Eugene Kaspersky Duqu 2
Eugene Kaspersky, on stage at DLD 2013 where he called cyber-weapons cleaner but much worse than traditional weapons. Mikko Hypponen/Twitter

Q: Why won't sharks attack lawyers?

A: Professional courtesy

I overheard that joke once when I was on a flight. For some reason, it stuck with me. While it's obviously a tad harsh to tar all lawyers with the same brush, my recent encounters with legal practitioners have done little to disprove the accuracy of this joke.

In 2015, not only do we have patent trolls shaking down companies, but we must also contend with a growing number of predatory law firms disguising themselves as "consumer champions". Little more than opportunistic shysters, these firms make their money by launching dubious class-action claims against companies that they believe can be scared into settling out of court (to make the problem go away).

Here's how they work.

Take a manufacturer of a consumer good. One of these law firms, through hard work and persistence, has uncovered an alleged small flaw in the manufacturer's product. Once they find the most promising "defect" they seek out a supposedly affected and aggrieved consumer, who then files a claim against the manufacturer.

Not only do they file the claim on their behalf, but also on behalf of a large group in a class-action lawsuit claiming violation of consumer rights. A website is created and an advertising campaign is launched (no joke) calling on consumers to join their concerted effort against the "excesses, unfairness and incompetence" of the alleged guilty party.

A flea bite to an elephant

In the US, there are even dedicated websites that keep track of such litigation and send out emails, encouraging their mailing list to sign up. Ten bucks here, another ten there - a tidy sum of extra income can be earned.

For large multinational companies with multimillion dollar turnovers – generally these class actions hardly even register. They are like a flea-bite to an elephant. However, for not-so-big companies, small software vendors for example, class actions add up to huge sums.

Often the money has to be taken from their research and development pot; but sometimes, the hit is so hard that it's simpler to just declare bankruptcy and start the business over.

I don't know how many tens of thousands of lawyers earn their living feeding at this trough or what the annual turnover is ($6-£8bn (£4.1-£5.5bn) has been estimated), but what I do know is that these days, it's very widespread.

And it's obvious why. Costs are minimal and the companies that are targeted by this kind of extortion generally prefer to negotiate than fight through the courts. For big companies, it's often not worth the reputation damage to slug it out in court, nor is it worth tying up legal resources for months on end.

Shake-down artists

For others, they simply don't have the wherewithal to go to court (it's never cheap). As a result, this industry flourishes as more and more lawyers pour into it after getting a whiff of the easy bucks.

Still not convinced that these "consumer champions" are simply shake-down artists? Then let me give you another example.

A little over a year ago, Edelson, one of the most notorious "consumer champions", approached a competitor of ours with a class action claim. Our competitor chose to settle the claim and avoid a long, protracted court case.

They ended up paying $700,000 to Edelson, $1.25 million to nominated third-party organisations, and a paltry $9 plus three months free use of its product to each participating consumer. It's fairly clear who the real winners were in this scenario (hint: it wasn't the consumers).

So when my company became a target of one of these ridiculous law-suits, we were instantly on high alert.

Kaspersky Security SCan
The notification which pops up after Kaspersky Security Scan runs Kaspersky Lab

We fight to the end

In our case, the claim was in relation to our free Kaspersky Security Scan (KSS). The plaintiff, Barbara Machowicz, represented dutifully by her lawyers, alleged "[that she was] fraudulently induced to buy [Kaspersky Lab's] security software through... KSS, which is purportedly designed to 'detect unwanted malware, software vulnerabilities, and other non-malware security problems'" and "that KSS is essentially 'scareware' engineered to detect fake security threats".

KSS scans a computer for malicious and suspicious programs, system and application vulnerabilities, the correctness of settings, and other particulars that could affect the security of the computer.

Machowicz had KSS scan her computer, and though it didn't find any malware, it did find a slew of vulnerabilities, including dangerous Windows and Internet Explorer settings, USB and CD auto-runs, and caching of data received via https. As a result, KSS rightly issued Machowicz its verdict: "Your computer could be at risk. Problems found!"

After a little digging of our own, we soon confirmed our hunch. The same law firm, Edelson, which had recently targeted our competitor was now coming after us.

They probably expected an easy fight, but they weren't going to get one. We have a strict policy on negotiating with opportunistic bullies. We don't. Instead, we fight to the end. It's not the easy way out, nor the cheapest, but we believe it is the right approach as it sends a clear message that we won't be coerced or pushed around.

We have a strict policy on negotiating with opportunistic bullies. We don't. Instead, we fight to the end
- Eugene Kaspersky

So back to the story... as many of you are probably aware, today's antivirus software protects against much more than just viruses, just like today's definition of a 'threat to a computer' goes far beyond malware. The problem is, not everybody understands this, and in our experience, courts can be especially pedantic when it comes to details. We knew that if we were going to build a defence, we'd need to spell it out for them.

Disappeared

So we set about preparing detailed explanations of each of the 112 'non-virus' vulnerabilities that KSS considers a threat. We created ready examples of malware penetrating a system via these vulnerabilities. We'd even set up a stand for a live demonstration so that the court could see attack scenarios via these found vulnerabilities and how Kaspersky Internet Security protects against them.

But before we could start to provide our explanations, all of a sudden a most unexpected, interesting, yet very satisfying thing happened: the plaintiff... disappeared! And all communication with her lawyers stopped. What actually happened I don't know, but the lawsuit was dropped.

Maybe the opposing side finally understood how serious vulnerabilities are and how important anti-malware programs can be to the stability of a computer? We can only guess.

As satisfying as this victory was, importantly it sent a very strong signal to other predators to stay away: there's no easy money here. And perhaps even more importantly, now other tech companies have access to a working case on how to successfully fight legal attacks like this one.

So if you're a developer and these types have already started going after you, send me a message. We'll be glad to assist. Meanwhile, we'll rest easy knowing that we stood up for ourselves and ultimately sent our bully packing.


Eugene Kaspersky is the founder and CEO of security company Kaspersky Lab