Terrible Ninth Circuit 230(c)(2) Ruling Will Make the Internet More Dangerous–Enigma v. Malwarebytes

This ruling caused this PUP to have a bad day. Photo by Anik Shrestha

The Ninth Circuit has issued a Section 230(c)(2) opinion that creates significant problems for anti-spyware/spam/virus vendors (I’ll call them “anti-threat vendors”). The ruling will paralyze their decision-making, expose them to greater legal threats, and reduce their ability to protect consumers from unwanted software. This ruling makes the Internet less safe. I hope the Ninth Circuit will fix it via further proceedings.

Background

Section 230 protects online services from liability for third-party content in two primary ways. As a crude approximation, Section 230(c)(1) immunizes the decisions to leave up third-party content; Section 230(c)(2) provides a safe harbor for removing or blocking third-party content. Section 230(c)(2) further subdivides into two parts. (A) covers first-party removals; (B) covers anti-threat vendors who send blocking/filtering instructions to third parties (like users who have installed the vendor’s software, or servers that subscribe to third-party blocklists).

The vast majority of Section 230 caselaw involves 230(c)(1), which has become the foundation of the modern Internet. In contrast, Section 230(c)(2) gets a lot less attention, for several reasons. First, content removal generally produces less litigation than continued content publication. Second, liability for content removal often can be handled through a variety of risk management techniques, including contract provisions. Third, Section 230(c)(2)(A) has a “good faith” requirement that is riskier and more expensive to litigate than Section 230(c)(1), which has no parallel scienter requirement. As a result, online services sued for terminating user accounts have successfully adopted a 230(c)(1) defense in situations where the statute seemingly contemplated 230(c)(2)(A) would apply.

Because of this, Section 230(c)(2) has largely receded in importance. However, Section 230(c)(2)(B) still provides foundational protection in one critical context: anti-threat software.

In 2009, the Ninth Circuit issued a groundbreaking Section 230(c)(2) ruling in Zango v. Kaspersky. I ranked that ruling as #6 on my list of top 10 Section 230 rulings of all time. The opinion didn’t do anything fancy; it just basically interpreted the statute as written to conclude that anti-threat vendors qualified for Section 230(c)(2)’s protection. Despite the straightforward statutory analysis, the ruling has had major and beneficial consequences. As I wrote in my article, “this ruling is the main reason why we rarely see lawsuits anymore against [anti-threat vendors] for their blocking or removal decisions.” Because of Zango’s importance, any change to its holding has potentially dramatic implications.

Section 230(c)(2) and Anticompetitive Animus

Writing for the majority, Judge Schroeder (a Carter appointment) frames the case as “whether § 230(c)(2) immunizes blocking and filtering decisions that are driven by anticompetitive animus.” The majority answers the question negatively: “if a provider’s basis for objecting to and seeking to block materials is because those materials benefit a competitor, the objection would not fall within any category listed in the statute and the immunity would not apply.” The majority explains:

users selecting a security software provider must trust that the provider will block material consistent with that user’s desires. Users would not reasonably anticipate providers blocking valuable online content in order to stifle competition. Immunizing anticompetitive blocking would, therefore, be contrary to another of the statute’s express policies: “removing disincentives for the utilization of blocking and filtering technologies”….interpreting the statute to give providers unbridled discretion to block online content would, as Judge Fisher warned, enable and potentially motivate internet-service providers to act for their own, and not the public, benefit”

The dissent thought the Zango precedent was dispositive: “Although the parties were not direct competitors, the plaintiff in Zango asserted similar anticompetition effects. The majority’s policy arguments are in conflict with our recognition in Zango that the broad language of the Act is consistent with “the Congressional goals for immunity” as expressed in the language of the statute.”

Still, at a high enough level of abstraction, the majority’s reasoning sounds sensible. If a plaintiff has credible evidence that the defendant has violated antitrust law, it should have legal recourse. Section 230(c)(2) should not stand in the way.

Nevertheless, the majority’s legal standard creates two obvious and significant problems. First, many spammers, virusmakers, and adware/spyware makers will claim–legitimately or not–to be direct or partial competitors with anti-threat vendors. In those situations, the threat purveyors will naturally claim that the blocking was motivated by anticompetitive animus. In fact, I would expect such anticompetitive animus claims to be routine for blocked entities, not an exception. Indeed, as the dissent noted, Zango claimed (not credibly) its adware was competitive with Kaspersky’s anti-threat software. For a similar phenomenon, recall how many vertical search engines mockably claimed they were Google’s competitors when Google downranked or delisted them. If a blocked or filtered threat purveyor can easily bypass Section 230(c)(2) merely by claiming they were blocked based on the anti-threat vendor’s alleged anticompetitive animus, then Section 230(c)(2)(B) doesn’t really protect anti-threat vendors.

Second, even when a software vendor actually directly competes with the anti-threat vendor, it might still be appropriate to block it. Unfortunately, the anti-threat software industry has too many sleazy players who are really in the scareware or adware business. When anti-threat vendors’ direct competitors are also threats to consumers, the court’s standards virtually ensure that Section 230(c)(2) won’t be available.

Thus, this case functionally overturns Zango v. Kaspersky. The Zango ruling gave a lot of comfort to anti-threat vendors that they could make their classification decisions without being sued for each one. This ruling restores the pre-Zango default, when anti-threat vendors feared a lawsuit with each of their classification decisions.

The demise of the Zango v. Kaspersky rule will have three pernicious consequences. First, anti-threat vendors will have to do more upfront homework to justify and document their blocking decisions in case they may be challenged in the future. That increases their costs and slows down their decision-making.

Second, to reduce the risk of litigation, anti-threat vendors will err on the side of not blocking (or will reverse their decision when threatened with a lawsuit). At the margins, anti-threat vendors will now green-light “potentially unwanted programs” (PUPs) that they would have historically blocked. Ironically, then, this ruling is pro-spam, pro-virus, and pro-spyware/adware. It makes consumers less safe because more sketchy programs will not be blocked when they should have. Worse, as anti-threat vendors do a poorer job of their core consumer protection function, consumers’ trust in the entire anti-threat industry will degrade even more.

Third, anti-threat vendors will be sued by blocked software vendors more often. Even if those lawsuits ultimately fail, they will increase the industry’s costs with little concomitant benefit. And in the end, we don’t want courts usurping the judgment of anti-threat vendors in deciding what is a threat or not. That’s an expensive, slow, and very unsatisfying way of making blocking decisions.

All of these consequences are maddeningly unnecessary because Malwarebytes is likely to win this case via other legal theories. It probably didn’t block Enigma solely out of anti-competitive animus, and its judgment about Enigma’s threat status is a constitutionally protected opinion. Like some of the other Ninth Circuit Section 230 debacles (like promissory estoppel and failure to warn), this opinion is likely to increase everyone’s litigation and judicial costs to reach defense wins. Anti-threat vendors have the editorial freedom to decide what programs to block, but they won’t have 230(c)(2)’s judicial fast lane.

But what if Malwarebytes did actually block Enigma solely out of anti-competitive animus? The majority treats Malwarebytes’ block as market-determinative, i.e., Malwarebytes’ block apparently freezes Enigma out of the market. But if Malwarebytes’ users aren’t happy with its blocking function, the users can uninstall Malwarebytes and adopt Enigma instead. This means consumers are empowered to override Malwarebytes’ decisions. If so, we don’t need Section 230(c)(2)(B) to police this corner of the marketplace.

Note: The tie-breaking vote was cast by a district judge sitting by designation, not by a Ninth Circuit-appointed judge. It’s troubling to see Ninth Circuit law being set by a visiting judge. This would be another good reason to consider granting en banc review.

Problematic Dicta With the Majority Opinion

The majority opinion reaches a bad result, but that’s not its only problem. I’ll highlight three unfortunate passages from the majority opinion:

What Does “Objectionable” Mean? 230(c)(2) has a catchall excuse for blocking of anything vendors consider “objectionable.” This catchall has vexed courts because it is broad and unbounded. The majority says the catchall could apply here: “Spam, malware and adware could fairly be placed close enough to harassing materials to at least be called ‘otherwise objectionable.'”

So far so good. Then, the majority adds: “We think that the catchall was more likely intended to encapsulate forms of unwanted online content that Congress could not identify in the 1990s.” Huh? I have no idea where the majority got this impression. More likely, Congress wanted a general-purpose catchall to avoid comprehensively enumerating all possible categories of objectionable material. Because the majority’s addition is unsupported and speculative dicta, I hope other courts will ignore it.

Blocking Based on Identity. The majority opinion says:

the criteria for blocking online material must be based on the characteristics of the online material, i.e. its content, and not on the identity of the entity that produced it.

Rebecca Tushnet calls this language “particularly destructive” of the safe harbor, for good reason. This passage can’t possibly be right. Read literally, this would prevent any reputation scores for spam filters, any effort to identify and block recidivists, even any IP address blocks. There are substantial operational efficiencies from making blocking and filtering decisions based on content source rather than doing individualized determinations for each and every content item. This passage jeopardizes all of those operational efficiencies. Plus, in some cases, the identity of the content publisher makes a huge difference. A beheading video posted by a terrorist organization is different when it’s posted by a human rights watchdog, even if the video is identical in both cases. So it’s essential for anti-threat vendors to consider content source and not just the four corners of content items. This passage needs to be fixed or ignored.

Limits on Discretion. It’s worth revisiting this quote from the majority opinion:

interpreting the statute to give providers unbridled discretion to block online content would, as Judge Fisher warned, enable and potentially motivate internet-service providers to act for their own, and not the public, benefit

WTH? Of course all for-profit companies act for their own benefit. That’s called capitalism. What’s remarkable about Section 230 is that it motivates Internet companies to undertake *socially valuable* content moderation work–despite the apparent financial disincentives to doing so.

As a result, language like this is extraordinarily pernicious, because it suggests that Section 230 is conditioned on defendants exercising their editorial discretion only for the “public benefit” rather than any other objectives. That’s nonsensical. Content moderation is a zero-sum game where someone gets what they want and someone else doesn’t, and the losers will always claim that the decision wasn’t in the “public” benefit. Furthermore, as Margaret Thatcher suggested, there is no monolithic “public” to prioritize. Instead, there are heterogeneous communities with diverse needs that often must balanced rather than pareto-optimize. This passage also needs to be fixed or ignored.

Section 230 and Lanham Act False Advertising Claims

The opinion had one good aspect. Section 230 expressly does not apply to intellectual property claims, including federal trademark claims. However, because the Lanham Act false advertising provisions occupy the same part of the US code as federal trademark law, some courts have held that Section 230 doesn’t apply to Lanham Act false advertising claims. The court correctly reaches the opposite conclusion:

the intellectual property exception contained in § 230(e)(2) encompasses claims pertaining to an established intellectual property right under federal law, like those inherent in a patent, copyright, or trademark. The exception does not apply to false advertising claims brought under § 1125(a) of the Lanham Act, unless the claim itself involves intellectual property.

Comments from the Litigants

Comments from Terry Budd, Enigma’s counsel:

In its Opinion in the Enigma Software vs Malwarebytes case the 9th Circuit (Justice Schroeder) held that Section 230 is not limitless – and reasoned that to grant immunity for anticompetitive tortious conduct by a company against a competitor would violate the statutory purposes of Section 230 expressly articulated by Congress and violate the statute itself.  Stated another way, to allow a company to harm a competitor and consumers though anticompetitive, unfair trade practices which have been unlawful under well established American legal precedent for decades –  and then to allow that company to claim immunity under what was designed to be a Good Samaritan statute, is antithetical to the very core of the Good Samaritan Doctrine. The 9th Circuit is a very highly-respected and thoughtful Court – particularly so in the legal software/tech sector  – and we agree with the Court’s ultimate holdings.

Comments from Tyler Newby, Malwarebytes’ counsel:

We are disappointed by the majority’s ruling.  The company is evaluating its options for seeking further appellate review, and it is likely to petition for en banc review.

We think the majority opinion failed to recognized the distinction between 230(c)(2)(A), which applies to service providers that filter content in a way that may not be transparent to users, and 230(c)(2)(B), which applies to providers of filtering technology that users may choose to use or not to use based on their own preferences.  We agree with Judge Rawlinson’s dissent that the plain text of CDA Section 230(c)(2)(B) does not include the limitation on immunity read into it by the majority.  Nothing in the text of the statute or its stated purposes would limit immunity to filtering where the source of the filtered content was not considered.  Malwarebytes, like other security software providers, is a provider of  filtering tools to users who can choose to use its software or one of the many other options available to them, depending on whether they agree with how Malwarebytes filters PUPs.  Malwarebytes puts consumer choice first, and its Potentially Unwanted Program criteria are designed give users more control over their computers.

Finally, it is important to note that Malwarebytes does not compete with Enigma. The opinion’s description of the companies as direct competitors is not based on any evidentiary findings, but solely on Enigma’s allegations at the pleadings stage.

Other Coverage:

Rebecca Tushnet. She wrote: “Eric Goldman is gonna hate that.” Rebecca knows me really well!

Tim Cushing

Case citation: Enigma Software Group USA, LLC v. Malwarebytes, Inc., 2019 WL 4315152 (9th Cir. Sept. 12, 2019)