Analysis Last week, fourteen cybersecurity experts, infosec biz ESET, and tech advocacy groups the Internet Association and TechFreedom filed friend-of-the-court briefs urging the US Supreme Court to review a 2019 appeals court ruling against antivirus maker Malwarebytes.
The flurry of legal arguments represents an effort to ensure blanket immunity protections outlined in Section 230 of America's Communications Decency Act (CDA) – which Malwarebytes is relying on – remain as broad as possible.
In 2017, a district court judge in San Jose, California, dismissed a complaint brought by Enigma Software against its competitor Malwarebytes. Enigma filed its complaint because Malwarebytes' tools labelled Enigma's anti-spyware app a "potentially unwanted program," and asked users whether they wanted to remove it, if it was detected on a system.
Enigma claimed that its Spyhunter software was legitimate and posed no threat to users. However, Malwarebytes prevailed in court when the judge dismissed the case, citing 2009's Zango v. Kaspersky decision. The judge affirmed Malwarebytes was immune from liability under 47 U.S.C. § 230(c)(2)(B) of the CDA.
Malwarebytes back to square one as appeals court rules blocking rival antivirus maker isn't onREAD MORE
That section of the law exempts service providers from liability for providing others with means to take action against material – identified in § 230(c)(2)(A) – "that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected."
In this case, that provider was Malwarebytes, which made the filtering technology that flagged Enigma software for users to then choose to remove or not. The (c)(2)(B) portion of the CDA is tied to the (c)(2)(A) section of the law that the Trump administration has threatened to gut over Twitter's decision to flag presidential tweets for policy violations. Though related, the two sections are not the same.
The Trump administration has it out for § 230(c)(2)(A), which applies to those who actually restrict content (e.g. Twitter), and § 230(c)(2)(B) applies to those like Malwarebytes who provide the technical means (e.g filters) by which content restrictions are carried out.
A crucial difference between the two sections is that those taking action under section A are required to act in good faith while those providing the tools to take action are not subject to that requirement. Malwarebytes insists the law allows the company to take action against whatever it finds "objectionable," which in this case was Engima's software, without being sued for doing so. And the district court agreed.
But the Ninth Circuit Court of Appeals, in a 2-to-1 ruling, overturned that decision last September, asserting that the CDA is not limitless.
So last week, the fourteen security experts, ESET, the Internet Association, and TechFreedom added their voices to other organizations like the Electronic Frontier Foundation to urge the Supreme Court to accept the case for review. The security experts' brief [PDF] notes that competing anti-threat software can itself be a genuine threat if it contains bugs (e.g. Symantec's Norton Antivirus in 2016) or if it's actually malware claiming to be legitimate.
Dixons hits back at McAfee's £30m antivirus sueball: Your AV didn't work on Windows 10SMORE LIKE THIS
The security experts, mostly law and technology professors, argue that the Ninth Circuit decision "permits spurious legal claims based on mere allegations of 'anticompetitive animus' by vendors whose products have been identified as threats," thereby discouraging security vendors from aggressively identifying threats.
ESET's argument [PDF] is similar, noting it is submitting a brief in support of a direct competitor because defending Section 230 protections are so important.
"If the Ninth Circuit’s opinion stands, anyone can manufacture a facially valid claim against a security software company simply by combining cyber security features with objectionable features," ESET's filing this month stated.
And the ESET brief echoes a point made by the security experts about the prevalence of malware that claims to be security software. "In a recent analysis of 250 purported antivirus apps in the Google Play store, for instance, less than a third of the apps were even functional; the rest were at best ineffective and at worst harmful," it stated.
If the Ninth Circuit decision is allowed to stand, it's claimed, there will be more litigation – by companies that don't like being blocked or filtered – and less innovation – as makers of security software, internet filters, or spam stoppers avoid making legally risky editorial decisions or providing tools that affect third-party content. ®