In an effort to avoid that graveyard of litigation, the plaintiff tried the trespass to chattels doctrine. But….um…exactly how does a browser extension trespass any chattel controlled by the retailer? The retailer’s answer (I shit you not, I would not make up shit like this):

superimposing the Price Comparison Tool over other content on the S&S Site trespasses on valuable digital real estate that S&S has expended time, resources, and effort to make aesthetically and functionally appealing to its customers (emphasis added)

Holy mixed metaphors….”digital real estate”!

This lawsuit would be mockable at any time, but its mockability skyrockets in the wake of the Best Carpet Values v. Google decision, which essentially rejected a functionally identical “trespass to web pages” argument.

Sticking closely to the Best Carpet Values decision, the court tells the plaintiff:

the alleged “trespass” is not to any aspect of S&S’s website that is in its possession. Rather, S&S alleges that Defendants’ Price Comparison Tool alters the appearance of S&S’s website in a consumer’s web browser on the consumer’s computer. S&S does not allege that it possesses the consumer’s browser or computer. And S&S cites no authority that it possesses, or has any property interest in, the appearance of its website on a third party consumer’s browser or computer.

The plaintiff tried to obfuscate this issue by arguing that trespass to chattels can apply to intangible property–a slightly true but deeply problematic statement. As I’ve repeatedly explained, if the definition of “chattels” mean intangibles–i.e., the antonym of “chattels”–then trespass to chattels morphs into a doctrine of “trespass to plaintiff’s butthurt feelings,” and the law implodes on itself.

The court doesn’t take this bait. Instead, like the Best Carpet Values decision, the judge observes that by the time the browser extension modifies the retailer’s web page, the digital bits are no longer in the retailer’s “possession.” I would much prefer courts define chattels to categorically preclude debates over its applicability to intangibles, but the court’s logic gets the job done.

There’s nothing left for the retailer to complain about:

Defendants are not alleged to have intercepted and altered S&S’s website transmission such that it was impossible for any consumer to view S&S’s website as S&S intended. Rather, Defendants provided a tool that consumers could decide to use to view S&S’s website in a way chosen by the consumer once the website transmission was in the consumer’s possession. S&S has no property right in the consumer’s internet viewing decisions.

Furthermore, the alleged act of “trespass” identified by S&S is an action taken by the consumer, not by the Defendants. The action S&S alleges constitutes “trespass” is the appearance of Defendants’ Price Comparison Tool superimposed on S&S’s website. But it is the consumer who decides whether to enable the Price Comparison Tool on their computer. To the extent enabling the Price Comparison Tool constitutes a trespass, Defendants aren’t the ones committing it.

In a sense, the court’s ruling is pro-user. The plaintiff is essentially claiming that it alone determines the canonical view of the website. However, websites are viewed on a wide range of devices and browsers, all of which the user chooses, so web pages don’t have any canonical version that the law can recognize. The court’s decision seemingly lets users, not the website, choose which technologies they want to use to access a website.

And yet, this passage also implies that perhaps the retailer could sue the users for trespass to its valuable digital real estate for marring its beautiful and canonical web page. As stupid as that sounds, such a claim would not be materially worse than the claim rejected here.

Case Citation: S&S Activewear LLC v. Promo Hunt, Inc., 2026 U.S. Dist. LEXIS 91156 (N.D. Ill. April 23, 2026). The complaint. Per the complaint, this lawsuit addressed more topics that just trespass to chattels. Still, three lawyers from Sidley & Austin–traditionally, one of the most prestigious law firms in the country–signed off on the phrase “trespasses on valuable digital real estate.” Surely that will be a peak moment of their legal careers. A note about my time at Sidley & Austin.

The post Plaintiffs Are Still Litigating–and Losing–Website Framing Cases (S&S v. Promo Hunt) appeared first on Technology & Marketing Law Blog.

Capital One defended on Section 230 grounds (among others). Capital One argued that the plaintiff is trying to hold Capital One liable for the text message sent by its customer to the customer’s “friend.” The plaintiff pointed out that Capital One authored and provided its customer with the exact content that the customer sent, so the content at issue wasn’t third-party content to Capital One. The district court agrees with the plaintiff.

It doesn’t change the 230 analysis that the promoting customer could have edited the content, because that didn’t happen in this situation. “Because Jensen alleges that Capital One is the sole author of the content of the text that she received, Capital One is not alleged to be merely the passive conduit of content created by others.” Groan. As I’ve discussed ad naseum on the blog, the “passive conduit” phrase is conceptually incoherent, and it’s inconsistent with Section 230’s protection for editorial decisions regarding third-party content.

The court adds: “the purpose of Section 230 immunity—to encourage Internet service providers to voluntarily monitor and edit user-generated speech in internet traffic—would not be served by protecting Capital One from liability in this case.” I disagree with the court’s characterization of Section 230’s goals, but I can see why the 230 defense vexed the court. Capital One isn’t hosting or distributing content authored by others; Capital One is trying to avoid liability for ad copy it prepared with the intent of profiting from securing new customers.

Still, the opinion sidesteps a key conceptual problem with this case. The court could have said that Capital One’s ad copy didn’t cause the legal violation asserted by the plaintiff. Capital One isn’t liable merely for providing promotional content to its customers; the customer could have been equally liable for violating the anti-spam law if they had written their own ad copy and sent it to their “friend”; and the promotional content wouldn’t have created liability if the sender had otherwise complied with the prerequisites of Washington’s anti-spam law. In other words, any anti-spam liability turns solely on the sender’s compliance efforts (or lack thereof), something Capital One can’t directly control. Viewed this way, the plaintiff seeks to hold Capital One liable for third-party “content,” i.e., its customers’ incomplete legal compliance when disseminating messages the senders had sole editorial control over.

Similar allocation-of-liability issues arose during the adware and affiliate program wars of the 2000s. See this roundup. Section 230 wasn’t a main issue in most of those litigation battles, and it doesn’t work here. Capital One may have tenable defenses on other grounds.

You may have noticed that I sometimes put the term “friends” in quotes. True friends don’t spam each other. That rule doesn’t change just because a marketing team labels its affiliate program “refer-a-friend.”

Case Citation: Jensen v. Capital One Financial Corp., 2025 WL 606194 (W.D. Wash. Feb. 25, 2025)

The post Section 230 Doesn’t Apply to “Refer-a-Friend” Text Message–Jensen v. Capital One appeared first on Technology & Marketing Law Blog.

Puppy chewing tennis ball. Photo by Anik Shrestha, https://www.flickr.com/photos/anikshrestha/

You probably know this case well, but I’ll recap it anyway. Malwarebytes makes anti-threat software. Enigma makes competitive offerings. Malwarebytes classified Enigma’s SpyHunter4 and RegHunter2 programs as malicious, a threat, and a potentially unwanted program (PUP).

This screenshot shows Malwarebytes’ interface. The green “upgrade now” button plays a key role in the court’s latest analysis:

Enigma sued Malwarebytes for its classifications in 2016, back when Obama was still president. This case should have been easily resolved by Section 230(c)(2)(B) per Zango v. Kaspersky. Instead, it has horked Internet Law in three major ways:

• The Ninth Circuit created a new Section 230 common law exception for “anti-competitive animus”–some undefined principle vaguely rooted in antitrust law. That allowed the case to survive the first motion to dismiss. The new exception has added no value to the jurisprudence. Instead, it casts a nebulous shadow over many Section 230 defenses.
• The Supreme Court denied Malwarebyte’s appeal. Nevertheless, Justice Thomas issued a “statement” in connection with that denial, which he self-admittedly wrote “without the benefit of briefing.” The statement mused about the ways Section 230 jurisprudence has gone wrong. Justice Thomas’ statement is terrible, both procedurally and substantively. Despite that, Federalist Society judges treat the statement as more persuasive than, you know, actual precedent.
• After remand, the case went back to the Ninth Circuit, which held that anti-threat classifications might be Lanham Act false advertising. Say what?

Today I’m blogging the district court decision after that remand. The result is ugly. The court horks the law for a fourth time, reinforcing how this case is a wrecking ball to Internet Law. I really do hate this case.

Lanham Act

Commercial Advertising or Promotion. The Lanham Act only applies to “commercial advertising or promotion.” This case reaches that question in an awkward fashion.

Malwarebytes offered try-before-you-buy software, which increases consumer demand by identifying a larger number of threats; that scares consumers into upgrading the free trial. (This need to get consumers to “act now” is one of the reasons why the D2C anti-threat software industry is dubious). In theory, Malwarebytes will boost conversions even more if it rates its competitors as threats, reducing their interest in the alternatives. Thus, if you squint, you might see how Malwarebyte’s classification of Enigma contributes to consumers’ buying decisions.

This reasoning creates some problems, though. First, the same logic would extent to all of the threats identified in the try-before-you-buy experience, not just the threat designations of direct competitors (though non-competitors may not have Lanham Act standing). That putatively means that the court would characterize all threat identifications as “advertising.” Second, the classifications work in both the try-before-you-buy and the purchased software, so the classifications either are false advertising after the sale has been made (which makes no sense–the deal is done) or the exact same classifications have different legal statuses pre- and post-purchase. If it’s the latter, then treating editorial content offered on a try-before-you-buy basis as advertising seemingly allows false advertising plaintiffs to sue over what is clearly editorial content (which is what I think happens in this case).

Having been reversed twice by the Ninth Circuit in this case, the judge cautiously makes all of the inferences in favor of Enigma this time. Thus, we get statements like “there is no categorical rule that in-product statements are immune from Lanham Act claims.” That’s true, because common sense usually forecloses that question.

The court says Enigma’s allegations that “the challenged designations were made in a marketing context for a potential transaction” make this a “close question,” so the court uses the Bolger test for determining commercial speech.

Bolger Factor 1: Advertising

the first Bolger factor—whether the statements are an advertisement—to fall slightly in favor of the conclusion that the challenged designations are commercial speech. Although the words at issue—“malicious” and “threat”—are not themselves advertisements, Enigma has alleged facts permitting an inference in its favor that Malwarebytes makes the speech in an advertising context. For example, Enigma alleges that the designations appear during a free trial period designed to showcase Malwarebytes’s product capabilities, so that the users experience “a marketing mechanism for Malwarebytes to entice users to ultimately purchase the Malwarebytes products.” Enigma also alleges that Malwarebytes displays the challenged speech directly alongside buttons with phrases such as “Upgrade Now.” Given these allegations, the Court finds that Malwarebytes’s labeling of Enigma’s competing anti-malware software as a “threat” or “malicious,” especially when combined with the button linking the user to a payment space, is an advertisement for purportedly superior MBAM products

In support of the last sentence, the court cites Enigma v. Bleeping Computer, where the court found that self-laudatory blog posts were ads. But this case involves the actual product itself, not promotional blog posts published independently of the product.

More generally: most commercially vended editorial items uses teasers/tasters as part of its marketing/advertising. Does this ruling indicate that doing so converts all of the editorial content into an ad for…the content itself? Consider an analogy: book publishers routinely give away free promotional copies of books to reviewers and others. If a book trashes a rival publisher and that part is included in a book excerpt used as marketing for the book, what result?

Bolger Factors 2 and 3: Reference to Specific Product and Economic Motivation.

Enigma alleges that Malwarebytes applied the challenged designations to Enigma’s SpyHunter 4 and RegHunter products within Malwarebytes’s own MBAM products, including AdwCleaner. Enigma also alleges that Malwarebytes has an economic motive to designate Enigma’s competing anti-malware products as “threats” and “malicious,” namely, to persuade users to buy MBAM products rather than Enigma’s competing anti-malware products, and thereby increase Malwarebytes’s sales, profits, and market position.

These allegations are good enough to reach the counterintuitive conclusion that an anti-threat software vendor’s threat classification is a “commercial advertisement or promotion.” Mind-blowing.

Disseminated to the Public.

the SAC’s allegations permit an inference that Malwarebytes disseminated the challenged designations to the relevant purchasing public. First, Enigma alleges that Malwarebytes’s free version includes features such as protection from malicious websites for 14 days—after which the only function of the free version is to clean up an already-infected computer—and that Malwarebytes uses its free trial directly as a marketing mechanism for its paid MBAM products. Second, Enigma alleges that users who had already downloaded and installed its products and subsequently ran an MBAM scan would find Enigma’s products quarantined and labeled a “threat,” and that Malwarebytes users who sought to download and install Enigma products would also see the “threat” label and quarantine action.

Falsity

[Enigma] has sufficiently alleged that the designations of “threat” and “malicious” were materially deceptive to a substantial segment of the relevant purchasing population. Enigma alleges that it received hundreds of complaints from users of its products who had viewed Malwarebytes’s designations, and that the complaints included statements indicating that the users understood the designations to identify Enigma’s products as malware.

The New York false advertising and tortious interference claims also survive the motion to dismiss.

Implications

Kudos, I guess, to Enigma’s lawyers. Having lost twice in the district court, they turned it around on the third try. In particular, they more compellingly won the battle over the narratives. Storytelling FTW.

I assume this case is headed back to the Ninth Circuit for the third time. How much money do these litigants have to fight a court battle over nearly a decade?

However much money they had, this case is a cautionary tale about the legal risks of anti-threat classifications. I imagine that most anti-threat software vendor will never again classify another anti-threat software vendor as malicious, a threat, or a PUP, even if those classifications are entirely appropriate and in consumers’ best interests. This is how the courts–especially the Ninth Circuit–have been indirectly undermining cybersecurity.

Case Citation: Enigma Software Group USA, LLC v. Malwarebytes, Inc., 2024 WL 2883671 (N.D. Cal. June 6, 2024). Prof. Tushnet’s coverage.

Enigma v. Malwarebytes Case Library

• District court opinion on the second Ninth Circuit remand. Blog post.
• Ninth Circuit reversal. Blog post.
• District Court dismissal on remand. Blog post.
• Denial of certiorari, including Justice Thomas’ statement. Blog post.
• Malwarebytes’ petition for certiorari. Amicus briefs from Cybersecurity Experts, EFF, ESET, Internet Association, and TechFreedom. Blog post on amicus briefs.
• The SCOTUS page for Malwarebytes v. Enigma.
• Blog post on Asurvio v. Malwarebytes, an application of the Ninth Circuit’s ruling.
• Ninth Circuit’s amended ruling. Blog post on that ruling.
• Malwarebytes’ petition for rehearing. Supporting amicus briefs from cybersecurity law professors, EFF/CAUCE, ESET, and Internet Association. Blog post on the filings.
• Ninth Circuit ruling. Blog post on that ruling.
• District court opinion. Blog post on that ruling.
• Related decision in Enigma Software v. Bleeping Computer. Blog post on that ruling.

The post This Case Keeps Wrecking Internet Law–Enigma v. Malwarebytes appeared first on Technology & Marketing Law Blog.

If this issue sounds familiar, it’s because framing generated huge discussion in Internet Law circles….20+ years ago. The plaintiffs lost all of the framing cases then, but here we are in 2024, still litigating framing cases. #YOLO.

Why are we revisiting this crusty old topic? The plaintiffs in this case apparently thought they were more clever than everyone else who looked at this issue over the past quarter-century. Instead of asserting copyright and trademark claims, they tried trespass to chattels. Voila! It was an audaciously mockable pivot…and yet, the district court judge shockingly bought the argument. My angst-filled blog post on that ruling.

Fortunately, the status quo has been restored. The Ninth Circuit concludes, as everyone knew, that framing isn’t trespass to chattels.  Unfortunately, the court expresses this intuitively obvious result in a baroque, technical, and inaccessible opinion.

Trespass to Chattels

I teach my Internet Law students that the first step in the prima facie trespass to chattels analysis is to identify the chattel at issue. In a framing case, the plaintiffs’ web servers aren’t the affected chattel because the plaintiffs’ web servers delivered the web pages directly to users’ devices, after which the framer (Google) superimposed its frame on the web pages once the copies were in users’ RAM. Thus, the framer never interferes with the web servers.

The district court said the “website” was the chattel. This is the kind of ambiguous generalization I see on Internet Law final exams that get a C. By using an overly general descriptor, the analysis can sidestep key (and legally significant) technical distinctions. In this situation, the generic noun “website” collapses several different elements: the website hardware (the servers), the domain name, the web pages as electronic files, the web pages’ HTML code, the web pages’ substantive content, and more. In other words, the district court judge was imprecise about exactly what chattel was being trespassed.

The Ninth Circuit fixes that obvious error, saying the chattel in question “are the copies of Plaintiffs’ websites.” Even this correction is suboptimal. The “copies” in question are not copies in the abstract sense. They are the electronic copies of requested web pages that reside in the web user’s device RAM.

Once we qualify the copies as “electronic,” it becomes unmistakable that this case deals with intangible items, not traditional “chattel” that are, by definition, tangible items. For that reason, the Ninth Circuit could have easily said that electronic files categorically aren’t chattel and the trespass to chattels doctrine *never* applies to any manipulation of or interference with electronic files.

Instead of taking such a clean and intuitive approach, the court says that the plaintiffs don’t have any possessory interests in the electronic copies of their web pages once delivered to users’ devices:

Under Plaintiffs’ theory, they maintain a possessory interest in an intangible copy that (1) is created when a user visits a website via the Search App, (2) exists on the user’s device, and (3) is deleted by the user when they leave the page. Plaintiffs’ possessory interest is thus entirely dependent on actions taken by an individual user unassociated with Plaintiffs or their websites. A possessory interest does not lie under these circumstances.

I guess? This is a bass-ackward way of discussing the issue. We’re talking about electronic bits zinging around the network, and it’s mostly nonsensical to talk about who “possesses” those electronic bits. Worse, it’s not clear the users have a “possessory interest” in those bits due to the possibility that copyright and contract law that may limit what users can do with those bits. What if no one has a “possessory interest” in those bits? What are we even talking about?

The Ninth Circuit takes this baffling approach in part due to the 20-year-old Sex.com case (Kremen v. Cohen), which held that a domain name could be “converted.” Domain names are also intangible, as are the records documenting domain name ownership, yet the court held they were capable of being converted. Accordingly, the Kremen case has long vexed the trespass to chattels jurisprudence by collapsing the distinction between intangibles and tangibles for property law purposes. However, I think there are numerous ways a court could distinguish between an electronic record that determines purported ownership and the many other types of electronic files, ranging from Word documents on my hard drive to web pages floating around the Internet.

Instead, to honor precedent, the Ninth Circuit applies the ill-suited three-element Kremen test to decide when intangibles qualify as chattels:

1) “an interest capable of precise definition.” The court says “there is no single way to display a website copy.” That’s true. In my prior blog post, I said: “Underlying this litigation is an epistemological question: what does a “canonical” version of a web page look like? Every browser software makes its own choices about how to render a page; every browser software “frames” every web page with its software features; and every browser software lets users configure the display in ways that affect website owners’ expectations.” The Ninth Circuit explains:

This translation of website code into a visual appearance necessarily varies across browsers and devices. Plaintiffs respond that the lack of a fixed display does not defeat their property interest. Although in Kremen we held that updating records in a document did not defeat a finding of a property interest, Plaintiffs’ argument elides the core inquiry of the “capable of precise definition” part. California law requires that the property interest be “well-defined” and “like staking a claim to a plot of land at the title office.” A website copy possesses neither of these qualities

2) “it must be capable of exclusive possession or control.” The court says:

once the website copy is generated and sent to the user’s device, users have control over what to do with it—whether to click on a link on Plaintiffs’ sites, resize the page, navigate away from the page themselves, or click on one of the links provided in the results

This is true as a technical matter, but is it true as a legal matter? Copyright and contract law that may restrict legally what the user may do with the “copies” that are now resident in the device RAM.

3) “the putative owner must have established a legitimate claim to exclusivity.” The court says “Plaintiffs themselves recognize that they do not control how their websites are displayed on different devices or web browsers.”

The Kremen test is so obviously ill-fitting to this inquiry, but the court gets to the right place: “there is no cognizable property interest in website copies that may serve as the basis for a trespass to chattels claim under California law.”

Implied-in-Law Contract/Unjust Enrichment

The court says that these state law claims are preempted by copyright law. As I’ve already indicated, copyright law casts a huge shadow over any litigation about the disposition of web pages. To reinforce the point, the court says: “a commercial website, like computer software, may qualify for copyright protection.”

[Notice that, like the district court, the 9th Circuit misuses the generic descriptor “commercial website” in a way that collapses the many disparate component parts. I guarantee that copyright owners will quote this statement to improperly assert ownership over uncopyrightable components of their “commercial websites.” The 9th Circuit just chided the district court for sloppy nomenclature, then it makes the exact same error. Why is this so hard??? SIGH.]

As for the claims’ equivalency to copyright law:

We need not decide whether it is more appropriate to characterize Plaintiffs’ Complaint as implicating rights to (a) display or reproduce copies or (b) prepare derivative works because the Complaint invokes both rights and both rights are recognized under federal copyright law. Plaintiffs alleged that Search App “obtains a copy of the requested website page from the host web server and delivers the copy to the user by translating the website’s codes” and then “recreat[es] the website page on the user’s . . . mobile device screen.” Displaying and reproducing a copy of a copyrighted work (Plaintiffs’ website) falls squarely within the scope of 17 U.S.C. § 106. Plaintiffs further alleged that Search App “superimpose[ed] advertisements on their websites’ homepages and other landing pages” when displayed on screens. Google’s reproductions of Plaintiffs’ websites, which necessarily vary in appearance on users’ screens, can be recognized as an act of “prepar[ing]” “derivative works.” Either way, these allegations implicate the exclusive rights to copyright holders bestowed by federal statute.

The claims didn’t have the requisite “extra element” to overcome preemption because these claims were really just repackaged copyright claims.

Implications

Let’s start with the good news. The Ninth Circuit fixed the misguided district court ruling and reached the common-sense outcome that electronic files can’t be trespassed. This has the salutary effect of reinstating the status quo that web browser framing is legal.

Now, the less-good news.

First, this opinion requires mental gymnastics because sometimes intangible assets are legally treated as chattel (like domain name records). That outcome makes sense, but the collapse of the legal distinctions between intangibles and tangible assets ensures ongoing jurisprudential tensions.

Second, we desperately need more clarity on the Ninth Circuit’s positions regarding trespass to chattels in the wake of the hiQ v. LinkedIn chaos. I tried to teach the topic in my Fall Internet Law course and left the students with so many unanswered questions that they loudly complained that they didn’t understand the state of the law. (In fact, the students’ confusion was confirmation that they actually did understand the situation just fine, but it wasn’t satisfying to them). I’ve declared the trespass to chattels doctrine “unteachable” in its current status. Unfortunately, this opinion doesn’t do anything to clean up that doctrinal mess.

Third, the court’s decision also sidesteps the obvious issues with the jurisprudential line of web-browsing-as-copyright-infringement. If downloading the electronic copy implicates copyright law, could that copyright interest be weaponized to control the user’s use of framing or the framer’s activities? Under prevailing law, that question isn’t as ridiculous as it might sound.

Finally, I’ll note the parallels between this case and the Edible IP case in Georgia state court, where local lawyers claimed that Google’s keyword advertising program “converted” their intangible assets (their trademark/goodwill). That lawsuit also failed. To me, it’s a sign of desperation, not cleverness, when plaintiffs’ lawyers try to extrapolate offline physical-space doctrines to the intangible activities on the Internet.

Case Citation: Best Carpet Values, Inc. v. Google LLC, No. 22-15899 (9th Cir. Jan. 11, 2024)

Selected Related Blog Posts

* If “Trespass to Chattels” Isn’t Limited to “Chattels,” Anarchy Ensues–Best Carpet Values v. Google
* Georgia Supreme Court Blesses Google’s Keyword Ad Sales–Edible IP v. Google
* Creditors Can’t Seize Country Code Top Level Domains
* Ohio Appeals Court: GoDaddy can be Held Liable for Wrongly Transferring Control Over Domain Name and Email Accounts — Eysoldt v. ProScan
* Internet Rewards Program Class Action Survives Initial Motion to Dismiss — In re Easysaver Rewards
* Ninth Circuit Applies California law to Domain Name Ownership Dispute and Remands for Determination of Whether “Innocent Purchaser” Defense Applies — CRS Recovery, Inc. v. Laxton
* Ninth Circuit: Creditor Can Execute Against Domain Name Where Registry is Located — Office Depot v. Zuccarini
* Domain Names as Property Subject to Creditor Claims–Bosh v. Zavala
* Taking Intangible Electronic Files is Criminal Fraud–NM v. Kirby
* Sex.com — An Update

The post Web Page Framing Isn’t Trespass to Chattels–Best Carpet Values v. Google appeared first on Technology & Marketing Law Blog.

Enigma challenged Malwarebytes’ classifications in court. Initially, Malwarebytes defended on Section 230(c)(2)(B). The Ninth Circuit rejected that defense, in the process creating a new and totally unhelpful common law exception to Section 230 for “anti-competitive animus.”

Malwarebytes appealed the 9th Circuit’s ruling, first to the 9th Circuit en banc, and then to the US Supreme Court. (I helped file an amicus brief supporting cert). Along with the cert denial, Justice Thomas issued a statement, “without the benefit of briefing,” explaining his eagerness to eviscerate Section 230. Interestingly, the Gonzalez and Taamneh decisions showed how briefing does actually benefit the justices.

This case already wrecked Section 230 twice, but it seemed ultimately inconsequential when the district court dismissed it on remand. And then…the Ninth Circuit got the case again…

The Majority Opinion

After the Supreme Court cert denial, the district court ruled that Malwarebytes’ “malicious” and “threat” classifications were “non-actionable statements of opinion” and thus could not support a Lanham Act false advertising claim. On appeal, the majority responds:

its products either contain malicious files and threaten the security of users’ computers, or they do not. These statements are not the type of general, subjective claims typically deemed non-actionable opinions

Threats lie on a spectrum. It’s not binary at all.

The majority continues:

Malwarebytes’s anti-malware program specifically labeled Enigma’s software as “malicious” and a “threat,” which a reasonable person would plausibly interpret as the identification of malware.

The majority did not provide any citations for “a reasonable person’s” beliefs. How does the majority know this to be true?

If “malicious” and “threat” are objective statements of fact, what exactly do they mean? The majority makes a slippery and dubious rhetorical move to define “malware” instead, citing the OED:

Malware, in its ordinary meaning, refers to software “written with the intent of being disruptive or damaging to (the user of) a computer or other electronic device; viruses, worms, spyware, etc., collectively.”

OK, but Malwarebytes didn’t classify Enigma’s software as “malware,” so why is this relevant? The majority explains that Malwarebytes’ “threat scan” referred to “malware,” but is Enigma suing over the threat scan, the classifications, or whatever scrap of public disclosures it can find? In other words, the majority didn’t have to make this rhetorical shift to debating “malware,” and it did so only to reach its desired result.

Also, the definition of “malware” itself includes vague terms, like “disruptive” and “damaging”–and an “etc.” Both lay people and cybersecurity experts could fiercely debate when a software program qualifies as “malware,” yet the court treats it as an easy binary yes/no classification.

Digging deeper, the majority says the dictionary definition of “malware” “necessarily implies that someone created software with the intent to gain unauthorized access to a computer for some nefarious purpose.” NOT HELPFUL. What constitutes “unauthorized access” is itself a jurisprudential morass (see, e.g., every CFAA ruling since Van Buren), and it’s not credible to use any definition with the phrase “some nefarious purpose.”

The majority summarizes this discussion: “judges are not experts in the cybersecurity field. We should not presume that we are.” That’s true, yet the majority made confident, decisive, and empirical conclusions about “malicious,” “threats,” and “malware” that the cybersecurity community would vigorously debate.

In another surprise, the majority revives the tortious interference claim because allegedly “Malwarebytes induced Enigma’s customers to choose either not to install, or to delete, Enigma’s programs from their computers without any legitimate justification.”

The Dissent

The dissent says: “this should have been an easy affirm.” The dissent rejects the majority’s characterization that threat determinations are binary:

A software program isn’t verifiably a “threat” or not. And a website isn’t measurably “malicious” or not. In the cybersecurity context, these terms refer to a spectrum of digital features with no verifiable line to cross to determine when they apply…

nowhere does Enigma offer an objective, measurable definition of the warnings…

Enigma’s identification of multiple meanings for “threats” by itself shows that the term represents an opinion rather than a fact.

Implications

This case is approaching its 7 year anniversary, yet it is still only at the motion to dismiss stage. The lawsuit’s lengthy duration and high defense cost has significant substantive implications. In the face of those costs and resources, any profit-maximizing vendor will act conservatively when making classifications that could launch a multi-year litigation war; i.e., if in doubt, approve the software–especially if the software can claim to be a competitor, pretextually or not–even if it’s actually a trojan like scareware. These skewed economic incentives give more room for malicious or threatening software to bypass our anti-threat protections. That undermines cybersecurity for all of us.

The deleterious consequences for cybersecurity highlight the tragedy of the 9th Circuit’s prior error on Section 230(c)(2)(B). Congress statutorily told the courts that anti-threat vendors can make classifications without worrying about lengthy court battles. Everyone benefits from predictable safe harbors and immunities that resolve meritless cases early. The 9th Circuit keeps misunderstanding that basic point:

What’s next for this case? I assume Malwarebytes will request a rehearing en banc. A rehearing would be appropriate because the deciding vote was cast by a visiting judge, not a regular 9th Circuit judge. Also, the dissent made excellent points. Whether the 9th Circuit hears it en banc or not, I assume this case will again head to the Supreme Court. It could be years more until a final resolution.

If the case goes back in the district court for a third time, I expect the district court will dismiss it again. In particular, the court hasn’t ruled on whether a threat classification constitutes the kind of commercial speech that the Lanham Act governs. Based on the fundamental illogic of its litigation position, I see no way for Enigma to win here. At least, for the sake of cybersecurity, I hope not.

Case citation: Enigma Software Group USA, LLC v. Malwarebytes, Inc., 2023 WL 3769331 (9th Cir. June 2, 2023)

Enigma v. Malwarebytes Case Library

• Ninth Circuit reversal. Blog post.
• District Court dismissal on remand. Blog post.
• Denial of certiorari, including Justice Thomas’ statement. Blog post.
• Malwarebytes’ petition for certiorari. Amicus briefs from Cybersecurity Experts, EFF, ESET, Internet Association, and TechFreedom. Blog post on amicus briefs.
• The SCOTUS page for Malwarebytes v. Enigma.
• Blog post on Asurvio v. Malwarebytes, an application of the Ninth Circuit’s ruling.
• Ninth Circuit’s amended ruling. Blog post on that ruling.
• Malwarebytes’ petition for rehearing. Supporting amicus briefs from cybersecurity law professors, EFF/CAUCE, ESET, and Internet Association. Blog post on the filings.
• Ninth Circuit ruling. Blog post on that ruling.
• District court opinion. Blog post on that ruling.
• Related decision in Enigma Software v. Bleeping Computer. Blog post on that ruling.

The post The 9th Circuit Keeps Trying to Ruin Cybersecurity–Enigma v. Malwarebytes appeared first on Technology & Marketing Law Blog.

* * *

This opinion addresses a venerable issue in Internet Law: can a website control how visitors see its web pages? I first remember this issue flaring up in the late 1990s when Third Voice, a browser plug-in, let users write commentary “over” third-party websites. That sparked angst among website operators who couldn’t control what users were saying about them in the Third Voice frame. Third Voice was followed by adware vendors such as AllAdvantage, which framed third-party websites, displayed ads in the frame, and shared some ad revenue with users (its tagline: “Get Paid to Surf the Web”). Gator, WhenU, and other adware vendors followed. By its nature, adware changes the screen display of the sites users are visiting. A series of lawsuits from two decades ago covered some important ground regarding the ability of website owners to block adware. Wells Fargo v. WhenU concluded that copyright was a dead-end. 1-800 Contacts v. WhenU concluded that trademarks was a dead-end. Nevertheless, because adware often provided poor consumer experiences, adware largely fizzled out by 2010. As a result, the legal issues rarely are litigated any more.

* * *

The court approaches this case like it’s an adware case, but the court never once uses the term. The issue is that Google incorporated a new feature into its Android software. You can see how it modified a website’s display in these before/after screenshots (the component at issue is the “view 15 related pages” bar on the bottom right):

As you can see, the new bar covers up the “cove base” line. If a user selects the up arrow, a new screen covers up most of the web page and displays links to rival vendors:

Google has since dropped this feature.

The plaintiffs alleged that the prior screenshot contains ads, which turns this case into an adware case. But the screenshot doesn’t label the listings as “ads,” so either Google uncharacteristically cut that corner or these listings are organic search results, and this isn’t an adware case at all. I’m going to characterize Google’s feature as an “adware bar” because the court accepts the plaintiffs’ allegations as true on a motion to dismiss, but I wonder if that characterization will withstand further scrutiny.

Underlying this litigation is an epistemological question: what does a “canonical” version of a web page look like? Every browser software makes its own choices about how to render a page; every browser software “frames” every web page with its software features; and every browser software lets users configure the display in ways that affect website owners’ expectations. As just one example of the latter point, browser software programs let users magnify or shrink the display size, so what appears above/below the fold critically depends on user configuration, not just the website operator’s choices.

For this reason, if courts want to assess the veracity of the plaintiffs’ claim that the “cove base” link gets covered up, judges must assume how a canonical version of a web page appears. For example, in the “before” image above, the court doesn’t explain the source of the screenshot, what technological conditions it reflects, and how often those conditions will hold in the field. Thus, a court’s hypothesis may have no grounding in reality. It also strips users of their own agency to decide what browsing tools best serve their needs and how best to configure those tools.

* * *

In this lawsuit, the plaintiffs aren’t suing Google for violating their copyrights or trademarks. With respect to copyright, the court says: “Plaintiffs do not rely on copyright protection for their websites in pleading their claim…Plaintiffs are not asserting infringement of any right to the reproduction, performance, distribution, or display of their websites. Plaintiffs want and expect Google to copy and display their websites in Chrome browser and Search App, and acknowledge that Google has license to do so.”

Wait, what? We need to know more about this license. If a website “permits” browser software to display them (assuming such permission is even required in the first place, and assuming that permission isn’t automatically granted by connecting the website to the web), then a website can’t control the browser software configurations. It seems like this license could be dispositive to the case, but the court doesn’t explore it more.

Trespass to Chattels

The plaintiffs instead claim that the adware bar constitutes a trespass to chattels. However, Google’s adware bar never interacts with the plaintiffs’ physical servers at all. As the court says, “None of Plaintiffs’ websites, files, or data were physically altered in any way. Nor were Plaintiffs’ servers disrupted.” Instead, the adware bar’s display customization takes place solely on the user’s device, supplementing how the code renders on the device. So the “chattel” at issue here isn’t the website operator’s servers; it’s the HTML code that the website operators send to each user’s device (and gave Google permission to display).

If the “chattel” at issue is only the intangible HTML code, then no “chattels” are being trespassed. It’s not possible to “trespass” an intangible asset; any legal protection for the asset comes from contract law (but the plaintiffs gave a license) or IP law, such as copyright law, which the plaintiffs aren’t invoking. Thus, given that “intangible chattel” is a legal oxymoron, a lawsuit over “trespassing HTML code” should fail hard. It didn’t.

Citing a 2003 Ninth Circuit case, Kremen v. Cohen, the court says “a website can be the subject of a trespass to chattels claim.” This abstract statement requires more clarification. The Kremen case involved the alleged theft of the sex.com domain name by improperly modifying the electronic records evidencing ownership of the domain name. The Ninth Circuit held that the intangible asset (the domain name) could be “converted,” even though normally conversion only applies to chattel (i.e., physical property), not intangibles. We need legal doctrines to redress the improper hijacking of the monetary value of owning a domain name, just like we would redress the improper acquisition of monetary value stored in an online bank or cryptocurrency account. Thus, other cases have applied conversion law to alleged theft of domain name registrations (e.g., CRS v. Laxton).

But the Kremen case didn’t say that all of a website’s intangible assets are like tangible assets. If it had, it would have eliminated the distinctions between IP law and the law of chattels.

So when this court says “Plaintiffs have property rights to their websites for the same reasons a registrant has property rights to a domain name,” I have no idea what it means. A website can sometimes control access to its servers (see the Van Buren case). A website can own the copyrights to the HTML code and the files that users download. Website owners can prevent the unauthorized reassignment of their ownership interests, such as someone trying to modify their copyright registration records. But the broad statement “property rights to their websites” is mostly wrong.

To find the HTML code’s physicality necessary to treat it like a chattel, the court makes this garbled statement:

like a domain name, a website is a form of intangible property that has a connection to an electronic document. “A website is a digital document built with software and housed on a computer called a ‘web server,’ which is owned or controlled in part by the website’s owner.  website occupies physical space on the web server, which can host many other documents as well.” Compl. ¶ 34. Plaintiffs’ website is also connected to the DNS through its domain name, bestcarpetvalue.com, just as Kremen’s domain name was connected to the DNS.

This is very, very confused. My copyrighted works may be printed on physical pages, but that doesn’t mean a third-party’s encroachment into my intangible copyrights becomes trespass to chattels. That’s the purview of copyright–or not restricted at all. And the linkage to the domain name record is nonsensical because the domain name wasn’t “taken,” and indeed the website operator gave a license to display it. The court even acknowledges that its line of logic has been rejected before:

After Kremen, the California Court of Appeal, Sixth Appellate District, noted that conversion traditionally required a taking of tangible property and that “this restriction has been greatly eroded,” but not “destroyed.” Silvaco Data Sys. v. Intel Corp., 184 Cal. App. 4th 210, 239 n.21 (2010). The Silvaco court also cautioned that “the expansion of conversion law to reach intangible property should not be permitted to ‘displace other, more suitable law.’” As discussed above, however, Plaintiffs’ websites have a connection to a tangible object.

Having accepted the core fallacy of the plaintiffs’ claims, the court makes unhelpful statements like “trespass to chattels ought to apply to a website, and several courts have so found.” The first half of the sentence isn’t in contention; everyone agrees that trespass to chattels can protect a website’s servers (not at issue in this case). Some of the cited precedent do not involve applying trespass to chattels only to intangible code. Some courts have in fact done this (not all of which the court cited), but those cases are overwhelmed by precedent rejecting the point. The court disregards Google’s citations those cases, breezily saying “Other cases cited by Google do not discuss the distinction between tangible and intangible property and offer little guidance.” (That critique might apply to this opinion, too).

Having satisfied itself that “a website is a form of intangible property subject to the tort of trespass to chattels,” the court next turns to harm. The court ignores the plainly stated and impossible-to-miss holding of Intel v. Hamidi, which says that common law trespass to chattels is actionable only when electronic signals cause or threaten to cause measurable loss to computer system resources. The plaintiffs can’t possibly prove any harm to any computer system resources.

Instead, the court cites a different part of the Hamidi opinion saying that Intel didn’t show any “physical or functional harm or disruption” to its computer systems. The court proceeds: “although Plaintiffs are not alleging physical harm to their websites, they do allege functional harm or disruption.” HOLD ON. The plaintiffs may claim “functional harm or disruption,” but the complete test is functional harm or disruption…TO THEIR COMPUTER SYSTEMS. By omitting those words, the court dramatically and improperly expands the test. Seriously, it’s impossible to read the Intel v. Hamidi opinion and miss the majority’s point that not all intangible harms count; only harms to COMPUTER SYSTEM RESOURCES count.

The court says the plaintiffs sufficiently alleged “functional disruption” by claiming that Google’s ads “obscured and blocked their websites, which if true, would interfere with and impair their websites’ published output. Although Google’s ad may not have disabled or deactivated the ‘Cove Base’ product link, it nevertheless allegedly impaired the functionality of the website: an Android phone user cannot engage a link that cannot be seen.” But “published output” isn’t a computer system resource, and an “obscured link” assumes what the hypothetical canonical website looks like.

Implied-in-Law Contract/Unjust Enrichment

Given that the plaintiffs granted a license to Google to display its site, I don’t know what this claim could possibly cover. Google responds that whatever it means, it’s preempted by copyright law. Google’s position seems reasonable given that this claim wades squarely into copyright’s realm. The adware cases from 2 decades ago rejected copyright claims in virtually identical facts; and there are the old copyright cases involving things like adding ads to pre-manufactured videos. Not surprisingly, this judge finds a way around that too.

The court summarizes that “Google allegedly covered up or obscured a portion of Plaintiffs’ websites from Android phone users for financial benefit, which makes their claim ‘qualitatively different’ from a copyright claim.” No, that’s exactly what the derivative work right covers, and it’s the exact issue litigated in the old WhenU cases. To get around this, the plaintiffs argued:

Google could not in the brick-and-mortar marketplace lawfully plant its logo on Plaintiffs’ storefront windows without Plaintiffs’ consent, even if Google owned their buildings. Nor could Google place ads in Plaintiffs’ marketing brochures or superimpose ads on top of Plaintiffs’ print advertisements without Plaintiffs’ permission and without paying Plaintiffs’ price. Likewise, Google cannot in the online marketplace unilaterally superimpose ads on Plaintiffs’ website without Plaintiffs’ consent and without compensation just because Google makes the software through which Android users view that website on their mobile screens…

a storefront business owner is injured when its window is obscured, regardless of whether that window is clear or covered with advertisements. By analogy, a website owner is injured when its website is obscured by unwanted ads, regardless of the content displayed in the website.

Are we really doing this again? I agree Google can’t unilaterally stick its logos onto a physical retailer’s windows…because THAT WOULD BE REAL PROPERTY TRESPASS. I’m not sure what law prevents Google from placing ads over marketing brochures or print ads OTHER THAN COPYRIGHT LAW (or possibly trademark law–but at this point, what does any of this have to do with IMPLIED-IN-LAW CONTRACTS?). And there are many other forms of competitive marketing adjacencies that are fully permissible in the offline/physical space world, as I documented over a decade ago in my Brand Spillovers paper.

Plus, let’s not lose sight of the users’ agency–they are the ones responding to the marketing signals. They aren’t passive automatons in this equation. My Deregulating Relevancy article from 15 years ago explains that principle more.

First Amendment

There is some discussion about the First Amendment, but it’s so terrible that I can’t bring myself to blog it. To summarize: the court seems to be saying that the plaintiffs can suppress truthful non-misleading advertising without relying on any intellectual property rights (and without any countervailing public policy doctrines, like fair use). That can’t possibly be right.

Implications

As you can see, the court creates a distorted pastiche of the precedent to reach an obviously wrong and wholly counterintuitive outcome.

In particular, the court’s mangled summaries, like “Plaintiffs have property rights to their websites” and “a website is a form of intangible property subject to the tort of trespass to chattels,” cannot survive critical scrutiny. What is the point of calling it “trespass to CHATTELS” if no actual chattels are harmed? In that circumstance, the trespass to “chattels” doctrine becomes a boundary-less “commercial trespass to intangibles” concept that both lacks any precedent and conflicts with the entire system of IP.

A boundary-less commercial trespass doctrine creates plenty of problematic edge cases:

• By design, ad blockers block portions of how websites display. (The websites can’t claim copyrights in third-party ads, but this court wasn’t considering copyright anyways). How would the court’s “commercial trespass” doctrine apply to ad blockers? Indeed, unlike Google’s browser software, many websites expressly contractually ban ad blockers.
• What about updates of browser software? By definition, those updates change the previous website renderings to a new website rendering. If any website prefers the old rendering to the new, can it sue the browser software for commercial trespass?
• Browser software programs allow users to resize their windows. Commercial trespass?
• Phone manufacturers create different screen sizes. If this cuts off “cove base” from being above the fold, liability?

This case brought to mind the Edible Arrangements v. Google lawsuit in Georgia (also not cited by the court). In that case, the trademark owner claimed that Google committed theft/conversion by selling its trademark for keyword advertising purposes. Unlike this court, the Georgia appellate court rejected the theft/conversion analysis. Weirdly, though, the Georgia Supreme Court granted a petition to hear the case, so who knows anything any more?

Case citation: Best Carpet Values Inc. v. Google LLC, 5:20-cv-04700 (N.D. Cal. Sept. 24, 2021)

The post If “Trespass to Chattels” Isn’t Limited to “Chattels,” Anarchy Ensues–Best Carpet Values v. Google appeared first on Technology & Marketing Law Blog.

photo by Anik Shrestha, https://www.flickr.com/photos/anikshrestha/

Malwarebytes and Enigma offer competitive anti-threat software. Malwarebytes classified Enigma’s software as a “potentially unwanted program,” or PUP, and quarantined the programs. Enigma sued Malwarebytes for that classification/quarantine.

Initially, the district court dismissed the case on Section 230(c)(2)(B) grounds. In a terrible ruling, the Ninth Circuit reversed on the misguided theory that Malwarebytes and Enigma are competitors and thus Malwarebytes may have made its classification decisions based on “anticompetitive animus.” On remand, after 2 more years of litigation, the district court has again dismissed the lawsuit, this time on its lack of merits.

Lanham Act False Advertising. Enigma claimed it was false for Malwarebytes to call its programs “malicious,” “threats,” and PUPs. In Asurvio v. Malwarebytes, the court held that such labels were subjective opinions, not verifiably false. The court says this case is “indistinguishable” from Asurvio. The court says “users of Malwarebytes are aware of why it opines that a given software program may be a PUP based on Malwarebytes’ disclosed criteria and can choose to quarantine or un-quarantine the detected program….Enigma’s allegations that Malwarebytes knew the labels used to describe Enigma’s programs were false are conclusory and need not be accepted as true.”

Tortious Interference. Malwarebytes gives users instructions on how to keep using PUPs, so no tortious interference.

Implications

On the surface, this looks like a decent outcome. The district court granted Malwarebytes’ motion to dismiss on the grounds that Malwarebytes’ classifications are its opinions, not falsifiable statements of fact. On that basis, it seems like Malwarebytes should be equally positioned to win all future disputes on the same basis. Further, the Asurvio case also relied on Section 230(c)(2)(B) despite the plaintiff’s allegation of anticompetitive animus. So long as Malwarebytes can win these kinds of classification challenges on motions to dismiss, it may not really matter how we get here.

(Of course, with a trip to the 9th Circuit and Supreme Court, this particular case has taken four years and many hundreds of thousands of extra dollars due to the Ninth Circuit craziness).

Despite this good outcome, this case has left two lingering scars on Internet law.

First, the Ninth Circuit created a new workaround to Section 230 based on anticompetitive animus. This workaround is completely undefined–is it coextensive with antitrust law, or does apply when competitors have anticompetitive “intent” even if their actions don’t constitute an antitrust violation? The Ninth Circuit dodged this critical issue. As a result, plaintiffs can freely invoke the anticompetitive animus workaround and impose greater defense costs to resolve this issue. This doctrinal ambiguity is particularly pernicious in the cybersecurity context, where the court created incentives for anti-threat vendors to reduce their vigilance against cybersecurity threats that can claim (legitimately or not) competitive status.

Worse, this appears to be at least the fifth time that the Ninth Circuit has created doctrinal workarounds to Section 230 that appear to benefit no one. Other cases that fit this pattern:

• Fair Housing Councils v. Roommates.com. Section 230 didn’t apply to housing discrimination claims, but the Ninth Circuit ruled four years later that the housing discrimination claims never applied at all.
• Barnes v. Yahoo. Promissory estoppel is a pleadaround to Section 230, but plaintiffs can’t win promissory estoppel cases.
• Doe v. Internet Brands. Failure-to-warn claims are a pleadaround to Section 230, but plaintiffs can’t win failure-to-warn claims.
• Lemmon v. Snap. The story is still being written about this ruling, but it seems like it will fit the pattern. The Ninth Circuit said that Section 230 doesn’t apply to design defect claims that aren’t based on third-party content, but we know that the plaintiff is likely to lose the case on its merits based on a nearly identical case that failed in Georgia courts.

Now, add Enigma v. Malwarebytes and its anticompetitive animus exception to this list. If threat classifications are opinions, then plaintiffs will always lose and the Ninth Circuit’s Section 230(c)(2)(B) workaround does nothing but mess up Section 230. Should we applaud the Ninth Circuit for so carefully policing the boundaries of Section 230’s immunities, or should we criticize them for unnecessarily swiss-cheesing Section 230?

Second, on appeal to the Supreme Court, Justice Thomas used the cert denial as an excuse to blog his misguided free-association thoughts about why he hates Section 230. This screed has perniciously inspired plaintiffs to position their Section 230 case for Supreme Court review and motivated #MAGA politicians to pursue ever-worse censorial regulatory ideas. The legacy of Justice Thomas’ blogging will live on long after the Enigma case is over.

Enigma hasn’t yet appealed the latest ruling, but I assume this case will take another trip to the Ninth Circuit.

Case Citation: Enigma Software Group USA, LLC v. Malwarebytes Inc,, 2021 WL 3493764 (N.D. Cal. Aug. 9, 2021)

Enigma v. Malwarebytes Case Library

• District Court dismissal on the merits. Blog post.
• Denial of certiorari, including Justice Thomas’ statement. Blog post.
• Malwarebytes’ petition for certiorari. Amicus briefs from Cybersecurity Experts, EFF, ESET, Internet Association, and TechFreedom. Blog post on amicus briefs.
• The SCOTUS page for Malwarebytes v. Enigma.
• Blog post on Asurvio v. Malwarebytes, an application of the Ninth Circuit’s ruling.
• Ninth Circuit’s amended ruling. Blog post on that ruling.
• Malwarebytes’ petition for rehearing. Supporting amicus briefs from cybersecurity law professors, EFF/CAUCE, ESET, and Internet Association. Blog post on the filings.
• Ninth Circuit ruling. Blog post on that ruling.
• District court opinion. Blog post on that ruling.
• Related decision in Enigma Software v. Bleeping Computer. Blog post on that ruling.

The post As Expected, Malwarebytes Defeats Enigma’s Lawsuit Without Section 230’s Help appeared first on Technology & Marketing Law Blog.

Last year, the Ninth Circuit ruled that a plaintiff could plead around Section 230(c)(2)(B), the safe harbor for providing filtering instructions, by claiming that the filtering was motivated by anticompetitive animus. Last week, the Supreme Court denied certiorari. This isn’t surprising–the Supreme Court takes a low percentage of cases–but it’s too bad the Ninth Circuit ruling won’t be corrected.

Alongside the cert denial, Justice Thomas added a statement railing against Section 230 (starting on page 12). The statement is procedurally troubling and substantively wrong. Some lowlights in the statement:

• The statement repeatedly and casually flips between Section 230(c)(1) and Section 230(c)(2).
• The statement focuses on Section 230(c)(1), even though the question presented to the court solely addressed Section 230(c)(2)(B). Because the court wasn’t briefed on most of the issues Justice Thomas nevertheless discusses, it makes me wonder where Justice Thomas got his information. What news sources is he reading?
• Because the court wasn’t briefed on Section 230(c)(1), he does not acknowledge the many legal, factual, and policy counterarguments to his positions that surely would have been addressed by proper briefing. In other words, without hearing contrary perspectives, his statement is one-sided and under-informed (more on this later).
•  The statement says: “many courts have construed the law broadly to confer sweeping immunity on some of the largest companies in the world.” The Internet giants benefit from Section 230, but so do thousands of less-well-known companies–including the defendant in this case.
• The statement says the Ninth Circuit decision “is one of the few where courts have relied on purpose and policy to deny immunity under §230.” Note the tension in this statement. Hundreds of decisions have denied Section 230 immunity because they relied on the statutory text. Is Justice Thomas saying they should have relied instead on the statute’s “policy and purpose”?
• The statement calls Section 230(c)(1) “definitional.” This is an atextual and highly idiosyncratic way of characterizing the statute. Nearly two decades ago, Easterbrook took a similar position in Doe v. GTE. Virtually every other judge since has not agreed.
• The statement says Section 230(c)(1) “ensures that a company (like an e-mail provider) can host and transmit third-party content without subjecting itself to the liability that sometimes attaches to the publisher or speaker of unlawful content.” It’s a strange move to use email service providers as the Section 230(c)(1) archetype. Email providers rely on Section 230(c)(2)(A) for their spam filters, but it’s rare to see email providers invoke Section 230(c)(1) because they don’t “host” content.
• The statement says Section 230(c)(2) “provides direct immunity from some civil liability.” This is backwards. Section 230(c)(1) provides an immunity from suit; Section 230(c)(2) provides a safe harbor.
• The statement says Section 230(c)(2)’s “limited protection enables companies to create community guidelines and remove harmful content without worrying about legal reprisal.” A few problems here. First, Section 230(c)(1) also necessarily permits “community guidelines” in the form of leave-up policies. Second, Section 230(c)(2)(A) does not let companies stop “worrying about legal reprisal.” They worry about the costs of defense due to the “good faith” prerequisite, which is why so few companies rely on it. Third, this case was about Section 230(c)(2)(B), which relates to the provision of filtering instructions to third parties.
• The statement says historically “Publishers or speakers….could be strictly liable for transmitting illegal content.” This is garbled because “publishers” don’t “transmit” (they, uh, “publish”). Publishers can be strictly liable for publishing content, and “transmitting” content is governed by different legal rules that typically negate strict liability.
• The statement says that historically distributors “acted as a mere conduit without exercising editorial control, and they often transmitted far more content than they could be expected to review.” Once again the statement conflates different functions–this time falsely equating distributors with “conduits” and “transmitters.” To get an example of how this is wrong, consider the bookstore as a distributor. It unavoidably exercises editorial discretion about which books to stock and how to display them, but that doesn’t mean bookstores stand behind every word in every book they carry. But no one would properly call a bookstore a “conduit” or say that it “transmits” content.
• The statement says “§230(c)(1) indicates that an Internet provider does not become the publisher of a piece of third-party content—and thus subjected to strict liability—simply by hosting or distributing that content.” Section 230(c)(1) says plainly that services won’t be treated as publishers of third-party content. On its face, the provision negates all forms of publisher liability. I don’t see how to read the language as saying or implying that it negates only the category of liability uniquely imposed on publishers. Furthermore, publisher/speaker functions should include hosting and distributing, but the statutory text doesn’t imply that it’s limited to those functions. The language covers any function where a defendant is alleged to act as a publisher or speaker.
• The statement says “the statute suggests that if a company unknowingly leaves up illegal third-party content, it is protected from publisher liability by §230(c)(1); and if it takes down certain third-party content in good faith, it is protected by §230(c)(2)(A).” This misapprehends the nature of “publisher liability.” It is impossible to distinguish between the “leave up” and “removal” decisions because they are the result of the exact same editorial decision-making process of publishing.
• The statement says: “Sources sometimes use language that arguably blurs the distinction between publishers and distributors.” I think the statement contains some distinction-blurring language of its own.
• The statement notes inconsistent language between the CDA’s criminal provisions and Section 230, even though it has been repeatedly explained by many experts why the CDA criminal provisions and Section 230 had nothing to do with each other (they were alternative policy proposals smushed together in conference).
• The statement apparently questions if Congress’ goal was to overturn Stratton Oakmont because it didn’t mirror the language in the opinion. The legislative history clearly says “One of the specific purposes of this section is to overrule Stratton-Oakmont v. Prodigy and any other similar decisions which have treated such providers and users as publishers or speakers of content that is not their own because they have restricted access to objectionable material.”
• The statement says “Courts have also departed from the most natural reading of the text by giving Internet companies immunity for their own content” (emphasis added). This is literally false. No court has ever done this.
• The statement says “To say that editing a statement and adding commentary in this context does not ‘creat[e] or develo[p]’ the final product, even in part, is dubious.” It’s a crafty rhetorical move to refer to the “final product” instead of the actual statutory referent “information.” Doing this invites the conclusion that every UGC service loses Section 230 because they package third-party content into a “final product.”
• The statement argues that a broad reading of Section 230(c)(1) renders Section 230(c)(2) superfluous. Barnes v. Yahoo explained how Section 230(c)(2)(A) applies in circumstances where the defendant partially or wholly created or developed the content. The statement instead cites language from e-ventures v. Google. But (1) Google still won the e-ventures case, so its denigration of Section 230(c)(2)(A) became inconsequential, and (2) other courts have since criticized the e-ventures language, including Domen v. Vimeo and Prager University v. Google.
• The statement says “With no limits on an Internet company’s discretion to take down material, §230 now apparently protects companies who racially discriminate in removing content.” Characterizing the cited Sikhs for Justice ruling case as a racial discrimination case is simplistic at best. The case involved advocacy content that the Indian government required to be blocked. Still, it’s true Section 230(c)(1) can protect removals even when the plaintiff claims discrimination. You might even be OK with the application of Section 230(c)(1) in the cases I’m seeing, including Lewis v. Google, where the plaintiff claimed that YouTube discriminated against him for being an American; and the Wilson v Twitter cases, where the plaintiff claimed Twitter discriminated against him because he’s a Christian heterosexual.
• The statement criticizes Section 230’s application to claims involving “alleged product design flaws—that is, the defendant’s own misconduct.” But what are “product design” flaws in this context? That’s just a fancy euphemism for the editorial decisions about how to gather, organize, and publish third-party content.
• The statement says “Paring back the sweeping immunity courts have read into §230 would not necessarily render defendants liable for online misconduct. It simply would give plaintiffs a chance to raise their claims in the first place. Plaintiffs still must prove the merits of their cases, and some claims will undoubtedly fail.” This deeply misunderstands the issues in the Malwarebytes case. By “paring back” the Section 230(c)(2)(B) safe harbor, the new liability exposure distorts the filtering services’ substantive decisions by making them gun-shy; it gives plaintiffs ways to play holdup games and extract settlements for less than the defense costs; it ignores how defense costs can doom services (the death by ten thousand duckbites that Judge Kozinski addressed in the Roommates.com case); and it ignores the other critical procedural benefits provided by Section 230 that enable third-party online speech where other liability schemes would not. As I keep saying, everyone benefits when unmeritorious cases lose fast and early. Giving plaintiffs more time in court doesn’t come for free, and it might be a very bad deal for all of us.

The statement concludes: “Without the benefit of briefing on the merits, we need not decide today the correct interpretation of §230. But in an appropriate case, it behooves us to do so.” Just to be clear, Justice Thomas admits that he wrote the prior ten pages of criticism “without the benefit of briefing.” That undermines the credibility of the entire statement. Nevertheless, the statement tells all plaintiffs that if they appeal their Section 230 cases to the Supreme Court, they have at least one vote ready to go.

When we filed an amicus brief in support of Malwarebytes, one of our fears was that the Supreme Court would ignore the question presented (tightly restricted to Section 230(c)(2)(B)) and do damage to Section 230(c)(1) despite it being outside the scope of the question presented. Justice Thomas’ critical remarks about Section 230(c)(1) show that these fears were well-founded, and I’m a little relieved that the court didn’t take the case. That means Malwarebytes can still win this case on remand (a likely outcome; see the Asurvio ruling), albeit at the cost of unnecessary time and money, and Section 230 lives for another day.

This statement bears some resemblance to Justice Thomas’ statement in early 2019 that the Supreme Court should reconsider the actual malice standard from New York Times v. Sullivan. Like this statement, that statement was anti-media, pro-censorship, and quite unpersuasive. So far, the Supreme Court hasn’t taken up Justice Thomas’ initiative against the actual malice standard. I hope this statement suffers the same fate.

Even if the Supreme Court never takes up Justice Thomas’ arguments, this statement hurts the discourse. It represents yet another inaccurate federal government statement about Section 230 (others include the Trump EO from May and the NTIA petition to the FCC). Collectively, these taxpayer-funded misstatements pollute the discourse and create FUD about Section 230. We have to spend time debating what Section 230 even says, and Section 230 critics can misportray Section 230 to spur mistargeted responses. This makes it impossible to have well-informed “debates” about Section 230 or what, if any, reforms would fix any perceived policy deficiencies.

Case Citation: Malwarebytes, Inc. v. Enigma Software Group USA, LLC,  2020 WL 6037214 (Oct. 13, 2020)

Enigma v. Malwarebytes Case Library

• Denial of certiorari, including Justice Thomas’ statement.
• Malwarebytes’ petition for certiorari. Amicus briefs from Cybersecurity Experts, EFF, ESET, Internet Association, and TechFreedom. Blog post on amicus briefs.
• The SCOTUS page for Malwarebytes v. Enigma.
• Blog post on Asurvio v. Malwarebytes, an application of the Ninth Circuit’s ruling.
• Ninth Circuit’s amended ruling. Blog post on that ruling.
• Malwarebytes’ petition for rehearing. Supporting amicus briefs from cybersecurity law professors, EFF/CAUCE, ESET, and Internet Association. Blog post on the filings.
• Ninth Circuit ruling. Blog post on that ruling.
• District court opinion. Blog post on that ruling.
• Related decision in Enigma Software v. Bleeping Computer. Blog post on that ruling.

The post Justice Thomas Writes a Misguided Anti-Section 230 Statement “Without the Benefit of Briefing”–Enigma v. Malwarebytes appeared first on Technology & Marketing Law Blog.

photo by Anik Shrestha, https://www.flickr.com/photos/anikshrestha/

On Friday, 14 cybersecurity experts filed an amicus brief with the U.S. Supreme Court, supporting Malwarebytes’ certiorari petition to review the Ninth Circuit’s 2019 Enigma v. Malwarebytes ruling regarding 47 U.S.C. 230(c)(2)(B)’s application to spyware classification decisions. The Juelsgaard Intellectual Property and Innovation Clinic prepared the brief; the work was done by two Stanford Law students supervised by Phil Malone, and I supported each draft iteration of the brief.

The SCOTUS cybersecurity experts’ brief built on the amicus brief that Venkat and I prepared to support Malwarebytes’ unsuccessful en banc petition to the Ninth Circuit. The new brief expands the prior arguments and has more signatories.

From the brief’s argument summary:

This case involves a narrow legal issue with broad and exceptionally important implications for cybersecurity. The Ninth Circuit’s ruling will expose Internet users to an array of threats that can compromise their systems and data, corrupt or extract their files, bog down their computers or smartphones, and weaponize their devices against other Internet users.

The decision below erodes the legal immunity provided by Section 230(c)(2)(B), which allows companies to develop robust anti-threat software to protect Internet users. In place of that immunity, the decision creates an opening for expensive and prolonged litigation. To avoid costly litigation and reduce business risk, anti-threat software vendors will opt to become overly conservative in identifying and blocking potential threats. This will leave tens of thousands of government entities, tens of millions of businesses, and hundreds of millions of Internet users more vulnerable to hazardous software.

Malwarebytes’ Petition. Malwarebytes described the question presented (emphasis added):

Section 230(c)(2)(B) of the Communications Decency Act provides immunity from most civil liability to computer-service providers for “any action taken to enable or make available to * * * others the technical means to restrict access to material” that “the provider or user considers to be * * * objectionable.” 47 U.S.C. § 230(c)(2). The court below agreed that none of the narrow, express exceptions to that immunity in Section 230(e) apply here. The question presented is:

Whether federal courts can derive an implied exception to Section 230(c)(2)(B) immunity for blocking or filtering decisions when they are alleged to be “driven by anticompetitive animus.”

This is an appropriately narrow question presented, and it does not implicate other parts of Section 230. If the Supreme Court takes the case, let’s hope it stays that way.

Other Filings. A total of five amicus briefs, including the cybersecurity experts’ brief, supported the certiorari petition. The same players had supported Malwarebytes’ Ninth Circuit en banc petition, except for a new entry from TechFreedom.

EFF Amicus Brief. The brief discusses how the Ninth Circuit’s ruling threatens the EFF’s Privacy Badger tool and undermines the fight against stalkerware.

ESET Amicus Brief. From the argument summary:

ESET takes the unusual step of submitting an amicus brief in support of one of its direct competitors to stress the importance of this issue. Americans are becoming increasingly reliant on the internet and interactive media for political, educational, cultural, and entertainment services. 47 U.S.C. § 230(a)(5). Yet security threats are flourishing, with hundreds of thousands of new forms of objectionable content every day. Congress determined that consumer choice and robust competition are the best way to safeguard consumers, but the Ninth Circuit’s decision frustrates both choice and competition.

Internet Association Amicus Brief.

Congress had good reason to omit a good faith requirement from subsection (c)(2)(B). As discussed above, subsection (A) protects direct blocking or filtering by online service providers—situations where providers act unilaterally to protect themselves or their users from objectionable material. In contrast, subsection (B) only applies where service providers put blocking tools in the hands of users, who must independently and affirmatively decide to use those tools. Here, blocking does not occur unilaterally; it instead requires cooperation between a service provider and a third party….

Congress logically concluded it was unnecessary to include a good faith requirement or to allow Section 230’s protection to turn on disputes about a service provider’s motives. Here, the user’s independent choice operates as a check on the provider’s decisions about what material should be filtered or blocked.

TechFreedom Amicus Brief. From the argument summary:

Subsection 230(c)(2)(B) contains a simple command: “No provider or user of an interactive computer service shall be held liable [for] any action taken to enable or make available . . . the technical means to restrict access to [objectionable] material.” That’s it. But when the Ninth Circuit interpreted this statute, it saw something different. Speculating that a strict textual interpretation would lead to a result that “appear[ed] contrary to [the statute’s] history and purpose,” the court divined words invisible to the human eye: an exception for conduct allegedly motivated by “anticompetitive animus.” That exception is nowhere to be found in the statute that Congress enacted.

Case library

• Malwarebytes’ petition for certiorari. Amicus briefs from Cybersecurity Experts, EFF, ESET, Internet Association, and TechFreedom.
• The SCOTUS page for Malwarebytes v. Enigma.
• Blog post on Asurvio v. Malwarebytes, an application of the Ninth Circuit’s ruling.
• Ninth Circuit’s amended ruling. Blog post on that ruling.
• Malwarebytes’ petition for rehearing. Supporting amicus briefs from cybersecurity law professors, EFF/CAUCE, ESET, and Internet Association. Blog post on the filings.
• Ninth Circuit ruling. Blog post on that ruling.
• District court opinion. Blog post on that ruling.
• Related decision in Enigma Software v. Bleeping Computer. Blog post on that ruling.

The post Cybersecurity Experts Support Supreme Court Review of Enigma v. Malwarebytes Ruling on Section 230(c)(2)(B) appeared first on Technology & Marketing Law Blog.

photo by Anik Shrestha, https://www.flickr.com/photos/anikshrestha/

Section 230(c)(2)(B) says that filtering software makers aren’t liable for their classification decisions. This proposition provides the legal foundation for the anti-threat software industry. However, those expectations were disrupted by the Ninth Circuit’s 2019 in Enigma v. Malwarebytes, which held that Section 230(c)(2)(B) didn’t apply when a plaintiff alleges that the filtering decision was motivated by anticompetitive animus. This amicus brief explains why the 9th Circuit’s ruling is bad for cybersecurity.

Today I’m blogging about what I believe is the first ruling applying Enigma to anti-threat software since the Ninth Circuit ruling. The defendant is the same (Malwarebytes); but this time the plaintiff is Asurvio, which used to be “PC Driver.” I blogged a prior ruling in this case last year. The district court judge shuts down the Section 230(c)(2)(B) workaround.

Section 230(c)(2)(B). In response to Malwarebytes’ motion to dismiss, the court says Asurvio doesn’t compete with Malwarebytes:

[Asurvio] is not a computer security software provider; it does not sell malware detection software designed to scan a computer and report PUPs. Rather, Asurvio sells driver update software. Asurvio’s software programs “work in real time in the background of the operating system to optimize processing and locate and install all missing and outdated software drivers.” Asurvio does not allege that its DRIVER SUPPORT or ACTIVE OPTIMIZATION programs provide any anti-spyware or anti-malware functionality as Malwarebytes does

Asurvio claimed it also provided anti-malware services. The court discounts these services because they are provided only via live technical support, not as a primary service. Asurvio also argued that both parties competed to help users improve their computers’ performance. The court rejects this too: “If the Court were to accept Asurvio’s argument, then any developer of performance optimizing software designed for “self-help” computer users could potentially plead around the broad immunity granted by section 230(c)(2)(B) and render the statutory immunity meaningless.”

Section 230(c)(1). Asurvio complained about critical third-party messages in Malwarebytes’ message boards. The court says that the complaint doesn’t connect the third parties to Malwarebytes, despite the users’ titles as “trusted advisor” and “expert.” Compare the Enigma v. Bleeping Computer opinion from 2016.

Others. The disparagement/Lanham Act claims fail because Malwarebytes’ classifications are not capable of being proven false. The tortious interference claim fails because Asurvio didn’t specify which contract was being interfered with.

Implications

The Enigma ruling sent shockwaves through the anti-threat vendor community because it disrupted a decade of settled legal doctrine. Though it’s logical to fear “anticompetitive” blocking, in reality we know it’s easy to allege anticompetitive blocking and quite hard to prove. So the Enigma ruling created the risk that many previously easy cases would become expensive and time-consuming, even if they were eventually unmeritorious.

This ruling partially assuages those fears. On a motion to dismiss, the court circumscribed the universe of competitors and rejected tendentious attempts to portray non-competitors as competitors. Both of these conclusions bode well for future Section 230(c)(2)(B). Still, this ruling doesn’t change the fact that many existing anti-threat software vendors are in fact sketchy and deserve to be filtered; yet anti-threat vendors will be skittish about calling out their sketchy competitors. This case also contributes towards building a new jurisprudence of competition internal to Section 230(c)(2)(B), an unwanted development given that we have an entire body of law (antitrust law) dedicated to that purpose.

Case citation: Asurvio LP v. Malwarebytes Inc., 2020 WL 1478345 (N.D. Cal. March 26, 2020)

The post Section 230 Protects Classifying Non-Competitive Software as a Threat–Asurvio v. Malwarebytes appeared first on Technology & Marketing Law Blog.