We’ve devoted considerable attention on our blog to Section 230 of the Communications Decency Act, which immunizes online service providers/hosts from liability for user-generated content. Site operators are protected from liability even though they knew (or should have known) that user-generated content contained defamation, privacy invasions, intentional infliction of emotional distress, civil rights violations, and state criminal activity. Providing a safe harbor for ISPs, search engines, and social networks is a good thing. If communication conduits like ISPs did not enjoy Section 230 immunity, they would surely censor much valuable online content to avoid publisher liability. The same is true of search engines that index the vast universe of online content and produce relevant information to users in seconds and, for that matter, social media providers that host millions, and some billions, of users. Without Section 230, search engines like Google and Bing and social media providers like Yelp, Trip Advisor, Facebook, YouTube, and Twitter might not exist. The fear of publisher liability would have inhibited their growth. For that reason, Congress reaffirmed Section 230’s importance in the SPEECH Act of 2010, which requires U.S. courts to apply the First Amendment and Section 230 in assessing foreign defamation judgments.
In the past few months, prosecutors have arrested notorious revenge porn site operators Hunter Moore, Kevin Bolleart, and Casey Meyering. Those arrests have raised the question, what about Section 230? Hunter Moore’s arrest is the least controversial. Although Section 230 immunity is broad sweeping, it isn’t absolute. It exempts from its reach federal criminal law, intellectual property law, and the Electronic Communications Privacy Act. As Section 230(e) provides, the statute has “[n]o effect” on “any [f]ederal criminal statute” and does not “limit or expand any law pertaining to intellectual property.” Federal prosecutors indicted Moore for conspiring to hack into people’s computers in order to steal their nude images. According to the indictment, Moore paid a computer hacker to access women’s password-protected computers and e-mail accounts to steal nude photos for financial gain—profits for his revenge porn site Is Anyone Up. Site operators may be held accountable for violating federal criminal law.
What about revenge porn operators Bolleart and Meyerson who are facing state criminal charges? Generally speaking, site operators are not transformed into “information content providers” (who are not immunized from liability) unless they co-developed or co-created the allegedly criminal/tortious content, such as by paying for the illegal content and reselling it or drafting some of the contested content themselves. California Attorney General Kamala Harris’s prosecutions of both Bolleart and Meyerson press the question whether Section 230’s immunity extends to sites that effectively engage in extortion by encouraging the posting of sensitive private information and profiting from its removal.
Let’s take Bolleart’s case. It’s based on a similar theory as the case against Meyerson, who runs WinbyState, a private revenge porn site with a connected site that charges for the take down of photos. In December 2013, Bollaert, operator of revenge porn site UGotPosted, was indicted for extortion, conspiracy, and identity theft. His site featured the nude photos, Facebook screen shots, and contact information of more than 10,000 individuals. The indictment alleged that Bollaert ran the revenge porn site with a companion takedown site, Change My Reputation. According to the indictment, when Bollaert received complaints from individuals, he would send them e-mails directing them to the takedown site, which charged up to $350 for the removal of photos. Attorney General Harris explained that Bollaert “published intimate photos of unsuspecting victims and turned their public humiliation and betrayal into a commodity with the potential to devastate lives.”
Bollaert will surely challenge the state’s criminal law charges on Section 230 grounds. His strongest argument is that charging for the removal of user-generated photos is not tantamount to co-developing them. Said another way, charging for the removal of content is not the same as paying for, or helping develop, it. That is especially true of the identity theft charges because Bollaert never personally passed himself off as the subjects depicted in the photos. Nonetheless, the state has a strong argument that the extortion charges fall outside Section 230’s immunity because they hinge on what Bollaert himself did and said, not on what his users posted. Only time will tell if that sort of argument will prevail. Even if the California AG’s charges are dismissed on Section 230 grounds, federal prosecutors could charge Bollaert with federal criminal extortion charges. Sites that encourage cyber harassment and charge for its removal (or have a financial arrangement with removal services) are engaging in extortion. At the least, they are actively and knowingly conspiring in a scheme of extortion. Of course, this possibility depends on the enforcement of federal criminal law vis-à-vis cyber stalking, which as we have seen is stymied by social attitudes and insufficient training.