU security arrangements should include an explicit recognition that it would be mutually beneficial to act together to guard the critical national infrastructure on which the UK and EU business community depends.

• The UK should work closely with the EU to strengthen coordinated action against non-market economies that undermine the international trading system through unfair practices, including abuse of forced labour, industrial subsidies, state-owned enterprise advantages, and forced technology transfers. Enhancing cooperation on trade defence instruments—such as anti-subsidy and anti-dumping measures—along with alignment of safeguards against use of forced labour in supply chains will help ensure a more effective and consistent response to market distortions that threaten fair competition.

• The Committee recommends that the UK government consults with the business community, unions, workers and consumer groups and identifies sectors of the economy where, over the next ten years, there will be mutual gains from maximising compatible regulation with the EU. This should include an assessment of the flexibilities the UK might need to maintain membership of existing trade deals like CPTPP, and to agree the free trade deals currently under negotiation with Switzerland, the Gulf Cooperation Council and India. Where there is significant mutual gain from compatible regulation with the EU, the government should commit to a regulatory roadmap that maintains compatible regulation with the EU and seek, where beneficial for both parties, mutual recognition of conformity assessments.

• The Committee notes the extensive cooperation between the UK government and the European Commission on the Data (Use and Access) Bill. It recommends that the government continues monitoring the EU’s Data Union Strategy when it is published and assess any relevant implications for UK policy, and take whatever steps are required to ensure a permanent data adequacy agreement is secured.

The post Business and Trade Committee issues report on strengthening UK-EU relations: techlaw aspects appeared first on Society for Computers & Law.

Over seven episodes, recorded in November 2024, Ben Evans, Shruti Hiremath and guests will look beyond the current position to identify some of the pressures the changing landscape will bring to bear.

Episode 2: Alternative Visions

A look at the emerging alternative visions of the AI stack around the world.

Episode 2 considers alternative visions for the AI stack. The discussion begins by thinking about the emergent ‘EuroStack’, which is a strategic initiative to develop independent digital infrastructure across all layers of the stack and reduce reliance on non-EU technologies that was launched in the European Parliament in 2024. At a high-level, this approach represents a significant transition away from the prevailing regulatory approach focussed on competition in  certain components of the stack towards an infrastructural approach driven by ambitious industrial policy. The panel proceeds to reflect on the approaches of different international jurisdictions, focussing in particular on the development of digital public infrastructure in emerging markets, and the issue of sovereignty. Crucially, the Indian examples of the Unified Payments Interface and the Open Network for Digital Commerce provide evidence that digital public infrastructure can promote significant competition. This prompts the panel to question whether regulatory intervention is necessary if there exists a sufficiently developed digital public infrastructure. Of course, it is essential that government initiatives are not mandated to the detriment of market-based solutions and are instead offered as alternatives. Ultimately, the co-existence of digital public infrastructure and private firm offerings may lead to a healthy competitive market.

Panel

Ben Evans (Chair) is a Postgraduate Researcher at the School of Law and Centre for Competition Policy, University of East Anglia. He is a member of the LIDC Scientific Committee.

Shruti Hiremath is Counsel in the Clifford Chance Antitrust Team in London.

Lauren Murphy is Founder and CEO of Friday Initiatives.

Sean Ennis is Director of the Centre for Competition Policy and a Professor of Competition Policy at Norwich Business School, University of East Anglia.

The LIDC NEX GEN Podcast Series on ‘Competition in Cloud and AI’ explores some the most topical and hotly debated questions  with a panel of leading international experts from academia, legal practice and industry.

The series was recorded  on 7 November 2024, and the views and opinions expressed therein reflect the legal context and state of affairs up to that date.

You can also watch or listen via the LIDC website, YouTube and Spotify.

The post Exploring Competition in Cloud and AI Podcast: Episode 2 – Alternative Visions appeared first on Society for Computers & Law.

Introduction – the new MCTs and SCCs

By now the ‘top level’ requirements of the new wave of EU tech and digital regulation are fairly well known: the AI Act’s risk-based approach, the key contract provisions at DORA Art. 30, the NIS 2 reporting requirements, for example. What we think will bubble to the surface over the course of the rest of 2025 are the new Model Contract Terms (“MCT”) and Standard Contractual Clauses (“SCC”) nestled in the secondary legislation made under these rules: the delegated regulations and the implementing technical and regulatory standards.

These new MCTs and SCCs will not be mandatory. In some cases they are more like templates to show SME buyers of IT services what good could look like in a market where IT contracts are often one-sided documents favouring the large tech vendor. And because they won’t be mandatory, a big question for the new MCTs and SCCs is: will anyone actually pay any attention?

Examples – MCTs and SCCs in the AI Act, NIS 2, DORA and the Data Act

To give a bit more context, we will briefly walk through three examples. This is not an exhaustive list: there are lots of requirements in the rules that will either directly or indirectly affect what will need to be included in IT contracts. These are examples which have caught our interest recently.

Example 1: MCTs for high-risk AI system providers & their suppliers (AI Act, Art. 25(4))

By Art. 25(4) of the AI Act, the recently established European AI Office is encouraged to “develop and recommend voluntary model terms for contracts between providers of high-risk AI systems and third parties that supply tools, services, component or processes…”. The MCTs should “take into account possible contractual requirements in specific sectors or business cases.”

It is unclear what the status of these MCTs is, but it is foreseeable the requirement that they consider “specific sectors” and “business cases” will add to their complexity and the length of time it takes the AI Office to prepare them. When they are published, they will form part of a growing corpus of European AI model contract terms. For another example, see the March 2025 Updated EU AI model contractual clauses.[1]

Example 2: focus on supply chains (NIS 2 and DORA)

When organisations buy in IT they cede a certain amount of knowledge and control to third parties: SaaS vendors, managed service providers, IT consultants, etc. This creates supply chain vulnerabilities which NIS 2 and DORA, in particular, seek to remedy at the contract level.

As with the AI Act, many of the requirements are tucked under the primary legislation. For NIS 2, specific contract requirements can be found in the NIS 2 Implementing Regulation, para. 5.1.4 of the Annex to which requires that “relevant entities shall ensure that their contracts with… suppliers and service providers specify, where appropriate through service level agreements” contract terms like cybersecurity requirements, staff training, staff background checks, incident notification requirements and audit provisions.

For DORA, which applies in the financial services sector to in scope “Financial Entities”, the Regulatory Technical Standards on subcontracting will, when finalised, impose contract requirements where ICT services supporting critical or important functions are subcontracted.[2]

Example 3: cloud computing SCCs (Data Act, Art. 41)

The Data Act requires the European Commission to develop and recommend by 12 September 2025:

• non-binding MCTs on data access and use, including terms on reasonable compensation and the protection of trade secrets, and
• non-binding SCCs for cloud computing contracts to assist parties in drafting and negotiating contracts with fair, reasonable and non-discriminatory contractual rights and obligations.

The cloud computing SCCs are currently under development by a European Commission Expert Group on B2B data sharing and cloud computing contracts.[3] The SCCs will address important aspects of cloud contracts like information security and business continuity, liability and termination. The approach taken in drafts released in late 2024 suggests that the final  cloud computing SCCs are likely to depart significantly from current market norms for cloud contracting.

Conclusion: prepare, but will anyone pay any attention?

The point of this article is to draw the reader’s attention to the lesser known MCTs and SCCs squirreled away at the layer of the secondary legislation in the new EU tech and digital rules.

This is worth doing because: (1) the MCTs and SCCs go directly to content requirements for IT contracts and (2) a number of them are likely to be finalised this year.

The MCTs and SCCs will give buyers of IT services new tools and models to negotiate better terms with their vendors. Vendors will need to think carefully about what, if anything, in these new forms of contract they are prepared to accept. Either way, we expect these new documents will start cropping up in IT contract negotiations in the course of 2025.

In almost all cases, these new MCTs and SCCs are not mandatory: contract parties can choose to incorporate them into their agreements or not. So the question remains: will anyone pay any attention?

Chris Kemp, Partner at Kemp IT Law LLP

[1] See European Commission: Updated EU AI model contractual clauses, dated 5 March 2025 <https://tinyurl.com/3nvnssb5>.

[2] See EBA, EIOPA and ESMA: Final report on Draft Regulatory Technical Standards to specify the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions as mandated by Article 30(5) of Regulation (EU) 2022/2554, dated 26 July 2024 <https://tinyurl.com/yecuvkwj>.

[3] See European Commission webpage for the Expert Group on B2B data sharing and cloud computing contracts (E03840) here <https://tinyurl.com/bddb9vz9>.

The post IT Contracts in 2025: the new MCTs and SCCs appeared first on Society for Computers & Law.

We have teamed up with the LIDC (International League of Competition Law) to share a series of podcasts examining some of the increasingly pressing questions around cloud computing, AI and competition law.

Over seven episodes, recorded in November 2024, Ben Evans, Shruti Hiremath and guests will look beyond the current position to identify some of the pressures the changing landscape will bring to bear.

Episode 1: The Status Quo

The current state of competition law for cloud computing and what the regulators are up to now.

Episode 1 sets the listener up for a deep dive into cloud computing and AI later in the series with a high-level discussion of the key competition concerns that have been raised across the AI stack.

The AI stack broadly comprises of four components: data, compute (encompassing chips and cloud computing), foundation models, and AI applications. The panel reflect on the recent media and policy focus on the compute component and the widely reported chip shortages that have led competition authorities in the EU and USA to investigate how supply is being allocated. While there may have been shortages, these shortages – and any related competition concerns – should be considered against the backdrop of a sudden surge in AI product development, which may not represent a forward-looking picture of chip supply. Indeed, the recent proliferation of new chip development from firms including AMD, Intel, Google, OpenAI and Amazon suggests that competition for the supply of chips is fierce.[1] Authorities around the world are also showing considerable interest in cloud competition, focussing in particular on potential barriers to switching and interoperability. Episodes 3 and 4 are dedicated to exploring these issues in depth.

Turning attention to foundation models, the panel introduces concerns raised in particular by the UK Competition and Markets Authority (CMA) and the French Competition Authority (FCA)that firms perceived as controlling key inputs – principally data, cloud and skills – may restrict access in order to shield themselves from competition. Further concerns raised by authorities include the risk that cloud providers could exploit their market positions to distort foundation model choice, potentially engaging in self-preferencing à la Google Shopping (Case C-48/22 P Google and Alphabet v Commission). This discussion whets the appetite for a dissection of AI competition in a later episode.

Bringing the introductory session to a close, the panel also touches on concerns being raised by competition authorities that firms may be using strategic partnerships to reinforce, expand or extend existing market power through the value chain. This thorny issue is explored in greater detail later in the podcast series in an episode focussed on mergers and acquisitions, but at the outset thought is given to the importance of protections for investors in nascent technologies, with a parallel drawn to the pharmaceutical industry.

Panel

Ben Evans (chair) is a Postgraduate Researcher at the School of Law and Centre for Competition Policy, University of East Anglia. He is a member of the LIDC Scientific Committee.

Shruti Hiremath is Counsel in the Clifford Chance Antitrust Team in London.

Lauren Murphy is Founder and CEO of Friday Initiatives.

Sean Ennis is Director of the Centre for Competition Policy and a Professor of Competition Policy at Norwich Business School, University of East Anglia.

[1]  Further recent developments such as the development of more efficient models like DeepSeek’s R1 have also raised questions on the continued need for a large number of chips.

The LIDC NEX GEN Podcast Series on ‘Competition in Cloud and AI’ explores some of the most topical and hotly debated questions with a panel of leading international experts from academia, legal practice and industry.

The series was recorded  on 7 November 2024, and the views and opinions expressed therein reflect the legal context and state of affairs up to that date.

You can also watch or listen via the LIDC website, YouTube or Spotify.

The post Exploring Competition in Cloud and AI Podcast: Episode 1 – The Status Quo appeared first on Society for Computers & Law.

What is Software Testing?

Suppliers test systems to assess whether they do what they should do (functional testing) in a way that meets the customer’s need (non-functional testing). As such, it is the principal approach used to assure quality. Consideration of testing is useful both to transactional lawyers seeking to draft agreements that protect their clients’ interests and to contentious lawyers seeking to establish a claim.

If you have developed a spreadsheet and want to check whether it adds correctly, you may enter input data of 2 and 3, expecting to get the answer 5. If the actual result is what was expected, you call it a “pass.” If not, it is a “defect.” A useful “test report” contains details of the steps taken in testing by reference to the “test case,” of the input data, the result, and the deviation that leads you to believe it to be defective. In this way, when a developer is passed the defect for resolution, they may replicate the test as an early step in their triage, diagnosis, and fix.

Why Test?

The fundamental assumption is that if one looks for trouble before launching a product, one can address it before it harms anyone. Thus, the product is more likely to be satisfactory for users than if testing is inadequate.

Software engineers have long been aware that if they identify defects early in the process of development, they can fix them more cheaply than if the work has advanced. The reason is that the process of delivery involves bringing many components together. When a defect is discovered early on, just one component (that being developed) is affected. When found later, many others have been closely crafted to fit with the first, so each of these needs to be adapted and re-tested, first in isolation, then in combination. So, the impact is magnified. This is not a linear increase. If a fault is found only in live operation, the user population, support staff, documentation, data for processed transactions may all be affected. There can also be commercial fall-out as compensation or reputation are damaged. In this way, good testing is related to commercial success and profitability for the developing organisation and customer.

Risk and Testing

The aim of testing is to give reasonable assurance to those charged with developing and launching the system that it is ready for use and is likely to deliver greater benefit than it is harm.

This does not assure that the system is free of defects. No such guarantee can be given. Because of this, there is a residual level of risk. Managers decide whether testing has been appropriately rigorous to reduce the risk of harm to an acceptable level. If they delay launch to conduct more testing, there can be competitive and commercial consequences from this. So there are trade-offs to be made.

The conscious assessment and containment of risk is at the heart of good test design. This is assisted by the test managers’ having a good understanding of the intended business context of use, so that they focus their efforts on what is most important. The place to look for this is an over-arching document describing the project’s approach to testing, often called the “test strategy.”

In the most egregious cases, a system may be launched with little, or inadequate testing. The press, social media, customers, and regulators can be brutal in response.[1]

Some industries have developed sophisticated methods to address risks. Nuclear, aerospace and pharmaceuticals feature prominently. Such methods combine advanced management of the delivery process with considerations of risk and rigorous testing. West-Coast software developers have typically taken this on-board, moderated by methods such as progressive deployment and real-time monitoring of early responses to detect, react to and contain defects when they do occur.[2]

Types of Testing

There is a variety of types of testing with differing objectives. This results in each component being tested many times. When introducing a change, it is normal to repeat many of these. Types of testing that you may encounter include:

Functional

Unit – This is a set of tests normally performed by the person developing the component to validate that it performs the required function, such as the spreadsheet example above. One component may need to deliver several functions, each of which should have an associated test case. The unit is tested in isolation. Anything else the unit relies upon to function is simulated by programmes called “stubs” that deliver the result required from interfacing units and systems.

System – A system normally consists of more than one unit. In system testing, all the units are gathered and tested together, rather than relying on stubs. So, this encompasses looking at the interaction between component units.

Integration – A major system may have multiple elements, some from other suppliers or already in place within the customer’s environment. So, a finance system may interact with payroll and HR systems. Integration testing is a technical validation of the interactions and data flows.

Regression – Sometimes, when changing an element to fix one defect, it has unintended consequences, breaking another part of the system. Regression testing looks for such defects.

UAT – User Acceptance Testing is usually a late phase and is designed to address the question “is the system ready for business use?” It is not an exhaustive set of functional tests but is normally based on a few end-to-end scenarios.

It is normally required that functional testing should assure that the system does do what it should, or “positive testing.” It is wise also to check that it does not do what it should not, or “negative testing.” So, if you expect an input to the earlier spreadsheet example to be a positive integer, and the entry is either “-3” or “Friday” what does the system do? A helpful error message suggesting what is required is a good reaction; crashing is less good; producing an irrational answer is worse.

A complex system is likely to support many processes. Each may have an expected path and various exceptional cases. Each should be tested to assure it works as expected. It is likely to be infeasible to test all combinations, hence the use of risk to prioritise what are selected.

Non-Functional

Security – The project’s security lead should have conducted a security risk assessment. This will assess the value of the system’s function and data, consider vulnerability, the risks of attack and the means these may occur. From that, counter-measures may be constructed and their efficacy tested. One commonly adopted type of security test is “penetration” or “pen” testing. In this, hire a trusted person to attempt to penetrate the system’s defences and review its construction.

Performance – Express non-functional requirements as testable performance parameters. These can include elements such as response time; languages supported; support to disabled users; availability; capacity. Each parameter will have its own test.

User

Useability – Many systems need to operate effectively on a range of platforms such as mobile, PC, tablet. It is wise to validate that the system works effectively for the intended users, that they find the flow of interaction to be understandable and that it is effective in supporting them in their “jobs to be done.” [3] Useability testing explores aspects of the user experience.

Operational

Data Migration – If the new system is to take over from an existing one, there is likely to be data on historic transactions and assets that the new will need access to. Assume that existing data has faults such as missing or corrupt fields. Permitted values may also differ between the old and the new. Data migration testing runs along-side iterative cleansing of the data and its treatment to prepare it for the new and validates that transactions that are in-flight can be handled.

Deployment – Users of the new system may need material such as documentation and training to prepare them for the new system. Assess the efficacy of such preparation before rolling it out.

Support – Conduct “Operational Acceptance Test” or “OAT” through the repeated review of checklists. Questions may include “do we have a set of knowledge articles prepared to support the service desk with known issues?” It validates that the support organisation is ready for the system’s launch.

Code Inspection

It used to be widespread practice to require developers to submit code for human review. Whilst this is still used, it is normally now by exception and based on small sample sizes once a developer has established competence. Automated tools have taken over the bulk of the work.

Static Test – Automated tools are used to test the code for its ability to compile and for conformance to coding standards. The best organisations take this a long way into promoting the use of good practices in areas such as making code readable and declaring classes. Some tools automatically correct non-conformances.

The Limitations of Testing

Testing should be risk-based. It can assure within the scope of considered risks. It can say nothing of un-imagined “black swan” combinations of behaviour and data modes.

The aim of testing is to establish “does the system behave as intended?” A frequent source of contention is that what applies to the design of test is the designers wish. This may differ from that of the user and of the commissioning customer, especially where the expression is inarticulate. Most software testing is silent on the quality of the specification and of associated design until user testing.[4] The modern use of iterative design brings this process forward to avoid unwelcome surprises later.

Managers may consciously or ignorantly limit the scope of test. Often, they do this to accelerate launch. Sometimes the bet pays off. Sometimes not.[5]

Test Systems, Data, Environments

Setting up systems that replicate the production environment, or a part of it, can be expensive in labour, hosting, and maintenance charges. This is less of an issue in these days of virtualised and containerised systems than it was when everything was physical. But it still has costs.

For a test to operate, it must have access to:

The system – at the appropriate release level for every component required (or stubs).

An environment – loaded with the system to be evaluated, all pre-requisites and data.

Test data – Getting hold of enough of the right data can be a real problem. The contract often defines this as a customer obligation, one that can be difficult, causing delay. Then the customer’s security staff object to putting sensitive live customer data into an unsecured environment.

Modern software engineering promotes “test driven development” (TDD). Under this approach a developer first writes the test cases, then develops the code to satisfy them. This puts testing at the heart of the development process. Automated testing assists greatly.

So What? For Transactional Lawyers

Transactional lawyers are rightly reluctant to impose schedules defining detailed operational methods on the supplier. The tendering and selection process should have asked the customer to describe what they will do and the ways in which they will assure quality. An informed advisor with operational experience of testing should review the submission and raise the right awkward clarification questions during negotiations. Then upload the combined method statement, questions, and responses to become a schedule of the agreement. I hope to assist the drafting lawyer by providing introductory context and understanding to detect distracting waffle and to focus on what matters to the client.

The diligence of risk assessment heavily influences the level of assurance provided by test, making risk an area to prioritise. It is also worth considering how to report the progress and outcome of test. A key measure is test coverage, being the proportion of planned cases that are assessed.

So What? For Contentious Lawyers

Should the quality of testing or the treatment of defects become the subject of dispute, the contentious lawyer will be working along-side an expert who they need to instruct. There may be issues of breach and of tortious negligence, along-side consideration of associated loss. I hope that this article provides a guide to areas of test and their relation to the case that support the lawyer in their management of the matter.

Once test detects a defect, those investigating the case will be interested in whether the rate of fix is consistent with the planned schedule. They also look at whether defects accumulated in an uncontrolled manner or were simply and effectively despatched. Your expert should roll-up their sleeves and mine it for patterns that indicate systematic trends, so bringing clarity on the issues to the court.

If experts differ, it is likely that the supplier’s expert will seek to give the impression that overall, quality was good despite obstacles erected by the customer. The supplier was heroic. The customer’s expert may bemoan the manifold and serious failings encountered across delivery and the accumulated defects that took months to resolve.

Conclusions

A good and diligent programme of testing gives useful assurance that software is likely to be dependable. It complements good design, resourcing, and delivery methods. Where testing is appropriate in coverage and diligence, strong assurance follows and decisions are sound. Where testing is unreliable, so are its results.

Good delivery organisations embrace thorough testing and weave it into their development plans. The poor postpone the day of reckoning. Is your head high, scanning for threats, or buried in the sand?

William Hooper acts as an expert witness in IT and Outsourcing disputes and a consultant in service delivery. He is a member of the Society of Computers and Law and a director of Oareborough Consulting. He may be reached on +44 7909 958274 or William@Oareborough.com

[1] https://www.bbc.co.uk/news/business-50471919

[2] Software Engineering at Google, Titus Winters, Tom Manshreck, Hyrum Wright, 2020, O’Reilly Pages 301-303

[3] Know your customers’ “Jobs to be done”, Clayton M. Christensen, Taddy Hall, Karen Dillon, David S. Duncan, Harvard Business Review, September 2016 https://hbr.org/2016/09/know-your-customers-jobs-to-be-done

[4] https://oareborough.com/Insights/assessing-design-quality/

[5] https://www.fca.org.uk/news/press-releases/tsb-fined-48m-operational-resilience-failings and

https://www.forbes.com/sites/kateoflahertyuk/2024/08/07/crowdstrike-reveals-what-happened-why-and-whats-changed

The post Software Quality and Testing: A Primer appeared first on Society for Computers & Law.

The High Court has recently considered a dispute arising from a miscommunication regarding the claimant’s winnings on an online game. 

The claimant in Durber v PPB Entertainment Ltd [2025] EWHC 498 (KB) played the Wild Hatter game in October 2020 – a two-part game involving a fruit machine and a wheel of fortune. After spinning the jackpot wheel, the screen displayed she had won the “Monster Jackpot” which was stated as £1,097,132.71. The dispute revolved around the discrepancy between what was displayed on the claimant’s screen and the defendant’s server records which led to a significant reduction in the payout from the claimed Monster Jackpot of well over £1 million to a much smaller Daily Jackpot of £20,265.14. The claimant claimed the difference between this and the Monster Jackpot. 

The defendant said that the outcome was determined by a random number generator which had said she had only won the daily jackpot, but an error affected the animations of the game and showed her the wrong result. It sought to rely on its terms and conditions and referred to the decision in Parker-Grennan v Camelot UK Lotteries Ltd. 

What did the court say?

The court ruled that the rules of the online gambling game took precedence over the terms and conditions. The rules explicitly stated that the outcome of the game, including the determination of the jackpot, was based on what was displayed on the claimant’s screen. This “what you see is what you get” (WYSIWYG) approach was central to the claimant’s understanding and expectation of the game.

The terms and conditions included a clause that purported to make the defendant’s server records definitive if there was a discrepancy between the screen display and the server records. The court found this clause to be inconsistent with the game rules which clearly indicated that the screen display took precedence. Consequently, the court held that this clause was unenforceable.

The defendant also sought to rely on an exclusion clause that purported to absolve them of liability for any errors, including those in the generation of game results. However, the court found that this clause did not cover the specific human error in programming that caused the discrepancy between the server records and the claimant’s screen display. The error in question was a mapping error in the software which was a direct result of human programming and not a system or communication error as envisaged by the exclusion clause.

The court also examined whether the relevant terms were properly incorporated into the contract. It concluded that the terms were unusual and onerous and that the defendant had failed to take reasonable steps to bring these terms to the claimant’s attention. The terms were buried within a lengthy document and were not adequately signposted, making it unreasonable to expect the claimant to have been aware of them. 

Even if the terms had been properly incorporated, the court found them to be unfair and unenforceable under the Consumer Rights Act 2015. The Act requires that terms be fair and transparent and that they do not create a significant imbalance in the parties’ rights and obligations to the detriment of the consumer. The court held that the terms in question failed this test, as they included a very wide limitation of liability. It said that a more focused disclaimer would have created less imbalance. The terms also contradicted the game rules, causing an imbalance. 

Therefore, the court ruled that summary judgment should be entered for the claimant.

So what?

The court’s decision emphasises the importance of clarity and fairness in the terms and conditions of online gambling games and consumer-facing terms more generally. If you run online games, you need to clearly communicate your terms to consumers and also make sure that they are consistent with the rules of the game. Terms need to be fair and properly incorporated, especially those which aim to limit liability or alter the consumer’s understanding of the game outcomes. More widely, you need to make sure that your terms and rules hang together – it’s quite common for there to be different documents that affect the relationship with the consumer – but they need to be consistent and cross-referenced. 

Readers may remember the case of Green v Betfair where the court ruled in Mr Green’s favour, saying that Betfair’s terms were not adequate to exempt Betfred from the obligation to pay out on an ostensibly winning bet or series of bets.    

As the CMA gets greater powers in the coming weeks, businesses are advised to review their customer journeys and make sure that they comply with the law.

This report was first published on the Lewis Silkin website and is reproduced with permission

The post Monster Jackpot wins the day appeared first on Society for Computers & Law.

Two investigations into Apple and Google respectively will assess in parallel their position in their respective “mobile ecosystems” which include the operating systems, app stores and browsers that operate on mobile devices. The investigations will explore the impact on people who use mobile devices and the businesses developing services or content such as apps for these devices. 

Mobile devices such as smartphones and tablets play a fundamental role in the lives of people in the UK. According to the CMA, almost all (94%) of 16+ year olds in the UK – around 56 million UK consumers – currently have access to a smartphone and the average UK user spends around three hours a day using a mobile device

Almost 15,000 businesses are involved in developing apps used on mobile devices in the UK, and the total UK revenue for app development is estimated to be around £28 billion.

Virtually all mobile devices sold in the UK are pre-installed with either iOS (Apple) or Android (Google) and Apple’s and Google’s own app stores and browsers have either exclusive or leading positions on their platforms compared with alternative products and services. This means that Apple and Google are also able to exert considerable influence over much of the content, services and technological development provided on a mobile device. 

Given the importance of mobile ecosystems to people, businesses and the economy, the CMA says it is critical that competition works well.

Under the digital markets competition regime, the CMA may designate firms with SMS in relation to a particular digital activity. Once designated, the CMA can impose conduct requirements or propose pro-competition interventions to achieve positive outcomes for UK consumers and businesses.

The investigations will assess Apple’s and Google’s position in relation to their mobile operating systems, app stores and browsers (together referred to as ecosystems) and whether either firm has SMS in these areas. At the same time the CMA will also consider whether conduct requirements should be imposed in the event of a final designation decision.

The issues that will form part of the CMA’s investigations include:

• The extent of competition between and within Apple’s and Google’s mobile ecosystems. The CMA will assess how competition is working across Apple’s and Google’s mobile ecosystems and what barriers may be preventing other competitors from offering rival products and services on Apple’s and Google’s platforms.
• Possible leveraging of Apple’s and Google’s market power into other activities. This will include investigating whether Apple or Google are using their position in operating systems, app distribution or browsers to favour their own apps and services, which often come pre-installed and prominently placed on iOS and Android devices.
• Potential exploitative conduct. This will include investigating whether Apple or Google are requiring app developers to sign up to unfair terms and conditions as a condition of distributing their apps on Apple’s and Google’s app stores; and whether users may be presented with “choice architecture” which makes it difficult to make active choices about which apps they are using on mobile devices.
• Potential conduct requirements could include, for example, requiring Apple or Google to open up access to key functionality needed by other apps to operate on mobile devices; or making it possible for users to download apps and pay for in-app content more easily outside of Apple’s and Google’s own app stores.

These investigations are separate to the CMA’s ongoing market Investigation into Mobile Browsers and Cloud Gaming. In its provisional report, the inquiry group leading that market investigation recommended that the CMA launch an SMS investigation after provisional findings suggested that Apple’s and Google’s business practices are holding back competition in the mobile browsers market.

The statutory deadline for the SMS investigations is 22 October 2025. The CMA seeks comments by 12 February 2025.

The post CMA to investigate Apple and Google’s mobile ecosystems appeared first on Society for Computers & Law.