If you haven't already heard, over this last weekend a character in World of Warcraft went on a killing spree. A virtual killing spree, but a killing spree nonetheless. Video of the massacre can be found on the linked page (thanks to Wired for the coverage).
The Wired article points out that the scene was very similar to an episode of South Park called "Make Love, Not Warcraft." If you haven't seen it, you can watch it here: http://www.southparkstudios.com/full-episodes/s10e08-make-love-not-warcraft.
Go ahead, we'll wait..........
Great episode, right? Of course, as we lawyers are wont to do, we read stories like this do not focus on the "life imitating art" aspect. Instead we pose questions to ourselves like "who's liable for what?" It's sad, but true (sigh). So here are some initial thoughts on legal liability:
There are a lot of people who were harmed here, but we can make things simple by classifying them into two categories: Blizzard and other players. As to Blizzard, they could pursue a number of causes of action against the Hacker. For example, trespass to chattels (an archaic legal name for "you improperly took my stuff, or otherwise deprived me of it") could exist. So too could a copyright cause of action depending on how the exploit occurred (consider the glider case - MDY v. Blizzard - and whether this would rise to the level of a precondition to the license agreement [pdf]). Other causes of action may similarly apply, depending on facts like the nature of the exploit, the location of the Hacker, the systems used to take advantage of the exploit, etc. After all,
As to other players, however, this is a more complex question than you might think. After all, WoW is a game where players can and often do kill each other. So we would have to separate the killings from those inside a no-PvP zone, and those outside. For those inside, causes of action against the Hacker may be available because no one would expect to be killed in a no-PvP zone. However, you have to ask whether it would be worth anyone bringing a claim for loss of virtual property triggered by a WoW death for several reasons. First, players may not even own the lost property depending on what was lost and the applicable EULAs/Terms and Conditions. Second, what is the value of that property? If it is something Blizzard could restore at the touch of a button, perhaps there is little to no value to the lost items. Third, what if the player whose character was attached had no right to certain lost items in the first place (e.g., purchased through illegal online auctions, stolen etc.). For these reasons, it would be difficult to value what may have been lost, thereby reducing the incentive for someone to sue the Hacker.
For the killings in a PvP zone, there might not be any cause of action available for players to sue the Hacker in the first place. After all, they were in a PvP zone, and thanks to a legal doctrine known as assumption of the risk, that might be the end of the case. Assumption of the risk states, in its most basic form, that if I engage in an activity I know to be dangerous, I cannot sue for damages if I'm hurt by the activity. Consider jumping off a high dive into a pool with no water - I know there's a chance (a really good one) that I'll be hurt badly. So if I jump and get hurt, I can't sue - I "assumed the risk" inherent in the activity. Same goes for being in a PvP zone. Of course, that's not to say someone won't come up with some creative legal theory, but making it stick will be difficult in this circumstances.
Could players sue Blizzard because it did not catch and fix the exploit prior to the Hacker's massacre? Perhaps, but this will depend entirely on the facts. If Blizzard knew of the exploit but did nothing about it, that could form the basis of a negligence case. But if Blizzard was caught entirely by surprise by the existence of the exploit, a negligence case could be difficult to prove. Moreover, Blizzard appears to have acted quickly in hotpatching WoW so that the exploit could no longer be used, meaning that a claim of ongoing negligence would be difficult to win.
Besides, Blizzard's EULA states that the software is provided "as is." This gives Blizzard another defense should a player whose character was killed by the Hacker try to pursue a legal claim against Blizzard.
What from the game dev/publisher side can be learned by this experience? A few thoughts:
- People will always find some way to take advantage of your game - expect it and have a plan to deal with it.
- Put that plan on paper before you need it. I don't know whether Blizzard did this, but given the speed with which everything happened, it would not surprise me if they did. Having a plan in place prior to needing it is a "good fact" that can help reduce claims of negligence down the road.
Also, don't create a plan then lock it in a box. Review it regularly, and revise as necessary to keep up with new threats and technologies. A plan dealing with a computer crisis circa 1992 isn't a good plan for 2012.
- Take action to stem the damage being done as soon as you reasonably can, regardless of whether that damage is legally cognizable or not. Be careful not to act too soon, however. Never act just for the sake of doing something quickly - do your research and act responsibly, just do it as quickly as you can.
- Review your EULAs and Terms and Conditions documents. If you don't know what precondition language I referred to in the above sections, read the links, then drop me a line. It is something you definitely want to look into.