Revenge Porn Creep Kevin Bollaert's Appeal Underway... And Actually Raises Some Important Issues
from the but-he's-still-a-creep dept
Let's start with the basics: Kevin Bollaert is a creep who did some really horrible and shady stuff. He was something of a latecomer to the revenge porn space, basically copying a few of the more popular revenge porn sites that came before him in creating "YouGotPosted." He also copied at least some of the "business model" of Craig Brittain's "IsAnybodyDown" website, which purported to work with a third party (the fictitious "lawyer" "David Blade III") who you could pay to take down those naked pictures someone leaked to the site. In the case of YouGotPosted, Bollaert set up a companion website, called ChangeMyReputation, where you could pay and that site would magically get images taken down off YouGotPosted (there is some dispute over how clear it was that the two sites were connected). There's a decent argument that this is a form of extortion, posting naked photos of someone and then demanding cash to get them taken down -- but there are also cases in slightly different realms (such as online review sites) that suggest such activity is actually protected by Section 230. Bollaert, about as unsympathetic a defendant as you can possibly imagine was convicted of a variety of things, including not just extortion, but also identity theft, which raises some serious questions, given that Bollaert was only posting info given to him by others.So when Bollaert got an 18-year sentence over all of this, many felt the sentence to be fairly extreme -- even among those who felt that Bollaert is a creep who deserves jail time for what he did. As we expected, Bollaert has appealed and is raising some key defenses, mostly based around Section 230 of the CDA. In short, what he did may have been awful, but you still can't blame the site operator for content uploaded by users. That's the whole crux of CDA 230. If the uploader broke the law in posting content, go after them, not the platform on which the content was uploaded.
In this case, the People seek to chip away at the clear protections provided by the Communications Decency Act. The People claim the statute’s protection did not apply to Yougotposted because Yougotposted administered the website and possessed the authority to pick and choose which information was posted. Here the People’s reliance on speculation and conjecture fails to strip appellant of the statute’s immunity. If the People’s arguments are accepted, the approach would provide an avenue for other litigants to end-run the bright-line protections provided by the statute, jeopardizing service providers and undermining speech in the process. This amounts to bad policy.Bollaert's lawyers argue, fairly reasonably, that YouGotPosted qualifies for the CDA 230's safe harbors as a service provider. The state argues that he's the content provider, who can be liable, rather than just a platform. Bollaert's lawyer cites all the standard Section 230 cases that establish the fairly broad immunity provided to internet platforms.
Bollaert also argues that what was on YouGotPosted wasn't identity theft at all because any "unlawful purpose" associated with collection of identifying information was done by third parties, rather than Bollaert, and thus, once again, he's protected by Section 230.
In its reply brief, the State of California hits back at all of this with what seems like an incredibly weak argument. Basically it argues that because Bollaert required submitters to post personal information, that makes him a content provider, rather than a platform:
By requiring users to post personal identifying information, appellant became an “information content provider” because he was responsible as a developer and provider of the content he required; thus, he was no longer a mere “interactive service provider” or “access software provider”. In any event, because he intended to defraud victims by concealing his true identity as the operator of both websites, the exception appellant relies on would not apply.Not surprisingly, California relies heavily on the infamous Rommates.com ruling, a rare case where a service provider lost its safe harbors by having a drop down menu that was seen as asking a discriminatory question about roommate preferences, violating fair housing laws. California is arguing that, by requiring uploaders to post user information, YouGotPosted is similar to Roommates.
Here, similar to the situation in Roommate, appellant willfully obtained individuals’ personal identifying information by soliciting it from submitters, who were required to include the victims’ full name, location (“city, state, country”), age, and a link to the victims’ Facebook profile page in order to submit photographs. As in Roommate, appellant became responsible for the illegal content of the postings because the illegal content (i.e., the non-consensual use of someone’s personal identifying information, including their private photos) was a condition of use. Appellant then used that information to harass and annoy victims because he knew—with absolute certainty—that by posting the information, the victims would be contacted by numerous strangers whom the victims would find threatening. Appellant also used the information for the unlawful purpose of unlawfully obtaining money from them by demanding payment in exchange for removing his posts. This conduct does not magically become lawful because appellant did it online, or because he recruited third parties to help him inflict harm on a mass scale.Except California is playing a little loose with the facts here and mixing and matching things to make its argument look stronger. The key difference was that the roommate preference question was, by itself, discriminatory and against the law. YouGotPosted asking people for identifying information is not. Again, this is not in any way to defend Bollaert or his site. But Section 230 matters quite a lot, and government attempts to limit those protections will have a serious impact on internet platforms and their willingness to allow freedom of expression.
California's lawyers spend a lot of words trying to argue that requesting identifying information with photos magically makes the whole thing illegal -- including claiming that because Bollaert knew that his users would then likely harass the people shown in those photos -- that it makes him liable as the content creator. But that still seems to be a fairly blatant misreading of the law as written and the case law itself.
California also insists that it is identity theft, because of the "fraud" of pushing people to another site to pay to have the photos removed:
Here, the evidence amply demonstrated appellant’s intent to defraud. When victims asked to have the offending photos removed, they were either referred to the website “ChangeMyReputation.com,” or they followed the link to that site.... This extra step was wholly unnecessary. Appellant could have removed the photos by demanding the money directly from the victims as part of the UGotPosted website. But appellant presumably realized that the victims would be less inclined to pay money to the very person responsible for posting their pictures. By creating a separate website, appellant hoped to deceive the victims into believing that they were receiving the legitimate services of a neutral third party who would restore their reputation, and that they were not simply paying blackmail to an extortionist who was the source of their misery.Responding to California's attempt to get around Section 230, Bollaert's lawyers basically just repeat "it's a platform and the government hasn't shown any reason it's not."
Here, the People claimed the statute’s protection did not apply to appellant because he administered the “Yougotposted” website and retained the authority to pick and choose which information was posted. This does not make him a content provider. Those actions of appellant are no different than those found by the courts to be protected under the statute.... The People’s argument must fail because accepting their arguments would eviscerate protections provided by the statute, jeopardizing service providers and undermining free speech in the process.Bollaert also says the whole claim that having two sites suddenly makes it fraud makes no sense at all:
Here, the People produced no evidence in support of their belated claim that appellant possessed personal identification information with the intent to commit fraud. CALCRIM 2401 describes fraud as having deceived another person in order to cause a loss of money or something of value or damage to a legal, financial or property right. The People belatedly raised the claim that payments made through “changemyreputation.com” were obtained by fraud because the victims were not aware that appellant managed both websites. Problems arise with the argument. First, the link to “changemyreputation.com” was visible on “Yougotposted.com.” There was no evidence suggesting appellant was trying to hide the fact that the sites were connected. A number of the victims stated it was “obvious” that the same person was behind both sites. (4RT pp. 305-306.) Additionally, the People’s argument must fail because the victims clearly believe the payment was to have the photos removed, not because they were “deceived”.Separate from all of this, both sides also are arguing about the extortion question, noting that a business model that offers to remove content is just a "standard business practice," and not extortion. Part of this argument is, again, buttressed by CDA 230, because the uploaded content was not uploaded by Bollaert himself, so (his lawyers argue) you can't claim that he both uploaded the content and then pushed people to pay him to take it down. It's that "other people uploaded it and thus, 230" claim that Bollaert argues makes this not extortion:
The People argued that appellant used the posting of the photographs on the website to illegally obtain money from those whose photos were posted and to have the photos removed from the “Yougotposted” website. The People argued that appellant threatened to injure the victims or “expose their secrets” by publishing the images on the website. As the CDA provides, interactive computer service providers and access software providers are under no legal obligation to remove postings submitted to their website by third parties, even those postings that are negative in nature. Appellant was simply under no obligation to remove the negative content from his website. He merely offered a service to remove the photos and, by offering such a service, he is engaging in standard business practice and not extortion.They also argue -- and I will admit that this is a morally horrifying argument, if potentially legally sound -- that by simply posting the images first, without contacting individuals and asking for money to stop the posting, it's completely different than posting first and then offering a way to pay to take the content down.
In this case the People proceeded on the theory that the third-party postings constituted exposure of a secret affecting the persons portrayed in the photos. The initial reaction is that appellant’s operation of the website and posting information provided solely by third parties simply does not constitute a threat to expose any secret as to the other persons because the alleged secret (photos) was already in the public domain and had been provided by third parties unaccompanied by any demand for payment. In this case there is absolutely no evidence any request was made through either “Yougotposted” or “changemyreputation.com” before the photos had been submitted by the third parties. In this case appellant merely provided a means whereby, for a fee, information already legally posted could be removed.Bollaert's lawyers also point to the recent lawsuit against Yelp, where some businesses claimed that Yelp would ask them to pay for advertising with a promise of more favorable reviews (and with some arguing that a failure to pay resulted in negative reviews). In that case (Levitt v. Yelp), the court found that even if that was what Yelp was doing (which Yelp denies), it's not extortion:
The court found the plaintiffs had no pre-existing right to a positive review and that Yelp! was in no way obligated to refrain from manipulating reviews or creating negative ones. Yelp! was simply offering a service when it offered to remove negative reviews from its web page and that the offering of that service in exchange for money amounted to a legitimate business practice.And, of course, Bollaert argues that his situation was similar to Yelp's:
In the present case, appellant, as an interactive computer service provider was under no legal obligation to remove the postings submitted to the website by third parties, even when those postings are negative in nature. As in the above cited cases, Yelp!, Yahoo!, AOL and the dating website in the Carofano case, as well as “TheDirty.com” case, appellant could legally decline to remove any offending content from his website. Offering a fast, efficient removal service through the site “changemyreputation.com” amounted to a legal practice, akin to the practices approved in Yelp!. No crime of extortion occurred. Yelp! offered to remove negative content for money. They were under no obligation to remove those negative reviews and they offered the additional service in exchange for a fee. This is a business practice, not extortion.The lawyers for the state of California, as you might imagine, don't like this argument very much.
This case, however, is not about incidental harms caused by a free market economy run amok. Appellant is a criminal who intentionally harmed thousands of people, not a legitimate businessman. While many people knew the victims’ secrets (only because appellant had exposed them on his website), many others had not yet seen the photos and it was that threat of continued exposure that appellant used to extort money from the victims. Further, because the website contained the victims’ PII, and because appellant’s website required posters to provide that PII, appellant was obligated to remove the content and he was not simply providing a service that he otherwise had a legal right to perform.Basically they try to distinguish Bollaert's site from Yelp in a variety of ways. They also note that somewhat different laws apply (federal vs. state) and that posting personal naked photos along with identifying information is very, very, very different from posting negative reviews of a business. Frankly, this argument was the one that I expected to be most convincing, but which California's lawyers breeze through without much detail.
Obviously, it will be interesting to see where the California state appeals court comes down on all of this. I do think that the identity theft claims are incredibly weak, and that the extortion claims look a lot weaker than I first expected. I really expected stronger arguments from California. And, it's pretty clear that Bollaert's site was something pretty horrible all around. But does that automatically make it illegal? As with many cases targeting the safe harbors of Section 230, there are important issues being raised about what constitutes an internet platform vs. who is responsible for actual content or behavior.
Remember, with the nearly identical site that Bollaert basically copied, the operator there, Craig Brittain, merely got a slap on the wrist from the FTC for misleading people. It also dragged his name through the mud. Bollaert, at the very least, deserves that level of treatment. But does running a creepy website that enabled harassment create criminal liability that deserves 18 years in jail? That feels like a dangerous stretch of the law to punish a creep for being a creep. And when we start doing that, we create dangerous precedents for other platforms in situations that maybe aren't so creepy.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: appeal, california, extortion, identity theft, kevin bollaert, revenge porn, section 230
Reader Comments
Subscribe: RSS
View by: Time | Thread
Yelp seems like a horrible decision
[ link to this | view in chronology ]
Re: Yelp seems like a horrible decision
How rapidly must Yelp respond to a compelled removal, and what penalties ought they face for missing that deadline?
Under what conditions could a removal be compelled? Sometimes companies genuinely deserve a bad review. Removing a negative review solely because the company dislikes it would be a disservice to prospective customers.
Should we remove the appearance of extortion by prohibiting Yelp from accepting any payment from reviewed companies? That would eliminate the potential for implying that payment gets you good treatment, but would mean that any company that got a negative review would be unable to advertise on Yelp even if it wanted to do so. For a large company, this could be significant. Large companies inevitably have at least some negative reviews, no matter how well trained their employees are supposed to be.
Should we remove the appearance of extortion by prohibiting Yelp from removing negative reviews? If so, that moves into compelled speech and causes problems when Yelp identifies and wants to remove a clearly bogus review.
The outcome of the Yelp case may be unsettling, but I see no better alternatives. I would be happy to be proven wrong. In my view, an alternative is not better if it compels action, inaction, or speech from any party.
[ link to this | view in chronology ]
Re: Re: Yelp seems like a horrible decision
Since Yelp is in the business of publishing reviews, the ability of a company to silence someone they wronged simply by paying Yelp a fee presents a problem -- an honest company can wind up with a worse reputation on Yelp than a completely crooked one, simply because the honest one doesn't pay someone to lie for them.
[ link to this | view in chronology ]
Re: Re: Re: Yelp seems like a horrible decision
However, one site with the same troll review did not remove it despite the proof provided (a screenshot of the troll admitting to what he'd done) because its business model is to bleed people dry with promises to improve their search results — for a small consideration.
Isn't it fraud to declare that the reviews are an accurate reflection of a customer's experience when you know damn well they're not? It's why I tend to take reviews with a shovel full of salt.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Hilarious and poetic justice.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
State argument might be weak because the moral argument is strong
[ link to this | view in chronology ]
Re: State argument might be weak because the moral argument is strong
[ link to this | view in chronology ]
I actually agree with that morally horrible argument on the extortion front. It is not extortion. The question here is that he created a platform that was focused on letting frustrated males with severe self-esteem and social issues to post nudes and heavier pictures of their ex without consent as a revenge for breaking up.
So there are two issues here: the platform is promoting the violation of the rights of other people and the idiots that feed the platform. The guy must not be blamed for what was posted, this justice hammer has to go down those who posted unless, of course, he doesn't give the details of the jerks to the authorities. But it seems to me that he should be punished for actually setting up the platform with the explicit intention of hosting such activity.
It's not like Instagram where its general purpose is to share pictures but some users may use it for nefarious purposes. Such cases are the exception, not the norm. And the company certainly tries to weed out illegal activity to the best it can, within the law. So maybe he should not be exempted from any liability under 230 but he did set up a platform to conduct violating activities. So what's the law that would work here without setting a horrible 230 ruling?
[ link to this | view in chronology ]
Re:
Corrected to make sense
[ link to this | view in chronology ]
Re: Re:
He set up an associated website in which he impersonated a lawyer (or pretended one was available) who would "expedite" the process thereof. This is the fraudulent part.
IANAL but I'd have the creep for extortion and fraud against everyone who contacted him with requests to remove the content. I'd also say that those who didn't contact him were neither extorted nor defrauded, though they had their right to privacy violated by the creeps who posted them online.
Let us also bear in mind that the website was set up with the explicit purpose of embarrassing women for rejecting men. The problems with attempting to write an anti-shaming law are legion. Basically, you'd have to make it legal to call people out for bad behaviour but set limits on how much abuse you could heap upon them. Since this is highly subjective, good luck with defining the terms well enough without nuking the First Amendment.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Victimizing people, then directing them to pay money to ChangeMyReputation for protection against the victimization caused by the people running ChangeMyReputation (who are the same people running YouGotPosted) is about as clear a case of a protection racket as I've ever seen, except that the victims did not know of the connection between ChangeMyReputation and YouGotPosted, which means you could probably make a case for adding a fraud charge on top of the protection racket charge.
Nothing in this implicates Section 230 rights in any way.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
This perp is only threatening to leave information up on his web site until paid to take it down. Hence, blackmail.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Good luck with your appeal, asshat.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Not so fast
The fact is, Bollaert's site WAS qualitatively different than Yelp, because Bollaert required identifying information to be attributed to the images prior to making them public. According to the government's case (p13), he would vet that information, including the required Facebook link, before greenlighting a submission for public view. By vetting that information for accuracy prior to greenlighting, Bollaert is arguably taking the role of content provider.
There is a substantive difference between Bollaert and Yelp, or even Bollaert and something like r/gonewild. Yelp and gonewild don't approve user's posts, nor do they vet them for accuracy prior to letting users post. In both cases, they let users post without any prior editorial input and only after do they remove objectionable or flagged content. But in both examples, the users make post first and moderation comes later.
What Bollaert was doing was quite different, in that he was curating his user's content BEFORE it was posted and vetting it for accuracy, in the same way that NYT or WaPo editorial staff will (or ideally will, rather) vet a journalist's story for accuracy. In both of these cases, the WaPo and NYT editorial staff didn't create the content itself - the using their CMS did. But they are most certainly liable as content creators, precisely because of the editorial input they have in vetting and greenlighting what goes on their site before it is made public. (Obviously, Bolleart wanted to maximize his financial scheme by making sure users were only posting legitimate pics plus personally identifying information, and not random pics they found on Reddit or 4chan.)
Now, we can argue about whether he deserved such a harsh sentence (in the context of the associated financial scheme, it wasn't that unreasonable). We can argue that Section 230 deserves to be protected with every fiber of our being as one of the few really good telecommunications laws on the book (and I think it does). But arguing that Bollaert himself was only acting as a moderator and that he's not substantively different from a comment section or image board, and thus isn't responsible for what his users posted actually misses the key distinction that moderation a-la-platform-provider happens after the user has already posted it and the public sees it, and editorial control a-la-content-provider happens before the public sees it.
[ link to this | view in chronology ]
It seems to me that the court is conflating two issues here.
Don't get me wrong, I would prefer doxing someone without cause to be more broadly illegal, but that would require constitutional change. The 1st Amendment forbids it.
[ link to this | view in chronology ]
Re: It seems to me that the court is conflating two issues here.
Here's why: Bollaert personally greenlight every submitted post that was made publicly available on his website. IIRC he also personally greenlight all comments as well. The government has communications between Bollaert and the IT guy that set up his website, where Bollaert says something along the lines of 'I control everything and that's the way I want it." In other words, yes, his users were the ones that submitted the pictures, but Bollaert had absolute control over what items (and comments) users saw after submission. That makes him a content provider.
Contrast with Techdirt, who does have Section 230 protection for their comments section - but not for articles on the front page. Why? Because I can post anything I want to here, regardless of how crass, threatening, or illegal. Techdirt doesn't exercise any sort of pre-moderation or comment screening. Which means that they are providing a platform only, and are exempt under section 230 as long as they make a good faith attempt to remove illegal content posted by users. This doesn't apply to the Techdirt front page, however, where the staff of the site does exercise editorial control - Techdirt can still be held liable for defamation in an article, for example.
The key difference is editorial control. Bolleart personally curated every submission and comment, and intentional chose only those submissions that were fully doxxed with personal information. Tying into copyright law, facts are not copyrightable - but collections of facts (i.e. databases, encyclopedias, etc) show creativity and artistry in their arrangement and are copyrightable.
Bollaert might not have "created" the content his users were submitting, but he sure as hell put substantial time and effort into curating a public collection of only the best, most well doxxed nudes his users submitted.
I'm not sure exactly sure what the setup was with IsAnybodyDown/IsAnybodyUp because I'm not a skeezebag, but I would be willing to bet it was a more traditional 'platform' setup where users submitted and voted on each other's submissions - a setup that IS exempt as a platform under section 230 because the users, not the owners of the site, decide what is greenlight for the front page.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
IANAL, cursory search of Google gives (for the U.S):
sex pics @ ~3-4 months/person ((div 2) for aiding and abbeting but (mul 1.2) for repeat offense)
blackmail @ 1 year
sex pics alone would get the guy 25 years, but i'm assuming he should have the option to get out on parole in ~2 years.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Put the publisher/safe-harbor exemption in jeopardy because of this asshat??
I really don't think that the internet ecosystem and community deserves to have the incredibly important and already tenuous safe-harbor exemption put in jeopardy for the sake of a scumbag like Bollaert.
I hope he rots in jail.
[ link to this | view in chronology ]