DOJ Gets Involved in Antitrust Case Against Symantec and Others Over Malware Testing Standards

The U.S. Department of Justice Antitrust Division has inserted itself into a case that questions whether the Anti-Malware Testing Standards Organization, Inc. (AMTSO) and some of its members are creating standards in a manner that violates antitrust laws.

AMTSO says it is exempt from such per se claims by the Standards Development Organization Advancement Act of 2004 (SDOAA). Symantec Corp., an AMTSO member, says the more flexible “rule of reason” applies – that it must be proven that standards actually undermine competition, which the recommended guidelines do not.

NSS Labs, Inc., is an Austin, Texas-based cybersecurity testing company which offers services including “data center intrusion prevention” and “threat detection analytics.”

In addition to Symantec, AMTSO members include widely recognized names like McAfee and Microsoft, as well as names known well in cybersecurity circles: CarbonBlack, CrowdStrike, FireEye, ICSA, and TrendMicro. NSS Labs also is a member, but says it is among a small number of testing service providers. The organization is dominated by product vendors who easily outvote service providers like NSS, AV-Comparatives, AV-Test and SKD LABS, NSS maintains; the organization disputes these claims.

On Sept. 19, 2018, NSS Labs filed suit in U.S. District Court for the Northern District of California against AMTSO, CrowdStrike (since voluntarily dismissed), Symantec, and ESET, alleging the product companies used their power in AMTSO to control the design of the malware testing standards, “actively conspiring to prevent independent testing that uncovers product deficiencies to prevent consumers from finding out about them.” The industry standard requires a group boycott that restrains trade, NSS Labs argues, hurting service providers (NSS Labs v. CrowdStrike, et al., No. 5:18-cv-05711-BLF, N.D. Calif.).

The case is before U.S. District Judge Beth Labson Freeman in Palo Alto, who has presided over a number of high-profile matters.

AMTSO moved to dismiss NSS Labs’ suit, citing its exemption from per se antitrust claims because of its status as a standards development organization (SDO). Further, it argues that the group is open to anyone and, while there are three times more vendors than testing service providers in the organization, that reflects the market itself.

On June 26, the DOJ Antitrust Division asked the court not to dismiss the case because further evidence is needed to determine whether the exemption under the SDOAA is justified.

AMTSO countered that the primary reason the case should be dismissed has “nothing to do” with the SDOAA. NSS failed to allege that AMTSO participated in any boycott, the organization says. All the group has done is “adopt a voluntary standard and foster debate about its merits, which is not illegal at all, let alone per se illegal,” the group says, adding that the Antitrust Division is asking the court to “eviscerate the SDOAA.”

Symantec first responded to the suit with a public attack on NSS Labs itself, criticizing its methodology and lack of transparency in its testing procedures, as well as the company’s technical capability and its “pay to play” model in conducting public tests. NSS Labs’ leadership team includes a former principal engineer in the Office of the Chief Security Architect at Cisco, a former Hewlett-Packard professional who established and managed competitive intelligence network programs, and an information systems management professional who formerly held senior management positions at Deloitte, IBM and Aon Hewitt.

On July 8, Symantec responded to the Antitrust Division’s statement of interest. It argued that the SDOAA does not provide an exemption from antitrust laws. Instead, it offers “a legislative determination that the rule of reason – not the per se rule” applies to standard setting activities. “That simply means the plaintiff must prove actual harm to competition, rather than relying on an inflexible rule of law,” Symantec says.

The company wrote that the government may have a point, albeit a moot one. “Symantec does not believe so, but perhaps the Division is right that there is a factual question about whether AMTSO’s membership lacks the balance the statute requires for the exclusion from per se analysis to apply,” Symantec says. Either way, the company argues, it doesn’t matter to the motions for dismissal because the per se rule does not apply.

Judge Freeman has set deadlines for disclosures, discovery, expert designations, and Daubert motions, with a trial date of Feb. 7, 2022.

Commentary

The antitrust analysis of standards setting is one of the sharpest of two-edged swords: When it works properly, it reflects a technology-driven process of reaching an industry consensus that often brings commercialization and interoperability of new technologies to market. When it is undermined, however, it reflects concerted action among competitors that agree to exclude disfavored technologies in a way that looks very much like a group boycott, a per se violation of Section 1 of the Sherman Act.

Accordingly, the Standards Development Organization Advancement Act of 2004 (SDOAA) recognizes that, when they are functioning properly, exempting bona fide standards development organizations (SDOs) from liability for per se antitrust violations can promote the pro-competitive standard setting process. But when do SDOs “function properly”? The answer is entirely procedural, and is embodied in the statutory definition of SDO: an organization that “incorporate[s] the attributes of openness, balance of interests, due process, an appeals process, and consensus …”

The essential claim in the complaint by NSS Labs, therefore, is that the rules and procedures followed by AMTSO do not provide sufficient procedural safeguards to ensure that the organization arrives at a pro-competitive industry consensus rather than a group boycott for the benefit of one or a few industry players dressed in the garb of standard setting.

This is a factual inquiry that cannot be countered by a legal defense that simply declares the defendant is an SDO and, therefore, immune to suit under the statute. Whether the AMTSO is an SDO under the law or not depends on how it conducts itself, the make-up of its members, and its fidelity to the procedural principles embodied in the statute. The plaintiff’s claim is that AMTSO has not followed the procedural principles required to qualify as an SDO under the Act. This is a purely factual issue and, as such, cannot be resolved on a motion to dismiss.

The DOJ should be commended for urging the court to proceed to discovery to adduce the necessary facts to distinguish between legitimate standard setting and an unlawful group boycott, and it should continue to be vigilant in the face of SDOs and would-be SDOs that might be tempted to use the wrong side of the standard setting sword to commit anticompetitive acts instead of the right side to produce welfare-enhancing industry consensus.

This is particularly true in vital industries like cybersecurity. Government agencies, businesses, and consumers are constantly and increasingly at risk from ever-evolving cyber threats. It is therefore imperative that the cybersecurity market remains competitive to ensure development of the most effective security products.


© MoginRubin LLP
This article was written by Jonathan Rubin and Timothy Z. LaComb of MoginRubin & edited by Tom Hagy for MoginRubin.

The Tor Browser Afforded CDA Immunity for Dark Web Transactions

The District of Utah ruled in late May that Section 230 of the Communications Decency Act, 47 U.S.C. §230 (“CDA”) shields The Tor Project, Inc. (“Tor”), the organization responsible for maintaining the Tor Browser, from claims for strict product liability, negligence, abnormally dangerous activity, and civil conspiracy.

The claims were asserted against Tor following an incident where a minor died after taking illegal narcotics purchased from a site on the “dark web” on the Tor Network. (Seaver v. Estate of Cazes, No. 18-00712 (D. Utah May 20, 2019)). The parents of the child sued, among others, Tor as the service provider through which the teenager was able to order the drug on the dark web. Tor argued that the claims against it should be barred by CDA immunity and the district court agreed.

The Onion Router, or “Tor” Network, was originally created by the U.S. Naval Research Laboratory for secure communications and is now freely available for anyone to download from the Tor website.  The Tor Network allows users to access the internet anonymously and allows some websites to operate only within the Tor network. Thus, the Tor Network attempts to provide anonymity protections both to operators of a hidden service and to visitors of a hidden service. The Tor browser masks a user’s true IP address by bouncing user communications around a distributed network of relay computers, called “nodes,” which are run by volunteers around the world. Many people and organizations use the Tor Network for legal purposes, such as for anonymous browsing by privacy-minded users, journalists, human rights organizations and dissidents living under repressive regimes. However, the Tor Network is also used as a forum and online bazaar for illicit activities and hidden services (known as the “dark web”). The defendant Tor Project is a Massachusetts non-profit organization responsible for maintaining the software underlying the Tor browser.

To qualify for immunity under the CDA, a defendant must show that 1) it is an “interactive computer service”; 2) its actions as a “publisher or speaker” form the basis for liability; and 3) “another information content provider” provided the information that forms the basis for liability. The first factor is generally not an issue in disputes where CDA immunity is invoked, as websites or social media platforms typically fit the definition of an “interactive computer service.” The court found that Tor qualified as an “interactive computer service” because it enables computer access by multiple users to computer servers via its Tor Browser.  The remaining factors were straightforward for the court to analyze, as the plaintiff sought to hold Tor liable as the publisher of third-party information (e.g., the listing for the illicit drug).

The outcome was not surprising, given that courts have previously dismissed tort claims against platforms or websites where illicit goods were purchased (such as the recent Armslist case decided by the Wisconsin Supreme Court where claims against a classified advertising website were deemed barred by the CDA).

The court’s ability to even hear the case also posed interesting jurisdictional questions, as the details of the Tor network are shrouded in anonymity and there are no accurate figures as to how many users or nodes exist within the Utah forum. The court determined that, under plaintiff’s rough estimation, there were around 3,000-4,000 Utah residents who used Tor daily and, perhaps, became part of the service (“Plaintiff has set forth substantial evidence to support the assumption that many of these transactions and relays are occurring in Utah on a daily basis”). In a breezy analysis, the court found that plaintiff had provided sufficient evidence to set forth a prima facie showing that Tor maintains continuous and systematic contacts in the state of Utah so as to satisfy the general jurisdiction standard.

This case is a reminder of the breadth of the CDA, as well as a reminder that many of its applications result in painful and somewhat controversial outcomes.

© 2019 Proskauer Rose LLP.

Article by Stephanie J. Kapinos of Proskauer Rose LLP.


Recent IT Outsourcing Study Finds Continued Growth Led by Large Organizations

A recently released study assessing current trends in the use of IT outsourcing found that spending on IT outsourcing is rising at a rate in step with IT operational budgets as a whole, led by large organizations (those with IT operating budgets of $20 million or greater) that spend 7.8% of their IT budgets on outsourcing at the median. The study’s findings also highlight a number of trends within organizations’ IT outsourcing priorities:

  • Shifting Trends in Some IT Outsourcing Functions. The study found that the outsourcing of some IT functions is growing, while outsourcing of other functions is shrinking. For example, more organizations are outsourcing IT security, e-commerce systems, and application hosting, while fewer organizations are outsourcing help desk, desktop support, and application maintenance functions.

  • Continued Growth of Software as a Service. Application hosting was the most frequently outsourced IT function identified in the study. It found that 65% of organizations that currently outsource application hosting intend to increase the amount of work outsourced for that function.

  • Outsourcing Versus In-House. Among organizations that outsource IT functions, the study showed help desk and web/e-commerce operations were the IT functions with the largest percentage of work moved to outside service providers. Application hosting and IT security were the IT functions for which organizations tend to perform the most work in-house.

  • Potential for Cost Savings and Value. Among the functions examined by the study, outsourcing of disaster recovery and desktop support were found to have the greatest potential for reducing costs. The outsourcing of web/e-commerce, desktop support, disaster recovery, and IT security were found to deliver the best overall value for organizations by saving money and improving service levels.

Copyright © 2015 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

Allvoice Decision Provides Roadmap For Software-based Inventions

In a refreshing break from Alice/Mayo abstract idea based 35 U.S.C. § 101 rejections, the Federal Circuit released a decision invalidating certain claims of U.S. Patent No. 5,799,273 as not being directed to one of the four statutory categories of inventions (see Allvoice Developments US, LLC, v. Microsoft Corp., CAFC 2014-1258, decided May 22, 2015). The matter was on appeal, by Allvoice, from a district court decision invalidating claims 60-68 as non-statutory subject matter. The decision also affirms a non-infringement decision by the district court; while interesting, that portion of the decision is not the focus of this post.

The claims of the ‘273 Patent at issue were directed towards a speech-recognition “interface,” see claim 60 reproduced below. Both the CAFC and the district court interpreted, probably correctly, the claimed interface as software without any tangible form (e.g., not interpreted as instructions on a computer-readable medium or as part of a tangible system).

60.  A universal speech-recognition interface that enables operative coupling of a speech-recognition engine to at least any one of a plurality of different computer-related applications, the universal speech-recognition interface comprising:

input means for receiving speech-recognition data including recognised words;

output means for outputting the recognised words into at least any one of the plurality of different computer-related applications to allow processing of the recognised words as input text; and

audio playback means for playing audio data associated with the recognised words. ’273 Patent, col. 29 ll. 22–34.

Allvoice essentially reinforces the Court’s interpretation by asserting that the claimed speech-recognition interfaces are described in the specification as “interface applications,” and thus the claims are limited to software. Allvoice attempts to clarify their position by further asserting that the claims should be interpreted as reciting “software instructions,” and further asserting that the instructions must necessarily be in a machine readable, physical state, in order to exist. It is interesting to consider whether the decision in this case might have been different if Allvoice had been able to argue an interpretation of the “means” elements as including hardware components of a system. Unfortunately, such an interpretation was either not supported by the specification, or not pursued for other reasons by the litigation team.

The Court dismisses Allvoice’s assertions regarding the implied physical form, stating “this Court has recognized, instructions, data, or information alone, absent a tangible medium, is not a manufacture.” (Citing Digitech Image Techs., 758 F.3d at 1349–50 (rejecting a patentee’s attempt to argue that the disputed claims were subject matter eligible because the claim language did not describe “any tangible embodiment of this information (i.e., in physical memory or other medium) or claim any tangible part of the digital processing system”).) Earlier in the decision, the Court had already determined that the claims were clearly not directed to a process. Thus, because the claims were not directed to a tangible article and were not process claims, the district court’s invalidity holding was upheld.

The good news from this case is that the Court provides a fairly clear roadmap for claiming software-based inventions – software must be claimed as a process (method) or as instructions on a machine-readable medium (tangible manufacture), at least outside of a system claim. While this case does not seem to cover any “new” ground per se, it does clearly reinforce that claims directed to pure software, such as the recited speech-recognition interfaces, and not fashioned as a process or machine-readable medium are not likely to find favor in the courts.

© 2015 Schwegman, Lundberg & Woessner, P.A. All Rights Reserved.

Microsoft Ordered to Hand Over Data to the U.S. Government

Proskauer Law firm

In April, Microsoft tried to quash a search warrant from law enforcement agents in the United States (U.S.) that asked the technology company to produce the contents of one of its customers’ emails stored on a server located in Dublin, Ireland. The magistrate court denied Microsoft’s challenge, and Microsoft appealed. On July 31st, the software giant presented its case in the Southern District of New York, where it was dealt another loss.

U.S. District Judge Loretta Preska, after two hours of oral argument, affirmed the magistrate court’s decision and ordered Microsoft to hand over the user data stored in Ireland in accordance with the original warrant. Microsoft argued that the warrant exceeded U.S. jurisdictional reach. However, the court explained that the decision turned on section 442(1)(a) of Restatement (Third) of Foreign Relations. The provision says that a court can permit a U.S. agency “to order a person subject to its jurisdiction to produce documents, objects or other information relevant to an action or investigation, even if the information or the person in possession of the information is outside the United States.” Because Microsoft is located in the U.S., the information it controlled abroad could be subject to domestic jurisdiction.

Microsoft had the support of large U.S. technology companies, including Apple, AT&T and Verizon. The larger issue for these companies lies in the U.S. government’s power to seize data and content held in the cloud and stored in locations around the world. When a conflict arises between the data sharing laws of the country where the servers are located and U.S. law, it can put these companies in the difficult position of choosing to follow one country’s laws over the other.

Microsoft further argued that the ramifications for international policy are substantial. The company argued that compelling production of foreign stored information was an intrusion upon Irish sovereignty. It said that the decision could be interpreted by foreign countries as a green light to make similar invasions into data stored in the U.S. However, Judge Preska dismissed these concerns as diplomatic issues that were incidental and not of the court’s immediate concern.

The order has been stayed pending appeal.
