Lazy legislating by Congress has resulted in the usurping of consumer choice in the cybersecurity market recently.
This is related to a federal case originally filed in the Southern District of New York by Enigma Software Group USA, LLC vs. Malwarebytes, Inc. (case 1:16-cv-07885), in which Enigma Software contends that Malwarebytes has intentionally and maliciously harmed it through unfair, predatory business practices.
A little-known legal loophole in the Communications Decency Act (CDA § 230(c)(2), entitled “Protection for ‘Good Samaritan’ blocking and screening of offensive material”) is at the center of a legal interpretation that has allowed Malwarebytes to arbitrarily attack its competitors while knowingly limiting the ability of consumers to maintain overlapping layers of protection against hacking and cyber espionage.
The statute reads, “No provider or user of an interactive computer service [“ICS”] shall be held liable on account of:
(A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected; or
(B) any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in paragraph 1.”
Subsection “B” is intended to be directly tied to Subsection “A.” Congress, however, made a grammatical error in Subsection “B” in stating, “any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in paragraph 1.” It should have stated, “any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in paragraph A.”
“Paragraph A” states that if you restrict access, it should be done in “good faith.” Malwarebytes, relying on Subsection “B,” contends that there is no good faith requirement because the words “good faith” aren’t included in its language.
That argument should have failed for a couple of reasons. First, “Subsection B” was intended to be tied to the type of content listed in “Paragraph A,” where good faith is a requirement.
Second, Malwarebytes’ argument sets a dangerous precedent: it would mean that even though “good faith” is a requirement of “Paragraph A” under the law, a company could be allowed to act in bad faith under “Subsection B.”
This all began when Enigma Software filed suit against an entity known as Bleeping Computer, LLC. Malwarebytes was subpoenaed to produce documents that looked to establish the true business relationship between Bleeping Computer and Malwarebytes. According to the lawsuit, “Malwarebytes unilaterally revised the ‘criteria’ it uses to identify PUPs in October of 2016 and announced the revision to the public through a blog post by its CEO. This was Malwarebytes’ first announced change in its PUP criteria since 2013, and the new ‘policy’ included only subjective criteria that Malwarebytes could, and has, implemented at its own malicious whim to identify SpyHunter 4 and RegHunter as PUPs and ‘threats.’”
“PUPs” are Potentially Unwanted Programs. These programs are then automatically quarantined and disabled as “threats” by Malwarebytes for its customers. Malwarebytes’ “PUP” criteria were changed to include extremely arbitrary and vague language, including “diminished user experience.”
The targeted program, Enigma Software’s SpyHunter 4, has scored high grades from independent testing laboratories in third-party testing for its effectiveness in blocking malware and threats on users’ computers.
By Malwarebytes’ logic, not only can Malwarebytes block any competing product, but any anti-virus software can block a competitor at will, effectively giving customers the option of using only one program to protect their devices. This type of practice would be contradictory to what is generally recommended within the cybersecurity industry, where it is consistently espoused that users are better protected by having multiple layers of anti-virus software.
This legal battle is about choice. Choice is always good. This school of thought has apparently been lost on self-declared Silicon Valley bosses. Malwarebytes is attempting to operate a monopoly advocating unlimited and unchecked power. Absent is concern for the average consumer who would rather sample the individual benefits of the variety of software choices available to them. Consumer advocacy groups should also make it a point to ask for a good faith requirement surrounding any decision by software companies to block, disable or otherwise render useless software programs by a competitor.
This case will now be heading to the Court of Appeals for the 9th Circuit.