The 9th Circuit Keeps Trying to Ruin Cybersecurity–Enigma v. Malwarebytes

This case involves two anti-threat software vendors, Enigma and Malwarebytes. In 2016, Malwarebytes classified Enigma’s software as “malicious,” a “threat,” and a “potentially unwanted program” (or PUP), because the programs allegedly were “scareware.”

Enigma challenged Malwarebytes’ classifications in court. Initially, Malwarebytes defended on Section 230(c)(2)(B). The Ninth Circuit rejected that defense, in the process creating a new and totally unhelpful common law exception to Section 230 for “anti-competitive animus.”

Malwarebytes appealed the 9th Circuit’s ruling, first to the 9th Circuit en banc, and then to the US Supreme Court. (I helped file an amicus brief supporting cert). Along with the cert denial, Justice Thomas issued a statement, “without the benefit of briefing,” explaining his eagerness to eviscerate Section 230. Interestingly, the Gonzalez and Taamneh decisions showed how briefing does actually benefit the justices.

This case already wrecked Section 230 twice, but it seemed ultimately inconsequential when the district court dismissed it on remand. And then…the Ninth Circuit got the case again…

The Majority Opinion

After the Supreme Court cert denial, the district court ruled that Malwarebytes’ “malicious” and “threat” classifications were “non-actionable statements of opinion” and thus could not support a Lanham Act false advertising claim. On appeal, the majority responds:

its products either contain malicious files and threaten the security of users’ computers, or they do not. These statements are not the type of general, subjective claims typically deemed non-actionable opinions

Threats lie on a spectrum. It’s not binary at all.

The majority continues:

Malwarebytes’s anti-malware program specifically labeled Enigma’s software as “malicious” and a “threat,” which a reasonable person would plausibly interpret as the identification of malware.

The majority did not provide any citations for “a reasonable person’s” beliefs. How does the majority know this to be true?

If “malicious” and “threat” are objective statements of fact, what exactly do they mean? The majority makes a slippery and dubious rhetorical move to define “malware” instead, citing the OED:

Malware, in its ordinary meaning, refers to software “written with the intent of being disruptive or damaging to (the user of) a computer or other electronic device; viruses, worms, spyware, etc., collectively.”

OK, but Malwarebytes didn’t classify Enigma’s software as “malware,” so why is this relevant? The majority explains that Malwarebytes’ “threat scan” referred to “malware,” but is Enigma suing over the threat scan, the classifications, or whatever scrap of public disclosures it can find? In other words, the majority didn’t have to make this rhetorical shift to debating “malware,” and it did so only to reach its desired result.

Also, the definition of “malware” itself includes vague terms, like “disruptive” and “damaging”–and an “etc.” Both lay people and cybersecurity experts could fiercely debate when a software program qualifies as “malware,” yet the court treats it as an easy binary yes/no classification.

Digging deeper, the majority says the dictionary definition of “malware” “necessarily implies that someone created software with the intent to gain unauthorized access to a computer for some nefarious purpose.” NOT HELPFUL. What constitutes “unauthorized access” is itself a jurisprudential morass (see, e.g., every CFAA ruling since Van Buren), and it’s not credible to use any definition with the phrase “some nefarious purpose.”

The majority summarizes this discussion: “judges are not experts in the cybersecurity field. We should not presume that we are.” That’s true, yet the majority made confident, decisive, and empirical conclusions about “malicious,” “threats,” and “malware” that the cybersecurity community would vigorously debate.

In another surprise, the majority revives the tortious interference claim because allegedly “Malwarebytes induced Enigma’s customers to choose either not to install, or to delete, Enigma’s programs from their computers without any legitimate justification.”

The Dissent

The dissent says: “this should have been an easy affirm.” 🎯 The dissent rejects the majority’s characterization that threat determinations are binary:

A software program isn’t verifiably a “threat” or not. And a website isn’t measurably “malicious” or not. In the cybersecurity context, these terms refer to a spectrum of digital features with no verifiable line to cross to determine when they apply…

nowhere does Enigma offer an objective, measurable definition of the warnings…

Enigma’s identification of multiple meanings for “threats” by itself shows that the term represents an opinion rather than a fact.

Implications

This case is approaching its 7 year anniversary, yet it is still only at the motion to dismiss stage. The lawsuit’s lengthy duration and high defense cost has significant substantive implications. In the face of those costs and resources, any profit-maximizing vendor will act conservatively when making classifications that could launch a multi-year litigation war; i.e., if in doubt, approve the software–especially if the software can claim to be a competitor, pretextually or not–even if it’s actually a trojan like scareware. These skewed economic incentives give more room for malicious or threatening software to bypass our anti-threat protections. That undermines cybersecurity for all of us.

The deleterious consequences for cybersecurity highlight the tragedy of the 9th Circuit’s prior error on Section 230(c)(2)(B). Congress statutorily told the courts that anti-threat vendors can make classifications without worrying about lengthy court battles. Everyone benefits from predictable safe harbors and immunities that resolve meritless cases early. The 9th Circuit keeps misunderstanding that basic point:

What’s next for this case? I assume Malwarebytes will request a rehearing en banc. A rehearing would be appropriate because the deciding vote was cast by a visiting judge, not a regular 9th Circuit judge. Also, the dissent made excellent points. Whether the 9th Circuit hears it en banc or not, I assume this case will again head to the Supreme Court. It could be years more until a final resolution.

If the case goes back in the district court for a third time, I expect the district court will dismiss it again. In particular, the court hasn’t ruled on whether a threat classification constitutes the kind of commercial speech that the Lanham Act governs. Based on the fundamental illogic of its litigation position, I see no way for Enigma to win here. At least, for the sake of cybersecurity, I hope not.

Case citation: Enigma Software Group USA, LLC v. Malwarebytes, Inc., 2023 WL 3769331 (9th Cir. June 2, 2023)

Enigma v. Malwarebytes Case Library

• Ninth Circuit reversal. Blog post.
• District Court dismissal on remand. Blog post.
• Denial of certiorari, including Justice Thomas’ statement. Blog post.
• Malwarebytes’ petition for certiorari. Amicus briefs from Cybersecurity Experts, EFF, ESET, Internet Association, and TechFreedom. Blog post on amicus briefs.
• The SCOTUS page for Malwarebytes v. Enigma.
• Blog post on Asurvio v. Malwarebytes, an application of the Ninth Circuit’s ruling.
• Ninth Circuit’s amended ruling. Blog post on that ruling.
• Malwarebytes’ petition for rehearing. Supporting amicus briefs from cybersecurity law professors, EFF/CAUCE, ESET, and Internet Association. Blog post on the filings.
• Ninth Circuit ruling. Blog post on that ruling.
• District court opinion. Blog post on that ruling.
• Related decision in Enigma Software v. Bleeping Computer. Blog post on that ruling.