Tocmail Inc. v. Microsoft Corp., 2020 WL 9210739, No. 20-60416-CIV-SMITH (S.D. Fla. Nov. 6, 2020)
From
the deepest depths of backlog: Tocmail alleged that Microsoft’s deceptive
promotions of its cyber-security service, Safe Links, constituted false
advertising and contributory false advertising. Tocmail alleged that it sold
the only patented solution for cloud-based hacking, specifically the cloud
security flaw of IP-Cloaking. IP Cloaking allegedly allows hackers to pass
security scanners by sending benign links to the scanner and, then, once
approved by the scanner, proceed to send malicious content to the end user. Microsoft
offers a product, Safe Links, that Microsoft claims protects users against
cloud-based hacking. This allegedly harmed Tocmail’s reputation by convincing
over 100 million users of the Microsoft product that its product offers no
value to them.
Drawing
all inferences in Tocmail’s favor, the court found that it properly alleged reputational
and economic harm within the zone of interests protected by the Lanham Act.
Proximate
causation: Microsoft argued that the harms alleged were too speculative. “But
courts have found allegations based on the diversion of business from one party
to the other enough for purposes of pleading proximate causation.”
Specific
alleged falsehoods:
A
Microsoft product video stated, inter alia:
Sophisticated
attackers will plan to ensure links pass through the first round of security
filters by making the links benign, only to weaponize them once the message is
delivered. Meaning that the destination of that link is altered later to point
to a malicious site. Time is important when thwarting this type of attack. 20% of
all clicks happen within just five minutes of when an email is received, and
with Safe Links, we’re able to protect users right at the point of click by
checking the link for reputation and triggering detonation if necessary.
Tocmail
alleged that “it is literally false that Safe Links protects users by
‘thwarting this type of attack’ [that is, the described attacked of
sophisticated hackers].” The court disagreed, because on its face the statement
didn’t claim that Safe Links thwarts this type of attack, but rather that time
is important in thwarting this type of attack. Comment: Necessary implication
is made for these situations. There is no communicative reason for identifying
this type of attack if it’s not one that Safe Link thwarts “right at the point of
click.”
Next
statement:
[A]ttackers
sometimes try to hide malicious URLs within seemingly safe links that are
redirected to unsafe sites by a forwarding service after the message has been
received. The ATP Safe Links feature proactively protects your users if they
click such a link. That protection remains every time they click the link, so
malicious links are dynamically blocked while good links can be accessed.
But
Tocmail alleged that Safe Links does not do this. Microsoft argued that its
statement didn’t make “any promises, guarantees or other representations.” “Defendant’s
argument is belied by the express language of this statement, which promises
customers protections against attackers’ malicious links.” Falsity was
sufficiently alleged.
“You
Don’t Need Any Other Security Products. With ATP You’re Covered”: This was a
statement made by a Microsoft customer (possibly touted by Microsoft), and was
just opinion.
The
name “Safe Links”: “Safe” is sometimes puffery and sometimes not, depending on
context. In the context of a product name, it was “a very general claim that
characterizes classic puffery, as opposed to a specific assertion describing
absolute characteristics of Defendant’s product.”
“Safe
Links Ensures Hyperlinks in Documents are Harmless”: Also sufficiently alleged
to be literally false.
Contributory
false advertising: Tocmail alleged that that “[a]lmost all email cybersecurity
vendors participate in a coordinated, industry-wide deception that promotes
‘time-of-click’ redirection as the solution to links that appear benign to
cloud scanners yet send users to somewhere dangerous.” Microsoft allegedly
works with third parties to offer Safe Links alternatives paired with Microsoft
cloud services, and these “third parties cannot offer their services without
Microsoft providing access.” “Microsoft benefits from its cloud users being
assured that time-of-click redirection guarantees that they will never download
malware from a protected link.” Additionally, Tocmail alleged that “Microsoft
continues to supply its service to those it knows or has reason to know are
engaged in false advertising directly in regards to the service being
supplied.”
This
wasn’t enough to state a claim for contributory false advertising. “[T]he mere
sale of products in the course of an ordinary business relationship, without
more, cannot justify a finding that a defendant induced, encouraged, caused,
procured, or brought about false advertising.” A plaintiff must show that the
defendant “actively and materially furthered the unlawful conduct—either by
inducing it, causing it, or in some other way working to bring it about.” Tocmail
didn’t plead enough details to plausibly infer knowing or intentional
participation by Microsoft.
Posts
No comments:
Post a Comment