Dealing with malicious third-party content

Last week’s Trade Me virus attack raises a number of legal issues, including:

  1. What laws prevent a malicious advertiser from using an innocent third-party’s site (in this case Trade Me) as a virus vector?
  2. Can the affected users (estimated at several thousand) claim compensation from anyone?
  3. What can / should website operators do to protect themselves?
  4. What is the position of the unwitting “advertiser”?

My thoughts on each below:

1. Laws preventing “virus advertisements”

The Herald reports:

Ford said users’ computers contracted the virus through a malicious advertisement supposedly from Lonely Planet. Trade Me accepted the advertisement online from someone who claimed to represent the travel book company.

There are 2 distinct possible criminal scenarios in the Trade Me attack: first, the act by the advertiser of configuring and uploading the malicious ad. Second, the damage intended by the advertiser to be done by the malware to third parties.

As to the first, the ad in question was “false” in that it was not from who it claimed to be from, and was apparently designed to trick users into downloading a virus. It is not a crime merely to place a “false” or malicious advertisement as such (though placing a false birth, death or marriage notice incurs a fine!), unless some other element such as fraud is present. Also, the malicious activity in this case was clearly not targeted against Trade Me, but against its users.

Which brings us to the second scenario, where it is a crime to interfere with or damage a computer system (s 250 Crimes Act), to access a system for a dishonest purpose (s 249 Crimes Act), to distribute certain types of malware (s 251 Crimes Act), and to access a computer system without authorisation (s 252 Crimes Act). If the intention is to trick users into paying money or other such tactics, fraud and other crimes may also be committed. Potentially serious stuff.

It is not clear what the malware did, or what the advertiser intended. It seems that there was no malicious code in the advertisement itself. But if the purpose of the advertisement was to cause such malware to be installed on victims’ computers, it is likely to be criminal activity or soon result in criminal activity if a virus is later caused to be downloaded. The placing of the ad was part of the overall activity of causing malware to be installed on victims’ computers. Even if the false advertisement was detected before anyone acted on it, an attempted criminal act may still have been committed.

Of course in a case such as this, it may be very difficult to track down the advertiser – and they are very likely to be from outside the jurisdiction anyway. That does not negate any criminal act, but it does mean that it may be impossible (or uneconomical) to prosecute.

2. Can affected users claim compensation?

If a person deliberately installed (or caused to be installed) a virus or other malware on someone’s computer and caused them loss, the victim could claim compensation from the wrongdoer (such as for the cost of removing the malware and reinstating the system, loss of use of the computer in the meantime, lost data, etc). Unfortunately, in most cases it will likely be uneconomic to prosecute for relatively minor loss, and in most cases the perpetrator will be unidentifiable and/or from overseas.

But what about claiming compensation from Trade Me – or any other website operator who is unknowingly used as a vector for transmitting malware? Trade Me had no prior knowledge of the malicious ad and appears to have taken all appropriate action as soon as it became aware of the problem. They are probably the most on-to-it company in NZ for handling online risks.

However, if a less on-to-it operator was negligent in allowing an ad to be placed or in allowing it to remain on the site, resulting in harm to users, then a claim could possibly be brought against that website operator (though I am not aware of any case establishing a duty of care in these circumstances). There is also the possibility of bringing a claim under the Consumer Guarantees Act on the basis of a “service” being provided.

However, the cost of making such a claim (a civil claim) would be significant, and if the virus was successful due in large part to the victim not having proper antivirus software, etc, then a Court could reduce any compensation due to the victim’s contributory negligence.

3. Managing website owners’ liability

Website operators are often in the difficult position of having unknown users come onto their site and take certain actions, such as placing ads or other content that may or may not be proper and lawful. I have written before that in recent years the Courts have taken a pragmatic approach that recognises this modern reality – that website operators are to a large extent reliant on their users acting properly, and cannot be expected to monitor everything in real time or alter their business models due to a few miscreants [e.g. see here, here and here].

But it is still incumbent on website operators to ensure they have some measure of legal protection, and the primary tool for website operators is via a disclaimer. In many cases, a simple disclaimer will do. In other cases, a detailed set of website terms and conditions is advisable. For e-commerce sites in particular, getting a proper set of terms and conditions one time at the outset is a highly efficient way to greatly reduce risk for many years of trading to come.

Some terms and conditions attempt to expressly exclude liability for malicious advertising and malware risks via language such as:

We do not warrant or represent that our website will not cause damage or is free from any computer virus or any other defects, errors, or malicious third-party use. We accept no responsibility whatsoever for any third-party use of our website or content uploaded to or transmitted by our website. You accept full responsibility for ensuring your computer has effective security software including up-to-date antivirus and anti-malware software.

4. The unwitting “advertiser”

It was Lonely Planet whose good name was falsely used by the party placing the dodgy ads. It is likely that if a company’s name is misused in such a manner, the company will have a claim against the false advertiser (if they can be found and if it is worth it) for defamation, malicious falsehood, and possibly under the Fair Trading Act.

One thought on “Dealing with malicious third-party content”

  1. The first thing I thought about while reading your post was that anybody with adblocking software would have been protected 🙂

    What’s the legal status of using a proxy-based or plugin-based adblocker? Is there any way that a website operator can force (in a legal/contractual way, not using technical means) users to download and display ads?

