TILBURG UNIVERSITY

Liability of Software Providers in the European Union

Master Thesis

Ivana Lackova

ANR: 591 867

June 21st, 2013

Supervisor: C.M.K.C. Cuijpers

Table of contents

Chapter 1 - Introduction
Chapter 2 - The situation in the USA
  2.1 Short excursus on the legislative history of §230 CDA and the related case law
  2.2 Zango v. Kaspersky
    2.2.1 Background of the case
    2.2.2 Drawbacks of Zango v. Kaspersky
  2.3 Zango v. PC Tools
  2.4 The end user and immunity of CSSPs according to §230 CDA
Chapter 3 - CSSP’s outputs and product liability in the EU
  3.1 Nature of CSSPs outputs
    3.1.1 Software in general - mere product or service?
    3.1.2 Are updates part of the software (product) or are they an additional service from the software provider?
  3.2 CSSPs liability to consumers on the internal market
    3.2.1 Liability for defective software
    3.2.2 Liability for unsafe software
Chapter 4 - CSSP’s liability according to the eCommerce Directive
  4.1 Can a CSSP classify as an information society service provider in the EU?
  4.2 If CSSPs qualify as information society service providers, will the exemptions from liability, also known as the “safe haven”, apply to them?
  4.3 Conclusion
Chapter 5 - CSSP’s liability in national legislation - The Slovak Republic and The Czech Republic
  5.1 General tort law
    5.1.1 The Slovak Republic and The Czech Republic until 31.12.2013
    5.1.2 The Czech Republic and the New Civil Code
  5.2 Goodwill protection
    5.2.1 The Slovak Republic and The Czech Republic until 31.12.2013
    5.2.2 The Czech Republic and the New Civil Code
Chapter 6 - Conclusion
Bibliography


Chapter 1 - Introduction

Computer security software providers (hereinafter also “CSSP(s)”) play a significant role in the cyber world by developing software that protects users from harmful content on the Internet and from harm caused to files by viruses, generally called malware. Malware for the purpose of this thesis can be defined as programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behavior.1

The outputs of CSSPs, mainly called security software packs, usually consist of various forms of firewall, anti-spam, anti- and anti-virus software.2 Therefore, the role of the CSSPs is not only to monitor and detect, but also to filter and possibly disallow malicious content. While performing these actions a mismatch can occur and the file or content detected as offensive may not be harmful. The owner of the software whose file was mistakenly detected as malware can suffer damage, because the end user cannot access their website or cannot use their program. The role of the end user in this situation is also important. The user can claim the goods (software, service) that were blocked and ask for a refund. However, there is another aspect - the scope of the control over the software that the CSSP provided to the user through program settings. This aspect cannot be overlooked either, because the CSSP should not be liable when the user adjusted his computer program settings and had control over the content.

This thesis will focus on the question whether CSSPs bear any liability in the European Union (hereinafter also “EU”) when their software mistakenly identifies a file or service as malware and removes the file or service, or blocks access to it. Nowadays, it is relatively clear in the United States of America (hereinafter also “USA”) what CSSPs can expect when their detection software (by mistake or by having too strict settings) filters and removes, or denies access to, the content of another software provider or interactive online service provider.

1 Official website of the Department of Homeland Security. (n.d.). An Undirected Attack Against Critical Infrastructure. Retrieved March 3, 2013, from www.us-cert.gov/control_systems/pdf/undirected_attack0905.pdf

2 e.g. ESET Smart security available at: “Internet Security With Firewall, Anti-Theft, Parental Control & more - ESET Smart Security.” ESET UK - , Internet Security & Virus Protection. Retrieved March 3, 2013, from http://www.eset.co.uk/Home/Smart-Security

Therefore, in order to provide guidelines for the EU, the situation in the USA will be described in Chapter 2 of the thesis. A key decision has been given in the case Zango v. Kaspersky3, which affirmed immunity for CSSPs according to §230(c)(2)(B) Communications Decency Act of 1996, 47 U.S.C. (hereinafter also “CDA”). The chapter briefly describes the situation before Zango v. Kaspersky and the case law related to CSSPs. Although Zango v. Kaspersky is the only known case of CSSP liability in the United States Court of Appeals, there are also some interesting claims and decisions on the District court level, which are included in the thesis. The last part of Chapter 2 will be focused on the end user, because a CSSP’s software could also be capable of causing harm. The question whether the relevant provisions of the CDA would have been applicable if the harm was caused to the user will be answered as well.

In Chapter 3, the focus will be on product liability of CSSPs. The research will be performed on the EU level and case law in the United Kingdom and Germany. As these countries have developed legal systems there is a higher probability that there were claims, where CSSPs were sued for damages in relation to filtering of legitimate material. Chapter 3 will also try to answer the question, whether CSSP’s outputs are definitely products or if there is space to consider their actions as a service. The question whether false positive detection can be considered as a defect of the product will be answered as well.

Consequently in Chapter 4 the definition of Computer security software providers according to European legislation, using existing Directives and case law will be provided. The basis for this chapter will be an answer to the question, whether CSSPs are information society service providers. The importance of this chapter is to identify whether or not CSSPs fall within the definition of information society service providers and whether or not there is immunity from liability.

Due to the author’s interest in the topic and deeper knowledge of the Slovak and Czech legal systems, the legislation of those countries will be included in the thesis. The forthcoming recodification of the Czech Civil Code, including the reform of the civil liability regime, which will come into force on January 1st, 2014,4 could prove very interesting. The general tort law as well as goodwill protection (alternatives to the USA legal institutes, which were used in the claims in the USA) according to Czech and Slovak legislation applicable for CSSPs will be discussed in Chapter 5.

3 Zango v. Kaspersky Lab, Inc., 2009 WL 1796746 (9th Cir. June 25, 2009)

4 Uvodni stranka - Obcansky zakonik. Uvodni stranka - Obcansky zakonik. Retrieved June 3, 2013, from http://obcanskyzakonik.justice.cz/cz/uvodni-stranka.html

The liability regime for CSSPs in case of blocking content as well as mismatches is not very clear in the EU. There is no exact legislation in the EU as opposed to the USA. So far, there has not been any ECJ decision concerning CSSPs’ liability. This research will identify which EU legislation might be applicable to civil liability of CSSPs in case of blocking and/or false positive detection. The thesis will also analyze legislation in various EU member states, even though the focus will be on Slovak and Czech legislation.

Chapter 2 - The situation in the USA

The case Zango v. Kaspersky clarified the position of CSSPs in the USA by granting immunity under the “Good Samaritan” provision §230(c)(2)(B) CDA. Since the case plays a key role in this thesis and in the comparison with the situation in the EU, it is worth analyzing it more deeply, including the background of §230 CDA and its effect on the USA case law.

2.1 Short excursus on the legislative history of §230 CDA and the related case law

The most important role that §230 CDA plays, apart from the protection of children from online pornography, can be seen in the case Stratton Oakmont v. Prodigy5. Following this decision, representatives Chris Cox and Ron Wyden introduced an amendment to the Communications Decency Act6.

In the above-mentioned famous case, Prodigy was a company which provided online bulletin boards. Stratton Oakmont, a securities investment banking firm, felt offended by a statement on one of Prodigy's bulletin boards - Money Talk - about committing criminal and fraudulent acts in connection with the public offering of stock of Solomon-Page, Ltd.7 Since Prodigy also moderated, and therefore controlled, its bulletin boards, it was held liable for the content of the messages, even when messages were written by its (anonymous) users. The court distinguished this case from the previously known Cubby v. Compuserve8, in which the provider of the content was not held liable, because its role was passive and it did not intervene in the content of published information.

5 Stratton Oakmont, Inc. v. Prodigy Services Co., 1995 WL 323710 (N.Y. Sup. Ct. 1995)

6 Electronic Frontier Foundation. (n.d.). CDA 230: Legislative History. Retrieved March 5, 2013, from https://www.eff.org/issues/cda230/legislative-history

7 EFF Summary of Stratton-Oakmont & Porush v. Prodigy. (n.d.). EFF Summary of Stratton-Oakmont & Porush v. Prodigy. Retrieved June 4, 2013, from w2.eff.org/legal/cases/Stratton_Oakmont_Porush_v_Prodigy/prodigy_decision_eff.summary

8 Cubby, Inc. v. CompuServe Inc., 776 F. Supp. 135 - Dist. Court, SD New York 1991.

The House of Representatives and the Senate clearly stated that “One of the specific purposes of section 230 CDA is to overrule Stratton Oakmont v. Prodigy and any other similar decisions”9, in order to avoid imposing future liability on interactive computer service providers for content not directly generated by them.

Before the Zango v. Kaspersky decision the court had not handled a similar claim concerning CSSPs. Most of the cases were related to immunity according to §230(c)(1) CDA. The first case that took advantage of §230 CDA was Zeran v. AOL10. AOL is/was an ISP which provided a bulletin board on which the “Naughty Oklahoma T-Shirts” advertisement11, with the phone number of Mr. Zeran, appeared. Zeran sued AOL and claimed that §230 CDA does not apply here as it eliminates only publisher’s liability, and not distributor’s liability. The 4th circuit of the Appellate Court affirmed the lower court’s dismissal of the claim and confirmed that AOL falls within the scope of §230 CDA because it is obvious that AOL’s action can be considered as “interactive computer service” (§230(f)(2) CDA). The unknown author of the advertisement, as “information content provider” (§230(f)(3) CDA), is the one who should be liable in this case. For that reason AOL is exempted from liability according to §230(c)(1) CDA.

The definition of interactive computer service in §230 CDA has been interpreted broadly and now it protects e.g. website operators (Universal Commons v. Lycos)12, bloggers (Anthony Dimeo v. Tucker Max)13, owners of chat rooms (Green v. AOL)14, moderators of discussion boards (Barrett v. Rosenthal)15 and also CSSPs as in the case of Zango v. Kaspersky. However, in FTC v. Accusearch16 it was pointed out that an interactive computer service cannot benefit from its immunity where it also acts as an information content provider17.

9 House of Representatives Conference Report Number 104-458, Second Session, page 194 (1996)

10 Zeran v. America Online, Inc., 129 F. 3d 327 - Court of Appeals, 4th Circuit 1997

11 The advertisement in which T-shirts with improper (vulgar and offensive) slogans related to the Oklahoma City tragedy were offered

12 Universal Communication Systems v. Lycos, Inc., 478 F. 3d 413 - Court of Appeals, 1st Circuit 2007.

13 DiMeo v Max, 248 Fed Appx 280, 282 3d Cir 2007.

14 Green v. America Online (AOL), 318 F. 3d 465 - Court of Appeals, 3rd Circuit 2003.

15 Barrett v. Rosenthal, 146 P. 3d 510 - Cal: Supreme Court 2006

16 FTC v. Accusearch Inc., 570 F. 3d 1187 - Court of Appeals, 10th Circuit 2009.

17 Cybertelecom :: Good Samaritan 47 USC § 230. (n.d.). :: Cybertelecom :: Federal Internet Law and Policy ::. Retrieved June 4, 2013, from http://www.cybertelecom.org/cda/samaritan.htm

2.2 Zango v. Kaspersky

2.2.1 Background of the case

Zango, a provider of an online catalog, provided software which, after installation on consumers’ computers, allowed activation of advertisements on the desktop of the user’s computer while browsing the Internet. Zango claimed that users who did not want to see ads had the opportunity to buy a paid pack of the software or service which would not allow the projection of advertisements. According to the Kaspersky amicus curiae brief18, which was written by the alliance of anti-malware software providers, Zango’s software was considered to be malware by other CSSPs as well. However, there were also some CSSPs, whose software detected Zango’s software only as and there was another very small group of CSSPs according to which Zango’s computer program had not posed any harm.

Kaspersky, which is a CSSP, had security software which detected Zango’s software as malware and/or adware, and blocked access or installation on users’ computers. Zango sued Kaspersky for “injunctive relief, tortious interference with contractual rights, violation of the Washington Consumer Protection Act, trade libel and unjust enrichment”. The 9th circuit of the appellate court in Zango v. Kaspersky decided according to the CDA that: “1. Kaspersky qualifies as an interactive computer service provider (access software provider), 2. There is no "good faith"19 standard in the statute for the vendor's decision to consider software objectionable, 3. The labeled software does not have to be actually "objectionable;" the vendor qualifies for protection so long as it subjectively considers the software objectionable.”20

1. Qualification as interactive computer service provider/access software provider

In the meaning of §230(f)(2) CDA “interactive computer service means any information service, system, or access software provider which provides or enables computer access by multiple users to a computer server, including specifically a service or system which provides access to the Internet, and such systems operated or services offered by libraries or educational institutions”. An access software provider (§230(f)(4) CDA) is a “provider of software (including client or server software), or any enabling tools which do at least one of the following: (A) filter, screen, allow, or disallow content; (B) pick, choose, analyze, or digest content; or (C) transmit, receive, display, forward, cache, search, subset, organize, reorganize, or translate content”.

18 Amicus Brief in Zango v. Kaspersky Lab. (n.d.). Electronic Frontier Foundation. Retrieved May 30, 2013, from https://www.eff.org/document/amicus-brief-zango-v-kaspersky-lab

19 Oral arguments in Zango v. Kaspersky Lab, Inc., 2009 WL 1796746 (9th Cir. June 25, 2009) Retrieved April 4, 2013, from cdn.ca9.uscourts.gov/datastore/media/2009/02/02/07-35800.wma

20 Goldman, E. (n.d.). Technology & Marketing Law Blog: Anti-Spyware Vendor Protected by 47 USC 230(c)(2)--Zango v. Kaspersky. Technology & Marketing Law Blog by Eric Goldman. Retrieved June 4, 2013, from http://blog.ericgoldman.org/archives/2007/08/antispyware_ven.htm

Kaspersky is an “interactive computer service”, because it provides filtering software (Kaspersky Internet Security) which is able to filter, allow or disallow content. This computer program also enables multiple users to access the server in order to get malware definition updates. Therefore, Kaspersky fulfills the definition of interactive computer service, which also covers access software providers as defined in §230(f)(4) CDA. As discussed in the oral hearing21, if Kaspersky had provided updates only via CDs regularly sent to the user, it would not have fulfilled the criterion of allowing multiple users to access the server. Moreover, the court in its opinion noted that it is not necessary to provide active access, as Zango disputed; the meaning of “allowing access” also includes passive access, as in the case of Kaspersky’s users, who downloaded malware definition updates.

2. Good faith

The appellate court affirmed that subsection 230(c)(2)(A) CDA contains the “good faith” requirement, whereas subsection 230(c)(2)(B) CDA does not. As is obvious from the wording of subsection 230(c)(2)(A) CDA, “any action voluntarily taken in good faith to restrict access to or availability of material which the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected”, in order to benefit from the exemption from liability the provider would, in case of a dispute, have to demonstrate good faith when restricting access to the material that the provider or user considered “improper”.

On the other hand, an interactive computer service would benefit from §230(c)(2)(B) CDA when it enables or makes available to information content providers or others the technical means to restrict access to material which is obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable. This was the case of Kaspersky, because it provided software that was able to filter malicious software and was under the control of the user. Kaspersky Internet Security showed a warning screen when the problem with Zango’s software occurred and therefore gave the user a technical means to consider whether to allow or disallow the content which could be regarded as malware.

21 Oral arguments in Zango v. Kaspersky Lab, Inc., 2009 WL 1796746 (9th Cir. June 25, 2009) Retrieved April 4, 2013, from cdn.ca9.uscourts.gov/datastore/media/2009/02/02/07-35800.wma

3. “Otherwise objectionable”

In the meaning of §230(c)(2)(A,B) CDA, the protection for “Good Samaritan” blocking and screening of offensive material is permitted in case “a provider or user of an interactive computer service, on account of any action voluntarily taken in good faith restricts access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, or any action taken to enable or make available to information content providers or others the technical means to restrict access to obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable material”.

Kaspersky was found not liable for blocking Zango, because the content - Zango’s software - was considered by the appellate court as “otherwise objectionable”. However, from the nature of the software of Zango, it could also be classified as harassing, because pop-up windows of any software, especially in case the user does not agree with this behavior or does not expect it, are generally considered as very annoying.

Moreover, Zango was not purely innocent either. In 2006, Zango was fined 3 million USD by the Federal Trade Commission of the USA. The case FTC v. Zango did not reach the court because it was settled by an agreement22. In the agreement, Zango agreed “not to use any legacy program to display any advertisement to, or otherwise communicate with, a consumer’s computer”, “not to publish, disseminate, distribute via any electronic means, any software script, code, or other content in order to exploit a security vulnerability of any computer system”, and to allow its consumers to complain by providing them with an email address for this purpose. In addition, Zango should better inform its customers and obtain the express consent of the customer when he decides to install Zango’s software, and also provide detailed information about the displayed advertisement, under the conditions enumerated in the agreement. Besides all the above-mentioned, Zango should enable its customers to uninstall its software directly from their computers, not by accessing and downloading additional software. From an analysis of the agreement, it is obvious that Zango had distributed computer program(s) which behaved against the law. Therefore we can come to the conclusion that, in blocking Zango’s computer programs, Kaspersky’s security program did not produce a mismatch in detection.

22 Agreement containing consent order. (n.d.). United States of America Federal Trade Commission. Retrieved May 30, 2013, from www.ftc.gov/os/caselist/0523130/0523130agree061103.pdf

2.2.2 Drawbacks of Zango v. Kaspersky

Judge Fisher in his concurring opinion presented his view on the case from a different angle. He pointed out drawbacks concerning the legal term “otherwise objectionable” in connection with good faith and the extent to which the user is able to control the tools used for blocking.

Firstly, we can look at the indefinite term “otherwise objectionable”. Judge Fisher pointed out that “the risk inheres in the disjunctive language of the statute, which permits blocking of material that the provider or user considers … otherwise objectionable”. In order to fulfill the definition of access software provider that enables computer access by multiple users, Kaspersky should in the meaning of §230(f)(2) CDA perform an action to enable or make available to others the technical means to restrict access to obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable material (§230(c)(2)(B) CDA). According to §230(b)(3) CDA, the policy of the United States encourages the development of technologies which maximize user control over what information is received by others. So, as long as the user can control the content, he or she can consider what is objectionable and what is not. However, §230(c)(2)(B) CDA can also be misused for anticompetitive purposes. Any CSSP can block competitors’ programs or websites without the user’s knowledge and, moreover, it does not need to prove good faith in this action. An unfair CSSP can simply argue that it is for the purpose of protection of the user. In the end, it is the user who can decide whether the content is improper or not and consequently block it.

This can lead to the second argument - the scope of user control. In Judge Fisher’s argumentation, there was a fear of what a reasonable user can expect and do. Kaspersky’s software informed the user, by a notification window, when content was just about to be blocked, and the user could choose to allow or disallow the action. The concern was especially about the event when the CSSP’s software would not provide such a choice and would automatically disallow the content according to its malware database. A web browser with a third party filter was used as an example. It would not show websites or search results of the competitors of the browser vendor and the users would not know about the problem because they would rely on the expertise of the CSSP and/or default browser settings.


Nicolas Colnon23 devoted his research to the application of §230 CDA to CSSPs. In his article “Limiting §230 Immunity for Providers of Filtering Software” he provides an elaborate analysis, according to which CSSPs would not always benefit from §230 CDA immunity. In other words, in order to be immune from liability a CSSP should prove that its software allows user control, or that the user exercises control over content that is being blocked. The second alternative would be to prove the good faith of the CSSP in expecting that the user would consider the content somehow harmful or objectionable.

Colnon also differentiated two approaches to the application of §230(c)(2)(B) CDA. First, the “user ratification approach”, according to which the user has a choice only to install or uninstall the blocking software or the software detected as malicious, if the user does not want to block the content. Secondly, he created the “manual override approach”, under which the end user can choose, by using the blocking tools of the software, whether or not to block suspicious content. However, Colnon’s theories are a little confusing in distinguishing between the application of §230(c)(2)(A) and §230(c)(2)(B) CDA. He came to the conclusion that the immunity of CSSPs should not be absolute and that a provider which does not enable enough control of its filtering software according to §230(c)(2)(B) CDA still has a chance of falling under the scope of immunity by evidencing good faith in consideration of the content in the meaning of §230(c)(2)(A) CDA.

Therefore we can state that allowing absolute immunity for all CSSPs just because they provide blocking tools for users would not be the best approach. Thus, an examination of the extent to which the user is able to control the behavior of his anti-malware filtering software, and of the extent to which the user understands and relies on the expertise of the CSSP, would be appropriate.

2.3 Zango v. PC Tools24

Kaspersky was not the only CSSP that was sued by Zango. There was a similar legal action against another CSSP - PC Tools - in 2007. It was based on the same background as the Zango v. Kaspersky case, but at first sought a “temporary restraining order, and a preliminary injunction, to immediately remove Zango’s software from their detection database”. The merits of the case concerned tortious interference with contract, a violation of the Washington Consumer Protection Act, and trade libel. Zango v. PC Tools did not reach the Appellate Court in the USA because the District Court in Washington dismissed the action. It is also worth mentioning that before the action was filed, PC Tools’ software named Spyware Doctor classified Zango’s software as the lowest possible level of potential malware.25

23 Colnon, N. R. (2012, March). Limiting § 230 Immunity for Providers of Filtering Software. Expresso, -, 46. Retrieved April 24, 2013, from http://works.bepress.com/nicholas_conlon/2/

24 Zango, Inc. v. PC Tools Pty Ltd., 494 F. Supp. 2d 1189 - Dist. Court, WD Washington 2007

As to tortious interference, the court considered protection of the customers from harmful and malicious content to be conduct that is unlikely to have an improper motive or to use wrongful means to cause injury to the plaintiff’s contractual or business relationship.26

The grounds of the claim would also not fulfill the criteria of the five elements test, where the plaintiff has to prove that there is an “unfair or deceptive act or practice, occurring in trade or commerce, public interest impact, injury to plaintiff in his or her business or property, and causation”27 according to the Washington Consumer Protection Act. Contrary to the claim, the court in its reasoning found that users who download anti-malware software rely on the expertise of such software to prevent harm to their data, and that it is in the public interest to fight against potentially malicious software.

When considering the possibility of success in the trade libel action, the court doubted that Zango could prove that the classification of Zango’s software by PC Tools’ Spyware Doctor was false and was made in order to intentionally harm the pecuniary interests of Zango.

The case did not have a chance to be legally classified under §230 CDA. However, Zango v. PC Tools can demonstrate the opinion of the lower court on the question of CSSPs’ liability. Even if Zango had succeeded in the preliminary injunction28, it would not have succeeded on the merits, because the District court took into consideration the honorable motives of CSSPs and the protection of public interests against harmful content and data.

2.4 The end user and immunity of CSSPs according to §230 CDA.

According to §230 CDA, protection should apply to a Good Samaritan (a person who voluntarily offers help or sympathy in times of trouble)29 for blocking and screening of offensive material. The Good Samaritan definition can very well fit most CSSPs because of their role in protection of the present cyber world.

25 Zango, Inc. v. PC Tools Pty Ltd., 494 F. Supp. 2d 1189 - Dist. Court, WD Washington 2007 (Defendants’ Opinion 7.)

26 Pleas v. City of Seattle, 774 P. 2d 1158 - Wash: Supreme Court 1989

27 Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 719 P. 2d 531 - Wash: Supreme Court 1986

28 This is only a theoretical point of view, because potential success on the merits is the condition for awarding a preliminary injunction.

29 WordNet Search - 3.1. (n.d.). good Samaritan. Retrieved May 30, 2013, from wordnetweb.princeton.edu/perl/webwn?s=good%20samaritan

However, CSSPs can in some cases affect the end user in a negative way. The case of Gross v. Symantec (2012)30 (also known as the “Symantec scareware case”) can be used as an illustration. Although the claim was dismissed, Mr. Gross felt harmed by an alleged fake scan and the detection performed by Symantec’s anti-malware software. The software scared the user by announcing that there was malware on his computer and offered him the opportunity to fix the problems by buying Symantec’s product. Mr. Gross sued Symantec for a violation of California's Unfair Competition Law31, fraudulent inducement, breach of express warranties32, breach of contract, breach of the implied covenant of good faith and fair dealing, and unjust enrichment. Even though §230 CDA was not mentioned in the case, we can have a closer look at its potential applicability in case the end user feels harmed by using a CSSP’s anti-malware software, where the harm was caused by false positive detection.

The question whether §230 CDA could apply to immunity of CSSPs in case of harm caused by their software to the customer can be answered in two ways. Firstly, there is an immunity for the CSSP if the provider or user of an interactive computer service voluntarily takes “any action in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable” (§230(c)(2)(A) CDA), with the emphasis on “any action” and “voluntarily taken in good faith”. If the harm is caused by the blocking function of the software, which is primarily used for this purpose for the end user, it should be proved that the user did not block the content voluntarily and that the intent of the CSSP for this kind of blocking of the content was not taken in good faith. Eventually, a CSSP would not expect in good faith that the user will consider the content as lewd, harassing, etc. Secondly, the immunity for CSSPs could be possible where “any action was taken to enable or make available to information content providers or others the technical means to restrict access” to improper material (§230(c)(2)(B) CDA). While the CSSP makes available technical means - its software - to the user in order to filter the content under his or her own control, it should not be held liable for the final decision of the user - whether or not the user chooses to block improper material. Moreover, there is always another possibility - to uninstall the CSSP’s software. The second approach also seems to fit with the intent of self-regulation of the Internet and other interactive computer services according to §230(a)(4) CDA.

30 Gross v. SYMANTEC CORPORATION, District Court, ND California 2012

31 Californian Business & Professional Code, § 17200

32 Californian Commercial Code, § 2312

To the second question, concerning false positive matching and harm to the end user, §230 CDA could, from a strict view, be applicable in the same sense as in the previous case. At first, the CSSP would not have been liable if the content had been blocked by the user voluntarily. However, in this phase, the user somehow relies on the expertise of the CSSP and is not always able to consider whether the blocking is legitimate or not. On the other hand, CSSPs should normally be able to react to the “mismatch” situation very promptly and provide a repair through the latest updates. So the potential harm, even if caused, would be, theoretically, minimized. Secondly, it should be the final decision of the user whether to block or not, even if the software detected a virus wrongfully. However, in a case where the CSSP’s software does not provide an option for the user to decide, it could be right to dispute the immunity of such a CSSP.

It would also depend on an examination of whether the false positive detection could be considered a defect of the software or just one of the small inevitable mistakes which normally occur when software is developed. This can lead to another type of liability - product liability. In the USA, the overall liability of CSSPs, or rather their immunity from liability, should be mostly covered by the Computer Decency Act, except for the few specific situations mentioned above. According to §230(c)(2) CDA, a provider of an interactive computer service is not liable on account of “any action voluntarily taken in good faith to restrict access…”, or “any action taken to enable or make available to information content providers or others the technical means to restrict access…”. Even if the “technical means to restrict access” was defective, a CSSP could be freed from liability by proving good faith in “any action to restrict access”.

The situation in the EU is different. There is no general legal act in the EU like CDA in the USA. In the next chapters we will focus on liability of CSSPs from various perspectives. Product liability of CSSPs will be discussed in Chapter 3, liability of CSSPs as information society service providers according to the eCommerce Directive in Chapter 4 and liability of CSSPs according to the law of two member states (The Slovak Republic and The Czech Republic) in Chapter 5.

Chapter 3 - CSSP’s outputs and product liability in the EU

This chapter will try to outline the legal definition of CSSPs. Their role in the online world is important but the legal qualification seems to be ambiguous. Are they only sellers of their produced software or is there something more? The attention will be mainly paid to the classification of the most common final output of CSSPs - the software security pack and/or anti-virus software.

3.1 Nature of CSSPs outputs

The typical characteristic of anti-malware software is filtering of content. As was discussed in the previous chapter, in case of CSSPs we can also talk about providing software filtering tools for end-users, who can usually decide what content will be filtered. Thus, filtering is the characteristic of the CSSP’s output, not a service provided by CSSP. It is the user, who decides to install the anti-malware software in his computer and through the anti-virus software he decides what will be blocked. From the point of filtering, the CSSP can affect the blocked content only via a malware database that needs to be up-to-date.

Software security packs, or at least their anti-malware parts, are characterized by frequent updating. This means that the software itself connects to its producer or the rights holder of the database in order to download current information, usually without the user’s knowledge, or better to say without the user being aware of such a process. Of course, there are users who can adjust and modify a lot of settings, e.g. allowing and disallowing notifications or updates. However, an average user will probably not do this.

Firstly, we need to define the term “average user” used in the thesis. An average user is supposed to be a person, who is not “skilled in the art”, but can install under default settings a simple piece of software and use operating systems such as Microsoft Windows, Android, text editors or ordinary programs. The person knows that it is good to have some protection against harmful content but does not know what that protection really does. This person is unable to enhance the programs or systems, is not able to change the default settings of the programs, and rarely adjusts complicated settings.

We may also say that the average user keeps the settings from the manufacturer as they were originally adjusted, and then leaves the software “to live its own life”. The software updates itself, sometimes sends a message or an infected file to the manufacturer, and sometimes the manufacturer also receives feedback from the user. At this point, we can deal with the issue of privacy. Therefore, it can be interesting to answer the question: What kind of data is being sent to the CSSP? The provider Symantec declares that all the information about the sent data is available under the “Security History” menu of their product33. ESET, in a slightly complicated manner in the User guide34, informs the user about the opportunity to install or not to install the part of the security pack that collects and sends the user’s data, or alternatively to exclude certain files from sending. So, these CSSPs seem to be willing to inform the user about the sent content. However, it remains unclear whether all CSSPs provide transparent information about the data transmitted from users.

33 Norton Community Watch Privacy Policy - Symantec Corp. Endpoint, Cloud, Mobile & Virtual Security Solutions | Symantec. Retrieved June 4, 2013, from http://www.symantec.com/about/profile/policies/ncwprivacy.jsp
34 Eset. (n.d.). User Manual. pg. 74, chapter 4.4.6. Retrieved May 30, 2013, from download.eset.com/manuals/eset_ess_6_userguide_enu.pdf

A closer look at the nature of anti-malware software shows that CSSPs software is updated more often than any other computer program. Therefore, the essential part of this software is updating. After knowing these facts, a few questions automatically arise: 1) Can these almost daily updates be considered to be a typical part of this product or can they be considered as (added) services to the product? 2) Does the “product” part or “service” part prevail?

One of the answers can be found in the terms and conditions, or in the license agreement. However, statements in these types of documents do not always guarantee the conformity with every system of law in every country (especially in the EU with a mixture of various legal systems on various levels). Even if the producer declares selling of their product in one country, after deeper analysis, the court can decide that it is a service and not a part of the product. Unfortunately, it is unknown if this kind of decision exists in any EU member states. In EULA of ESET35 the definition is focused on software which requires an Internet connection in order to work properly. Symantec EULA36, on the other hand, deals with the provided services and defines a service period during which the software is updated. Moreover, on Symantec’s website it is expressly stated that their products are licensed and not sold37.

The nature of this product lies, however, in the services, or updates. Anti-virus software without updates, or one-year-old anti-virus software without updates, has virtually no value. The user would prefer uninstalling old unchanged software, even after paying for it, and would rather find a free one which is updated more often. Moreover, non-updated security software packs can become outdated after one month, even if some of their functions remain working regardless of updates.

35 ESET End-User License Agreement. (n.d.). ESET | Antivirus, Internet Security Software & Virus Protection. Retrieved June 4, 2013, from http://www.eset.com/us/software-eula/
36 Symantec Corp. (n.d.). EULA. Retrieved June 4, 2013, from https://www.symantec.com/content/en/us/about/media/eulas/2013/CPS%20SUBSCRIPTION%206.0%20U
37 Product License Agreements and Third Party Notices - Symantec Corp. (n.d.). Endpoint, Cloud, Mobile & Virtual Security Solutions | Symantec. Retrieved June 4, 2013, from http://www.symantec.com/about/profile/policies/eulas/

To resolve this, it is necessary to analyze the purpose of the security software installation. The main reason why users install anti-malware software is to protect their computers against all malware known at the date of installation, and ideally also malware that becomes known in the near future. This is provided by software updates and/or later communication of the software with its manufacturer by sending and discussing suspicious files.38 Some people can argue that an outdated anti-virus program is not useless, but the user has to deal with a lower possibility of malware being found and detected. The dynamics of malware development are considerable. Every day new types of malware are detected, new anti-malware tools are developed and the databases describing them are updated.

However, this still does not mean that the anti-virus software will not be able to perform, it just will not be able to protect against the latest malware. Moreover, there are some functions of the software security packs like firewalls, which will probably remain fully functional without updates under the condition of the license agreement.

Another point that can help distinguish between services and products is the answer to the question of what the customer really pays for. CSSPs themselves vary in classifying their outputs. While some of them prefer to “sell” software, others sell software with services (updating). Therefore, the answer will again differ from case to case.

If users do not update their MS Word, probably nothing will happen, and they will be able to use it for a long time without experiencing any difficulties. If during this period of time a new update is released but the user does not download it, they will still be able to write documents without any troubles. However, if the users do not update their antivirus software for a year, they might have useless software in their computer, because the essential part of this kind of software is the up-to-date malware detection database.

3.1.1 Software in general - mere product or service?

When going deeper into international law, we firstly need to try to establish whether software is considered to be goods or not. For this purpose, the Convention on International Sales of Goods (hereinafter also as “CISG”) was analyzed. The general opinion presented by Hiroo Sono39 and others mentioned in the article is that CISG applies to standard software on a tangible medium. Therefore in this case software is considered to be goods. However, custom made software is characterized as a mere service. In this case services prevail amongst final product outcomes. A lot of questions still remain unanswered or, better to say, the answers are unclear. One of the problems is that the software itself is not tangible. On the other hand, if someone wants to profit from it, it is necessary to install it on a medium, because software cannot work without it. The software itself remains a matter of the license agreement even when the paid amount will later be divided between the copyright holder and the seller. So the information on the tangible goods could remain unregulated under CISG and the applicable rights and obligations could be covered by an awarded license.

38 Anyone with a suspicious file can also submit it for scanning by various CSSPs’ software at www.virustotal.com

The same problem with subsumption of software arises under the Product liability directive40. The definition of product is in Art. 2 of the Product liability directive. For the purpose of this directive product means “all movables, even if incorporated into another movable or into an immovable”. In addition, the definition includes electricity as well. At first sight, it is obvious that the definition is talking mostly about tangible objects, and the express inclusion of electricity suggests that intangible objects are not covered automatically.

As in the CISG analysis, in the Product liability directive it is also necessary to distinguish at least between pre-fabricated software sold on a CD in a shop and custom made software for specific purposes to meet the specific needs of the customer. In the first case, practice inclines towards the opinion that a product is being sold. However, in the second case, developing software for a specific customer is considered to be a service, even though the final output is again a computer program. “Anglo American law answers the product-service question by applying the “essential nature test”. The test solves the problem by considering whether the content of the contract incline to providing a service or to the delivery of a product”41.

39 Electronic Library on International Commercial Law and the CISG - Hiroo Sono. Electronic Library on International Commercial Law and the CISG. Retrieved June 4, 2013, from http://www.cisg.law.pace.edu/cisg/biblio/sono6.html#*
40 Council Directive 85/374/EEC of 25 July 1985 on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products
41 Albeit, K. (2001). Applicability of the EU Product Liability Directive to Software. Comparative & international law journal of Southern Africa, 34(2), 188. Retrieved April 16, 2013, from the Hein Online database

There are also other ways to obtain software besides purchasing it on a data carrier in a shop. The software can be provided on-line and the user downloads it from the Internet. Or, the user can obtain part of the software on a CD and another part online.

Albeit42 just as Westerdijk also broadened the definition of software being a product in cases where the information in the computer program is generated by the software itself, or the information is generated by the user with help of the software. In the first example software should be considered as a product. However, in the second one, the final output is intangible information and cannot be regarded as a product. For the purpose of CSSPs this conclusion can be important to the extent of blocking of the suspicious website or the file being blocked by software itself with default settings or the user adjusting the settings to the highest possible protection, which does not allow some operations. However, experienced users are able to set up even the exceptions in the strictest mode.

Nevertheless, this is not the best solution to our problem, as indicated above, even when a tangible medium with software is being sold. In fact, it is impossible to acquire ownership rights to the software in the same meaning as the ownership rights to the objects, as it comes from the character of the intellectual property rights. In this case, the owner still remains the creator or rights holder of the computer program and the end user can exercise his rights within the limits of the license agreement. This can lead to the assumption that it is improper to claim damage from the user in any case, since the main rights remain with the intellectual property rights holder.

A selling agreement regulates the relationship between seller and buyer in order to obtain rights to movables and/or immovable objects. However, a license agreement merely “sells” rights to the output of creation, or if we consider software as a product, then specific rights to the product. The buyer expects to buy products or goods in quality, quantity and with required characteristics. Then should the licensee require that only the acquired rights will, according to the license agreement, be in a certain condition, or should the product the licensee obtains the rights to be in a desired condition, or should both the rights and the product be in an expected condition? The situation can become more complicated in case of “shrink-wrap” or “click-wrap” licenses, where the enforceability is in question43. While the license agreement is not harmonized on the EU level, the liability of the licensor remains a matter of national legislation and a matter of the extent of the concluded agreement.

42 Ibid. 41
43 Enforceability of Clickwrap Agreement Called into Question - Checklist for Best Practices in Electronic Contracting | Holland & Knight. Holland & Knight. Retrieved June 4, 2013, from http://www.hklaw.com/digitaltechblog/Enforceability-of-Clickwrap-Agreement-Called-into-Question----Checklist-for-Best-Practices-in-Electronic-Contracting-11-07-2012/

In the recent decision UsedSoft v. Oracle44, the European Court of Justice dealt also with sales in the context of computer programs, although the merit of the case was related to copyright and its exhaustion. The court pointed out the fact that, even though the license agreement is concluded, the end user will acquire ownership rights to the copy of the software.45 Therefore, it seems that the court in its argumentation perceived providing of the software for remuneration as a sales agreement rather than as license agreement per se. Does it mean that we should start thinking about the license agreement as a special type of sales agreement?

To sum up the product-service and sale-license software dilemma, neither definition of goods according to CISG, nor products mentioned in the Product liability directive exactly fit with software. However, in many practical cases, but not all of them, the analogy to goods and products can be and is applied. Since CSSPs are in the first place developers of the software, the analogy with product-service and sale-license dilemma is applicable to them as well. Thus the liability derived from the selling/licensing/providing of their software remains in the grey zone depending on the consideration of an individual case.

3.1.2 Are updates part of the software (product) or are they an additional service from the software provider?

By using linguistic interpretation, “to update” means “to modernize, bring up to date, or bring to the latest state of technology”46. However, as a legal term concerning software, the meaning of updates remains within the free interpretation of the parties. In the software area, we can distinguish between updates which improve the main computer program and updates supplementing a computer program, e.g. a database. While the improving updates are mainly focused on fixing bugs in the program, supplementing updates do not affect the primary program; they keep the program in its original condition and just renew the lists or databases of the program.

44 UsedSoft GmbH v. Oracle International Corp. ECJ (Grand Chamber), 3 July 2012, In Case C‑128/11, REFERENCE for a preliminary ruling under Article 267 TFEU from the Bundesgerichtshof (Germany), made by decision of 3 February 2011, received at the Court on 14 March 2011
45 Ibid. 44
46 update - definition of update by the Free Online Dictionary, Thesaurus and Encyclopedia. (n.d.). Dictionary, Encyclopedia and Thesaurus - The Free Dictionary. Retrieved June 4, 2013, from http://www.thefreedictionary.com/update

The manufacturer can remotely ensure that the product is in a certain condition, for a specified purpose. Should this case not be classified as a mere service? It can be said that by purchasing the pack, the user is buying the product - the software - and the services bound to the product, which can then be distinguished from the main product.

It is mostly a matter for the rights holders of the main software whether updates of the software will be classified as a part of, or an essential part of, the final product, or will be considered as additional services from the provider of the software. At the moment there is no unified view or exact answer to the question of what updates of the software are according to the law. The approach varies case-by-case and is mostly defined within terms and conditions, license agreements, or maintenance agreements.

3.2 CSSPs liability to consumers on the internal market

It is worth mentioning that product liability according to the Product liability directive or General product safety directive applies to the producer - consumer relationship. There is no definition of the consumer in the Product liability directive, and the definition according to a number of directives (10 other different directives)47 varies slightly. From the entire definition, the analysis of the “EC Consumer Law Compendium”48 showed that the consumer is a natural person who is not acting in the scope of their professional, business or trade activity. National transpositions of consumer directives show some differences, while in certain cases also an entrepreneur, natural person, can be involved in consumer protection49. However, after the ECJ decision in the Idealservice case50, it became clear that the scope of protection is given only to natural persons. For the purpose of liability related to software manufacturers this decision narrowed the extent of possible legal regulation only to non-entrepreneurs.

47 Consumer Law Compendium. (n.d.). Comparative Analysis. Retrieved May 30, 2013, from www.eu-consumer-law.org/consumerstudy_part3a_en.pdf
48 Ibid. 47
49 Ibid. 47
50 Joined cases Cape Snc and Idealservice Srl (C-541/99), Idealservice MN RE Sas and OMAI Srl (C-542/99), ECJ (Third Chamber) 22 November 2001, In Joined Cases C-541/99 and C-542/99, REFERENCE to the Court under Article 177 of the EC Treaty (now Article 234 EC) by the Giudice di pace di Viadana (Italy) for a preliminary ruling in the proceedings pending before that court

Apart from the above mentioned case, there are only a few judicial decisions in the area of product liability, probably because about 90% of the cases are solved out of court51. The rest of them rarely reach the court instance, where the available judicature is. For example in The Czech Republic, only 2 cases related to product liability were decided by the Supreme Court of The Czech Republic52.

3.2.1 Liability for defective software

Under the condition that software is a product, we can analyze the liability according to Product liability directive.

According to Art. 3 of the Product liability directive, “‘producer' is the manufacturer of a finished product; the producer of any raw material or the manufacturer of a component part, and any person who, by putting his name, trade mark or other distinguishing feature on the product presents himself as its producer”. Even though the question about the software being a product remains slightly unclear according to the definition in Art. 3 of the Product liability directive, it is obvious that a CSSP could match the definition of the producer, because it is almost always known who provides such software, especially in the computer security area. “The software becomes defective when it does not provide the safety which a person is entitled to expect. All circumstances have to be taken into account, including the presentation of the software, the use to which it could reasonably be expected that the product would be put into, and the time when the product was put into circulation” (Art. 6 of the Product liability directive).

Thus it is questionable whether the mismatch can be marked as a defect of the software, whether the meaning of “defective” involves mere bugs in the software, and whether a wrongfully tagged file or website is a bug in the software. Blocking the access to a website with paid services, or the opportunity to delete the possibly infected file, however, can lead to harm to the consumer - the average user. Computer program providers try to make their products bug-free and user friendly, but it is still impossible to create 100% bug-free software.53

51 Report from the Commission on the Application of Directive 85/374 on Liability for Defective Products /* COM/2000/0893 final */ EUR-Lex - 52000DC0893 - EN. EUR-Lex. Retrieved June 4, 2013, from http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52000DC0893:E
52 Ruling of the Supreme court of the Czech republic (Usnesení Nejvyššího soudu ze dne 23. 8. 2007) No. 25 Cdo 1979/2005 and ruling of the Supreme court of the Czech republic (Usnesení Nejvyššího soudu ze dne 15.7.2008) No. 25 Cdo 32/2007.

In the UK an interesting case related to software bugs appeared when the court in Sam Business System Ltd. v. Hedley & Company54 decided that if the software was being sold as tried and tested, it should not have bugs and the software vendor is liable for defects of the software.55 However, the court also allowed a limitation of the liability, so the software producer, in case of a precisely drafted contract or terms and conditions, can avoid liability for bugs in the software. Even though it is obviously not a case related to the producer-consumer relationship, it can show the attitude of the court towards software bugs, which could potentially be applicable also to consumers.

The Product liability directive also provides space for liberation from liability for the producers, in case of them “not putting the product into circulation, or regarding the circumstances, it is probable that the defect which caused the damage did not exist at the time the product was put into circulation by the producer or that this defect occurred afterwards, or the product was neither manufactured for sale or any form of distribution for economic purposes nor manufactured or distributed in the course of the business. In addition the defect can be due to compliance of the product with mandatory regulations issued by the public authorities; or the state of scientific and technical knowledge at the time when the producer put the product into circulation was not such as to enable the existence of the defect to be discovered; or in the case of the manufacturer of a component that the defect is attributable to the design of the product in which the component has been fitted or to the instructions given by the manufacturer of the product”(Art 7 Product liability directive).

After an analysis of the above-mentioned article we can confirm that providers of free software are automatically outside the scope of product liability. However, some free anti-malware software contains advertising and could therefore be excluded from this exemption.

For the purpose of CSSPs, the state-of-the-art liberation can be interesting, mainly because CSSPs create their own state of scientific and technological knowledge. There is no standardizing body for software nor for anti-malware software. In this case, organizations like AV Comparatives56 can be helpful. It is an independent non-profit organization focused on anti-virus software comparison, whose results can be found on CSSPs’ websites (and on its own website as well). According to their false positive research, there is no anti-malware software that never flags a clean file as suspicious57. Thus the quality of anti-malware software can be deduced, apart from the amount of detected malware, also from the amount of false positive matches, which can be useful for competition on the market.

53 Callaghan, D., & O'Sullivan, C. (2005). Who should bear the cost of software bugs?. Computer Law & Security Review, 21(1), 56-60. Retrieved April 18, 2013, from the ScienceDirect database
54 Sam Business Systems Ltd v Hedley and Company [2002] EWHC 2733 (TCC) (19 December 2002). British and Irish Legal Information Institute. Retrieved June 4, 2013, from http://www.bailii.org/ew/cases/EWHC/TCC/2002/2733.html
55 Ibid. 53

The burden of proof is then on the consumer, who can find it very expensive, because technical expertise is needed to prove causality between defective software and damage. Moreover, in the case of CSSPs it has become common knowledge that the software uses blocking in order to stop malicious and suspicious files from running. The average user will not be able to consider whether a file marked as infected is really infected, or whether it is just a mistake of the software.

Another negative fact for the consumer is that the amount of suffered damage has to be higher than 500 Euros, and there is a necessity to prove that the consumer used the software for personal purposes, because application to items for professional use is excluded from the scope of the Product liability directive.58

The space for liberation of the producers of the software, as well as the burden of proof on the consumer, makes the rights of the consumer in case of liability caused by anti-malware software almost unenforceable. There are many obstacles for the consumer. However, there could be space for liability of the software providers under certain conditions as well. If we evaluate the activities of CSSPs, the positive activities still significantly prevail over the possible negatives and, on the other hand, it could be unfair to CSSPs to claim damages for some minor errors of their output.

56 AV-Comparatives Independent Tests of Anti-Virus Software » AV-Comparatives. (n.d.). Retrieved June 4, 2013, from http://www.av-comparatives.org/
57 AV-Comparatives False Alarm Test Archive » AV-Comparatives. (n.d.). AV-Comparatives Independent Tests of Anti-Virus Software » AV-Comparatives. Retrieved June 4, 2013, from http://www.av-comparatives.org/false-alarm-tests/
58 Société Moteurs Leroy Somer v Société Dalkia France, Société Ace Europe, ECJ (First Chamber), 4 June 2009

3.2.2 Liability for unsafe software

Even though the liability for unsafe products should be an issue of national legislation, the directive provides framework guidelines and concepts which can, under certain conditions, be applicable to software providers. General product safety, according to the Directive 2001/95/EC on general product safety59, is designated to protect consumers against products on the market that are potentially harmful to the health and safety of humans. Where harm is caused to an individual, victims’ rights within the meaning of Council Directive 85/374/EEC are not affected.60

By the term product (Art. 2(a) of General product safety Directive) is meant “any product, including in the context of providing services, which is intended for consumers or likely, under reasonably foreseeable conditions, to be used by consumers even if not intended for them, and is supplied or made available, whether for consideration or not, in the course of a commercial activity, whether new, used or reconditioned”. It is obvious that this meaning can better fit with the nature of the software.

The definition of safe software would therefore come out from the Art.2(b) General product safety Directive. It means any software which, under normal or reasonably foreseeable conditions of use including duration and, where applicable, putting into service, installation and maintenance requirements, does not present any risk or only the minimum risks compatible with the software use. It is considered to be acceptable and consistent with a high level of protection for the safety and (health) of persons, taking into account particularly the characteristics of the software, including its instructions for installation and maintenance; the effect on other products; the presentation of the software; the labeling; and the categories of consumers at risk when using the software. Recital (16) of the General product safety directive also stipulates that in the absence of specific regulations, the safety of product (software) should be assessed taking into account i.e. national, European or international standards, the state of the art and the safety which consumers may reasonably expect.

Certain types of software for medical use can theoretically harm human health, but for our purposes we will focus on the issue of safety. The question is whether the safety of data in a consumer’s computer falls within the scope of safety of the person. Linguistic interpretation defines “safety”61 as “the condition of being safe; freedom from danger, risk, or injury”. While injury of the person explicitly includes human health in the extent of protection, we can deduce that safety of the person can involve any non-health related harm to person, including person’s property whether tangible or intangible. Therefore harmful software causing harm to consumer’s data could fall under the extent of the General product safety directive, and the software provider could be held liable in this case.

59 Directive 2001/95/EC of the European Parliament and of the Council of 3 December 2001 on general product safety

60 Recital (36) of General product safety directive

Even if some of the software manufacturers differentiate their products and websites for European, American, Asian or Australian markets, there are also many who do not. From the international nature of the Internet, when such a differentiation does not exist, it is impossible to determine for which market the software was intended. In the case when the vendor does not also sell materialized outputs on carrier, it could be difficult to prove that a Chinese CSSP with an international website and language support in English, having the website in China, but with the web also available to Europe, placed his product on the European market. Who should be liable in this case?

The General product safety directive is mentioned in the thesis because its definition of the product fits software better than the definition in the Product liability directive. The consequences of a breach of the General product safety directive primarily do not concern civil liability. The goal of the thesis is to research CSSPs’ civil liability, so the specific damages according to the General product safety directive are not relevant. However, it is worth pointing out that a different kind of liability could exist if the software is capable of causing harm.

The purpose of the General product safety directive is to avoid unsafe products on the internal market, whereas the Product liability directive focuses merely on civil liability for unsafe products. Therefore a CSSP can be, in case of placing unsafe software on the market, liable to the public authorities of the member states and, if the unsafe software causes damage to the customer, also to the customer through civil liability62. It is highly improbable that outputs of CSSPs from their nature will be able to interfere with the safety of humans, especially in case of infected software or a file mistakenly marked as malware. Moreover this software is intended to protect one’s data against harmful content online and offline. Even though it is obvious that the role of CSSPs is in this field very important and irreplaceable, there is no special European regulation of legal status or liability of CSSPs in the product safety or product liability.

61 safety - definition of safety by the Free Online Dictionary, Thesaurus and Encyclopedia. (n.d.). Dictionary, Encyclopedia and Thesaurus - The Free Dictionary. Retrieved June 4, 2013, from http://www.thefreedictionary.com/safety

62 Ibid. 59

Chapter 4 - CSSP’s liability according to the eCommerce Directive

Users of anti malware software generally rely on the CSSP’s knowledge and classification of what can be considered to be a harmful content. Even though actions executed by CSSP’s software consist mostly in filtering of malicious content on the end user level, it is indisputable that it can be called filtering. The word “filtering” is often demonized, because it is often connected with censorship and interference with the freedom of expression. Many authors and experts talk about the potential necessity to filter content on different levels of internet intermediaries not only outside the EU, but also in the EU. This demonization was aggravated by attempts to impose filtering obligations on information society service providers. In the recent ECJ decision Scarlet v. SABAM63 the court decided that the obligation of filtering does not apply to internet service providers in the EU. The ECJ in this decision emphasized the need for balancing fundamental rights, because imposed filtering for the purpose of protection of copyright64 could lead to the infringement of the freedom to conduct a business65 in accordance with the law. The filtering performed by CSSP’s software does not seem to be threatening to fundamental rights, because it is mainly the user’s voluntary decision what will be filtered and what will not. Therefore, various users can decide to filter different content.

Although the role of CSSPs in the cyber environment is very important, the ECJ decision regarding CSSP does not exist. It is not proper to say “unfortunately”, because it would also mean that there was a court proceeding related to CSSPs. From the legal researcher’s point of view a situation in which there is no relevant case law slightly complicates the research, but, on the other hand, it also provides more space for researcher’s own ideas. This chapter provides a closer view on CSSPs in the Internet environment in the EU. It is especially focused on the answer to the question, whether a CSSP can be considered an information society service provider in the meaning of relevant EU directives and the impact of this classification on their liability.

63 ECJ Scarlet Extended SA v. Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM), intervening parties: Belgian Entertainment Association Video ASBL (BEA Video), Belgian Entertainment Association Music ASBL (BEA Music), Internet Service Provider Association ASBL (ISPA), In Case C-70/10 November 2011, Reference for a preliminary ruling under Article 267 TFEU from the cour d’appel de Bruxelles (Belgium), made by decision of 28 January 2010, received at the Court on 5 February 2010

64 The right to property according to Art.17(2) Charter of Fundamental Rights of the European Union

65 Art.16 Charter of Fundamental Rights of the European Union

4.1 Can a CSSP classify as an information society service provider in the EU?

The Zango v. Kaspersky decision in the USA clearly defined a CSSP as an interactive computer service, more concretely as an access software provider that enables computer access by multiple users to a computer server (§230(f)(2,4) CDA), particularly because daily updates were automatically downloaded from the server without the intervention of the user. Kaspersky’s computer program provided and enabled computer access by multiple users to the computer server and the users could, through Kaspersky anti malware software, control the content themselves.

Legislation similar to the CDA in the USA can be found in the EU in the Directive 2000/31/EC of the European Parliament and Council, on certain aspects of information society services, in particular electronic commerce, in the Internal Market (hereinafter as “eCommerce Directive”). The first part of this chapter answers the question of whether a CSSP qualifies as an information society service provider, and then addresses the question of whether there is any liability or possible immunity from liability.

As mentioned in recital (17) of the eCommerce Directive, the definition of “information society services” is derived from Directive 98/34/EC laying down a procedure for provision of information in the field of technical standards and regulations and of the rules on information society services and Directive 98/84/EC on legal protection of services based on, or consisting of, conditional access. Information society services therefore, means:

“any services provided for remuneration, at a distance by electronic means and at the recipient's request for service.”

This definition does not apply to radio broadcasting and television broadcasting services. In recital (18) of the eCommerce Directive, we can find examples of subjects, which can and cannot be considered as “information society services”. CSSPs are not expressly included in the enumeration, but also not expressly excluded. Therefore, we can have a closer look, if their actions can fit within the definition, mentioned in recital (17) of the eCommerce Directive.

1. Any service

The first part of the definition talks about “any services”. In the USA, CSSPs, eventually their overall action in providing anti malware blocking software, qualifies as an interactive computer service, because it is able to fulfill the criteria of §230(f)(2) CDA in connection with §230(f)(4) CDA66.

CSSPs provide anti-virus software to protect users from a harmful content or data. A CSSP can, therefore, be perceived as a software provider with all the aspects connected with providing specific software, mainly: providing anti-software for remuneration, making available tools for content filtering for users and subsequent interaction with users after the installation of the software (broader sense). Even though CSSPs sell the software, there is nothing similar on the market like anti-virus software, which is characterized by its daily updates. This can lead to the conclusion, that indeed they sell a product, but they also provide services, since a user’s dependence does not end after buying and installing the software. There is also a necessity to make use of services, however passive they are (narrower sense). More details about the product-service software dilemma are part of Chapter 3. So, CSSPs activities can be perceived as services in a narrower sense - they only provide services, when they allow users of their software to update detection databases or as services in a broader sense - their overall activity is, mainly: selling antivirus software, providing filtering tools for the users, updating and/or detecting and/or filtering.

2. Remuneration

Although CSSPs are usually commercial sellers of their outputs, not all of them normally provide their services and software for remuneration. There are anti-virus products available from companies such as Avira67 or Avast68, which do not require payment for downloading and using for non-commercial purposes. However, the eCommerce Directive does not explicitly define what kind of remuneration the information society service provider should obtain. The European Court of Justice in the decision Bond van Adverteerders and Others v. the Netherlands State69 pointed out that “activity that is remunerated by a third party, can also qualify as a service normally provided for remuneration”70. Although this case is related to Art. 50 of the EC Treaty, it can also be applicable for information society service providers71. In the extended sense, the reward can be seen in obtaining useful information about consumers’ behavior, or by providing space for the advertisements in their products, funded by the advertiser.

66 According to §230(f)(4) CDA an access software provider is “a provider of software (including client or server software), or enabling tools that do any one or more of the following: (A) filter, screen, allow, or disallow content; (B) pick, choose, analyze, or digest content; or (C) transmit, receive, display, forward, cache, search, subset, organize, reorganize, or translate content”

67 Avira Free Antivirus 2013 | Download Best Free Antivirus Software. (n.d.). Avira Antivirus Software for home and for business. Retrieved June 4, 2013, from http://www.avira.com/en/avira-free-antivirus

68 AVAST 2013 | Download Free Antivirus Software for Virus Protection. (n.d.). AVAST 2013 | Download Free Antivirus Software for Virus Protection. Retrieved June 4, 2013, from http://www.avast.com/index

3. At a distance

The services should be provided at a distance, where the parties are not physically in the same place, while performing actions. Starting from the narrower definition of CSSP´s services, the services are definitely provided at a distance, because a detection database is usually updated from a remote location. It becomes more complicated when we start from the broader definition, because some of the actions are not exactly executed from a distance. For example, selling can be done by purchasing a physical copy of a data carrier at a vendor’s domicile. Also blocking can occur in the situation, when the content or process is blocked in the user’s computer without a connection to the network. On the other hand, downloading a copy of the program through the Internet is being done at a distance. Also blocking or deleting of the content can be proposed by a remote antivirus scanner72. Blocking or filtering tools in the end users’ computers do not seem to be a distance service in the meaning of the European definition, but if the additional services are included, the overall activity could be classified as performed “at a distance”.

4. By electronic means

Electronic means should be used, in order to fulfill the definition of the information society service provider. More exactly, the definition of electronic means can be found in Directive 98/34/EC, in Art.1(2), where the service is provided by electronic means if it is “sent initially and received at its destination by means of electronic equipment for the processing and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means”. Regardless whether a narrower or a broader definition of services of CSSPs is used, except for selling which can be done by purchasing a physical copy on a data carrier, all the other conditions tend to be performed by electronic means. The electronic means can include various electronic equipment. So, even if the content was blocked offline, the electronic tools were used (the computer) and the condition can be met.

69 ECJ, 26 April 1988, Bond van Adverteerders and others v. The Netherlands State, Case 352/85, E. CR. 1988, p. 2085

70 DLA Piper. (2009). Liability of online intermediaries. Legal analysis of a Single Market for the Information Society, tender OJ 2007/S 202 244659 of 19/10/2007. Retrieved April 28, 2013, from http://ec.europa.eu/information_society/newsroom/cf/itemdetail.cfm?item_id=7022

71 Ibid. 70

72 However, even in this case, it is necessary to install some kind of software. It is not excluded that CSSP will exploit the bug of the web browser, but it is questionable, whether in such case we can still talk about CSSPs.

5. Recipient’s request

The recipient's request for a service can be seen in the narrower definition, where the software is updated. But there are also some tricky moments, especially when distinguishing between updates on individual requests and cases where the program updates itself, without the control of the user. If we look at the definition, where the data should be transmitted upon the individual’s request, it is not clear if every single request should be approved by the recipient, or if it is enough that the user determines automatic settings for the updates after downloading and installing the program by one simple click done at one time. The definition in Art.1(2) of Directive 98/34/EC, which states that “the service is provided through the transmission of data on individual request”, does not clarify the extent of individual control either. The broader definition fits the “recipient’s request for services” requirement better, because the filtering tools and their functions are, at least partially, managed by the end user. Therefore any actions by the user addressed to the CSSP can be considered as a recipient’s request for services.

So, according to above analysis, we can look at the CSSP as an information society service provider in two ways. Firstly, the stricter view, under which only updating of the antivirus program will be considered as a service. If we look at the definition of information society services, the stricter sense will fit with the definition. However it should be clarified, if the term “individual request” must be explained as a users’ necessity to approve every single request in every single case, or if the individuals’ request can also be seen in adjusting the settings after the installation of the software and the software then consequently automatically obtains the updates from the CSSPs server. Thus, the computer program itself performs the recipient’s request.

Secondly, if the overall activities of CSSPs were considered as information society services, there should be a focus on the answer to the question of what kinds of activities were prevailing in an individual case. If we come to the conclusion that a CSSP provided mere services, then the only tricky moment of defining CSSPs as information society service providers can be seen in the definition “at a distance”. There is no exact answer to the question, whether using CSSP’s software outside the domicile or office of the CSSP can be seen as “at a distance” enough, or if it is necessary for every single action to be provided at a distance.

4.2 If CSSPs qualify as information society service providers, will the exemptions from liability, also known as the “safe haven” apply to them?

The immunity of information society service providers in case of mere conduit services and caching from liability, however, applies only in case, where the activity of an information society service provider is mere technical, automatic and passive in nature and the provider has neither knowledge nor control over the information transmitted or stored (recital (42) of eCommerce Directive). Especially, the nature of activities indicates that a CSSP could be excluded according to the eCommerce Directive, because anti-malware software can be considered as a technical tool that, mostly without any intervention from the provider (or user), after the installation, automatically protects the end user’s computer (or data) from the malicious software. While this activity is mostly done in the end user computer, the provider has neither control nor knowledge about the information transferred. However, a CSSP can be informed about the detection or suspicious files, because their software often allows sending or reporting a detected object.73

Even though CDA provisions in the USA were not primarily enacted to protect CSSPs, there was space for their application to computer security software providers. Now we will have a closer look at whether the eCommerce Directive is applicable to the question of liability of CSSPs.

1. Mere conduit service provider

The “Mere conduit” exemption from liability can be used in a situation, when the service “consists of the transmission in the communication network of information provided by a recipient of the services”, or when the “services providing an access to a communication network, under the condition that the provider does not initiate the transmission, does not select the receiver of the transmission and does not select or modify the information contained in the transmission” (Art. 12 eCommerce Directive). From the objectives of the eCommerce Directive, it is obvious that the main intent was merely to protect traditional internet access providers74, however, it is also not forbidden to extend the scope on the other subjects, if they had fitted the definition.

73 Ibid. 32,33

Firstly, we can focus on the services of CSSPs in the narrower sense, where the definition database is being updated. There we can find a transmission of information, however, merely from the direction of the provider. The question of whether the updating process was initiated by the act of the user or if it was an automatic process, however, could be answered on a case-by-case basis only. Even if the CSSP qualifies to be a transmission provider, its liability would probably remain non-exempt. While updating the malware database, there is a selection of the receiver (the user with installed CSSP’s product), there is also some kind of initiation of the transmission (the software can inform the user about the necessity to update) and the provider selects the information contained in the transmission (the latest update of the database).

Secondly, the definition of CSSP in the broader sense will not fit with the mere conduit provider definition either, because the nature of overall services of CSSPs is different. Moreover, there can also be a stricter definition of “mere conduit” provider in the national level legislation. As an example, the transposition of the eCommerce Directive in The Slovak Republic can be used. In Art.6 (1) of the Act No. 22/2004 Coll. on electronic commerce75, a mere conduit provider exemption is available to the provider, whose only activity is to provide transmission and no other actions. Even though the CSSP had been a “mere conduit” provider according to the eCommerce Directive, there could have been a problem in Slovakia, because CSSPs also provide other services and not the transmission of updates alone.

2. Caching provider

If the services of the information society service provider consist of the transmission of information provided by the recipient in the communication network, the storage of information that is automatic, intermediate and temporary for the sole purpose of making a more efficient onward transmission to other recipients upon their request, the service is, in the meaning of Art. 13 eCommerce Directive, called “caching”. The caching provider definition does not fit with the CSSPs activity. It is unlikely that a CSSP would provide this kind of service, either in the narrower sense or in the broader sense. Therefore, the caching exemption does not apply to CSSPs.

74 Ibid. 70

75 Zákon č. o elektronickom obchode a o zmene a doplnení zákona č. 128/2002 Z.z. o štátnej kontrole vnútorného trhu vo veciach ochrany spotrebiteľa a o zmene a doplnení niektorých zákonov v znení neskorších predpisov

3. Hosting provider

According to Art.14 eCommerce Directive, “where the storage of the information provided by recipient of the service is considered as an information society service”, the provider should not be liable for the stored information. There are two conditions, under which the provider could be immune. The first condition is when “the provider neither has actual knowledge of illegal activity, nor is aware of facts and circumstances, from which the illegal activity is apparent”. Or, the second, that the “provider should, upon notice, expeditiously remove or disable access to the information”.

The CSSP’s services in the narrower sense are not provided in the way that the user stores any information. On the contrary, there is the provider’s information stored in the provider’s server in order to be downloaded by the user. In the broader sense, the storing of the user’s information or data can be seen in the case, when the user voluntarily sends a possibly infected file for the analysis and this file is stored in the providers electronic means. However, the CSSP’s knowledge of illegal activity or information is obvious, because the main activity of CSSPs is to fight against harmful and often illegal material. In order to create the preventative measures, CSSPs have to obtain and process malicious codes.

Thus, it is quite improper not to make CSSPs immune from the liability in the event of stored information provided by the recipient of the services. This can, for example, occur in the situation when multiple users send possibly infected parts of the same software, which will be stored in CSSP’s server and the owner of this software will claim that its software, or part of it, is not malicious or infected. On the other hand, until now, there is no case law, or if it exists, it is not available to the public by electronic access in Slovak, Czech, German or English language in the EU, related to this kind of situation.

4.3 Conclusion

In the USA it was not necessary to analyze which part of the Kaspersky’s software was the one responsible for providing services, simply because the definition in the CDA, after judicial interpretation, fitted for the purposes of CSSPs. Zango v. Kaspersky classified CSSPs as access software providers.

Whether a CSSP qualifies as an information society services provider according to the European eCommerce Directive remains open for discussion. However, there is a space for considering CSSPs as information society service providers. It is obvious that the eCommerce Directive in the time of creation did not deal with this kind of information society service providers, but the enumeration in recital (18) of the eCommerce Directive is not definite, and thus provides some space for flexible interpretation. But, it is also worth pointing out that at the time of the creation of the eCommerce Directive, it was clear that computer viruses existed and companies focused on protection against them were established as well.

Provided that CSSPs are considered information society service providers, attention should be paid to examining whether they provide any services and, if so, what kind of services they provide. However, the fact that providing updates of malware detection databases is a service cannot be overlooked. Whether the computer security software provider could be perceived as an information society service provider, or as a simple software vendor, or even both, will depend on the legislation of EU member states and more specifically - on individual cases.

Even if CSSPs were considered information society service providers, the exemptions from liability provided by the eCommerce Directive do not apply to them. CSSPs simply do not fit with “mere conduit”, caching and/or hosting provider definitions. Product liability, which according to the Product liability directive applies only to the end users as consumers, is analyzed in chapter 3. For the business relationships, where no harmonization is found on the EU level, the cross-section of national legislation concerning general tort law and goodwill protection of The Slovak Republic and The Czech Republic will be examined in Chapter 5.

Chapter 5 - CSSP’s liability in national legislation - The Slovak Republic and The Czech Republic

Harmonized EU legislation does not exactly answer the question of the liability of CSSPs. The national legislation in the EU member states could provide clarification in the CSSP’s liability in the legal environment. For the purposes of this thesis and because of the author’s Slovak and Czech legal background, the liability of CSSPs in case of blocking and false positive matches is being examined in the Slovak and Czech legislatures. Taking into account the fact that these countries were one in the past, their legal systems are now very similar. This also means that many legal acts in both countries, such as the Commercial (Business) Code (Act. No.513/1991 Coll.76) (hereinafter also as “BC”), or Civil Code (Act No.40/1964 Coll.77) (hereinafter also as “CC”) not only have the same number of acts in the Collection of laws, but also the wordings of the most of the provisions of these two acts remained the same. Over the years, various minor changes of the Business and Civil codes occurred, however the majority of the wording has remained the same until now. The situation is going to be changed on 1.1.2014, when the new Czech Civil Code, Act No. 89/2012 Coll.78 (hereinafter as “CCC”) comes into force. The Civil Code and the Commercial (Business) Code are expressly mentioned, because the general tort law, contractual liability and goodwill protection in both countries can be found in them79.

5.1 General tort law80

The general tort law in both countries is complicated, because the background of the tort law can be found in the Civil Code as well as in the Business Code. There is a complication not only because the types of liability are mixed in both codes, but also because in the Commercial Code, the liability is based on objective principles, whereas the Civil Code is focused more (but not always) on subjective liability. The objective principle in connection with the liability means that there is no fault needed for the party who infringed the other party’s right. In the subjective principle, the fault (whether intentional or negligent) is the necessary condition and should be examined in every single case. Moreover, in the case when there is no special regulation in the Commercial Code, the Civil Code regulation shall be applied. The most problematic aspects occur, when the Commercial Code regulates the situation only partially. When there is no special regulation in the Commercial Code, the Civil Code has to be used. The problem “which code should be used in which case” is also visible in case of liability. Therefore, it is very important to classify every single liability case very carefully.

The new CCC unifies the problematic application of both codes in The Czech Republic. In civil liability issues, the concept of uniformity of the civil delict is abandoned.81 In the classification of civil liability, the new regulation clearly distinguishes between contractual and non-contractual liability, applicable to the relationships between natural persons as well as legal persons.

76 Slovak: Obchodný zákonník č. 513/1991 Zb. z 5. novembra 1991, Czech: Zákon č. 513/1991 Sb. Obchodní zákoník ze dne 5. listopadu 1991 (both amended more than 40 times)

77 Slovak: Občiansky zákonník č.40/1964 Zb. z 26. februára 1964, Czech: Zákon č. 40/1964 Sb., Občanský zákoník ze dne 26. února 1964 (Slovak amended more than 50 times, Czech more than 60 times)

78 Zákon č. 89/2012 Sb., Občanský zákoník

79 However, there are also some individual acts related to some special kinds of liability, e.g. product liability. Slovak: Zákon č. 294/1999 Z.z. o zodpovednosti za škodu spôsobenú vadným výrobkom z 2. novembra 1999, Czech: Zákon č. 59/1998 Sb., o odpovědnosti za škodu způsobenou vadou výrobku ze dne 5. března 1998

80 Obcansky zakonik: komentar (2. vydani. ed.). (2008). Praha: C.H. Beck

5.1.1 The Slovak Republic and The Czech Republic until 31.12.2013

Due to a very complicated system of liability in both countries, the general provisions on liability are applicable for general torts (delicts) and also for liability resulting from breach of contracts. Tort liability as well as contractual liability are variously mixed and regulated in a uniform way.82 Unfortunately, this regulation on liability creates a lot of confusion and also legal uncertainty.

In this subchapter, we will examine CSSP´s blocking and mismatch as a general tort. Later, some aspects of the contractual liability will briefly be discussed between two legal entities. A detailed elaboration of contractual liability in both countries as applicable to CSSPs as software vendors could be the topic for a whole single thesis.

Firstly, we will focus on blocking and false positive detection as a tort. If there is no special provision applicable for harm caused by blocking of the content by CSSP’s software or caused by mismatch, the only possibility can be the general liability clause according to §420(1) CC. The general liability clause states that “everyone shall be liable for damage caused by violating a legal duty”. In order for a CSSP to be held liable, three conditions have to be met. First, there must be damage, second the damage must be caused by the CSSP, eventually by its software, and finally the damage must be caused by a violation of CSSP’s legal duty.

Since there is no special law or provision that would define blocking and/or mismatch as a legal duty, the possible violation could be seen in the violation of the goodwill as a consequence of blocking according to §19b (2,3) CC, or the infringement of the preventative duty according to §415(1) CC. The goodwill infringement is discussed in the next subchapter. Preventative duty in §415(1) CC means that “everyone must act so as to avoid damages to health, property, nature and environment”. Due to the nature of the possible harm, we will limit the scope only to the harm to property. The preventative duty means that reasonable care to prevent harm should be maintained. It does not mean that the person has the unlimited obligation to predict every single possible harmful act in the future83. Therefore, the CSSP should act with reasonable care when their software is released on the market. As was discussed in the previous chapters of the thesis, at the moment there is no possibility to create 100 per cent reliable software. Therefore, the evaluation whether there was a reasonable care of the CSSP or not, will depend on the court’s examination in each individual case. The statistics of false positive matches amongst various CSSPs provided by the Austrian non-profit organization AV Comparatives84 could, for example, be used as evidence.

81 Ibid. 78

82 Fiala, J., Hurdík, J., Kirstová, K. (2010). Contract law in Slovak Republic. Alphen aan den Rijn, The Netherlands: Kluwer Law International.

Secondly, we can analyze some aspects of liability in the situation where a contractual relationship exists. Product liability has been discussed in Chapter 3. Because this kind of liability is harmonized on EU level, we can expect that the content is almost the same in all the member states, with slight differences where the Product liability directive allows such a difference. However, the case where a legal entity is harmed by blocking or a false positive match of a CSSP’s software in its computers has not been discussed yet, because product liability is only applicable in the relationship between a producer and a consumer, who can only be a natural person. Therefore, the general liability provisions could be applicable in other situations, where there is no producer-natural person relationship.

In case of a contractual relationship between two legal entities, the provisions of §373-386 of the Commercial Code85 shall be applicable for their contractual liability. In our case, the BC will be applicable for the situation where the CSSP’s output was purchased and used by a legal entity, and the legal entity in the contractual relationship with the CSSP suffered harm by blocking or false positive detection of the CSSP’s software.

83 Ibid. 80

84 Ibid. 56

85 The following provisions of the BC would mainly be used as a legal background in the situation of blocking/false positive detections of CSSP’s software: “Whoever breaches a duty arising from a contractual relationship is obliged to provide compensation for the damage caused to the other party, unless he proves that such a breach was caused by circumstances excluding his liability” (§373 BC). “Circumstances excluding liability are an obstacle which arose independently of the obligated (liable) party's will and which prevent this party from performing its obligation, provided that it cannot be reasonably expected that the obligated party could avert or overcome such an obstacle or its consequences, and further that the occurrence of such an obstacle was unpredictable at the time when the obligated party undertook to perform such obligation” (§374(1) BC). “The right to damages may not be waived prior to the breach of an obligation (duty) from which damage may arise” (§386(1) BC).

When applying the provisions of the BC to a CSSP’s liability for harm caused by blocking and/or false positive detection, it must first be established whether the contract contained such an obligation of the CSSP. The observer would, with very high probability, come to the conclusion that the CSSP provides mere filtering tools used by the end user. Although other duties of the CSSP in the agreement are not excluded, they will depend on the facts of the individual case. Secondly, it must be established whether there was a breach of the contractual duty of the CSSP. If the CSSP did not have a duty to block or filter according to the contract, there cannot be any breach of such duty. Thirdly, it must be proved that the breach of the duty caused harm. Finally, even if there was a breach of the duty, there is still room for a CSSP to liberate himself from liability, if the CSSP proves that the breach was caused by circumstances excluding liability.

As pointed out above, the contractual liability for defective software in the Slovak and Czech legal environment could be the topic for one whole thesis. However, there is one important aspect related to the liability from contracts that should be mentioned. It is the very often used contractual clause not only in the EULAs, but also in other types of agreements, in which the licensee waives his rights for damages in case of harm caused by the software. This provision should be void according to the Slovak and Czech legal system, because the law forbids such a waiver86. Although it is possible to limit the amount of the damage in the contract, the limitation should be expressed more precisely, not as a general clause stating that the licensor is not liable for any damage.

5.1.2 The Czech Republic and the New Civil Code

The new CCC is also not comprehensive regarding liability of software providers. The provisions of the CCC impose a special liability regime neither for software vendors nor for CSSPs. Therefore, similar to the previous legal regime, mainly the general provision about the violation of the law according to § 2910 CCC87 and consequently the preventative duty in §2900 CCC88 could be applicable. However, there is a new provision, §2902 CCC, which states that “the one, who breached the legal duty, or the one who may know and should know that he will breach such a duty, has to inform the person who could suffer harm about such breach without undue delay. If the information duty is performed, the injured party will not have right for compensation for the damages to the extent which could be avoided after the information about such possibility of harm was obtained.” So, if the CSSP would inform, for example in the public advertisements of their software, that there is a possibility of harm caused by blocking or false positive detection, the CSSP could not be held liable to some extent, because the (possible future) injured party was informed about the possibility that the software by its blocking function can cause harm.

86 Against the provision §574(2) CC and the §386(1) BC.

87 §2910 CCC Violation of the law “The offender, who, by his fault breaches the duty imposed by the law and this act intervenes with the absolute right of the injured party, the offender shall compensate the damages caused to the injured party. The offender’s obligation to compensate damages shall also arise from the intervention to another right of the injured party, caused by faulty breach of the legal duty created for the protection of such right.”

88 § 2900 CCC “According to the circumstances of the case or the customs of the private life, everyone shall act in the way to prevent unreasonable harm on freedom, life, health or property of another.”

In the previous legislation in The Czech Republic, there was no classification that distinguished between material and immaterial objects89. The new CCC defines in §489 that the object (res) in the legal sense is everything different from the person, intended to serve human needs. The immaterial object can be the right, where the nature of the right allows such a qualification, and another object which is not substantial in nature (§ 496 (2) CCC). Because the output of the CSSP, the anti-virus software, is definitely immaterial, thanks to the new provisions of the CCC we can expect that the software will be clearly classified as an object in the legal sense.

The CCC established a new type of liability: liability for damages caused by objects. In §2937(1) CCC we can find a statement that if the damage was caused by the object itself, the reparations for an injury shall be compensated by the person, who had such object under supervision. If it is impossible to determine, who the person is, the owner of such object will be considered as the person who had the object under the supervision. Therefore, if the damage was caused by a copy of the software the user had in his computer and the user had the supervision over this software, the CSSP will not be held liable for such damage. Moreover, the position of the CSSP will be strengthened by §2902 CCC – regarding preventative duty - that was discussed above.

The provision of § 2913 CCC90 - about liability of the party in case of breach of a contractual obligation - clarifies contractual liability in the Czech environment. However, the provision does not change the nature of the previous legal regulation; therefore it is not necessary to discuss it again.

89 According to the §119 CC the only classification is that the objects are movable and immovable.

90 §2913(1,2) CC : “If the party of the contract breaches the contractual obligations, the party shall compensate the damage caused by such a breach to the other contractual party, to protection of whom the provision should serve. The party who breached the contractual obligation shall be liberated in case he proves the breach was caused by special unforeseeable and impassable obstruction which come into being without breaching party´s fault.”

5.2 Goodwill protection

5.2.1 The Slovak Republic and The Czech Republic until 31.12.2013

The Slovak and Czech background for protection against unlawful infringement of goodwill of a legal entity is §19b(2) CC and §19b(3) CC. The provision of §19b(2) CC reads that if there is an unauthorized usage of the business name of a legal entity, the legal entity is entitled to claim at the court, so that the unauthorized user shall refrain from unauthorized usage and stop the infringement. The legal entity may also ask for an appropriate satisfaction that may be awarded even in money. According to §19b(3) CC, the provision of §19b(2) CC is adequately applicable to an unlawful infringement of goodwill of a legal entity.

Because Judge Fisher’s concurring opinion in Zango v. Kaspersky in the USA expressed the concern about the “anti-competitive blocking in the web browser of the third-party search engine results”, it is proper to mention it also on the national level. So, the additional protection of goodwill in The Slovak Republic and The Czech Republic can be found in the provisions concerning the protection against unfair competition in § 44 and §48 BC.

An interesting case about the relationship between general goodwill protection and protection of goodwill in competition is case No. 3Cmo/46/2000, decided by The High Court in Prague (Vrchní soud v Praze) in The Czech Republic. The injured company sued another company, which provided databases on a CD, including a list of economic subjects. In this list, the injured company was marked as “in liquidation”, which in the Slovak and the Czech republic means that the company had terminated its activities and actually is in the phase of final liquidation of its assets. The information about the injured company was not true and the injured company claimed for damages referring to §44 BC on unfair competition. The High Court in Prague dismissed the action because the injured company should use general protection of goodwill according to §19b (2,3) CC, not the provisions used for the protection against unfair competition. Therefore, in case of infringement of goodwill, attention has to be given to whether the infringement occurred in connection with competition.

The provisions on goodwill protection in both countries are very brief, therefore more clarification can be found in the case law of The Supreme Court of the Czech Republic as well as The Supreme court of The Slovak Republic.


An important case relating to goodwill protection is the decision of The Supreme Court of The Slovak Republic No. 4 Cdo 212/2007, which clarified the applicability of provision §19b(2,3) CC. In order to benefit from the protection of §19b(2,3) CC, the unlawful intervention has to be objectively capable of harming goodwill. The term unlawful intervention means every false statement interfering with the interests of the legal entity protected by §19b(2,3) CC. The unlawful intervention can also be a critique, if it overreaches the limits of justified critique. The liability for the infringement of goodwill is based on an objective principle, which means that it is not necessary to prove fault. If the infringement is based on factual statements, the author of the unlawful infringement has to prove that his claims are truthful in order not to be held liable.

Now, we can apply this case law to a CSSP’s liability for blocking and false positive blocking. If a CSSP is sued for goodwill infringement, it must be proved that the blocking or false positive blocking is able to cause real harm. If this can be proved, in order to be liberated from liability, the CSSP must prove that the blocking was legitimate. This means that the false positive blocking could be capable of infringing the goodwill of the legal entity in certain cases.

Another important decision is the ruling of the Supreme Court of the Czech Republic in case No. 30 Cdo 1385/2006. The decision clarified the question: “What does the term ‘goodwill’ mean and how is goodwill examined when an infringement occurs?” According to the respectability principle, the legal entity has goodwill until it is proved that there is no goodwill. The creation of the goodwill of the legal entity starts from the moment of the creation of the legal entity and it develops during the existence of the legal entity. The goodwill of the legal entity will primarily be considered according to the legal entity’s behavior in business relations. Therefore, the creation of the goodwill of a particular legal entity will depend on the experiences of business partners, customers or other subjects when dealing with this particular legal entity. The protection against unlawful infringement of goodwill can be exercised by a claim in which the harmed party asks the court to impose on the infringer the obligation to stop the infringement. There is also the possibility to claim appropriate compensation, which can be awarded as a monetary payment. If the injured party suffered damages, there is a possibility to claim damages according to §420 CC. The application of appropriate means for protection against unlawful infringement of goodwill should be assessed on the basis of the facts of each individual case.


5.2.2 The Czech Republic and the New Civil Code

In the CCC, the legislator decided to abandon the old terminology used in the CC and replaced the term “goodwill” by the term “reputation”. The protection against unlawful infringement of reputation of a legal entity can be found in §135(1, 2) CCC.

According to §135(1) CCC “a legal entity that has been harmed by contestation of its right to have a business name, or the legal entity that has suffered an injury by unlawful infringement of this right, or where there is a threat of this harm, especially by unauthorized usage of its business name, the legal entity is eligible to claim to refrain from unlawful interference, or claim to remove the consequences of the infringement”. Similarly, in the meaning of §135(3) CCC, the same protection is available to the legal entity against the one (natural person or legal entity), who without legitimate reason interferes with the reputation or privacy of the legal entity, except for scientific or artistic purposes, or the purposes of press, broadcasting, television or similar coverage; however, such interference cannot be inconsistent with legitimate interests of the legal entity.

Because the change is one of wording and does not actually alter the contents, except for the new exceptions from liability for scientific, artistic and media purposes, the previous case law related to goodwill protection will be applicable also after the CCC comes into force. So, in the case of Zango’s claim for goodwill protection in The Slovak or Czech republics, there is a high probability that the action would be dismissed. Zango was fined by the Federal Trade Commission for inappropriate practices, therefore Zango lost its goodwill. When there is no goodwill, there cannot be an infringement of goodwill under new and old Czech and Slovak laws.

To sum up the findings in the recent Czech and Slovak laws, we can come to the conclusion that if a CSSP acted with reasonable care while creating software and the software by its blocking function or false positive detection caused harm, the CSSP should not be held liable. If there was a contractual relationship between the CSSP and the legal entity, the CSSP would be held liable only if the CSSP breached an obligation from the contract. However, we must point out that any waiver of the right to damages by the other party to the contract would be considered void according to the currently effective Slovak and Czech legislation.

According to the upcoming CCC in The Czech Republic, a CSSP could, at least partially, liberate himself from the general preventative duty as discussed above, by providing information about the possible harm that can be caused to the user by the anti-virus software. The new special kind of liability - the liability caused by an object, can also indicate the CSSP’s ‘non liability’. Because the anti-virus software in the user’s computer was under supervision of the user, the CSSP would not be held liable. Moreover, if we consider a user as the owner of the copy of the software, even if the user did not have the supervision over the software, the user as the owner of the object himself should be liable for the harm.

There is a slight difference in the case of infringement of goodwill, where a CSSP could, by false positive detection, infringe the goodwill of another legal entity. First, it should be established whether the infringement occurred in competition on the market. Secondly, it must be proved that the injured legal entity had any goodwill. And thirdly, if the harm to goodwill was caused by blocking, the CSSP should prove that the blocking in this special case was legitimate. It should be pointed out that even if the harm was caused by an infringement, the injured party should first ask the court to order the CSSP to refrain from the infringement. This is highly improbable, because if the detection was truly false the CSSP would be informed in advance and would have the opportunity to fix the problem. Moreover, if the injured party wanted to obtain monetary damages, the injured party should also be able to quantify the harm in exact amounts of money. The situation according to the new CCC in The Czech Republic regarding the protection of the reputation of legal entities does not differ from the previous legal regulation, except when the situation occurs in relation to scientific, artistic and media purposes.

Chapter 6 - Conclusion

This thesis has investigated liability of Computer security software providers in the European Union. The results of this research support the idea that there is no uniform concept of CSSP’s liability and immunity from liability in the question of blocking and false positive detections in the EU. Whereas Zango v. Kaspersky immunized CSSPs from liability according to §230 CDA in the USA, liability and immunity of CSSPs in the EU merely depends on the legislation of each EU member state.

The study also showed that the immunity of CSSPs in the USA should not be considered absolute and definitive. There are two reasons why. Firstly, the immunity can be misused for anti-competitive purposes. The second reason concerns the scope of control that CSSPs award to the user of their software. If the user cannot decide which content will be blocked, a CSSP in the USA should be liable, unless such CSSP acted in good faith.


Liability of CSSPs in the EU generally depends on whether the CSSP’s software is a product or a service. CSSPs’ software is unique in its nature because it is updated very often. Although updates of the software appear to be a service, the CSSP’s final output is often labeled as a product in the vendor’s terms and conditions. Moreover, CSSPs’ software is sold as “ready-made” software which is, in practice, considered merely a product. However, even if the software is considered a product, the classification does not clearly determine CSSPs’ general contractual liability because of the sale-license agreement dilemma.

Product liability, or liability for product safety, according to the applicable EU directives resolves the liability of CSSPs only if the CSSP’s software is considered to be a product. This kind of liability is applicable to the consumer-producer relationship only, so the scope of possible application is very narrow. CSSPs’ product liability is complicated by the obsolete definition of product in the Product liability directive, the financial threshold of damages and the burden of proof on the consumer. This leads to the conclusion that CSSPs can be liable but in fact they cannot be penalized under the regulation of the Product liability directive.

The EU legislation provides space for classification of CSSPs as information society service providers according to the eCommerce Directive. However, even if CSSPs’ activities can be classified as information society services, the “safe heaven” immunity from liability regulated by the eCommerce Directive is not applicable. Therefore, liability of CSSPs depends on the tort law or specific provisions of the EU member states.

Detailed research on the liability of CSSPs for blocking and false positive matches was carried out in the Slovak and Czech legal environment. Although it is improbable that a CSSP would be liable for breach of the general tort law in both countries, the study showed that, especially in the case of false positive matches, CSSPs could be held liable for goodwill infringement. According to the forthcoming Czech Civil Code, CSSPs will be able to liberate themselves from liability for torts, but the liability in the case of infringement of the reputation of a legal entity remains the same as in the previous legal regulation.

It is obvious that the applicability of EU directives to CSSPs’ liability is very limited. Another problematic aspect appeared to be case law related to CSSPs. No relevant judicial decision related to CSSPs was found in the researched countries in the EU.91

The evidence from this study suggests that CSSPs in the EU member states could be held liable, even though their contribution to society outweighs the possible negatives. Future research should therefore concentrate on the investigation of liability of CSSPs in all the other EU member states. Further research could also focus on the impact of possibly awarded immunity of CSSPs on the EU legislation and the legislation of the EU member states.

91 United Kingdom, Germany, Slovak republic and Czech republic

Bibliography

Akdeniz, Y. (2010). To Block Or Not To Block: European Approaches To Content Regulation, And Implications For Freedom Of Expression. Computer Law & Security Review, 26(3), 260-272. Retrieved April 16, 2013, from http://dx.doi.org/10.1016/j.clsr.2010.03.004

Albeit, K. (2001). Applicability of the EU Product Liability Directive to Software. Comparative & international law journal of Southern Africa, 34(2), 188. Retrieved April 16, 2013, from the Hein Online database.

August, T., & Tunca, T. I. (2011). Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments. Management Science, 57(5), 934-960. Retrieved April 22, 2013, from http://mansci.journal.informs.org/content/57/5/934.full

Blythe, S. (2005). Contractual Liability of Suppliers of Defective Software: A Comparison of the Law of the United Kingdom and United States. Northwestern Journal of International Law & Business, 26(1), 77-94. Retrieved April 25, 2013, from the Hein Online database.

Brownsword, R. (2008). Internet Filtering: Rhetoric, Legitimacy, Accountability and Responsibility. Regulating technologies (p. 15). Oxford: Hart.

Callaghan, D., & O'Sullivan, C. (2005). Who should bear the cost of software bugs?. Computer Law & Security Review, 21(1), 56-60. Retrieved April 18, 2013, from the ScienceDirect database.

Colnon, N. R. (2012, March). Limiting § 230 Immunity for Providers of Filtering Software. Expresso, -, 46. Retrieved April 24, 2013, from http://works.bepress.com/nicholas_conlon/2/

Cusumano, M. (2004). Who is Liable for Bugs and Security Flaws in Software?. Communications of the ACM, 47(2), 25. Retrieved April 26, 2013, from the ACM Digital Library database.

DLA Piper. (2009). Liability of online intermediaries. Legal analysis of a Single Market for the Information Society, tender OJ 2007/S 202 244659 of 19/10/2007. Retrieved April 28, 2013, from http://ec.europa.eu/information_society/newsroom/cf/itemdetail.cfm?item_id=7022

European Commission. (2012, January 11). A coherent framework for building trust in the Digital Single Market for e-commerce and online services. Commission Communication To The European Parliament, The Council, The Economic and Social Committee and The Committee of The Regions, COM(2011) 942 final. Retrieved April 17, 2013, from http://ec.europa.eu/internal_market/e-commerce/communications/2012/index_en.htm

Fenno, E., & Humphires, C. (2011, August). Protection Under CDA § 230 and Responsibility for Development of Third-Party Content. Communications Lawyer, 28. Retrieved May 11, 2013, from http://www.fennolaw.com/uploads/Protection_Under_CDA_230.pdf

Fiala, J., Hurdík, J., & Kirstová, K. (2010). Contract law in Slovak Republic. Alphen aan den Rijn, The Netherlands: Kluwer Law International.

Heckman, C. (2003). Two Views On Security Software Liability: Using The Right Legal Tools. IEEE Security & Privacy Magazine, 1(1), 73-75. Retrieved April 17, 2013, from http://dx.doi.org/10.1109/MSECP.2003.1203443

Lloyd, I. (1991). Liability For Defective Software. Reliability Engineering & System Safety, 32(1-2), 193-207. Retrieved April 16, 2013, from the ScienceDirect database.

Lovells. (2003, February). Product liability in the European Union. A report for the European Commission, -. Retrieved April 17, 2013, from http://ec.europa.eu/enterprise/policies/single-market-goods/files/goods/docs/liability/studies/lovells-study_en.pdf

Mann, R. (2005). The Promise of Internet Intermediary Liability. William and Mary Law Review, 47(1), 239-308. Retrieved April 20, 2013, from http://works.bepress.com/ronald_mann/24/

Moore, T. (2010). The Economics Of Cybersecurity: Principles And Policy Options. International Journal of Critical Infrastructure Protection, 3, 103-117. Retrieved April 16, 2013, from http://dx.doi.org/10.1016/j.ijcip.2010.10.002

Obcansky zakonik: komentar (2. vydani. ed.). (2008). Praha: C.H. Beck.

Prins, J. E. (2003). Consumers, Liability, And The Online World. Information & Communications Technology Law, 12(2), 143-164.

Quon. (2010). Implementing a Standard of Care to Provide Protection From A Lawless Internet. Whittier Law Review, 3(31), 589. Retrieved April 16, 2013, from the Hein Online database.

Raman, J. (2006). Contracting over the quality aspect of security in software product markets. In Proceedings of the 2nd ACM workshop on Quality of protection, QoP '06, 19-26. Retrieved April 25, 2013, from the ACM Digital Library database.

Reidenberg, J. R., Debelak, J., Kovnot, J., & Miao, T. (2012, April 24). Section 230 of the Communications Decency Act: A Survey of the Legal Literature and Reform Proposals. Fordham Law Legal Studies Research Paper No. 2046230, -, 75. Retrieved May 10, 2013, from the SSRN database.

Ryan, D. (2003). Two Views On Security Software Liability. IEEE Security & Privacy Magazine, 1(1), 70-72. Retrieved April 17, 2013, from http://dx.doi.org/10.1109/MSECP.2003.1176999

Salt, J. (1997). Liability For Information And The 'information Society'. International Journal of Law and Information Technology, 5(3), 308-325. Retrieved April 28, 2013, from http://dx.doi.org/10.1093/ijlit/5.3.308

Schellekens, M. (2011). Liability of internet intermediaries: A slippery slope?. Scripted, 8, 154-174. Retrieved April 16, 2013, from http://www.law.ed.ac.uk/ahrc/script-ed/vol8-2/schellekens.pdf

Štenglová, I., Plíva, S., Tomsa, M. a kolektiv. (2011). Beckova edice Komentované zákony Obchodní zákoník (11. vyd. (C.H. Beck 1. vyd.). ed.). Muenchen: Beck.
