Dealing with malicious third-party content

Last week’s Trade Me virus attack raises a number of legal issues, including:

  1. What laws prevent a malicious advertiser from using an innocent third-party’s site (in this case Trade Me) as a virus vector?
  2. Can the affected users (estimated at several thousand) claim compensation from anyone?
  3. What can / should website operators do to protect themselves?
  4. What is the position of the unwitting “advertiser”?

My thoughts on each below:

1. Laws preventing “virus advertisements”

The Herald reports:

Ford said users’ computers contracted the virus through a malicious advertisement supposedly from Lonely Planet. Trade Me accepted the advertisement online from someone who claimed to represent the travel book company.

There are 2 distinct possible criminal scenarios in the Trade Me attack: first, the act by the advertiser of configuring and uploading the malicious ad. Second, the damage the advertiser intended the malware to do to third parties.

As to the first, the ad in question was “false” in that it was not from who it claimed to be from, and was apparently designed to trick users into downloading a virus. It is not a crime merely to place a “false” or malicious advertisement as such (though placing a false birth, death or marriage notice incurs a fine!), unless some other element such as fraud is present. Also, the malicious activity in this case was clearly not targeted against Trade Me, but against its users.

Which brings us to the second scenario, where it is a crime to interfere with or damage a computer system (s 250 Crimes Act), to access a system for a dishonest purpose (s 249 Crimes Act), to distribute certain types of malware (s 251 Crimes Act), and to access a computer system without authorisation (s 252 Crimes Act). If the intention is to trick users into paying money or other such tactics, fraud and other crimes may also be committed. Potentially serious stuff.

It is not clear what the malware did, or what the advertiser intended. It seems that there was no malicious code in the advertisement itself. But if the purpose of the advertisement was to cause such malware to be installed on victims’ computers, then placing it is likely to be criminal activity in itself, or to become criminal activity as soon as a virus is actually caused to be downloaded. The placing of the ad was part of the overall activity of causing malware to be installed on victims’ computers. Even if the false advertisement was detected before anyone acted on it, an attempted criminal act may still have been committed.

Of course in a case such as this, it may be very difficult to track down the advertiser – and they are very likely to be from outside the jurisdiction anyway. That does not negate any criminal act, but it does mean that it may be impossible (or uneconomical) to prosecute.

2. Can affected users claim compensation?

If a person deliberately installed (or caused to be installed) a virus or other malware on someone’s computer and caused them loss, the victim could claim compensation from the wrongdoer (such as for the cost of removing the malware and reinstating the system, loss of use of the computer in the meantime, lost data, etc.). Unfortunately, in most cases it will likely be uneconomic to pursue a claim for relatively minor loss, and in most cases the perpetrator will be unidentifiable and/or from overseas.

But what about claiming compensation from Trade Me – or any other website operator who is unknowingly used as a vector for transmitting malware? Trade Me had no prior knowledge of the malicious ad and appears to have taken all appropriate action as soon as it became aware of the problem. They are probably the most on-to-it company in NZ for handling online risks.

However, if a less on-to-it operator was negligent in allowing an ad to be placed or in allowing it to remain on the site, resulting in harm to users, then a claim could possibly be brought against that website operator (though I am not aware of any case establishing a duty of care in these circumstances). There is also the possibility of bringing a claim under the Consumer Guarantees Act on the basis of a “service” being provided.

However, the cost of making such a claim (a civil claim) would be significant, and if the virus was successful due in large part to the victim not having proper antivirus software, etc then a Court could reduce any compensation due to the victim’s contributory negligence.

3. Managing website owners’ liability

Website operators are often in the difficult position of having unknown users come onto their site and take certain actions, such as placing ads or other content that may or may not be proper and lawful. I have written before that in recent years the Courts have taken a pragmatic approach that recognises this modern reality – that website operators are to a large extent reliant on their users acting properly, and cannot be expected to monitor everything in real time or alter their business models due to a few miscreants [e.g. see here, here and here].

But it is still incumbent on website operators to ensure they have some measure of legal protection, and the primary tool for website operators is via a disclaimer. In many cases, a simple disclaimer will do. In other cases, a detailed set of website terms and conditions is advisable. For e-commerce sites in particular, getting a proper set of terms and conditions one time at the outset is a highly efficient way to greatly reduce risk for many years of trading to come.

Some terms and conditions attempt to expressly exclude liability for malicious advertising and malware risks via language such as:

We do not warrant or represent that our website will not cause damage or is free from any computer virus or any other defects, errors, or malicious third-party use. We accept no responsibility whatsoever for any third-party use of our website or content uploaded to or transmitted by our website. You accept full responsibility for ensuring your computer has effective security software including up-to-date antivirus and anti-malware software.

4. The unwitting “advertiser”

It was Lonely Planet whose good name was falsely used by the party placing the dodgy ads. It is likely that if a company’s name is misused in such a manner, the company will have a claim against the false advertiser (if they can be found and if it is worth it) for defamation, malicious falsehood, and possibly under the Fair Trading Act.

Tech law news 20 April 2010

ACTA deal and 3-strikes disconnection

ACTA negotiators have issued a statement that the agreement will not require participant countries to implement 3-strike internet disconnection laws. As it happens, the Government’s revised s92A bill (currently before parliament) still provides for disconnection in limited circumstances, but only as a Court-sanctioned remedy.

ICT finance regulation

Computerworld has an article on the upcoming financial services reform and its possible impact on ICT finance providers:

It is not clear which financial providers in the IT industry will be affected. The MED says that, in general, if an organisation is providing credit under a credit contract, then they are offering a financial service and the registration requirement will apply, meaning they have to join a dispute resolution service.

Consumer finance customers (i.e. those obtaining finance for personal or domestic purposes) already receive a good measure of protection under the Credit Contracts and Consumer Finance Act 2003. The new reforms are still being refined; the extent to which they will affect finance operators remains to be seen.

Government indemnities

The Government recently amended clause 4 of the Public Finance (Departmental Guarantees and Indemnities) Regulations 2007 to permit Government departments to agree to:

any guarantee or indemnity contained in the standard terms and conditions for the purchase, licence, or use by the Crown of—

(i) an Internet site;
(ii) software;
(iii) information technology tools, products, or services.

Many websites include indemnities in their standard terms (for example, merely by reading the New Zealand Herald website you agree to an indemnity). This change makes it more practicable for the Government to use common online and software applications, without having to obtain internal sign-offs.

The “Immortal Soul” clause

On the subject of website terms, a website recently added an “immortal soul” clause to its terms and conditions:

By placing an order via this Web site on the first day of the fourth month of the year 2010 Anno Domini, you agree to grant Us a non transferable option to claim, for now and for ever more, your immortal soul.

While this was an April Fool’s Day prank, its purpose was to highlight the fact that very few people actually read website terms. In any case, something tells me this would not be an enforceable website term!

Tech Law news 26 March 2010

Restraints of trade in employment

Computerworld reports on an Employment Relations Authority decision upholding a restraint of trade clause for a former IT account manager. Restraint clauses are common in the IT industry, as in others, and can be particularly important given the significance of IP and know-how in the IT sector. The article notes that the decision “belies the commonly-held belief that restraint of trade clauses are difficult to enforce”. It is true that the ERA and the Courts will strike down or limit unreasonable restraint clauses, but in recent years the Courts have tended to uphold restraint clauses. The conduct of the parties post-termination is also likely to be relevant, with “bad behaviour” on either side likely to be taken into account by the relevant authority.

Website terms

My latest Computerworld article is now online: Analysis: Cases clarify requirements for website terms of use

Facebook privacy investigation

The EU is investigating whether posting photos and other information about people on Facebook without their consent is a breach of privacy law. Privacy is a rapidly developing area, and the EU (for better or worse) leads the world in this area. The policies adopted in the EU are likely to influence privacy policy in other jurisdictions, including New Zealand where the Law Commission recently recommended leaving privacy to develop at common law (i.e. develop “organically”). It is reasonable to expect that with privacy, where Europe goes, the UK will go; and where the UK goes, New Zealand will eventually go.

Tech Law news 16 March 2010

Mozilla Public License

The Mozilla Public License is going to be redrafted. Although this license is only used by about 2% of open source projects, it is the main license used by Firefox and Thunderbird. A controversial question is whether the new version will be compatible with the Apache license, a permissive (non-copyleft) license that allows commercial use without requiring derivative works to be released under the same terms.

Ask before linking?

An amusing story about a blogger who actually applied to get written consent before linking to the Royal Mail website, as required by its website terms. This is a relatively common provision in website terms. New Zealand Post’s terms include the provision too (under the heading “Hypertext Links”). While such a provision could, technically, be binding, in practice it will be entirely unenforceable and is therefore pointless. The ongoing presence of the clause in so many website terms is a good example of “precedent” terms being copied without much thought.

“Subject to contract” agreement can be binding

The UK’s highest court, the UK Supreme Court (which replaced the Appellate Committee of the House of Lords in 2009), has ruled that an unsigned agreement, which was “subject to contract”, had actually become binding because the parties acted as if it had. The Court said:

“… we do not think that the reasonable honest businessman in the position of either RTS or Müller would have concluded as at 25 August that there was no contract between them … all the terms which the parties treated as essential were agreed and the parties were performing the contract without a formal contract being signed or exchanged … The only reasonable inference to draw is that … the parties had in effect agreed to waive the ‘subject to contract’ provision.”

It is quite common for technology contracts to get underway before a formal contract is signed. This case is a good reminder that, even where an unsigned agreement clearly states it to be “subject to contract”, one party may not be able to walk away from it if their behaviour is clearly consistent with a binding agreement having been reached.

Enforceability of Website Terms

I have written an article here on 2 recent US cases about the enforceability of website terms & conditions. The cases provide good examples of basic contract law principles – here, reasonable notice and agreement – being applied to website terms. They deal with common law contract principles that are equally relevant in New Zealand.

In one case, the website terms were binding. In the other, they were not. These decisions do not change the law, but they are useful reminders not to overlook your disclaimers when designing a website.

Full article: Update on Enforceability of Website Terms, February 2010

Lex mercatoria and e-commerce: a small step

A court decision has taken a small step – in the right direction – towards recognising customary practices and policy considerations in applying online terms and conditions.

In the case Miller v Facebook (15 January 2010, US District Court, Georgia), the plaintiff claimed that part of Facebook’s terms and conditions did not apply – specifically, the clause requiring any claims to be brought in Facebook’s home state of California (known as a “forum selection” or jurisdiction clause). The court said:

“striking the forum selection clause could wreak havoc on the entire social-networking internet industry. If this court were to determine that the forum selection clause contained in Facebook’s TOU was unenforceable, the company could face litigation in every state in this country and in nations around the globe which would have potential adverse consequences for the users of Facebook’s social-networking site and for other internet companies”

The court therefore upheld Facebook’s forum selection clause.

Common law legal systems (such as New Zealand, the UK, the US and Australia) have long recognised “customs of merchants” (the lex mercatoria) in applying and shaping the law. There are good reasons why the common law has done so, going back many centuries: it provided certainty for commerce, recognised accepted “best practice”, and promoted uniformity conducive to trade. To ignore it would have been to potentially disrupt and destabilise commercial dealings.

For the same reasons, as the common law is continuously evolving, the customs of “e-merchants” should also be taken into account by courts.

This is likely to be relevant to the enforceability of website terms and conditions. There have been a number of cases in the past year involving disputes over whether or not website terms are binding (for example Website disclaimers – yes, they do work). Some have argued that a standard link to a disclaimer is insufficient. There are a number of legal grounds for finding it is sufficient (and a growing number of cases have upheld them – successful challenges are rare).

However, there is a good argument that such practice is now also customary. Many websites have a disclaimer link, often at the bottom of the page. It is commonly understood that when you use a website, there may be a “Terms of use” or “Disclaimer” link. That is accepted and, today, could be said to be the custom for online business. The common law should not disregard the accepted, reasonable and necessary practices established by modern merchants.

Although the Facebook decision is only a lower-court procedural ruling, it provides an encouraging demonstration of a court’s willingness to consider the new lex mercatoria (and other policy considerations), and the perils of the law ignoring them, relating to e-commerce.