Anti-malware provider immune under CDA for calling competitor’s product a security threat

kills_bugs

Plaintiff anti-malware software provider sued defendant – who also provides software that protects internet users from malware, adware etc. – bringing claims for false advertising under the Section 43(a) of Lanham Act, as well as other business torts. Plaintiff claimed that defendant wrongfully revised its software’s criteria to identify plaintiff’s software as a security threat when, according to plaintiff, its software is “legitimate” and posed no threat to users’ computers.

Defendant moved to dismiss the complaint for failure to state a claim upon which relief may be granted. It argued that the provisions of the Communications Decency Act at Section 230(c)(2) immunized it from plaintiff’s claims.

Section 230(c)(2) reads as follows:

No provider or user of an interactive computer service shall be held liable on account of—

(A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected; or

(B) any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in [paragraph (A)].

Specifically, defendant argued that the provision of its software using the criteria it selected was an action taken to make available to others the technical means to restrict access to malware, which is objectionable material.

The court agreed with defendant’s argument that the facts of this case were “indistinguishable” from the Ninth Circuit’s opinion in in Zango, Inc. v. Kaspersky, 568 F.3d 1169 (9th Cir. 2009), in which the court found that Section 230 immunity applied in the anti-malware context.

Here, plaintiff had argued that immunity should not apply because malware is not within the scope of “objectionable” material that it is okay to seek to filter in accordance with 230(c)(2)(B). Under plaintiff’s theory, malware is “not remotely related to the content categories enumerated” in Section 230(c)(2)(A), which (B) refers to. In other words, the objectionableness of malware is of a different nature than the objectionableness of material that is obscene, lewd, lascivious, filthy, excessively violent, harassing. The court rejected this argument on the basis that the determination of whether something is objectionable is up to the provider’s discretion. Since defendant found plaintiff’s software “objectionable” in accordance with its own judgment, the software qualifies as “objectionable” under the statute.

Plaintiff also argued that immunity should not apply because defendant’s actions taken to warn of plaintiff’s software were not taken in good faith. But the court applied the plain meaning of the statute to reject this argument – the good faith requirement only applies to conduct under Section 230(c)(2)(A), not (c)(2)(B).

Finally, plaintiff had argued that immunity should not apply with respect to its Lanham Act claim because of Section 230(e)(2), which provides that “nothing in [Section 230] shall be construed to limit or expand any law pertaining to intellectual property.” The court rejected this argument because although the claim was brought under the Lanham Act, which includes provisions concerning trademark infringement (which clearly relates to intellectual property), the nature of the Lanham Act claim here was for unfair competition, which is not considered to be an intellectual property claim.

Enigma Software Group v. Malwarebytes Inc., 2017 WL 5153698 (N.D. Cal., November 7, 2017)

About the Author: Evan Brown is a Chicago technology and intellectual property attorney. Call Evan at (630) 362-7237, send email to ebrown [at] internetcases.com, or follow him on Twitter @internetcases. Read Evan’s other blog, UDRP Tracker, for information about domain name disputes.

YouTube not liable for aiding ISIS in Paris attack

The Communications Decency Act provided immunity to Google in a suit brought against it by the family of an American college student killed in the November 2015 attack.

Plaintiffs filed suit against Google (as operator of YouTube) alleging violation of federal laws that prohibit providing material support to terrorists, arising from the November 2015 Paris attack that ISIS carried out. Plaintiffs argued that the YouTube platform, among other things, aided in recruitment and provided ISIS the means to distribute messages about its activities.

Google moved to dismiss the lawsuit, arguing that Section 230 of the Communications Decency Act (47 U.S.C. 230) provided immunity from suit. The court granted the motion to dismiss.

Section 230 Generally

Section 230(c) provides that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” Accordingly, Section 230 precludes liability that treats a website as the publisher or speaker of information users provide on the website, protecting websites from liability for material posted on the website by someone else.

JASTA Did Not Repeal Section 230 Immunity

In response to Google’s arguments in favor of Section 230 immunity, plaintiffs first argued that a recent federal statute – the Justice Against Sponsors of Terrorism Act, or “JASTA” – effectively repealed the immunity conferred to interactive computer services by Section 230. Plaintiffs focused on language in the statute that stated that its purpose “is to provide civil litigants with the broadest possible basis, consistent with the Constitution of the United States, to seek relief” against terrorists and those who assist them.

The court rejected plaintiffs’ arguments that JASTA repealed Section 230 immunity. Significantly, the statute did not expressly repeal Section 230’s protections, nor did it do so implicitly by evincing any “clear and manifest” congressional intent to repeal any part of the Communications Decency Act.

Section 230 Need Not Be Applied Outside the United States

Plaintiffs also argued that Section 230 immunity did not arise because the Communications Decency Act should not apply outside the territorial jurisdiction of the United States. According to plaintiffs, Google provided support and resources to ISIS outside the United States (in Europe and the Middle East), ISIS’s use of Google’s resources was outside the United States, and the Paris attacks and plaintiffs’ relative’s death took place outside the United States.

The court rejected this argument, holding that Section 230’s focus is on limiting liability. The application of the statute to achieve that objective must occur where the immunity is needed, namely, at the place of litigation. Since the potential for liability, and the application of immunity was occurring in the United States, there was no need to apply Section 230 “extraterritorially”.

Immunity Protected Google

Google argued that plaintiffs’ claims sought to treat it as the publisher or speaker of the offending ISIS content, thus satisfying one of the requirements for Section 230 immunity. Plaintiffs countered that their lawsuit did not depend on the characterization of Google as the publisher or speaker of ISIS’s content, because their claims focused on Google’s violations of the federal criminal statutes that bar the provision of material support to terrorists.

But the court found that the conduct Google was accused of — among other things, failing to ensure that ISIS members who had been kicked off could not re-establish accounts — fit within the traditional editorial functions of a website operator. Accordingly, despite the plaintiffs’ characterization of its claims, the court found such claims to be an attempt to treat Google as the publisher or speaker of the ISIS videos.

The court similarly rejected plaintiffs’ arguments that Section 230 immunity should not apply because, by appending advertisements to some of the ISIS videos, Google became an “information content provider” itself, and thus responsible for the videos. This argument failed primarily because the content of the advertisements (which themselves were provided by third parties) did not contribute to the unlawfulness of the content of the videos.

Gonzalez v. Google, Inc., — F.Supp.3d —, 2017 WL 4773366 (N.D. Cal., October 23, 2017)

Evan_BrownAbout the Author: Evan Brown is a Chicago technology and intellectual property attorney. Call Evan at (630) 362-7237, send email to ebrown [at] internetcases.com, or follow him on Twitter @internetcases. Read Evan’s other blog, UDRP Tracker, for information about domain name disputes.

Yelp not liable for allegedly defamatory customer reviews

In a recent case having an outcome that should surprise no one, the United States Court of Appeals for the Ninth Circuit has affirmed a lower court’s decision that held Yelp immune from liability under the Communications Decency Act (47 U.S.C. 230 – the “CDA”) over customer reviews that were allegedly defamatory.

Plaintiff sued Yelp for violations under RICO and the Washington Consumer Protection Act, as well as libel under Washington law. Yelp moved to dismiss for failure to state to claim upon which relief may be granted. The lower court found that plaintiff had failed to allege any facts that plausibly suggested Yelp was responsible for the content, and therefore dismissed the case. Plaintiffs sought review with the Ninth Circuit. On appeal, the court affirmed.

The appellate court observed that plaintiff’s complaint, which he filed pro se, “pushed the envelope” of creative pleading. The court observed that plaintiff cryptically – “to the point of opacity” – alleged that Yelp was the one that created and developed the offending content. The court declined to open the door to such “artful skirting” of the Communications Decency Act’s safe harbor provision.

The key question before the court was whether the alleged defamatory reviews were provided by Yelp or by another information content provider. CDA immunity does not extend to situations where the web site itself is responsible for the creation or development of the offending content. The immunity protects providers or users of interactive computer services when the claims being made against them seek to treat them as a publisher or speaker of the information provided by another information content provider.

In this case, the court found that a careful reading of plaintiff’s complaint revealed that he never specifically alleged that Yelp created the content of the allegedly defamatory posts. Rather, plaintiff pled that Yelp adopted them from another website and transformed them into its own stylized promotions. The court found that these “threadbare” allegations of Yelp’s fabrication of allegedly defamatory statements were implausible on their face and were insufficient to avoid immunity under the Communications Decency Act. The court was careful to note that CDA immunity does not extend to content created or developed by an interactive computer service. “But the immunity in the CDA is broad enough to require plaintiffs alleging such a theory to state the facts plausibly suggesting the defendant fabricated content under a third party’s identity.”

The plaintiff had alleged in part that Yelp’s rating system and its use by the author of the allegedly defamatory content resulted in the creation or development of information by Yelp. The court rejected this argument, finding that the rating system did “absolutely nothing to enhance the defamatory sting of the message beyond the words offered by the user.” The court further observed that the star rating system was best characterized as a neutral tool operating on voluntary inputs that did not amount to content development or creation.

Finally, the court addressed plaintiff’s cryptic allegations that Yelp should be held liable for republishing the alleged defamatory content as advertisements or promotions on Google. A footnote in the opinion states that plaintiff was not clear whether the alleged republication was anything more than the passive indexing of Yelp reviews by the Google crawler. The decision’s final outcome, however, does not appear to depend on whether Google indexed that content as Yelp passively stood by or whether Yelp affirmatively directed the content to Google. “Nothing in the text of the CDA indicates that immunity turns on how many times an interactive computer service publishes information provided by another information content provider.” In the same way that Yelp would not be liable for posting user generated content on its web site, it would not be liable for disseminating the same content in essentially the same format to a search engine. “Simply put, proliferation and dissemination of content does not equal creation or development of content.”

Kimzey v. Yelp! Inc., — F.3d —, 2016 WL 4729492 (9th Cir. September 12, 2016)

Evan_BrownAbout the Author: Evan Brown is a Chicago technology and intellectual property attorney. Call Evan at (630) 362-7237, send email to ebrown [at] internetcases.com, or follow him on Twitter @internetcases. Read Evan’s other blog, UDRP Tracker, for information about domain name disputes.

Website operator was too involved with development of content to be immune under Section 230

Defendant started up a website to — in her own words — provide a place for others to have a dialogue and post information about their experiences at Plaintiff’s youth drug rehab facilities. Plaintiff found the content of Defendant’s website offensive, and sued for defamation and intentional interference with prospective economic advantage. Defendant filed a motion to strike under California’s Anti-SLAPP law. The court denied the motion.

In denying the Anti-SLAPP motion, the court found, among other things, that Plaintiff had established a probability of prevailing on most of its claims. This chance of prevailing withstood Defendant’s argument that she was shielded from liability by the Communications Decency Act.

This Act provides that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” 47 U.S.C. § 230(c)(1).

Defendant acknowledged that her defense was relevant only to the extent that she was alleging that comments by third parties on her website were defamatory.

She quoted Batzel v. Smith, 333 F.3d 1018 (9th Cir. 2008) to assert that “the exclusion of ‘publisher’ liability necessarily precludes liability for exercising the usual prerogative of publishers to choose among proffered material and to edit the material published while retaining its basic form and message.” She argued that she was entitled to Section 230 immunity because she was an exempt publisher — she either simply posted others’ statements or made minor edits to those statements before posting.

The court did not agree with Defendant’s characterization of her publishing activities.

It found that her posts would not lead a visitor to believe that she was quoting third parties. Rather, in the court’s view, Defendant adopted the statements of others and used them to create her comments on the website. She posted her own articles, and summarized the statements of others.

Moreover, Defendant did more than simply post whatever information third parties provided. She elicited statements through two surveys that contained specific questions to gather information about specific issues. The court found this to disqualify Defendant from Section 230 immunity under the holding of Fair Housing Council v. Roommates.com, LLC, 521 F.3d 1157 (9th Cir. 2008) (wherein the website operator was not immune under the Communications Decency Act because it created discriminatory questions and choice of answers).

Diamond Ranch Academy, Inc. v. Filer, 2016 WL 633351 (D. Utah, February 17, 2016)

Evan Brown is a Chicago attorney advising enterprises on important aspects of technology law, including software development, technology and content licensing, and general privacy issues.

Newspaper not liable for alleged defamatory letter to editor published online

The Appellate Court of Illinois has sided in favor of a local newspaper in a defamation lawsuit brought against the paper over a reader’s allegedly defamatory letter to the editor. The court held that the Communciations Decency Act (at 47 U.S.C. 230) “absolved” the newspaper of liability over this appearance of third party content on the newspaper’s website.

Plaintiff — a lawyer and self-identified civil rights advocate — sent several letters to local businesses claiming those businesses did not have enough handicapped parking spaces. Instead of merely asking the businesses to create those parking spaces, he demanded each one pay him $5,000 or face a lawsuit.

One local resident thought plaintiff’s demands were greedy and extortionate, and wrote a letter to the editor of the local newspaper covering the story. The newspaper posted the letter online. Both the newspaper and the letter’s author found themselves as defendants in plaintiff’s defamation lawsuit.

The letter-writer settled with plaintiff, but the newspaper stayed in as a defendant and moved to dismiss, arguing that federal law immunized it from liability for content provided by the third party letter-writer.

The lower court dismissed the defamation claim against the newspaper, holding that the Communications Decency Act (at 47 U.S.C. §230) protected the newspaper from liability for the third party letter-writer’s comments posted on the newspaper’s website.

Plaintiff sought review with the Appellate Court of Illinois. On appeal, the court affirmed the dismissal.

The Communications Decency Act (at 47 U.S.C §230(c)(1)) says that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” The appellate court found that the leter-writer was another information content provider that placed comments on the newspaper’s website. Therefore, it held that the Communications Decency Act “absolved” the newspaper from responsibility.

Straw v. Streamwood Chamber of Commerce, 2015 IL App (1st) 143094-U (September 29, 2015)

Evan Brown is an attorney in Chicago helping clients manage issues involving technology and new media.

Sixth Circuit holds thedirty.com entitled to Section 230 immunity

Plaintiff Jones (a high school teacher and Cincinnati Bengals cheerleader) sued the website thedirty.com and its operator for defamation over a number of third party posts that said mean things about plaintiff. Defendants moved for summary judgment, arguing that the Communications Decency Act — 47 USC § 230(c)(1) — afforded them immunity from liability for the content created by third parties. Articulating a “goofy legal standard,” the district court denied the motion, and the case was tried twice. The first trial ended in a mistrial, and the second time the jury found in favor of plaintiff.

Defendants sought review with the Sixth Circuit Court of Appeals on the issue of whether whether the district court erred in denying defendants’ motion for judgment as a matter of law by holding that the CDA did not bar plaintiff’s state tort claims. On appeal, the court reversed the district court and ordered that judgment as a matter of law be entered in defendants’ favor.

Section 230(c)(1) provides that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” At its core, § 230 grants immunity to defendant service providers in lawsuits seeking to hold the service provider liable for its exercise of a publisher’s traditional editorial functions—such as deciding whether to publish, withdraw, postpone or alter content.

But the grant of immunity is not without limits. It applies only to the extent that an interactive computer service provider is not also the information content provider of the content at issue. A defendant is not entitled to protection from claims based on the publication of information if the defendant is responsible, in whole or in part, for the creation or development of the information.

The district court held that “a website owner who intentionally encourages illegal or actionable third-party postings to which he adds his own comments ratifying or adopting the posts becomes a ‘creator’ or ‘developer’ of that content and is not entitled to immunity.” Thus, the district court concluded that “[d]efendants, when they re-published the matters in evidence, had the same duties and liabilities for re-publishing libelous material as the author of such materials.”

The appellate court held that the district court’s test for what constitutes “creation” or “development” was too broad. Instead, the court looked to the Ninth Circuit’s decision in Fair Hous. Council of San Fernando Valley v. Roommates.com, LLC, 521 F.3d 1157 (9th Cir. 2008) and adopted the material contribution test from that opinion:

[W]e interpret the term “development” as referring not merely to augmenting the content generally, but to materially contributing to its alleged unlawfulness. In other words, a website helps to develop unlawful content, and thus falls within the exception to section 230, if it contributes materially to the alleged illegality of the conduct.

In the Sixth Circuit’s language, “[A] material contribution to the alleged illegality of the content does not mean merely taking action that is necessary to the display of allegedly illegal content. Rather, it means being responsible for what makes the displayed content allegedly unlawful.”

In this case, the defendants did not author the statements at issue. But they did select the statements for publication. The court held that defendants did not materially contribute to the defamatory content of the statements simply because those posts were selected for publication. Moreover, the website did not require users to post illegal or actionable content as a condition of use. The website’s content submission form simply instructed users generally to submit content. The court found the tool to be neutral (both in orientation and design) as to what third parties submit. Accordingly, the website design did not constitute a material contribution to any defamatory speech that was uploaded.

Jones v. Dirty World, No. 13-5946 (6th Cir. June 16, 2014)

Evan Brown is an attorney in Chicago advising clients on matters dealing with technology, the internet and new media. Contact him.

How will we handle the legal issues of self-driving cars?

The technology to support self-driving cars is a reality. At this point the challenge is largely economic — it costs around $100,000 to equip a self-driving car with the sensors and other hardware to push it toward autonomy. Another challenge is social. We tie a lot of our identity to our cars and the freedom they afford. This freedom might as well be in our human DNA. There’s no one still living on the planet who knew a time before the automobile.

A third challenge is legal. And it’s much easier to ask the questions than to answer them.

  • How will we set the standards for hardware and software performance?
  • Should we adjust the speed limit?
  • How will we allocate fault when there is an accident?
  • Will the cost of insurance go down if there is less risk on the road?
  • Are we willing to give over so much information when our self-driving cars join the “internet of things”?
  • What protections will we give to automobile makers and the manufacturers of autonomous systems?

On that last question, legislative protection of entire industries is not unprecedented. Gun makers and internet service providers find protection from the unfortunate choices made by the users of their products.

In any event, the self-driving norm is emerging, and is bolstered by new data about how safe and cost-effective it is. There are big savings in terms of dollars and lives. The legal and social issues will have to sort themselves out.

Website operators not liable for third party comments

Spreadbury v. Bitterroot Public Library, 2012 WL 734163 (D. Montana, March 6, 2012)

Plaintiff was upset at some local government officials, and ended up getting arrested for allegedly trespassing at the public library. Local newspapers covered the story, including on their websites. Some online commenters said mean things about plaintiff, so plaintiff sued a whole slew of defendants, including the newspapers (as website operators).

The court threw out the claims over the online comments. It held that the Communications Decency Act at 47 U.S.C. 230 immunized the website operators from liability over the third party content.

Defendant argued that the websites were not protected by Section 230 because they were not “providers of interactive computer services” of the same ilk as AOL and Yahoo. The court soundly rejected that argument. It found that the websites provided a “neutral tool” and offered a “simple generic prompt” for subscribers to comment about articles. The website operators did not develop or select the comments, require or encourage readers to make defamatory statements, or edit comments to make them defamatory.

Has Section 230 immunity passed its apex?

Barnes v. Yahoo!, Inc., No. 05-36189, 9th Cir. May 7, 2009

Yesterday’s decision from the Ninth Circuit in Barnes v. Yahoo is kind of a big deal. Jeff Neuberger observes that Section 230 took a hit. Characterizing it differently, Thomas O’Toole called it a nice win for online publishers. I’m thinking that the halcyon days of robust Section 230 immunity may be on the wane.

Barnes alleged that her ex-boyfriend did some pretty rotten things using various Yahoo services. Since I think my mom reads my blog I won’t elaborate on Prince Charming’s shenanigans. But if the allegations are true, one can understand why Barnes would be mad. Simply stated, they involved nude photos and men looking to cavort showing up where Barnes worked.

Barnes contacted Yahoo and asked it to take the offending content down. Folks there said they would. Months later, when the content remained online, Barnes sued Yahoo for negligent undertaking and promissory estoppel.

The district court dismissed Barnes’ claims, holding that 47 U.S.C. 230 protected Yahoo because, according to that section, “no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”

It’s no big surprise that the appeallate court affirmed the lower court on the question of negligent undertaking. Barnes’ claim was that Yahoo was negligent in undertaking to remove the content. Since the removal of content is one of the quintessential functions of a publisher, it would contravene Section 230 to hold Yahoo liable for that.

The more intriguing part of the case comes from the court’s reversal on the question of promissory estoppel. Yahoo’s breach of an alleged promise to remove the content was of a different nature than the act of removing the content. “Promising is different because it is not synonymous with the performance of the action promised.” Liability arising from failing to live up to that promise was outside the scope of Section 230. In other words, pursuing Yahoo for breaking its promise to take down the offending content did not treat it as the publisher or speaker of that content.

This holding seems to be another chip away at Section 230 immunity. Smart intermediaries (e.g. website operators) are likely to communicate less now with individuals who feel aggrieved, because the intermediary may fear that anything it says could be construed as a breakable promise putting it at risk for liability.

No CDA immunity for adult-oriented Web site in right of publicity case

Doe v. Friendfinder Network, Inc., — F.Supp.2d —-, No. 07-286, 2008 WL 803947 (D.N.H. March 28, 2008)

Plaintiff Doe learned that a nude image and some biographical information about herself had been used to set up a bogus profile on the adult-oriented personal-ad Web site Adult Friend Finder. She sued the operator of the site alleging a number of claims, like defamation and intentional infliction of emotional distress. She also alleged misappropriation of her right of publicity under state law, and false designation of origin and false advertising under the federal Lanham Act.

Adult Friend Finder moved to dismiss the claims, arguing that the Communications Decency Act (“CDA”) at 47 U.S.C. 230 immunized the site from liability for the information provided by someone other than the site operator. The court agreed with Adult Friend Finder as to the majority of the claims, holding that the claims were barred by the CDA where the plaintiff sought to impose liability on the site as the publisher or speaker of the information.

But the court held that the CDA did not immunize Adult Friend Finder from Doe’s state law claims for violation of the right of publicity, or for violation of the federal Lanham Act.

Section 230(e)(2) provides that “[n]othing in this section shall be construed to limit or expand any law pertaining to intellectual property.” You may recall that last year the Ninth Circuit [in Perfect 10, Inc. v. CC Bill, LLC, 488 F.3d 1102 (9th Cir. 2007)] held that 230(e)(2)’s restriction on immunity only applied to federal claims involving intellectual property (leaving state law claims barred).

The court in this case disagreed with the Ninth Circuit on this point, looking at the plain language of the statute and finding no meaningful distinction between state and federal causes of action involving intellectual property, especially given the presence of the word “any” when decribing “law[s] pertaining to intellectual property.”