Dealing with malicious third-party content

Last week’s Trade Me virus attack raises a number of legal issues, including:

  1. What laws prevent a malicious advertiser from using an innocent third-party’s site (in this case Trade Me) as a virus vector?
  2. Can the affected users (estimated at several thousand) claim compensation from anyone?
  3. What can / should website operators do to protect themselves?
  4. What is the position of the unwitting “advertiser”?

My thoughts on each below:

1. Laws preventing “virus advertisements”

The Herald reports:

Ford said users’ computers contracted the virus through a malicious advertisement supposedly from Lonely Planet. Trade Me accepted the advertisement online from someone who claimed to represent the travel book company.

There are two distinct possible criminal scenarios in the Trade Me attack: first, the act by the advertiser of configuring and uploading the malicious ad; second, the damage intended by the advertiser to be done by the malware to third parties.

As to the first, the ad in question was “false” in that it was not from who it claimed to be from, and was apparently designed to trick users into downloading a virus. It is not a crime merely to place a “false” or malicious advertisement as such (though placing a false birth, death or marriage notice incurs a fine!), unless some other element such as fraud is present. Also, the malicious activity in this case was clearly not targeted against Trade Me, but against its users.

Which brings us to the second scenario, where it is a crime to interfere with or damage a computer system (s 250 Crimes Act), to access a system for a dishonest purpose (s 249 Crimes Act), to distribute certain types of malware (s 251 Crimes Act), and to access a computer system without authorisation (s 252 Crimes Act). If the intention is to trick users into paying money or other such tactics, fraud and other crimes may also be committed. Potentially serious stuff.

It is not clear what the malware did, or what the advertiser intended. It seems that there was no malicious code in the advertisement itself. But if the purpose of the advertisement was to cause such malware to be installed on victims’ computers, it is likely to be criminal activity, or soon to result in criminal activity if a virus is later caused to be downloaded. The placing of the ad was part of the overall activity of causing malware to be installed on victims’ computers. Even if the false advertisement was detected before anyone acted on it, an attempted criminal act may still have been committed.

Of course in a case such as this, it may be very difficult to track down the advertiser – and they are very likely to be from outside the jurisdiction anyway. That does not negate any criminal act, but it does mean that it may be impossible (or uneconomical) to prosecute.

2. Can affected users claim compensation?

If a person deliberately installed (or caused to be installed) a virus or other malware on someone’s computer and caused them loss, the victim could claim compensation from the wrongdoer (such as for the cost of removing the malware and reinstating the system, loss of use of the computer in the meantime, lost data, etc.). Unfortunately, in most cases it will likely be uneconomic to prosecute for relatively minor loss, and in most cases the perpetrator will be unidentifiable and/or from overseas.

But what about claiming compensation from Trade Me – or any other website operator who is unknowingly used as a vector for transmitting malware? Trade Me had no prior knowledge of the malicious ad and appears to have taken all appropriate action as soon as it became aware of the problem. They are probably the most on-to-it company in NZ for handling online risks.

However, if a less on-to-it operator was negligent in allowing an ad to be placed or in allowing it to remain on the site, resulting in harm to users, then a claim could possibly be brought against that website operator (though I am not aware of any case establishing a duty of care in these circumstances). There is also the possibility of bringing a claim under the Consumer Guarantees Act on the basis of a “service” being provided.

However, the cost of making such a claim (a civil claim) would be significant, and if the virus was successful due in large part to the victim not having proper antivirus software, etc then a Court could reduce any compensation due to the victim’s contributory negligence.

3. Managing website owners’ liability

Website operators are often in the difficult position of having unknown users come onto their site and take certain actions, such as placing ads or other content that may or may not be proper and lawful. I have written before that in recent years the Courts have taken a pragmatic approach that recognises this modern reality – that website operators are to a large extent reliant on their users acting properly, and cannot be expected to monitor everything in real time or alter their business models due to a few miscreants [e.g. see here, here and here].

But it is still incumbent on website operators to ensure they have some measure of legal protection, and the primary tool for website operators is a disclaimer. In many cases, a simple disclaimer will do. In other cases, a detailed set of website terms and conditions is advisable. For e-commerce sites in particular, getting a proper set of terms and conditions right at the outset is a highly efficient way to greatly reduce risk for many years of trading to come.

Some terms and conditions attempt to expressly exclude liability for malicious advertising and malware risks via language such as:

We do not warrant or represent that our website will not cause damage or is free from any computer virus or any other defects, errors, or malicious third-party use. We accept no responsibility whatsoever for any third-party use of our website or content uploaded to or transmitted by our website. You accept full responsibility for ensuring your computer has effective security software including up-to-date antivirus and anti-malware software.

4. The unwitting “advertiser”

It was Lonely Planet whose good name was falsely used by the party placing the dodgy ads. It is likely that if a company’s name is misused in such a manner, the company will have a claim against the false advertiser (if they can be found and if it is worth it) for defamation, malicious falsehood, and possibly under the Fair Trading Act.

Getting to yes, but at what cost?

My latest Computerworld article is now available online:

In New Zealand, several laws are relevant to allegations of deceit or misrepresentation in trade, the most significant of which is the Fair Trading Act 1986. The key part of this Act states that “no person shall, in trade, engage in conduct that is misleading or deceptive or is likely to mislead or deceive.” The Act cannot be excluded by contract, and applies to virtually all local commercial dealing.

BSkyB v EDS provides a useful example, applicable in New Zealand, of a vendor impliedly misrepresenting that there was a proper foundation for making a statement in a pre-contractual situation. The message is that such conduct (making a representation without foundation) may not simply be “negligent” or an oversight, but may be found to be deceitful.

Since publication, it has been announced that HP (which bought EDS) will pay a total settlement of £318 million (~NZ$680 million), and will not appeal the High Court judgment.

An amusing aspect of the trial involving a barrister’s dog is mentioned here.

The judgment itself is here.

Website disclaimers – yes, they do work

Website disclaimers (you know, the least-read page of any website containing the legal terms and conditions), while commonplace, have long been an ever-so-slightly grey area of the law. The basic principles are clear enough:

  1. A person can be held liable (in certain circumstances) to a third party for negligent statements.
  2. It is possible to disclaim liability for negligent statements.

Accordingly, it is customary on many, if not most, websites to include a disclaimer such as: “This information is of a general nature only, and is not professional advice”. Or “This information is provided ‘as is’, and we accept no liability for its accuracy”.

Surprisingly, however, there had not been a Commonwealth court decision (of high authority) on their effectiveness until recently. As a result, there has been some small degree of uncertainty over basic questions, such as:

  1. In what circumstances is there a legal “duty of care” between a website operator and members of the public reading the website?
  2. In what circumstances will a disclaimer protect the website operator from liability?

The UK Court of Appeal recently reviewed these issues for the first time in the case Patchett v SPATA [2009] EWCA Civ 717 (15 July 2009).

The facts are briefly as follows.

Mr & Mrs Patchett decided to install a swimming pool. They searched on Google, and found the website of the Swimming Pool & Allied Trades Association (SPATA). SPATA is a voluntary UK trade body representing UK swimming pool installers. On the “about us” page, it stated:

“Installing a swimming pool is a specialised task requiring skills and technical expertise in a number of different areas. One way of guaranteeing that the pool installation company has this expertise, is to make sure they are a member of the Swimming Pool and Allied Trades Association (SPATA) before contacting them for a quotation… SPATA pool installer members are fully vetted before being admitted to membership, with checks on their financial record, their experience in the trade and inspections of their work. They are required to comply fully with the SPATA construction standards and code of ethics, and their work is also subject to periodic re-inspections after joining. Only SPATA registered pool and spa installers belong to SPATASHIELD, SPATA’s unique Bond and Warranty Scheme offering customers peace of mind that their installation will be completed fully to SPATA Standards – come what may!”

There was also a function for requesting an “information pack” (which would be sent by post) containing more information about the warranty and member requirements.

The website had a “member finder” function to help visitors find SPATA members near to them. The Patchetts used the function to locate Crown Pools Limited, who they hired to install their pool. Unfortunately, Crown became insolvent before completing the job, but after the Patchetts had paid their money. It soon emerged that Crown had not been financially vetted by SPATA, and was not even a full member, despite the Patchetts having been referred to Crown via SPATA’s website. As Crown was insolvent, the Patchetts attempted to sue SPATA on the basis that statements on its website – which suggested Crown was reliable and financially sound – were negligent.

The issues and findings

The issue, essentially, was whether SPATA was liable for negligently implying that all businesses listed on its website were reliable and of good financial standing.

The court (comprising three judges) found that the statements on SPATA’s website were, to some degree, negligent. Specifically, the statement shown above failed to mention that there were two types of membership – “full membership” and “affiliate membership”. Only “full” members were financially vetted and included in the warranty programme. The ‘member finder’ included both types of member without differentiation. As Crown Pools Limited was only an “affiliate” member of SPATA, it was not covered by the warranty or financially vetted. The statements on the website were, therefore, misleading, and capable of making SPATA liable for its negligent misstatement.

The court then considered whether there was a duty of care between SPATA and the Patchetts. While agreeing on the relevant legal principles, in particular the requirement that it be reasonably foreseeable that a person would act on advice without further inquiry, the court was divided on its finding.

The majority of the court found that there was no duty of care. The statement encouraging users to request an information pack meant that SPATA could not have expected a user to act on the information without making further inquiry, by ordering the information pack. In other words, SPATA expected that users would treat the website as the “first step in the process” and always request the information pack, which would explain the full story about the membership statuses. Because the Patchetts had not done so, SPATA would not be liable.

The minority of the court (Smith LJ) disagreed, and found that there was a duty of care. The dissenting view of Smith LJ is worth noting:

“There is nothing to suggest that the information pack might in any way limit the reliance which the customer can place upon the statement that a particular installer is a member of SPATA and is therefore a good contractor to engage. Nor is there anything to suggest that the information pack is necessary as a check on the accuracy of the information provided on the site itself. Of course, if the information pack had been requested and read, the customer would have discovered the mistake made on the website and would have found out that Crown was not a member of SPATA. But that fact should, in my view, be put out of mind, when considering whether, on an objective reading, there was an expectation that the customer would not rely on the website without the information pack. I do not accept that, objectively considered, this website was merely ‘the first step in the process’. The customer was given an option whether to ask for the further information in the pack. In my view, on reading the website, the customer might ask himself whether he needed the information pack and might well decide that he did not.”

Important findings

Although the court was divided on the outcome, it has given some important findings which will no doubt be relevant in subsequent cases:

  1. The court confirmed that “no different legal principles apply to misrepresentations on a website than to those anywhere else in the public domain.” While this has always been considered the position (after all, why should there be different treatment for websites?), it is nice to have a clear statement of judicial confirmation.
  2. Although the majority did not find a duty here, the court was unanimous that a duty of care can arise from statements on a website. Interestingly, the lead judge (Lord Clarke MR) appeared to suggest that this possibility was limited to “interactive” sites: “Some websites are interactive and it may be possible, applying the principles outlined above, to conclude in particular circumstances that a duty is owed.” Unfortunately, there was no further discussion on this point, such as what “interactive” might mean and how that would give rise to a duty of care over a “non-interactive” site (as the SPATA site presumably was). It should be noted that New Zealand courts apply slightly different legal tests in determining whether a duty of care exists (see this article for details).
  3. The majority accepted that a negligent statement on a website was, in effect, remedied by a disclaimer elsewhere on the site. I note that the critical statement (the encouragement to request an information pack) was not expressly a disclaimer, in that it did not expressly purport to “disclaim” anything. But the majority’s view was that the information pack statement made it unreasonable for a user to rely on the website alone, without requesting the information pack.

Key lessons

The majority judgment is not entirely convincing, but the case does reiterate some important messages:

1. Have a disclaimer

There was no general website disclaimer in this case (e.g. a “terms & conditions” page). Instead, the majority found that the simple statement encouraging users to request the information pack in one part of the website was, in effect, a disclaimer for negligent statements elsewhere. Ensure that your website has an appropriately worded disclaimer. These do not need to be lengthy, complex blocks of text. In light of this case, the key points they need to make are:

  • Instruct users to make their own, independent inquiries before acting on any information.
  • State that all information is of a general nature only and must not be taken as specific or complete advice.

2. Display the disclaimer (or a link to it) prominently

Ensure that the disclaimer is reasonably prominent. While the issue of bringing a disclaimer to the user’s attention was not expressly discussed in this case, if the critical statement (the “quasi-disclaimer” regarding the information pack) had been buried away in a hard-to-locate part of the website, the result may have been different. The court acknowledged that if a reader had not read about the information pack, he or she would probably have been misled (paragraph 30). The applicability of Lord Denning’s famous red-hand test to website disclaimers did not arise in this case. Likewise, the issue of a general website disclaimer, which is usually tucked away discreetly on many sites, was not considered, but the case supports the generally agreed view that such a practice is effective for standard disclaimer terms.

3. Don’t mislead…

Of course, most problems can be avoided altogether if your website is not misleading. The problem in this case arose not because of any statement actually being untrue, but because some information was incomplete, and therefore was misleading. SPATA could have, for example:

  1. Provided full details about its membership structure and clarified that certain companies are only “affiliates” and not “full members”; or
  2. Removed the membership details and instructed users to contact SPATA for full membership details.

The bottom line is that if you say something on your website, it must not be misleading. Of course, in New Zealand it is possible that the Patchetts would have had a claim under section 9 of the Fair Trading Act 1986 (FTA) for misleading and deceptive conduct. The FTA cannot be contracted out of.

4. Pay attention to your website

It is not uncommon to see websites with incomplete or outdated information, especially where the website is of a “supplemental” nature to the business or organisation, and the “primary” information is offline in physical form such as information packs. It is also not uncommon for websites to be maintained entirely by a third party (e.g. a web hosting company) or a sole administrator. There are probably many (if not most) organisations with websites that have never been fully reviewed for accuracy and legal risks by the board or a senior manager. The SPATA case highlights just how important it is to ensure that website statements are not misleading and that appropriate disclaimers and other precautions are always kept in place. Information also needs to be kept up to date to ensure it is always correct and does not become misleading if it gets out of date.