Enigma Software Group USA v. Malwarebytes Inc.

Citation: Not availableDocket: 17-17351

Court: Court of Appeals for the Ninth Circuit; September 12, 2019; Federal Appellate Court

Original Court Document: View Document

SummaryOriginalCytator Case TreatmentBackward CitatorAnalysis

EnglishEspañolSimplified EnglishEspañol Fácil

The Ninth Circuit reversed the district court’s dismissal of Enigma Software Group USA, LLC’s claims against Malwarebytes, Inc. under New York law and the Lanham Act’s false advertising provision, which the lower court dismissed citing Section 230 of the Communications Decency Act (CDA). Enigma alleged that Malwarebytes intentionally configured its software to block access to Enigma's products, thereby diverting customers. The panel clarified that Section 230 provides immunity to software providers for actions that help users block unwanted online content; however, it distinguished this case from Zango, noting that the term “otherwise objectionable” does not encompass software deemed objectionable for anticompetitive motives. The panel found Enigma’s allegations of anticompetitive intent sufficient to proceed. Additionally, the panel determined that the exception for intellectual property claims under Section 230 did not apply, as the false advertising claim did not concern trademarks or intellectual property. The case was remanded for further proceedings. Judge Rawlinson dissented, arguing that Section 230's language is broad and Enigma failed to convincingly limit its application.

Enigma argues that the term “otherwise objectionable” in the Communications Decency Act (CDA) does not sufficiently cover a provider’s objections to a competitor's software aimed at stifling competition. It references Judge Fisher's concurrence in Zango, cautioning against a broad interpretation that could lead to anticompetitive outcomes. The court agrees and reverses the district court’s ruling that misinterpreted Zango, affirming that “otherwise objectionable” does not include objections based on anticompetitive motives. Malwarebytes claims it has legitimate reasons for finding Enigma’s software objectionable, suggesting immunity for Enigma’s state-law claims; however, the court finds Enigma's allegations of anticompetitive intent sufficient to avoid dismissal.

Regarding Enigma's federal claim, the CDA’s immunity provision includes an exception for intellectual property claims, but the court concludes that Enigma’s false advertising claim under the Lanham Act does not pertain to trademarks or intellectual property, thus the immunity exception does not apply. The district court correctly determined that Malwarebytes was immune from liability for false advertising based on Zango’s interpretation of CDA immunity. Nevertheless, the appellate court finds that the district court applied Zango too broadly in dismissing Enigma's federal claim and reverses that judgment as well.

The appeal revolves around the CDA's immunity provision, specifically 230(c)(2), which protects internet service providers from liability for restricting access to content they deem objectionable. The provision was enacted to address concerns about children accessing inappropriate material online and emerged from early legal cases establishing that passive providers are not liable for third-party content unless they undertake filtering responsibilities.

Prodigy Services Co.'s decision to exercise editorial control over content resulted in increased liability compared to other networks like CompuServe, as established in Stratton Oakmont, Inc. v. Prodigy Services Co. This liability was later affected by the Communications Decency Act (CDA) of 1996. During legislative debates, Representative Chris Cox expressed concern that imposing liability on internet providers for filtering offensive content deterred the development of effective filtering software. In response to growing public concern over online pornography, Congress considered two legislative approaches in 1995. The Exon-Coats amendment sought to prohibit the dissemination of pornography at its source, while the Online Family Empowerment Act (OFEA) aimed to promote filtering tools for families, arguing that parents should manage their children's online exposure rather than the government. Ultimately, both approaches were enacted in the CDA, with the Exon-Coats amendment later invalidated in Reno v. ACLU. The OFEA, now part of 47 U.S.C. 230(c)(2), immunizes internet service providers from liability for actions taken to block offensive content, thereby encouraging the development of filtering technologies. The legislative intent behind 230(c)(2) was to address access to pornography while also covering broader categories of objectionable content. Congress outlined policy goals emphasizing user control, parental empowerment, and the preservation of a competitive internet market. The court has previously addressed the scope of Section 230, recognizing that providers of computer security software can leverage immunity, though the breadth of their discretion regarding what is deemed "objectionable" remains less explored.

The concurrence in Zango emphasized the need for limitations on provider control regarding online content blocking, highlighting that such criteria should focus on the content itself rather than the identity of its producer. Enigma Software Group USA, LLC, a Florida-based computer security software company, has been in direct competition with Malwarebytes Inc., a Delaware corporation, since 2008. Both companies develop software aimed at identifying and blocking malware, with Malwarebytes categorizing certain software as Potentially Unwanted Programs (PUPs) based on specific criteria. In late 2016, Malwarebytes updated its PUP-detection criteria to include programs that users reportedly dislike. This change led to Malwarebytes flagging Enigma's popular software, RegHunter and SpyHunter, as PUPs, causing alerts that prohibited users from downloading these programs. Enigma alleges that Malwarebytes's updated criteria are subjective and intended to harm Enigma's business, characterizing it as anticompetitive behavior. As a result, Enigma claims to have suffered customer losses, revenue decline, and reputational damage. Enigma filed a lawsuit against Malwarebytes in early 2017 in the Southern District of New York, asserting four claims: deceptive business practices under New York General Business Law, tortious interference with business relations under New York common law, and false advertising under the Lanham Act.

Malwarebytes successfully sought a change of venue to transfer its case from New York to the Northern District of California, where it is headquartered. The district court granted this request despite Enigma's argument that venue was appropriate in New York due to the effect of Malwarebytes's actions on local users. Following the venue change, Malwarebytes filed a motion to dismiss based on immunity under 47 U.S.C. 230(c)(2) of the Communications Decency Act (CDA). The district court agreed, ruling that Malwarebytes was immune from liability for all of Enigma's claims, aligning with the precedent set in the Zango case, which established that anti-malware providers can block access to material they consider objectionable. The court noted that Malwarebytes's classification of Enigma's programs as potentially unwanted was sufficient to invoke this immunity under state law.

Regarding Enigma's federal claim of false advertising under the Lanham Act, the court considered the intellectual property exception in 47 U.S.C. 230(e)(2). Despite Enigma's assertion that this claim involved intellectual property, the district court determined that the false advertising claim did not relate directly to any intellectual property rights, thus allowing CDA immunity to apply. Ultimately, the district court dismissed Enigma's complaint entirely in favor of Malwarebytes. On appeal, Enigma argued that the district court misinterpreted the Zango decision, claiming it should not grant unlimited discretion to online service providers to block content, especially regarding potential anticompetitive conduct. The appellate court noted that while Zango affirmed immunity for filtering software providers, it did not address limits on a provider's discretion to deem content "objectionable," and this limitation was not raised in the current appeal.

Section 230 immunity applies to Kaspersky's decision to block access to certain content, allowing providers to filter material they deem "objectionable." Judge Fisher’s concurring opinion in Zango raises concerns about interpreting "objectionable" broadly, warning that such an interpretation could enable providers to block content for anticompetitive reasons or malicious intent. Various federal district courts have interpreted Zango's implications differently, with some dismissing lawsuits against Malwarebytes for classifying certain software as potentially unwanted programs (PUPs), while others have acknowledged limitations to Section 230 immunity. Notably, the courts have emphasized that a subjective belief in material's objectionability does not grant unlimited blocking power. The original Zango ruling clarifies that filtering-software providers like Malwarebytes qualify for Section 230 immunity, but it does not preclude scrutiny of their content-blocking decisions. The current legal inquiry focuses on whether Section 230(c)(2) immunity extends to blocking decisions influenced by anticompetitive motives, an issue not addressed in Zango due to the non-competitive nature of the parties involved in that case.

The case marks the first known instance under Section 230 involving direct competitors. Enigma contends that Malwarebytes blocked its programs for anticompetitive reasons, asserting that Section 230 does not grant immunity for such conduct. Malwarebytes argues that it has blanket immunity due to the broad language of Section 230. However, the court rejects this view, emphasizing that the statute's intent is to foster a competitive market online, not to allow companies to undermine competitors. The court highlights that Congress aimed to encourage the development of filtering technologies, not facilitate anti-competitive behavior. It references historical context, noting that earlier interpretations of “otherwise objectionable” were more lenient due to the nascent state of the internet and public concerns over harmful content. The court warns that granting immunity for anticompetitive blocking would undermine user control over online content and contradict the statute's objectives. Although rejecting Malwarebytes’s broad interpretation of immunity, the court also dismisses Enigma’s argument to limit the term “objectionable” to only sexually or violently inappropriate content. Enigma's reliance on the principle of ejusdem generis is countered by the court, which notes that the specific categories listed in Section 230(c)(2) are diverse and may not be comparable.

Enumerated categories that lack similarity do not aid in interpreting a general category; thus, the principle of ejusdem generis is inapplicable. The catchall term likely aims to address forms of unwanted online content not foreseen by Congress in the 1990s. Even if ejusdem generis applied, it would not support Enigma’s limited interpretation of “otherwise objectionable,” as Congress intended to empower internet users to avoid a range of harmful content, including harassment, spam, malware, and adware. Various district courts have deemed unsolicited marketing emails as “objectionable.” The court does not determine the exact relationship between “otherwise objectionable” and the preceding categories but notes that if a provider's objection to blocking materials stems from competitive interests, such objections are outside the statute's categories, negating immunity.

Malwarebytes argues it has legitimate reasons for finding Enigma’s programs, SpyHunter and RegHunter, objectionable due to deceptive practices that mislead users about security threats. Enigma counters that its programs pose no threat and that Malwarebytes’s actions are anticompetitive. The district court previously ruled that if Malwarebytes has the discretion to define “objectionable,” the court need not consider the justification for that designation. However, since Section 230 does not protect a provider from blocking a competitor’s program for anticompetitive reasons, Enigma’s claims must proceed past the motion to dismiss.

Additionally, Enigma's fourth claim involves false advertising under the Lanham Act, alleging that Malwarebytes misrepresented its programs to undermine Enigma’s customer base. Section 230(e)(2) provides an exception for intellectual property claims, indicating that immunity does not apply to Enigma’s Lanham Act claim, which is linked to intellectual property, despite not directly involving an intellectual property right.

The district court correctly rejected the argument that the Lanham Act claims, specifically concerning false advertising, fall under the intellectual property exception to immunity provided by 47 U.S.C. § 230(e)(2). The Lanham Act consists of two main parts: one addressing trademark infringement (15 U.S.C. § 1114) and the other covering false designations of origin and false advertising (15 U.S.C. § 1125). While much of the Act focuses on trademarks, § 1125(a) extends beyond trademark protection and establishes two liability bases: false association and false advertising.

The court noted that the intellectual property exception should be narrowly construed to align with the Communications Decency Act’s (CDA) intent to maintain broad immunity for internet service providers and promote a competitive online marketplace. Previous cases have indicated that this exception does not extend to state law intellectual property claims and must not be interpreted in a way that broadens liability under the Lanham Act for false advertising claims lacking direct ties to established intellectual property rights.

Enigma’s claim alleges that Malwarebytes falsely represented its software to mislead customers, which does not pertain to trademark or other intellectual property rights as defined by the exception. Therefore, the district court correctly determined that Enigma's false advertising claim under § 1125(a) does not qualify as a claim related to intellectual property law under § 230(e)(2).

The district court ruled that Malwarebytes is immune from liability under Section 230 of the Communications Decency Act (CDA), as previously determined in the Zango case. It clarified that the immunity does not cover anticompetitive conduct, which allowed the federal claim to survive dismissal, leading to a reversal of the district court’s judgment and a remand for further proceedings. The dissenting opinion by Judge Rawlinson argues that the immunity granted by the CDA is broad and applies to any action taken by a provider to restrict access to material deemed objectionable, regardless of competitive context. The dissent contends that the majority's attempt to limit this immunity based on the parties being competitors is unsupported by the statute, which grants immunity for filtering or screening such material. The dissent emphasizes adherence to the statutory language and Congressional intent behind the CDA, asserting that any perceived overreach in the statute is beyond the court's authority to correct.