Keeper Security Reminds Everyone Why You Shouldn't Use It; Doubles Down On Suing Journalist

Free Speech

from the which-is-harming-its-reputation-more? dept

Back in December, we wrote about a blatant SLAPP suit filed by Keeper Security against Ars Technica and its reporter Dan Goodin. Keeper makes a password manager product, and Goodin wrote an article, based on a flaw discovered by Google’s Tavis Ormandy. The flaw impacted the browser extension that works with Keeper’s application. Keeper took offense to certain elements of the article, and in particular to the idea that Microsoft had forced people to install the flawed software (since the flaw was actually in the browser extension, which is optional). Keeper Security also felt that the article implied that users of its software were vulnerable to a broad attack that put their passwords at risk, when the details suggested it was a more narrow (but still pretty bad) flaw that would require a specific set of circumstances to expose passwords, and there was no evidence that such a set of circumstances existed.

As we noted, however, the lawsuit was clearly bullshit. It was clearly an attempt to stifle negative press about a pretty bad flaw. In February, Ars Technica and Goodin filed both a Motion to Dismiss as well as a Motion to Strike under California’s anti-SLAPP law. Both are well argued and worth reading. The Motion to Dismiss hits on all the expected points on why there’s no legitimate defamation claim. The summary covers the highlights:

Defendants truthfully reported the findings of a noted Google researcher that there was a security vulnerability in Plaintiff?s password manager product, which had been bundled with Microsoft?s Windows 10 operating system. Plaintiff does not dispute that the flaw existed. Nevertheless, in response to Defendants? truthful report, Plaintiff tried to bully Mr. Goodin into editing his news article to use language more to Plaintiff?s liking; Mr. Goodin agreed to make certain edits, and declined others, standing by the accuracy of the reporting.

The would-be ?inaccuracies? Plaintiff identifies in the article are ? at best ? of secondary importance, and do not affect the article?s true ?gist or sting?; for that reason alone, the Complaint fails as a matter of law. Furthermore, most of the statements that the Complaint alleges are ?false and misleading? don?t have anything to do with Plaintiff, but rather, Microsoft. Such statements are not ?of and concerning? Plaintiff and cannot be the basis for a defamation claim. Still other statements are subject to an innocent construction and are pure opinion, and not actionable under Illinois law for those additional reasons. Simply put, Defendants? article uttered no falsehood that could have defamed Plaintiff. Nor does Plaintiff remotely plead publication with actual malice as required by the First Amendment.

Plaintiff?s assertion that ?[t]he goal, and result, of the Article was to injure Keeper and its employees, and disparage Keeper?s products? … is baseless hyperbole. The fact is, Plaintiff brought this lawsuit seeking to punish, and ultimately enjoin, publication of essential journalism on an matter of vital public concern ? cybersecurity ? involving a conceded vulnerability in Plaintiff?s product. The technology community is open and transparent in policing such vulnerabilities, and rightly so. Plaintiff, above all, should be interested in ensuring consumers are protected from potential threats ? not in using litigation to chill public discussion of such threats. Permitting this case to go forward would not only be contrary to law, it would have a profoundly negative impact on important cybersecurity research and reporting generally.

More specifically, the motion highlights that all of the statements at issue in the case fail to meet the standards of defamation in that they are substantially true, subject to “innocent construction” (that is, they can easily be read in a non-defamatory manner), not even about Keeper Security (but about Microsoft) or non-actionable opinions. Furthermore, the motion notes that Keeper Security fails to plead actual malice, which is necessary as Keeper is a public figure (“actual malice” being the Supreme Court’s required standard for defamation cases involving a public figure, and which has a specific definition of defamatory content that the authors knew was false, or which was posted with “reckless disregard” for whether or not it was false).

It’s a pretty typical and well plead motion to dismiss. As for the anti-SLAPP motion, Ars/Goodin’s lawyers decided to argue that choice of law principles require California’s anti-SLAPP law to apply. Illinois, where Keeper is based and where the lawsuit is filed, does have its own anti-SLAPP law, but it’s weaker than California’s. I’m of the belief that it’s proper to apply the anti-SLAPP law of the state of the speaker (even when applying the defamation law and venue of the plaintiff), since that state has the greater interest in protecting the First Amendment rights of its residents, and many courts have agreed. But not all.

Keeper has now (not surprisingly) opposed both motions (here’s the opposition to the MTD and here’s the opposition to the anti-SLAPP claim, both initially spotted by Zack Whittaker). Both of those filings are highly unconvincing.

Its opposition to the motion to dismiss is basically to just repeat certain phrases that it insists are defamatory — taking them completely out of context. This is pretty weak, because once the statements are inevitably put back into context, it’s difficult to see how Keeper has much of a case. It admits that Goodin corrected certain points upon learning of errors, and what’s left are statements that are either mostly true or are clearly opinion. For example, this statement is one that Keeper insists is defamatory:

The flaw was almost identical to one the same researcher disclosed in the same manager plugin 16 months ago that allowed websites to steal passwords.

But that’s clearly an opinion based on disclosed facts about the two flaws. It’s not defamatory at all. Also, the following statement is listed by Keeper as being defamatory, but again, is clearly a statement of non-actionable opinion:

If an outsider can find a bug similar to the 16-month-old vulnerability so quickly and easily, it stands to reason people inside the software company should have found it first.

That Keeper is continuing to push these claims reflects really, really poorly on them. The company insists it had to file this lawsuit to protect its reputation, but it seems quite clear that this lawsuit is what’s harming Keeper’s reputation. As a fan of password managers, I will never recommend Keeper to anyone. And not because of the flaws. Every one of these products discovers flaws eventually. But because it’s suing a journalist for covering it. So the following statement by Keeper in its opposition is pretty ridiculous:

The users of Keeper?s product rely on the integrity of the Keeper product and the reputation of Keeper in deciding to use the Keeper software.

Right. And suing journalists for writing about your flaws is a pretty damn good way to kill that reputation. As we pointed out in our original post on the lawsuit, lots and lots of security experts publicly suggested people stay away from Keeper because of the lawsuit not because of the flaw.

Keeper also claims its not a public figure, and thus doesn’t need to show actual malice (though claims it can). First of all, it absolutely is as public figure under defamation law. As Ars/Goodin’s motion points out, the company itself touts how it’s an “innovator and leader” and “one of the world’s most downloaded.” Second, as for the claims that it can show actual malice, that’s basically laughable. Goodin directly responded to multiple requests for updates with Keeper, changed a few things when he found their argument compelling, but didn’t change parts he didn’t believe needed to be changed. That’s not what someone does when they’re just looking to publish false information. Those are the actions of someone looking to get the story right. That’s not actual malice. Just because Keeper disagrees with Goodin’s editorial choices does not make them actionable.

In response to the anti-SLAPP argument, Keeper basically mocks the idea that California law could possibly apply in Illinois. But, again, it’s not such a crazy idea. Plenty of courts have ruled that the speaker’s location is the proper one to use for anti-SLAPP laws (even when the plaintiff’s state’s defamation laws are used).

Still, the larger issue stands. A softwarer company has filed a clear SLAPP suit against a reporter for reporting on some bad news about their software. That’s horrific, and should tell you all you need to know about Keeper Security and whether or not to use their software.

Filed Under: anti-slapp, california, dan goodin, defamation, illinois, intimidation, password managers, slapp, vulnerabilities
Companies: ars technica, keeper security