Keeper Security Reminds Everyone Why You Shouldn't Use It; Doubles Down On Suing Journalist

from the which-is-harming-its-reputation-more? dept

Back in December, we wrote about a blatant SLAPP suit filed by Keeper Security against Ars Technica and its reporter Dan Goodin. Keeper makes a password manager product, and Goodin wrote an article, based on a flaw discovered by Google’s Tavis Ormandy. The flaw impacted the browser extension that works with Keeper’s application. Keeper took offense to certain elements of the article, and in particular to the idea that Microsoft had forced people to install the flawed software (since the flaw was actually in the browser extension, which is optional). Keeper Security also felt that the article implied that users of its software were vulnerable to a broad attack that put their passwords at risk, when the details suggested it was a more narrow (but still pretty bad) flaw that would require a specific set of circumstances to expose passwords, and there was no evidence that such a set of circumstances existed.

As we noted, however, the lawsuit was clearly bullshit. It was clearly an attempt to stifle negative press about a pretty bad flaw. In February, Ars Technica and Goodin filed both a Motion to Dismiss as well as a Motion to Strike under California’s anti-SLAPP law. Both are well argued and worth reading. The Motion to Dismiss hits on all the expected points on why there’s no legitimate defamation claim. The summary covers the highlights:

Defendants truthfully reported the findings of a noted Google researcher that there was a security vulnerability in Plaintiff?s password manager product, which had been bundled with Microsoft?s Windows 10 operating system. Plaintiff does not dispute that the flaw existed. Nevertheless, in response to Defendants? truthful report, Plaintiff tried to bully Mr. Goodin into editing his news article to use language more to Plaintiff?s liking; Mr. Goodin agreed to make certain edits, and declined others, standing by the accuracy of the reporting.

The would-be ?inaccuracies? Plaintiff identifies in the article are ? at best ? of secondary importance, and do not affect the article?s true ?gist or sting?; for that reason alone, the Complaint fails as a matter of law. Furthermore, most of the statements that the Complaint alleges are ?false and misleading? don?t have anything to do with Plaintiff, but rather, Microsoft. Such statements are not ?of and concerning? Plaintiff and cannot be the basis for a defamation claim. Still other statements are subject to an innocent construction and are pure opinion, and not actionable under Illinois law for those additional reasons. Simply put, Defendants? article uttered no falsehood that could have defamed Plaintiff. Nor does Plaintiff remotely plead publication with actual malice as required by the First Amendment.

Plaintiff?s assertion that ?[t]he goal, and result, of the Article was to injure Keeper and its employees, and disparage Keeper?s products? … is baseless hyperbole. The fact is, Plaintiff brought this lawsuit seeking to punish, and ultimately enjoin, publication of essential journalism on an matter of vital public concern ? cybersecurity ? involving a conceded vulnerability in Plaintiff?s product. The technology community is open and transparent in policing such vulnerabilities, and rightly so. Plaintiff, above all, should be interested in ensuring consumers are protected from potential threats ? not in using litigation to chill public discussion of such threats. Permitting this case to go forward would not only be contrary to law, it would have a profoundly negative impact on important cybersecurity research and reporting generally.

More specifically, the motion highlights that all of the statements at issue in the case fail to meet the standards of defamation in that they are substantially true, subject to “innocent construction” (that is, they can easily be read in a non-defamatory manner), not even about Keeper Security (but about Microsoft) or non-actionable opinions. Furthermore, the motion notes that Keeper Security fails to plead actual malice, which is necessary as Keeper is a public figure (“actual malice” being the Supreme Court’s required standard for defamation cases involving a public figure, and which has a specific definition of defamatory content that the authors knew was false, or which was posted with “reckless disregard” for whether or not it was false).

It’s a pretty typical and well plead motion to dismiss. As for the anti-SLAPP motion, Ars/Goodin’s lawyers decided to argue that choice of law principles require California’s anti-SLAPP law to apply. Illinois, where Keeper is based and where the lawsuit is filed, does have its own anti-SLAPP law, but it’s weaker than California’s. I’m of the belief that it’s proper to apply the anti-SLAPP law of the state of the speaker (even when applying the defamation law and venue of the plaintiff), since that state has the greater interest in protecting the First Amendment rights of its residents, and many courts have agreed. But not all.

Keeper has now (not surprisingly) opposed both motions (here’s the opposition to the MTD and here’s the opposition to the anti-SLAPP claim, both initially spotted by Zack Whittaker). Both of those filings are highly unconvincing.

Its opposition to the motion to dismiss is basically to just repeat certain phrases that it insists are defamatory — taking them completely out of context. This is pretty weak, because once the statements are inevitably put back into context, it’s difficult to see how Keeper has much of a case. It admits that Goodin corrected certain points upon learning of errors, and what’s left are statements that are either mostly true or are clearly opinion. For example, this statement is one that Keeper insists is defamatory:

The flaw was almost identical to one the same researcher disclosed in the same manager plugin 16 months ago that allowed websites to steal passwords.

But that’s clearly an opinion based on disclosed facts about the two flaws. It’s not defamatory at all. Also, the following statement is listed by Keeper as being defamatory, but again, is clearly a statement of non-actionable opinion:

If an outsider can find a bug similar to the 16-month-old vulnerability so quickly and easily, it stands to reason people inside the software company should have found it first.

That Keeper is continuing to push these claims reflects really, really poorly on them. The company insists it had to file this lawsuit to protect its reputation, but it seems quite clear that this lawsuit is what’s harming Keeper’s reputation. As a fan of password managers, I will never recommend Keeper to anyone. And not because of the flaws. Every one of these products discovers flaws eventually. But because it’s suing a journalist for covering it. So the following statement by Keeper in its opposition is pretty ridiculous:

The users of Keeper?s product rely on the integrity of the Keeper product and the reputation of Keeper in deciding to use the Keeper software.

Right. And suing journalists for writing about your flaws is a pretty damn good way to kill that reputation. As we pointed out in our original post on the lawsuit, lots and lots of security experts publicly suggested people stay away from Keeper because of the lawsuit not because of the flaw.

Keeper also claims its not a public figure, and thus doesn’t need to show actual malice (though claims it can). First of all, it absolutely is as public figure under defamation law. As Ars/Goodin’s motion points out, the company itself touts how it’s an “innovator and leader” and “one of the world’s most downloaded.” Second, as for the claims that it can show actual malice, that’s basically laughable. Goodin directly responded to multiple requests for updates with Keeper, changed a few things when he found their argument compelling, but didn’t change parts he didn’t believe needed to be changed. That’s not what someone does when they’re just looking to publish false information. Those are the actions of someone looking to get the story right. That’s not actual malice. Just because Keeper disagrees with Goodin’s editorial choices does not make them actionable.

In response to the anti-SLAPP argument, Keeper basically mocks the idea that California law could possibly apply in Illinois. But, again, it’s not such a crazy idea. Plenty of courts have ruled that the speaker’s location is the proper one to use for anti-SLAPP laws (even when the plaintiff’s state’s defamation laws are used).

Still, the larger issue stands. A softwarer company has filed a clear SLAPP suit against a reporter for reporting on some bad news about their software. That’s horrific, and should tell you all you need to know about Keeper Security and whether or not to use their software.

Filed Under: , , , , , , , ,
Companies: ars technica, keeper security

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Keeper Security Reminds Everyone Why You Shouldn't Use It; Doubles Down On Suing Journalist”

Subscribe: RSS Leave a comment
Anonymous Anonymous Coward (profile) says:

I can't see past the end of my pointy nose.

It certainly boggles the mind that some people (companies) just don’t understand that ‘Whoops, there’s a problem, let us fix that.’ is a better response (from a PR standpoint, which would probably overcome any profit standpoint in the long run) than ‘You point out an error/issue? Defamation!’.

The notion that short term (quarterly) profits are more important than long term (years) profits requires that any stock involved has to be sold in order to realize those profits. If the stock is that volatile, why would any investor buy it in the first place? OK, that volatility might offer opportunities in the buying and selling on market swings (which points out the issue of micro profits obtained in computerized trading), but there is a cost in every sale/buy. Otherwise the ‘profit’ is just on paper. If the investor is just looking for dividends, then aren’t they looking longer term?

Anonymous Coward says:

Say: ever thought of down side to Californication's "laws"

applying in every state? Cause if you residents EVER use a wrong gender pronoun, can be sued! (Okay, I’m not SURE that looniness is “law” yet, but the point stands: that notion will not be only to YOUR advantage.)

As for rest, HMM. I think there’s some facts and not opinion stated: certainly a “tech writer” is assumed to deal in facts. — However, that’s best I got on this item. Lucky it’s not important. Next piece, please.

Mike Masnick (profile) says:

Re: Say: ever thought of down side to Californication's "laws"

  • Cause if you residents EVER use a wrong gender pronoun, can be sued! (Okay, I’m not SURE that looniness is "law" yet, but the point stands: that notion will not be only to YOUR advantage.)*

Huh? What the hell does that have to do with the proper choice of law for anti-SLAPP? Nothing in that would involve enabling Californians to sue elsewhere.

Ninja (profile) says:

Having 3rd parties discover flaws in some service/software is pretty common and would not mean loss of trust per se. How the company handles the disclosure of the flaw however can be damaging. Unfortunately Keeper is far from the exception. The proper response would be to solve the problem as quickly as possible even requesting details from the researcher who discovered the flaw and provide plenty of transparency and information to their customers on what’s being done and how to proceed to secure their passwords and prevent damage as much as possible.

So, yeah, Keeper can die a fiery, Streisand death.

ryuugami says:

Editorial control

Goodin directly responded to multiple requests for updates with Keeper, changed a few things when he found their argument compelling, but didn’t change parts he didn’t believe needed to be changed.

Someone should explain to Keeper that subjects of news articles don’t generally get a final say in the articles’ contents. I think they’re confusing them with "press releases" and "sponsored articles" (a.k.a., ads).

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »