ENIGMA SOFTWARE GROUP USA, LLC, Plaintiff-Appellant, v. MALWAREBYTES, INC., Defendant-Appellee.
No. 21-16466
United States Court of Appeals for the Ninth Circuit
Filed June 2, 2023
D.C. No. 5:17-cv-02915-EJD. Appeal from the United States District Court for the Northern District of California, Edward J. Davila, District Judge, Presiding. Argued and Submitted November 8, 2022, Portland, Oregon. Before: Richard R. Clifton and Patrick J. Bumatay, Circuit Judges, and M. Miller Baker,* International Trade Judge. Opinion by Judge Clifton; Concurrence by Judge Baker; Dissent by Judge Bumatay. * The Honorable M. Miller Baker, Judge for the United States Court of International Trade, sitting by designation.
SUMMARY**
**Lanham Act
The panel affirmed in part and reversed in part the district court’s judgment dismissing a lawsuit brought by Enigma Software Group USA LLC, a computer security software provider, against its competitor Malwarebytes, Inc. for designating its products as “malicious,” “threats,” and “potentially unwanted programs“; and remanded for further proceedings.
Enigma’s operative complaint alleged a false advertising claim under Section 43(a) of the Lanham Act,
The district court primarily based the dismissal on its conclusion that Malwarebytes’s designations of Enigma’s products were “non-actionable statements of opinion.” The panel disagreed with that assessment. In the context of this case, the panel concluded that when a company in the computer security business describes a competitor’s software as “malicious” and a “threat” to a customer’s computer, that is more a statement of objective fact than a non-actionable opinion. It is potentially actionable under the Lanham Act provided Enigma plausibly alleges the other elements of a false advertising claim.
The district court held that the tort claims under New York law failed because Malwarebytes was not properly subject to personal jurisdiction in New York. That meant Enigma’s claim for relief under
The common law claims for tortious interference with contractual relations and tortious interference with business relations were also dismissed by the district court. Those torts are recognized as actionable under California law, as they are under New York law, but the district court concluded that Enigma failed to allege essential elements for those claims under California law. The contractual relations claim failed because Enigma did not identify a specific contractual obligation with which Malwarebytes interfered.
The business relations claim was dismissed because that claim required an allegation of independently wrongful conduct, and that requirement was not satisfied following the dismissal of the Lanham Act and
Concurring, Court of International Trade Judge Baker wrote separately to touch on choice of law. He wrote that ordinarily the application of a transferor jurisdiction’s law carries with it the choice-of-law rules of that jurisdiction, but here the parties did not address the choice of law beyond the dispute over whether personal jurisdiction existed in the Southern District of New York. The opinion assumes—as the parties did in their briefing by not addressing choice of law—that under New York choice-of-law rules, New York substantive law applies to Enigma’s state-law claims, save for the claims based on Malwarebytes’ transactions with customers outside of New York.
Judge Bumatay dissented. He wrote that the Lanham Act protects against false or misleading representations of fact, but flagging a competitor’s products as “potentially unwanted,” a “threat,” or “malicious” is no expression of fact—these are subjective statements, not readily verifiable, which means they are opinions. He wrote that by treating these terms as actionable statements of fact under the Lanham Act, the court sends a chilling message to cybersecurity companies—civil liability may now attach if a court later disagrees with your classification of a program as “malware.” He wrote that Enigma’s failure to allege a misstatement of fact is also dispositive on its state-law claims.
COUNSEL
Terry Budd (argued), Budd Law PLLC, Wexford, Pennsylvania; Christopher M. Verdini and Anna Shabalov, K&L Gates LLP, Pittsburgh, Pennsylvania; Edward P. Sangster, K&L Gates LLP, San Francisco, California; for Plaintiff-Appellant.
Moez M. Kaba (argued), Michael H. Todisco, and Warren S. Crandall, Hueston Hennigan LLP, Los Angeles, California; John C. Hueston, Hueston Hennigan LLP, Newport Beach, California; for Defendant-Appellee.
OPINION
CLIFTON, Circuit Judge:
Plaintiff-Appellant Enigma Software Group USA LLC (“Enigma“), a computer security software provider, sued a competitor, Defendant-Appellee Malwarebytes, Inc. (“Malwarebytes“), for designating its products as “malicious,” “threats,” and “potentially unwanted programs” (“PUPs“). Enigma’s operative complaint alleged a false advertising claim under Section 43(a) of the Lanham Act,
Malwarebytes moved to dismiss under
The district court also held that the tort claims under New York law failed because Malwarebytes was not properly subject to personal jurisdiction in New York. That meant Enigma’s claim for relief under New York General Business Law (“NYGBL“) § 349 failed because that statute did not apply to the alleged misconduct. We disagree and conclude that Malwarebytes is subject to personal jurisdiction in New York. As this action was initially filed in New York, the law of that state properly applies.
The common law claims for tortious interference with contractual relations and tortious interference with business relations were also dismissed by the district court. Those torts are recognized as actionable under California law, as they are under New York law, but the district court concluded that Enigma failed to allege essential elements for those claims under California law.
The contractual relations claim failed because Enigma did not identify a specific contractual obligation with which Malwarebytes interfered. The business relations claim was dismissed because that claim required an allegation of independently wrongful conduct, and that requirement was not satisfied following the dismissal of the Lanham Act and
In sum, we affirm in part, reverse in part, and remand for further proceedings.
I. Background and Procedural History
Enigma is a Florida company that markets and sells computer security software nationwide. Its products, according to its Second Amended Complaint (“SAC“), “(i) detect and remove malicious software (i.e., malware)” such as “viruses, spyware, adware, ransomware, and Trojans; (ii) enhance users’ Internet privacy; (iii) offer users the choice to block ‘Potentially Unwanted Programs’ (‘PUPs’); and/or (iv) eliminate security threats and risks from problematic software programs.” SAC ¶ 2.
Malwarebytes is a Delaware corporation, headquartered in California. It is a direct competitor of Enigma in the anti-malware and computer security market. Founded in 2008, its flagship anti-malware products are aimed, according to the complaint, at “detect[ing] and remov[ing] malware, PUPs, and other potentially threatening programs on users’ computers.” SAC ¶ 7.
Enigma commenced this lawsuit against Malwarebytes in the U.S. District Court for the Southern District of New York asserting Lanham Act false advertising and supplemental tort claims under New York law. See Enigma Software Grp. USA, LLC v. Malwarebytes Inc., 260 F. Supp. 3d 401 (S.D.N.Y. 2017). Malwarebytes moved to dismiss for lack of personal jurisdiction and failure to state a claim or, in the alternative, to transfer the case to the Northern District of California under
In the California federal court, Malwarebytes renewed its motion to dismiss, arguing
Enigma appealed the district court’s ruling. This court reversed and remanded, holding that Section 230 did not apply to “blocking and filtering decisions that [we]re driven by anticompetitive animus.” Enigma Software Grp. USA, LLC v. Malwarebytes, Inc., 946 F.3d 1040, 1050 (9th Cir. 2019).
On remand, Enigma filed its SAC asserting four causes of action: (1) false advertising in violation of the Lanham Act,
Enigma alleged that from 2008 to October 2016, Malwarebytes’s products did not identify any of Enigma’s products as “malicious,” “threats,” “PUPs,” or any other type of malware, nor did it quarantine or block consumers from using any of them. SAC ¶ 11. But starting in October 2016, the complaint alleged, Malwarebytes started to do so. Enigma alleged it was in retaliation for Enigma suing an affiliate of Malwarebytes called Bleeping Computer, which held itself out to the public as an independent website reviewing software products. SAC ¶ 11. According to Enigma, Bleeping Computer was not independent and conveyed “false, misleading, and deceptive information” on its website about Enigma and its products, as well as “instruct[ing] users not to install, or to uninstall,” Enigma products and “instead purchase Malwarebytes’ competing products.” SAC ¶ 23. Enigma alleged that Bleeping Computer disseminated this false information in exchange for sales commissions from Malwarebytes. SAC ¶ 11.
Enigma further alleged that Malwarebytes retaliated against it because the former subpoenaed the latter in the Bleeping Computer lawsuit seeking evidence of a “profiteering scheme” between Malwarebytes and Bleeping Computer “employing anticompetitive, unfair trade practices” to Enigma’s detriment.
Malwarebytes moved to dismiss for failure to state a claim, and the district court again dismissed the case, as described above. Regarding the Lanham Act claim, the district court reasoned that Enigma alleged that Malwarebytes’s designations of the former’s products were “just [nonactionable] subjective opinions” rather than “verifiably false.” As to Enigma’s state law claims, the district court concluded that California law applied because New York lacked personal jurisdiction over Malwarebytes. For that reason alone, the district court held, the
In dismissing the case, the district court also denied leave to amend, reasoning that “there are no further facts Enigma can allege to cure the complaint.” Enigma timely appealed.
II. Discussion
We review de novo a district court’s dismissal for failure to state a claim, crediting all factual allegations as true and construing the pleadings in the light most favorable to the non-moving party. Tingley v. Ferguson, 47 F.4th 1055, 1066 (9th Cir. 2022).
A. Lanham Act
Enigma argues that the district court erred in dismissing its Lanham Act claim. Enigma alleged that Malwarebytes designated its products and domains as “malicious,” “threats,” and “PUPs” and that such statements were “factually false” and misrepresented the very purpose of its software. The district court held that these statements were non-actionable statements of opinion. As to the statements that Enigma’s products are “malicious” and “threats,” we disagree.1
To state a claim for false advertising under Section 43(a) of the Lanham Act, Enigma had to allege that (1) Malwarebytes made a false statement of fact in a commercial advertisement; (2) the statement deceived or had the tendency to deceive a substantial segment of its audience; (3) the deception was material, in that it was likely to influence the purchasing decision; (4) the false statement entered interstate commerce; and (5) Enigma has been or is likely to be injured as a result of the false statement. Southland Sod Farms v. Stover Seed Co., 108 F.3d 1134, 1139 (9th Cir. 1997). Because the district court concluded that Malwarebytes’s challenged designations were non-actionable statements of opinion rather than fact, the court did not consider whether the company plausibly alleged the other applicable requirements.2
To show falsity under the Lanham Act, a plaintiff must allege that “the statement was literally false, either on its face or by necessary implication, or that the statement was literally true but likely to mislead or confuse consumers.” Id.; see also Ariix, LLC v. NutriSearch Corp., 985 F.3d 1107, 1121 (9th Cir. 2021) (quoting Coastal Abstract Serv., Inc. v. First Am. Title Ins. Co., 173 F.3d 725, 731 (9th Cir. 1999))
(“An actionable statement is a specific and measurable claim, capable of being proved false or of being reasonably interpreted as a statement of objective fact.“).
We must look to “the totality of the circumstances” when assessing whether a statement implies a factual assertion. Underwager v. Channel 9 Australia, 69 F.3d 361, 366 (9th Cir. 1995). Although “malicious” and “threatening” are “adjectives [that] admit of numerous interpretations,” Partington v. Bugliosi, 56 F.3d 1147, 1158 (9th Cir. 1995), “[t]he context . . . is paramount” because “the reasonable interpretation of a word can change depending on the context in which it appears.” Knievel v. ESPN, 393 F.3d 1068, 1075 (9th Cir. 2005). Malwarebytes’s anti-malware program specifically labeled Enigma’s software as “malicious” and a “threat,” which a reasonable person would plausibly interpret as the identification of malware.3 SAC ¶¶ 143–64. Because whether software qualifies as malware is largely a question of objective fact, at least when that designation is given by a cybersecurity company in the business of identifying malware for its customers, Enigma plausibly alleged that Malwarebytes’s statements are factual assertions.
Our dissenting colleague disagrees. The dissent contends, at 36, that “[c]ontrary to Enigma’s claims, a program isn’t simply ‘potentially unwanted’ or not. A software program isn’t verifiably a ‘threat’ or not. And a website isn’t measurably ‘malicious’ or not. In the cybersecurity context, these terms refer to a spectrum of digital features with no verifiable line to cross to determine when they apply.”
We agree that “potentially unwanted” is too unspecific to provide a basis for a Lanham Act claim, as we noted above at 13, n.3. But the premise of the dissent regarding the terms “threat” and “malicious” rests on an understanding of the meaning of those words in this context that we do not share.
Malware, in its ordinary meaning, refers to software “written with the intent of being disruptive or damaging to (the user of) a computer or other electronic device; viruses, worms, spyware, etc., collectively.” Oxford English Dictionary Online (2022); see also Malware, Black’s Law Dictionary (11th ed. 2019) (defining malware as “software, used to monitor or gain access to another’s computer system without authorization for the purpose of impairing or disabling the system.“).
We think such a definition lends itself to verification. Enigma’s complaint indicates that malware can come in many forms, including “viruses, spyware, adware, ransomware, and Trojans.” SAC ¶ 2. But at bottom, as demonstrated by the dictionary
More importantly, judges are not experts in the cybersecurity field. We should not presume that we are. Enigma has alleged that those terms have implied meaning in that field which was understood by a significant portion of its users, SAC ¶¶ 143–64, such that Malwarebytes’s allegedly false use of those terms can be proved or disproved as a matter of objective fact. Those allegations are not implausible, and the dissent does not claim that they are. To prevail, Enigma must ultimately prove that Malwarebytes’s designation of its software was false. But at the motion to dismiss stage, the allegations are sufficient.
At root, the dissent’s disagreement with our conclusion rests on its purported effort to protect expressions of “opinion” based on its misperception of the First Amendment. It makes that clear from its first paragraph. Dissent at 27. The dissent acknowledges that the protection afforded to commercial speech is limited and that “there can be no constitutional objection to the suppression of commercial messages that do not accurately inform the public.” Dissent at 32 (quoting Cent. Hudson Gas & Elec. Corp. v. Pub. Serv. Comm’n of New York, 447 U.S. 557, 562–63 (1980)). But it does not heed that distinction. As we said in Ariix,
Today, consumers face waves of advertisements amid a sea of product choices. To navigate the seemingly unending stream of advertisements, consumers often depend on independent reviews for candid and accurate assessments. But when someone falsely claims to be independent, rigs the ratings in exchange for compensation, and then profits from that perceived objectivity, that speaker has drowned the public trust for economic gain. Society has little interest in protecting such conduct under the mantle of the First Amendment.
In that case, we held that a five-star rating system comparing nutritional supplement products from the view of the speaker was an opinion not actionable under the Lanham Act. Id. at 1121. If Malwarebytes had said that its product was better than Enigma’s product, that statement
The facts of this case do not closely match Ariix, but the principle is the same. Enigma has alleged that Malwarebytes disparaged Enigma’s products for commercial advantage by making misleading statements of fact. If those allegations are true, and at this stage we must presume that they are, trying to wrap them in a First Amendment flag does not make them any less offensive or any less actionable. “Society has little interest in protecting such conduct under the mantle of the First Amendment.” Id. at 1119.
B. Personal Jurisdiction
Enigma also argues the district court erred in holding that Malwarebytes was not subject to personal jurisdiction in New York and that California law applied to the dispute. We review personal jurisdiction rulings de novo. Ayla, LLC v. Alya Skin Pty. Ltd., 11 F.4th 972, 978 (9th Cir. 2021).
As noted above, the Southern District of New York transferred this case to the Northern District of California.5 Generally, diversity cases transferred under
To apply the state law of the transferor jurisdiction in a
“An exercise of personal jurisdiction in federal court must comport with both the applicable state’s long-arm statute and the federal Due Process Clause.” Burri L. PA v. Skurla, 35 F.4th 1207, 1212 (9th Cir. 2022). New York’s long-arm statute states that a court may exercise specific personal jurisdiction over a non-resident if it “transacts any business within the state,”
“A defendant transacts business within the meaning of
Whether there is personal jurisdiction based on the operation of a website depends on where the website falls on the “spectrum of interactivity.” Weiss v. Barc, Inc., No. 12 CV 7571(TPG), 2013 WL 2355509, at *4 (S.D.N.Y. May 29, 2013). “Passive websites . . . are limited to making information available to users” and do not establish personal jurisdiction. Id. “Interactive websites knowingly transmit goods or services to users and if made available to New York residents, the activities can be sufficient for establishing personal jurisdiction over a defendant.” Id. The website operated by Malwarebytes easily qualifies as interactive under Weiss.
As for whether the claim “arises from” a business transaction, the New York Court of Appeals has held that the “arising from” prong of
Applying these standards, Malwarebytes is subject to personal jurisdiction in New York. First, Malwarebytes “transacts business” in New York through its website, which allows New York–based users to buy and download products.6 Malwarebytes
New York’s exercise of personal jurisdiction is also consistent with the Due Process Clause. See Knight v. Standard Chartered Bank, 531 F. Supp. 3d 755, 763 (S.D.N.Y. 2021)
(S.D.N.Y. 2021) (“[B]ecause the
We therefore reverse the district court‘s holding that New York lacked personal jurisdiction over Malwarebytes and that California law applies to Enigma‘s state law claims. New York has personal jurisdiction over Malwarebytes with respect to its sales to New York-based customers, and therefore New York law applies to Enigma‘s state-law claims based on those transactions. We do not decide whether New York law applies to Malwarebytes‘s transactions with other customers outside the state of New York. That choice of law question is not before us in the current appeal.
C. State-law Claims
1. NYGBL § 349
The district court dismissed Enigma‘s
2. Tortious interference claims
Enigma also argues that the district court erred in dismissing its claims for tortious interference with contractual and business relations. The district court construed the tortious interference claims under California law, but as discussed above, New York law applies to these claims. Reading the complaint in the light most
a. Tortious interference with business relations
To state a claim for tortious interference with business relations, New York requires a plaintiff to establish that:
(1) it had a business relationship with a third party; (2) the defendant knew of that relationship and intentionally interfered with it; (3) the defendant acted solely out of malice, or used dishonest, unfair, or improper means; and (4) the defendant‘s interference caused injury to the relationship.
Kirch v. Liberty Media Corp., 449 F.3d 388, 400 (2d Cir. 2006) (quoting Carvel Corp. v. Noonan, 350 F.3d 6, 17 (2d Cir. 2003)). Enigma‘s complaint plausibly demonstrated each of these factors.
Enigma stated in its complaint that it had contracts with customers who purchased subscription-based licenses to use its SpyHunter 4 and RegHunter 2 software. SAC ¶ 235. Enigma also stated that it and Malwarebytes had some customers in common who, seeking added levels of security, simultaneously used both companies’ products. SAC ¶ 236. Enigma further alleged Malwarebytes took a series of steps to interfere with its prospective relationships with customers. For instance, Enigma stated that Malwarebytes (1) falsely labelled Enigma‘s products as “threats” and “PUPs,” (2) automatically blocked customers from installing Enigma‘s software, and (3) automatically quarantined and preselected Enigma software for deletion. SAC ¶¶ 237-39. The result of this conduct, Enigma alleges, is that Malwarebytes induced Enigma‘s customers to choose either not to install, or to delete, Enigma‘s programs from their computers without any legitimate justification. SAC ¶ 240.
Further, Enigma alleged the prospective relationships with the requisite specificity to establish a claim for tortious interference with business relations. New York requires that a “plaintiff . . . identify a specific customer that the plaintiff would have obtained ‘but for’ the defendant‘s wrongful conduct,” Zetes v. Stephens, 969 N.Y.S.2d 298, 304 (4th Dep‘t 2013), as relief should not be afforded for merely speculative damage, see, e.g., Parekh v. Cain, 948 N.Y.S.2d 72, 76 (2d Dep‘t 2012) (dismissing a claim for tortious interference with business relations because the plaintiff did not identify a third party with which the plaintiff had business relations). For this, Enigma asserted that certain customers downloaded its software before paying for a full subscription. SAC ¶¶ 244-46. Because Enigma points to identifiable customers whose business it lost, its complaint plausibly alleges that it had business relationships with third parties.
The district court‘s dismissal of this claim for Enigma‘s inability to identify an independent wrongful act was erroneous for two reasons. First, Enigma‘s reinstated claims under the
b. Tortious interference with contractual relations
To establish a claim of tortious interference with contract under New York law, a plaintiff must plead the following elements:
(1) the existence of a valid contract between the plaintiff and a third party; (2) the defendant‘s knowledge of the contract; (3) the defendant‘s intentional procurement of the third-party‘s breach of the contract without justification; (4) actual breach of the contract; and (5) damages resulting therefrom.
Kirch, 449 F.3d at 401 (internal quotation marks and citation omitted).
The district court held that the contractual relations interference claim failed because Enigma did not identify any contractual breach that Malwarebytes induced. Although the district court improperly analyzed this claim under California law, the bottom-line result was still correct under New York law.
To state a claim for tortious interference with contractual relations under New York law, a plaintiff must allege that the defendant induced an actual breach of contract. See NBT Bancorp Inc. v. Fleet/Norstar Fin. Grp., Inc., 664 N.E.2d 492, 495-96 (N.Y. 1996) (holding that, although tortious interference can take many forms, New York mandates that actual breach be shown). Here, Enigma alleged that its preexisting customers cancelled their subscriptions and requested refunds because of Malwarebytes‘s conduct. SAC ¶¶ 239-41. And although this amounts to disruption of the contractual relationship between Enigma and its customers, it falls short of alleging any contractual breach by those customers. Because New York law requires such a breach, Enigma has not adequately pled one of the required elements for a claim of tortious interference with contractual relations.
III. Conclusion
We affirm the district court‘s dismissal of Enigma‘s claim of tortious interference with contractual relations. We reverse the district court‘s dismissal of Enigma‘s remaining claims and remand for further proceedings consistent with this opinion. Each party is to bear its own costs.
AFFIRMED in PART, REVERSED in PART, and REMANDED for further proceedings.
BAKER, Judge, concurring:
I join the majority opinion in full and write separately to briefly touch on choice of law. As the opinion acknowledges, ordinarily the application of a transferor jurisdiction‘s law under Van Dusen and Ferens carries with it the choice-of-law rules of that jurisdiction. See Muldoon v. Tropitone Furniture Co., 1 F.3d 964, 965 (9th Cir. 1993) (under Van Dusen and Ferens, “the transferee court must follow the choice-of-law rules of the transferor court“).
Here, however, the parties have not addressed choice of law beyond the dispute over whether personal jurisdiction existed in the Southern District of New York. They appear to agree that if such jurisdiction existed, then New York substantive
BUMATAY, Circuit Judge, dissenting:
When a cybersecurity company flags another company‘s products as “potentially unwanted programs,” “threats,” or “malicious,” could it be liable for false advertising under the
Thus, even in the commercial context, we must be careful not to expand
For these reasons, I respectfully dissent.
I.
Enigma Software Group USA, LLC and Malwarebytes, Inc. develop competing anti-malware software products. “Malware” is a portmanteau of “malicious” and “software.” Oxford English Dictionary Online (2022). So, as the term implies, anti-malware programs are designed to detect and remove potentially unwanted, threatening, or malicious programs from users’ computers. For eight years, from 2008 to 2016, the two companies’ products coexisted on users’ systems without issue. But in 2016, things changed. In October of that year, Malwarebytes announced that it was getting “tougher” on potentially unwanted programs. The move was purportedly a response to software developers’ efforts to circumvent the company‘s detection criteria.
Malwarebytes provided a statement announcing its new criteria:
How do we identify potentially unwanted software?
Analyzing and categorizing potentially unwanted software is a complex problem. Developers of potentially unwanted software rapidly evolve their products. Some even contain a few characteristics that resemble legitimate software to mask the unwanted functionality. It‘s an on-going process, and we work hard to identify common behaviors that help provide you the highest level of protection. In some cases, where the behavior is questionable, we will list the application even if it does not neatly fit into the listed criteria. In other words, we use our judgment.
While we highlight potentially unwanted programs, you then make a choice in the exclusions list and select what you want to keep or remove. Here are some of the criteria we use:
- obtrusive, misleading, or deceptive advertising, branding, or search practices
- excessive or deceptive distribution, affiliate or opt-out bundling practices
- aggressive or deceptive behavior especially surrounding purchasing or licensing
- unwarranted, unnecessary, excessive, illegitimate, or deceptive modifications of system settings or configuration (including browser settings and toolbars)
- difficulty uninstalling or removing the software
- predominantly negative feedback or ratings from the user community
- diminishes user experience
- other practices generally accepted as riskware, scareware, adware, greyware, or otherwise commonly unwanted software by the user community
Malwarebytes informed its users that it must “regularly update” its software to meet these criteria. The company also warned that “sometimes [it] get[s] it wrong” and provided an email address to ask for “reconsideration” of its decisions. Noting the need to respond promptly to “new forms of potentially unwanted software” that “frequently emerge and proliferate,” Malwarebytes “reserve[d] the right to adjust, expand and update [its] criteria without prior notice or announcements.”
Under the new criteria, Malwarebytes’ software designated two of Enigma‘s anti-malware products-“SpyHunter 4” and “RegHunter 2“-as “potentially unwanted programs” and “threats.” As a result, Malwarebytes’ program blocked, quarantined, or disabled SpyHunter 4 and RegHunter 2‘s operation on users’ computers. Enigma contends that Malwarebytes blocked its programs because of “anticompetitive animus” and in retaliation for Enigma suing a Malwarebytes affiliate. According to Malwarebytes, its program flagged SpyHunter 4 and RegHunter 2 as “scareware“-which Malwarebytes defines as programs that detect harmless system files and browser cookies and present them with alarming graphics “to convince users their systems have problems.”
Malwarebytes’ users had at least two options available if they wished to continue using Enigma‘s products. They could exclude Enigma‘s programs from scans by “unchecking” and “ignor[ing]” the detection following Malwarebytes’ instructions, or they could stop using Malwarebytes’ program. But Enigma disputes whether both programs can operate together. It argues that Malwarebytes’ default settings effectively prevent users from excluding Enigma‘s programs from scans, citing complaints from users who struggled to change them.
In December 2016, in response to Malwarebytes’ change of criteria, Enigma issued a “Countermeasure,” which allowed Enigma‘s customers to download an installer that disabled Malwarebytes’ products. Shortly after, Malwarebytes responded by having its anti-malware program block access to Enigma‘s web domains-URLs ending in “.enigmasoftware.com.” Malwarebytes’ program flagged the domains with a pop-up-“Malicious Website Blocked.” Enigma alleges that Malwarebytes’ domain blocking was retaliation for the “Countermeasure.” After some time, Malwarebytes stopped flagging Enigma‘s domains, which Enigma takes as a concession that quarantining its websites was improper.
On remand, the district court again granted Malwarebytes’ motion to dismiss. This time, the district court held that Malwarebytes’ flagging of Enigma‘s products conveyed “non-actionable statements of opinion.” Enigma Software Grp. USA, LLC v. Malwarebytes Inc., 2021 WL 3493764, at *11 (N.D. Cal. 2021). Enigma appealed.
On de novo review, this should have been an easy affirm.
II.
A.
When it comes to the regulation of any speech, we should always begin with the
Of course, the
This is where the
Any person who, on or in connection with any goods or services, . . . uses in commerce any . . . false or misleading description of fact, or false or misleading representation of fact, which . . . in commercial advertising or promotion, misrepresents the nature, characteristics, qualities, or geographic origin of his or her or another person‘s goods, services, or commercial activities[.]
With the
But our court has developed some good guideposts. Commercial speech is actionable if it is “specific and measurable,” “capable of being proved false or of being reasonably interpreted as a statement of objective fact.” Ariix, 985 F.3d at 1121. In other words, “a statement that is quantifiable, that makes a claim as to the specific or absolute characteristics of a product” may be actionable under the
Ariix is a good example of how these principles work. In that case, a nutrition-and-health research company published a guide that compared and reviewed nutritional supplements using a five-star rating system based on 18 criteria. 985 F.3d at 1111. It also awarded a “Medal of Achievement” to nutritional supplements manufacturers that meet two measurable conditions: (1) compliance with FDA‘s “good manufacturing practices” and (2) certification of product labels by an approved laboratory. Id. The research company portrayed itself to the public as independent, presenting only objective data and scientific analyses. But privately the company allegedly had financial ties to one manufacturer of nutritional products. Id. at 1112. The company was then accused of improperly manipulating the rating system and withholding the certification from a competing manufacturer that met the two conditions. Id. at 1112-13.
We first considered whether the company‘s five-star ratings were actionable. 985 F.3d at 1121. We said no. Even though the ratings were purportedly based on “objective and scientific criteria,” we still held that they were not factual. Id. That‘s because “there is an inherently subjective element in deciding which scientific and objective criteria to consider.” Id. As an example, we compared the ratings to college or law school rankings. While objective criteria go into the rankings (like acceptance rates, test scores, and class size), “selecting those criteria involves subjective decision-making.” Id. Thus, we concluded that the ratings were “simply statements of opinion about the relative quality of various nutritional supplement products.” Id.; cf. Underwager v. Channel 9 Australia, 69 F.3d 361, 367 (9th Cir. 1995) (concluding statements must rest “on a core of objective evidence” to be provable as true or false under defamation law).
So boiled down, whether commercial speech is actionable depends on whether the statement implies something that can be proven false.
With this legal background, I turn to Enigma‘s claims against Malwarebytes.
B.
Here, we must determine whether Malwarebytes’ statements calling Enigma‘s products “potentially unwanted,” a “threat,” or “malicious” can be proven false. Given that each warning has an “inherently subjective element,” id. at 1121, the answer is no. Even if Malwarebytes employed these terms to protect its products from competition from Enigma, there are no dispositive, objective criteria that would allow us to police whether the three terms were falsely used against Enigma. In other words, unlike the certification in Ariix, the three statements aren‘t “binary determinations.” Id. Contrary to Enigma‘s claims, a program isn‘t simply “potentially unwanted” or not. A software program isn‘t verifiably a “threat” or not. And a website isn‘t measurably “malicious” or not. In the cybersecurity context, these terms refer to a spectrum of digital features with no verifiable line to cross to determine when they apply. Cf. Underwager, 69 F.3d at 367 (“the term ‘lying’ applies to a spectrum of untruths including ‘white lies,’ ‘partial truths,’ ‘misinterpretation,’ and ‘deception‘” and so is nonactionable). They thus depend on “subjective decision-making,” Ariix, 985 F.3d at 1121, requiring the exercise of judgment to determine when the warning is warranted.
Without a “core of objective evidence” to assess the accuracy of the use of the warnings, Underwager, 69 F.3d at 367, no reasonable factfinder can say that Malwarebytes made a false representation of fact in labeling Enigma‘s products or website as a “threat,” “malicious,” or “potentially unwanted.” In fact, nowhere does Enigma offer an objective, measurable definition of the warnings from which we may draw an implication of testable falsehoods. Instead, Enigma hints that they carry “specific factual meanings” in the cybersecurity field and discovery is required before we may fully understand this. As shown below, this is not enough to state a claim under the
i. Potentially Unwanted Program
Take the phrase “potentially unwanted program.” That designation inherently requires some guesswork-estimating whether a program would be wanted-as made clear by using the term “potentially.” And “unwanted” fits within the type of nonactionable “personal assessments or criticisms” that enjoy
Malwarebytes was thus explicit that subjectivity inhered in its “potentially unwanted program” determinations. As in Ariix, when a company develops a rating or designation containing “inherently subjective element[s],” like the eight criteria here, the designation cannot be actionable. Even if some of Malwarebytes’ criteria could be treated as objective and technical, it would have no impact on the analysis. That‘s because “there is an inherently subjective element in deciding which scientific and objective criteria to consider.” Ariix, 985 F.3d at 1121. And the weight assigned to each criterion would also reflect Malwarebytes’ subjective assessment of what constitutes a “potentially unwanted product.” Id.
In response, Enigma offers no objective, factual definition of its own. Nor does Enigma provide any evidence that the term has an agreed-upon and well-known meaning in the cybersecurity world. Indeed, Enigma‘s own allegations prove the phrase‘s subjective nature. For instance, Enigma‘s complaint alleges “Malwarebytes’ new criteria rejected specific objective or scientific standards in favor of subjective characteristics.” Similarly, Enigma repeatedly criticized Malwarebytes’ criteria as “subjective,” “vague,” and “self-serving“-grounds on which we have previously held statements unactionable under the
ii. Threat
The analysis of the “threat” designation fares no better. Start with its ordinary meaning. Like “potentially” unwanted programs, “threat” generally refers to a ”possible source of harm or danger.” American Heritage Dictionary of the English Language (5th ed. 2011) (emphasis added). Given its tentative nature, it is not an absolute or specific measurement. And, as with “unwanted,” a “source of harm or danger” involves a subjective determination. See, e.g., Hernandez v. Scottsdale Hotel Grp. LLC, 2020 WL 6827745, at *3 (D. Ariz. Nov. 20, 2020) (holding the word “threatening” in a defamation suit “is not provable or falsifiable“). Indeed, Malwarebytes’ user guide emphasizes that some programs or files categorized as “threats” are “not malicious” and “[i]t is up to individual users to research and make this determination.” Malwarebytes User Guide, “Quarantine,” § 8.1 (2016).
Enigma, for its part, doesn‘t contend that there is a single criterion for identifying software as a “threat.” Instead, it suggests that the term is “widely used” and “commonly understood” in cybersecurity-pointing
First, Enigma offers the National Institute of Standards and Technology (“NIST“) glossary for a definition of “threat.” But NIST‘s glossary has no fewer than 20 definitions for “threat.”1 Those definitions range from “[a]ny circumstance or event with the potential to adversely impact organizational operations . . . through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service” to “an activity, deliberate or unintentional, with the potential for causing harm to an automated information system or activity.” Id. Thus, “threat” is defined in only the broadest terms-“potential” for “harm” and “adverse[] impacts“-with no attempt to narrow the field. And NIST prefaces its glossary with the warning that “[t]erminology changes over time” and its definitions may “contain potentially biased terminology.” Id.
Next, Enigma asks us to adopt the International Organization for Standardization‘s (“ISO“) definition of “threat.” It provides that a “threat” is “a potential cause of an unwanted incident, which can result in harm to a system or organization.” ISO/IEC 27000, Info. Sec. Mgmt. Standard, at 10 (2018). The problems with this definition are obvious. It requires a subjective assessment of what is “unwanted,” and it requires some guessing because it applies to anything that “potential[ly]” causes harm. As with “potentially unwanted programs,” such a definition offers no measurable or objective guidance.
Finally, Enigma looks to the definition of “cybersecurity threat” from the
“[A]n action, not protected by the
First Amendment to the Constitution of the United States , on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.”
Nothing in these definitions supplies an objective, measurable basis to assess the term‘s veracity. In fact, Enigma‘s identification of multiple meanings for “threats” by itself shows that the term represents an opinion rather than a fact. See Steam Press Holdings, Inc. v. Hawaii Teamsters, Allied Workers Union, Loc. 996, 302 F.3d 998, 1008-09 (9th Cir. 2002) (approving argument that a phrase “subject to multiple interpretations” is not “susceptible of verification“). As we‘ve said, when a term or phrase lacks a “singular” and “concrete” meaning, it cannot be “readily verifiable.” Id. at 1009. So Enigma‘s own attempt to provide meaning to the term only establishes its vague and unfalsifiable nature.
iii. Malicious
Nor does “malicious” have an objective and absolute measurement. In its complaint,
Likewise, whether Enigma‘s “Countermeasure” to disable Malwarebytes’ software was “harmful” and “disruptive” is a matter of opinion. To Malwarebytes, a website that offered a program that deliberately targeted and removed its anti-malware products could fit the bill. To Enigma, its website was innocuous and only allowed its customers the choice to continue to use its products without interference from Malwarebytes. Rather than weighing in on this difference of opinion, we should have allowed the market to decide who is right.
C.
Ignoring the problems with the inherent subjectivity of these terms, the majority presses on with the expansion of
First, Enigma has never alleged that Malwarebytes violated the
To justify the sua sponte amendment of Enigma‘s complaint, the majority looks to Malwarebytes’ user guide, which explains that a default setting for its scan configuration “[t]reat[s] detections” of potentially unwanted programs “as malware.” Maj. Op. 14 n.4. But this allegation is irrelevant because the majority agrees that calling something “potentially unwanted” is “too unspecific” to be actionable under the
Second, while acknowledging that “judges are not experts in the cybersecurity field,” the majority invents its own verifiable definition of “malware” for the field-“software [created] with the intent to gain unauthorized access to a computer for some nefarious purpose.” Id. The majority then concludes that “malware can come in many in forms including ‘viruses, spyware, adware, ransomware, and Trojans.‘” Id. at 14. And finally, the majority says that these terms can be objectively determined. Id. at 14.
Even if Enigma‘s complaint had alleged that Malwarebytes designated Enigma‘s products as “malware” and if this definition were plausible, the majority‘s terminology admits subjectivity. One needn‘t be an expert in cybersecurity to see why. Take “adware.” Adware monitors users’ online activities and habits, typically without their knowledge, and uses the collected data to display targeted advertisements or sell to third parties. Adware usually comes bundled with free software (e.g., games, browser extensions, media players), allowing developers to generate revenue and continue developing useful and free software. Adware can expose sensitive data and slow or disrupt one‘s computer, though it also helps serve users with more relevant ads. And typically, the user has inadvertently authorized and consented to the adware‘s operation via a terms and conditions agreement. In such cases, has the adware been created and employed for “some nefarious purpose?” This is plainly a subjective question that will elicit different responses from different people.
The majority also insists that “[j]ust like the certification at issue in Ariix,” the “malware” designation “can be reduced to ‘a binary determination’ based on ‘falsifiable criteria.‘” Maj. Op. 14. It would seem the majority conflates the ability to phrase something as a binary determination, with the objectivity of that determination. One could also say, “whether green is the best color is objective and verifiable, because either it is the best, or it‘s not the best.” But clearly that‘s a subjective question-appending “it is or it isn‘t” doesn‘t make the determination objective and verifiable. See ZL Techs, Inc. v. Gartner, Inc., 709 F. Supp. 2d 789, 798 (N. D. Cal. May 3, 2010). And calling Enigma‘s products a “threat” or “malicious” is far from Ariix saying a manufacturer didn‘t comply with FDA standards or obtain the appropriate laboratory certification-both falsifiable criteria. Ariix, 985 F.3d at 1122.
* * *
In sum, Enigma cannot base its false advertising claim on nonactionable opinions, like the phrases here. We thus should have affirmed the dismissal of the
III.
Not only is Enigma‘s failure to allege a misstatement of fact dispositive on the
First,
Second, Enigma‘s claim for tortious interference with business relations is not viable under either California or New York law. In California, “interference with prospective economic advantage requires a plaintiff to allege an act that is wrongful independent of the interference itself.” CRST Van Expedited, Inc. v. Werner Enters., Inc., 479 F.3d 1099, 1108 (9th Cir. 2007). “[A]n act is independently wrongful if it is unlawful, that is, if it is proscribed by some constitutional, statutory, regulatory, common law, or other determinable legal standard.” Korea Supply Co. v. Lockheed Martin Corp., 63 P.3d 937, 954 (Cal. 2003). New York has adopted a similar general rule requiring an “independently unlawful act” for tortious interference with a business relationship. Carvel Corp. v. Noonan, 818 N.E.2d 1100, 1103 (N.Y. 2004). There is an “exception” in New York, however, when a defendant engages in “egregious wrongdoing” in the absence of an independent act, like acting for the “sole purpose of inflicting intentional harm on plaintiffs.” Id. at 1102-03 (simplified).
Here, because Enigma‘s
Third, I agree with the majority that Enigma failed to plead tortious interference with a contract-although I would hold it failed to do so under both New York and California law. Enigma‘s claim fails under California law because it doesn‘t allege an “independently wrongful act,” as discussed above. See Ixchel Pharma, LLC v. Biogen, Inc., 470 P.3d 571, 580 (Cal. 2020) (“We therefore hold that to state a claim for interference with an at-will contract by a third party, the plaintiff must allege that the defendant engaged in an independently wrongful act.“). And the claim must be dismissed under New York law because Enigma hasn‘t alleged a breach of a specific contract. See NBT Bancorp Inc. v. Fleet/Norstar Fin. Grp., Inc., 664 N.E.2d 492, 495-96 (N.Y. 1996) (Absent wrongful means, there is no tort “[w]here there has been no breach of an existing contract[.]“).
IV.
For all these reasons, we should have affirmed the district court‘s order. I respectfully dissent.
