photo by Anik Shrestha, https://www.flickr.com/photos/anikshrestha/

Malwarebytes and Enigma offer competitive anti-threat software. Malwarebytes classified Enigma’s software as a “potentially unwanted program,” or PUP, and quarantined the programs. Enigma sued Malwarebytes for that classification/quarantine.

Initially, the district court dismissed the case on Section 230(c)(2)(B) grounds. In a terrible ruling, the Ninth Circuit reversed on the misguided theory that Malwarebytes and Enigma are competitors and thus Malwarebytes may have made its classification decisions based on “anticompetitive animus.” On remand, after 2 more years of litigation, the district court has again dismissed the lawsuit, this time on its lack of merits.

Lanham Act False Advertising. Enigma claimed it was false for Malwarebytes to call its programs “malicious,” “threats,” and PUPs. In Asurvio v. Malwarebytes, the court held that such labels were subjective opinions, not verifiably false. The court says this case is “indistinguishable” from Asurvio. The court says “users of Malwarebytes are aware of why it opines that a given software program may be a PUP based on Malwarebytes’ disclosed criteria and can choose to quarantine or un-quarantine the detected program….Enigma’s allegations that Malwarebytes knew the labels used to describe Enigma’s programs were false are conclusory and need not be accepted as true.”

Tortious Interference. Malwarebytes gives users instructions on how to keep using PUPs, so no tortious interference.

Implications

On the surface, this looks like a decent outcome. The district court granted Malwarebytes’ motion to dismiss on the grounds that Malwarebytes’ classifications are its opinions, not falsifiable statements of fact. On that basis, it seems like Malwarebytes should be equally positioned to win all future disputes on the same basis. Further, the Asurvio case also relied on Section 230(c)(2)(B) despite the plaintiff’s allegation of anticompetitive animus. So long as Malwarebytes can win these kinds of classification challenges on motions to dismiss, it may not really matter how we get here.

(Of course, with a trip to the 9th Circuit and Supreme Court, this particular case has taken four years and many hundreds of thousands of extra dollars due to the Ninth Circuit craziness).

Despite this good outcome, this case has left two lingering scars on Internet law.

First, the Ninth Circuit created a new workaround to Section 230 based on anticompetitive animus. This workaround is completely undefined–is it coextensive with antitrust law, or does apply when competitors have anticompetitive “intent” even if their actions don’t constitute an antitrust violation? The Ninth Circuit dodged this critical issue. As a result, plaintiffs can freely invoke the anticompetitive animus workaround and impose greater defense costs to resolve this issue. This doctrinal ambiguity is particularly pernicious in the cybersecurity context, where the court created incentives for anti-threat vendors to reduce their vigilance against cybersecurity threats that can claim (legitimately or not) competitive status.

Worse, this appears to be at least the fifth time that the Ninth Circuit has created doctrinal workarounds to Section 230 that appear to benefit no one. Other cases that fit this pattern:

• Fair Housing Councils v. Roommates.com. Section 230 didn’t apply to housing discrimination claims, but the Ninth Circuit ruled four years later that the housing discrimination claims never applied at all.
• Barnes v. Yahoo. Promissory estoppel is a pleadaround to Section 230, but plaintiffs can’t win promissory estoppel cases.
• Doe v. Internet Brands. Failure-to-warn claims are a pleadaround to Section 230, but plaintiffs can’t win failure-to-warn claims.
• Lemmon v. Snap. The story is still being written about this ruling, but it seems like it will fit the pattern. The Ninth Circuit said that Section 230 doesn’t apply to design defect claims that aren’t based on third-party content, but we know that the plaintiff is likely to lose the case on its merits based on a nearly identical case that failed in Georgia courts.

Now, add Enigma v. Malwarebytes and its anticompetitive animus exception to this list. If threat classifications are opinions, then plaintiffs will always lose and the Ninth Circuit’s Section 230(c)(2)(B) workaround does nothing but mess up Section 230. Should we applaud the Ninth Circuit for so carefully policing the boundaries of Section 230’s immunities, or should we criticize them for unnecessarily swiss-cheesing Section 230?

Second, on appeal to the Supreme Court, Justice Thomas used the cert denial as an excuse to blog his misguided free-association thoughts about why he hates Section 230. This screed has perniciously inspired plaintiffs to position their Section 230 case for Supreme Court review and motivated #MAGA politicians to pursue ever-worse censorial regulatory ideas. The legacy of Justice Thomas’ blogging will live on long after the Enigma case is over.

Enigma hasn’t yet appealed the latest ruling, but I assume this case will take another trip to the Ninth Circuit.

Case Citation: Enigma Software Group USA, LLC v. Malwarebytes Inc,, 2021 WL 3493764 (N.D. Cal. Aug. 9, 2021)

Enigma v. Malwarebytes Case Library

• District Court dismissal on the merits. Blog post.
• Denial of certiorari, including Justice Thomas’ statement. Blog post.
• Malwarebytes’ petition for certiorari. Amicus briefs from Cybersecurity Experts, EFF, ESET, Internet Association, and TechFreedom. Blog post on amicus briefs.
• The SCOTUS page for Malwarebytes v. Enigma.
• Blog post on Asurvio v. Malwarebytes, an application of the Ninth Circuit’s ruling.
• Ninth Circuit’s amended ruling. Blog post on that ruling.
• Malwarebytes’ petition for rehearing. Supporting amicus briefs from cybersecurity law professors, EFF/CAUCE, ESET, and Internet Association. Blog post on the filings.
• Ninth Circuit ruling. Blog post on that ruling.
• District court opinion. Blog post on that ruling.
• Related decision in Enigma Software v. Bleeping Computer. Blog post on that ruling.

The post As Expected, Malwarebytes Defeats Enigma’s Lawsuit Without Section 230’s Help appeared first on Technology & Marketing Law Blog.

Last year, the Ninth Circuit ruled that a plaintiff could plead around Section 230(c)(2)(B), the safe harbor for providing filtering instructions, by claiming that the filtering was motivated by anticompetitive animus. Last week, the Supreme Court denied certiorari. This isn’t surprising–the Supreme Court takes a low percentage of cases–but it’s too bad the Ninth Circuit ruling won’t be corrected.

Alongside the cert denial, Justice Thomas added a statement railing against Section 230 (starting on page 12). The statement is procedurally troubling and substantively wrong. Some lowlights in the statement:

• The statement repeatedly and casually flips between Section 230(c)(1) and Section 230(c)(2).
• The statement focuses on Section 230(c)(1), even though the question presented to the court solely addressed Section 230(c)(2)(B). Because the court wasn’t briefed on most of the issues Justice Thomas nevertheless discusses, it makes me wonder where Justice Thomas got his information. What news sources is he reading?
• Because the court wasn’t briefed on Section 230(c)(1), he does not acknowledge the many legal, factual, and policy counterarguments to his positions that surely would have been addressed by proper briefing. In other words, without hearing contrary perspectives, his statement is one-sided and under-informed (more on this later).
•  The statement says: “many courts have construed the law broadly to confer sweeping immunity on some of the largest companies in the world.” The Internet giants benefit from Section 230, but so do thousands of less-well-known companies–including the defendant in this case.
• The statement says the Ninth Circuit decision “is one of the few where courts have relied on purpose and policy to deny immunity under §230.” Note the tension in this statement. Hundreds of decisions have denied Section 230 immunity because they relied on the statutory text. Is Justice Thomas saying they should have relied instead on the statute’s “policy and purpose”?
• The statement calls Section 230(c)(1) “definitional.” This is an atextual and highly idiosyncratic way of characterizing the statute. Nearly two decades ago, Easterbrook took a similar position in Doe v. GTE. Virtually every other judge since has not agreed.
• The statement says Section 230(c)(1) “ensures that a company (like an e-mail provider) can host and transmit third-party content without subjecting itself to the liability that sometimes attaches to the publisher or speaker of unlawful content.” It’s a strange move to use email service providers as the Section 230(c)(1) archetype. Email providers rely on Section 230(c)(2)(A) for their spam filters, but it’s rare to see email providers invoke Section 230(c)(1) because they don’t “host” content.
• The statement says Section 230(c)(2) “provides direct immunity from some civil liability.” This is backwards. Section 230(c)(1) provides an immunity from suit; Section 230(c)(2) provides a safe harbor.
• The statement says Section 230(c)(2)’s “limited protection enables companies to create community guidelines and remove harmful content without worrying about legal reprisal.” A few problems here. First, Section 230(c)(1) also necessarily permits “community guidelines” in the form of leave-up policies. Second, Section 230(c)(2)(A) does not let companies stop “worrying about legal reprisal.” They worry about the costs of defense due to the “good faith” prerequisite, which is why so few companies rely on it. Third, this case was about Section 230(c)(2)(B), which relates to the provision of filtering instructions to third parties.
• The statement says historically “Publishers or speakers….could be strictly liable for transmitting illegal content.” This is garbled because “publishers” don’t “transmit” (they, uh, “publish”). Publishers can be strictly liable for publishing content, and “transmitting” content is governed by different legal rules that typically negate strict liability.
• The statement says that historically distributors “acted as a mere conduit without exercising editorial control, and they often transmitted far more content than they could be expected to review.” Once again the statement conflates different functions–this time falsely equating distributors with “conduits” and “transmitters.” To get an example of how this is wrong, consider the bookstore as a distributor. It unavoidably exercises editorial discretion about which books to stock and how to display them, but that doesn’t mean bookstores stand behind every word in every book they carry. But no one would properly call a bookstore a “conduit” or say that it “transmits” content.
• The statement says “§230(c)(1) indicates that an Internet provider does not become the publisher of a piece of third-party content—and thus subjected to strict liability—simply by hosting or distributing that content.” Section 230(c)(1) says plainly that services won’t be treated as publishers of third-party content. On its face, the provision negates all forms of publisher liability. I don’t see how to read the language as saying or implying that it negates only the category of liability uniquely imposed on publishers. Furthermore, publisher/speaker functions should include hosting and distributing, but the statutory text doesn’t imply that it’s limited to those functions. The language covers any function where a defendant is alleged to act as a publisher or speaker.
• The statement says “the statute suggests that if a company unknowingly leaves up illegal third-party content, it is protected from publisher liability by §230(c)(1); and if it takes down certain third-party content in good faith, it is protected by §230(c)(2)(A).” This misapprehends the nature of “publisher liability.” It is impossible to distinguish between the “leave up” and “removal” decisions because they are the result of the exact same editorial decision-making process of publishing.
• The statement says: “Sources sometimes use language that arguably blurs the distinction between publishers and distributors.” I think the statement contains some distinction-blurring language of its own.
• The statement notes inconsistent language between the CDA’s criminal provisions and Section 230, even though it has been repeatedly explained by many experts why the CDA criminal provisions and Section 230 had nothing to do with each other (they were alternative policy proposals smushed together in conference).
• The statement apparently questions if Congress’ goal was to overturn Stratton Oakmont because it didn’t mirror the language in the opinion. The legislative history clearly says “One of the specific purposes of this section is to overrule Stratton-Oakmont v. Prodigy and any other similar decisions which have treated such providers and users as publishers or speakers of content that is not their own because they have restricted access to objectionable material.”
• The statement says “Courts have also departed from the most natural reading of the text by giving Internet companies immunity for their own content” (emphasis added). This is literally false. No court has ever done this.
• The statement says “To say that editing a statement and adding commentary in this context does not ‘creat[e] or develo[p]’ the final product, even in part, is dubious.” It’s a crafty rhetorical move to refer to the “final product” instead of the actual statutory referent “information.” Doing this invites the conclusion that every UGC service loses Section 230 because they package third-party content into a “final product.”
• The statement argues that a broad reading of Section 230(c)(1) renders Section 230(c)(2) superfluous. Barnes v. Yahoo explained how Section 230(c)(2)(A) applies in circumstances where the defendant partially or wholly created or developed the content. The statement instead cites language from e-ventures v. Google. But (1) Google still won the e-ventures case, so its denigration of Section 230(c)(2)(A) became inconsequential, and (2) other courts have since criticized the e-ventures language, including Domen v. Vimeo and Prager University v. Google.
• The statement says “With no limits on an Internet company’s discretion to take down material, §230 now apparently protects companies who racially discriminate in removing content.” Characterizing the cited Sikhs for Justice ruling case as a racial discrimination case is simplistic at best. The case involved advocacy content that the Indian government required to be blocked. Still, it’s true Section 230(c)(1) can protect removals even when the plaintiff claims discrimination. You might even be OK with the application of Section 230(c)(1) in the cases I’m seeing, including Lewis v. Google, where the plaintiff claimed that YouTube discriminated against him for being an American; and the Wilson v Twitter cases, where the plaintiff claimed Twitter discriminated against him because he’s a Christian heterosexual.
• The statement criticizes Section 230’s application to claims involving “alleged product design flaws—that is, the defendant’s own misconduct.” But what are “product design” flaws in this context? That’s just a fancy euphemism for the editorial decisions about how to gather, organize, and publish third-party content.
• The statement says “Paring back the sweeping immunity courts have read into §230 would not necessarily render defendants liable for online misconduct. It simply would give plaintiffs a chance to raise their claims in the first place. Plaintiffs still must prove the merits of their cases, and some claims will undoubtedly fail.” This deeply misunderstands the issues in the Malwarebytes case. By “paring back” the Section 230(c)(2)(B) safe harbor, the new liability exposure distorts the filtering services’ substantive decisions by making them gun-shy; it gives plaintiffs ways to play holdup games and extract settlements for less than the defense costs; it ignores how defense costs can doom services (the death by ten thousand duckbites that Judge Kozinski addressed in the Roommates.com case); and it ignores the other critical procedural benefits provided by Section 230 that enable third-party online speech where other liability schemes would not. As I keep saying, everyone benefits when unmeritorious cases lose fast and early. Giving plaintiffs more time in court doesn’t come for free, and it might be a very bad deal for all of us.

The statement concludes: “Without the benefit of briefing on the merits, we need not decide today the correct interpretation of §230. But in an appropriate case, it behooves us to do so.” Just to be clear, Justice Thomas admits that he wrote the prior ten pages of criticism “without the benefit of briefing.” That undermines the credibility of the entire statement. Nevertheless, the statement tells all plaintiffs that if they appeal their Section 230 cases to the Supreme Court, they have at least one vote ready to go.

When we filed an amicus brief in support of Malwarebytes, one of our fears was that the Supreme Court would ignore the question presented (tightly restricted to Section 230(c)(2)(B)) and do damage to Section 230(c)(1) despite it being outside the scope of the question presented. Justice Thomas’ critical remarks about Section 230(c)(1) show that these fears were well-founded, and I’m a little relieved that the court didn’t take the case. That means Malwarebytes can still win this case on remand (a likely outcome; see the Asurvio ruling), albeit at the cost of unnecessary time and money, and Section 230 lives for another day.

This statement bears some resemblance to Justice Thomas’ statement in early 2019 that the Supreme Court should reconsider the actual malice standard from New York Times v. Sullivan. Like this statement, that statement was anti-media, pro-censorship, and quite unpersuasive. So far, the Supreme Court hasn’t taken up Justice Thomas’ initiative against the actual malice standard. I hope this statement suffers the same fate.

Even if the Supreme Court never takes up Justice Thomas’ arguments, this statement hurts the discourse. It represents yet another inaccurate federal government statement about Section 230 (others include the Trump EO from May and the NTIA petition to the FCC). Collectively, these taxpayer-funded misstatements pollute the discourse and create FUD about Section 230. We have to spend time debating what Section 230 even says, and Section 230 critics can misportray Section 230 to spur mistargeted responses. This makes it impossible to have well-informed “debates” about Section 230 or what, if any, reforms would fix any perceived policy deficiencies.

Case Citation: Malwarebytes, Inc. v. Enigma Software Group USA, LLC,  2020 WL 6037214 (Oct. 13, 2020)

Enigma v. Malwarebytes Case Library

• Denial of certiorari, including Justice Thomas’ statement.
• Malwarebytes’ petition for certiorari. Amicus briefs from Cybersecurity Experts, EFF, ESET, Internet Association, and TechFreedom. Blog post on amicus briefs.
• The SCOTUS page for Malwarebytes v. Enigma.
• Blog post on Asurvio v. Malwarebytes, an application of the Ninth Circuit’s ruling.
• Ninth Circuit’s amended ruling. Blog post on that ruling.
• Malwarebytes’ petition for rehearing. Supporting amicus briefs from cybersecurity law professors, EFF/CAUCE, ESET, and Internet Association. Blog post on the filings.
• Ninth Circuit ruling. Blog post on that ruling.
• District court opinion. Blog post on that ruling.
• Related decision in Enigma Software v. Bleeping Computer. Blog post on that ruling.

The post Justice Thomas Writes a Misguided Anti-Section 230 Statement “Without the Benefit of Briefing”–Enigma v. Malwarebytes appeared first on Technology & Marketing Law Blog.

photo by Anik Shrestha, https://www.flickr.com/photos/anikshrestha/

On Friday, 14 cybersecurity experts filed an amicus brief with the U.S. Supreme Court, supporting Malwarebytes’ certiorari petition to review the Ninth Circuit’s 2019 Enigma v. Malwarebytes ruling regarding 47 U.S.C. 230(c)(2)(B)’s application to spyware classification decisions. The Juelsgaard Intellectual Property and Innovation Clinic prepared the brief; the work was done by two Stanford Law students supervised by Phil Malone, and I supported each draft iteration of the brief.

The SCOTUS cybersecurity experts’ brief built on the amicus brief that Venkat and I prepared to support Malwarebytes’ unsuccessful en banc petition to the Ninth Circuit. The new brief expands the prior arguments and has more signatories.

From the brief’s argument summary:

This case involves a narrow legal issue with broad and exceptionally important implications for cybersecurity. The Ninth Circuit’s ruling will expose Internet users to an array of threats that can compromise their systems and data, corrupt or extract their files, bog down their computers or smartphones, and weaponize their devices against other Internet users.

The decision below erodes the legal immunity provided by Section 230(c)(2)(B), which allows companies to develop robust anti-threat software to protect Internet users. In place of that immunity, the decision creates an opening for expensive and prolonged litigation. To avoid costly litigation and reduce business risk, anti-threat software vendors will opt to become overly conservative in identifying and blocking potential threats. This will leave tens of thousands of government entities, tens of millions of businesses, and hundreds of millions of Internet users more vulnerable to hazardous software.

Malwarebytes’ Petition. Malwarebytes described the question presented (emphasis added):

Section 230(c)(2)(B) of the Communications Decency Act provides immunity from most civil liability to computer-service providers for “any action taken to enable or make available to * * * others the technical means to restrict access to material” that “the provider or user considers to be * * * objectionable.” 47 U.S.C. § 230(c)(2). The court below agreed that none of the narrow, express exceptions to that immunity in Section 230(e) apply here. The question presented is:

Whether federal courts can derive an implied exception to Section 230(c)(2)(B) immunity for blocking or filtering decisions when they are alleged to be “driven by anticompetitive animus.”

This is an appropriately narrow question presented, and it does not implicate other parts of Section 230. If the Supreme Court takes the case, let’s hope it stays that way.

Other Filings. A total of five amicus briefs, including the cybersecurity experts’ brief, supported the certiorari petition. The same players had supported Malwarebytes’ Ninth Circuit en banc petition, except for a new entry from TechFreedom.

EFF Amicus Brief. The brief discusses how the Ninth Circuit’s ruling threatens the EFF’s Privacy Badger tool and undermines the fight against stalkerware.

ESET Amicus Brief. From the argument summary:

ESET takes the unusual step of submitting an amicus brief in support of one of its direct competitors to stress the importance of this issue. Americans are becoming increasingly reliant on the internet and interactive media for political, educational, cultural, and entertainment services. 47 U.S.C. § 230(a)(5). Yet security threats are flourishing, with hundreds of thousands of new forms of objectionable content every day. Congress determined that consumer choice and robust competition are the best way to safeguard consumers, but the Ninth Circuit’s decision frustrates both choice and competition.

Internet Association Amicus Brief.

Congress had good reason to omit a good faith requirement from subsection (c)(2)(B). As discussed above, subsection (A) protects direct blocking or filtering by online service providers—situations where providers act unilaterally to protect themselves or their users from objectionable material. In contrast, subsection (B) only applies where service providers put blocking tools in the hands of users, who must independently and affirmatively decide to use those tools. Here, blocking does not occur unilaterally; it instead requires cooperation between a service provider and a third party….

Congress logically concluded it was unnecessary to include a good faith requirement or to allow Section 230’s protection to turn on disputes about a service provider’s motives. Here, the user’s independent choice operates as a check on the provider’s decisions about what material should be filtered or blocked.

TechFreedom Amicus Brief. From the argument summary:

Subsection 230(c)(2)(B) contains a simple command: “No provider or user of an interactive computer service shall be held liable [for] any action taken to enable or make available . . . the technical means to restrict access to [objectionable] material.” That’s it. But when the Ninth Circuit interpreted this statute, it saw something different. Speculating that a strict textual interpretation would lead to a result that “appear[ed] contrary to [the statute’s] history and purpose,” the court divined words invisible to the human eye: an exception for conduct allegedly motivated by “anticompetitive animus.” That exception is nowhere to be found in the statute that Congress enacted.

Case library

• Malwarebytes’ petition for certiorari. Amicus briefs from Cybersecurity Experts, EFF, ESET, Internet Association, and TechFreedom.
• The SCOTUS page for Malwarebytes v. Enigma.
• Blog post on Asurvio v. Malwarebytes, an application of the Ninth Circuit’s ruling.
• Ninth Circuit’s amended ruling. Blog post on that ruling.
• Malwarebytes’ petition for rehearing. Supporting amicus briefs from cybersecurity law professors, EFF/CAUCE, ESET, and Internet Association. Blog post on the filings.
• Ninth Circuit ruling. Blog post on that ruling.
• District court opinion. Blog post on that ruling.
• Related decision in Enigma Software v. Bleeping Computer. Blog post on that ruling.

The post Cybersecurity Experts Support Supreme Court Review of Enigma v. Malwarebytes Ruling on Section 230(c)(2)(B) appeared first on Technology & Marketing Law Blog.

photo by Anik Shrestha, https://www.flickr.com/photos/anikshrestha/

Section 230(c)(2)(B) says that filtering software makers aren’t liable for their classification decisions. This proposition provides the legal foundation for the anti-threat software industry. However, those expectations were disrupted by the Ninth Circuit’s 2019 in Enigma v. Malwarebytes, which held that Section 230(c)(2)(B) didn’t apply when a plaintiff alleges that the filtering decision was motivated by anticompetitive animus. This amicus brief explains why the 9th Circuit’s ruling is bad for cybersecurity.

Today I’m blogging about what I believe is the first ruling applying Enigma to anti-threat software since the Ninth Circuit ruling. The defendant is the same (Malwarebytes); but this time the plaintiff is Asurvio, which used to be “PC Driver.” I blogged a prior ruling in this case last year. The district court judge shuts down the Section 230(c)(2)(B) workaround.

Section 230(c)(2)(B). In response to Malwarebytes’ motion to dismiss, the court says Asurvio doesn’t compete with Malwarebytes:

[Asurvio] is not a computer security software provider; it does not sell malware detection software designed to scan a computer and report PUPs. Rather, Asurvio sells driver update software. Asurvio’s software programs “work in real time in the background of the operating system to optimize processing and locate and install all missing and outdated software drivers.” Asurvio does not allege that its DRIVER SUPPORT or ACTIVE OPTIMIZATION programs provide any anti-spyware or anti-malware functionality as Malwarebytes does

Asurvio claimed it also provided anti-malware services. The court discounts these services because they are provided only via live technical support, not as a primary service. Asurvio also argued that both parties competed to help users improve their computers’ performance. The court rejects this too: “If the Court were to accept Asurvio’s argument, then any developer of performance optimizing software designed for “self-help” computer users could potentially plead around the broad immunity granted by section 230(c)(2)(B) and render the statutory immunity meaningless.”

Section 230(c)(1). Asurvio complained about critical third-party messages in Malwarebytes’ message boards. The court says that the complaint doesn’t connect the third parties to Malwarebytes, despite the users’ titles as “trusted advisor” and “expert.” Compare the Enigma v. Bleeping Computer opinion from 2016.

Others. The disparagement/Lanham Act claims fail because Malwarebytes’ classifications are not capable of being proven false. The tortious interference claim fails because Asurvio didn’t specify which contract was being interfered with.

Implications

The Enigma ruling sent shockwaves through the anti-threat vendor community because it disrupted a decade of settled legal doctrine. Though it’s logical to fear “anticompetitive” blocking, in reality we know it’s easy to allege anticompetitive blocking and quite hard to prove. So the Enigma ruling created the risk that many previously easy cases would become expensive and time-consuming, even if they were eventually unmeritorious.

This ruling partially assuages those fears. On a motion to dismiss, the court circumscribed the universe of competitors and rejected tendentious attempts to portray non-competitors as competitors. Both of these conclusions bode well for future Section 230(c)(2)(B). Still, this ruling doesn’t change the fact that many existing anti-threat software vendors are in fact sketchy and deserve to be filtered; yet anti-threat vendors will be skittish about calling out their sketchy competitors. This case also contributes towards building a new jurisprudence of competition internal to Section 230(c)(2)(B), an unwanted development given that we have an entire body of law (antitrust law) dedicated to that purpose.

Case citation: Asurvio LP v. Malwarebytes Inc., 2020 WL 1478345 (N.D. Cal. March 26, 2020)

The post Section 230 Protects Classifying Non-Competitive Software as a Threat–Asurvio v. Malwarebytes appeared first on Technology & Marketing Law Blog.

This PUP Is definitely having a bad day after this ruling.
photo by Anik Shrestha, https://www.flickr.com/photos/anikshrestha/

This case involves rival makers of anti-threat software. The defendant, Malwarebytes, classified its rival’s software as a PUP, or Potentially Unwanted Program. The rival sued. Malwarebytes defended on 47 USC 230(c)(2)(B), which provides a safe harbor for filtering software. Malwarebytes won on that ground in the district court. Then, in a troubling ruling that broke with precedent, a 3-judge panel of the Ninth Circuit held that (1) 230(c)(2)(B) requires good faith on the part of filtering software makers, and (2) mere allegations that filtering was based on ant-competitive animus defeat the 230(c)(2)(B) safe harbor. Thus, Malwarebytes cannot rely on the safe harbor that Congress custom-developed for this circumstance.

Malwarebytes sought rehearings by the panel and en banc. In support of that request, Venkat and I, on behalf of 7 other cybersecurity law professors, submitted an amicus brief explaining how the ruling undermined cybersecurity, because it will discourage anti-threat software makers from legitimately downgrading their shady AF rivals (and many anti-threat software vendors are indeed shady AF). Any benefits consumers might gain from policing anticompetitive downgrades surely will be overwhelmed by the greater proliferation of harmful software that undermines our online security.

On New Years Eve (in a fitting end to an awful year for Internet Law), the Ninth Circuit denied the petition and issued an amended opinion. Unfortunately, the court made only minor substantive amendments. The redline of those substantive changes:

There are two good aspects of this amended opinion. First, the court got rid of the murky language that filtering software makers could not consider the identity of the threat’s maker in its filtering decision. That legal standard contravened central tenets of cybersecurity, so good riddance. Second, the amended language expresses the court’s holding exceptionally clearly: “blocking and filtering decisions that are driven by anticompetitive animus are not entitled to immunity under section 230(c)(2).”

I have nothing else good to say about the amendments. The court still collapses 230(c)(2)(A), which has a “good faith” requirement, with 230(c)(2)(B), which does not; and the amended opinion still gives purveyors of shady AF anti-threat software an easy workaround to any future 230(c)(2)(B) defense. For reasons that Venkat and I explain in the amicus brief, this makes the Internet less secure.

As for this case, Malwarebytes has a choice. It can appeal to the US Supreme Court, which I personally hope it does not do because the case’s legal issues aren’t the best fact setup for SCOTUS review of Section 230. Malwarebytes would have favorable odds on appeal, but the odds of something going dreadfully wrong are too high for my tastes. Alternatively, Malwarebytes can pursue the case on remand and win on the merits. Rebecca Tushnet explores some of the likely arguments. On remand, Malwarebytes probably will show that its filtering decision lacked anti-competitive animus, in which case it deserved the Section 230(c)(2)(B) safe harbor that this court denied. That wouldn’t be the first time that the Ninth Circuit eviscerated Section 230’s procedural benefits for no corresponding gains. Recall, for example, how the court denied Section 230 for Roommates.com because it allegedly engaged in illegal content, only to conclude four years later that Roommates.com actually qualified for Section 230 all along because Roommates.com never had illegal content at all.

Case citation: Enigma Software Group USA v. Malwarebytes, Inc., 2019 WL 7373959 (9th Cir. Dec. 31, 2019)

Case library:

• Malwarebytes’ petition for rehearing. Supporting amicus briefs from cybersecurity law professors, EFF/CAUCE, ESET, and Internet Association. Blog post on the filings.
• Ninth Circuit ruling. Blog post on that ruling.
• District court opinion. Blog post on that ruling.
• Related decision in Enigma Software v. Bleeping Computer. Blog post on that ruling.

The post Ninth Circuit Doubles Down on Bad Ruling That Undermines Cybersecurity–Enigma v. Malwarebytes appeared first on Technology & Marketing Law Blog.

A good PUP. Photo by Anik Shrestha, https://www.flickr.com/photos/anikshrestha/

In September, in Enigma v. Malwarebytes, the Ninth Circuit issued a troubling Section 230(c)(2)(B) ruling that allowed plaintiffs’ allegations of anti-competitive animus to override the safe harbor for anti-threat software vendors. It was a 2-1 ruling on a key topic, so it’s the kind of case that could support further proceedings in the Ninth Circuit.

Perhaps not surprisingly, the defendant Malwarebytes has requested en banc or panel review. Its petition for rehearing.

Four amicus briefs were filed in support of Malwarebytes’ brief:

Cybersecurity Law professors’ amicus brief

Venkat and I drafted this brief (with the help of Jess Miers) and filed it on behalf of 7 other professors. Our introduction:

The panel or the Court en banc should rehear this case so that it can reevaluate the ruling’s consequences for cybersecurity. Though anti-competitive animus could be a troubling reason for one software program to block another, the Court’s decision overcorrects for this concern. The panel decision will foster spurious legal accusations of anti-competitive blocking of software programs that are, in fact, dangerous to businesses and consumers. These legal threats will hinder the ability of anti-threat software vendors to properly classify threats to businesses and consumers, which will make the Internet less safe for everyone.

Internet Association amicus brief

Three aspects of the majority’s decision especially concern IA and its members. First, the panel improperly imported a motive-based good-faith limitation into Section 230(c)(2)(B). As explained in Appellee’s rehearing petition, that defies fundamental rules of statutory interpretation and collapses an important distinction between subsection (c)(2)(A), which includes an express “good faith” requirement, and subsection (c)(2)(B), which conspicuously omits one.

Second, by uncritically accepting what appears from the opinion to be Appellant’s bare allegations of anticompetitive animus, the panel’s decision threatens to make it all too easy for plaintiffs to plead around Section 230(c)(2)(B). That result is squarely at odds with this Court’s decisions in Fair Hous. Council v. Roommates.com, LLC, 521 F.3d 1157, 1162 (9th Cir. 2008) (en banc), and Kimzey v. Yelp!, Inc., 836 F.3d 1263 (9th Cir. 2016). Those cases make clear that because Section 230 protects service providers against protracted legal battles (not just ultimate liability), the immunity cannot be defeated at the pleading stage with conclusory assertions. The panel’s contrary approach puts the content-moderation decisions of online providers and users at risk of “death by ten thousand duck-bites,” Roommates.com, 521 F.3d at 1174, opening the door to costly litigation for any plaintiff willing to make even threadbare allegations of improper motive. That subverts Congress’s goal of encouraging and removing disincentives for the development and use of filtering technologies.

Third, the majority’s dictum that the “criteria for blocking online material must be based on the characteristics of the online material, i.e., its content, and not on the identity of the entity that produced it,” is particularly troubling. While perhaps unintended by the panel, this stray statement could be applied in ways that would further undermine the very practices that Section 230 was intended to protect. Online service providers and their users routinely make moderation decisions that apply to entities or individuals, rather than just isolated pieces of content. That happens, for example, when a provider terminates a user’s account or when users deploy tools like Twitter’s Block feature to filter content from certain other users. These measures are a vital part of online self-regulation and are covered by any coherent reading of Section 230(c)(2). The panel’s ambiguous language threatens to arbitrarily limit the ability of platforms and users to protect themselves against abusive, offensive, or problematic accounts or users. At a minimum, therefore, the Court should grant rehearing to correct (or strike) the panel’s errant dicta.

ESET amicus brief

The majority opinion in this case undermines internet security and harms consumer choice in at least two critical ways.

First, the opinion creates a major roadblock to effective computer security software. The decision undercuts statutory immunity for filtering technology whenever there are allegations of anticompetitive animus, even though a purveyor of objectionable material can easily position itself as a competitor and make a facially plausible claim of such animus. This undermines Congress’s goals in enacting the Communications Decency Act, 47 U.S.C. § 230 (1996) (CDA), and harms the procompetitive interests the majority opinion purports to protect.

Second, the decision substitutes litigation for the user choice that has created a thriving marketplace of protections available to consumers. Such choice now exists at two levels: when the user decides what security software to deploy, and when the user chooses to filter out an objectionable program with the aid of that software. The majority opinion would substitute litigation in which the user has no role for both of these choices.

EFF/CAUCE amicus brief

Amici represent the interests of Internet users and support Malwarebytes’ petition because the Enigma panel’s ruling will discourage the development of effective tools that allow users to customize their experiences online. Reading Section 230(c)(2)(B) (47 U.S.C. § 230(c)(2)(B)) to provide unequivocal protection to the providers of filtering tools, which the Enigma panel failed to do, is consistent with the plain meaning of the statute and congressional policy goals, and ultimately best empowers Internet users by incentivizing the development of robust and diverse filtering tools.

Filtering tools give Internet users choices. People use filtering tools to directly protect themselves and to craft the online experiences that comport with their values, by screening out spyware, adware, or other forms of malware, spam, or content they deem inappropriate or offensive. Platforms use filtering tools for the same reasons, enabling them to create diverse places for people online.

Amicus EFF also supports rehearing because it directly benefits from a plain reading of Section 230(c)(2)(B), as its public interest technologists have developed a free tool, called Privacy Badger, that stops advertisers and other third-party trackers from secretly tracking users as they browse the web. EFF’s ability to continue providing free privacy-enhancing tools to Internet users will be seriously threatened if the panel’s incorrect interpretation of Section 230(c)(2)(B) stands.

Finally, amicus EFF supports rehearing because ensuring that Section 230(c)(2)(B) unequivocally protects filtering tool providers encourages those providers to block harmful software that is used to perpetuate domestic violence and harassment. EFF is working to eradicate this so-called “stalkerware,” and that goal is more likely to be achieved when filtering tool providers have the unqualified Section 230(c)(2)(B) immunity that Congress intended.

Case library

Malwarebytes’ petition for rehearing. Supporting amicus briefs from cybersecurity law professors, EFF/CAUCE, ESET, and Internet Association.

Ninth Circuit ruling. Blog post on that ruling.

District court opinion. Blog post on that ruling.

Related decision in Enigma Software v. Bleeping Computer. Blog post on that ruling.

The post Rehearing Briefs in Enigma Software v. Malwarebytes appeared first on Technology & Marketing Law Blog.

Despite its deep anti-technology and pro-censorial motivations, the EU’s RTBF has been a popular policy innovation among other regulators. It has proliferated to other countries, including Russia. It has also inspired a tsunami of other regulatory interventions that make other Internet technologies dumber than they need to be. Arguably, we might view the period right before RTBF’s launch as the high-water mark of Internet freedom. It’s been a straight line downhill since.

Predictably, RTBF has fostered a lot of censorship. Google has received nearly 900,000 EU delisting requests, though it has rejected a majority of those requests. Its rejections have spurred countless complaints that keep percolating through DPAs and the court system–a litigation machine that will churn ceaselessly in perpetuity. Those lawsuits produced a couple of important RTBF-related ECJ rulings this week that I hope to address in a future blog post.

Today’s case involves an RTBF lawsuit over non-deindexing, but it involves the Russian RTBF and the leading Russian search engine, Yandex. This case is a fine example of a multi-year delisting lawsuit that has spanned continents. It’s also a good reminder that RTBF won’t work under current US law.

Mosha claims that search results in Yandex.ru (the Russian edition of Yandex’s search engine) defame him, such as “Yury Mosha–Exposing a Fraudster,” “Yury Mosha the Swindler,” “Yury Mosha the Rogue,” “Yury Mosha the Scammer,” and “Yury Mosha Deceived.” He asked Yandex to delist those results. Yandex refused. In 2017, he sued Yandex in Russia pursuant to Russia’s RTBF law. The Russian court ruled against Mosha after he and his lawyer unexpectedly (?) no-showed at the hearing. The US court summarizes the Russian court’s findings:

The Khamovniki Court held that Yandex, LLC’s refusal to de-index the websites was lawful and justified for numerous reasons: (1) Mosha presented no evidence, and the record did not reflect, that the sites distributed the information in violation of Article 10.3; (2) the Yandex search system on Yandex.ru automatically indexes publicly available information on the Internet and does not distribute the information, so it is not liable for third-party content; (3) Russia’s constitution guarantees the right to freely share information; and (4) per Article 10.3, the websites contained information about activities with criminal features (i.e. Articles 158 (robbery) and 159 (swindling) of the Russian Federation Criminal Code) and the time limit for imposing criminal liability for those actions had not yet expired.

A Russian appellate court upheld this ruling on what appears to be procedural grounds.

In 2018, Mosha sued Yandex’s US subsidiary in New York for failure to delist the Yandex.ru search results. The US court grants the defendant’s motion to dismiss.

International Comity. Yandex claimed res judicata as a defense because it won in Russia, which it said should preclude relitigation in the US. The court rejects this argument on several grounds, including the fact that Mosha was suing a different entity (the US subsidiary) with different claims than those at issue in Russia.

Yandex’s loss of the res judicata defense has a silver lining. Arguably, if Mosha had won the deindexing ruling in Russia and sought to enforce it in the US, we would not want to squelch Yandex’s defense on res judicata grounds. Instead, we would want to relitigate it under US law, which would almost certainly reject such deindexing. It makes me wonder if Yandex was short-sighted in bringing this defense or if it was playing some clever 4D chess with the hope of losing the defense here so that it would set a precedent for future cases where it wouldn’t want the defense. Or maybe they were so confident that they would always win international RTBF rulings that they would only be seeking affirmances in future US cases?

Defamation. The court says: “while the purported statement imputes fraud or misconduct to Mosha’s character, it does not do so in relation to his important business operations, i.e., Mosha does not plead his business significantly involves his Jewish heritage, or specifically says that he cheats his business customers….Additionally, Mosha did not plead that Yandex, Inc. published the defamatory statements; he merely references seventeen website links which he claims to contain defamatory information.”

Tortious Interference. The court says: “Mosha does not identify any specific contracts that were breached, the parties to said contracts, or how such contracts were breached—all essential elements for sustaining a claim of tortious interference….he makes no plausible allegations that Yandex, Inc. intentionally procured Mosha’s customers to breach their contract with him or that he suffered actual damages.”

.Section 230. The court says: “Yandex, Inc. has immunity under the CDA….Courts have widely held that as aggregators of third-party content, Internet search providers are interactive computer services, and as such, have immunity under the CDA.”  To get around Section 230, Mosha argued that the content violated federal criminal law. The court responds: “the § 230(e)(1) exception does not apply in civil actions, even assuming arguendo that civil litigants could ‘enforce’ criminal statutes through a separate civil remedies provision.” [Cite to Force v. Facebook, though there are several other cases in this line saying 230 applies to civil claims for federal crimes.]

This is a clean and decisive ruling, but it’s not the first time that a court has used Section 230 to reject an RTBF-style claim in the United States. Other precedents include Maughan v. Google Technology, Inc., 143 Cal. App. 4th 1242 (Cal. App. Ct. 2006); Murawski v. Pataki, 514 F. Supp. 2d 577 (S.D.N.Y. 2007); Shah v. MyLife.Com, Inc., 2012 WL 4863696 (D. Or. 2012); Merritt v. Lexis Nexis, 2012 WL 6725882 (E.D. Mich. 2012); Nieman v. Versuslaw, Inc., 2012 WL 3201931 (C.D. Ill. 2012); Getachew v. Google, Inc., 491 Fed. Appx. 923 (10th Cir. 2012); Mmubango v. Google, Inc., 2013 WL 664231 (E.D. Pa. 2013); O’Kroley v. Fastcase Inc., 831 F.3d 352 (6th Cir. 2016); Fakhrian v. Google Inc., 2016 WL 1650705 (Cal. App. Ct. 2016); Despot v. Baltimore Life Insurance Co., 2016 WL 4148085 (W.D. Pa. 2016); Manchanda v. Google, Inc., 2016 WL 6806250 (S.D.N.Y. 2016).

Case citation: Mosha v. Yandex Inc., 2019 WL 4805922 (S.D.N.Y. Sept. 30, 2019) (see the amended version issued October 30, 2019: 2019 WL 5595037),

The post Section 230 Helps Search Engine Defeat “Right to Be Forgotten” Lawsuit–Mosha v. Yandex appeared first on Technology & Marketing Law Blog.

This ruling caused this PUP to have a bad day. Photo by Anik Shrestha

The Ninth Circuit has issued a Section 230(c)(2) opinion that creates significant problems for anti-spyware/spam/virus vendors (I’ll call them “anti-threat vendors”). The ruling will paralyze their decision-making, expose them to greater legal threats, and reduce their ability to protect consumers from unwanted software. This ruling makes the Internet less safe. I hope the Ninth Circuit will fix it via further proceedings.

Background

Section 230 protects online services from liability for third-party content in two primary ways. As a crude approximation, Section 230(c)(1) immunizes the decisions to leave up third-party content; Section 230(c)(2) provides a safe harbor for removing or blocking third-party content. Section 230(c)(2) further subdivides into two parts. (A) covers first-party removals; (B) covers anti-threat vendors who send blocking/filtering instructions to third parties (like users who have installed the vendor’s software, or servers that subscribe to third-party blocklists).

The vast majority of Section 230 caselaw involves 230(c)(1), which has become the foundation of the modern Internet. In contrast, Section 230(c)(2) gets a lot less attention, for several reasons. First, content removal generally produces less litigation than continued content publication. Second, liability for content removal often can be handled through a variety of risk management techniques, including contract provisions. Third, Section 230(c)(2)(A) has a “good faith” requirement that is riskier and more expensive to litigate than Section 230(c)(1), which has no parallel scienter requirement. As a result, online services sued for terminating user accounts have successfully adopted a 230(c)(1) defense in situations where the statute seemingly contemplated 230(c)(2)(A) would apply.

Because of this, Section 230(c)(2) has largely receded in importance. However, Section 230(c)(2)(B) still provides foundational protection in one critical context: anti-threat software.

In 2009, the Ninth Circuit issued a groundbreaking Section 230(c)(2) ruling in Zango v. Kaspersky. I ranked that ruling as #6 on my list of top 10 Section 230 rulings of all time. The opinion didn’t do anything fancy; it just basically interpreted the statute as written to conclude that anti-threat vendors qualified for Section 230(c)(2)’s protection. Despite the straightforward statutory analysis, the ruling has had major and beneficial consequences. As I wrote in my article, “this ruling is the main reason why we rarely see lawsuits anymore against [anti-threat vendors] for their blocking or removal decisions.” Because of Zango’s importance, any change to its holding has potentially dramatic implications.

Section 230(c)(2) and Anticompetitive Animus

Writing for the majority, Judge Schroeder (a Carter appointment) frames the case as “whether § 230(c)(2) immunizes blocking and filtering decisions that are driven by anticompetitive animus.” The majority answers the question negatively: “if a provider’s basis for objecting to and seeking to block materials is because those materials benefit a competitor, the objection would not fall within any category listed in the statute and the immunity would not apply.” The majority explains:

users selecting a security software provider must trust that the provider will block material consistent with that user’s desires. Users would not reasonably anticipate providers blocking valuable online content in order to stifle competition. Immunizing anticompetitive blocking would, therefore, be contrary to another of the statute’s express policies: “removing disincentives for the utilization of blocking and filtering technologies”….interpreting the statute to give providers unbridled discretion to block online content would, as Judge Fisher warned, enable and potentially motivate internet-service providers to act for their own, and not the public, benefit”

The dissent thought the Zango precedent was dispositive: “Although the parties were not direct competitors, the plaintiff in Zango asserted similar anticompetition effects. The majority’s policy arguments are in conflict with our recognition in Zango that the broad language of the Act is consistent with “the Congressional goals for immunity” as expressed in the language of the statute.”

Still, at a high enough level of abstraction, the majority’s reasoning sounds sensible. If a plaintiff has credible evidence that the defendant has violated antitrust law, it should have legal recourse. Section 230(c)(2) should not stand in the way.

Nevertheless, the majority’s legal standard creates two obvious and significant problems. First, many spammers, virusmakers, and adware/spyware makers will claim–legitimately or not–to be direct or partial competitors with anti-threat vendors. In those situations, the threat purveyors will naturally claim that the blocking was motivated by anticompetitive animus. In fact, I would expect such anticompetitive animus claims to be routine for blocked entities, not an exception. Indeed, as the dissent noted, Zango claimed (not credibly) its adware was competitive with Kaspersky’s anti-threat software. For a similar phenomenon, recall how many vertical search engines mockably claimed they were Google’s competitors when Google downranked or delisted them. If a blocked or filtered threat purveyor can easily bypass Section 230(c)(2) merely by claiming they were blocked based on the anti-threat vendor’s alleged anticompetitive animus, then Section 230(c)(2)(B) doesn’t really protect anti-threat vendors.

Second, even when a software vendor actually directly competes with the anti-threat vendor, it might still be appropriate to block it. Unfortunately, the anti-threat software industry has too many sleazy players who are really in the scareware or adware business. When anti-threat vendors’ direct competitors are also threats to consumers, the court’s standards virtually ensure that Section 230(c)(2) won’t be available.

Thus, this case functionally overturns Zango v. Kaspersky. The Zango ruling gave a lot of comfort to anti-threat vendors that they could make their classification decisions without being sued for each one. This ruling restores the pre-Zango default, when anti-threat vendors feared a lawsuit with each of their classification decisions.

The demise of the Zango v. Kaspersky rule will have three pernicious consequences. First, anti-threat vendors will have to do more upfront homework to justify and document their blocking decisions in case they may be challenged in the future. That increases their costs and slows down their decision-making.

Second, to reduce the risk of litigation, anti-threat vendors will err on the side of not blocking (or will reverse their decision when threatened with a lawsuit). At the margins, anti-threat vendors will now green-light “potentially unwanted programs” (PUPs) that they would have historically blocked. Ironically, then, this ruling is pro-spam, pro-virus, and pro-spyware/adware. It makes consumers less safe because more sketchy programs will not be blocked when they should have. Worse, as anti-threat vendors do a poorer job of their core consumer protection function, consumers’ trust in the entire anti-threat industry will degrade even more.

Third, anti-threat vendors will be sued by blocked software vendors more often. Even if those lawsuits ultimately fail, they will increase the industry’s costs with little concomitant benefit. And in the end, we don’t want courts usurping the judgment of anti-threat vendors in deciding what is a threat or not. That’s an expensive, slow, and very unsatisfying way of making blocking decisions.

All of these consequences are maddeningly unnecessary because Malwarebytes is likely to win this case via other legal theories. It probably didn’t block Enigma solely out of anti-competitive animus, and its judgment about Enigma’s threat status is a constitutionally protected opinion. Like some of the other Ninth Circuit Section 230 debacles (like promissory estoppel and failure to warn), this opinion is likely to increase everyone’s litigation and judicial costs to reach defense wins. Anti-threat vendors have the editorial freedom to decide what programs to block, but they won’t have 230(c)(2)’s judicial fast lane.

But what if Malwarebytes did actually block Enigma solely out of anti-competitive animus? The majority treats Malwarebytes’ block as market-determinative, i.e., Malwarebytes’ block apparently freezes Enigma out of the market. But if Malwarebytes’ users aren’t happy with its blocking function, the users can uninstall Malwarebytes and adopt Enigma instead. This means consumers are empowered to override Malwarebytes’ decisions. If so, we don’t need Section 230(c)(2)(B) to police this corner of the marketplace.

Note: The tie-breaking vote was cast by a district judge sitting by designation, not by a Ninth Circuit-appointed judge. It’s troubling to see Ninth Circuit law being set by a visiting judge. This would be another good reason to consider granting en banc review.

Problematic Dicta With the Majority Opinion

The majority opinion reaches a bad result, but that’s not its only problem. I’ll highlight three unfortunate passages from the majority opinion:

What Does “Objectionable” Mean? 230(c)(2) has a catchall excuse for blocking of anything vendors consider “objectionable.” This catchall has vexed courts because it is broad and unbounded. The majority says the catchall could apply here: “Spam, malware and adware could fairly be placed close enough to harassing materials to at least be called ‘otherwise objectionable.'”

So far so good. Then, the majority adds: “We think that the catchall was more likely intended to encapsulate forms of unwanted online content that Congress could not identify in the 1990s.” Huh? I have no idea where the majority got this impression. More likely, Congress wanted a general-purpose catchall to avoid comprehensively enumerating all possible categories of objectionable material. Because the majority’s addition is unsupported and speculative dicta, I hope other courts will ignore it.

Blocking Based on Identity. The majority opinion says:

the criteria for blocking online material must be based on the characteristics of the online material, i.e. its content, and not on the identity of the entity that produced it.

Rebecca Tushnet calls this language “particularly destructive” of the safe harbor, for good reason. This passage can’t possibly be right. Read literally, this would prevent any reputation scores for spam filters, any effort to identify and block recidivists, even any IP address blocks. There are substantial operational efficiencies from making blocking and filtering decisions based on content source rather than doing individualized determinations for each and every content item. This passage jeopardizes all of those operational efficiencies. Plus, in some cases, the identity of the content publisher makes a huge difference. A beheading video posted by a terrorist organization is different when it’s posted by a human rights watchdog, even if the video is identical in both cases. So it’s essential for anti-threat vendors to consider content source and not just the four corners of content items. This passage needs to be fixed or ignored.

Limits on Discretion. It’s worth revisiting this quote from the majority opinion:

interpreting the statute to give providers unbridled discretion to block online content would, as Judge Fisher warned, enable and potentially motivate internet-service providers to act for their own, and not the public, benefit

WTH? Of course all for-profit companies act for their own benefit. That’s called capitalism. What’s remarkable about Section 230 is that it motivates Internet companies to undertake *socially valuable* content moderation work–despite the apparent financial disincentives to doing so.

As a result, language like this is extraordinarily pernicious, because it suggests that Section 230 is conditioned on defendants exercising their editorial discretion only for the “public benefit” rather than any other objectives. That’s nonsensical. Content moderation is a zero-sum game where someone gets what they want and someone else doesn’t, and the losers will always claim that the decision wasn’t in the “public” benefit. Furthermore, as Margaret Thatcher suggested, there is no monolithic “public” to prioritize. Instead, there are heterogeneous communities with diverse needs that often must balanced rather than pareto-optimize. This passage also needs to be fixed or ignored.

Section 230 and Lanham Act False Advertising Claims

The opinion had one good aspect. Section 230 expressly does not apply to intellectual property claims, including federal trademark claims. However, because the Lanham Act false advertising provisions occupy the same part of the US code as federal trademark law, some courts have held that Section 230 doesn’t apply to Lanham Act false advertising claims. The court correctly reaches the opposite conclusion:

the intellectual property exception contained in § 230(e)(2) encompasses claims pertaining to an established intellectual property right under federal law, like those inherent in a patent, copyright, or trademark. The exception does not apply to false advertising claims brought under § 1125(a) of the Lanham Act, unless the claim itself involves intellectual property.

Comments from the Litigants

Comments from Terry Budd, Enigma’s counsel:

In its Opinion in the Enigma Software vs Malwarebytes case the 9th Circuit (Justice Schroeder) held that Section 230 is not limitless – and reasoned that to grant immunity for anticompetitive tortious conduct by a company against a competitor would violate the statutory purposes of Section 230 expressly articulated by Congress and violate the statute itself.  Stated another way, to allow a company to harm a competitor and consumers though anticompetitive, unfair trade practices which have been unlawful under well established American legal precedent for decades –  and then to allow that company to claim immunity under what was designed to be a Good Samaritan statute, is antithetical to the very core of the Good Samaritan Doctrine. The 9th Circuit is a very highly-respected and thoughtful Court – particularly so in the legal software/tech sector  – and we agree with the Court’s ultimate holdings.

Comments from Tyler Newby, Malwarebytes’ counsel:

We are disappointed by the majority’s ruling.  The company is evaluating its options for seeking further appellate review, and it is likely to petition for en banc review.

We think the majority opinion failed to recognized the distinction between 230(c)(2)(A), which applies to service providers that filter content in a way that may not be transparent to users, and 230(c)(2)(B), which applies to providers of filtering technology that users may choose to use or not to use based on their own preferences.  We agree with Judge Rawlinson’s dissent that the plain text of CDA Section 230(c)(2)(B) does not include the limitation on immunity read into it by the majority.  Nothing in the text of the statute or its stated purposes would limit immunity to filtering where the source of the filtered content was not considered.  Malwarebytes, like other security software providers, is a provider of  filtering tools to users who can choose to use its software or one of the many other options available to them, depending on whether they agree with how Malwarebytes filters PUPs.  Malwarebytes puts consumer choice first, and its Potentially Unwanted Program criteria are designed give users more control over their computers.

Finally, it is important to note that Malwarebytes does not compete with Enigma. The opinion’s description of the companies as direct competitors is not based on any evidentiary findings, but solely on Enigma’s allegations at the pleadings stage.

Other Coverage:

Rebecca Tushnet. She wrote: “Eric Goldman is gonna hate that.” Rebecca knows me really well!

Tim Cushing

Case citation: Enigma Software Group USA, LLC v. Malwarebytes, Inc., 2019 WL 4315152 (9th Cir. Sept. 12, 2019)

The post Terrible Ninth Circuit 230(c)(2) Ruling Will Make the Internet More Dangerous–Enigma v. Malwarebytes appeared first on Technology & Marketing Law Blog.

Rep. Gosar’s HR 4027 was introduced in Congress July 25, 2019, but the text didn’t appear in Congress.gov until yesterday (August 14). I do not understand it took 3 weeks for the bill’s text to become public. In the interim, the bill has caused some confusion. When introduced, Rep. Gosar issued a press release but didn’t include the text. Unsurprisingly, the press release wasn’t 100% accurate. That sparked several news reports that responded to the press release but were themselves imprecise because they weren’t grounded in the text.

Now that the text is public, we can finally do a well-informed evaluation. The bill proposes three substantive changes to Section 230(c)(2). First, it would limit the 230(c)(2)(A) safe harbor for filtering/blocking decisions only to “unlawful” content, rather than the current much broader scope of “objectionable” content. Second, it would limit the 230(c)(2)(B) safe harbor for providing filtering instructions only to “unlawful” content. Third, it would create a new safe harbor for providing users with the ability to restrict access to material. I did a redline showing its proposed changes to Section 230(c):

This bill is terrible in many ways. Among other problems, it grossly misunderstands Section 230’s mechanics, its desired policy consequences would be horrible, and it is misdrafted to advance those objectives. Some of the bill’s lowlights:

Internet Services Rarely Rely on Section 230(c)(2)(A) Any More. Section 230(c)(2)(A) doesn’t matter to most Internet services. As I’ve explained before, as a gross stereotype, Section 230(c)(1) protects “leave-up” decisions, and Section 230(c)(2)(A) protects “removal” decisions. In general, content removal decisions trigger far fewer lawsuits than leave-up decisions.

In the case of removals, the most likely plaintiff is the user whose content has been removed. Those users often don’t have enough at stake to sue, and they will have to navigate around the service’s TOS and its many provisions protecting the service.

Meanwhile, courts have narrowed the scope of Section 230(c)(2)(A)’s safe harbor to the point where very few services rely on its safe harbor. Instead, courts routinely hold that Section 230(c)(1), instead of Section 230(c)(2)(A), preempts users’ suits over removal decisions, so most Internet services rely on that.

As a result, amending Section 230(c)(2)(A) won’t likely change the outcomes for users who experience removals. In other words, the bill’s revisions to Section 230(c)(2)(A) aren’t likely to advance the drafters’ policy objectives. It’s perplexing, and possibly embarrassing, that the bill drafters apparently misunderstood the role Section 230(c)(2)(A) actually plays in the ecosystem. Oops.

Anti-Threat Vendors Rely on Section 230(c)(2)(B), But This Bill Would Eviscerate Their Safe Harbor. While Section 230(c)(2)(A) has faded in importance, Section 230(c)(2)(B) remains a vital protection for anti-threat vendors, such as vendors of anti-spam, anti-spyware, anti-malware, and anti-virus software. Every time these vendors make a classification decision that will block their users’ access to third party software or content, they face potential lawsuits. Fortunately, in the Zango v. Kaspersky ruling from a decade ago, the Ninth Circuit held that Section 230(c)(2)(B) applied to those lawsuits. In practice, that ruling ended lawsuits by spammers, adware vendors, and other producers of threats against software vendors over blocking and classification decisions.

The bill would implicitly overturn Zango v. Kaspersky and instead provide a safe harbor only for blocking “unlawful content.” As a result, vendors who produce software or content that is pernicious/unwanted, but not technically illegal, would have much greater legal leverage to challenge any classification decisions. This has at least two bad consequences: (1) anti-threat software will become substantially less useful to users because they let through more unwanted stuff, and (2) there will be a lot more litigation over classification decisions, which will raise defense costs and make the anti-threat vendors scared to block anyone. So instead of calling this bill “Stop the Censorship Act,” it might be more accurate to call it the “Stop Protecting Consumers from Spam, Spyware, Malware, and Viruses Act.”

The bill would also remove the safe harbor for parental control software vendors that block children’s access to content that is lawful but nevertheless inappropriate for kids. If this changes the vendors’ behavior, the bill seemingly would make parental control software useless. That outcome would be rich in historical irony, because Congress wanted Section 230 to spur the adoption of self-regulatory efforts to keep kids safe online–through technologies like parental control software. Indeed, Section 230(d) (added a couple years after Section 230’s initial passage) *requires* “interactive computer services” to notify customers about the availability of parental control software (a provision that is widely ignored, but whatever). This bill would directly undermine one of Section 230’s principal policy goals, so perhaps it should be renamed the “Stop Keeping Kids Safe Online Act.”

What Is “Unlawful” Content? The bill doesn’t define the term “unlawful content,” and its meaning isn’t self-evident. Some possibilities of what it might mean:

• Most likely the drafters meant that “unlawful” content only refers to content categorically outside of U.S. Constitutional protection. That includes things like child porn, obscenity, true threats/incitement to imminent violence, certain types of speech incident to criminal conduct, and possibly copyright infringement. Note that some other standard First Amendment exclusions, such as defamation, enjoy substantial procedural limits required by the First Amendment, so it’s not clear how to categorize that kind of content.
• Any content that creates potential tort exposure. This would include a wide but indeterminate array of content.
• Any content that is illegal or tortious under any law anywhere on the globe. In practice, that would be virtually all content.

Due to the term’s imprecision, it’s hard to judge the scope of the suppressable content that would be consistent with the redefined safe harbor.

Limiting Content Filtering to “Unlawful Content” Would Be Stupid. Let’s assume the bill would limit the Section 230(c)(2) safe harbors only to removing Constitutionally unprotected content. If so, removing pernicious but legal content would no longer get the safe harbor. If Internet services actually changed their behavior due to this reshaped safe harbor, they would be overrun by trollers, spammers, and miscreants, which would crowd out all productive conversations. In other words, this bill seeks to make Internet services look more like 8Chan. Perhaps this bill should be renamed the “I 8Chan Act.”

What Does It Mean to Give Users “Options to Restrict Access” to Content? The bill proposes a new safe harbor for putting more filtering power in users’ hands. Putting aside the filter bubble risk, on balance that sounds like it could be a good thing.

But what does it mean to give users “options to restrict access”? The press release expressly cites three examples: Google SafeSearch, Twitter Quality Filter or YouTube Restricted Mode (I retained the quirky italicization from the press release).

Wut? Google SafeSearch is on by default, so does this means that Google’s default search always will qualify for the new 230(c)(2)(C) safe harbor even though the SafeSearch routinely blocks and downgrades lawful content?  I don’t know much about Twitter’s Quality Filter or how widely it’s used. Surely the reference to YouTube’s Restricted Mode can’t be right–after all, having his videos restricted triggered Prager University to sue Google (unsuccessfully). Or maybe the drafters didn’t realize that?

All three examples involve coarse filters–essentially, they are either on-or-off. So if a binary on/off filtering tool qualifies as giving users “options” to filter, then what personalization or filtering tool wouldn’t qualify for 230(c)(2)(C)?

Because many services give users options to personalize the content they see in some way or another, 230(c)(2)(C) seemingly could swallow up the rest of the bill and make the changes to 230(c)(A) and (B) functionally irrelevant. For example, because installing anti-threat software or parental control software is a binary “option,” maybe those services gain back via 230(c)(2)(C) everything that they seemingly lost in the proposed revisions to 230(c)(2)(B)…? But it’s hard to say that most filtering software puts true “options” into the hands of users–in virtually all cases, anti-spam software is a binary on/off, so the real filtering power remains in the service’s classification decisions. So if 230(c)(2)(C) is broad enough to pick up binary options, I don’t understand what the drafters think they are accomplishing.

[Note the odd grammar of 230(c)(2)(C). The safe harbor only applies to “actions taken to provide” users with filters. It doesn’t say that the safe harbor applies to the actual filtering decisions. I’m assuming it does because that’s the only sensible outcome. If the safe harbor doesn’t protect filtering decisions, I have no idea what would be covered by this safe harbor.]

* * *

Last month, a huge coalition of Section 230 experts released seven principles to evaluate proposed amendments to Section 230. I’ll use the principles to evaluate Rep. Gosar’s bill:

• Principle #1: Content creators bear primary responsibility for their speech and actions. The bill doesn’t directly address this issue because it focuses on removals, not leave-up decisions.
• Principle #2: Any new intermediary liability law must not target constitutionally protected speech. Arguably, the bill doesn’t violate this principle because it seeks to protect Constitutionally protected speech from editorial filtering. But it advances that goal at the expense of the Internet services’ editorial discretion, so it also seeks to restrict the constitutionally protected speech of Internet services.
• Principle #3: The law shouldn’t discourage Internet services from moderating content. It absolutely tries to discourage Internet services from moderating content in the worst possible way.
• Principle #4: Section 230 does not, and should not, require “neutrality.” The bill doesn’t expressly address neutrality, but by forcing Internet companies to treat pro-social and anti-social content equally, the bill creates the kind of false equivalency that violates this principle.
• Principle #5: We need a uniform national legal standard. The bill doesn’t directly address this issue. However, by circumscribing Section 230(c)(2)’s shield, it would newly expose defendants to a wide range of diverse state law claims–something we saw frequently when spammers and adware vendors sued anti-threat software vendors. So the bill violates this principle sub silento.
• Principle #6: We must continue to promote innovation on the Internet. The bill drafters might think they are promoting innovation with the new 230(c)(2)(C) safe harbor, which tries to push more filtering to user-controlled options and thus might spur filtering innovations. I don’t think that would be the result, especially if a binary on-off option satisfies the safe harbor. However, I don’t think this bill has the same pernicious anti-innovation effects that Sen. Hawley’s bill would have.
• Principle #7: Section 230 should apply equally across a broad spectrum of online services. The bill doesn’t directly implicate this issue. However, by mucking with Section 230(c)(2)(B), the bill would actually newly expose anti-threat vendors to liability that might not be faced by other players in the ecosystem.

On the plus side, this bill doesn’t run afoul of all the principles. On the minus side, this bill directly, squarely, and perniciously violates several principles, especially Principles #3 and 4. That should be a huge red flag.

* * *

It doesn’t bring me any joy to dunk on a bill like this. Like Sen. Hawley’s bill, it almost certainly was meant as a piece of performative art to “play to the base” rather than as a serious policy proposal. But even as performative art, it highlights how Section 230 is grossly misunderstood by politicians inside DC, and it’s a reminder that modifying Section 230 requires extreme care because even minor changes could have dramatic and very-much-unwanted consequences.

Even if there are merits to taking a closer look at Section 230, proposals like this don’t aid that process. Instead, by perpetrating myths about Section 230 and politicizing Section 230, bills like this degrade the conversation. They move us yet closer to the day when Congress does something terrible to Section 230 for all of the wrong reasons.

[SPECIAL SHOUTOUT TO REPORTERS: If I’m right that Sen. Hawley’s bill and this bill are performative art, not serious policy proposals, you do a HUGE disservice to your readers and the world when you treat the bill authors as credible information sources on Section 230. In effect, you are helping them amplify their messages to their base while polluting the discourse for everyone else. Of course, the bill drafters know you will do this, so introducing a performative art bill buys them an ill-deserved seat at the discussion. They are intentionally weaponizing your compulsion to present “both sides” against you. Don’t take the bait.]

* * *

Appendix

I offered several alternative names for the bill, so I thought it would be helpful to recap them all here:

“Censorship Act”

“Stop Protecting Consumers from Spam, Spyware, Malware, and Viruses Act”

“Stop Keeping Kids Safe Online Act”

“I 8Chan Act”

The post Comments on Rep. Gosar’s “Stop the Censorship Act,” Another “Conservative” Attack on Section 230 appeared first on Technology & Marketing Law Blog.

Unlike shady software, this is a good PUP. by Anik Shrestha, https://www.flickr.com/photos/anikshrestha/

I blogged about this case in September. PC Drivers makes software that claims to help speed up users’ computers. Malwarebytes blocked it as a “potentially unwanted program,” or PUP. Litigation ensued. In the prior ruling, Malwarebytes won big, but then unexpectedly asked the judge to transfer the litigation from Texas to California rather than close out the case with a judge who already supported its positions. Fortunately for Malwarebytes, the California court reaches the same conclusions.

Section 230(c)(2)(B). As the Texas court held, Malwarebytes’ blocking of PC Drivers is pretty much a textbook application of Section 230(c)(2)(B)’s safe harbor for filtering instructions. PC Drivers tried four arguments to get around it:

• The safe harbor shouldn’t work on a motion to dismiss. The court cites 3 cases that have found 230(c)(2)(B) on a motion to dismiss.
• 230(c)(2)(B) doesn’t apply to click stealing. PC Drivers claims that Malwarebytes “steals” “click advertising services” by diverting PC Drivers customers to become Malwarebytes customers. This happens because Malwarebytes flagged PC Drivers’ domains as PUP sources and displays a warning to its software users when they try to access those domains. The court says the “alleged redirection in this case clearly is an action that enables or makes available the technical means to restrict access to material.” This discussion has some parallels to the alleged diversion at issue in competitive keyword advertising cases, but the court doesn’t make the linkage. The court also says 230(c)(2)(B) extends to providing screenshots and instructions on how to remove PC Drivers.
• Malwarebytes committed tortious contract interference by blocking its software even for its paying customers and making it really hard for them to keep using the software. The court says the Ninth Circuit rejected this argument in Zango v. Kaspersky.
• Its software isn’t “objectionable.” The court responds that the statute makes clear that it’s a subjective standard for objectionable.

Section 230(c)(2)(B) thus wipes out most of PC Drivers’ claims.

False Advertising. PC Drivers claims that Malwarebytes violated Lanham Act 43(a) by saying that its software is a “system optimizer” that “uses intentional false positives to convince users that their systems have problems.” The court says these are non-actionable opinions.

Trademarks. “PC Drivers contends that Malwarebytes’ use of the Marks is causing confusion by ‘deceiv[ing] the public into believing PC Drivers’ website and [P]roducts are malicious, and that Malwarebytes’ premium product is the solution to resolve any future ‘malicious’ programs.'” The court says this is a “novel” theory of trademark infringement unsupported by the precedent. Also, Malwarebytes qualifies for nominative use because its messages connoted disapproval of PC Drivers.

The court’s ruling is sensible and unsurprising given the Texas ruling. A different case against Malwarebytes, brought by Enigma, is on appeal to the Ninth Circuit. The ruling in that case should be more of the same, but if the Ninth Circuit does something goofy, this case previews the nonsense we can anticipate.

Case citation: PC Drivers Headquarters LP v. Malwarebytes Inc., 2019 WL 1061739 (N.D. Cal. March 6, 2019)

Other Posts on Malwarebytes:

Section 230 Helps Malware Vendor Avoid Liability for Blocking Decision–PC Drivers v. Malwarebytes

Section 230(c)(2) Protects Anti-Malware Vendor–Enigma v. Malwarebytes

Message Board Operator May Be Liable For Moderator’s Content–Enigma v. Bleeping

The post Filtering Software Defeats Another Lawsuit–PC Drivers v. Malwarebytes appeared first on Technology & Marketing Law Blog.