YORUCHA - GAIN IN-DEPTH HALACHIC KNOWLEDGE FOR CONTEMPORARY BUSINESS DEALINGSLEARN MORE

Pay per Click: Are Virus Senders Liable?

Adapted from the writings of Dayan Yitzhak Grossman

June 3, 2021

 

Our previous article discussed the permissibility of businesses paying ransoms for the release of data held hostage by ransomware cyberattacks. In this article, we consider whether cyberattackers who cause financial harm by sending emails bearing viruses can be held halachically liable for their activities.

R’ Yaakov Dovid Schmahl, a dayan in Antwerp, was asked about someone who sent an email containing a computer virus to someone else, and the virus damaged the recipient’s computer data. (It seems that the sender sent the virus knowingly and maliciously, although this is not explicit.) Rav Schmahl notes various arguments for exempting the sender from liability bedinei adam (under human law), including the Talmudic rule that

One who places poison before another’s animal is exempt according to human laws but liable according to the laws of Heaven.[1]

According to Rav, this is due to the principle that “[the animal] should not have eaten it,” which Tosafos explains to mean that “since [the animal] deliberately brings upon itself the thing that damages it, it is not appropriate to hold [the one who placed the poison] liable for this.”[2] In our case as well, argues Rav Schmahl, since the virus is activated by the recipient opening his mailbox and downloading the infected email to his computer, there should be no liability bedinei adam.

The Rosh, however, apparently understands that the exemption of the placer of the poison is based on the assumption that an animal eating something that is harmful to it is unlikely, and it is therefore not the responsibility of the placer of the poison to anticipate the animal eating it, but rather that of the animal’s owner, if present, to prevent his animal from doing so.[3] While many users do run effective antivirus software, some do not, and some viruses may slip by such software; and while some users scrupulously follow the strong recommendations of security experts to avoid opening dubious emails and certainly their attachments, not all do. It can thus be argued that it is not unlikely that a user will open a virus-laden email (particularly if the sender is someone he knows, or if the fraudulent email is well disguised as a legitimate one), and so according to the Rosh, the Gemara’s principle might not apply to our case.

Rav Schmahl does not mention the opinion of the Rosh, but he does cite the Chazon Ish who points out that the Torah holds the digger of a pit liable for damage caused to a victim who stumbles into it, despite the fact that the pit’s victim, too, brings upon itself the thing that damages it. The Chazon Ish explains the distinction to be that in the case of the pit, although the victim intended to approach the pit, it did not intend to fall into it, and the act of falling in happened against its will, whereas in the case of the poison, the victim brought the damage upon itself “from beginning to end.”[4]

Accordingly, Rav Schmahl argues that the email virus is analogous to the pit rather than to the poison, because unlike in the case of the poison, where the animal did choose to eat the poison (although this was due to its failure to discern its harmful nature), the recipient of the email intended to download a legitimate email, and not a malicious virus, and the sender is therefore liable just as is the digger of the pit.

This analysis is debatable; it could easily be argued that the animal, too, did not wish to eat poison, but rather wholesome food, but it is still considered to have “brought upon itself the thing that damaged it” since ultimately it did intend to eat the stuff before it. Likewise, the email recipient intended to download the email, even though this is because he assumed it to be a legitimate email rather than a virus.

Moreover, as Rav Schmahl himself notes, the Shach extends the exemption from liability for poisoning to someone who adulterates legitimate animal food with poison.[5] In this case, in the context of the Chazon Ish’s distinction, it would certainly seem plausible to view the animal as having intended to eat only the wholesome food and not the poison. Rav Schmahl is forced to explain that since the animal deliberately ingested the food, which turned out to have been adulterated with poison, it is considered to have deliberately ingested the poison. It can similarly be argued that intentionally downloading an email that turns out to have been malicious is likewise considered the equivalent of intentionally downloading the malicious content.

Rav Schmahl himself ultimately concedes that his distinction between the poison and the virus is debatable, and the recipient of the virus may indeed be considered to have brought upon himself the thing that damages him. He records that he posed the question to R’ Mendel Shafran, a leading dayan in Eretz Yisrael, who responded that our case “is exactly like a pit,” and the sender is therefore liable. He explains the distinction between the cases of the poison on the one hand, and the pit and the email on the other, to be that when the victim’s action that triggered the harm is one that is generally performed as a matter of routine, without conscious thought, such as walking or opening email, we do not exempt the tortfeasor from liability on the grounds that the victim is considered to have brought the harm upon himself; the only time this exemption applies is when the victim’s action is the product of deliberate intent and a conscious decision, such as eating.[6]

[1]Bava Kama 47b.

[2]Tosafos ibid. s.v. Havah Lah shelo sochal.

[3]Piskei HaRosh ibid. siman 3. Cf. Sma C.M. siman 393 s.k. 4; Shimru Mishpat (Zafrani) cheilek 1 pp. 396-7.

[4]Chazon Ish Bava Kama siman 8 os 9.

[5]Shach C.M. siman 386 s.k. 23.

[6]Shu”t Kisos Levais Dovid cheilek 2 siman 134 pp. 352-5.

image_pdfimage_print

Related Posts

NEW Yorucha Program >