Mega and the Sgt Schultz approach to copyright law

schultz

Sgt Schultz sees no copyright infringement

“I think Mega is using encryption not for the security of their users but their own personal legal protection,” Woodward added.  “I cannot imagine anyone who understands encryption would trust their precious data to Mega’s scheme as it currently stands. It would appear that Mega is after people who are looking for somewhere to store their data with a provider who wishes to adopt a position of ‘see no evil’.”

Alan Woodward, from the Department of Computing at the University of Surrey

The most touted aspect of Kim Dotcom’s new Mega site is its encryption – but this feature is said to be as much for Mega’s protection as for its users:

According to Dotcom, Mega has a sophisticated encryption system which will allow users to encode their files before they upload them onto the site’s servers, which Dotcom says are located both in New Zealand and overseas…

As a result, the site’s operators would have no access to the files, which they say would strip them from any possible liability for knowingly enabling users to distribute copyright-infringing content.

Any allegation of copyright infringement against Mega would presumably be met with a response along the lines of “I see nothing!” due to Mega’s claimed (and self-imposed) inability to access the user-encrypted files.

But is it that simple to avoid prosecution for copyright infringement – by simply “seeing no evil”? In a word, no: though a lack of actual knowledge can make prosecution more difficult, a person may still be liable on the basis of constructive knowledge of infringing material. For example, section 36(a) of the Copyright Act 1994 states:

Copyright in a work is infringed by a person who, in New Zealand, other than pursuant to a copyright licence … possesses in the course of a business … an object that is, and that the person knows or has reason to believe is, an infringing copy of the work.

On the issue of constructive knowledge in copyright cases, Justice Smellie said in Husqvarna Forest & Garden Ltd v Bridon NZ Ltd [1997] 3 NZLR 215:

Constructive knowledge is appropriately imputed in other areas of law, if a party wilfully closes its eyes to the obvious or wilfully fails to make those inquiries that an honest and reasonable person in the circumstances would have made.

Thus, adopting a “see no evil” approach does not provide a free ride over copyright law.

In some cases the inability to access stored files will actually make it harder to gain protection from “safe harbour” provisions designed to protect service providers. In New Zealand, section 92C of the Copyright Act 1994 provide such safe harbour protection. However, this protection does not apply where the website:

… does not, as soon as possible after becoming aware of the infringing material, delete the material or prevent access to it.

This requirement does not apply only where the website has actual knowledge of copyright infringement; it also applies where there is “reason to believe” (i.e. the constructive knowledge test mentioned above) that there is copyright infringement. In either case if, having received a complaint, the website does not delete or prevent access to the allegedly infringing material, they will potentially lose the legal protection the section affords.

The new Mega has a top legal team behind it – it claims to have “the most legally scrutinsed business plan in start-up history”, and the old saying about Telecom being a law firm with a large IT department comes to mind – and to be clear Mega is not, to my knowledge, betting the legitimacy of its site solely on the “see no evil” basis described by some media. Lead adviser Ira Rothken makes the comparison with the early legal challenges mounted against the VCR, in which Hollywood studios claimed that VCR’s facilitated copyright infringement:

Rothken responds that many technologies have dual uses, but on balance provide more public good. That’s how the VCR stayed on the market, despite facilitating video piracy. The same argument applies to cloud computing as a whole, he says.

Rothken is referring to the famous decision in which the US Supreme Court ruled (5-4) that VCRs were lawful because even though they could be used to break the law, they had significant non-infringing uses. It is perhaps a stretch to apply that to cloud computing as a whole, but certainly an argument can be made. In New Zealand there is also the availability of section 92B of the Copyright Act, which states (in part):

Merely because [a person] uses the Internet services of the Internet service provider in infringing the copyright, the Internet service provider, without more, does not infringe the copyright in the work…

The scope of this section, and what “without more” means in each case (including in relation to relatively new legal scenarios such as Mega raises), are the key questions and ones on which international case law and evidence will likely be relevant.

Website security privacy complaint

A recent case note issued by the Privacy Commissioner is a reminder that insecure website design is more than just a programming and credit card issue, but can result in potential privacy complaints. Credit card information was not involved in this particular incident – it was personal travel booking details instead:

A customer purchased travel related services from a company. The company sent him an email with a link to his booking details on its website. The customer noticed that the website URL link ended with his booking number. He observed that by changing the booking number, he could view booking details for other customers. He realised that other individuals would also be able to view his booking information.

The case note says that the travel company in question contacted its website design company, who fixed the problem very quickly.

Insecure URLs, or more specifically insecure query strings, are a prime cause of this type of disclosure. However, they are fundamental and somewhat trivial for competent web-designers to secure. In this case, it sounds as if the travel company acted responsibly, and was probably not aware of the flaw, instead relying on its website designer to build a reasonably secure site. If the travel company did suffer loss as a result of poor (insecure) website design, they may be able to seek compensation from the designer – this will depend on the contract between the travel company and the website designer. The travel company could also limit its liability to customers with an appropriate disclaimer (which could take into account that the website was designed by another firm), although it is not possible to exclude all liability in this manner.

Another, often overlooked, way for firms to gain some protection from these types of incidents is technology liability insurance offered by some insurers – for example, Lumley Insurance’s Technology Liability Insurance.

Dealing with malicious third-party content

Last week’s Trade Me virus attack raises a number of legal issues, including.

  1. What laws prevent a malicious advertiser from using an innocent third-party’s site (in this case Trade Me) as a virus vector?
  2. Can the affected users (estimated at several thousand) claim compensation from anyone?
  3. What can / should website operators do to protect themselves?
  4. What is the position of the unwitting “advertiser”?

My thoughts on each below:

1. Laws preventing “virus advertisements”

The Herald reports:

Ford said users’ computers contracted the virus through a malicious advertisement supposedly from Lonely Planet. Trade Me accepted the advertisement online from someone who claimed to represent the travel book company.

There are 2 distinct possible criminal scenarios in the Trade Me attack: first, the act by the advertiser of configuring and uploading the malicious ad. Second, the damage intended by the advertiser to be done by the malware to third parties.

As to the first, the ad in question was “false” in that it was not from who it claimed to be from, and was apparently designed to trick users into downloading a virus. It is not a crime merely to place a “false” or malicious advertisement as such (though placing a false birth, death or marriage notice incurs a fine!), unless some other element such as fraud is present. Also, the malicious activity in this case was clearly not targeted against Trade Me, but against its users.

Which brings us to the second scenario, where it is a crime to interfere with or damage a computer system (s 250 Crimes Act), to access a system for a dishonest purpose (s 249 Crimes Act),  to distribute certain types of malware (s 251 Crimes Act), and to access a computer system without authorisation (s252 Crimes Act). If the intention is to trick users into paying money or other such tactics, fraud and other crimes may also be committed. Potentially serious stuff.

It is not clear what the malware did, or what the advertiser intended. It seems that there was no malicious code in the advertisement itself. But if the purpose of the advertisement was to cause such malware to be installed on victims’ computers, it is likely to be criminal activity or soon result in criminal activity if a virus is later caused to be downloaded. The placing of the ad was part of the overal activity of causing malware to be installed on victims’ computers. Even if the false advertisement was detected before anyone acted on it, an attempted criminal act may still have been committed.

Of course in a case such as this, it may be very difficult to track down the advertiser – and they are very likely to be from outside the jurisdiction anyway. That does not negate any criminal act, but it does mean that it may be impossible (or uneconomical) to prosecute.

2. Can affected users claim compensation?

If a person deliberately installed (or caused to be installed) a virus or other malware on someone’s computer and caused them loss, the victim could claim compensation from the wrongdoer, such as for the cost of removing the malware and reinstating the system, loss of use of the computer in the meantime, lost data, etc). Unfortunately, in most cases it will likely be uneconomic to prosecute for relatively minor loss, and in most cases the perpetrator will be unidentifiable and/or from overseas.

But what about claiming compensation from Trade Me – or any other website operator who is unknowingly used as a vector for transmitting malware? Trade Me had no prior knowledge of the malicious ad and appears to have taken all appropriate action as soon as it became aware of the problem. They are probably the most on-to-it company in NZ for handling online risks.

However, if a less on-to-it operator was negligent in allowing an ad to be placed or in allowing it to remain on the site, resulting in harm to users, then a claim could possibly be brought against that website operator (though I am not aware of any case establishing a duty of care in these circumstances). There is also the possibility of bringing a claim under the Consumer Guarantees Act on the basis of a “service” being provided.

However, the cost of making such a claim (a civil claim) would be significant, and if the virus was successful due in large part to the victim not having proper antivirus software, etc then a Court could reduce any compensation due to the victim’s contributory negligence.

3. Managing website owners’ liability

Website operators are often in the difficult position of having unknown users come onto their site and take certain actions, such as placing ads or other content that may or may not be proper and lawful. I have written before that in recent years the Courts taken a pragmatic approach that recognises this modern reality – that website operators are to a large extent reliant on their users acting properly, and cannot be expected to monitor everything in real time or alter their business models due to a few miscreants [e.g. see here, here and here].

But it is still incumbent on website operators to ensure they have some measure of legal protection, and the primary tool for website operators is via a disclaimer. In many cases, a simple disclaimer will do. In other cases, a detailed set of website terms and conditions is advisable. For e-commerce sites in particular, getting a proper set of terms and conditions one time at the outset is a highly efficient way to greatly reduce risk for many years of trading to come.

Some terms and conditions attempt to expressly exclude liability for malicious advertising and malware risks via language such as:

We do not warrant or represent that our website will not cause damage or is free from any computer virus or any other defects, errors, or malicious third-party use. We accept no responsibility whatsoever for any third-party use of our website or content uploaded to or transmitted by our website. You accept full responsibility for ensuring your computer has effective security software including up-to-date antivirus and anti-malware software.

4. The unwitting “advertiser”

It was Lonely Planet whose good name was falsely used by the party placing the dodgy ads. It is likely that if a company’s name is misused in such a manner, the company will have a claim against the false advertiser (if they can be found and if it is worth it) for defamation, malicious falsehood, and possibly under the Fair Trading Act.

Whale Oil case: lessons for bloggers

My brief post yesterday noted Judge Harvey’s starting proposition that the Police v Slater case was not about the merits of name suppression orders in the 21st century, but was simply about whether the defendant’s conduct breached the law as it stands (albeit in a novel circumstance). And the judge got it right.* But the judgment also provided some useful observations of more general application. Some of these include:

While the case involved posts made by the blog owner himself, what is the position of comments by third parties? Judge Harvey noted:

… most administrators or supervisors of blog sites or those occupying the position of Mr Slater must hold some responsibility for the comments that are posted. Mr Slater in his DVD interview indicated that he exercised such supervisory power over his blog site. He would allow comments or postings of material with which he agreed. This indicates that he is able to delete or remove material or posts from the blog site. This would put Mr Slater in the position of a person of responsibility similar to that of the moderator in the case of Stratton Oakmont Inc v Prodigy Services Co.

The Prodigy case involved defamation, but the principle is the same: a person who knowingly permits defamatory, suppressed or other unlawful content to remain on a website under their control (or otherwise “assumes responsibility” for the material) may be held liable for that material. See my article here and posts here for more information.

On the other hand, the position where the website operator has no knowledge of unlawful material will usually be quite different. Recently, there have been a number of instances where Courts have taken a pragmatic view where website operators have little or no control over what their users do, or where attempting to introduce such controls would be very difficult. E.g. for a situation involving IP infringment see my post here and for a defamation situation see here. A similar situation arose today, with a US judge finding that eBay was not liable for its customers using its service to sell counterfeit jewelery. So lets be clear, the case does not mean that anyone operating a blog may be liable for what someone else posts. But for blogs with active moderation, or if the operator becomes aware of certain material posted on their site (or “ought to have” been aware of it), care should be taken, and editorial discretion exercised. Which is just common sense, and how many blogs operate anyway.

Whale’s lawyer also advanced an argument that, because the Whale Oil site is hosted on a server in San Antonio, Texas, there was no “publication” or relevant act in New Zealand, and therefore no crime under New Zealand law. Nice try, but with a judge as well versed in such matters – Judge Harvey literally wrote the book on internet law in New Zealand and teaches it at Auckland University – no cigar:

The reality of the situation therefore is that Mr Slater’s blog is available free of charge to internet users in New Zealand who may and do access it from time to time and therefore publication takes place in New Zealand… The evidence before me is that the material was able to be read and comprehended in New Zealand (thus constituting a publication) and the material was uploaded on the Whaleoil blog by Mr Slater present in New Zealand at the time. Thus acts necessary for publication – the creation of the material, the posting of the material and the availability of the material to be comprehended by readers in New Zealand – all took place within the jurisdiction.

What about a blog that doesn’t carry unlawful (suppressed, etc) material, but merely links to it? The judge noted the US DeCSS case, but left the question open for another day, saying:

“Following from that is the [hypothetical situation of a] New Zealand based blogger who may embed a link to the off-shore blogsite which contains the suppressed name. One should be cautious in such circumstances that one does not become involved in “publishing” by way of hypertext link… I have no doubt this point or something like it will fall to be decided in this country in some future case”.

Whale’s lawyer had attempted to argue that blogging was intrinsically “different”, and mentioning a suppressed name did not fall within the corners of the Criminal Justice Act definitions. He had also tried to argue that the Criminal Justice Act, passed in 1985, could not apply to blogs (which were not contemplated at that time) and must be limited to traditional news media. The judge rejected these lines of argument, saying:

Conceptually a blog is no different from any other form of mass media communication especially since it involves the internet which anyone who has an internet connection is able to access… It is publication. It is made to a wide audience. It goes beyond a private conversation over the telephone or, a coffee table or at a dinner party. It is the mass media element that accompanies the internet that places the blog within the same conceptual framework as any other form of mass media publication… In the age of mass communication and the internet, where everyone may be a publisher, that approach cannot be sustained. The law must continue to speak.

* So I have no doubt the decision here is correct, based on the current law and what has been reported. It has been interesting to read the comments (on Kiwiblog for example) of some, who should know better, but who are most upset that the judge did not take it on himself to legislate from the bench and reform the “broken” suppression regime and help bloggers to “expose crims”.  However as I wrote last year, I do think the law on suppression needs to change to a more open system. That is both desirable and inevitable, and parliament should act sooner rather than later on this.

Tech law news 12 April 2010

Government confirms ban on software patents

Commerce Minister Simon Power has confirmed that the Government will adopt the recommendation to ban software patents in New Zealand. The speed of this announcement is somewhat surprising, as lobbying against the ban had been signalled.

The Economist on shorter copyright terms

The Economist says it is “time to tip the balance back” on copyright terms:

Largely thanks to the entertainment industry’s lawyers and lobbyists, copyright’s scope and duration have vastly increased. In America, copyright holders get 95 years’ protection as a result of an extension granted in 1998, derided by critics as the “Mickey Mouse Protection Act”. They are now calling for even greater protection, and there have been efforts to introduce similar terms in Europe. Such arguments should be resisted.

In New Zealand, the copyright term is generally the life of the author plus 50 years – meaning that the period often cannot even be determined while the author is still alive.

Website operators: edit comments at your own risk

The Register reports on a recent case highlighting the defamation risk of editing website comments. A key issue in New Zealand is whether the website operator “assumes responsibility” for another person’s potentially defamatory comment. As I say in my article published here:

If your website publishes third-party content (e.g. forums, search results of other sites, user ratings, etc), ensure that you are not seen as “assuming responsibility” for that content. In practice, this can include not exercising editorial control over articles and comments. This will not always be possible or appropriate on some websites.

Enforceability of Website Terms

I have written an article here on 2 recent US cases about the enforceability of website terms & conditions. The cases provide good examples of basic contract law principles – here, reasonable notice and agreement – being applied to website terms. They deal with common law contract principles that are equally relevant in New Zealand.

In one case, the website terms were binding. In the other, they were not. These decisions do not change the law, but they are useful reminders not to overlook your disclaimers when designing a website.

Full article: Update on Enforceability of Website Terms, February 2010

Links to the cases: