Keeper Security Reminds Everyone Why You Shouldn't Use It; Doubles Down On Suing Journalist

from the which-is-harming-its-reputation-more? dept

Back in December, we wrote about a blatant SLAPP suit filed by Keeper Security against Ars Technica and its reporter Dan Goodin. Keeper makes a password manager product, and Goodin wrote an article, based on a flaw discovered by Google's Tavis Ormandy. The flaw impacted the browser extension that works with Keeper's application. Keeper took offense to certain elements of the article, and in particular to the idea that Microsoft had forced people to install the flawed software (since the flaw was actually in the browser extension, which is optional). Keeper Security also felt that the article implied that users of its software were vulnerable to a broad attack that put their passwords at risk, when the details suggested it was a more narrow (but still pretty bad) flaw that would require a specific set of circumstances to expose passwords, and there was no evidence that such a set of circumstances existed.

As we noted, however, the lawsuit was clearly bullshit. It was clearly an attempt to stifle negative press about a pretty bad flaw. In February, Ars Technica and Goodin filed both a Motion to Dismiss as well as a Motion to Strike under California's anti-SLAPP law. Both are well argued and worth reading. The Motion to Dismiss hits on all the expected points on why there's no legitimate defamation claim. The summary covers the highlights:

Defendants truthfully reported the findings of a noted Google researcher that there was a security vulnerability in Plaintiff’s password manager product, which had been bundled with Microsoft’s Windows 10 operating system. Plaintiff does not dispute that the flaw existed. Nevertheless, in response to Defendants’ truthful report, Plaintiff tried to bully Mr. Goodin into editing his news article to use language more to Plaintiff’s liking; Mr. Goodin agreed to make certain edits, and declined others, standing by the accuracy of the reporting.

The would-be “inaccuracies” Plaintiff identifies in the article are – at best – of secondary importance, and do not affect the article’s true “gist or sting”; for that reason alone, the Complaint fails as a matter of law. Furthermore, most of the statements that the Complaint alleges are “false and misleading” don’t have anything to do with Plaintiff, but rather, Microsoft. Such statements are not “of and concerning” Plaintiff and cannot be the basis for a defamation claim. Still other statements are subject to an innocent construction and are pure opinion, and not actionable under Illinois law for those additional reasons. Simply put, Defendants’ article uttered no falsehood that could have defamed Plaintiff. Nor does Plaintiff remotely plead publication with actual malice as required by the First Amendment.

Plaintiff’s assertion that “[t]he goal, and result, of the Article was to injure Keeper and its employees, and disparage Keeper’s products” ... is baseless hyperbole. The fact is, Plaintiff brought this lawsuit seeking to punish, and ultimately enjoin, publication of essential journalism on a matter of vital public concern – cybersecurity – involving a conceded vulnerability in Plaintiff’s product. The technology community is open and transparent in policing such vulnerabilities, and rightly so. Plaintiff, above all, should be interested in ensuring consumers are protected from potential threats – not in using litigation to chill public discussion of such threats. Permitting this case to go forward would not only be contrary to law, it would have a profoundly negative impact on important cybersecurity research and reporting generally.

More specifically, the motion highlights that all of the statements at issue in the case fail to meet the standards of defamation in that they are substantially true, subject to "innocent construction" (that is, they can easily be read in a non-defamatory manner), not even about Keeper Security (but about Microsoft) or non-actionable opinions. Furthermore, the motion notes that Keeper Security fails to plead actual malice, which is necessary as Keeper is a public figure ("actual malice" being the Supreme Court's required standard for defamation cases involving a public figure, and which has a specific definition of defamatory content that the authors knew was false, or which was posted with "reckless disregard" for whether or not it was false).

It's a pretty typical and well-pleaded motion to dismiss. As for the anti-SLAPP motion, Ars/Goodin's lawyers decided to argue that choice of law principles require California's anti-SLAPP law to apply. Illinois, where Keeper is based and where the lawsuit is filed, does have its own anti-SLAPP law, but it's weaker than California's. I'm of the belief that it's proper to apply the anti-SLAPP law of the state of the speaker (even when applying the defamation law and venue of the plaintiff), since that state has the greater interest in protecting the First Amendment rights of its residents, and many courts have agreed. But not all.

Keeper has now (not surprisingly) opposed both motions (here's the opposition to the MTD and here's the opposition to the anti-SLAPP claim, both initially spotted by Zack Whittaker). Both of those filings are highly unconvincing.

Its opposition to the motion to dismiss is basically to just repeat certain phrases that it insists are defamatory -- taking them completely out of context. This is pretty weak, because once the statements are inevitably put back into context, it's difficult to see how Keeper has much of a case. It admits that Goodin corrected certain points upon learning of errors, and what's left are statements that are either mostly true or are clearly opinion. For example, this statement is one that Keeper insists is defamatory:

The flaw was almost identical to one the same researcher disclosed in the same manager plugin 16 months ago that allowed websites to steal passwords.

But that's clearly an opinion based on disclosed facts about the two flaws. It's not defamatory at all. Also, the following statement is listed by Keeper as being defamatory, but again, is clearly a statement of non-actionable opinion:

If an outsider can find a bug similar to the 16-month-old vulnerability so quickly and easily, it stands to reason people inside the software company should have found it first.

That Keeper is continuing to push these claims reflects really, really poorly on them. The company insists it had to file this lawsuit to protect its reputation, but it seems quite clear that this lawsuit is what's harming Keeper's reputation. As a fan of password managers, I will never recommend Keeper to anyone. And not because of the flaws. Every one of these products discovers flaws eventually. But because it's suing a journalist for covering it. So the following statement by Keeper in its opposition is pretty ridiculous:

The users of Keeper’s product rely on the integrity of the Keeper product and the reputation of Keeper in deciding to use the Keeper software.

Right. And suing journalists for writing about your flaws is a pretty damn good way to kill that reputation. As we pointed out in our original post on the lawsuit, lots and lots of security experts publicly suggested people stay away from Keeper because of the lawsuit, not because of the flaw.

Keeper also claims it's not a public figure, and thus doesn't need to show actual malice (though it claims it can). First of all, it absolutely is a public figure under defamation law. As Ars/Goodin's motion points out, the company itself touts how it's an "innovator and leader" and "one of the world's most downloaded." Second, as for the claims that it can show actual malice, that's basically laughable. Goodin directly responded to multiple requests for updates with Keeper, changed a few things when he found their argument compelling, but didn't change parts he didn't believe needed to be changed. That's not what someone does when they're just looking to publish false information. Those are the actions of someone looking to get the story right. That's not actual malice. Just because Keeper disagrees with Goodin's editorial choices does not make them actionable.

In response to the anti-SLAPP argument, Keeper basically mocks the idea that California law could possibly apply in Illinois. But, again, it's not such a crazy idea. Plenty of courts have ruled that the speaker's location is the proper one to use for anti-SLAPP laws (even when the plaintiff's state's defamation laws are used).

Still, the larger issue stands. A software company has filed a clear SLAPP suit against a reporter for reporting on some bad news about their software. That's horrific, and should tell you all you need to know about Keeper Security and whether or not to use their software.


Filed Under: anti-slapp, california, dan goodin, defamation, illinois, intimidation, password managers, slapp, vulnerabilities
Companies: ars technica, keeper security


Reader Comments


  • Anonymous Anonymous Coward, 9 Mar 2018 @ 8:48am

    I can't see past the end of my pointy nose.

    It certainly boggles the mind that some people (companies) just don't understand that 'Whoops, there's a problem, let us fix that.' is a better response (from a PR standpoint, which would probably overcome any profit standpoint in the long run) than 'You point out an error/issue? Defamation!'.

    The notion that short term (quarterly) profits are more important than long term (years) profits requires that any stock involved has to be sold in order to realize those profits. If the stock is that volatile, why would any investor buy it in the first place? OK, that volatility might offer opportunities in the buying and selling on market swings (which points out the issue of micro profits obtained in computerized trading), but there is a cost in every sale/buy. Otherwise the 'profit' is just on paper. If the investor is just looking for dividends, then aren't they looking longer term?

    • JoeCool, 9 Mar 2018 @ 9:06am

      Re: I can't see past the end of my pointy nose.

      It's PHBs in charge that do shit like this. The poor devs who actually do all the work are probably all scrambling to find a new company to work for.

  • Anonymous Coward, 9 Mar 2018 @ 8:55am

    The only important thing is: what does out_of_the_blue think?

    We don't even really know that Mike is right until out_of_the_blue says he's not.

    • John Roddy, 9 Mar 2018 @ 9:18am

      Re: The only important thing is: what does out_of_the_blue think?

      He actively tried to strongly disagree, but instead could only barely manage to just shrug it off and demand something else.

      In other words, Ars is 100% guaranteed a victory here.

  • Anonymous Coward, 9 Mar 2018 @ 9:00am

    Say: ever thought of down side to Californication's "laws"

    applying in every state? Cause if you residents EVER use a wrong gender pronoun, can be sued! (Okay, I'm not SURE that looniness is "law" yet, but the point stands: that notion will not be only to YOUR advantage.)

    As for rest, HMM. I think there's some facts and not opinion stated: certainly a "tech writer" is assumed to deal in facts. -- However, that's best I got on this item. Lucky it's not important. Next piece, please.

    • Mike Masnick, 9 Mar 2018 @ 9:16am

      Re: Say: ever thought of down side to Californication's "laws"

      "Cause if you residents EVER use a wrong gender pronoun, can be sued! (Okay, I'm not SURE that looniness is "law" yet, but the point stands: that notion will not be only to YOUR advantage.)"

      Huh? What the hell does that have to do with the proper choice of law for anti-SLAPP? Nothing in that would involve enabling Californians to sue elsewhere.

    • Anonymous Coward, 9 Mar 2018 @ 9:50am

      Re: Say: ever thought of down side to Californication's "laws"

      What do you think quotation marks do?

    • Anonymous Coward, 9 Mar 2018 @ 12:10pm

      Re: Say: ever thought of down side to Californication's "laws"

      Fail. Even for you. What are you even trying to argue here?

    • Anonymous Coward, 9 Mar 2018 @ 12:26pm

      Re: Say: ever thought of down side to Californication's "laws"

      Meth is a hell of a drug.

  • Anonymous Coward, 9 Mar 2018 @ 9:28am

    Is this the mythical secure access to encryption?
    weak sauce
    hahaha

  • Ninja, 9 Mar 2018 @ 9:37am

    Having 3rd parties discover flaws in some service/software is pretty common and would not mean loss of trust per se. How the company handles the disclosure of the flaw however can be damaging. Unfortunately Keeper is far from the exception. The proper response would be to solve the problem as quickly as possible even requesting details from the researcher who discovered the flaw and provide plenty of transparency and information to their customers on what's being done and how to proceed to secure their passwords and prevent damage as much as possible.

    So, yeah, Keeper can die a fiery, Streisand death.

  • ryuugami, 9 Mar 2018 @ 2:01pm

    Editorial control

    Goodin directly responded to multiple requests for updates with Keeper, changed a few things when he found their argument compelling, but didn't change parts he didn't believe needed to be changed.

    Someone should explain to Keeper that subjects of news articles don't generally get a final say in the articles' contents. I think they're confusing them with "press releases" and "sponsored articles" (a.k.a., ads).
