Legal challenge for Malwarebytes: scrutiny over labeling competing apps as "Unwanted"

A cybersecurity company is accused of mislabeling competitor’s products

Malwarebytes classified Enigma's SpyHunter tool as a PUP

The long-standing legal battle between Malwarebytes and Enigma Software Group has gained momentum with recent development. US Ninth Circuit Court of Appeals has ruled in favor of Enigma, granting the company the opportunity to proceed with its ongoing lawsuit against Malwarebytes. The core issue in this protracted dispute revolves around Malwarebytes’ controversial practice of labeling Enigma’s software as “potentially unwanted programs” (PUPs).

This contentious classification has been at the center of the disagreement between these two cybersecurity companies for multiple years. Enigma Software, a company headquartered in Florida, initiated a legal confrontation against Malwarebytes in 2017 to establish accountability for the latter’s actions.

Malwarebytes, in an act of categorization, blocked Enigma’s software by classifying the SpyHunter tool alongside other potentially unwanted programs (PUPs). As a result, the Enigma program was automatically isolated and eliminated from users’ computer systems. Upon discovering these actions, Enigma promptly pursued legal measures to address the matter. The lawsuit was filed based on tortious interference,^[1] violation of New York business law, and false advertising under the Lanham Act:^[2]

Plaintiff-Appellant Enigma Software Group USA LLC (“Enigma”), a provider of computer security software, filed a lawsuit against a competitor, Defendant-Appellee Malwarebytes, Inc. (“Malwarebytes”), for designating its products as “malicious,” “threats,” and “potentially unwanted programs” (“PUPs”). Enigma’s complaint alleged false advertising under Section 43(a) of the Lanham Act, 15 U.S.C. § 1125(a)(1)(B), and tort claims under New York law.

The unfolding legal conflict carries significant implications for the future conduct of cybersecurity firms. It is poised to establish a precedent that may shape the behavior of other industry players going forward. Furthermore, the repercussions of this case might prompt online service providers to reevaluate their practices to mitigate the risk of facing similar legal challenges in the times ahead.

The legal fight has faced multiple setbacks

The legal battle between Enigma and Malwarebytes has been a tumultuous journey, resembling a roller coaster ride. While Enigma can now celebrate a victory and the opportunity to proceed with further legal actions, its initial attempts were met with disappointment. The lawsuit filed by the company was initially dismissed by a district court in California, citing the 2009 Zango v. Kaspersky case.

This ruling established certain flexibility for security companies in classifying software as malicious. The court justified its dismissal under Section 230(c)(2)(B), which exempts interactive service providers from liability for their content moderation decisions.^[3]

Enigma disagreed with this interpretation and proceeded to initiate an appeal. Its efforts bore fruit when the Ninth Circuit overturned the district court’s ruling in 2019, marking a small step toward victory for Enigma.

Nevertheless, Malwarebytes persists with unwavering determination, continuing its steadfast pursuit of victory in this protracted conflict. Malwarebytes sought a Supreme Court review, but their request was denied in 2020.

The same thing happened to Enigma’s complaint in 2021 when the California district court again dismissed the company’s complaint.^[4] However, undeterred by the previous setback, Enigma reentered the legal arena with renewed vigor as the Ninth Circuit breathed new life into the case. While Enigma’s claim of tortious interference with contractual relations was not included in the revived proceedings, the company remains resolute in its pursuit of justice and continues to fight for its rights.

Change is on the horizon for the cybersecurity industry

It is important to note, that the Ninth Circuit court’s ruling established a deviation from the standard protection afforded to online service providers under Section 230 of the Communications Decency Act. As a result, apprehensions have emerged about the potential hindrance this may pose for security companies when it comes to categorizing software as PUP.

Ninth Circuit Judge Patrick Bumatay has raised important questions about the court’s treatment of these terms as factual assertions under the Lanham Act. He asserts that this approach sends a worrisome signal to cybersecurity companies, as it could potentially result in legal repercussions if a court disagrees with their program classification:^[2]

<…>Lanham Act protects against false or misleading representations of fact, but flagging a competitor’s products as “potentially unwanted,” a “threat,” or “malicious” is not a statement of fact—it is a subjective opinion that is not easily verifiable. Treating these terms as actionable statements of fact under the Lanham Act sends a chilling message to cybersecurity companies, implying that civil liability may arise if a court later disagrees with their classification of a program as “malware.

Hence, the ongoing legal battle has piqued the curiosity of other online service providers who remain uncertain about what lies ahead. Some notable skeptics express grave concerns about the potential negative outcome.

Eric Goldman, a professor at Santa Clara University School of Law, goes as far as characterizing it as a “wrecking ball for internet law”.^[5] His cautionary statement highlights a potential misalignment between the court’s treatment of terms such as “malicious” and “threats” as indisputable facts and the operational realities of the security industry.

The implications of this scenario are far-reaching, as it has the potential to ignite conflicts regarding software classifications, resulting in an amplification of risks and costs associated with such categorizations. Moreover, if security companies opt to withdraw from the industry due to these circumstances, users could find themselves exposed to significantly heightened risks and vulnerabilities.

Legal battle’s impact on cybersecurity’s future remains uncertain

However, Enigma stands firm in its dissenting opinion, offering a different outlook on the situation. Through their latest public declaration, they contend that the Ninth Circuit’s dismissal of Malwarebytes’ First Amendment free speech defense serves to fortify their accusations against the cybersecurity entity. Enigma maintains that in the event their allegations prove valid, seeking refuge behind a First Amendment defense fails to diminish the gravity or enforceability of their claims.^[6] This contrasting viewpoint underscores Enigma’s unwavering determination to assert its allegations.

The unfolding legal clash in the cybersecurity realm carries profound implications for the trajectory of future legal disputes. The denouement of this ongoing battle remains veiled in uncertainty, as the intricate dynamics may yet undergo further metamorphosis upon the case’s return to the district court.

However, amidst this fog of uncertainty, one unassailable truth remains: the resolution of this lawsuit will establish an enduring precedent, shaping the framework by which cybersecurity companies delineate and govern software in the years ahead. Consequently, the attention of industry stakeholders converges upon the Ninth Circuit, with anticipation mounting for the prospect of an en banc^[7] review that would engage the collective wisdom of all judges, transcending the influence of a select few.