Malwarebytes facing legal hurdle: labeling rival apps as "Unwanted" under scrutiny

The curious case of unwanted programs

Malwarebytes vs. Enigma legal battle continues

In a significant turn of events, the US Ninth Circuit Court of Appeals has ruled that Enigma Software Group can pursue its longstanding lawsuit against rival cybersecurity firm Malwarebytes. The case revolves around Malwarebytes' controversial labeling of Enigma's software as “potentially unwanted programs” or PUPs, sparking a contentious battle that has questioned the very principles of online service providers' operations.

Based in Florida, Enigma has been striving to hold Malwarebytes accountable for its actions since 2017. This battle began when Malwarebytes first blocked Enigma's software, a move that was met with a lawsuit from the latter citing tortious interference,[1] violation of New York business law, and false advertising under the Lanham Act:[2]

Plaintiff-Appellant Enigma Software Group USA LLC (“Enigma”), a computer security software provider, sued a competitor, Defendant-Appellee Malwarebytes, Inc. (“Malwarebytes”), for designating its products as “malicious,” “threats,” and “potentially unwanted programs” (“PUPs”). Enigma’s operative complaint alleged a false advertising claim under Section 43(a) of the Lanham Act, 15 U.S.C. § 1125(a)(1)(B), and tort claims under New York law.

This response was sparked by Malwarebytes' labeling of Enigma's SpyHunter tool as a PUP, causing the software to automatically quarantine and remove the program from users' computers. Enigma, naturally, protested this classification.

The roller coaster legal battle

Originally, a district court judge in California dismissed Enigma's claim, relying on the 2009 Zango v. Kaspersky decision, which provides security firms with some degree of freedom in classifying software as harmful. The case dismissal was justified by Section 230(c)(2)(B), which exempts interactive service providers from liability for their content moderation decisions.[3]

However, the tides turned when Enigma appealed, and in 2019, the Ninth Circuit reversed the district court's decision. This created an exception to Section 230 of the Communications Decency Act, which usually protects online service providers, raising concerns about the potential discouragement of security companies from labeling software as harmful.

Despite the setback, Malwarebytes remained resolute, seeking a review from the Supreme Court, which was denied in 2020. In 2021, the California district court dismissed[4] Enigma's complaint again after the Ninth Circuit urged a reconsideration. However, Enigma made a comeback once more, with the Ninth Circuit reviving the case last week, except for Enigma's claim of tortious interference with contractual relations.

The impact on the cybersecurity industry

This case's significance extends far beyond the parties involved. As Eric Goldman, professor at Santa Clara University School of Law, puts it, “This case is like a wrecking ball for internet law.”[5] He warns that the court's decision to treat terms like “malicious” and “threats” as binary facts could misalign with the actual operations of the security industry.

This could potentially increase disputes about software classifications, escalating the risks and costs involved in such classifications. If the consequences of these decisions cause security companies to withdraw from the industry, users could be left at a heightened risk.

In a similar vein, Ninth Circuit Judge Patrick Bumatay raised concerns about the court's treatment of these terms as actionable facts under the Lanham Act. He argues that it sends a chilling message to cybersecurity companies, potentially exposing them to civil liability if a court disagrees with their classification of a program as “malware:”[2]

<…>Lanham Act protects against false or misleading representations of fact, but flagging a competitor’s products as “potentially unwanted,” a “threat,” or “malicious” is no expression of fact—these are subjective statements, not readily verifiable, which means they are opinions. He wrote that by treating these terms as actionable statements of fact under the Lanham Act, the court sends a chilling message to cybersecurity companies—civil liability may now attach if a court later disagrees with your classification of a program as “malware.”

Enigma, however, perceives the situation differently. In their recent statement, they assert that the Ninth Circuit's rejection of a First Amendment free speech defense adds weight to their allegations against Malwarebytes. They insist that if their allegations are indeed true, trying to protect them with a First Amendment defense does not lessen their severity or actionability.[6]

What's ahead

This ongoing case is anticipated to define the future trajectory of legal disputes within the cybersecurity industry. As the case returns to the district court, the terms of the battle could change once more. However, one thing remains certain – the outcome of this lawsuit will set a significant precedent for how cybersecurity firms classify and manage software in the future. With that in mind, all eyes are now on the Ninth Circuit and the looming specter of a potential en banc[7] review, in which all of the circuit's judges, rather than a three-judge panel, would rehear the case.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
