Federal Court Dismissal of Suit by Alleged Malware Vendor Suggests Broad Immunity for Anti-Virus/Anti-Malware Providers
Posted by Ronnie London and Sarah Duran
The United States District Court for the Western District of Washington(state) has issued a decision in Zango, Inc. v. Kaspersky Lab, Inc. dismissing Zango’s claim relating to Kaspersky’s distribution of computer anti-virus/anti-malware software that, among other things, targeted Zango’s products as objectionable.* Taking a fairly broad view of “safe harbor” immunity built into the Communications Decency Act (CDA) – specifically, in Section 230(c)(2) of the U.S. Code title dedicated to Communications Law – the court rejected Zango’s claims that Kaspersky’s anti-virus software improperly identified Zango’s websites and ads as malware and thus constituted tortious interference with contract and business expectancy, and trade libel, and a violation of Washington state’s Consumer Protection Act. The case is significant because it suggests anti-malware vendors and distributors are entitled to absolute immunity to communicate with their customers about potential malware risks and facilitate their customers’ decisions about other companies’ software, without incurring liability to those companies.
The court interpreted the CDA’s safe harbor, which protects providers and users of interactive computer services for “action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers … objectionable” and for “action taken to enable or make available to information content providers or others the technical means to restrict access to [such] material,” quite broadly, citing other courts’ view (in other Section 230 contexts) that the immunity is “quite robust.” The court also read generously the requirement that immunity is afforded to “providers” of “interactive computer services,” finding Kaspersky to be an “access software provider” that “provides or enables computer access by multiple users to a computer server.” Indeed, the court found Kaspersky's “anti-malware software is exactly the type” contemplated by the CDA as enabling users to filter, screen, allow and/or disallow content that the safe harbor was designed to facilitate blocking.
The court rejected Zango’s argument that it does not provide “objectionable material” within the meaning of the safe harbor. It held that the statute does not require the material to actually be objectionable, but rather only that the provider or user of the software or service deems such material objectionable, a matter on which there was no question regarding Kaspersky’s view of Zango’s software. The court also rejected Zango’s argument that Kaspersky lost immunity by allegedly acting in bad faith in blocking Zango as part of a “scare campaign intended to generate additional interest in [Kaspersky's] software.” The court distinguished between the safe harbor afforded for actions “to restrict access to or availability of material that the provider or user considers to be … objectionable,” which has an explicitly stated good-faith requirement, and actions “to enable or make available … the technical means to restrict access” to such material, which does not include a good-faith condition. Because Kaspersky’s efforts fell within the latter, the court found, it held it was under no duty to act in good faith. However, the court held that “even if there was a good faith requirement,” Zango’s “mere conclusory assertion of bad faith, without more, would be insufficient to withstand summary judgment.”
This decision is significant in several regards. The court dismissed all of Zango’s claims as a matter of law and refused Zango the opportunity to conduct discovery. The dismissal suggests vendors and distributors of anti-malware products and services can claim an absolute immunity, even against allegations of bad faith, to communicate with their customers about potential adware and spyware risks and even to facilitate consumer decisions about software installed by third parties on their computers, without incurring liability to the producers and distributors of the software. Significantly, this “safe harbor” extends, by its terms, to ISPs as well. If there is no good faith requirement for providing anti-malware software to consumers or enabling them to block what they deem unacceptable, future Zango-type lawsuits will become less attractive. As a general proposition, other courts following the broad reading that this court affords the CDA safe harbor will make the prospect of similar litigation less likely, and at a minimum reduce the cost of defending any such cases.
* In the interests of full disclosure, it should be noted that Davis Wright Tremaine LLP was co-counsel for Kaspersky in the case.