The Law and Business of Social Media
April 06, 2020 - Section 230 Safe Harbor, Litigation

Computer Service Providers Face Implied Limits on CDA Immunity

Computer Service Providers Face Implied Limits on CDA Immunity

Often lauded as the most important law for online speech, Section 230 of the Communications Decency Act (CDA) does not just protect popular websites like Facebook, YouTube and Google from defamation and other claims based on third-party content. It is also critically important to spyware and malware protection services that offer online filtration tools.

Section 230(c)(2) grants broad immunity to any interactive computer service that blocks content it considers to be “obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable.” Under a plain reading of the statute, Section 230(c)(2) clearly offers broad protection. With respect to what the phrase “otherwise objectionable” was intended to capture, however, the protections are less clear.

A federal district court in California recently had the opportunity to clarify the scope of this catchall phrase. In Asurvio LP v. Malwarebytes, Inc., the Northern District Court of California held that Section 230 provided Malwarebytes immunity for its allegedly anticompetitive conduct and tossed the case. To fully understand this decision, a comparison with an earlier (but still recent) Ninth Circuit decision, Enigma Software Grp. USA, LLC v. Malwarebytes, Inc., which found otherwise, is critical. Notably, the two cases involved the same defendant, like state and federal claims, and identical defense under Section 230 raised by Malwarebytes. Why, then, did the two decisions result in a different outcome? Certainly, the legislative objective behind Section 230 played a role. But, more importantly, the answer lies in the plaintiffs’ status as a direct competitor, a standard nowhere to be found in Section 230.

Enigma Software Grp. USA, LLC v. Malwarebytes, Inc.

Enigma Software involved directly competing security software developers. Generally, when these providers identify malicious programs based on self-identified criteria and a user later attempts to open or download those programs, the user is alerted of a security risk, discouraged from downloading and advised to block the content. For eight years, Malwarebytes flagged programs it viewed obtrusive, misleading or deceptive as malware. It later started to block programs that it believed its users did not seem to like. Among these blocked programs were Enigma’s most popular competing offerings.

Calling out the practice as anticompetitive, Enigma filed an action against Malwarebytes. Enigma claimed that Malwarebytes was engaging in deceptive business practices in violation of New York state law, interfering with business and contractual relations in violation of New York common law and violating the Lanham Act by deceiving Enigma’s potential consumers. Malwarebytes successfully transferred the case to the Northern District Court of California and countered, claiming that the catchall phrase of Section 230(c)(2) gave Malwarebytes immunity for amending its filtering guidelines, irrespective of any anticompetitive motives, which it, of course, denied existed.

The Ninth Circuit had to decide whether Section 230(c)(2) conferred on online service providers unfettered discretion to screen any material they considered objectionable by providing immunity from liability. In reversing the district court’s dismissal of Enigma’s claims, a split Ninth Circuit panel found that the catchall phrase did not contemplate programs considered objectionable solely for anticompetitive reasons. In reaching this conclusion, the panel turned to the goals Congress sought to achieve with Section 230.

The statutory aims of Section 230 include:

  • Promoting continued development of the Internet and interactive computer services;
  • Preserving the “vibrant and competitive free market” for the Internet and interactive computer services;
  • Encouraging the development of technologies that “maximize user control”; and
  • Removing barriers for the “development and utilization of blocking and filtering technologies” that help restrict minors’ access to indecent online content.

In light of these objectives, the Ninth Circuit held that an unqualified immunity would stifle rather than promote competition and forestall development of online blocking technology. The Ninth Circuit, therefore, found that “otherwise objectionable” does not encompass programs considered objectionable for purely anticompetitive reasons.

In a pointed dissent, Judge Rawlinson noted the court must presume that Congress “says in a statute what it means and means in a statute what it says.” Judge Rawlinson argued that the majority’s real complaint was not that the district court construed the statute too broadly, but that the statute is written too broadly. But, in his view, that defect, if it is a defect, is one beyond the courts’ authority to correct. Judge Rawlinson would have held that the Ninth Circuit had no authority to rewrite the CDA safe harbor. That is Congress’s job.

Asurvio LP v. Malwarebytes, Inc.

Against this backdrop, the Northern District Court of California was once again called upon to explore the scope of the catchall “otherwise objectionable” language. In Asurvio, the plaintiff developed “software solutions that work in real time in the background of the operating system to optimize processing and locate and install all missing and outdated software drivers” and provided “technical support services for the removal of Spyware and Malware and all other facets of personal computer use.” Starting in 2017, Asurvio listed its technical support services in its boilerplate terms and conditions, which included technical support for removing malware. Shortly thereafter, Malwarebytes classified Asurvio’s products as potentially unwanted programs and discouraged its users from using Asurvio’s programs. As in Enigma Software, Asurvio brought claims for tortious interference with contractual relations, unfair competition and violation of the Lanham Act. Just as it did in Enigma Software, Malwarebytes invoked Section 230(c)(2) immunity.

Pointing to Enigma Software, Asurvio argued that Section 230(c)(2) immunity did not protect Malwarebytes for screening Asurvio’s programs for anticompetitive purposes. The district court disagreed. Unlike Enigma, the court found that Asurvio was not Malwarebytes’ direct competitor. Asurvio, the court found, did not develop and market online filtration tools. The court also rejected Asurvio’s attempts to cast itself as a competitor, stating that a broad reading of competition would “render the statutory immunity meaningless.” Thus, because Asurvio did not directly compete with Malwarebytes, the limitations on Section 230(c)(2) recognized in Enigma Software were inapplicable. Malwarebytes was immune from liability, and Asurvio’s claims were altogether dismissed.


By drawing limits on Section 230(c)(2) immunity that appear nowhere in the statute, Enigma Software has been criticized as a “pro-spam, pro-virus and pro-spyware/adware” decision, which harmed both the public and developers of online blocking technologies. While Malwarebytes could not get the full Ninth Circuit to hear the case, it has expressed an intention to seek Supreme Court review and has until mid-May to make that filing.

It remains to be seen whether the Enigma Software decision will get Supreme Court review or whether federal courts outside of the Ninth Circuit will follow the same reasoning, but one thing is certain: Enigma Software introduced into Section 230(c)(2) new limits on Section 230 immunity, which the Asurvio court was obliged to follow. So, questions remain to be answered: how will courts define a direct-competitor? What about partial-competitors? What would be required to prove anticompetitive motives? Will courts impose other implied limitations on Section 230 immunity? How far will the courts go to carve out other conduct from Section 230 immunity? We will see how the law develops in this area.