Section 230 Protects Classifying Non-Competitive Software as a Threat–Asurvio v. Malwarebytes


Section 230(c)(2)(B) says that filtering software makers aren’t liable for their classification decisions. This proposition provides the legal foundation for the anti-threat software industry. However, those expectations were disrupted by the Ninth Circuit’s 2019 ruling in Enigma v. Malwarebytes, which held that Section 230(c)(2)(B) didn’t apply when a plaintiff alleges that the filtering decision was motivated by anticompetitive animus. This amicus brief explains why the Ninth Circuit’s ruling is bad for cybersecurity.

Today I’m blogging about what I believe is the first ruling applying Enigma to anti-threat software since the Ninth Circuit ruling. The defendant is the same (Malwarebytes); but this time the plaintiff is Asurvio, which used to be “PC Driver.” I blogged a prior ruling in this case last year. The district court judge shuts down the Section 230(c)(2)(B) workaround.

Section 230(c)(2)(B). In response to Malwarebytes’ motion to dismiss, the court says Asurvio doesn’t compete with Malwarebytes:

[Asurvio] is not a computer security software provider; it does not sell malware detection software designed to scan a computer and report PUPs. Rather, Asurvio sells driver update software. Asurvio’s software programs “work in real time in the background of the operating system to optimize processing and locate and install all missing and outdated software drivers.” Asurvio does not allege that its DRIVER SUPPORT or ACTIVE OPTIMIZATION programs provide any anti-spyware or anti-malware functionality as Malwarebytes does

Asurvio claimed it also provided anti-malware services. The court discounts these services because they are provided only via live technical support, not as a primary service. Asurvio also argued that both parties competed to help users improve their computers’ performance. The court rejects this too: “If the Court were to accept Asurvio’s argument, then any developer of performance optimizing software designed for ‘self-help’ computer users could potentially plead around the broad immunity granted by section 230(c)(2)(B) and render the statutory immunity meaningless.”

Section 230(c)(1). Asurvio complained about critical third-party messages in Malwarebytes’ message boards. The court says that the complaint doesn’t connect the third parties to Malwarebytes, despite the users’ titles as “trusted advisor” and “expert.” Compare the Enigma v. Bleeping Computer opinion from 2016.

Others. The disparagement/Lanham Act claims fail because Malwarebytes’ classifications are not capable of being proven false. The tortious interference claim fails because Asurvio didn’t specify which contract was being interfered with.


The Enigma ruling sent shockwaves through the anti-threat vendor community because it disrupted a decade of settled legal doctrine. Though it’s logical to fear “anticompetitive” blocking, in reality we know it’s easy to allege anticompetitive blocking and quite hard to prove. So the Enigma ruling created the risk that many previously easy cases would become expensive and time-consuming, even if they were eventually unmeritorious.

This ruling partially assuages those fears. On a motion to dismiss, the court circumscribed the universe of competitors and rejected tendentious attempts to portray non-competitors as competitors. Both of these conclusions bode well for future Section 230(c)(2)(B) defenses. Still, this ruling doesn’t change the fact that many existing anti-threat software vendors are in fact sketchy and deserve to be filtered; yet anti-threat vendors will be skittish about calling out their sketchy competitors. This case also contributes towards building a new jurisprudence of competition internal to Section 230(c)(2)(B), an unwanted development given that we have an entire body of law (antitrust law) dedicated to that purpose.

Case citation: Asurvio LP v. Malwarebytes Inc., 2020 WL 1478345 (N.D. Cal. March 26, 2020)