NSS Labs files antitrust suit against multiple cybersecurity vendors

Discussion in 'other anti-malware software' started by ronjor, Sep 19, 2018.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    EULA restrictions are not the primary allegation filed in the lawsuit. I believe CrowdStrike is the only vendor that has test publication restrictions in its EULA.

    The primary allegation is conspiracy against NSS Labs, as noted in the below excerpt from the lawsuit filing:
    https://www.nsslabs.com/default/assets/File/2018-09-18-NSS-Complaint.pdf

    Personally, I believe the conspiracy bit will be hard to prove in court. Even if such a meeting took place, all the participants are AMTSO members. After all the "flak" that resulted from NSS Labs test presentation at the RSA conference, this meeting could be construed as an attempt to revisit existing AMTSO current best practices and standards in an attempt to create revisions to them that would be agreeable to the majority of AMTSO members. If such revisions were subsequently implemented, which it appears they were, they would have to be agreed to by a majority of AMTSO members I believe. Also as in most trade organizations, individual membership status is not always at equal levels. Some members might be part of a committee for example that has a final say in what is eventually adopted revision wise.

    As far as point no. 66 above, this is no different than a manufacturer refusing to have their product tested and then publicly commented upon by a concern that is not properly certified to test the product. No one can be forced into who will or will not publicly test their product. On the other hand, NSS Labs can privately do so without public comment. Note: non-open source computer software is not public domain property. Nor is it subjected to legal rules regarding public domain property.

    Finally, note that computer software is unique in that it has a EULA that governs its use.
     
    Last edited: Sep 22, 2018
  2. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    This doesn't hold water, or answer my question.

    I have been following AV-Test, AV-Comparatives, NSS Labs, West Coast Labs, ICSA Labs and other labs for many years as part of my real job. And of course the ratings go up and down. Why wouldn't they? Did you expect the ratings to remain consistent year after year? Do you expect competitors to just let those on top remain on top? Do you not expect vendors to constantly make changes and [hopefully] improvements to their programs? Do you expect the fight and progress made against the bad guys to not ebb and flow? o_O

    So I ask again, who do you suggest consumers listen to when choosing a security solution? Norton? McAfee? ESET? The neighborhood whizkid? I say we have no other choice but to read the reviews from the various testing labs. Testing labs that are free to establish their own testing criteria and be free to publish those results without restrictions (or approval from the vendors).

    Are labs necessary evils? Probably. But again, what other choice do most consumers have?

    And while people do indeed develop a favorite solution, many, I would hope most users are wise enough to realize there may be better security solutions out there and what once was popular and effective, may no longer be. So they switch. Have you been using the same security solution for the last 10 years? I doubt it.

    Of course it doesn't. Why would it? To use a current-events analogy, this is just Candidate B throwing mud back at Candidate A - and we all know all candidates lie.

    There are many innuendos in that AMTSO note that are just nonsense for their implications. For example, it "implies" NSS Labs gave testing information to one vendor but not another. Says who? Where is the evidence of such favoritism? It is just one lawyer tossing up anything to cast doubt. It also implies NSS Labs cannot substantiate their findings. Where is the evidence NSS Labs can not do that?

    And look at this from the AMTSO response,
    Really? Vendors inserting terms in the EULA that no testing or publishing the results of that testing is allowed unless the vendor authorizes it - that's ethical and fair?

    That's what I see is what the lawsuit is all about - NSS Labs (or you or me) being able to test and publish those test results. AMTSO is trying to obfuscate the issue with all sorts of totally unrelated innuendos and underhanded accusations.
    Anybody can sue anyone for anything - if they have the money for the shysters... err... lawyers. That does not mean they can win. The threat of such a suit is a common intimidation tactic used by many unscrupulous entities in the hopes those without deep pockets will not even bother. Look at the Enigma vs Bleeping Computer lawsuit.

    Those are pretty serious claims and if true, would be significant.

    :( That's pure speculation! You have no clue what happened in that room. That meeting could be construed as an attempt to deceive the public and monopolize the industry for personal gains!

    Whether it is easy or hard to prove is another issue. You don't know what evidence they have. They may have an eyewitness who was at the meeting who is willing to talk.

    @ itman - Why are you taking such a strong stand against consumers when you don't know the facts? I don't get that. I am not criticizing - I am trying to understand. I don't see why you don't think testing labs should be free to test and publish - AS LONG AS they test each product the same way.

    NSS Labs must have good reason to believe those allegations are true or it would not be worth all the expense to pursue this. I believe the charges could be exaggerated, but I also believe there is probably some basis in fact.

    And regardless if there is, or is not any conspiracy, (1) vendors should not be allowed to block any lab from testing and publishing those results and (2) AMTSO and the vendors should not be able to dictate how testing can be done.

    Yes, testing must be done fairly. But it should not be up to the vendors to decide if a test is fair, or not.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    What the courts need to address is the legality of existing software EULA agreement provisions. Until that is done, a developer is free to stipulate any provision as long as it does not violate any existing law.

    NSS Labs is free to test and publish whatever they want. No one is physically restricting them from doing so. Of course, this will subject them to legal action by any AV vendor that has specifically stated their software cannot be tested without their express permission per its EULA agreement or by formal written notification to NSS Labs of the same. Nor can NSS Labs publicly state that their testing procedures conform to AMTSO standards or guidelines; in other words they are not testing the software as other AMTSO member AV labs are doing so.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Maybe this example will help understand what is going on here.

    In the U.S., Consumer Reports has a lab division that conducts consumer product testing. Like NSS Labs, they periodically publish public reports with comparative product rankings. However and similar to NSS Labs, you can only see the detailed reports if you become a paid member.

    The difference here is Consumer Reports reviews are their "opinions" exclusively. There is no governing organization to which they belong which recommends how their tests are to be performed or sanctions that their results conform to those standards.

    Consumer Reports can perform such activity since consumer products do not have a EULA restricting how they can be used by the purchaser.
     
  5. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    I agree. The problem there is courts tend to have a very narrow focus when they make decisions. I note the EU courts in Europe started to address transferring OEM Windows licenses. But they ended up raising more questions because their ruling only mentioned "unused" licenses from a volume license pack. That is, can a company sell/transfer 5 unused licenses from a 20 volume license pack, against the terms of the EULAs? It seems they can. But can a home user - who also agreed to the terms of the EULA - legally transfer an OEM license to their new computer? According to the terms of the EULA, no. And as it stands, that is legally binding.

    Why is that important to you? I see that as a very good thing which is why I don't understand the criticisms here against NSS Labs.

    If all the testing labs used the exact same AMTSO guidelines, what would be the point in referring to different labs when picking a product. Are you really getting a different opinion from a different viewpoint?

    Do all bad guys create malware using a single standard? No.

    As a long time subscriber to Consumer Reports, it is not that simple at all. Yes, they are "opinions" but those opinions are based on very extensive actual testing. For example, they will go buy "off the shelf" (never directly from the maker unless anonymously) 10 lawn mowers. Then they will mow and mow and mow some more for an entire season or longer actually measuring, with real test equipment, noise, fuel consumption, evenness, etc. Those are just facts, not opinions.

    Then they will also poll all their readers, asking if their mowers needed repairs, etc.

    Another thing to note is Consumer Reports never has any product advertising. They are a non-profit. They always use secret shoppers to buy off the shelf. I wish all review sites had similar policies. But sadly, many cannot afford to buy off the shelf, or not accept advertising money. So they end up testing vendor supplied samples (that could be tweaked to score well) and displaying ads for the very products under test. CR's methods leave no room for even the appearance of improprieties. A very good thing.

    Just to be clear, I am not defending NSS Labs. I am defending consumers. Consumers should have the right to read reviews that were created unhindered by restraints imposed by the makers of the products under review.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    It will be up to the court to decide if an AV vendor has the right to restrict testing of his software to an AV Lab that does not conform to AMTSO standards. In reality, what NSS Labs is trying to get is a court ruling that would render any resultant vendor lawsuit for such violation null and void upon filing. My best guess is the court will not go that far in its ruling. It will probably rule that NSS Labs can test whatever it wants but not give it protection against any subsequent lawsuit regarding the validity of the test results.

    Bottom line - I really don't know what this current lawsuit will accomplish.
     
  7. guest

    guest Guest

    Honestly, Average Joe won't care a bit about the lawsuit; as good noobs, they will keep basing their decision on reading PC Mag LOL
     
  8. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    "In a statement sent to CRN Malwarebytes CEO Marcin Kleczynski claimed that the vendor had previously been contacted by NSS Labs and asked to pay "tens of thousands of dollars" to participate in the test, but declined because of the testing methods employed."

    "NSS Labs does not charge for, and never will charge for, participation in public tests," he said."

    Are there any similar such accusations against NSS? I would assume that it'd be relatively easy for Malwarebytes to prove this if it were true. At the very least it seems to suggest that the Malwarebytes score seems to come from the fact that they didn't pay. Then again, Malwarebytes is scoring relatively similar on MRG tests on-demand. If it were true, I can't see any reason why you wouldn't post that communique publicly.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Refer to the AMTSO blog posting excerpt in reply #20. From what is posted there, one can assume there are.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I am assuming the court will rely on existing lease law in the U.S. much of which is based on English common law for precedents in this case. A EULA is a lease. In a lease, the property owner can specify whatever terms they want. If one or more of those terms violates existing laws, the court will not allow the property owner to enforce it.

    So the crux of the issue is does a EULA restriction to prevent public disclosure of software test results without explicit permission violate any U.S. federal or local jurisdiction laws. Note that confidentiality clauses in employment agreements for example are legal in the U.S. Also I don't believe free speech laws in the U.S. are at all applicable here since those only apply to individuals and public media entities such as newspapers, TV, etc.
     
    Last edited: Sep 22, 2018
  11. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    Yes, but I don't see why the AMTSO standards matter. They are not a government regulatory agency. It is not like the need to comply with USDA, FDA, EPA, or FAA regulations. It is not like these are traffic laws. This is just AMTSO trying to strong-arm how anti-malware programs are tested.

    Who cares? As long as testing is done fairly - that is, equally between the products, it should not matter.

    As far as paying for testing, I note Plug Load Solutions charges PSU makers to have their PSUs tested for 80 PLUS compliance certifications. If they don't pay, they cannot sport the 80 PLUS logo on their products. So nothing new there.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Hum ……….. I thought I explained this at the beginning of the thread. Again, AMTSO has no enforcement powers - period. They only publish testing standards that have been mutually agreed upon by a consensus of AMTSO members.

    NSS Labs is accusing them of being a conspirator in "some diabolical plot" with the other co-defendants to undermine NSS Labs' ability to test without constraints, the co-defendants' software. If none of this makes any sense, I agree. The lawsuit should be dismissed as lacking merit.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I will also add this comment which is sheer speculation on my part.

    I can't help but feel something else is "at play" with this lawsuit. It is no secret that the Next Gen vendors are not allied with current AMTSO standards and guidelines. As far as they are concerned, the standards unduly favor the major AV vendor products to the detriment of their "new and improved" AI (supposedly) detection methods. It would not surprise me in the least if NSS Labs is receiving financial backing in this lawsuit by the Next Gen vendors. This would also explain the reason for dragging AMTSO into this lawsuit. Doing so adds further credibility to their never ending claims that at least, the AV lab industry as a whole is not properly testing their products and at the extreme, conspiring against them. This in turn nullifies their current test scoring status.
     
  14. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    Right. You did. But you still seem to be defending the position of the anti-malware program makers who don't want others testing their program unless they test using their defined parameters. I'm not for that.
    They agreed to those standards, but not that ONLY those standards can be used.

    That leads me to your next comment where you said,
    Not sure it is about "properly" testing, but rather "thoroughly" testing for all possible scenarios.

    For example, which is the best pickup truck?

    Lab A measures 0 - 60MPH times and declares Truck C is "The Best Truck".

    Lab B measures towing capacities and declares Truck D is "The Best Truck".

    Lab C measures stopping distances and declares Truck F is "The Best Truck".

    Why only those 3 test parameters? Because that's what Brands C, D and F and those 3 labs agreed to. So what happens? We get bombarded with commercials by all three brands claiming to be "The Best Truck", and they are all right. But does that really help the consumer?

    But then Consumer Reports comes along and tests trucks. Only they measure 0 - 60MPH, towing, stopping, emergency handling, comfort, fuel efficiency, infotainment usability, crash survivability, gauges, knobs and buttons, noise, and more and declare Truck T is "The Best Truck".

    Is the Consumer Reports rating invalid because the tests were not using the same standards?
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    AMTSO was formed for the purpose of bringing a jointly agreed upon method to test AV software. However, the organization brought other benefits to the AV lab test industry. One of the most important is an implied agreement between members that if an AV lab adhered to AMTSO standards when testing a member AV product, the lab would not have adverse action taken against it. I also assume that somewhere in the AMTSO guidelines is that AV labs fully collaborate with any AV vendor whose product is tested; the most important agreement being the right by the AV vendor to refuse participation in any or all tests conducted by the lab.

    Adverse action in this context means litigation against an AV lab by the AV vendor in the form of a libel lawsuit. To address many of your previous comments, anyone in the U.S. can publish anything. However, they are not given absolute legal protection against anything included in that publication. Remember that AV software development is a multi-billion dollar industry. As such, the AV vendors can expend considerable monetary resources in employing the best legal resources available. Regardless of the merit of this litigation against AV labs, if it became a standard practice, AV labs would cease to exist due to the financial strain they were subjected to defending against never ending litigation against them.

    It therefore behooves AV labs to become AMTSO members and adhere to their standards. It is also "common business sense" to adhere to AV vendor software use restrictions within a EULA or otherwise. An old truism is "if you go looking for trouble, you will most certainly find it."

    I am sure you will disagree with this current AV lab testing status. The reality is it is not all that different than the way business is done in most U.S. industry segments. If you take it upon yourself to go "rogue," you better be prepared to pay the price for doing so.
     
    Last edited: Sep 23, 2018
  16. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    There may be more to this lawsuit than meets the eye (or actually may be less). Until we see the particulars any further conversation is nothing but conjecture.

    [Personally I think it is Much Ado about Nothing (and sour grapes), but what do I know?].
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Following up on my last above posting, perhaps it is time governments get involved in the regulation of the software security industry in regards to setting standards in regards to overall product capability against malware. On face value, it is most warranted given the overwhelming impact computer technology has upon individuals and businesses. It is reasonable to assume that if this were to happen, it would spell the end of the private AV lab test industry as we know it today.

    I don't believe this is something that either the AV software or lab test industries want to happen. I therefore strongly advise NSS Labs to drop their lawsuit and settle their differences within the existing AMTSO framework.
     
    Last edited: Sep 23, 2018
  18. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    I agree. And of course, all can change once the court makes its ruling.
    "A" standard method, not the "only" method and not really the point. And as I noted way back in post #7, it does not make that method mandatory. Again, from your link on page 4,
    Again, you seem to be defending the industry's claim that they should be the sole regulator and overseer of their own testing methodologies. :( Where are the checks and balances?

    When has self-regulation ever worked? When it comes to profits vs what's best for the consumer, the consumer always loses. And I think it important to point out this is NOT just about consumers' computers getting infected. It is about their identities being stolen, bank accounts getting drained, credit ruined all the way to, and including physical assaults, stalking, and death!

    Wow! Read between the lines! That says, "do it our way or suffer the consequences!" :(

    That's just strong-arm, intimidation, mobster talk! You are just convincing me NSS Labs is on the right track.

    Edit Add: :)

    To be clear, I am not a fan of big government and more regulations. But since this involves public safety (which IS the number 1 job of governments), I agree something should be done.

    But I do NOT agree the government should be setting the standards - other than "minimum" standards to include what can, and what cannot be restricted in terms of testing.
    I totally disagree. The automobile safety standards are highly regulated. Do those regulations end or restrict private car testing labs? No. If anything, car testing by private/commercial testing facilities has expanded and increased.

    The end of private AV lab test industry as we know it would only happen if AMTSO gets its way and only their tests and methods are allowed. :( For sure, the bad guys would rejoice!
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Some thoughts.

    1. Getting governments involved is a terrible idea. All they do is do the bidding of the highest bidder, never to the consumer's advantage.

    2. All our talking about this is a total waste.

    3. Nothing will protect consumers as long as they are too lazy to learn how to do that themselves.
     
  20. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    For sure the car industry would disagree with your #1. The pharmaceutical industry might agree, however. :(

    Your point #2 is probably true.
    Point #3 is totally unfair. Consumers should not have to become security experts just to ensure their families are safe using their computers.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Bill

    What does fair have to do with anything? Life isn't fair. Yes in an ideal world consumers should have to worry about it, but I wouldn't trust the govt, testing labs or most of the companies themselves, so who is left? The problem is consumers are too lazy, but whose fault is that?
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Since NSS Labs filed an anti-trust law suit, it would be appropriate to review recent U.S. law in this regard as it applies to trade organizations. Remember, AMTSO is in effect a trade organization. I have underlined the relevant points:
    https://www.ftc.gov/news-events/blogs/competition-matters/2014/05/antitrust-associations

    The most important statement above is what I highlighted in bold. It will be a "stretch" to convince the court that NSS Labs is a consumer or that restrictions against by the defendants in any way have a direct impact on consumers.
     
  23. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    That does not mean we, as consumers, can't fight for fairness.
    But they represent the interests of consumers and that is what matters - as does your highlighted parts!:)
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    You're kidding - right? NSS Labs' sole business model is the testing of enterprise and SMB security software.
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I am going to wrap up my comments in this thread with the following. In the U.S.:

    1. There are no laws to prevent you from driving a business competitor out of business. If your intent is to gain exclusive market share for the purpose of engaging in predatory price fixing practices to the detriment of the general public, you could be subjected to government review in regards to violation of anti-trust laws.

    2. There are no laws to prevent you from selling or not selling your product to whom you choose as long as you don't violate any existing laws in the process; i.e. anti-discrimination laws for example.

    3. There are no laws that prevent you from restricting the use of your product as long as they don't unduly restrict upon the purchaser's use of the product for its intended purpose. In this regard, computer security software intended use is to protect the OS and app software along with resultant data on the device it is installed on.
     
    Last edited: Sep 23, 2018