Thursday, September 09, 2021

Microsoft dodges some false advertising claims based on its security offerings

Tocmail Inc. v. Microsoft Corp., 2020 WL 9210739, No. 20-60416-CIV-SMITH (S.D. Fla. Nov. 6, 2020)

From the deepest depths of backlog: Tocmail alleged that Microsoft’s deceptive promotions of its cyber-security service, Safe Links, constituted false advertising and contributory false advertising. Tocmail alleged that it sold the only patented solution for cloud-based hacking, specifically the cloud security flaw of IP Cloaking. IP Cloaking allegedly allows hackers to pass security scanners by sending benign links to the scanner and then, once approved by the scanner, sending malicious content to the end user. Microsoft offers a product, Safe Links, that Microsoft claims protects users against cloud-based hacking. This allegedly harmed Tocmail’s reputation by convincing over 100 million users of the Microsoft product that Tocmail’s product offers no value to them.

Drawing all inferences in Tocmail’s favor, the court found that it properly alleged reputational and economic harm within the zone of interests protected by the Lanham Act.

Proximate causation: Microsoft argued that the harms alleged were too speculative. “But courts have found allegations based on the diversion of business from one party to the other enough for purposes of pleading proximate causation.”

Specific alleged falsehoods:

A Microsoft product video stated, inter alia:

Sophisticated attackers will plan to ensure links pass through the first round of security filters by making the links benign, only to weaponize them once the message is delivered. Meaning that the destination of that link is altered later to point to a malicious site. Time is important when thwarting this type of attack. 20% of all clicks happen within just five minutes of when an email is received, and with Safe Links, we’re able to protect users right at the point of click by checking the link for reputation and triggering detonation if necessary.

Tocmail alleged that “it is literally false that Safe Links protects users by ‘thwarting this type of attack’ [that is, the described attack of sophisticated hackers].” The court disagreed, because on its face the statement didn’t claim that Safe Links thwarts this type of attack, but rather that time is important in thwarting this type of attack. Comment: Necessary implication is made for these situations. There is no communicative reason for identifying this type of attack if it’s not one that Safe Links thwarts “right at the point of click.”

Next statement:

[A]ttackers sometimes try to hide malicious URLs within seemingly safe links that are redirected to unsafe sites by a forwarding service after the message has been received. The ATP Safe Links feature proactively protects your users if they click such a link. That protection remains every time they click the link, so malicious links are dynamically blocked while good links can be accessed.

But Tocmail alleged that Safe Links does not do this. Microsoft argued that its statement didn’t make “any promises, guarantees or other representations.” “Defendant’s argument is belied by the express language of this statement, which promises customers protections against attackers’ malicious links.” Falsity was sufficiently alleged.

“You Don’t Need Any Other Security Products. With ATP You’re Covered”: This was a statement made by a Microsoft customer (possibly touted by Microsoft), and was just opinion.

The name “Safe Links”: “Safe” is sometimes puffery and sometimes not, depending on context. In the context of a product name, it was “a very general claim that characterizes classic puffery, as opposed to a specific assertion describing absolute characteristics of Defendant’s product.”

“Safe Links Ensures Hyperlinks in Documents are Harmless”: Also sufficiently alleged to be literally false.

Contributory false advertising: Tocmail alleged that “[a]lmost all email cybersecurity vendors participate in a coordinated, industry-wide deception that promotes ‘time-of-click’ redirection as the solution to links that appear benign to cloud scanners yet send users to somewhere dangerous.” Microsoft allegedly works with third parties to offer Safe Links alternatives paired with Microsoft cloud services, and these “third parties cannot offer their services without Microsoft providing access.” “Microsoft benefits from its cloud users being assured that time-of-click redirection guarantees that they will never download malware from a protected link.” Additionally, Tocmail alleged that “Microsoft continues to supply its service to those it knows or has reason to know are engaged in false advertising directly in regards to the service being supplied.”

This wasn’t enough to state a claim for contributory false advertising. “[T]he mere sale of products in the course of an ordinary business relationship, without more, cannot justify a finding that a defendant induced, encouraged, caused, procured, or brought about false advertising.” A plaintiff must show that the defendant “actively and materially furthered the unlawful conduct—either by inducing it, causing it, or in some other way working to bring it about.” Tocmail didn’t plead enough details to plausibly infer knowing or intentional participation by Microsoft.
