Malwarebytes’ Right to Flag ‘Potentially Unwanted Applications’ Upheld
A federal judge has dismissed a lawsuit brought against security vendor Malwarebytes, which was accused of illegally classifying two security applications developed by the plaintiff – another software developer – as being harmful.
Enigma Software, which has offices in Clearwater, Florida, as well as in Lithuania and Bulgaria, filed the lawsuit in October 2016 in the U.S. District Court for the Northern District of California.
But on Tuesday, U.S. District Judge Edward J. Davila dismissed the lawsuit.
Enigma Software accused Malwarebytes of classifying two of its applications as “potentially unwanted programs” or PUPs for short: an anti-malware program called SpyHunter and a program designed to clean hard drives and Windows registries called RegHunter.
Enigma contended that Malwarebytes intended to interfere with its customer base and retaliate against the company “for a separate lawsuit Enigma filed against a Malwarebytes affiliate.”
That separate lawsuit involved the online technology forum Bleeping Computer. Enigma sued Bleeping Computer in 2016 after it posted a negative review of SpyHunter. The lawsuit was settled earlier this year and Bleeping Computer excised the review from its site.
In the wake of Judge Davila’s decision, Malwarebytes CEO Marcin Kleczynski says in a blog post that while the decision might sound mundane, “the reality is that this is not only a critical win for Malwarebytes, but for all security providers who will continue to have legal protection to do what is right for their users.”
Kleczynski adds: “As PUPs became more prevalent and problematic, we began offering protection against them too, a choice that is now backed by the U.S. District Court.”
Enigma Software didn’t immediately respond to a request for comment. But the company announced Thursday that it plans to appeal the decision in the Court of Appeals for the 9th Circuit.
The lawsuit is a reminder that more than a decade ago, anti-virus companies began flagging some applications as PUPs. Such applications often exhibit behaviors that information security companies judge to be risky or annoying, such as injecting ads, installing root digital certificates or surreptitiously bundling apps into their installers, either without notifying users or by hiding that notification in lengthy, impenetrable end-user license agreements.
In February 2016, Malwarebytes called out some of the behaviors that trigger such a classification.
“PUP criteria includes advertising no-nos such as obtrusive pop-ups, web infractions such as altered search results or bookmark insertions, or download offenses, such as prepopulated check boxes or the liberal use of ‘recommended’ next to an option,” the company said.
In response to the lawsuit filed by Enigma, meanwhile, Malwarebytes contended that it has a right to flag Enigma’s applications as PUPs under the immunity provision of the Communications Decency Act.
In the dismissal order, Judge Davila agrees, saying that the act absolves a service provider of liability for good-faith decisions to restrict access to material that it deems to be “obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected.”
A key case cited by Malwarebytes involved a dispute between anti-virus vendor Kaspersky Lab and Zango, a now-defunct advertising software application. The software displayed advertisements to users in exchange for free video clips, email emoticons and other freebies.
But Zango was criticized by security experts who alleged that its rogue affiliates used questionable distribution methods and software exploits to forcibly install the application on computers. In November 2006, Zango reached a $3 million settlement with the Federal Trade Commission, which among other contentions alleged that the software was deceptive and difficult to remove.
After Kaspersky Lab put Zango in the PUP category, however, Zango took the anti-virus firm to court. In June 2009, the 9th Circuit Court of Appeals ruled in Kaspersky’s favor, finding the company’s actions were protected by the immunity provision of the Communications Decency Act.
Looking for Customers
Enigma Software may have lost this round of its case against Malwarebytes. But it’s still hoping customers will install its SpyHunter program and stick with it, even if Malwarebytes flags the application.
One of the Enigma Software’s web pages for
The Enigma Software notice states: “We are very sorry for the inconvenience, but this is outside of our control.”
Executive Editor Mathew Schwartz also contributed to this story.