Distributor of Software That Blocks (Alleged) Adware and Malware Immune Under 47 U.S.C. § 230 from Suit by Company Whose Software Was Blocked:

I'm afraid I don't have time to blog more about this now, but I thought I'd note it, since it seems like a pretty important cyberspace law decision. The case is Zango, Inc. v. Kaspersky Lab, Inc., handed down today by the Ninth Circuit.

Thanks to How Appealing for the pointer.

From the decision, FN 3:
Zango entered into a consent decree with the Federal Trade Commission in November 2006 following an FTC investigation into Zango’s alleged deceptive practices in violation of 15 U.S.C. §§ 45, 52. Zango did not admit to wrongful conduct; however, the decree bars Zango from using any software (except for “Hotbar”) owned or controlled before January 1, 2006 to display advertising or otherwise communicate with a consumer’s computer. The decree also requires Zango to obtain express consent before installing its programs on consumers’ computers, and to provide customers with an effective means of uninstalling its programs. The earliest the consent order could terminate is 2027.
FN 4:
The National Business Coalition on E-Commerce and Privacy filed an amicus curiae brief in support of Zango’s appeal. The Anti-Spyware Coalition, Business Software Alliance, CAUCE North America, Inc., The Center for Democracy &Technology, The Electronic Frontier Foundation, McAfee, Inc., PC Tools Holdings Pty Ltd., and Sunbelt Software, Inc. filed an amicus brief in support of affirmance.
In light of these FNs, Zango's argument on p7989 does provide a good chuckle:
As Zango notes, the district court based its dismissal exclusively on subparagraph (B). Zango urges us not to affirm on the alternative basis of subparagraph (A), maintaining that a triable issue of fact exists as to Kaspersky’s good faith. However, we have no need to consider subparagraph (A) immunity because we agree with the district court’s disposition under subparagraph (B).
6.25.2009 5:21pm
If a company provided both

(a) an update feature on its products (involving multiple users accessing a server) amd (b) a token filter that restricted access to a single pornographic website),

would it then have complete immunity to block access to whatever it wanted, e.g. websites on competitors products or consumer websites containing negative reviews of its products?

The opinion appears to leave the definition of "objectionable" completely undefined and equally within the discretion of the consumer and the provider? It's a broad term. What does it mean? What happens if the provider's concept of what it considers "objectionable" turns completely different from the consumer's? Does the provider have to even consider consumer's interests or Congressional purposes in making such a determination or is its discretion absolute under the safe harbor? What happens if the provider's concept of "objectionable" is so so different from the ideas Congress appeared to have had in mind or from consumers' perception of their interests, indeed so self-serving, that consumers might think its blocking behavior against their interests and malicious?

Does the safe harbor, with these critical terms left undefined, open the door for companies to block access to each other's products as a competitive tool?

Can a virus-maker get the statute's protection simply by blocking one objectionable site and linking to a server, with immunity to block access to whatever it wants -- the entire internet if the virus-maker has Luddite-type objections to the internet as a whole?

After all, a key difficulty this case illustrates is that one person's "filtering" may be another's "service disruption". Perhaps all that perveyors of service disruption have to do is get a little legal advice and jump through a few simple hoops to get their disruptions to fit into the definition of "filtering" and into the protection of the safe harbor.
6.25.2009 6:22pm
If the 9th Circuit had given "otherwise objectionable" some sort of limiting definition and provided for review to see whether the blocked party might be perceived by a reasonable person as possibly fitting that definition, it would be a different case (although not a different outcome -- the existence of the FTC consent decree against Zango would likely be sufficient by itself to invoke the safe harbor under any reasonable limiting definition of "objectionable".)

But by expressly declining to do this, and leaving the meaning of "objectionable" to reflect whatever the filterer objects to, the case appears to open up the prospect of unexpected kinds of objections leading to filtering being used for offensive as distinct from purely defensive purposes -- perhaps even protecting kinds of filtering that consumers find so offensive that they might consider the filtering itself to be malicious.
6.25.2009 6:35pm
Clearly a correct decision under the controlling safe harbor language of the CDA. But Judge Fisher's concurrence is even more interesting than the actual holding:
Congress plainly intended to give computer users the tools to filter the Internet’s deluge of material users would find objectionable, in part by immunizing the providers of blocking software from liability. See § 230(b)(3). But under the generous coverage of § 230(c)(2)(B)’s immunity language, a blocking software provider might abuse that immunity to block content for anticompetitive purposes or merely at its malicious whim, under the cover of considering such material “otherwise objectionable.” Focusing for the moment on anticompetitive blocking, I am concerned that blocking software providers who flout users’ choices by blocking competitors’ content could hide behind § 230(c)(2)(B) when the competitor seeks to recover damages. I doubt Congress intended § 230(c)(2)(B) to be so forgiving.
To illustrate Judge Fisher's concern with a concrete example: Let's assume that the Windows security software in Microsoft's forthcoming Windows 7 (which likely falls within the statute's definition of "access software provider") is configured by default to block access to Mozilla Firefox download sites. Would Microsoft - a company that has a history of being adjudged to have used its monopoly Windows codebase for anticompetitive purposes - fall within the “good samaritan” safe harbor of the CDA? Could be...

Then again, the CDA safe harbor doesn't pre-empt potential civil liability under the Sherman/Clayton act for actionable anticompetitive conduct, so one could argue that Judge Fisher's concern may be overblown as a practical matter? Except, of course, that proving a Sherman Act §2 rule of reason case is close to impossible as a practical matter?

[on a not-unrelated note: no offense to Professor Volokh's well-reasoned posts on cyber-issues as they intersect with the First Amendment, but this topic in particular makes me wish we could also have the benefit of Professor Kerr's views. Hope he hurries back to VC when his Senate detail is finished!]
6.25.2009 6:51pm
Can a virus-maker get the statute's protection simply by blocking one objectionable site and linking to a server, with immunity to block access to whatever it wants — the entire internet if the virus-maker has Luddite-type objections to the internet as a whole?


You could make this concrete by discussing Conficker C:
Domain Lookup Prevention

At each process initialization, Conficker C applies an in-memory patch to dnsapi.dll (Windows XP, 2K) or dnsrslvr.dll (Vista). It does not patch the DLL files on the filesystem, only their in-memory instances. These DLLs contain the standard Windows APIs for domain name resolution and caching. Conficker modifies Window's DNS lookup and cache services to prevent successful communications with various security product vendors and research sites. The list of blocked domain lookups is shown in Table 1.

(Emphasis added.)
6.25.2009 6:52pm
At least one botnet trojan does "improve" security of the zombie and prevent/clean infections of a number of other trojans.... so the PC will not experience slowdowns and problems from multiple infections -- this prolongs the "life" of the zombie for the botnet.
6.25.2009 9:14pm
AnthonyJ (mail):
Pretty sure Conficker is illegal on other grounds, though in theory if you deliberately installed it it would be legal for it to block your access to AV sites.
6.25.2009 11:35pm

Post as: [Register] [Log In]

Remember info?

If you have a comment about spelling, typos, or format errors, please e-mail the poster directly rather than posting a comment.

Comment Policy: We reserve the right to edit or delete comments, and in extreme cases to ban commenters, at our discretion. Comments must be relevant and civil (and, especially, free of name-calling). We think of comment threads like dinner parties at our homes. If you make the party unpleasant for us or for others, we'd rather you went elsewhere. We're happy to see a wide range of viewpoints, but we want all of them to be expressed as politely as possible.

We realize that such a comment policy can never be evenly enforced, because we can't possibly monitor every comment equally well. Hundreds of comments are posted every day here, and we don't read them all. Those we read, we read with different degrees of attention, and in different moods. We try to be fair, but we make no promises.

And remember, it's a big Internet. If you think we were mistaken in removing your post (or, in extreme cases, in removing you) -- or if you prefer a more free-for-all approach -- there are surely plenty of ways you can still get your views out.