Malwarebytes may not be allowed to label rival's app as 'potentially unwanted'

Legal prof warns: 'This case is like a wrecking ball for internet law'


The US Ninth Circuit Court of Appeals last week ruled that Enigma Software Group can pursue its long-standing complaint against rival security firm Malwarebytes for classifying its software as "potentially unwanted programs" or PUPs.

Florida-based Enigma has been trying to hold Malwarebytes accountable for blocking its programs since 2017 when the firm initially sued Malwarebytes for tortious interference, violation of New York business law, and false advertising under the Lanham Act.

This suit was filed in response to antivirus maker Malwarebytes labeling Enigma's anti-spyware tool a PUP – soft, supposedly legally safe industry jargon for malware or almost-malware. That labeling caused Malwarebytes' software to automatically quarantine and remove Enigma's SpyHunter from PCs. Enigma objected to the classification.

A district court judge hearing the complaint in California dismissed the claim, citing the 2009 Zango v. Kaspersky decision, which affirmed that security firms have some latitude to classify software as harmful. The judge dismissed the case on Section 230(c)(2)(B) grounds, which exempts interactive service providers from liability for content moderation decisions.

But Enigma appealed and the Ninth Circuit in 2019 reversed the district court's decision, creating in the process an anticompetitive animus exception to Section 230 of the Communications Decency Act that generally shields online service providers.

That appellate ruling meant that Malwarebytes may be liable for characterizing Enigma's software as PUPs if it's deemed to be a competitor – a decision that has the potential to discourage security companies from characterizing software as harmful.

Fight back

Malwarebytes, supported by advocacy groups and other security outfits, asked the Supreme Court to review the case but was denied in 2020.

In 2021, the California district court, having been told by the Ninth Circuit to reconsider Enigma's lawsuit, again dismissed the complaint. So far, Malwarebytes has been generally winning, and Enigma losing.

At the time, Malwarebytes' outside counsel, Moez Kaba of Hueston Hennigan, celebrated the judgment by noting the district court’s ruling "validates the right of cybersecurity firms to identify potentially unwanted programs and recognizes the rights of users to choose whether or not to enable those programs on their devices."

But Malwarebytes' victory lap was premature. Enigma appealed again, and the Ninth Circuit last week revived the case [PDF], except for Enigma's claim of tortious interference with contractual relations. The case now heads back to the district court, subject to the appeals court's direction that New York law also needs to be considered alongside the false advertising claim.

"In the context of this case, we conclude that when a company in the computer security business describes a competitor’s software as 'malicious' and a 'threat' to a customer’s computer, that is more a statement of objective fact than a non-actionable opinion," the appeals court decision reads. "It is potentially actionable under the Lanham Act provided Enigma plausibly alleges the other elements of a false advertising claim."

Enigma in a statement cited the appeals court's rejection of a First Amendment free speech defense: "Enigma has alleged that Malwarebytes disparaged Enigma's products for commercial advantage by making misleading statements of fact. If those allegations are true, and at this stage we must presume that they are, trying to wrap them in a First Amendment flag does not make them any less offensive or any less actionable."

Eric Goldman, professor at Santa Clara University School of Law, told The Register in an email, "This case is like a wrecking ball for internet law."

"The Ninth Circuit already damaged Section 230 by creating an exception to its coverage (for 'anticompetitive animus') that no one understands and has not benefited anyone. Then, when the Supreme Court denied the appeal, Justice Thomas wrote a gratuitous error-riddled statement about Section 230 that spurred many regulators to pursue their censorship agendas. Now, the Ninth Circuit has redefined the standards for what constitutes a statement of 'fact' as opposed to an opinion in a way that hurts businesses in the anti-threat software space and well beyond."

Goldman said the majority's decision to treat the terms "malicious" and "threats" as simple true or false classifications doesn't fit with the way the security industry actually works. And by doing so, he argues, the court has made disputes about classifications more likely and has raised the costs and risks of making such classifications.

"If each classification could similarly support weaponization in court by businesses unhappy with the classifications, then anti-threat software vendors will avoid the financial and legal risks by lowering their cybersecurity standards or exiting the industry," said Goldman. "That puts all of us at greater risk."

In his dissent from the majority, Ninth Circuit Judge Patrick Bumatay took a similar position: "By treating these terms as actionable statements of fact under the Lanham Act, our court sends a chilling message to cybersecurity companies – civil liability may now attach if a court later disagrees with your classification of a program as 'malware.'"

Goldman said he believes the case is a good candidate for an en banc review by the Ninth Circuit, which involves all of the judges instead of just three of them.

Malwarebytes did not immediately respond to a request for comment. ®