Cybersecurity Experts Support Supreme Court Review of Enigma v. Malwarebytes Ruling on Section 230(c)(2)(B)
On Friday, 14 cybersecurity experts filed an amicus brief with the U.S. Supreme Court, supporting Malwarebytes’ certiorari petition to review the Ninth Circuit’s 2019 Enigma v. Malwarebytes ruling regarding 47 U.S.C. 230(c)(2)(B)’s application to spyware classification decisions. The Juelsgaard Intellectual Property and Innovation Clinic prepared the brief; the work was done by two Stanford Law students supervised by Phil Malone, and I supported each draft iteration of the brief.
The SCOTUS cybersecurity experts’ brief built on the amicus brief that Venkat and I prepared to support Malwarebytes’ unsuccessful en banc petition to the Ninth Circuit. The new brief expands the prior arguments and has more signatories.
From the brief’s argument summary:
This case involves a narrow legal issue with broad and exceptionally important implications for cybersecurity. The Ninth Circuit’s ruling will expose Internet users to an array of threats that can compromise their systems and data, corrupt or extract their files, bog down their computers or smartphones, and weaponize their devices against other Internet users.
The decision below erodes the legal immunity provided by Section 230(c)(2)(B), which allows companies to develop robust anti-threat software to protect Internet users. In place of that immunity, the decision creates an opening for expensive and prolonged litigation. To avoid costly litigation and reduce business risk, anti-threat software vendors will opt to become overly conservative in identifying and blocking potential threats. This will leave tens of thousands of government entities, tens of millions of businesses, and hundreds of millions of Internet users more vulnerable to hazardous software.
Malwarebytes’ Petition. Malwarebytes described the question presented (emphasis added):
Section 230(c)(2)(B) of the Communications Decency Act provides immunity from most civil liability to computer-service providers for “any action taken to enable or make available to * * * others the technical means to restrict access to material” that “the provider or user considers to be * * * objectionable.” 47 U.S.C. § 230(c)(2). The court below agreed that none of the narrow, express exceptions to that immunity in Section 230(e) apply here. The question presented is:
Whether federal courts can derive an implied exception to Section 230(c)(2)(B) immunity for blocking or filtering decisions when they are alleged to be “driven by anticompetitive animus.”
This is an appropriately narrow question presented, and it does not implicate other parts of Section 230. If the Supreme Court takes the case, let’s hope it stays that way.
Other Filings. A total of five amicus briefs, including the cybersecurity experts’ brief, supported the certiorari petition. The same players had supported Malwarebytes’ Ninth Circuit en banc petition, except for a new entry from TechFreedom.
EFF Amicus Brief. The brief discusses how the Ninth Circuit’s ruling threatens the EFF’s Privacy Badger tool and undermines the fight against stalkerware.
ESET Amicus Brief. From the argument summary:
ESET takes the unusual step of submitting an amicus brief in support of one of its direct competitors to stress the importance of this issue. Americans are becoming increasingly reliant on the internet and interactive media for political, educational, cultural, and entertainment services. 47 U.S.C. § 230(a)(5). Yet security threats are flourishing, with hundreds of thousands of new forms of objectionable content every day. Congress determined that consumer choice and robust competition are the best way to safeguard consumers, but the Ninth Circuit’s decision frustrates both choice and competition.
Internet Association Amicus Brief.
Congress had good reason to omit a good faith requirement from subsection (c)(2)(B). As discussed above, subsection (A) protects direct blocking or filtering by online service providers—situations where providers act unilaterally to protect themselves or their users from objectionable material. In contrast, subsection (B) only applies where service providers put blocking tools in the hands of users, who must independently and affirmatively decide to use those tools. Here, blocking does not occur unilaterally; it instead requires cooperation between a service provider and a third party….
Congress logically concluded it was unnecessary to include a good faith requirement or to allow Section 230’s protection to turn on disputes about a service provider’s motives. Here, the user’s independent choice operates as a check on the provider’s decisions about what material should be filtered or blocked.
TechFreedom Amicus Brief. From the argument summary:
Subsection 230(c)(2)(B) contains a simple command: “No provider or user of an interactive computer service shall be held liable [for] any action taken to enable or make available . . . the technical means to restrict access to [objectionable] material.” That’s it. But when the Ninth Circuit interpreted this statute, it saw something different. Speculating that a strict textual interpretation would lead to a result that “appear[ed] contrary to [the statute’s] history and purpose,” the court divined words invisible to the human eye: an exception for conduct allegedly motivated by “anticompetitive animus.” That exception is nowhere to be found in the statute that Congress enacted.
Case library
- Malwarebytes’ petition for certiorari. Amicus briefs from Cybersecurity Experts, EFF, ESET, Internet Association, and TechFreedom.
- The SCOTUS page for Malwarebytes v. Enigma.
- Blog post on Asurvio v. Malwarebytes, an application of the Ninth Circuit’s ruling.
- Ninth Circuit’s amended ruling. Blog post on that ruling.
- Malwarebytes’ petition for rehearing. Supporting amicus briefs from cybersecurity law professors, EFF/CAUCE, ESET, and Internet Association. Blog post on the filings.
- Ninth Circuit ruling. Blog post on that ruling.
- District court opinion. Blog post on that ruling.
- Related decision in Enigma Software v. Bleeping Computer. Blog post on that ruling.