A website for Currys PC World, www.currys.co.uk, included a product page for the PC World Knowhow Cloud seen in December 2016. Text stated “Once backed up, your files can be accessed whenever you need them, anywhere in the world” and “All your data is protected and backed up in our military grade encrypted UK based data centres. You can also secure the files on your computer, so if it’s ever lost or stolen your data is safe”.
The complainant, a business that understood the product would protect their data and secure it in the event it was lost or stolen and later found after a ransomware attack that their data was only recoverable if their files were individually recovered through a time-consuming manual process, challenged whether the ad was misleading and exaggerated the performance of the product.
DSG Retail Ltd said they did not believe the ad had exaggerated the performance of the product, rather that the ad accurately described the function of the service. They said “Lost or stolen” in the context of the ad referred to a hard drive failure, files deleted accidentally, a laptop being left on a train or perhaps stolen from a customer’s property. They said in these scenarios, files could be restored quickly and in bulk where necessary. They said “Lost or stolen” was not intended to cover files that were virus infected, which created a rather complex situation for restoration and could not be done in bulk by the user.
They said that their Cloud service backed up each document individually and that when a document was edited and re-saved, a new version was created. Further, if a file was to become encrypted with ransomware and then backed up in this encrypted state, that the Cloud service did not virus scan or check the files, so they would have no way of knowing which files were encrypted this way. They said this created a complex issue for restoring files to their pre-encrypted state and could only be done individually file by file.
They said previous versions of the files could be restored, but this required the user to manually choose which version of the file to restore per file. They said the files referred to by the complainant had not been lost or stolen; they had been infected by a virus which may have been caused by the failure of the user to suitably carry out updates to their computers or by inadequate virus protection. They said without the software interrogating each file individually, which could give rise to privacy risks, it was impossible to know which version of a file should be restored, which is why it was a manual process. They said files could be encrypted by virus or password and then automatically backed up to the Cloud. They said if a user then lost this password it was not the responsibility of the cloud product to unlock these files.
They said they did not think the ad was misleading as they had made no specific claim that their product protected against any particular virus.
The ASA considered that consumers would generally be aware that a cloud storage product allowed them to back up their own data from their personal devices via external storage services and would be aware that cloud storage was as secure as the servers connected to it. We also considered that consumers would be generally aware that storage services were separate from anti-virus or anti-malware services that could be purchased independently. They, would, however, consider that having an online backup was a means of mitigating the risk of data being lost or stolen. Therefore, we considered consumers would understand the text “Once backed up, your files can be accessed whenever you need them, anywhere in the world” and “You can also secure the files on your computer, so if it’s ever lost or stolen your data is safe” to mean that if something happened whereby their data was lost or stolen, this product would enable them to access their data, specifically by downloading their data, as it was, at a specific date, easily and in a timely manner. However, we understood that this was not how the product worked.
Further, we acknowledged that the ad did not explicitly state that the product included anti-virus or anti-malware. However, we considered that the impression created by the ad was not that the product was singularly for cloud storage, but that it provided some sort of additional security. This was suggested by the claim “Complete Security … All your data is protected and backed up in our military grade encrypted UK based data centres. You can also secure the files on your computer, so if it’s ever lost or stolen your data is safe”. We considered that consumers would understand this claim to mean the product would provide additional security benefits beyond those a standard cloud storage service would provide.
Because we understood that the product could not enable consumers to access or restore their data easily and in a practical and timely manner and did not provide additional security benefits, we considered the ad was misleading.
The ad breached CAP Code (Edition 12) rules 3.1 (Misleading Advertising) and 3.11 (Exaggeration).
The ad must not appear again in its current form. We told DSG Retail Ltd to ensure they did not exaggerate the capability or performance of their product and to not imply products they offered had additional security benefits when they did not.