The Department of Internal Affairs’ Anti-Spam Compliance Unit is again taking High Court action against an alleged spammer, seeking financial penalties of $200,000 against the company principal and $500,000 against his company. The Department has lodged two statements of claim in the High Court in Auckland alleging breaches under the Unsolicited Electronic Messages Act 2007 by Brendan Paul Battles and Image Marketing Group Limited.

…

The latest court application alleges that in February and March 2009 Image Marketing Group Limited and Brendan Battles sent, or caused to be sent, 44,824 SMS (Short Message Service) messages to mobile phones connected to networks in New Zealand operated by Vodafone New Zealand Limited and Telecom New Zealand Limited.

…

It is alleged that the SMS messages were unsolicited commercial electronic messages with the primary purpose of inviting the recipient to purchase over the internet a mobile phone antenna booster. In its statement of claim the Department alleges the SMS messages contravened section 9 of the Act in that they were unsolicited, section 10 as they did not include accurate sender information and section 11 as they did not contain an unsubscribe facility that could be used by the recipient at no cost.

The reference to the lack of an unsubscribe facility comes on the heels of allegations that Telecom has contravened the Act for the same reason.

The DIA is seeking the maximum penalties – $200K for an individual, and $500K for a company. Hopefully, no spammer makes amounts in excess of these penalties (surely not??) – otherwise they’d still end up in the black!

It will be interesting to see how the claim is framed against Brendan Battles personally, and his company Image Marketing Group Limited. Unless Battles was sending emails in his own right, and not via Image Marketing, issues of the “corporate veil” arise. Such issues are common in commercial litigation. For example, liability under the Fair Trading Act 1986 can attach to company officers, even though they were acting under the veil of the company (see Personal Liability of Directors under the Fair Trading Act, PDF).

However, the anti-spam act contains a specific section covering “third party breaches” (accessory liability), and also includes sufficiently expansive language, to cast the net wide enough to enable personal liability to attach to company officers and employees.

Internal Affairs is looking into whether Telecom may have breached spam laws by sending text messages to customers that did not include instructions on how customers could unsubscribe from receiving such messages… Victoria University law student Hamish McConnochie drew attention to the texts, promoting Telecom’s pre-pay top-ups and roaming services …

Here’s a quick tip: look at Telecom’s Term’s & Conditions (see below).

The anti-spam law (the Unsolicited Electronic Messages Act 2007) requires certain types of commercial electronic messages to offer an unsubscribe facility. This law is “technology neutral” – it applies to all types of electronic messages, including emails, text messages, instant messages, etc. However, the unsubscribe facility is not needed where there is a “contract, arrangement or understanding” between the sender and receiver not to include an unsubscribe. Telcos are well aware of this law and usually take necessary steps to comply. Telecom argues it has such an arrangement as follows:

Telecom sent customers text messages in November telling recipients that unless they objected then, Telecom would deem they had agreed future text messages from the company need no longer include an opt-out message. Spokeswoman Anna Skerten said those messages created such an arrangement.

A “no response means you accept” text cannot create a contract. However, it is arguable that it could create an “arrangement or understanding” – which are clearly intended to mean something less than a contract or other form of express consent.

But what is unusual is that Telecom’s spokeswoman did not simply refer to Telecom’s mobile service terms and conditions (link is for the prepaid version – others exist). Clause 13(3) states:

From time to time we may send you sales and marketing information about Telecom products and services. You can let us know at any time if you do not want to receive sales and marketing information by contacting Telecom Customer Services

There is no need for messy arguments over whether some text sent last year created an “arrangement”, when there is a contract which clearly applies. Together with Telecom’s “opt-out” text, that would probably suffice (there may be a more specific opt-out in some of the other T&C’s but I’m not going to read them all…) Importantly, Telecom’s T&C’s, like most others, also include a “changes” provision allowing Telecom to modify its terms. So if Telecom decides it needs to change or clarify its T&C’s in response to this reportage, it can do so. It should. Vodafone’s T&C’s are much better, as they clearly state:

You agree that we and our Agents may send you marketing messages, electronic or otherwise, about our special offers, products and Services, and those of our selected Agents and third parties which may be of interest to you. You agree too that the electronic marketing message we, our Agents and third parties send need not include an unsubscribe facility.

Internal Affairs could allege that Telecom’s terms (together with the opt-out text) were insufficient and launch a prosecution. I don’t think it would succeed, and it would probably be a waste of taxpayer money:  the worst outcome for Telecom would be a relatively minor fine that would most likely not cover the costs of a defended prosecution. Also it is highly unlikely that any customer will be able to claim compensation (which requires loss to have occurred).

Finally there is room for argument that under clause 11(2)(a), third-party texts would still not be covered by the telco’s terms & conditions, but that is a separate question.

1. What laws prevent a malicious advertiser from using an innocent third-party’s site (in this case Trade Me) as a virus vector?
2. Can the affected users (estimated at several thousand) claim compensation from anyone?
3. What can / should website operators do to protect themselves?
4. What is the position of the unwitting “advertiser”?

My thoughts on each below:

1. Laws preventing “virus advertisements”

The Herald reports:

Ford said users’ computers contracted the virus through a malicious advertisement supposedly from Lonely Planet. Trade Me accepted the advertisement online from someone who claimed to represent the travel book company.

There are 2 distinct possible criminal scenarios in the Trade Me attack: first, the act by the advertiser of configuring and uploading the malicious ad. Second, the damage intended by the advertiser to be done by the malware to third parties.

As to the first, the ad in question was “false” in that it was not from who it claimed to be from, and was apparently designed to trick users into downloading a virus. It is not a crime merely to place a “false” or malicious advertisement as such (though placing a false birth, death or marriage notice incurs a fine!), unless some other element such as fraud is present. Also, the malicious activity in this case was clearly not targeted against Trade Me, but against its users.

Which brings us to the second scenario, where it is a crime to interfere with or damage a computer system (s 250 Crimes Act), to access a system for a dishonest purpose (s 249 Crimes Act),  to distribute certain types of malware (s 251 Crimes Act), and to access a computer system without authorisation (s252 Crimes Act). If the intention is to trick users into paying money or other such tactics, fraud and other crimes may also be committed. Potentially serious stuff.

It is not clear what the malware did, or what the advertiser intended. It seems that there was no malicious code in the advertisement itself. But if the purpose of the advertisement was to cause such malware to be installed on victims’ computers, it is likely to be criminal activity or soon result in criminal activity if a virus is later caused to be downloaded. The placing of the ad was part of the overal activity of causing malware to be installed on victims’ computers. Even if the false advertisement was detected before anyone acted on it, an attempted criminal act may still have been committed.

Of course in a case such as this, it may be very difficult to track down the advertiser – and they are very likely to be from outside the jurisdiction anyway. That does not negate any criminal act, but it does mean that it may be impossible (or uneconomical) to prosecute.

2. Can affected users claim compensation?

If a person deliberately installed (or caused to be installed) a virus or other malware on someone’s computer and caused them loss, the victim could claim compensation from the wrongdoer, such as for the cost of removing the malware and reinstating the system, loss of use of the computer in the meantime, lost data, etc). Unfortunately, in most cases it will likely be uneconomic to prosecute for relatively minor loss, and in most cases the perpetrator will be unidentifiable and/or from overseas.

But what about claiming compensation from Trade Me – or any other website operator who is unknowingly used as a vector for transmitting malware? Trade Me had no prior knowledge of the malicious ad and appears to have taken all appropriate action as soon as it became aware of the problem. They are probably the most on-to-it company in NZ for handling online risks.

However, if a less on-to-it operator was negligent in allowing an ad to be placed or in allowing it to remain on the site, resulting in harm to users, then a claim could possibly be brought against that website operator (though I am not aware of any case establishing a duty of care in these circumstances). There is also the possibility of bringing a claim under the Consumer Guarantees Act on the basis of a “service” being provided.

However, the cost of making such a claim (a civil claim) would be significant, and if the virus was successful due in large part to the victim not having proper antivirus software, etc then a Court could reduce any compensation due to the victim’s contributory negligence.

3. Managing website owners’ liability

Website operators are often in the difficult position of having unknown users come onto their site and take certain actions, such as placing ads or other content that may or may not be proper and lawful. I have written before that in recent years the Courts taken a pragmatic approach that recognises this modern reality – that website operators are to a large extent reliant on their users acting properly, and cannot be expected to monitor everything in real time or alter their business models due to a few miscreants [e.g. see here, here and here].

But it is still incumbent on website operators to ensure they have some measure of legal protection, and the primary tool for website operators is via a disclaimer. In many cases, a simple disclaimer will do. In other cases, a detailed set of website terms and conditions is advisable. For e-commerce sites in particular, getting a proper set of terms and conditions one time at the outset is a highly efficient way to greatly reduce risk for many years of trading to come.

Some terms and conditions attempt to expressly exclude liability for malicious advertising and malware risks via language such as:

We do not warrant or represent that our website will not cause damage or is free from any computer virus or any other defects, errors, or malicious third-party use. We accept no responsibility whatsoever for any third-party use of our website or content uploaded to or transmitted by our website. You accept full responsibility for ensuring your computer has effective security software including up-to-date antivirus and anti-malware software.

4. The unwitting “advertiser”

It was Lonely Planet whose good name was falsely used by the party placing the dodgy ads. It is likely that if a company’s name is misused in such a manner, the company will have a claim against the false advertiser (if they can be found and if it is worth it) for defamation, malicious falsehood, and possibly under the Fair Trading Act.

While the case involved posts made by the blog owner himself, what is the position of comments by third parties? Judge Harvey noted:

… most administrators or supervisors of blog sites or those occupying the position of Mr Slater must hold some responsibility for the comments that are posted. Mr Slater in his DVD interview indicated that he exercised such supervisory power over his blog site. He would allow comments or postings of material with which he agreed. This indicates that he is able to delete or remove material or posts from the blog site. This would put Mr Slater in the position of a person of responsibility similar to that of the moderator in the case of Stratton Oakmont Inc v Prodigy Services Co.

The Prodigy case involved defamation, but the principle is the same: a person who knowingly permits defamatory, suppressed or other unlawful content to remain on a website under their control (or otherwise “assumes responsibility” for the material) may be held liable for that material. See my article here and posts here for more information.

On the other hand, the position where the website operator has no knowledge of unlawful material will usually be quite different. Recently, there have been a number of instances where Courts have taken a pragmatic view where website operators have little or no control over what their users do, or where attempting to introduce such controls would be very difficult. E.g. for a situation involving IP infringment see my post here and for a defamation situation see here. A similar situation arose today, with a US judge finding that eBay was not liable for its customers using its service to sell counterfeit jewelery. So lets be clear, the case does not mean that anyone operating a blog may be liable for what someone else posts. But for blogs with active moderation, or if the operator becomes aware of certain material posted on their site (or “ought to have” been aware of it), care should be taken, and editorial discretion exercised. Which is just common sense, and how many blogs operate anyway.

Whale’s lawyer also advanced an argument that, because the Whale Oil site is hosted on a server in San Antonio, Texas, there was no “publication” or relevant act in New Zealand, and therefore no crime under New Zealand law. Nice try, but with a judge as well versed in such matters – Judge Harvey literally wrote the book on internet law in New Zealand and teaches it at Auckland University – no cigar:

The reality of the situation therefore is that Mr Slater’s blog is available free of charge to internet users in New Zealand who may and do access it from time to time and therefore publication takes place in New Zealand… The evidence before me is that the material was able to be read and comprehended in New Zealand (thus constituting a publication) and the material was uploaded on the Whaleoil blog by Mr Slater present in New Zealand at the time. Thus acts necessary for publication – the creation of the material, the posting of the material and the availability of the material to be comprehended by readers in New Zealand – all took place within the jurisdiction.

What about a blog that doesn’t carry unlawful (suppressed, etc) material, but merely links to it? The judge noted the US DeCSS case, but left the question open for another day, saying:

“Following from that is the [hypothetical situation of a] New Zealand based blogger who may embed a link to the off-shore blogsite which contains the suppressed name. One should be cautious in such circumstances that one does not become involved in “publishing” by way of hypertext link… I have no doubt this point or something like it will fall to be decided in this country in some future case”.

Whale’s lawyer had attempted to argue that blogging was intrinsically “different”, and mentioning a suppressed name did not fall within the corners of the Criminal Justice Act definitions. He had also tried to argue that the Criminal Justice Act, passed in 1985, could not apply to blogs (which were not contemplated at that time) and must be limited to traditional news media. The judge rejected these lines of argument, saying:

Conceptually a blog is no different from any other form of mass media communication especially since it involves the internet which anyone who has an internet connection is able to access… It is publication. It is made to a wide audience. It goes beyond a private conversation over the telephone or, a coffee table or at a dinner party. It is the mass media element that accompanies the internet that places the blog within the same conceptual framework as any other form of mass media publication… In the age of mass communication and the internet, where everyone may be a publisher, that approach cannot be sustained. The law must continue to speak.

* So I have no doubt the decision here is correct, based on the current law and what has been reported. It has been interesting to read the comments (on Kiwiblog for example) of some, who should know better, but who are most upset that the judge did not take it on himself to legislate from the bench and reform the “broken” suppression regime and help bloggers to “expose crims”.  However as I wrote last year, I do think the law on suppression needs to change to a more open system. That is both desirable and inevitable, and parliament should act sooner rather than later on this.

This case is about whether or not a person behaved in a manner that breached the law and in doing so utilised some of the communications technologies associated with the Internet. It is not a case about whether or not the law should allow nonpublication orders. That debate must take place in another forum.

A lot of comment has been made about the Whale Oil case, and much of it centred on whether name suppression should be available. Except for those who believe in a particularly activist judiciary, such questions are not for the Court to decide. Similarly there has also been much comment on the possible futility of suppression orders in the internet era. Following the release of the Law Commission’s report on name suppression last year I said that:

If the law is not to permit exercises in futility, this issue [name suppression] may need to be revisited again before long.

Judge Harvey also addressed this issue, rightly saying:

Up until such time as the legislature decides to repeal or amend s 140 of the Criminal Justice Act 1985, orders made by the Court for non-publication are expected to receive compliance and the assumption is that citizens will abide by Court orders. If they do not they may expose themselves to possible prosecution or Contempt of Court proceedings.

Except possibly in extreme cases, it is not for the Court to decide that a statutory provision is no longer effective and shouldn’t be applied.

Read part 2 here.

This issue has arisen several times in defamation proceedings, where a person complains that they have been defamed in another country, even though they would not be able to sue for defamation in that second country. A few years back, an Australian court ruled that an article posted on the internet is considered published wherever it is downloaded. So an article written in the United States by a US citizen, and not actionable in the US, could be actionable in Australia if it is defamatory under Australian law.

Another example, this time involving criminal law, is currently underway with the Australian Human Rights Commission threatening to lay charges against the US-based operator of Encyclopedia Dramatica over an offensive entry on Aborigines.

Similarly, a UK court recently confirmed that English criminal law can apply to internet content accessible in the UK, regardless of where in the world it is hosted. Meanwhile, three US-based Google managers were convicted in absentia by an Italian court for “allowing”  disturbing footage of an Italian boy being bullied to be posted online, and not removing it.

In other cases, specific legislation (e.g. section 7A of the Crimes Act) or public policy may compel or be used to justify a court exercising jurisdiction. For example, in New Zealand the Commerce Commission has successfully prosecuted overseas residents for breaches (in New Zealand) of the Fair Trading Act.

In summary, it does not typically matter that a server, or a person, is located outside of the jurisdiction. The fact that conduct occurs in a jurisdiction (e.g. material can be accessed in a jurisdiction in the same manner as if the server or material were located there; conduct by an overseas person is “aimed” at the local jurisdiction)  is often sufficient.

In one case, the website terms were binding. In the other, they were not. These decisions do not change the law, but they are useful reminders not to overlook your disclaimers when designing a website.

Full article: Update on Enforceability of Website Terms, February 2010

Links to the cases:

• Major v McCallister, Missouri Court of Appeals, No. CD29871 (23 December 2009) [pdf]
• Hine v Overstock, US District Court E.D.N.Y. (4 September 2009) [pdf]

1. A person can be held liable (in certain circumstances) to a third party for negligent statements.
2. It is possible to disclaim liability for negligent statements.

Accordingly, it is customary on many, if not most, websites to include a disclaimer such as: “This information is of a general nature only, and is not professional advice”. Or “This information is provided ‘as is’, and we accept no liability for its accuracy”.

Surprisingly, however, there has not been a Commonwealth court decision (of high authority) on their effectiveness until recently. As a result, there has been some small degree of uncertainty over basic question, such as:

1. In what circumstances is there a legal “duty of care” between a website operator and members of the public reading the website?
2. In what circumstances will a disclaimer protect the website operator from liability?

The UK Court of Appeal recently reviewed these issues for the first time in the case Patchett v SPATA [2009] EWCA Civ 717 (15 July 2009).

Facts

The facts are briefly as follows.

Mr & Mrs Patchett decided to install a swimming pool. They searched on Google, and found the website of the Swimming Pool & Allied Trades Association (SPATA). SPATA is a voluntary UK trade body representing UK swimming pool installers. On the “about us” page, it stated:

“Installing a swimming pool is a specialised task requiring skills and technical expertise in a number of different areas. One way of guaranteeing that the pool installation company has this expertise, is to make sure they are a member of the Swimming Pool and Allied Trades Association (SPATA) before contacting them for a quotation… SPATA pool installer members are fully vetted before being admitted to membership, with checks on their financial record, their experience in the trade and inspections of their work. They are required to comply fully with the SPATA construction standards and code of ethics, and their work is also subject to periodic re-inspections after joining. Only SPATA registered pool and spa installers belong to SPATASHIELD, SPATA’s unique Bond and Warranty Scheme offering customers peace of mind that their installation will be completed fully to SPATA Standards – come what may!”

There was also a function for requesting an “information pack” (which would be sent by post) containing more information about the warranty and member requirements.

The website had a “member finder” function to help visitors find SPATA members near to them. The Patchetts used the function to locate Crown Pools Limited, who they hired to install their pool. Unfortunately, Crown became insolvent before completing the job, but after the Patchetts had paid their money. It soon emerged that Crown had not been financially vetted by SPATA, and was not even a full member, despite the Patchetts having been referred to Crown via SPATA’s website. As Crown was insolvent, the Patchetts attempted to sue SPATA on the basis that statements on its website – which suggested Crown was reliable and financially sound – were negligent.

The issues and findings

The issue, essentially, was whether SPATA was liable for negligently implying that all businesses listed on its website were reliable and of good financial standing.

The court (comprising three judges) found that the statements on SPATA’s website were, to some degree, negligent. Specifically, the statement shown above failed to mention that there were two types of membership – “full membership” and “affiliate membership”. Only “full” members were financially vetted and included in the warranty programme. The ‘member finder’ included both types of member without differentiation. As Crown Pools Limited was only an “affiliate” member of SPATA, it was not covered by the warranty or financially vetted. The statements on the website were, therefore, misleading, and capable of making SPATA liable for its negligent misstatement.

The court then considered whether there was a duty of care between SPATA and the Patchetts. While agreeing on the relevant legal principles, in particular the requirement that it be reasonably foreseeable that a person would act on advice without further inquiry, the court was divided on its finding.

The majority of the court found that there was no duty of care. The statement encouraging users to request an information pack meant that SPATA could not have expected a user to act on the information without making further inquiry, by ordering the information pack. In other words, SPATA expected that users would treat the website as the “first step in the process” and always request the information pack, which would explain the full story about the membership statuses. Because the Patchetts had not done so, SPATA would not be liable.

The minority of the court (Smith LJ) disagreed, and found that there was a duty of care. The dissenting view of Smith LJ is worth noting:

“There is nothing to suggest that the information pack might in any way limit the reliance which the customer can place upon the statement that a particular installer is a member of SPATA and is therefore a good contractor to engage. Nor is there anything to suggest that the information pack is necessary as a check on the accuracy of the information provided on the site itself. Of course, if the information pack had been requested and read, the customer would have discovered the mistake made on the website and would have found out that Crown was not a member of SPATA. But that fact should, in my view, be put out of mind, when considering whether, on an objective reading, there was an expectation that the customer would not rely on the website without the information pack. I do not accept that, objectively considered, this website was merely ‘the first step in the process’. The customer was given an option whether to ask for the further information in the pack. In my view, on reading the website, the customer might ask himself whether he needed the information pack and might well decide that he did not.”

Important findings

Although the court was divided on the outcome, it has given some important findings which will no doubt be relevant in subsequent cases:

1. The court confirmed that “no different legal principles apply to misrepresentations on a website than to those anywhere else in the public domain.” While this has always been considered the position (after all, why should there be different treatment for websites?), it is nice to have a clear statement of judicial confirmation.
2. Although the majority did not find a duty here, the court was unanimous that a duty of care can arise from statements on a website. Interestingly, the lead judge (Lord Clarke MR) appeared to suggest that this possibility was limited to “interactive” sites: “Some websites are interactive and it may be possible, applying the principles outlined above, to conclude in particular circumstances that a duty is owed.” Unfortunately, there was no further discussion on this point, such as what “interactive” might mean and how that would give rise to a duty of care over a “non-interactive” site (as the SPATA site presumably was). It should be noted that New Zealand courts apply slightly different legal tests in determining whether a duty of care exists (see this article for details).
3. The majority accepted that a negligent statement on a website was, in effect, remedied by a disclaimer elsewhere on the site. I note that the critical statement (the encouragement to request an information pack) was not expressly a disclaimer, in that it did not expressly purport to “disclaim” anything. But the majority’s view was that the information pack statement made it unreasonable for a user to rely on the website alone, without requesting the information pack.

Key lessons

The majority judgment is not entirely convincing, but the case does reiterate some important messages:

1. Have a disclaimer

There was no general website disclaimer in this case (e.g. a “terms & conditions” page). Instead, the majority found that the simple statement encouraging users to request the information pack in one part of the website was, in effect, a disclaimer for negligent statements elsewhere. Ensure that your website has an appropriately worded disclaimer. These do not need to be lengthy, complex blocks of text. In light of this case, the key points they need to make are:

• Instruct users to make their own, independent inquiries before acting on any information.
• State that all information is of a general nature only and must not be taken as specific or complete advice.

2. Display the disclaimer (or a link to it) prominently

Ensure that the disclaimer is reasonably prominent. While the issue of bringing a disclaimer to the user’s attention was not expressly discussed in this case, if the critical statement (the “quasi-disclaimer” regarding the information pack) was buried away in a hard-to-locate part of the website, the result may have been different. The court acknowledged that if a reader had not read the about the information pack, he or she would probably have been misled (paragraph 30). The applicability of Lord Denning’s famous red-hand test to website disclaimers did not arise in this case. Likewise, the issue of a general website disclaimer, which is usually tucked away discreetly on many sites, was not considered, but the case supports the generally agreed view that such a practice is effective for standard disclaimer terms.

3. Don’t mislead…

Of course, most problems can be avoided altogether if your website is not misleading. The problem in this case arose not because of any statement actually being untrue, but because some information was incomplete, and therefore was misleading. SPATA could have, for example:

1. Provided full details about its membership structure and clarified that certain companies are only “affiliates” and not “full members”; or
2. Removed the membership details and instructed users to contact SPATA for full membership details.

The bottom line is that if you say something on your website, it must not be misleading. Of course, in New Zealand it is possible that the Patchett’s would have had a claim under section 9 of the Fair Trading Act 1986 (FTA) for misleading and deceptive conduct. The FTA cannot be contracted out of.

4. Pay attention to your website

It is not uncommon to see websites with incomplete or outdated information, especially where the website is of a “supplemental” nature to the business or organisation, and the “primary” information is offline in physical form such as information packs. It is also not uncommon for websites to be maintained entirely by a third party (e.g. a web hosting company) or a sole administrator. There are probably many (if not most) organisations with websites that have never been fully reviewed for accuracy and legal risks by the board or a senior manager. The SPATA case highlights just how important it is to ensure that website statements are not misleading and that appropriate disclaimers and other precautions are always kept in place. Information also needs to be kept up to date to ensure it is always correct and does not become misleading if it gets out of date.