Malwarebytes will have to head back to court to justify a decision to block its rival’s antivirus services after an appeals court threw out the security shop's legal justification.

On Thursday, the Ninth Circuit of Appeals overturned [PDF] a decision by a district court back in 2017 that agreed with Malwarebytes when it said it was allowed to do pretty much whatever it wanted with its antivirus scanner, including deciding that rival Enigma’s software was a "potentially unwanted program.”

Malwarebytes claimed that under Section 230 of the Communications Decency Act (CDA) it had immunity in attempting to block content that is violent, of a sexual nature, or "otherwise objectionable.” Enigma argued that its software isn’t "objectionable" and that Malwarebytes was just trying to get back at the company after it sued a tech support blog affiliated with Malwarebytes that published a bad review of Spyhunter’s program.

Surprisingly, the district judge agreed, citing precedent in the 2009 ruling of Zango v Kaspersky where the courts sided with security companies, and threw the case. Enigma appealed and the appeals court agreed with it.

The appeals judges noted that the CDA’s immunity is not “limitless” and noted that in the Zango case, the companies were not competitors. The judge in that case had used an “overly expansive interpretation of the provision that could lead to anticompetitive results,” the court found, noting that: “We hold that the phrase ‘otherwise objectionable’ does not include software that the provider finds objectionable for anti-competitive reasons.”

Yeah, you can't do that

Or, in other words, Section 230 does not give a company carte blanche to do whatever it wants. When it wrote the law “Congress wanted to encourage the development of filtration technologies, not to enable software developers to drive each other out of business,” the judgment notes.

But it was a 2-1 ruling and the dissenting judge argued that, actually, Section 230 was broader than her colleagues imagined. “Congress has not further clarified the statute and Enigma Software has not persuasively made a case for limitation of the statute beyond its provisions,” the dissent argued.

“The majority's real complaint is not that the district court construed the statute too broadly, but that the statute is written too broadly. However, that defect, if it is a defect, is one beyond our authority to correct.”

Of course, the once untouchable Section 230 has been under increasing pressure in the past years as lawmakers and courts have repeatedly run up against its blanket provisions with tech companies claiming that they can’t be obliged to remove content or introduce filters or be sued for what their users do because of the provision.

The clause was subsequently opened up to remove legal protections for sex trafficking in response to the saga of Backpage.com and politicians of all stripes have indicated they will look at adding more exemptions in an effort to make tech giants more accountable.

The decision doesn’t mean that Enigma has won the case, or that Malwarebytes will be obliged to remove its block on its rivals’ products. But it's main legal defense has gone and now it will have to put that case in court with a different argument.

Malwarebytes is, naturally enough, not happy with the decision and has said it will consider appealing the appeal. ®