Case: 1:17-cv-09117 Document #: 14 Filed: 02/08/18 Page 1 of 3 PageID #:43

UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF ILLINOIS
EASTERN DIVISION
KEEPER SECURITY, INC.
Plaintiff,
v.

Case No. 1:17-cv-9117
Hon. Joan Humphrey Lefkow

DAN GOODIN and ADVANCE MAGAZINE
PUBLISHERS INC. d/b/a CONDÉ NAST and
ARS TECHNICA,
Defendants.
DEFENDANTS’ MOTION TO DISMISS
PURSUANT TO FED. R. CIV. P. 12(B)(6)
Defendants Dan Goodin and Advance Magazine Publishers Inc. (d/b/a Condé Nast and
Ars Technica), by their attorneys, respectfully request that the Court dismiss the Complaint of
Plaintiff Keeper Security, Inc. for failure to state a claim pursuant to Federal Rule of Civil
Procedure 12(b)(6).
1.

Plaintiff, a software developer, is suing Defendants, a respected online technology

publication and its California-based cybersecurity reporter and editor, based on an news article
(the “Article”) truthfully reporting the findings of a noted Google researcher that there was a
security vulnerability in Plaintiff’s password manager product, Keeper.
2.

Plaintiff’s Complaint asserts claims for defamation, commercial disparagement

and violation of the Illinois Deceptive Trade Practices Act (“DTPA”), 815 ILCS § 510/2. The
defamation claim fails as a matter of law because the Article is substantially true; subject to an
innocent construction; voices non-actionable opinions, makes statements that are not “of and
concerning” Plaintiff; and Plaintiff does not and cannot plead publication with actual malice as
required by the First Amendment. Plaintiff’s tag-along tort claims fail for the same reasons, and

 Case: 1:17-cv-09117 Document #: 14 Filed: 02/08/18 Page 2 of 3 PageID #:44

also because the Article is not commercial speech and the DTPA only affords injunctive relief
for which there is no basis here.
3.

Defendants are filing herewith a memorandum of law in support of their motion.

WHEREFORE, Defendants respectfully request that the Court dismiss Plaintiff’s claims
in their entirety and with prejudice pursuant to Federal Rule of Civil Procedure 12(b)(6).

Dated: February 8, 2018

Respectfully submitted,
/s/ Natalie J. Spears
One of the attorneys for Defendants

Natalie J. Spears
Gregory R. Naron
Jacqueline A. Giannini
DENTONS US LLP
233 S. Wacker Drive, Suite 5900
Chicago, IL 60606
Tel: (312) 876-8000
Fax: (312) 876-7934
natalie.spears@dentons.com
gregory.naron@dentons.com
jacqui.giannini@dentons.com

2

 Case: 1:17-cv-09117 Document #: 14 Filed: 02/08/18 Page 3 of 3 PageID #:45

CERTIFICATE OF SERVICE
I hereby certify that a true and correct copy of the foregoing DEFENDANTS’ MOTION TO
DISMISS PURSUANT TO FED. R. CIV. P. 12(B)(6) was filed with the Clerk of the Court on
February 8, 2018 by using the CM/ECF system, which will send a notice of electronic filing to
all registered users.

/s/ Natalie J. Spears
Natalie J. Spears

3

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 1 of 17 PageID #:46

UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF ILLINOIS
EASTERN DIVISION
KEEPER SECURITY, INC.

Case No. 1:17-cv-9117

Plaintiff,
v.

Hon. Joan Humphrey Lefkow

DAN GOODIN and ADVANCE MAGAZINE
PUBLISHERS INC. d/b/a CONDÉ NAST and
ARS TECHNICA,
Defendants.

MEMORANDUM OF LAW IN SUPPORT OF DEFENDANTS’ MOTION TO DISMISS

Natalie J. Spears
Gregory R. Naron
Jacqueline A. Giannini
DENTONS US LLP
233 S. Wacker Drive, Suite 5900
Chicago, IL 60606
Tel: (312) 876-8000
Fax: (312) 876-7934
natalie.spears@dentons.com
gregory.naron@dentons.com
jacqui.giannini@dentons.com

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 2 of 17 PageID #:47

Defendants in this case are Ars Technica, one of the country’s most respected technology
publications, and its veteran cybersecurity reporter and editor, Dan Goodin. Plaintiff Keeper
Security is a software developer. Defendants truthfully reported the findings of a noted Google
researcher that there was a security vulnerability in Plaintiff’s password manager product, which
had been bundled with Microsoft’s Windows 10 operating system. Plaintiff does not dispute that
the flaw existed. Nevertheless, in response to Defendants’ truthful report, Plaintiff tried to bully
Mr. Goodin into editing his news article to use language more to Plaintiff’s liking; Mr. Goodin
agreed to make certain edits, and declined others, standing by the accuracy of the reporting.
The would-be “inaccuracies” Plaintiff identifies in the article are – at best – of secondary
importance, and do not affect the article’s true “gist or sting”; for that reason alone, the
Complaint fails as a matter of law. Furthermore, most of the statements that the Complaint
alleges are “false and misleading” don’t have anything to do with Plaintiff, but rather, Microsoft.
Such statements are not “of and concerning” Plaintiff and cannot be the basis for a defamation
claim. Still other statements are subject to an innocent construction and are pure opinion, and
not actionable under Illinois law for those additional reasons. Simply put, Defendants’ article
uttered no falsehood that could have defamed Plaintiff. Nor does Plaintiff remotely plead
publication with actual malice as required by the First Amendment.
Plaintiff’s assertion that “[t]he goal, and result, of the Article was to injure Keeper and its
employees, and disparage Keeper’s products” (Compl. ¶ 34) is baseless hyperbole. The fact is,
Plaintiff brought this lawsuit seeking to punish, and ultimately enjoin, publication of essential
journalism on an matter of vital public concern – cybersecurity – involving a conceded
vulnerability in Plaintiff’s product. The technology community is open and transparent in
policing such vulnerabilities, and rightly so. Plaintiff, above all, should be interested in ensuring
consumers are protected from potential threats – not in using litigation to chill public discussion

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 3 of 17 PageID #:48

of such threats. Permitting this case to go forward would not only be contrary to law, it would
have a profoundly negative impact on important cybersecurity research and reporting generally.
FACTUAL BACKGROUND
Defendant Ars Technica “provides technology news, analysis and other information,
through the website arstechnica.com.” (Compl. ¶¶ 10; 20-21, 29.) Defendant Goodin is a veteran
cybersecurity reporter who since 2012 has been the Security Editor at Ars Technica, “where he
oversees coverage of malware, computer espionage and hardware hacking.” (Id. ¶¶ 11, 27.)
Plaintiff claims it is “an innovator and leader of password management software in the
United States with several million registered users and thousands of business customers” and that
its software is “one of the world’s most downloaded password management and digital vault
software for mobile devices and computers.” (Id. ¶¶ 3, 7.)
Plaintiff “sells and manages a software product called “Keeper® Password Manager &
Digital Vault” for managing user passwords and other private information.” (Id. ¶ 4.) One of the
“components” of that product is a “browser extension.” (Id.) When users “log into the
preinstalled Keeper application,” it “directs users to download and install a separate application,
namely the Keeper Browser Extension” as part of the default set up for all users. (Id. ¶ 6.)1
Plaintiff complains in this lawsuit about a December 15, 2017 Ars Technica online article
written by Mr. Goodin (the “Article”). (See Compl. ¶¶ 25-26 and Exh. 1.) The Article reported
on a critical vulnerability in Plaintiff’s product that had been discovered by Tavis Ormandy, a
respected cybersecurity researcher at Google. Mr. Ormandy’s December 14, 2017 report on the
matter – to which the Article links – is titled “Keeper: privileged ui injected into pages (again)”.
1

The browser extension “allows users to auto-fill login credentials (namely a user name and password)
into websites for access” (id. ¶ 5) – an essential part of the product that Plaintiff touts: “Managing
passwords is simple and intuitive with Keeper. Keeper generates strong passwords, auto-fills passwords
across your apps and sites with KeeperFill™ and organizes passwords on all platforms and devices.” See
https://keepersecurity.com/.

2

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 4 of 17 PageID #:49

(https://bugs.chromium.org/p/project-zero/issues/detail?id=1481&desc=3 (the “12/17 Ormandy
Rept.”).)2 Mr. Ormandy reports that he discovered a “password manager called ‘Keeper’” was
now “bundled” with Microsoft Windows 10, and found a “bug” in Keeper that amounted to “a
complete compromise of Keeper security, allowing any website to steal any password.” (Id.)
Plaintiff does not dispute Mr. Ormandy’s findings that there was a vulnerability “bug” in
Plaintiff’s product. To the contrary, the Complaint concedes that the bug “was specifically
related to Keeper’s Browser Extension” (Compl. ¶ 41), which Keeper users are prompted to
install (id. ¶ 6), and must install in order to use the product as intended. The existence of the
vulnerability is further conceded by the fact that Plaintiff had to fix it. Shortly after the Article
was published on December 15, Plaintiff posted a comment to the December 2017 Ormandy
report, stating that a new version of the program “was released 24 hours after [Mr. Ormandy’s]
report” and linking to Plaintiff’s blog post on the subject. (See Exh. A, 12/17 Ormandy Rept.,
Cmt. 6.) Plaintiff’s blog post explained:
On Dec 14 2017, Tavis Ormandy (a highly-respected security researcher at
Google) contacted us about a potential vulnerability in our browser extension
update. This potential vulnerability requires a Keeper user to be lured to a
malicious website while logged into the browser extension, and then fakes user
input by using a malicious code injection technique to execute privileged code
within the browser extension.
On Dec 15, 2017 (within 24 hours), we resolved this issue by removing the “Add
to Existing” UI flow and have taken additional steps to prevent this potential
vulnerability from occurring in the future.3
The December 2017 Ormandy Report also notes that Mr. Ormandy had previously filed a
bug report about how Keeper was “injecting privileged UI into pages . . . I checked and, they’re

2

A copy of the December 2017 Ormandy Report that is linked to in the Article is attached hereto as
Exhibit A for the Court’s convenience.
3

A copy of Plaintiff’s December 15, 2017 blog post (https://blog.keepersecurity.com/2017/12/15/updatefor-keeper-browser-extension-v11-4/) that is linked to in the December 2017 Ormandy Report is attached
hereto as Exhibit B for the Court’s convenience.

3

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 5 of 17 PageID #:50

doing the same thing again with this version.” Mr. Ormandy mounted the same basic test
“attack” on the Keeper product as he did 16 months earlier, in August 2016, and “the same attack
works.” The previous report, dated August 26, 2016, is titled “Keeper: Trusted UI is injected
into untrusted webpage” (https://bugs.chromium.org/p/project-zero/issues/detail?id=917 (the
“8/16 Ormandy Rept.”))4, and it is also linked to in the Article.5
As originally published December 15, 2017, Defendants’ Article (Compl., Exh. 1)
accurately reports the essential facts about the vulnerability in Plaintiff’s product:


Ormandy’s December 2017 Report said that the Keeper Password Manager “contained a
critical flaw he had found in August 2016” and that “[t]he bug . . . represents ‘a complete
compromise of Keeper security, allowing any website to steal any password’”;



“With only basic changes to ‘selectors’” the same test attack (“old proof-of-concept
exploit”) that Ormandy conducted in August 2016 “worked on the [December 2017]
version” of Plaintiff’s product;



“Ormandy said Keeper developers have released a fixed version”; and



“Fortunately, Windows 10 users aren't vulnerable unless they open Keeper and begin
trusting it with their passwords.”
The same day the Article was published, on December 15, 2017, Plaintiff contacted Mr.

Goodin to demand changes be made to the Article’s language. (Compl. ¶¶ 35-38.) Because the

4

The August 2016 Ormandy Report linked to in the Article is attached hereto as Exhibit C for the
Court’s convenience.
5

On August 28, 2016, Plaintiff posted a comment to the 8/16 Ormandy Rept., stating that “This issue has
been fixed with Keeper Browser Extension v10.1.3” and linking to Plaintiff’s blog post on the subject.
(See Exh. C, 8/16 Ormandy Rept., Cmt. 7.) Plaintiff’s blog post explained “based on the analysis
provided by Tavis Ormandy. . . a highly-respected security analyst at Google,” Plaintiff took steps to
“address[] and resolve[]” the vulnerability that Mr. Ormandy identified. A copy of Plaintiff’s August 28,
2016 blog post (https://blog.keepersecurity.com/2016/08/28/security-update-for-keeper-browserextension/) is attached hereto as Exhibit D for the Court’s convenience.

4

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 6 of 17 PageID #:51

Article was fundamentally accurate, Mr. Goodin only agreed to make certain minor edits and did
not change the key points about which Plaintiff now sues.6
ARGUMENT
I.

Rule 12(b)(6) Dismissal Standard.
Upon scrutiny, the Complaint fails as a matter of law based on Plaintiff’s own allegations

and attachments. A “motion to dismiss must be decided on the face of the complaint, including
material appended to the complaint as exhibits.” Sangston v. Ridge Country Club, No. 92-cv-1981,
1992 WL 317138, at *1 (N.D. Ill., Oct. 29, 1992) (dismissing defamation claim); Bogie v.
Rosenberg, 705 F.3d 603, 609 (7th Cir. 2013) (“district courts are free to consider ‘any facts set
forth in the complaint that undermine the plaintiff’s claim,’” including exhibits, which control over
complaint allegations) (citations omitted). In addition to the Article annexed to the Complaint, the
Court may consider the posts and articles linked to within the Article, as part of the context of the
alleged defamation. Doctor’s Data, Inc. v. Barrett, 170 F. Supp. 3d 1087, 1132 n. 45 (N.D. Ill.
2016) (the courts “have treated hyperlinked material as part of the context of allegedly defamatory
statements”).7 “And while the Court must take all well-pleaded allegations in a complaint as true
for the purposes of determining a motion to dismiss, the Court need not ‘take the plaintiff’s
interpretation of the allegedly defamatory words at face value.’” Ludlow v. Northwestern Univ.,
6

Complaint Exhs. 2 and 3 are versions of the Article that were published after Plaintiff complained about
the Article. (See Compl. ¶¶ 38-39.) Mr. Ormandy also refused Plaintiff’s demands to change the wording
of his Report, explaining why the Report is accurate and in particular why Plaintiff’s browser extension is
not a “separate product to their Keeper desktop application” but instead, as Plaintiff acknowledges, users are
prompted to install the browser extension as part of the “default setup flow” for the product. See Ormandy
Rept., Cmt. 7 dated 12/17/17 (https://bugs.chromium.org/p/project-zero/issues/detail?id=1481&desc=3).
7

See also, e.g., McKee v. Cosby, 874 F.3d 54, 64 (1st Cir. 2017) (defendant’s letter provided links to
articles from which allegedly defamatory statements were drawn, “enabling readers to examine the
sources for themselves and consider the comments in context”; affirming dismissal); Boley v. Atl. Monthly
Grp., 950 F.Supp.2d 249, 262 (D.D.C. 2013) (“[i]n referring to Boley as a warlord in his February 11,
2010 article, Goldberg provided a hyperlink to his January 27, 2010 article, thus incorporating that article
by reference and providing the necessary context for the allegedly defamatory remark”); Nicosia v. De
Rooy, 72 F.Supp.2d 1093, 1103 (N.D. Cal. 1999) (facts on which allegedly defamatory post relied were in
hyperlinked articles, which court “considers . . . part of the context of the embezzlement accusation”).

5

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 7 of 17 PageID #:52

79 F.Supp.3d 824, 838 (N.D. Ill. 2015) (quoting Lott v. Levitt, 556 F.3d 564, 569 (7th Cir. 2009)
(italics in original)); see also Ashcroft v. Iqbal, 556 U.S. 662, 681 (2009) (conclusory allegations
are “not entitled to be assumed true”); Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 555 (2007).
II.

Plaintiff’s Defamation Claim Fails as a Matter of Law for Multiple Reasons.
A.

Defamation Requires a False Statement, and “Substantially True”
Statements Are Not Actionable.

“[F]alsity is an element of the plaintiff’s defamation claim” under Illinois law.8 Voyles v.
Sandia Mortg. Corp., 196 Ill.2d 288, 299-300 (2001); Phila. Newsp. v. Hepps, 475 U.S. 767, 778
(1986). Equally fundamental, “[t]ruth is a defense, indeed the ultimate defense, to any action for
defamation.” Bradley v. Avis Rental Car Sys., Inc., 902 F. Supp. 814, 820 (N.D. Ill. 1995). A
defendant “need demonstrate only the ‘substantial truth’ of the allegedly defamatory material to
establish the defense of truth”; i.e. that “the ‘gist’ or ‘sting’” of the statements is true. Harrison
v. Chi. Sun-Times, Inc., 341 Ill.App.3d 555, 563 (2003) (affirming dismissal); Haynes v. Alfred
A. Knopf, Inc., 8 F.3d 1222, 1227–29 (7th Cir. 1993) (“if the gist of a defamatory statement is
true,. . . error in detail is not actionable”). The Illinois courts and federal courts applying Illinois
law routinely grant motions to dismiss defamation claims on substantial truth grounds.9

8

“When the defamatory statement is communicated in many different states, it makes sense to apply the
law of the plaintiff’s domicile, and that is the usual result in Illinois.” Kamelgard v. Macura, 585 F.3d
334, 341 (7th Cir.2009). However, under the doctrine of dépeçage, the law of California applies with
respect to the substantive privilege created by that state’s anti-SLAPP statute. See Defts’ Special Mot. to
Strike Pursuant to Cal. C.C.P. § 425.16.
9

All of the following cases affirm or grant dismissal at the pleadings stage on substantial truth grounds:
Kapotas v. Better Gov’t Ass’n, 2015 IL App (1st) 140534; Coghlan v. Beck, 2013 IL App (1st) 120891;
Moore v. PETA, 402 Ill.App.3d 62 (2010); Gist v. Macon Cty, Sheriff’s Dept., 284 Ill.App.3d 367 (1996);
Lemons v. Chronicle Publ. Co., 253 Ill.App.3d 888 (1993); Am. Intern. Hosp. v. Chi. Tribune Co., 136
Ill.App.3d 1019 (1985); Kilbane v. Sabonjian, 38 Ill.App.3d 172 (1976); Ludlow v Northwestern Univ.,
79 F.Supp.3d 824; Mouloki v. Epee, No. 14-cv-5532, 2016 WL 910496 (N.D. Ill. Mar. 10, 2016); Krieger
v. Adler, Kaplan & Begy, No. 94-cv-7809, 1996 WL 6540, at *9 (N.D. Ill., Jan. 5, 1996).

6

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 8 of 17 PageID #:53

“[A]llegedly defamatory material is not actionable even where it is not technically
accurate in every detail.” Harrison, 341 Ill.App.3d at 563; Pope v. Chronicle Publ. Co., 95 F.3d
607, 613 (7th Cir. 1996). As the Seventh Circuit has emphasized, in evaluating a statement’s
substantial truth, courts should not engage in “fine splitting of semantic hairs” that “might leave
room to argue about its literal truth.” Wesbrook v. Ulrich, 840 F.3d 388, 395 (7th Cir. 2016)
(applying similar Wisconsin law). Instead, when determining the “gist” or “sting” of allegedly
defamatory material, a court must “look at the highlight of the article, the pertinent angle of it,
and not to items of secondary importance which are inoffensive details, immaterial to the truth of
the defamatory statement.” Vachet v. Central Newsp., Inc., 816 F.2d 313, 316 (7th Cir. 1987).
Here, the “gist” of the Article, and its “sting” as it pertains to Plaintiff, is that Plaintiff’s
product had a security vulnerability that it was forced to fix, and the same (or virtually identical)
kind of flaw occurred with respect to the same component 16 months earlier. Both on the face of
the Complaint and by reference to the Article it attaches (and the information linked to therein),
that gist or sting is substantially true. See Am. Intern. Hosp., 136 Ill.App.3d at 1023 (report that
plaintiff had been “refused accreditation” by committee substantially true where allegations of
falsity were “internally contradicted” by document reflecting committee’s decision “not to
accredit”); Krieger, 1996 WL 6540, at *9; Coghlan, 2013 IL App (1st) 120891 at ¶¶ 45-46.
As a result of this reality, the Complaint represents precisely the kind of technical
hairsplitting the courts refuse to indulge when evaluating substantial truth. See, e.g., Ludlow, 79
F.Supp.3d at 839 (stating that professor was placed on “leave of absence” substantially true even
though he had only agreed not to teach spring quarter which was “not technically a leave of
absence”); Lerman v. Turner, No. 10-cv-2169, 2013 WL 4495245, *18 (N.D. Ill. Aug. 21, 2013)
(Lefkow, J.) (statement that professor was “terminated for misusing grant funds for a nonpermitted purpose” substantially true even though “it would have been more technically accurate”
7

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 9 of 17 PageID #:54

to say she had “only been suspended without pay while the [college’s] review was pending”).10
To begin, Plaintiff’s principal contention is that the admitted vulnerability was “related to
Keeper’s Browser Extension which is not ‘bundled’ or ‘preloaded’” but “must be separately installed.”
(Compl. ¶¶ 41-42.) However, the fact that the bug resides in Plaintiff’s browser extension does not
affect the substantial truth of the statement that, before Plaintiff patched it, a key component of
Plaintiff’s product contained a flaw and someone who used it was subject to security vulnerability. As
Plaintiff concedes (id. ¶ 6), the Keeper application that Microsoft bundled with Windows 10 prompts
users to install the extension. If the product is to be used as intended, the flawed browser extension
must be installed; it’s part of the default installation and integral to how the product is intended to
work. Mr. Ormandy further illuminates this very point. See supra, fn. 6. Thus, the notion that the
Keeper browser extension is wholly “separate” from the Keeper software application is simply
untenable. Even if it were, no greater “sting” is conveyed by the fact that the conceded flaw pertains
to one component of Plaintiff’s product instead of the other. Presumably, Plaintiff vouches for the
security of all the components of its product.
Plaintiff’s other attempts to contrive a different, defamatory sting also fall woefully short.
Plaintiff asserts that the Article misled users to “believe that they were infected simply by having the
Keeper software application installed on their device(s)” with Windows 10. (Compl. ¶ 32.) But the
Article nowhere states or implies any such thing. Just the opposite, it explicitly states that
“Windows 10 users aren’t vulnerable unless they open Keeper and begin trusting it with their
passwords.” (Id. ¶ 30, stmt. #7 (emphasis added).) “Where the plaintiff’s own characterization is
10

And, by way of example, the allegations here also stand in marked contrast to the material and far from
technical errors alleged in Trudeau v. ConsumerAffairs.com, Inc., No. 10-cv-7193, 2011 WL 3898041, *7
(N.D. Ill. Sept. 6, 2011) (Lefkow, J.), which made plaintiff into a convicted criminal awaiting sentencing,
and the subject of a federal fraud judgment, when neither was true. Id. at *7. Unlike Trudeau, the “gist”
of the Article here is not “open to debate” (id.) – the fundamental basis for any alleged defamation of
Keeper is that its product had a bug, and that is concededly true. See id. (noting dismissal warranted “if
the plaintiff more or less concedes the essential truth of the alleged defamatory statement”).

8

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 10 of 17 PageID #:55

not substantially different from the allegedly defamatory language, such language may be deemed
substantially true.” Harrison, 341 Ill.App.3d at 563. And so it is here.
Plaintiff also asserts that the Article “made false and misleading statements about the Keeper
software application suggesting that it had a 16-month old bug that allowed sites to steal user
passwords.” (Compl. ¶¶ 1, 25, 30, stmt. #2.) The Complaint does not explain how the Article’s “16month-old bug” statement is false – because, again, it is not.
As the Complaint alleges, the “bug” that Mr. Ormandy discovered in December 2017 “was
specifically related to Keeper’s Browser Extension” (id. ¶ 41); the bug he discovered 16 months
earlier, in August 2016, also related to the browser extension and also required Keeper to issue a fix.
(See Exh. C, 8/16 Ormandy Rept. and Keeper’s Cmt. 7 thereto.) Plaintiff concedes that its current
browser extension had a security vulnerability, and does not – because it cannot – dispute that a similar
bug affecting the same component existed 16 months ago. Mr. Ormandy concluded that the nature of
the December 2017 bug was the same as the one he encountered 16 months earlier, and the test code
that he used to expose it was essentially the same. (See Exh. A, 12/17 Ormandy Rept.) That is what
the Article accurately reported. (Compl., Exh. 1 (Dec. 2017 version of Keeper “contained a critical
flaw [Ormandy] had found in August 2016” that was exposed by same test (“proof-of-concept
exploit”) previously used “with only basic changes to the selectors”.)
In short, Plaintiff’s attempt to coax defamatory inferences from true statements fails. Such
inferences “cannot be the basis for liability. The words spoken were true.” Parker v. Bank of
Marion, 296 Ill.App.3d 1035, 1038 (1998) (where statement that plaintiff was “fired for touching
women” was true, inference that he was fired for “sexual harassment” was not basis for liability)..
B.

The Allegedly Defamatory Statements Also Are Not Actionable Because
They Are Subject to an Innocent Construction.

Plaintiff’s Complaint also fails under Illinois’ innocent construction rule for defamation

9

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 11 of 17 PageID #:56

claims. Anderson v. Vanden Dorpel, 172 Ill. 2d 399, 412-13 (1996). The Illinois innocent
construction rule provides that if, “considered in context, . . . the [allegedly defamatory]
statement may reasonably be innocently interpreted or reasonably be interpreted as referring to
someone other than the plaintiff it cannot be actionable per se.” Pope, 95 F.3d at 613 (citations
omitted). In applying the rule, the import of the entire article must be considered; thus, the
“headline and news report to which it refers must be considered together[.]” Salamone v.
Hollinger Int’l, Inc., 347 Ill. App. 3d 837, 840-41 (2004); Kapotas, 2015 IL App (1st) 140534, ¶
58 (same). And if, read in context, a publication has a reasonable non-defamatory interpretation,
dismissal is warranted; no balancing between competing reasonable interpretations is allowed.
Id.; Lott, 556 F.3d at 568 (“Courts need not weigh the relative value of competing constructions;
instead, any reasonable, nondefamatory interpretation is the one that sticks”; dismissal affirmed).
The “guilty” readings of the Article that Plaintiff proffers are patently unreasonable, and
cannot be actionable under Illinois law. One of Plaintiff’s main assertions is that the Article
“misled users of any computer running Microsoft Windows 10, who were led to believe that they
were infected simply by having the Keeper software application installed on their device(s)” and
“[t]here has been no reported or actual security breach or loss of customer information in
connection with the subject of the Article.” (Compl. ¶¶ 32-33.) First (and again), the Article
nowhere states or implies that users are “infected” per se or that actual breaches had been
reported. Second, Plaintiff’s reading is directly contradicted by a passage that Plaintiff quotes:
“Fortunately, Windows 10 users aren’t vulnerable unless they open Keeper and begin trusting it
with their passwords.” (Id. ¶ 30, stmt. #7 (emphasis added).) Thus, the Article on its face
explicitly defeats Plaintiff’s “guilty” construction.
Similarly misguided, Plaintiff asserts that the Article “omitted material facts about the
purported ‘vulnerability’ that was its subject” – namely, that before the vulnerability “could have
10

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 12 of 17 PageID #:57

any chance to impact a user,” it would have to be installed and the user visit a “malicious website.”
(Id. ¶ 40.) The vulnerability is not “purported” – it concededly existed and Plaintiff had to fix it.
See supra. But in any event, once again, the Article nowhere suggested that computers were
“infected” per se – just the opposite. To be “vulnerable” to attack users have to “begin trusting
[Keeper] with their passwords.” (Id. ¶ 30, stmt. #7.) Even without that explicit qualification, any
reasonable reader would immediately understand that a security vulnerability is just that: it requires
a malicious actor to take advantage of it.11 Thus, “the common usage” of “vulnerable” in the this
context already incorporates the concept Plaintiff thinks needed to be spelled out, and its attempt to
foist a defamatory construction must fail. Harrison, 341 Ill.App.3d at 570. 12 In essence, Plaintiff
wants to substitute its word choices for that of Defendants. But Plaintiff does not get to re-write
the Article to its own liking. Both Illinois law and the First Amendment protect a newspaper’s
editorial control over “what and what not to publish.” Matchett v. Chi. Bar Ass’n, 125 Ill.App.3d
1004, 1008 (1984) (citing Miami Herald Publ. v. Tornillo, 418 U.S. 241, 258 (1974)).
The innocent construction rule “encourag[es] the robust discussion of daily affairs,” and
“insures that no article will be held libelous unless the editors know that the only reasonable
interpretation which can be given to their article is defamatory.” Dauw v. Field Enterps., 78
Ill.App.3d 67, 71 (1979). Allowing defamation claims to be premised on the kinds of strained
implications that Plaintiff unreasonably draws from the Article would have a chilling effect on the
11

By definition, a “vulnerability” is “[t]he quality or state of being exposed to the possibility of being
attacked or harmed, either physically or emotionally.” (https://en.oxforddictionaries.com/definition/
vulnerability). The same is true .in the computer security context; “Vulnerability is a cyber-security term
that refers to a flaw in a system that can leave it open to attack. …Cutting down vulnerabilities provides
fewer options for malicious users to gain access to secure information.” (https://www.techopedia.com/
definition/13484/vulnerability).
12

Indeed, the Article links to the Ormandy Report, which in turn links to Plaintiff’s own explanation that
“this potential vulnerability requires a Keeper user to be lured to a malicious website while logged into
the browser extension[.]” (12/17 Ormandy Rept., Cmt. 6, and linked blog post, Exhs. A, B hereto.) As
such, readers had all the information and context that Plaintiff thinks they should have had about the
admitted vulnerability. See McKee, 874 F.3d at 64 (links “enabl[ed] readers to examine the sources for
themselves and consider the comments in context”).

11

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 13 of 17 PageID #:58

robust discussion of computer security vulnerabilities. The public interest – in the security of
elections, infrastructure, and a host of personal information – cannot tolerate that chill.
C.

Plaintiff Complains of Statements That Are “Of and Concerning” Microsoft,
Not Plaintiff, and Statements That Voice Pure, Non-Actionable Opinions.

As noted, the innocent construction rule also holds that if statements can reasonably be
interpreted “as referring to someone other than the plaintiff,” they “cannot be actionable[.]” Pope,
95 F.3d at 613 (citations omitted). That part of the rule adverts to another element of defamation:
that the complained-of statement must be “of and concerning” the plaintiff. Flip Side, Inc. v. Chi.
Tribune Co., 206 Ill.App.3d 641, 654 (1990). In other words, to be actionable, a reader must have
“reasonably understood” the alleged defamation to refer to plaintiff. Beresky v. Teschner, 64
Ill.App.3d 848, 851 (1978). Here, “considered in context,” most of the allegedly “false and
misleading statements” Plaintiff identifies in the Article may be reasonably read as referring to the
conduct of “someone other than the plaintiff” – namely, Microsoft. (See Compl. ¶ 30 stmt. ##1, 3,
4 (Microsoft is “forcing” or “quietly forcing” users to install Keeper); id., stmt. ##8-11
(questioning “the security vetting Microsoft gives to apps it bundles with Windows”).)13
Illinois law also holds that opinions “cannot be ‘false’” and their “expression can never
result in liability for slander or libel[.]” Mittelman v. Witous, 135 Ill. 2d 220, 241 (1989). An
opinion “is actionable only if it implies the allegation of undisclosed defamatory facts as the basis
for the opinion.” Hopewell v. Vitullo, 299 Ill.App.3d 513, 518 (1998) (quoting Restatement
(Second) of Torts, § 566 (emphasis added)). But “[i]f all that the communication does is to express
a harsh judgment upon known or assumed facts, there is no more than an expression of opinion of
13

See, e.g., Chi. City Day Sch., 297 Ill.App.3d at 475-76 (statements criticizing demolition of a historic
structure could reasonably be read as “of and concerning” someone other than plaintiff); Kirchner v.
Greene, 294 Ill.App.3d 672, 681-82 (1998) (news articles’ statements that transfer of custody to biological
father was a “crime” and an “atrocity” were directed to court’s decision not father’s conduct); Harte v. Chi.
Council of Lawyers, 220 Ill. App.3d 255, 261 (1991) (statements that plaintiff lawyer was beneficiary of
judicial “favoritism” were “innocently (indeed logically) construed as criticizing” the court, not plaintiff).

12

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 14 of 17 PageID #:59

the pure type, and an action of defamation cannot be maintained.” Restatement (Second) of Torts,
§ 566, cmt. d; Mittelman, 135 Ill.2d at 242 (“‘Pure opinion’ . . . denote[s] an expression of opinion
by which the maker of a comment states the facts on which he bases his opinion of the plaintiff and
then expresses a comment as to the plaintiff's conduct, qualifications or character”).
Characterizing Plaintiff’s product as “critically flawed” (Compl. ¶ 30, stmt. #1) is pure
opinion based on disclosed (and substantially true) facts. Likewise, the statement that a copy of
Keeper that came pre-installed “without notice or permission” on Mr. Ormandy’s “newly built
Windows 10 system” was “unwanted” (id., stmt. #5) is Mr. Goodin’s characterization of Mr.
Ormandy’s dismay that Microsoft had, unbidden, included Keeper in his “pristine” Windows 10
system. (See Exh. A, 12/17 Ormandy Rept.)14 Not only is this statement pure opinion, it is “of and
concerning” Microsoft, not Plaintiff, as noted supra. The same is true of the Article’s questioning
of Microsoft’s “process . . . for ensuring the security of third-party apps that get installed on
Windows 10 machines” and “how the Keeper vulnerability slipped through anyway.” (Compl. ¶
30, stmt. ##8-11.) Mr. Goodin is “expressing a subjective view, an interpretation, a theory,
conjecture, or surmise, rather than claiming to be in possession of objectively verifiable facts,”
Haynes, 8 F.3d at 1227, and his queries concern Microsoft’s conduct, not Plaintiff’s.
D.

Plaintiff Does Not Plead Actual Malice As The First Amendment Requires.

In addition, Plaintiff – who claims the mantle of an industry “innovator and leader”
whose password management software is “one of the world’s most downloaded” (Compl. ¶¶ 3,
7) – is, by its own admissions, a public figure. See, e.g., Kessler v. Zekman, 250 Ill.App.3d 172,
179-85 (1993); Telewizja Polska USA, Inc. v. Echostar Satellite Corp., No. 02-cv-3293, 2004
14

The 12/17 Ormandy Rept. links to a discussion on Reddit in which other Windows 10 users noted that
Keeper was now pre-installed, some with evident dismay (“That’s unsettling”; “I removed the crapware
again”; “I've uninstalled this thing 3 times now”; “Just got this installed today via the
WindowsUpdateClient. Ugh”). (See https://www.reddit.com/r/Windows10/comments/6dpj78/keeper
_password _manager_comes_preinstalled_now/).

13

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 15 of 17 PageID #:60

WL 2367740, *4 (N.D. Ill. Oct. 15, 2004). As such, Plaintiff must meet the constitutional
standard of actual malice to state a claim – i.e., that Defendants purposely published known
falsehoods, or in fact entertained serious doubts as to the truth of the Article prior to publication.
New York Times Co. v. Sullivan, 376 U.S. 254, 279-80 (1964). Plaintiff has not and cannot do
so; merely reciting the actual malice standard in conclusory fashion does not cut it. (See Compl.
¶¶ 43, 52.) “[T]he bare conclusory claim of malice, unaccompanied by allegations from which
the required subjective element of malice might be inferred, is insufficient to survive a motion to
dismiss.” Pippen v. NBC Univ. Media, No. 11-cv-8834, 2012 WL 12903167, *2 (N.D. Ill. Aug.
2, 2012), aff’d, 734 F.3d 610 (7th Cir. 2013) (citing Iqbal, 556 U.S. at 686-87). And Plaintiff’s
allegation that “Goodin failed to speak with Keeper, and failed to verify his facts with Keeper or
Microsoft, before publishing the Article” (Compl. ¶ 31), “is precisely what the Supreme Court
has said is insufficient to establish reckless disregard for the truth.” Pippen, 734 F.3d at 614
(citing Harte-Hanks Commc’ns, Inc. v. Connaughton, 491 U.S. 657, 688 (1989)).
III.

Plaintiff’s Tag-Along Claims For “Commercial Disparagement” and Violation of
the Illinois Deceptive Trade Practices Act Fail as a Matter of Law.
Plaintiff’s claims for “commercial disparagement” and violation of the Illinois Deceptive

Trade Practices Act, 815 ILCS § 510/2 (“DTPA”), are based solely on the same allegedly
defamatory Article, and the same limitations and privileges that doom its defamation claim apply
to these claims, regardless of how Plaintiff chooses to characterize its cause of action.
Permitting Plaintiff to found its other tort claims on the same facts would allow it to avoid the
rules of defamation law, and on this ground alone they should be dismissed.15

15

See, e.g., Brown & Williamson Tobacco Corp. v. Jacobson, 713 F.2d 262, 273-74 (7th Cir. 1983)
(upholding dismissal of tortious interference DTPA claims as “makeweights”; allowing claims would
“enabl[e] the plaintiff to avoid the specific limitations with which the law of defamation -- presumably to
some purpose -- is hedged about”); Genelco, Inc. v. Bower, 181 Ill.App.3d 1, 7 (1989) (applying
defamation privilege to commercial disparagement and tortious interference claims).

14

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 16 of 17 PageID #:61

Additionally, “Illinois state courts have held that, in effect, the DTPA codified the
common law tort of commercial disparagement.” World Kitchen, LLC v. Am. Ceramic Soc’y, No.
12-cv-8626, 2015 WL 5461564, at *2 (N.D. Ill. Sep. 15, 2015). And such claims are limited to
commercial speech. World Kitchen, LLC v. Am. Ceramic Soc’y, No. 12-cv-8626, 2015 WL
3429380, at *2 (N.D. Ill. May 27, 2015) (plaintiff “must also prove that the alleged speech at
issue, Defendants’ published article, was commercial and not protected by the First
Amendment”) (citing People ex. rel. Hartigan v. Maclean Hunter Publ’g Corp., 119 Ill.App.3d
1049, 1059-61 (1983) (DTPA prohibits “commercial speech”; while defendant’s allegedly
misleading advertising of its “Red Book” manual of vehicle pricing information was potentially
actionable under the Act, the contents of the book were not)).16
Finally, the DTPA does not afford damages, and even if Plaintiff could otherwise state a
claim, it has not “alleged facts sufficient to show a need for injunctive relief,” i.e., has “shown no
basis for assuming a threat of future misrepresentations” Am. Pet Motels v. Chi. Vet. Med. Ass’n,
106 Ill.App.3d 626, 633 (1982).
CONCLUSION
Defendants respectfully request that the Court dismiss the Complaint with prejudice.

Dated: February 8, 2018

Respectfully submitted,
/s/ Natalie J. Spears
One of the attorneys for Defendants

16

In World Kitchen, the evidence showed “that the speech at issue is noncommercial speech and, thus, is
not prohibited by the DTPA.” World Kitchen v. Am. Ceramic Soc’y, No. 12-cv-8626, 2016 WL 3568723,
*7 (N.D. Ill. June 30, 2016). While in World Kitchen, there was a fact issue as to whether defendant trade
association’s statements about plaintiff cookware manufacturer were made with an economic motive, no
such question exists here. The Article was fully First Amendment protected journalism.

15

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 17 of 17 PageID #:62

CERTIFICATE OF SERVICE
I hereby certify that a true and correct copy of the foregoing MEMORANDUM OF LAW IN
SUPPORT OF DEFENDANTS’ MOTION TO DISMISS was filed with the Clerk of the
Court on February 8, 2018 by using the CM/ECF system, which will send a notice of electronic
filing to all registered users.

/s/ Natalie J. Spears
Natalie J. Spears

16

 Case: Document #2 15-1 Filed: 02/08/18 Page 1 of 3 PageID #:63

Case: 1:17-cv-09117 Document #: 15-1 Filed: 02/08/18 Page 2 of 3 PageID #:64
https://bugs.chromium.org/p/project-zero/issues/detail?id=1481&desc=3

Go

3 captures

Monorail
New issue

Issues

Project: project-zero ▼
Search

Open issues

Issue 1481

Starred by 1 user
Status: Fixed
Owner: taviso@google.com
Closed: Today
Cc:

16

2016 2017 2018

16 Dec 2017 - 31 Dec 2017

project-...@google.com

Deadline-90
Finder-taviso
Severity-Critical
CCProjectZeroMembers
Product-Keeper
Vendor-Keeper
Reported-2017-Dec-13

People

Development process

⍰
f

NOV DEC JAN

▾ About this capture

History

for

Search

Sign in
Advanced search

Search tips

keeper: privileged ui injected into pages (again)
Proj ect Member

Reported by taviso@google.com, Dec 14 (2 days ago)

Back to list

I recently created a fresh Windows 10 VM with a pristine image
Description #3 (taviso@google.com, Yesterday)
from MSDN, and found that a password manager called "Keeper" is
now installed by default. I'm not the only person who has noticed this:
https://www.reddit.com/r/Windows10/comments/6dpj78/keeper_password_manager_comes_preinstalled_now/
I assume this is some bundling deal with Microsoft. I've heard of Keeper, I remember filing a bug a while ago
about how they were injecting privileged UI into pages (
issue 917
). I checked and, they're doing the same
thing again with this version. I think I'm being generous considering this a new issue that qualifies for a
ninety day disclosure, as I literally just changed the selectors and the same attack works.
Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password.
Here is a working demo that steals your twitter password:
https://lock.cmpxchg8b.com/keepertest.html

Sign in to add a comment

❎

Please consider adding regression tests before releasing an update for this issue.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

Windows 7-2017-12-13-16-3337.png
43.2 KB View Download

Proj ect Member

Comment 1 by taviso@google.com, Dec 14 (2 days ago)

Description: Show this description
Proj ect Member

Comment 2 by taviso@google.com, Yesterday (31 hours ago)

Description: Show this description
Proj ect Member

Comment 3 by taviso@google.com, Yesterday (31 hours ago)

Keeper replied "we should have a fix built tomorrow and I will let you know when it has been published".
We discussed possible fixes, it sounds like they're just going to disable the feature for now.

Proj ect Member

Comment 4 by taviso@google.com, Today (21 hours ago)

Status: Fixed
Keeper have told me they've released a fixed version.
Proj ect Member

Comment 5 by taviso@google.com, Today (9 hours ago)

Labels: -Restrict-View-Commit

Comment 6 by cr...@keepersecurity.com, Today (4 hours ago)
Version 11.4.4 was released 24 hours after the report. Here's our blog post:
https://blog.keepersecurity.com/2017/12/15/update-for-keeper-browser-extension-v11-4/

 Case: 1:17-cv-09117 Document #: 15-1 Filed: 02/08/18 Page 3 of 3 PageID #:65
►

Sign in to add a comment

About Monorail

Feedback on Monorail

Terms

Privacy

 Case: Document #2 15-2 Filed: 02/08/18 Page 1 of 3 PageID #:66

2/6/2018

Update for Keeper
Browser
Extension
11.4.4 - Keeper
Case: 1:17-cv-09117 Document
#: 15-2
Filed:
02/08/18
PageBlog
2 of 3 PageID #:67

(https://keepersecurity.com/)

Update for Keeper Browser Extension 11.4.4
On Dec 8 2017, Keeper released a major new browser extension update (Version 11.3) that
introduced several new features and improvements to the user experience, including improved form
filling and automation features.
On Dec 14 2017, Tavis Ormandy (a highly-respected security researcher at Google) contacted us
about a potential vulnerability in our browser extension update. This potential vulnerability requires a
Keeper user to be lured to a malicious website while logged into the browser extension, and then
fakes user input by using a malicious code injection technique to execute privileged code within the
browser extension.
On Dec 15, 2017 (within 24 hours), we resolved this issue by removing the “Add to Existing” UI flow
and have taken additional steps to prevent this potential vulnerability from occurring in the future.
Even though no customers were adversely affected by this potential vulnerability, we take all reported
security issues, vulnerabilities and bug reports seriously. The security and protection of customer
information and data is our top priority at Keeper.
From the time we were notified of this issue, we resolved it and issued an automatic browser
extension update to our customers within 24 hours (Dec 15, 2017).
All customers running Keeper’s browser extension on Edge, Chrome, Firefox and Safari have already
received Version 11.4.4 (or newer version) through their respective web browser extension update
process. Customers can also manually install the latest version of the KeeperFill browser extension by
visiting Keeper’s download page (https://keepersecurity.com/download.html). All previous versions of
the browser extension have been deprecated and therefore, will no longer function.
No reports of any customers affected by this bug have been reported to Keeper. Mobile Apps and
Desktop Applications were not affected and do not require updates.
Please contact us at security@keepersecurity.com with any questions about this security update. For
general help, contact us at support@keepersecurity.com.
Thank you for staying protected with Keeper.

 December 15, 2017

 Craig Lurey

Search

RecentCookies
Postshelp us make our services better. By using our services, you agree to our use of cookies.
https://keepersecurity.com/blog/2017/12/15/update-for-keeper-browser-extension-v11-4/



Ok
1/2

 2/6/2018

Update for Keeper
Browser
Extension
11.4.4 - Keeper
Case: 1:17-cv-09117 Document
#: 15-2
Filed:
02/08/18
PageBlog
3 of 3 PageID #:68

CES Raises Privacy Awareness Concerns (https://keepersecurity.com/blog/2018/01/27/ces-privacy-concerns/)
How Can I Store and Protect My Digital Certificates and Access Keys?
(https://keepersecurity.com/blog/2018/01/26/storing-digital-certs-access-keys/)
Thank You For Being a Part of Our Amazing 2017! (https://keepersecurity.com/blog/2018/01/05/thank-part-amazing2017/)
Important Cybersecurity Information About “Meltdown” and “Spectre”
(https://keepersecurity.com/blog/2018/01/04/important-cybersecurity-information-meltdown-spectre/)
Response to Princeton’s Center for Information Technology Policy Article
(https://keepersecurity.com/blog/2018/01/02/response-princetons-center-information-technology-policy-article/)




(https://www.linkedin.com/company/keeper-security-inc-)




(https://twitter.com/keepersecurity)




(https://www.facebook.com/keeperapp)
Terms of Use (https://keepersecurity.com/termsofuse.html)
Privacy Policy (https://keepersecurity.com/privacypolicy.html)
Copyright © 2018 Keeper Security, Inc.

Cookies help us make our services better. By using our services, you agree to our use of cookies.
https://keepersecurity.com/blog/2017/12/15/update-for-keeper-browser-extension-v11-4/

Ok
2/2

 Case: Document #2 15-3 Filed: 02/08/18 Page 1 of 3 PageID #:69

Case: 1:17-cv-09117 Document #: 15-3 Filed: 02/08/18 Page 2 of 3 PageID #:70
https://bugs.chromium.org/p/project-zero/issues/detail?id=917

Go

6 captures

Monorail
New issue

12

2016 2017 2018

27 Aug 2016 - 10 Jan 2018

Project: project-zero ▼
Search

Open issues

Issue 917

Starred by 2 users
Status: Fixed
Owner: taviso@google.com
Closed: Nov 2016
Deadline-90
Finder-taviso
Severity-High
Reported-2016-Aug-25
Product-Keeper
Vendor-Keeper

Sign in to add a comment

Issues

People

Development process

⍰
f

FEB DEC JAN

▾ About this capture

History

for

Search

❎

Sign in
Advanced search

Search tips

Keeper: Trusted UI is injected into untrusted webpage
Proj ect Member

Reported by taviso@google.com, Aug 26 2016

Back to list

I took a quick look at Keeper, a password manager for Windows, Mac, Linux. The extension injects it's trusted UI
into untrusted webpages with a content script. I don't think that's safe to do.
I'm not a web developer, but you can see what I mean in the attached example. I only tested it in Chrome.
A more polished example is obviously possible.
The example does this:
1. Click the little keeper icon you add to input boxes, that's just: document.getElementById('keeper-icon2').click();
2. Click the search button in the popup that appears.
3. Search for "Google", e.g. document.getElementById('keeper-search-box-input').value="Google"
4. wait for the search results to appear, then hide the iframe.
5. When the user is about to click, display it and then wait for the password to be inserted.
6. Now the page can read the password.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Comment 1
Proj ect Member

Deleted
Comment 2 by taviso@google.com, Aug 26 2016

I tried to make the example more reliable.

keeper.html
5.0 KB View

Comment 3
Proj ect Member

Download

Deleted
Comment 4 by taviso@google.com, Aug 26 2016

Keeper sent me an updated build that removes the search feature I was using. I suppose that solves the immediate
problem. I noticed that the way messages were passed didn't seem safe though.
For example, it's possible to log someone into your account and then when they save their passwords, they're
effectively giving them to you.
For example a website can do this:
x = window.open("https://keepersecurity.com/vault/");
x.postMessage({client: "ext", cmd: "logout"},"*")
x.postMessage({client: "ext", cmd: "login", login: "attacker@account.com", password: "attackerspassword"}, "*")
And now whenever you save a password, you're unknowingly saving it to the attackers. I asked why there isn't a
check for message.origin == "chrome-extension://...", etc.

Proj ect Member

Comment 5 by taviso@google.com, Aug 27 2016

I uploaded the example here for testing.
https://lock.cmpxchg8b.com/keeper.html
Proj ect Member

Comment 6 by taviso@google.com, Aug 27 2016

Labels: -Restrict-View-Commit
Summary: Keeper: Trusted UI is injected into untrusted webpage (was: Keeper: trusted UI is injected into untrusted webpage)

 Case: 1:17-cv-09117 Document #: 15-3 Filed: 02/08/18 Page 3 of 3 PageID #:71
It looks like the 10.1.3 update is live on the chrome web store, removing view restriction.

Comment 7 by cr...@keepersecurity.com, Aug 28 2016
This issue has been fixed with Keeper Browser Extension v10.1.3 which is live on Chrome web store.
blog post related to the issue:

Below is the

https://blog.keepersecurity.com/2016/08/28/security-update-for-keeper-browser-extension/

Proj ect Member

Comment 8 by taviso@google.com, Nov 1 2016

Status: Fixed

►

Sign in to add a comment

About Monorail

Feedback on Monorail

Terms

Privacy

 Case: 1:17-cv-09117 Document #2 15-4 Filed: 02/08/18 Page 1 of 3 PageID #:72

2/6/2018

Security Update
Keeper
Browser
Extension - Page
Keeper Blog
Case: 1:17-cv-09117 Document
#: for
15-4
Filed:
02/08/18
2 of 3 PageID #:73

(https://keepersecurity.com/)

Security Update for Keeper Browser Extension
by Craig Lurey, CTO at Keeper Security, Inc. – August 26, 2016
Keeper holds the security of our customers and their data as our highest priority. To mitigate the
possibility of an online clickjacking attack during a browser session, we have updated our Keeper
Browser extension. We have made two security enhancements based on the analysis provided by
Tavis Ormandy (https://twitter.com/taviso?lang=en), a highly-respected security analyst at Google.
Yesterday, we received a report regarding this potential security risk. It related to a security threat that
could potentially be exploited by a clickjacking attack using an on-page feature of the browser
extension. In this scenario, a malicious website with intent to attack the extension could entice a user
to click on the Keeper lock icon and take advantage of our “Search” feature with the goal of attempting
to extract a credential from the vault.
We immediately addressed and resolved this potential vulnerability by removing the “Search” and
“Add to Existing Record” features from the on-page browser extension user interface as seen below:

(https://blog.keepersecurity.com/wp-

content/uploads/2016/08/sign-in.png)
Removing the Search feature

(https://blog.keepersecurity.com/wp-

content/uploads/2016/08/add-to-existing.png)
Removing the “Add to Existing Record” feature
Cookies help us make our services better. By using our services, you agree to our use of cookies.
https://keepersecurity.com/blog/2016/08/28/security-update-for-keeper-browser-extension/

Ok
1/2

 2/6/2018

Security Update
Keeper
Browser
Extension - Page
Keeper Blog
Case: 1:17-cv-09117 Document
#: for
15-4
Filed:
02/08/18
3 of 3 PageID #:74

This change has been published on the Chrome, Firefox, Safari and IE extension and will
automatically update for all users.
If you have any questions about this extension update, please contact support@keepersecurity.com.

 August 28, 2016

 Keeper Security

Search



Recent Posts
CES Raises Privacy Awareness Concerns (https://keepersecurity.com/blog/2018/01/27/ces-privacy-concerns/)
How Can I Store and Protect My Digital Certificates and Access Keys?
(https://keepersecurity.com/blog/2018/01/26/storing-digital-certs-access-keys/)
Thank You For Being a Part of Our Amazing 2017! (https://keepersecurity.com/blog/2018/01/05/thank-part-amazing2017/)
Important Cybersecurity Information About “Meltdown” and “Spectre”
(https://keepersecurity.com/blog/2018/01/04/important-cybersecurity-information-meltdown-spectre/)
Response to Princeton’s Center for Information Technology Policy Article
(https://keepersecurity.com/blog/2018/01/02/response-princetons-center-information-technology-policy-article/)




(https://www.linkedin.com/company/keeper-security-inc-)




(https://twitter.com/keepersecurity)




(https://www.facebook.com/keeperapp)
Terms of Use (https://keepersecurity.com/termsofuse.html)
Privacy Policy (https://keepersecurity.com/privacypolicy.html)
Copyright © 2018 Keeper Security, Inc.

Cookies help us make our services better. By using our services, you agree to our use of cookies.
https://keepersecurity.com/blog/2016/08/28/security-update-for-keeper-browser-extension/

Ok
2/2

 Case: 1:17-cv-09117 Document #: 16 Filed: 02/08/18 Page 1 of 2 PageID #:75

UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF ILLINOIS
EASTERN DIVISION
KEEPER SECURITY, INC.
Plaintiff,
v.

Case No. 1:17-cv-9117
Hon. Joan Humphrey Lefkow

DAN GOODIN and ADVANCE MAGAZINE
PUBLISHERS INC. d/b/a CONDÉ NAST and
ARS TECHNICA,
Defendants.
NOTICE OF DEFENDANTS’ MOTION TO DISMISS PURSUANT TO
FED. R. CIV. P. 12(B)(6)
PLEASE TAKE NOTICE that on Wednesday, February 14, 2018 at 9:30 a.m. or as
soon thereafter as counsel may be heard, the undersigned shall appear before the Honorable Joan
Humphrey Lefkow, or any other Judge sitting in her stead, in Room 2201 of the Dirksen Federal
Building, 219 S. Dearborn Street, Chicago, Illinois and shall then and there present Defendants’
Motion to Dismiss Pursuant to Fed. R. Civ. P. 12(b)(6), a copy of which is hereby served upon
you.

Dated: February 8, 2018

Respectfully submitted,
/s/ Natalie J. Spears
One of the attorneys for Defendants

Natalie J. Spears
Gregory R. Naron
Jacqueline A. Giannini
DENTONS US LLP
233 S. Wacker Drive, Suite 5900
Chicago, IL 60606
Tel: (312) 876-8000
Fax: (312) 876-7934
natalie.spears@dentons.com
gregory.naron@dentons.com
jacqui.giannini@dentons.com

 Case: 1:17-cv-09117 Document #: 16 Filed: 02/08/18 Page 2 of 2 PageID #:76

CERTIFICATE OF SERVICE
I hereby certify that a true and correct copy of the foregoing NOTICE OF DEFENDANTS’
MOTION TO DISMISS PURSUANT TO FED. R. CIV. P. 12(B)(6) was filed with the Clerk
of the Court on February 8, 2018 by using the CM/ECF system, which will send a notice of
electronic filing to all registered users.

/s/ Natalie J. Spears
Natalie J. Spears

 Case: 1:17-cv-09117 Document #: 17 Filed: 02/08/18 Page 1 of 7 PageID #:77

UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF ILLINOIS
EASTERN DIVISION
KEEPER SECURITY, INC.
Plaintiff,
v.

Case No. 1:17-cv-9117
Hon. Joan Humphrey Lefkow

DAN GOODIN and ADVANCE MAGAZINE
PUBLISHERS INC. d/b/a CONDÉ NAST and
ARS TECHNICA,
Defendants.
DEFENDANTS’ SPECIAL MOTION TO STRIKE PURSUANT TO
CALIFORNIA ANTI-SLAPP ACT, CAL. C.C.P. § 425.16
Defendants Dan Goodin and Advance Magazine Publishers Inc. (d/b/a Condé Nast and
Ars Technica), by their attorneys, respectfully request that the Court strike and dismiss the
Complaint of Plaintiff Keeper Security, pursuant to the California anti-SLAPP Act, California
Code of Civil Procedure (“C.C.P.”) § 425.16.
1.

Plaintiff is a software developer. Defendants, a highly respected online

technology publication and its California-based cybersecurity reporter and editor, truthfully
reported the findings of a noted Google researcher that there was a security vulnerability in
Plaintiff’s password manager product, Keeper. Plaintiff does not dispute that the flaw existed.
Yet, in response to Defendants’ news article (the “Article”), Plaintiff attempted to bully
Defendants into editing the Article to use language more to Plaintiff’s liking. When Defendants
refused to make all of Plaintiff’s demanded edits, standing by the Article’s accuracy, Plaintiff
brought this lawsuit.
2.

For the reasons set forth in Defendants’ motion to dismiss under Rule 12(b)(6),

incorporated by reference herein, Plaintiff’s Complaint is without merit as a matter of law. It

 Case: 1:17-cv-09117 Document #: 17 Filed: 02/08/18 Page 2 of 7 PageID #:78

was filed to punish publication of journalism on an matter of vital public concern -cybersecurity -- involving a conceded vulnerability in Plaintiff’s product. The technology
community is vigilant in policing such vulnerabilities, and permitting this case to go forward
would have a profoundly chilling effect on cybersecurity research and reporting generally.
3.

California’s anti-SLAPP statute is designed to protect against such threats to free

speech rights. C.C.P. § 425.16.1 It does so by providing a remedy “to expose and dismiss at an
early stage such non-meritorious actions which chill... ‘the valid exercise of the constitutional
rights of freedom of speech[.]’” Lafayette Morehouse, Inc. v. Chronicle Publ. Co., 37
Cal.App.4th 855, 858-59 (1995). Frequent targets of lawsuits filed to “dissuade or punish” news
reporting activity, the news media were among those whose First Amendment rights the statute
was designed to protect. Id. To protect reporting on “issue[s] of public interest,” the statute has
been held to apply to defamation-based causes of action against the news media. Id. at 864;
Braun v. Chronicle Publ., Inc., 52 Cal.App.4th 1036, 1043-45 (1997).
The California Anti-SLAPP Law Applies To Plaintiff’s Claims Given That The Article
Was Researched, Written And Edited In California By A California Citizen And Resident.
4.

Illinois courts follow the most significant contacts test to determine which law is

applicable in a conflict of law situation. Chi v. Loyola Univ. Med. Ctr., 787 F.Supp.2d 797, 801
(N.D. Ill. 2011). Illinois also applies the doctrine of dépeçage whereby a case should be cut up
into individual issues, each subject to a separate choice-of-law analysis. Id. In the specific case

1

State anti-SLAPP statutes are substantive and therefore applicable in federal court. Trudeau v.
ConsumerAffairs.com, Inc., No. 10-cv-7193, 2011 WL 3898041, *5 (N.D. Ill. Sept. 6, 2011) (Lefkow, J.);
Chi v. Loyola Univ. Med. Ctr., 787 F. Supp. 2d 797, 808-809 (N.D. Ill. 2011). The Seventh Circuit has
not addressed this issue, see Intercon Solutions, Inc. v. Basel Action Network, 791 F.3d 729, 732 (7th Cir.
2015) (“how the procedural aspects of other states’ anti-SLAPP statutes work in federal court will have to
await some other case”); however, the Ninth Circuit has consistently held that “the motion to strike and
attorneys’ fees provisions of California’s anti-SLAPP statute apply” in federal diversity cases. Makaeff v.
Trump University, LLC, 736 F.3d 1180, 1181 (9th Cir. 2013).

2

 Case: 1:17-cv-09117 Document #: 17 Filed: 02/08/18 Page 3 of 7 PageID #:79

of an anti-SLAPP statute, the choice-of-law question regarding the anti-SLAPP law is treated
separately from “whether a statement is defamatory.” Id. at 803.
5.

The purpose behind an anti-SLAPP law, “to encourage the exercise of free

speech,” requires that “the place where the allegedly tortious speech took place and the domicile
of the speaker are central to the choice-of-law analysis on this issue.” Id. “A state has a strong
interest in having its own anti-SLAPP law applied to the speech of its own citizens, at least
when, as in this case, the speech initiated within the state’s borders.” Id. (even though plaintiff
lived and suffered injury elsewhere, state with strongest interest in applying its own SLAPP law
was where speech originated); accord Underground Solutions, Inc. v. Palermo, 41 F. Supp. 3d
720, 723-24 (N.D. Ill. 2014).
6.

Under these choice of law principles, even though Illinois law applies to the

merits of Plaintiff’s defamation and other claims, the protections of California’s anti-SLAPP
statute must be available to the Article since it was researched, written, and edited in California
by Defendant Goodin -- a citizen and permanent resident of California, as Plaintiff itself alleges
in the Complaint. (Compl. ¶ 11.) See Underground Solutions, 41 F. Supp. 3d at 724-26
(complaint allegations that defendant made defamatory statements and was a Tennessee resident
indicated that “at least some of [his] alleged defamatory activities occurred in Tennessee,” and
therefore that state’s anti-SLAPP law applied).2 In short, California “has the clearest interest in
applying its anti-SLAPP law vis-à-vis one of its own citizens,” and to news reporting activities
within its borders. Id. at 725.

2

See also Resolute Forest Prods., Inc. v. Greenpeace Int’l, No. 17-cv-02824-JST, 2017 WL 4618676, *4
(N.D. Cal. Oct. 16, 2017) (“the ‘state with the “predominant” interest’ in applying its law ‘normally is the
state in which [the underlying] conduct occurs,’ which would likely be California, as the individual
Greenpeace and Stand defendants largely reside and work in San Francisco … California’s anti-SLAPP
statute applies to Defendants’ motions to strike”) (citation omitted).

3

 Case: 1:17-cv-09117 Document #: 17 Filed: 02/08/18 Page 4 of 7 PageID #:80

Plaintiff’s Complaint Should Be Stricken Under The California Anti-SLAPP Statute.
7.

A court considering a motion to strike under the California anti-SLAPP statute

engages in a two-part inquiry. First, the defendant must make a prima facie showing that the
plaintiff’s suit “arises from an act in furtherance of the defendant’s rights of petition or free
speech.” Second, “once the defendant has made a prima facie showing, the burden shifts to the
plaintiff to demonstrate a probability of prevailing on the challenged claims.” Vess v. CibaGeigy Corp. USA, 317 F.3d 1097, 1110 (9th Cir. 2003) (citations omitted). By invoking this
statute, a defendant can obtain early dismissal of a lawsuit before spending the time and
incurring the costs to defend against meritless First Amendment-chilling litigation. Upon
application, a prevailing defendant is entitled to recover its reasonable attorney’s fees. C.C.P. §
425.16(c)(1).3
8.

A defendant meets its prima facie burden under the California anti–SLAPP statute

by showing that the suit arises out of the exercise of his right of petition or free speech. See
C.C.P. § 425.16(b)(1). The statute defines “act[s] in furtherance of a person’s right of petition or
free speech” as, inter alia, “any written or oral statement or writing made in a place open to the
public or a public forum in connection with an issue of public interest” or “conduct in
furtherance of the exercise of the ... constitutional right of free speech in connection with a
public issue or an issue of public interest.” C.C.P. § 425.16(e)(3), (4). The statute is “construed
broadly” and “an issue of public interest “ includes “any issue in which the public is interested.”
Nygard, Inc. v. Uusi–Kerttula, 159 Cal.App.4th 1027, 1042 (2008).4

3

Along with the filing of this Motion, Defendants have written to Plaintiff’s counsel to request Plaintiff
consider voluntarily dismissing the Action immediately in order to avoid unnecessary fees and costs.
4

In contrast, the Illinois anti-SLAPP statute (the “Citizen Participation Act,” 735 ILCS 110/5, et seq.), is
limited to speech “aimed at procuring favorable government action.” Trudeau, 2011 WL 3898041, at *6
(holding statute’s purpose is “promoting public participation in government” and that it did not apply
where “[t]here was no use of the governmental process involved in authoring and publishing the article”);

4

 Case: 1:17-cv-09117 Document #: 17 Filed: 02/08/18 Page 5 of 7 PageID #:81

9.

Defendants have satisfied the first prong of the California anti-SLAPP statute,

because there is no question the Article is a publication made in a public forum in connection
with a matter of public interest and that publication constituted “conduct in furtherance of the
exercise of the ... constitutional right of free speech in connection with a public issue or an issue
of public interest.” C.C.P. § 425.16(e)(3), (4); see, e.g., Barrett v. Rosenthal, 40 Cal.4th 33, 41,
n. 4 (2006) (“Web sites accessible to the public ... are ‘public forums’ for purposes of the antiSLAPP statute.”); Wong v. Tai Jing, 189 Cal.App.4th 1354, 1366 (2010) (“consumer information
that goes beyond a particular interaction between the parties and implicates matters of public
concern that can affect many people is generally deemed to involve an issue of public interest for
purposes of the anti-SLAPP statute”).
10.

Under the second prong, Plaintiff must then demonstrate that there is a probability

it will prevail on the claims. C.C.P. § 425.16(b)(1), (b)(2). To establish a “reasonable
probability” the plaintiff needs to “state[ ] and substantiate[ ] a legally sufficient claim.” Jarrow
Formulas, Inc. v. LaMarche, 31 Cal.4th 728, 741(2003) (citations omitted). “Under this
standard, the claim should be dismissed if the plaintiff presents an insufficient legal basis for it,
or if, on the basis of the facts shown by the plaintiff, ‘no reasonable jury could find for the
plaintiff.’” Makaeff v. Trump University, LLC, 715 F.3d 254, 261 (9th Cir. 2013) (citations
omitted). See, e.g., Balzaga v. Fox News Network, LLC, 173 Cal.App.4th 1325, 1342 (2009)
(where defamation claim “fail[ed] as a matter of law” because statement was not “reasonably
susceptible of the false and defamatory meaning attributed to it by plaintiffs,” anti-SLAPP
motion was “properly granted”).

see also Underground Solutions, 41 F. Supp. 3d at 726 (unlike Tennessee’s anti-SLAPP statute,
“California’s statute includes no such limitation of the speech in question to statements made to
government officials”).

5

 Case: 1:17-cv-09117 Document #: 17 Filed: 02/08/18 Page 6 of 7 PageID #:82

11.

Plaintiff’s defamation and tag-along tort claims all fail as a matter of law for all

the reasons set forth in Defendants’ contemporaneously filed Motion to Dismiss which
Defendants incorporate here -- specifically, the Article is substantially true, subject to an
innocent construction, voices non-actionable opinions, and makes statements that are not “of and
concerning” Plaintiff, but rather, Microsoft. As such, Plaintiff cannot meet its burden under the
second prong of the California anti-SLAPP analysis. See Resolute Forest Prods., 2017 WL
4618676, at *13 (“if Plaintiffs cannot plead a plausible cause of action under the FRCP 12(b)(6)
standard, then Plaintiffs as a matter of law cannot meet the probability of success on the merits
standard” under the California anti-SLAPP statute). Thus, the claims against Defendants must
be stricken and dismissed under C.C.P. § 425.16(b).
WHEREFORE, Defendants respectfully request that this Court strike Plaintiff’s
Complaint pursuant to California Code of Civil Procedure § 425.16, and award Defendants their
attorneys’ fees in an amount to be determined.
Dated: February 8, 2018

Respectfully submitted,
/s/ Natalie J. Spears
One of the attorneys for Defendants

Natalie J. Spears
Gregory R. Naron
Jacqueline A. Giannini
DENTONS US LLP
233 S. Wacker Drive, Suite 5900
Chicago, IL 60606
Tel: (312) 876-8000
Fax: (312) 876-7934
natalie.spears@dentons.com
gregory.naron@dentons.com
jacqui.giannini@dentons.com

6

 Case: 1:17-cv-09117 Document #: 17 Filed: 02/08/18 Page 7 of 7 PageID #:83

CERTIFICATE OF SERVICE
I hereby certify that a true and correct copy of the foregoing DEFENDANTS’ SPECIAL
MOTION TO STRIKE PURSUANT TO CALIFORNIA ANTI-SLAPP ACT, CAL. C.C.P.
§ 425.16 was filed with the Clerk of the Court on February 8, 2018 by using the CM/ECF
system, which will send a notice of electronic filing to all registered users.

/s/ Natalie J. Spears
Natalie J. Spears

7