Have you ever had your app blocked by one or two anti-virus companies, even though you’ve done everything you could to make your app compliant, and when dozens of other AVs have no problem with it?
This abuse happens because of a poorly drafted and ambiguous portion of a United States federal law: Section 230 of the Communications and Decency Act of 1996. At least one AV company, Malwarebytes (“MB”), seems to believe the law gives it absolute and unlimited power to block any app it wants. In taking this extreme position, MB is departing from the unprecedented cross-industry collaboration and standards-based approach to app governance hailed recently in the pages of the Financial Times. Worse still, there are courts who agree with MB. Indeed, one need look no further than the recent lower court decision in EnigmaSoft v. Malwarebytes to see how this statute continues to plague the industry, and open the door to AV abuse.
Let’s start with the key language of the statute:
“Protection for ‘Good Samaritan’ blocking and screening of offensive material
No provider or user of an interactive computer service shall be held liable on
account of –
A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected; or
B) any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in paragraph [(A)].”
After MB disabled EnigmaSoft’s app, which competes with MB, EnigmaSoft sued. EnigmaSoft alleged that MB’s actions were unreasonable and unlawful, aimed at undermining a direct competitor and enriching themselves. Relying on the “any action” language of Section (B), and largely disregarding the “good faith” text of Section (A), MB claimed it was free to restrict access to any app it found “objectionable.” Good faith, MB argued, is irrelevant.
The federal district court sided with Malwarebytes. It held that MB was entitled to block EnigmaSoft’s apps, and pointed to the language of 230(B). EnigmaSoft filed an appeal in the case, which is now before the 9th Circuit Court of Appeals (many CleanApps.org members viewed the live stream of the appeal’s oral argument in February).
For those who missed it, EnigmaSoft’s lawyer, Terry Budd, did an excellent job at oral argument of the appeal, outlining the flawed logic in MB’s claims. He stressed that the language of Section 230 does not allow for such a broad reading, and eloquently explained why MB’s justifications for its actions were neither credible nor supported by Section 230. He argued that sections 230(A) and (B) need to be read in concert – and that reading 230(B) as if 230(A) didn’t exist amounts to a misreading of the law.
MB pushed back on EnigmaSoft’s argument, relying on the plain and isolated language of 230(B), and therefore asserting a much broader interpretation. The judges questioned both lawyers aggressively, and there’s no way to know which way the judges will rule – especially given the different wording in Sections (A) and (B). One thing I do know: the claims by MB’s lawyer that its customers can easily override its decision to block an app is hogwash – it’s not easy at all. And this kind of overly technical, formalistic argument is the very “bury stuff in the fine print” kind of justification that has caused so much harm to consumers.
MB’s argument that it has unfettered discretion to block apps also flies in the face of the statute’s “Good Samaritan” title. After all, the concept of the Good Samaritan is somebody who acts selflessly to help others. By bucking the industry movement for standards, I believe MB is putting its own interests ahead of billions of users – and subverting a great opportunity to help build a Rule of Law for an Internet that has long been dysfunctional and that’s now undergoing a much-needed public reckoning.
The fact is, the downloading industry is safer and fairer because AppEsteem has worked with cybersecurity companies and app makers over the last several years to develop comprehensive app and app-related standards. Highly respected and responsible cybersecurity companies have stepped up and supported these standards and enforced them, blocking harmful apps, delivering a higher level of protection to consumers, providing a new level of transparency to the downloading industry, and helping app makers who compete fairly. And a new breed of ethical and responsible app makers has come together in CleanApps.org to get behind standards and chart a new path that respects consumer security and privacy.
This is the power of standards, and why standards are so pervasive across the economy. They provide clarity, efficiency, safety for consumers, and an even playing field for competitors.
Unfortunately, MB has stubbornly refused to join the recent effort around app standards. It has opted out of the alliance-for-a-cleaner-internet approach, and determined that it will not compromise, elevating its own determinations over standards adopted by the broader industry. It’s claiming absolute and unlimited power.
I don’t think that’s a world any of us really wants. I’m a former prosecutor. I believe law enforcement does noble work and needs the right to protect us. I also believe AVs should be able to block harmful apps. No reasonable person can support a legal system that allows the police or prosecution to do whatever they want. The same should certainly apply to AV companies like MB.
The internet has become a hazardous place in large part because many companies use tricks to confuse and mislead consumers. They make it difficult to understand what’s really happening, especially when it comes to security and privacy (think of the many times Mark Zuckerberg and others have claimed that our privacy is sacrosanct or that the privacy settings are easily adjustable, engaging in a kind of misleading half-truth; yes, a person can change the privacy settings, but it certainly isn’t easy for the unsophisticated). Ironically, MB’s lawyer relied on the same kind of misleading, overly formalistic tactics that AV companies are supposed to be fighting. At a time when the internet needs so much fixing, it’s hard to understand how a one-company-can-do-whatever-it-wants approach makes sense.
And it’s not just the EnigmaSoft case. In a decision handed down by a federal court in California in March, another judge upheld MB’s right to block Driver Support, an app that was certified by AppEsteem as meeting AppEsteem’s strict app requirements and not flagged by any of the dozens of other major AVs. While the court did issue a mixed ruling of sorts, inviting Driver Support to file an amended complaint that could revive some of its claims, the court also staked out similar ground as requested by MB: it ruled that Section 230 provides absolute immunity for an AV to block any app it wants to, for any reason, without regard to good faith – even if the app is certified by one of the fiercest protectors of consumers.
As former Deputy Secretary of the Treasury Sarah Bloom Raskin argued in the Financial Times back in February, and as we maintain here at CleanApps.org, the internet is a safer and fairer place when there are clear, agreed-upon standards. It’s far better if we don’t have to depend on any single tech behemoth – like Facebook – to protect us. It’s safer when there’s a coalition approach and cybersecurity companies, responsible app makers, and app certifiers come together and rally behind common standards. When that happens, consumers are better off. The playing field is level. Competition is fair. Responsible app makers are not disadvantaged. And the app marketplace is healthier and ripe for the kind of innovation that benefits users.
It’s certainly not safer or fairer when a single cybersecurity company can block whatever app is wants, whenever it wants, without regard to those standards, and without a good faith and reasonable basis. But that’s exactly what MB contends Section 230 permits, and some American courts are agreeing. This poses a grave danger, because it could threaten one of our best hopes for a better, safer, and fairer internet.
In the meantime, we can take solace in a number of facts: 1) the 9th Circuit Court of Appeals has yet to rule in the EnigmaSoft case; 2) there’s an active and growing movement to rein in the power of internet platforms and modify Section 230; and 3) Section 230 is an American law, the internet marketplace is global, and there are many, many jurisdictions that don’t endorse such a ham-handed and unfair system of AV authority.
So whatever absolute powers an AV may claim right now under Section 230, there is still plenty of cause for hope. Standards, consumer fairness, and a fair app marketplace may yet win out in the end.