Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 1 of 17 PageID #:46

UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF ILLINOIS
EASTERN DIVISION
KEEPER SECURITY, INC.

Case No. 1:17-cv-9117

Plaintiff,
v.

Hon. Joan Humphrey Lefkow

DAN GOODIN and ADVANCE MAGAZINE
PUBLISHERS INC. d/b/a CONDÉ NAST and
ARS TECHNICA,
Defendants.

MEMORANDUM OF LAW IN SUPPORT OF DEFENDANTS’ MOTION TO DISMISS

Natalie J. Spears
Gregory R. Naron
Jacqueline A. Giannini
DENTONS US LLP
233 S. Wacker Drive, Suite 5900
Chicago, IL 60606
Tel: (312) 876-8000
Fax: (312) 876-7934
natalie.spears@dentons.com
gregory.naron@dentons.com
jacqui.giannini@dentons.com

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 2 of 17 PageID #:47

Defendants in this case are Ars Technica, one of the country’s most respected technology
publications, and its veteran cybersecurity reporter and editor, Dan Goodin. Plaintiff Keeper
Security is a software developer. Defendants truthfully reported the findings of a noted Google
researcher that there was a security vulnerability in Plaintiff’s password manager product, which
had been bundled with Microsoft’s Windows 10 operating system. Plaintiff does not dispute that
the flaw existed. Nevertheless, in response to Defendants’ truthful report, Plaintiff tried to bully
Mr. Goodin into editing his news article to use language more to Plaintiff’s liking; Mr. Goodin
agreed to make certain edits, and declined others, standing by the accuracy of the reporting.
The would-be “inaccuracies” Plaintiff identifies in the article are – at best – of secondary
importance, and do not affect the article’s true “gist or sting”; for that reason alone, the
Complaint fails as a matter of law. Furthermore, most of the statements that the Complaint
alleges are “false and misleading” don’t have anything to do with Plaintiff, but rather, Microsoft.
Such statements are not “of and concerning” Plaintiff and cannot be the basis for a defamation
claim. Still other statements are subject to an innocent construction and are pure opinion, and
not actionable under Illinois law for those additional reasons. Simply put, Defendants’ article
uttered no falsehood that could have defamed Plaintiff. Nor does Plaintiff remotely plead
publication with actual malice as required by the First Amendment.
Plaintiff’s assertion that “[t]he goal, and result, of the Article was to injure Keeper and its
employees, and disparage Keeper’s products” (Compl. ¶ 34) is baseless hyperbole. The fact is,
Plaintiff brought this lawsuit seeking to punish, and ultimately enjoin, publication of essential
journalism on an matter of vital public concern – cybersecurity – involving a conceded
vulnerability in Plaintiff’s product. The technology community is open and transparent in
policing such vulnerabilities, and rightly so. Plaintiff, above all, should be interested in ensuring
consumers are protected from potential threats – not in using litigation to chill public discussion

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 3 of 17 PageID #:48

of such threats. Permitting this case to go forward would not only be contrary to law, it would
have a profoundly negative impact on important cybersecurity research and reporting generally.
FACTUAL BACKGROUND
Defendant Ars Technica “provides technology news, analysis and other information,
through the website arstechnica.com.” (Compl. ¶¶ 10; 20-21, 29.) Defendant Goodin is a veteran
cybersecurity reporter who since 2012 has been the Security Editor at Ars Technica, “where he
oversees coverage of malware, computer espionage and hardware hacking.” (Id. ¶¶ 11, 27.)
Plaintiff claims it is “an innovator and leader of password management software in the
United States with several million registered users and thousands of business customers” and that
its software is “one of the world’s most downloaded password management and digital vault
software for mobile devices and computers.” (Id. ¶¶ 3, 7.)
Plaintiff “sells and manages a software product called “Keeper® Password Manager &
Digital Vault” for managing user passwords and other private information.” (Id. ¶ 4.) One of the
“components” of that product is a “browser extension.” (Id.) When users “log into the
preinstalled Keeper application,” it “directs users to download and install a separate application,
namely the Keeper Browser Extension” as part of the default set up for all users. (Id. ¶ 6.)1
Plaintiff complains in this lawsuit about a December 15, 2017 Ars Technica online article
written by Mr. Goodin (the “Article”). (See Compl. ¶¶ 25-26 and Exh. 1.) The Article reported
on a critical vulnerability in Plaintiff’s product that had been discovered by Tavis Ormandy, a
respected cybersecurity researcher at Google. Mr. Ormandy’s December 14, 2017 report on the
matter – to which the Article links – is titled “Keeper: privileged ui injected into pages (again)”.
1

The browser extension “allows users to auto-fill login credentials (namely a user name and password)
into websites for access” (id. ¶ 5) – an essential part of the product that Plaintiff touts: “Managing
passwords is simple and intuitive with Keeper. Keeper generates strong passwords, auto-fills passwords
across your apps and sites with KeeperFill™ and organizes passwords on all platforms and devices.” See
https://keepersecurity.com/.

2

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 4 of 17 PageID #:49

(https://bugs.chromium.org/p/project-zero/issues/detail?id=1481&desc=3 (the “12/17 Ormandy
Rept.”).)2 Mr. Ormandy reports that he discovered a “password manager called ‘Keeper’” was
now “bundled” with Microsoft Windows 10, and found a “bug” in Keeper that amounted to “a
complete compromise of Keeper security, allowing any website to steal any password.” (Id.)
Plaintiff does not dispute Mr. Ormandy’s findings that there was a vulnerability “bug” in
Plaintiff’s product. To the contrary, the Complaint concedes that the bug “was specifically
related to Keeper’s Browser Extension” (Compl. ¶ 41), which Keeper users are prompted to
install (id. ¶ 6), and must install in order to use the product as intended. The existence of the
vulnerability is further conceded by the fact that Plaintiff had to fix it. Shortly after the Article
was published on December 15, Plaintiff posted a comment to the December 2017 Ormandy
report, stating that a new version of the program “was released 24 hours after [Mr. Ormandy’s]
report” and linking to Plaintiff’s blog post on the subject. (See Exh. A, 12/17 Ormandy Rept.,
Cmt. 6.) Plaintiff’s blog post explained:
On Dec 14 2017, Tavis Ormandy (a highly-respected security researcher at
Google) contacted us about a potential vulnerability in our browser extension
update. This potential vulnerability requires a Keeper user to be lured to a
malicious website while logged into the browser extension, and then fakes user
input by using a malicious code injection technique to execute privileged code
within the browser extension.
On Dec 15, 2017 (within 24 hours), we resolved this issue by removing the “Add
to Existing” UI flow and have taken additional steps to prevent this potential
vulnerability from occurring in the future.3
The December 2017 Ormandy Report also notes that Mr. Ormandy had previously filed a
bug report about how Keeper was “injecting privileged UI into pages . . . I checked and, they’re

2

A copy of the December 2017 Ormandy Report that is linked to in the Article is attached hereto as
Exhibit A for the Court’s convenience.
3

A copy of Plaintiff’s December 15, 2017 blog post (https://blog.keepersecurity.com/2017/12/15/updatefor-keeper-browser-extension-v11-4/) that is linked to in the December 2017 Ormandy Report is attached
hereto as Exhibit B for the Court’s convenience.

3

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 5 of 17 PageID #:50

doing the same thing again with this version.” Mr. Ormandy mounted the same basic test
“attack” on the Keeper product as he did 16 months earlier, in August 2016, and “the same attack
works.” The previous report, dated August 26, 2016, is titled “Keeper: Trusted UI is injected
into untrusted webpage” (https://bugs.chromium.org/p/project-zero/issues/detail?id=917 (the
“8/16 Ormandy Rept.”))4, and it is also linked to in the Article.5
As originally published December 15, 2017, Defendants’ Article (Compl., Exh. 1)
accurately reports the essential facts about the vulnerability in Plaintiff’s product:


Ormandy’s December 2017 Report said that the Keeper Password Manager “contained a
critical flaw he had found in August 2016” and that “[t]he bug . . . represents ‘a complete
compromise of Keeper security, allowing any website to steal any password’”;



“With only basic changes to ‘selectors’” the same test attack (“old proof-of-concept
exploit”) that Ormandy conducted in August 2016 “worked on the [December 2017]
version” of Plaintiff’s product;



“Ormandy said Keeper developers have released a fixed version”; and



“Fortunately, Windows 10 users aren't vulnerable unless they open Keeper and begin
trusting it with their passwords.”
The same day the Article was published, on December 15, 2017, Plaintiff contacted Mr.

Goodin to demand changes be made to the Article’s language. (Compl. ¶¶ 35-38.) Because the

4

The August 2016 Ormandy Report linked to in the Article is attached hereto as Exhibit C for the
Court’s convenience.
5

On August 28, 2016, Plaintiff posted a comment to the 8/16 Ormandy Rept., stating that “This issue has
been fixed with Keeper Browser Extension v10.1.3” and linking to Plaintiff’s blog post on the subject.
(See Exh. C, 8/16 Ormandy Rept., Cmt. 7.) Plaintiff’s blog post explained “based on the analysis
provided by Tavis Ormandy. . . a highly-respected security analyst at Google,” Plaintiff took steps to
“address[] and resolve[]” the vulnerability that Mr. Ormandy identified. A copy of Plaintiff’s August 28,
2016 blog post (https://blog.keepersecurity.com/2016/08/28/security-update-for-keeper-browserextension/) is attached hereto as Exhibit D for the Court’s convenience.

4

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 6 of 17 PageID #:51

Article was fundamentally accurate, Mr. Goodin only agreed to make certain minor edits and did
not change the key points about which Plaintiff now sues.6
ARGUMENT
I.

Rule 12(b)(6) Dismissal Standard.
Upon scrutiny, the Complaint fails as a matter of law based on Plaintiff’s own allegations

and attachments. A “motion to dismiss must be decided on the face of the complaint, including
material appended to the complaint as exhibits.” Sangston v. Ridge Country Club, No. 92-cv-1981,
1992 WL 317138, at *1 (N.D. Ill., Oct. 29, 1992) (dismissing defamation claim); Bogie v.
Rosenberg, 705 F.3d 603, 609 (7th Cir. 2013) (“district courts are free to consider ‘any facts set
forth in the complaint that undermine the plaintiff’s claim,’” including exhibits, which control over
complaint allegations) (citations omitted). In addition to the Article annexed to the Complaint, the
Court may consider the posts and articles linked to within the Article, as part of the context of the
alleged defamation. Doctor’s Data, Inc. v. Barrett, 170 F. Supp. 3d 1087, 1132 n. 45 (N.D. Ill.
2016) (the courts “have treated hyperlinked material as part of the context of allegedly defamatory
statements”).7 “And while the Court must take all well-pleaded allegations in a complaint as true
for the purposes of determining a motion to dismiss, the Court need not ‘take the plaintiff’s
interpretation of the allegedly defamatory words at face value.’” Ludlow v. Northwestern Univ.,
6

Complaint Exhs. 2 and 3 are versions of the Article that were published after Plaintiff complained about
the Article. (See Compl. ¶¶ 38-39.) Mr. Ormandy also refused Plaintiff’s demands to change the wording
of his Report, explaining why the Report is accurate and in particular why Plaintiff’s browser extension is
not a “separate product to their Keeper desktop application” but instead, as Plaintiff acknowledges, users are
prompted to install the browser extension as part of the “default setup flow” for the product. See Ormandy
Rept., Cmt. 7 dated 12/17/17 (https://bugs.chromium.org/p/project-zero/issues/detail?id=1481&desc=3).
7

See also, e.g., McKee v. Cosby, 874 F.3d 54, 64 (1st Cir. 2017) (defendant’s letter provided links to
articles from which allegedly defamatory statements were drawn, “enabling readers to examine the
sources for themselves and consider the comments in context”; affirming dismissal); Boley v. Atl. Monthly
Grp., 950 F.Supp.2d 249, 262 (D.D.C. 2013) (“[i]n referring to Boley as a warlord in his February 11,
2010 article, Goldberg provided a hyperlink to his January 27, 2010 article, thus incorporating that article
by reference and providing the necessary context for the allegedly defamatory remark”); Nicosia v. De
Rooy, 72 F.Supp.2d 1093, 1103 (N.D. Cal. 1999) (facts on which allegedly defamatory post relied were in
hyperlinked articles, which court “considers . . . part of the context of the embezzlement accusation”).

5

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 7 of 17 PageID #:52

79 F.Supp.3d 824, 838 (N.D. Ill. 2015) (quoting Lott v. Levitt, 556 F.3d 564, 569 (7th Cir. 2009)
(italics in original)); see also Ashcroft v. Iqbal, 556 U.S. 662, 681 (2009) (conclusory allegations
are “not entitled to be assumed true”); Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 555 (2007).
II.

Plaintiff’s Defamation Claim Fails as a Matter of Law for Multiple Reasons.
A.

Defamation Requires a False Statement, and “Substantially True”
Statements Are Not Actionable.

“[F]alsity is an element of the plaintiff’s defamation claim” under Illinois law.8 Voyles v.
Sandia Mortg. Corp., 196 Ill.2d 288, 299-300 (2001); Phila. Newsp. v. Hepps, 475 U.S. 767, 778
(1986). Equally fundamental, “[t]ruth is a defense, indeed the ultimate defense, to any action for
defamation.” Bradley v. Avis Rental Car Sys., Inc., 902 F. Supp. 814, 820 (N.D. Ill. 1995). A
defendant “need demonstrate only the ‘substantial truth’ of the allegedly defamatory material to
establish the defense of truth”; i.e. that “the ‘gist’ or ‘sting’” of the statements is true. Harrison
v. Chi. Sun-Times, Inc., 341 Ill.App.3d 555, 563 (2003) (affirming dismissal); Haynes v. Alfred
A. Knopf, Inc., 8 F.3d 1222, 1227–29 (7th Cir. 1993) (“if the gist of a defamatory statement is
true,. . . error in detail is not actionable”). The Illinois courts and federal courts applying Illinois
law routinely grant motions to dismiss defamation claims on substantial truth grounds.9

8

“When the defamatory statement is communicated in many different states, it makes sense to apply the
law of the plaintiff’s domicile, and that is the usual result in Illinois.” Kamelgard v. Macura, 585 F.3d
334, 341 (7th Cir.2009). However, under the doctrine of dépeçage, the law of California applies with
respect to the substantive privilege created by that state’s anti-SLAPP statute. See Defts’ Special Mot. to
Strike Pursuant to Cal. C.C.P. § 425.16.
9

All of the following cases affirm or grant dismissal at the pleadings stage on substantial truth grounds:
Kapotas v. Better Gov’t Ass’n, 2015 IL App (1st) 140534; Coghlan v. Beck, 2013 IL App (1st) 120891;
Moore v. PETA, 402 Ill.App.3d 62 (2010); Gist v. Macon Cty, Sheriff’s Dept., 284 Ill.App.3d 367 (1996);
Lemons v. Chronicle Publ. Co., 253 Ill.App.3d 888 (1993); Am. Intern. Hosp. v. Chi. Tribune Co., 136
Ill.App.3d 1019 (1985); Kilbane v. Sabonjian, 38 Ill.App.3d 172 (1976); Ludlow v Northwestern Univ.,
79 F.Supp.3d 824; Mouloki v. Epee, No. 14-cv-5532, 2016 WL 910496 (N.D. Ill. Mar. 10, 2016); Krieger
v. Adler, Kaplan & Begy, No. 94-cv-7809, 1996 WL 6540, at *9 (N.D. Ill., Jan. 5, 1996).

6

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 8 of 17 PageID #:53

“[A]llegedly defamatory material is not actionable even where it is not technically
accurate in every detail.” Harrison, 341 Ill.App.3d at 563; Pope v. Chronicle Publ. Co., 95 F.3d
607, 613 (7th Cir. 1996). As the Seventh Circuit has emphasized, in evaluating a statement’s
substantial truth, courts should not engage in “fine splitting of semantic hairs” that “might leave
room to argue about its literal truth.” Wesbrook v. Ulrich, 840 F.3d 388, 395 (7th Cir. 2016)
(applying similar Wisconsin law). Instead, when determining the “gist” or “sting” of allegedly
defamatory material, a court must “look at the highlight of the article, the pertinent angle of it,
and not to items of secondary importance which are inoffensive details, immaterial to the truth of
the defamatory statement.” Vachet v. Central Newsp., Inc., 816 F.2d 313, 316 (7th Cir. 1987).
Here, the “gist” of the Article, and its “sting” as it pertains to Plaintiff, is that Plaintiff’s
product had a security vulnerability that it was forced to fix, and the same (or virtually identical)
kind of flaw occurred with respect to the same component 16 months earlier. Both on the face of
the Complaint and by reference to the Article it attaches (and the information linked to therein),
that gist or sting is substantially true. See Am. Intern. Hosp., 136 Ill.App.3d at 1023 (report that
plaintiff had been “refused accreditation” by committee substantially true where allegations of
falsity were “internally contradicted” by document reflecting committee’s decision “not to
accredit”); Krieger, 1996 WL 6540, at *9; Coghlan, 2013 IL App (1st) 120891 at ¶¶ 45-46.
As a result of this reality, the Complaint represents precisely the kind of technical
hairsplitting the courts refuse to indulge when evaluating substantial truth. See, e.g., Ludlow, 79
F.Supp.3d at 839 (stating that professor was placed on “leave of absence” substantially true even
though he had only agreed not to teach spring quarter which was “not technically a leave of
absence”); Lerman v. Turner, No. 10-cv-2169, 2013 WL 4495245, *18 (N.D. Ill. Aug. 21, 2013)
(Lefkow, J.) (statement that professor was “terminated for misusing grant funds for a nonpermitted purpose” substantially true even though “it would have been more technically accurate”
7

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 9 of 17 PageID #:54

to say she had “only been suspended without pay while the [college’s] review was pending”).10
To begin, Plaintiff’s principal contention is that the admitted vulnerability was “related to
Keeper’s Browser Extension which is not ‘bundled’ or ‘preloaded’” but “must be separately installed.”
(Compl. ¶¶ 41-42.) However, the fact that the bug resides in Plaintiff’s browser extension does not
affect the substantial truth of the statement that, before Plaintiff patched it, a key component of
Plaintiff’s product contained a flaw and someone who used it was subject to security vulnerability. As
Plaintiff concedes (id. ¶ 6), the Keeper application that Microsoft bundled with Windows 10 prompts
users to install the extension. If the product is to be used as intended, the flawed browser extension
must be installed; it’s part of the default installation and integral to how the product is intended to
work. Mr. Ormandy further illuminates this very point. See supra, fn. 6. Thus, the notion that the
Keeper browser extension is wholly “separate” from the Keeper software application is simply
untenable. Even if it were, no greater “sting” is conveyed by the fact that the conceded flaw pertains
to one component of Plaintiff’s product instead of the other. Presumably, Plaintiff vouches for the
security of all the components of its product.
Plaintiff’s other attempts to contrive a different, defamatory sting also fall woefully short.
Plaintiff asserts that the Article misled users to “believe that they were infected simply by having the
Keeper software application installed on their device(s)” with Windows 10. (Compl. ¶ 32.) But the
Article nowhere states or implies any such thing. Just the opposite, it explicitly states that
“Windows 10 users aren’t vulnerable unless they open Keeper and begin trusting it with their
passwords.” (Id. ¶ 30, stmt. #7 (emphasis added).) “Where the plaintiff’s own characterization is
10

And, by way of example, the allegations here also stand in marked contrast to the material and far from
technical errors alleged in Trudeau v. ConsumerAffairs.com, Inc., No. 10-cv-7193, 2011 WL 3898041, *7
(N.D. Ill. Sept. 6, 2011) (Lefkow, J.), which made plaintiff into a convicted criminal awaiting sentencing,
and the subject of a federal fraud judgment, when neither was true. Id. at *7. Unlike Trudeau, the “gist”
of the Article here is not “open to debate” (id.) – the fundamental basis for any alleged defamation of
Keeper is that its product had a bug, and that is concededly true. See id. (noting dismissal warranted “if
the plaintiff more or less concedes the essential truth of the alleged defamatory statement”).

8

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 10 of 17 PageID #:55

not substantially different from the allegedly defamatory language, such language may be deemed
substantially true.” Harrison, 341 Ill.App.3d at 563. And so it is here.
Plaintiff also asserts that the Article “made false and misleading statements about the Keeper
software application suggesting that it had a 16-month old bug that allowed sites to steal user
passwords.” (Compl. ¶¶ 1, 25, 30, stmt. #2.) The Complaint does not explain how the Article’s “16month-old bug” statement is false – because, again, it is not.
As the Complaint alleges, the “bug” that Mr. Ormandy discovered in December 2017 “was
specifically related to Keeper’s Browser Extension” (id. ¶ 41); the bug he discovered 16 months
earlier, in August 2016, also related to the browser extension and also required Keeper to issue a fix.
(See Exh. C, 8/16 Ormandy Rept. and Keeper’s Cmt. 7 thereto.) Plaintiff concedes that its current
browser extension had a security vulnerability, and does not – because it cannot – dispute that a similar
bug affecting the same component existed 16 months ago. Mr. Ormandy concluded that the nature of
the December 2017 bug was the same as the one he encountered 16 months earlier, and the test code
that he used to expose it was essentially the same. (See Exh. A, 12/17 Ormandy Rept.) That is what
the Article accurately reported. (Compl., Exh. 1 (Dec. 2017 version of Keeper “contained a critical
flaw [Ormandy] had found in August 2016” that was exposed by same test (“proof-of-concept
exploit”) previously used “with only basic changes to the selectors”.)
In short, Plaintiff’s attempt to coax defamatory inferences from true statements fails. Such
inferences “cannot be the basis for liability. The words spoken were true.” Parker v. Bank of
Marion, 296 Ill.App.3d 1035, 1038 (1998) (where statement that plaintiff was “fired for touching
women” was true, inference that he was fired for “sexual harassment” was not basis for liability)..
B.

The Allegedly Defamatory Statements Also Are Not Actionable Because
They Are Subject to an Innocent Construction.

Plaintiff’s Complaint also fails under Illinois’ innocent construction rule for defamation

9

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 11 of 17 PageID #:56

claims. Anderson v. Vanden Dorpel, 172 Ill. 2d 399, 412-13 (1996). The Illinois innocent
construction rule provides that if, “considered in context, . . . the [allegedly defamatory]
statement may reasonably be innocently interpreted or reasonably be interpreted as referring to
someone other than the plaintiff it cannot be actionable per se.” Pope, 95 F.3d at 613 (citations
omitted). In applying the rule, the import of the entire article must be considered; thus, the
“headline and news report to which it refers must be considered together[.]” Salamone v.
Hollinger Int’l, Inc., 347 Ill. App. 3d 837, 840-41 (2004); Kapotas, 2015 IL App (1st) 140534, ¶
58 (same). And if, read in context, a publication has a reasonable non-defamatory interpretation,
dismissal is warranted; no balancing between competing reasonable interpretations is allowed.
Id.; Lott, 556 F.3d at 568 (“Courts need not weigh the relative value of competing constructions;
instead, any reasonable, nondefamatory interpretation is the one that sticks”; dismissal affirmed).
The “guilty” readings of the Article that Plaintiff proffers are patently unreasonable, and
cannot be actionable under Illinois law. One of Plaintiff’s main assertions is that the Article
“misled users of any computer running Microsoft Windows 10, who were led to believe that they
were infected simply by having the Keeper software application installed on their device(s)” and
“[t]here has been no reported or actual security breach or loss of customer information in
connection with the subject of the Article.” (Compl. ¶¶ 32-33.) First (and again), the Article
nowhere states or implies that users are “infected” per se or that actual breaches had been
reported. Second, Plaintiff’s reading is directly contradicted by a passage that Plaintiff quotes:
“Fortunately, Windows 10 users aren’t vulnerable unless they open Keeper and begin trusting it
with their passwords.” (Id. ¶ 30, stmt. #7 (emphasis added).) Thus, the Article on its face
explicitly defeats Plaintiff’s “guilty” construction.
Similarly misguided, Plaintiff asserts that the Article “omitted material facts about the
purported ‘vulnerability’ that was its subject” – namely, that before the vulnerability “could have
10

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 12 of 17 PageID #:57

any chance to impact a user,” it would have to be installed and the user visit a “malicious website.”
(Id. ¶ 40.) The vulnerability is not “purported” – it concededly existed and Plaintiff had to fix it.
See supra. But in any event, once again, the Article nowhere suggested that computers were
“infected” per se – just the opposite. To be “vulnerable” to attack users have to “begin trusting
[Keeper] with their passwords.” (Id. ¶ 30, stmt. #7.) Even without that explicit qualification, any
reasonable reader would immediately understand that a security vulnerability is just that: it requires
a malicious actor to take advantage of it.11 Thus, “the common usage” of “vulnerable” in the this
context already incorporates the concept Plaintiff thinks needed to be spelled out, and its attempt to
foist a defamatory construction must fail. Harrison, 341 Ill.App.3d at 570. 12 In essence, Plaintiff
wants to substitute its word choices for that of Defendants. But Plaintiff does not get to re-write
the Article to its own liking. Both Illinois law and the First Amendment protect a newspaper’s
editorial control over “what and what not to publish.” Matchett v. Chi. Bar Ass’n, 125 Ill.App.3d
1004, 1008 (1984) (citing Miami Herald Publ. v. Tornillo, 418 U.S. 241, 258 (1974)).
The innocent construction rule “encourag[es] the robust discussion of daily affairs,” and
“insures that no article will be held libelous unless the editors know that the only reasonable
interpretation which can be given to their article is defamatory.” Dauw v. Field Enterps., 78
Ill.App.3d 67, 71 (1979). Allowing defamation claims to be premised on the kinds of strained
implications that Plaintiff unreasonably draws from the Article would have a chilling effect on the
11

By definition, a “vulnerability” is “[t]he quality or state of being exposed to the possibility of being
attacked or harmed, either physically or emotionally.” (https://en.oxforddictionaries.com/definition/
vulnerability). The same is true .in the computer security context; “Vulnerability is a cyber-security term
that refers to a flaw in a system that can leave it open to attack. …Cutting down vulnerabilities provides
fewer options for malicious users to gain access to secure information.” (https://www.techopedia.com/
definition/13484/vulnerability).
12

Indeed, the Article links to the Ormandy Report, which in turn links to Plaintiff’s own explanation that
“this potential vulnerability requires a Keeper user to be lured to a malicious website while logged into
the browser extension[.]” (12/17 Ormandy Rept., Cmt. 6, and linked blog post, Exhs. A, B hereto.) As
such, readers had all the information and context that Plaintiff thinks they should have had about the
admitted vulnerability. See McKee, 874 F.3d at 64 (links “enabl[ed] readers to examine the sources for
themselves and consider the comments in context”).

11

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 13 of 17 PageID #:58

robust discussion of computer security vulnerabilities. The public interest – in the security of
elections, infrastructure, and a host of personal information – cannot tolerate that chill.
C.

Plaintiff Complains of Statements That Are “Of and Concerning” Microsoft,
Not Plaintiff, and Statements That Voice Pure, Non-Actionable Opinions.

As noted, the innocent construction rule also holds that if statements can reasonably be
interpreted “as referring to someone other than the plaintiff,” they “cannot be actionable[.]” Pope,
95 F.3d at 613 (citations omitted). That part of the rule adverts to another element of defamation:
that the complained-of statement must be “of and concerning” the plaintiff. Flip Side, Inc. v. Chi.
Tribune Co., 206 Ill.App.3d 641, 654 (1990). In other words, to be actionable, a reader must have
“reasonably understood” the alleged defamation to refer to plaintiff. Beresky v. Teschner, 64
Ill.App.3d 848, 851 (1978). Here, “considered in context,” most of the allegedly “false and
misleading statements” Plaintiff identifies in the Article may be reasonably read as referring to the
conduct of “someone other than the plaintiff” – namely, Microsoft. (See Compl. ¶ 30 stmt. ##1, 3,
4 (Microsoft is “forcing” or “quietly forcing” users to install Keeper); id., stmt. ##8-11
(questioning “the security vetting Microsoft gives to apps it bundles with Windows”).)13
Illinois law also holds that opinions “cannot be ‘false’” and their “expression can never
result in liability for slander or libel[.]” Mittelman v. Witous, 135 Ill. 2d 220, 241 (1989). An
opinion “is actionable only if it implies the allegation of undisclosed defamatory facts as the basis
for the opinion.” Hopewell v. Vitullo, 299 Ill.App.3d 513, 518 (1998) (quoting Restatement
(Second) of Torts, § 566 (emphasis added)). But “[i]f all that the communication does is to express
a harsh judgment upon known or assumed facts, there is no more than an expression of opinion of
13

See, e.g., Chi. City Day Sch., 297 Ill.App.3d at 475-76 (statements criticizing demolition of a historic
structure could reasonably be read as “of and concerning” someone other than plaintiff); Kirchner v.
Greene, 294 Ill.App.3d 672, 681-82 (1998) (news articles’ statements that transfer of custody to biological
father was a “crime” and an “atrocity” were directed to court’s decision not father’s conduct); Harte v. Chi.
Council of Lawyers, 220 Ill. App.3d 255, 261 (1991) (statements that plaintiff lawyer was beneficiary of
judicial “favoritism” were “innocently (indeed logically) construed as criticizing” the court, not plaintiff).

12

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 14 of 17 PageID #:59

the pure type, and an action of defamation cannot be maintained.” Restatement (Second) of Torts,
§ 566, cmt. d; Mittelman, 135 Ill.2d at 242 (“‘Pure opinion’ . . . denote[s] an expression of opinion
by which the maker of a comment states the facts on which he bases his opinion of the plaintiff and
then expresses a comment as to the plaintiff's conduct, qualifications or character”).
Characterizing Plaintiff’s product as “critically flawed” (Compl. ¶ 30, stmt. #1) is pure
opinion based on disclosed (and substantially true) facts. Likewise, the statement that a copy of
Keeper that came pre-installed “without notice or permission” on Mr. Ormandy’s “newly built
Windows 10 system” was “unwanted” (id., stmt. #5) is Mr. Goodin’s characterization of Mr.
Ormandy’s dismay that Microsoft had, unbidden, included Keeper in his “pristine” Windows 10
system. (See Exh. A, 12/17 Ormandy Rept.)14 Not only is this statement pure opinion, it is “of and
concerning” Microsoft, not Plaintiff, as noted supra. The same is true of the Article’s questioning
of Microsoft’s “process . . . for ensuring the security of third-party apps that get installed on
Windows 10 machines” and “how the Keeper vulnerability slipped through anyway.” (Compl. ¶
30, stmt. ##8-11.) Mr. Goodin is “expressing a subjective view, an interpretation, a theory,
conjecture, or surmise, rather than claiming to be in possession of objectively verifiable facts,”
Haynes, 8 F.3d at 1227, and his queries concern Microsoft’s conduct, not Plaintiff’s.
D.

Plaintiff Does Not Plead Actual Malice As The First Amendment Requires.

In addition, Plaintiff – who claims the mantle of an industry “innovator and leader”
whose password management software is “one of the world’s most downloaded” (Compl. ¶¶ 3,
7) – is, by its own admissions, a public figure. See, e.g., Kessler v. Zekman, 250 Ill.App.3d 172,
179-85 (1993); Telewizja Polska USA, Inc. v. Echostar Satellite Corp., No. 02-cv-3293, 2004
14

The 12/17 Ormandy Rept. links to a discussion on Reddit in which other Windows 10 users noted that
Keeper was now pre-installed, some with evident dismay (“That’s unsettling”; “I removed the crapware
again”; “I've uninstalled this thing 3 times now”; “Just got this installed today via the
WindowsUpdateClient. Ugh”). (See https://www.reddit.com/r/Windows10/comments/6dpj78/keeper
_password _manager_comes_preinstalled_now/).

13

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 15 of 17 PageID #:60

WL 2367740, *4 (N.D. Ill. Oct. 15, 2004). As such, Plaintiff must meet the constitutional
standard of actual malice to state a claim – i.e., that Defendants purposely published known
falsehoods, or in fact entertained serious doubts as to the truth of the Article prior to publication.
New York Times Co. v. Sullivan, 376 U.S. 254, 279-80 (1964). Plaintiff has not and cannot do
so; merely reciting the actual malice standard in conclusory fashion does not cut it. (See Compl.
¶¶ 43, 52.) “[T]he bare conclusory claim of malice, unaccompanied by allegations from which
the required subjective element of malice might be inferred, is insufficient to survive a motion to
dismiss.” Pippen v. NBC Univ. Media, No. 11-cv-8834, 2012 WL 12903167, *2 (N.D. Ill. Aug.
2, 2012), aff’d, 734 F.3d 610 (7th Cir. 2013) (citing Iqbal, 556 U.S. at 686-87). And Plaintiff’s
allegation that “Goodin failed to speak with Keeper, and failed to verify his facts with Keeper or
Microsoft, before publishing the Article” (Compl. ¶ 31), “is precisely what the Supreme Court
has said is insufficient to establish reckless disregard for the truth.” Pippen, 734 F.3d at 614
(citing Harte-Hanks Commc’ns, Inc. v. Connaughton, 491 U.S. 657, 688 (1989)).
III.

Plaintiff’s Tag-Along Claims For “Commercial Disparagement” and Violation of
the Illinois Deceptive Trade Practices Act Fail as a Matter of Law.
Plaintiff’s claims for “commercial disparagement” and violation of the Illinois Deceptive

Trade Practices Act, 815 ILCS § 510/2 (“DTPA”), are based solely on the same allegedly
defamatory Article, and the same limitations and privileges that doom its defamation claim apply
to these claims, regardless of how Plaintiff chooses to characterize its cause of action.
Permitting Plaintiff to found its other tort claims on the same facts would allow it to avoid the
rules of defamation law, and on this ground alone they should be dismissed.15

15

See, e.g., Brown & Williamson Tobacco Corp. v. Jacobson, 713 F.2d 262, 273-74 (7th Cir. 1983)
(upholding dismissal of tortious interference DTPA claims as “makeweights”; allowing claims would
“enabl[e] the plaintiff to avoid the specific limitations with which the law of defamation -- presumably to
some purpose -- is hedged about”); Genelco, Inc. v. Bower, 181 Ill.App.3d 1, 7 (1989) (applying
defamation privilege to commercial disparagement and tortious interference claims).

14

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 16 of 17 PageID #:61

Additionally, “Illinois state courts have held that, in effect, the DTPA codified the
common law tort of commercial disparagement.” World Kitchen, LLC v. Am. Ceramic Soc’y, No.
12-cv-8626, 2015 WL 5461564, at *2 (N.D. Ill. Sep. 15, 2015). And such claims are limited to
commercial speech. World Kitchen, LLC v. Am. Ceramic Soc’y, No. 12-cv-8626, 2015 WL
3429380, at *2 (N.D. Ill. May 27, 2015) (plaintiff “must also prove that the alleged speech at
issue, Defendants’ published article, was commercial and not protected by the First
Amendment”) (citing People ex. rel. Hartigan v. Maclean Hunter Publ’g Corp., 119 Ill.App.3d
1049, 1059-61 (1983) (DTPA prohibits “commercial speech”; while defendant’s allegedly
misleading advertising of its “Red Book” manual of vehicle pricing information was potentially
actionable under the Act, the contents of the book were not)).16
Finally, the DTPA does not afford damages, and even if Plaintiff could otherwise state a
claim, it has not “alleged facts sufficient to show a need for injunctive relief,” i.e., has “shown no
basis for assuming a threat of future misrepresentations” Am. Pet Motels v. Chi. Vet. Med. Ass’n,
106 Ill.App.3d 626, 633 (1982).
CONCLUSION
Defendants respectfully request that the Court dismiss the Complaint with prejudice.

Dated: February 8, 2018

Respectfully submitted,
/s/ Natalie J. Spears
One of the attorneys for Defendants

16

In World Kitchen, the evidence showed “that the speech at issue is noncommercial speech and, thus, is
not prohibited by the DTPA.” World Kitchen v. Am. Ceramic Soc’y, No. 12-cv-8626, 2016 WL 3568723,
*7 (N.D. Ill. June 30, 2016). While in World Kitchen, there was a fact issue as to whether defendant trade
association’s statements about plaintiff cookware manufacturer were made with an economic motive, no
such question exists here. The Article was fully First Amendment protected journalism.

15

 Case: 1:17-cv-09117 Document #: 15 Filed: 02/08/18 Page 17 of 17 PageID #:62

CERTIFICATE OF SERVICE
I hereby certify that a true and correct copy of the foregoing MEMORANDUM OF LAW IN
SUPPORT OF DEFENDANTS’ MOTION TO DISMISS was filed with the Clerk of the
Court on February 8, 2018 by using the CM/ECF system, which will send a notice of electronic
filing to all registered users.

/s/ Natalie J. Spears
Natalie J. Spears

16