The Ninth Circuit Court of Appeals has handed an important victory to the Internet security industry. In its June 25 opinion in Zango, Inc. v. Kaspersky Lab, the court interpreted a statutory immunity generally understood to protect internet service providers (ISPs) to cover also sellers of software that protects users against spyware and adware.

Sunstein Kann Murphy & Timbers LLP represented Kaspersky Lab, the victor in this case. An amicus brief in support of Kaspersky was signed by, among others, the Electronic Frontier Foundation and the Business Software Alliance, entities that do not often pull in the same direction.

Zango, Inc., an operator of websites providing downloadable videos and other programs, sued Kaspersky, alleging that the Kaspersky software improperly classified Zango’s downloads as “adware” and thus improperly blocked potential users from downloading Zango’s programs.

Kaspersky argued that it was immune from Zango’s lawsuit under the safe harbor provision of the Communications Decency Act of 1996. The safe harbor provision was enacted to promote the ability of computer users to shield themselves (and their children) from objectionable content.

Section 230(c)(2) of the Act states :

“No provider or user of an interactive computer service shall be held liable on account of:

(A) any action … taken … in good faith to restrict access to .. material that the provider or user considers to be … objectionable; or

(B) any action taken … to make available … the technical means to restrict access to [objectionable] material.”

This paragraph seems clearly to cover actions taken by ISPs that offer content filtering services. But does it apply to sellers of anti-virus software? And does the absence of the phrase “good faith” in paragraph (B) suggest that it provides even broader protection than paragraph (A)?

These questions presented novel legal issues, attracted national attention and required creative advocacy in order to gain for Kaspersky the right to protect its customers from the adware promulgated by Zango.

Kaspersky was not alone in seeking to protect consumers from Zango’s product offering. In November 2006, Zango entered into a consent decree with the Federal Trade Commission, which had objected to the surreptitious manner in which Zango injected alleged adware or spyware into the computers of consumers, its display of unwanted pop-up ads, and its failure to supply consumers with an easy means of removing the software. Clearly, Zango had not built a reservoir of good will in the internet community.

According to Zango, Kaspersky’s software automatically crippled Zango’s software without giving the user the option to preserve it. Zango alleged that other anti-virus software was less harsh in its treatment of Zango, offering customers a choice to ignore an advisory warning about the software.

Zango brought an action against Kaspersky in Washington state court alleging a variety of business torts, including libel. Kaspersky removed the case to the federal district court, invoked the immunity of Section 230(c), and won a summary judgment. Zango appealed to the Ninth Circuit.

The core question was whether Kaspersky, as a seller of anti-virus software, qualified as the provider of an “interactive computer service” under Section 230(c)(2). The court held that it did, noting that the Kaspersky software updated itself regularly by logging onto a central server that contains new malware definitions.

Zango and its amici advocated for a narrower reading of “interactive computer service,” one that would be limited to software used to access content on the internet. The court rejected this narrow reading by digging into definitions provided by the Act.

These definitions suggest that immunity is available to a “provider of software … tools that … filter, screen, allow or disallow content, [or] pick, choose, analyze or digest content.” Since that is the purpose of the Kaspersky software, the court rejected Zango’s proposed narrow reading of the statute.

Zango had argued to the lower court that the matter was not ripe for summary judgment because there was a question of whether Kaspersky had acted in good faith. In making this point, Zango noted that clause (A) of Section 230(c)(2) imposes a good faith requirement, and argued that the same requirement should be inferred in interpreting clause (B), the language of which contains no such requirement.

The District Court rejected this theory, and Zango failed to preserve it for appeal. Thus, the Court of Appeals upheld the District Court without formally deciding whether Zango’s argument had merit.

A thoughtful concurring opinion worried that the court’s reading might immunize conduct taken for purely anticompetitive reasons. For example, what if a web browser filtered third-party search engine results so as to never yield websites critical of the browser company or favorable to its competitors?

A good faith requirement might, the concurrence notes, alleviate this potential issue. Nonetheless, the concurrence concluded that it is up to Congress, not the courts, to infuse Section 230(c)(2)(B) with a good faith qualification.

In short, the scope of the “Good Samaritan” immunity of Section 230(c) has been widened to include filtering software that updates itself by reference to a central server. Sunstein is proud to have represented Kaspersky Lab in this significant case, which reassures the makers of anti-spyware and anti-spam tools that developing robust user protections puts them on the right side of the law.