Enigma Software Grp. USA, LLC v. Malwarebytes, Inc., No. 21-16466 (9th Cir. Jun. 2, 2023)
Courts generally seem more likely to find falsifiability
instead of puffery when a speaker makes negative claims about rivals rather
than positive claims about itself. Enigma sued its competitor Malwarebytes for
Lanham Act false advertising and NY business torts for designating its products
as “malicious,” “threats,” and “potentially unwanted programs” (PUPs). The
district court dismissed the complaint on the grounds that these designations
were “non-actionable statements of opinion.” Over a dissent, the court of
appeals reverses, except as to “PUP.” “[W]hen a company in the computer
security business describes a competitor’s software as ‘malicious’ and a ‘threat’
to a customer’s computer, that is more a statement of objective fact than a
non-actionable opinion.” This also required reversal of the NYGBL §349 false advertising
claim and tortious interference with business relations claim, though the
tortious interference with contractual relations claim still failed for want of
specific allegations of interfered-with contracts.
Enigma alleged that its software products “(i) detect and
remove malicious software (i.e., malware)” such as “viruses, spyware, adware,
ransomware, and Trojans; (ii) enhance users’ Internet privacy; (iii) offer
users the choice to block ‘Potentially Unwanted Programs’ (‘PUPs’); and/or (iv)
eliminate security threats and risks from problematic software programs.”
Malwarebytes software also allegedly claims to “detect and
remove malware, PUPs, and other potentially threatening programs on users’
computers.” Enigma alleged that, for eight years, Malwarebytes’s products
didn’t identify any Enigma products as malicious/threats/PUPs, but began to do
so in 2016. This was allegedly in retaliation for Enigma suing an affiliate of
Malwarebytes called Bleeping Computer, which held itself out to the public as
an independent website reviewing software products; in that lawsuit, Enigma
alleged that Bleeping Computer was in fact economically allied with
Malwarebytes.
“Malicious” and “threats,” in this context, were falsifiable
rather than opinion: “terminology that is substantively meaningful and
verifiable in the cybersecurity context.” These terms were not “extremely
unlikely to induce consumer reliance,” but rather “make[] a claim as to the
specific or absolute characteristics of a product” and were accordingly
actionable statements of fact under the Lanham Act. “As Enigma points out, its
products either contain malicious files and threaten the security of users’
computers, or they do not. These statements are not the type of general,
subjective claims typically deemed non-actionable opinions.”
Context was key: “malicious” and “threatening” are
“adjectives [that] admit of numerous interpretations,” but when an anti-malware
program specifically labeled Enigma’s software as “malicious” and a “threat,” a
reasonable person would plausibly interpret that as the identification of
malware. And “whether software qualifies as malware is largely a question of
objective fact, at least when that designation is given by a cybersecurity
company in the business of identifying malware for its customers.” (PUP, by
contrast, was too vague to be factual.)
The majority relied on the “ordinary meaning” of malware: software
“written with the intent of being disruptive or damaging to (the user of) a
computer or other electronic device; viruses, worms, spyware, etc.,
collectively.” This was a verifiable claim encompassing “viruses, spyware,
adware, ransomware, and Trojans.” [Prof. Goldman is going to note that one of
those things is not like the others!] “[T]he term necessarily implies that
someone created software with the intent to gain unauthorized access to a
computer for some nefarious purpose.” Does adware count as unauthorized access
if the ad part is sufficiently disclosed? The majority thought that malware status could be determined
objectively.
And Malwarebytes plausibly accused Enigma of being malware
according to the complaint, which alleged that Malwarebytes’s software tells
users that conducting a recommended “Threat Scan” “scans all the places malware
is known to hide.” If Malwarebytes’s software detected something as a “threat”
or “PUP,” the default configuration was to “treat detections as malware.” Thus,
Enigma customers using Malwarebytes’s software to conduct a “Threat Scan” were allegedly
left with the impression that Enigma’s products were malware; the complaint
alleged that one customer contacted Enigma to inquire why “Malware bites [sic]
says [Enigma’s software] is an infection” and “another customer reported the
‘malware bytes’ program keeps detecting malware every time I try to download
your software.’”
In addition, “judges are not experts in the cybersecurity
field.… Enigma has alleged that those terms have implied meaning in that field
which was understood by a significant portion of its users, such that
Malwarebytes’s allegedly false use of those terms can be proved or disproved as
a matter of objective fact.” That was not implausible for purposes of a motion
to dismiss.
The NYGBL § 349 and tortious interference with business
relations claims were also revived; for the latter, Enigma sufficiently
identified specific customers that it lost by alleging that consumers
downloaded its products to try them out but decided not to buy a full subscription
after Malwarebytes labeled them malware. Even without the Lanham Act/§ 349 claims, a claim for
tortious interference with business relations under New York law does not
require the plaintiff to show an “independent wrongful act.” Instead, Enigma
only needs to allege that Malwarebytes acted “solely out of malice, or used
dishonest, unfair, or improper means,” which it did. But tortious interference
with contract failed because allegations that preexisting customers cancelled
their subscriptions and requested refunds because of Malwarebytes’s conduct did
not allege any contractual breach by those customers.
Judge Bumatay dissented, arguing that the statements at
issue were subjective opinions, not readily verifiable, and thus protected by
the First Amendment. The dissent pointed to Malwarebytes’ statements such as:
“Analyzing and categorizing potentially unwanted software is a complex problem. Developers of potentially unwanted software rapidly evolve their products. Some even contain a few characteristics that resemble legitimate software to mask the unwanted functionality. It’s an on-going process, and we work hard to identify common behaviors that help provide you the highest level of protection. In some cases, where the behavior is questionable, we will list the application even if it does not neatly fit into the listed criteria. In other words, we use our judgment….”
More details followed that covered both annoying and dangerous features. Malwarebytes also warned that “sometimes [it] get[s] it wrong” and provided an email address to ask for “reconsideration” of its decisions. The flags at issue here labeled two Enigma products as “scareware”—which Malwarebytes defines as programs that detect harmless system files and browser cookies and present them with alarming graphics “to convince users their systems have problems.”
Given the First Amendment protections for opinion even in
commercial speech, when “it is highly debatable” whether a statement is
verifiable enough to be actionable, courts must “err on the side of
nonactionability.” Here, “potentially unwanted,” a “threat,” or “malicious” all
had an “inherently subjective element.” “Even if Malwarebytes employed these
terms to protect its products from competition from Enigma, there are no
dispositive, objective criteria that would allow us to police whether the three
terms were falsely used against Enigma.”
“Threat” was “tentative,” not absolute or specific, and
whether something is a “source of harm or danger” was subjective. [Gotta say,
the dissent is not exactly selling me on this point in this context.] Enigma’s
allegations, including definitions of “threat” from statutes and other
authorities, still had a subjective component. So too with “malicious.”
As for “malware,” Enigma never alleged that Malwarebytes
explicitly labeled Enigma’s software as malware. Instead, it alleged that
Malwarebytes called its programs “threats” or PUPs and its website and domains
were “malicious” and “disruptive.” Malwarebytes’ user guide defines
“potentially unwanted programs” as a “class[] of non-malware,” and explains
that some programs “may [be] categorized as threats” even though they “are not
malicious.” The user guide did discuss malware, but also looked for PUPs in the
same places. “[U]ser guide statements that Malwarebytes’ program treats
something as ‘malware’ or scans where malware is known to be isn’t the same
thing as calling Enigma’s products ‘malware’ in commerce.” [Except the
allegations of the complaint suggest that at least some, presumably reasonable,
consumers, understood the identifications to mean “malware.” The dissent says
that “what Enigma’s customers say about Enigma is not a basis to find Lanham
Act liability against Malwarebytes,” but that’s what misleadingness is.]
The dissent also hits on the problem I noted above: adware
isn’t obviously malware, even if it can be annoying; it isn’t obviously used
for “some nefarious purpose.” Even if you can say “this isn’t malware,” that
doesn’t make it a binary determination. “One could also say, ‘whether green is
the best color is objective and verifiable, because either it is the best, or
it’s not the best.’” It’s still subjective!
The dissent thought the state law claims should also have failed.