Claims Against Malwarebytes Dismissed for Lack of “Objective Criteria"
While researching current litigation on end point detection software standards (a regularly recommended activity in this novel legal field), certain cases appeared in which it was suggested that software vendor Malwarebytes engaged in questionable business practices to suppress its competition. Within the last 3 years, Malwarebytes defended 3 different lawsuits for allegedly gaining an unfair advantage on its competitors by flagging their anti-malware programs as “Potentially Unwanted Programs” (“PUPs”) and “malicious.”
On August 9, 2021, Judge Edward J. Davila of the North District of California, San Jose Division granted Malwarebytes Motion to Dismiss Enigma’s claims for damages in Enigma Software Grp. USA, LLC v. Malwarebytes, Case No. 5:17-cv-02915-EJD. Similar to Malwarebytes, Enigma is software company with cybersecurity products aimed at combatting malware, ransomware, viruses, Trojans, and hackers. Enigma's flagship anti-malware product, SpyHunter 4, was an adaptive malware detection and removal tool that was available on the market until mid-2018, when SpyHunter 5 was released. SpyHunter 4 removed and remediated malware, as well included other security protection features. Malwarebytes products, collectively referred to as “MBAM,” directly competed with SpyHunter 4.
Between 2008 and October 4, 2016, MBAM did not identify any Enigma product as malicious, threats, or as PUPs. However, on October 5, 2016, Malwarebytes revised its security "criteria," resulting in SpyHunter 4 and RegHunter 2 (another Enigma product) being identified as PUPs and "threats." Accordingly, if a consumer used SpyHunter 4 or RegHunter 2 on a computer and then used MBAM products, the MBAM products automatically quarantined the Enigma products., label them "threats" and PUPs, then disabled the Enigma products.
As Enigma developed solutions to avoid quarantine by MBAM products, Malwarebytes then blocked all “enigmasoftware.com” domains and designated them as "Malicious Website[s]." Two months after SpyHunter 5's introduction, MBAM products again began to detect, quarantine, and block SpyHunter 5 as a PUP and "threat." Despite requests from Enigma, Malwarebytes never provided Enigma with a formal explanation for its designations.
Enigma brought suit against Malwarebytes, alleging that Malwarebytes (1) violated the Lanham Act § 43(a), (2) violated New York General Business Law § 349, (3) constituted tortious interference with Enigma's contractual relations, and (4) constituted tortious interference with Enigma's business relations. After dismissing the NY Business law claims for lack of jurisdiction, Judge Davila then dismissed all other claims in Malwarebytes favor, for lack of well-pleaded facts.
To succeed on a claim under § 43(a) of the Lanham Act, a Plaintiff must allege (1) the defendant made a false statement of fact in a commercial advertisement, (2) the statement actually deceived or has the tendency to deceive a substantial segment of its audience, (3) the statement is material, (4) the defendant caused the statement to "enter interstate commerce," and (5) the plaintiff has been or is likely to be injured as a result of the false statement. Statements of opinion that are not capable of being proven false do not give rise to civil liability. Specifically, Enigma argued that Malwarebytes falsely labeled Enigma’s products and domains as “malicious,” “threats,” and PUPs. In response, Malwarebytes claims that its actions were “objectively verifiable.”
The Court held that Enigma failed to plead specific facts showing that Malwarebytes’ actions were verifiably false. Enigma’s pleadings only subjectively concluded that Malwarebytes’s actions and criteria were wrong. On the claims of tortious interference, the Court held that Enigma not only failed to identify a contractual obligation with which Malwarebytes interfered, but again declined to adequately plead that Malwarebytes knowingly engaged in any independently wrongful act. In sum, the Court concluded that Enigma lacked sufficiently pleaded facts to support its claims – thereby dismissing the entire suit.
Judge Davila made previous, similar, rulings in Malwarebytes’ favor after it was sued for analogous acts against PC Drivers Headquarters, LP (Case No. 5:18-cv-05409-EJD, D. Ca. March 2019) and Asurvio LP (Case No. 5:18-cv-05409-EJD, N.D. Ca. March 2020).
Enigma, Asurvio, and PC Drivers all lacked objective criteria to show that Malwarebytes’ designation of their products as “PUPs” or threats was materially wrong. While the allegations (if true) against Malwarebytes are certainly disturbing, these cases demonstrate how much faster cybersecurity evolves than law. Before pleading Lanham Act claims again, hire an actual cybersecurity attorney – not just a litigator – to craft specific, but flexible criteria to illustrate wanted from unwanted programs. An example of such criteria may include the following: unauthorized administrative acts or data exfiltration prompted by automatic executable files.