Malwarebytes may not be allowed to label rival's app as 'potentially unwanted'
Legal prof warns: 'This case is like a wrecking ball for internet law'
The US Ninth Circuit Court of Appeals last week ruled that Enigma Software Group can pursue its long standing complaint against rival security firm Malwarebytes for classifying its software as "potentially unwanted programs" or PUPs.
Florida-based Enigma has been trying to hold Malwarebytes accountable for blocking its programs since 2017 when the firm initially sued Malwarebytes for tortious interference, violation of New York business law, and false advertising under the Lanham Act.
This suit was filed in response to antivirus maker Malwarebytes labeling Enigma's anti-spyware tool a PUP – soft, supposedly legally safe industry jargon for malware or almost-malware. That labeling caused Malwarebytes' software to automatically quarantine and remove Enigma's Spyhunter from PCs. Enigma objected to the classification.
A district court judge hearing the complaint in California dismissed the claim, citing the 2009 Zango v. Kaspersky decision, which affirmed that security firms have some latitude to classify software as harmful. The judge dismissed the case on Section 230(c)(2)(B) grounds, which exempts interactive service providers from liability for content moderation decisions.
But Enigma appealed and the Ninth Circuit in 2019 reversed the district court's decision, creating in the process an anticompetitive animus exception to Section 230 of the Communications Decency Act that generally shields online service providers.
That appellate ruling meant that Malwarebytes may be liable for characterizing Enigma's software as PUPs if it's deemed to be a competitor – a decision that has the potential to discourage security companies from characterizing software as harmful.
Malwarebytes, supported by advocacy groups and other security outfits, asked the Supreme Court to review the case but was denied in 2020.
In 2021, the California district court, having been told by the Ninth Circuit to reconsider Enigma's lawsuit, again dismissed the complaint. So far, Malwarebytes has been generally winning, and Enigma losing.
When a company in the computer security business describes a competitor’s software as 'malicious' and a 'threat' to a customer’s computer, that is more a statement of objective fact than a non-actionable opinion
At the time, Malwarebytes' outside counsel, Moez Kaba of Hueston Hennigan, celebrated the judgment by noting the district court’s ruling "validates the right of cybersecurity firms to identify potentially unwanted programs and recognizes the rights of users to choose whether or not to enable those programs on their devices."
But Malwarebytes' victory lap was premature. Enigma appealed again, and the Ninth Circuit last week revived the case [PDF], except for Enigma's claim of tortious interference with contractual relations. The case now heads back to the district court, subject to the appeals court's direction that New York law also needs to be considered alongside the false advertising claim.
"In the context of this case, we conclude that when a company in the computer security business describes a competitor’s software as 'malicious' and a 'threat' to a customer’s computer, that is more a statement of objective fact than a non-actionable opinion," the appeals court decision reads. "It is potentially actionable under the Lanham Act provided Enigma plausibly alleges the other elements of a false advertising claim."
Enigma in a statement cited the appeals court's rejection of a First Amendment free speech defense: "Enigma has alleged that Malwarebytes disparaged Enigma's products for commercial advantage by making misleading statements of fact. If those allegations are true, and at this state we must presume that they are, trying to wrap them in a First Amendment flag does not make them any less offensive or any less actionable."
- Microsoft takes PUPs behind the shed with gun in hand
- Let adware be treated as malware
- Avira turns tables to launch lawsuit against ‘crapware’ slinger
- ESET rushes to defend rival Malwarebytes in legal war over 'unwanted program' labeling
Eric Goldman, professor at Santa Clara University School of Law, told The Register in an email, "This case is like a wrecking ball for internet law."
"The Ninth Circuit already damaged Section 230 by creating an exception to its coverage (for 'anticompetitive animus') that no one understands and has not benefited anyone. Then, when the Supreme Court denied the appeal, Justice Thomas wrote a gratuitous error-riddled statement about Section 230 that spurred many regulators to pursue their censorship agendas. Now, the Ninth Circuit has redefined the standards for what constitutes a statement of 'fact' as opposed to an opinion in a way that hurts businesses in the anti-threat software space and well beyond."
The Ninth Circuit has redefined the standards for what constitutes a statement of 'fact'
Goldman said the majority's decision to treat the terms "malicious" and "threats" as simple true or false classifications doesn't fit with the way the security industry actually works. And by doing so, he argues, the court has made disputes about classifications more likely and has raised the costs and risks of making such classifications.
"If each classification could similarly support weaponization in court by businesses unhappy with the classifications, then anti-threat software vendors will avoid the financial and legal risks by lowering their cybersecurity standards or exiting the industry," said Goldman. "That puts all of us at greater risk."
In his dissent from the majority, Ninth Circuit Judge Patrick Bumatay took a similar position: "By treating these terms as actionable statements of fact under the Lanham Act, our court sends a chilling message to cybersecurity companies – civil liability may now attach if a court later disagrees with your classification of a program as 'malware.'"
Goldman said he believes the case is a good candidate for an en banc review by the Ninth Circuit, which involves all of the judges instead of just three of them.
Malwarebytes did not immediately respond to a request for comment. ®