kaspersky

kaspersky

Ninth circuit affirms rights of anti-malware companies

In an important case for the anti-malware industry, the United States Court of Appeals for the Ninth Circuit affirmed a lower court ruling that anti-virus firm Kaspersky was protected by section 230 of the Communications Decency Act (CDA) in deciding to block software by Zango, which Kaspersky deemed adware or spyware. StopBadware is a member of the Anti-Spyware Coalition, which filed an amicus brief encouraging the court to find in Kaspersky's favor. (Side note: one of Zango's products was labeled by us as badware prior to this lawsuit.)
At issue were three key questions:

  1. Is Kaspersky an "interactive service provider," which is the entity that is protected by CDA section 230. The courts found that it is, as the term is defined by the legislation to include providers of software intended to filter or disallow objectionable content.
  2. Is adware or spyware "objectionable content," as intended by CDA section 230? The courts found that it is, as the legislation is explicit in allowing the filtering of "content that the provider or user considers obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable."
  3. Does Kaspersky have to prove "good faith" in order to use CDA section 230 as a defense? The courts ruled that no such proof is necessary, as the section that Kaspersky is using as its defense does not include a good faith clause. (In a concurring opinion, one of the judges noted the potential for this section to be abused if there is no good faith requirement, but affirms that in the Zango v. Kaspersky case, Kaspersky does not have to prove good faith.)

The concern about the good faith clause is an important one. In fact, the ASC amicus brief specifically asked the court to consider whether the good faith provision in one section of the legislation could be implicitly applied to another section. The court left this at least somewhat open with the concurring opinion's stated concerns. While the judge's concern was about anti-competitive behavior (e.g., Symantec blocks access to McAfee's website as "objectionable"), one could imagine a case where a piece of badware, installed without a user's permission, tries to hide behind CDA 230 because the software is blocking access to content the "provider" (i.e., the badware distributor) considers objectionable. Hopefully, if such a case occurred, the courts would find that the intent of the law was not to provide enforced blocking on users without their knowledge or permission.
Overall, we're very pleased by the circuit court's decision, as it is critical for anti-malware companies to be able to warn about or block potentially unwanted software without fear of liability.

Tags: 
kaspersky, policy, stopbadware, zango

Zango vs Kaspersky Gains Broad Range of Interest

Posted on May 7, 2008 - 14:51 by lmallek

Brian Krebs "blogged yesterday":http://blog.washingtonpost.com/securityfix/2008/05/tech_groups_back_kasp... about a broad coalition of technology groups supporting Kaspersky, an internet security company, during its legal fight with Zango. Krebs writes that in May 2007 Zango sued Kaspersky "charging that the company interfered with its business" by removing Zango's software, which has been classified as adware by multiple groups.

Kaspersky does not deny that its program removes Zango-based software from computers. In August of 2007 the initial case was dismissed by a judge because the court believed that the Communications Decency Act (CDA) allows companies to remove software in order to protect users from material which may be considered objectionable.

Zango had previously faced off against the FTC in 2006. The "settlement":http://www.ftc.gov/opa/2006/11/zango.shtm that resulted from that investigation required the company to pay $3 million. Caroline McCarthy wrote at "CNet":http://www.news.com/Zango-reaches-settlement-with-FTC/2100-1032_3-613236... that the agreement also stipulated that "the company must adhere to FTC regulations that bar it from loading programs onto customers' computers and monitoring them without their consent." FTC spokesperson Lydia Barnes was quoted as saying: "It violates federal law to secretly install software that forces consumers to get pop-ups that disrupt their computer use."

The current case has drawn significant interest within both the security and business fields. A previous amicus brief was filed in favor of Zango by the National Business Coalition on E-Commerce and Privacy, an organization representing powerful corporate interests according to "Krebs":http://blog.washingtonpost.com/securityfix/2008/05/tech_groups_back_kasp.... Behavioral advertising and many other profitable marketing strategies depend on installing tracking cookies or web beacons on user computers, so they are actions businesses would like to protect. Thomas M. Boyd, attorney for the organization, represents company concerns that "a security software company has unreviewable power to decide that any content is objectionable and to deny user access to that content without any accountability for any damages that action may cause."

The "amicus brief":http://cdt.org/privacy/spyware/20080505amicus.pdf filed this week represents the other side of the issue in a broad coalition including the "Electronic Frontier Foundation (EFF)":http://www.eff.org/, the "Business Software Alliance (BSA)":http://www.bsa.org/, and the "Anti-Spyware Coalition":http://www.antispywarecoalition.org/. Ari Schwartz of the Anti-Spyware Coalition stated: "This is an extremely important case for consumers as to how security software protects them going forward, and whether the onus is put on the security company or [the adware vendor]." It is relevant to all the companies that classify Zango software as "adware" such as Microsoft (which removed 7.1 million instances of Zango software from customer computers) and Symantec (which has a description of Zango's adware attributes "here":http://www.symantec.com/security_response/writeup.jsp?docid=2003-080410-...).

This case remains one to watch, as business and technology duke it out over consumers and rights.

Note: This blog post was updated on May 8, 2008 to make corrections regarding Zango's 2006 involvement with the FTC.

Tags: 
adware, kaspersky, litigation, security, zango