Appeals Court Rejects Revenge Pornster's Appeal; Another Bad Section 230 Ruling

from the what's-up,-california? dept

We've noted in the last month or so a series of court rulings in California all seem to be chipping away at Section 230. And now we've got another one. As we noted last month, revenge porn extortion creep Kevin Bollaert had appealed his 18-year sentence and that appeal raised some key issues about Section 230. As we noted, it seemed clear that the State of California was misrepresenting a bunch of things in dangerous ways.

Unfortunately, the appeals court has now sided with the state, and that means we've got more chipping away at Section 230. No one disagrees that Bollaert was a creep. He was getting naked pictures of people posted to his site, along with the person's info, and then had set up a separate site (which pretended to be independent) where people could pay to take those pages down. But there are questions about whether or not Bollaert could be held liable for actions of his users in posting content. Section 230 of the Communications Decency Act (CDA 230) is pretty damn clear that he should not be held liable -- but the court has twisted itself in a knot to find otherwise, basically arguing that Bollaert is, in part, responsible for the creation of the content. This is going to set a bad precedent for internet platforms in California and elsewhere.

The court, not surprisingly, relies heavily on the infamous Roommates.com ruling that also said that site didn't qualify for Section 230 immunity, because it asked "illegal" questions (about housing preferences), and since the site itself had asked those questions, it was liable for creating that "illegal" content. That's different than what happened with Bollaert's UGotPosted site, but the court works hard to insist the two are close enough:

Here, the evidence shows that like the Web site in Roommates, Bollaert created UGotPosted.com so that it forced users to answer a series of questions with the damaging content in order to create an account and post photographs. That content—full names, locations, and Facebook links, as well as the nude photographs themselves—exposed the victims' personal identifying information and violated their privacy rights. As in Roommates, but unlike Carafano or Zeran, Bollaert's Web site was "designed to solicit" (Roommates, supra, 521 F.3d at p. 1170, italics added) content that was unlawful, demonstrating that Bollaert's actions were not neutral, but rather materially contributed to the illegality of the content and the privacy invasions suffered by the victims. In that way, he developed in part the content, taking him outside the scope of CDA immunity.

I can predict that this paragraph is likely to show up in a bunch of other cases. People are going to insist that lots of other platforms that include any form of structure will now be liable if any of the content based on that structure violates the law. That, again, goes directly against the clearly stated purpose of CDA 230. And it's likely to create something of a mess for internet platforms that regularly rely on 230.

The really crazy thing here is that earlier in the ruling, the court noted that it didn't even need to answer the Section 230 question because they already had enough info to support charges of action "with the intent to defraud." But then it answered the CDA 230 issue anyway, and did so badly. No one's going to feel sorry for Bollaert, who is a complete creep. But the wider precedent of this ruling is going to be dangerous and will likely show up in lots and lots of lawsuits against internet platforms going forward.

Filed Under: california, cda 230, kevin bollaert, liability, platforms, revenge porn, section 230
Companies: ugotposted, yougotposted

Revenge Porn Site Owner Kevin Bollaert Sentenced To 18 Years In Prison

from the could-Section-230-free-him? dept

As was noted here in early February, a California court found revenge porn site owner Kevin Bollaert guilty of six counts of extortion, along with 21 counts of identity fraud. Bollaert not only ran revenge porn site YouGotPosted but also operated ChangeMyReputation, from which he would remove photos posted to his revenge porn site for a fee.

Adam Steinbaugh attended Bollaert's sentencing last Friday, tweeting out his observations and insights, including fun facts like:

• Bollaert had $20,000 in cash on him when arrested, apparently from his ChangeMyReputation sideline.
• Bollaert apparently believed Obama would pass restrictive gun laws that would make certain firearms extra valuable, and began stockpiling weapons. But buying 31 guns using only a P.O. Box for an address has a way of attracting ATF agents…and a conviction for making false statements in connection with the purchase of a firearm.
• During sentencing, Bollaert's attorneys mentioned the FTC's wristslap of Craig Brittain as an argument that Bollaert deserved a similarly light punishment.
• The judge quoted an interview with Bollaert where he blew off Marc Randazza's lawsuits.
• A Cub Scout observed the sentencing.

More than six hours after the proceedings began, the judge handed down Bollaert's sentence. A wrist slap it is not.

Kevin Bollaert was sentenced by a San Diego court to 18 years in prison following his February conviction on twenty-seven counts of extortion and identity theft.

This was much harsher than most people expected, even considering the heinousness of Bollaert's actions. Some expected a lighter sentence coupled with an extended probation period, and Steinbaugh's tweets mention a previous plea deal that was rescinded or rejected. None of that matters now. As Steinbaugh points out, if Bollaert serves every year of his term, he'll be in jail longer than some of his site's victims were alive when their pictures were posted.

The sentence will most likely be appealed. Steinbaugh advances the theory that Section 230 protections could be used to undo the extortion and identity theft charges. (Although he is careful to preface his legal speculations with this warning: "It’s rather boring — and I’m probably wrong, but someone has to raise these issues, even in defense of a revenge porn site extortionist. Only Nixon could go to China, I suppose.")

If Bollaert does appeal, he has a good chance at success with respect to the identity theft charges (assuming Bollaert himself didn’t seek out the victims’ personal information). Simply publishing content submitted by users — even if the avowed purpose of the site was to promote invasion of privacy and tortuous conduct — is immunized by §230.

Whether or not the Section 230 argument will work against criminal extortion charges remains to be seen, but previous civil cases seem to present a few possibilities.

The courts which have addressed extortionate behavior in the civil context have indicated that §230 likely immunizes that conduct. §230 applies to website operators even when they exercise traditional editorial functions.

In Ascentive, LLC v. Opinion Corp., a federal district court in New York addressed consumer gripe site PissedConsumer.com’s “Corporate Advocacy Program”, a “premium reputation management service” under which PissedConsumer would remove negative reviews (if the consumer refused to allow PissedConsumer to act as an intermediary in resolving their complaint) and resolve new complaints before they are posted. The plaintiffs brought RICO claims against PissedConsumer, including predicate acts of “commercial bribery or extortion.” The district court, in denying the plaintiffs’ motion for a preliminary injunction, ruled that the plaintiffs had not demonstrated a likelihood of success on the extortion allegations.

As ugly as it seems, the protections afforded operators of sites hosting user-generated content could keep Bollaert from being incarcerated -- or at least take a huge chunk out of his 18-year sentence. But that's the dual edge of these sorts of protections. Much like the First Amendment protects ignorant, hate-filled racists and the Fourth Amendment protects child porn enthusiasts, Section 230 can protect revenge porn site owners from the content submitted to their sites.

Bollaert's sideline removal service complicates things, but despite profiting from both ends of the equation, the content was posted by others and his extortion-esque secondary business never asked for money to prevent the posting of submitted content, but rather the removal of already-posted photos and contact info. Pure, vile nastiness to be sure, but with enough legal loopholes to potentially jeopardize his conviction.

Additionally, Section 230 protections have previously only served to defend site owners in civil cases, rather than against criminal charges. It's highly unlikely this will be applicable to appealing the criminal charges, but these are state charges rather than federal charges, so this may provide him an opportunity to test California's statutory interpretation of Section 230.

If his conviction is overturned (Steinbaugh believes the state will do everything possible to prevent this) using Section 230 as leverage, we can expect more legislative attempts to gut these protections -- from lawmakers who are content ignore the harm it will cause site owners far more respectable than those trafficking in misery and exploitation simply because the targeted activity is so repulsive.

Filed Under: california, extortion, kevin bollaert, revenge porn, section 230, sentencing
Companies: yougotposted

Scumbag Revenge Porn Site Operator Arrested... But Many Of The Charges Are Very Problematic

from the bad-cases-make-bad-laws dept

A fair amount of attention has been paid to the announcement from Kamala Harris, the attorney general for California, that Kevin Bollaert, the operator of a revenge porn site, and corresponding "pay me to take down the revenge porn" site, has been arrested and charged with a variety of crimes, including extortion. Make no mistake about it: Bollaert is a scumbag and these revenge porn sites -- especially those with the extortionate concept of "pay us to take down those nude photos you never wanted posted in the first place" -- are highly problematic. But... as with all kinds of "highly problematic" activities, it all too often happens that law enforcement's zeal to take down the bad guy means they twist laws in dangerous ways that could have significant consequences for plenty of good sites. That appears to be the case here.

Again, Bollaert is a despicable person. A year ago, Adam Steinbaugh was one of the first to detail the nasty practices of "YouGotPosted" (or "UGotPosted") and the companion site "ChangeMyReputation." However, as Eric Goldman details, there are a bunch of dangerous problems with the charges that Harris filed against Bollaert, mainly in that many of them seem to blame him for the way users use the site -- something that the site is protected from under Section 230:

The other two asserted unlawful purposes are (1) online harassment per Penal Code 653m(b) (criminalizing “repeated contact by means of an electronic communication device”), and (2) the civil tort of public disclosure of private facts (citing a troubling precedent, In Re Rolando S.). Unlike the extortion claim, both allegations depend on the behavior of the website’s users. The complaint doesn’t allege that Bollaert himself made repeated contacts with victims using an electronic communication device, or that Bollaert himself disclosed anyone’s private facts. Instead, the complaint alleges that Bollaert ran a UGC website where users performed unlawful activities. But that’s exactly what UGC websites do: they let users publish content online for both good and evil. If we hold UGC website operators responsible for the fact that their users sometimes commit crimes, then all UGC website operators are criminals.

Fortunately, that’s not the law. In 1996, in 47 USC 230 (Section 230), Congress said that websites aren’t liable for third party content, even if the third party violates state criminal law. From my perspective, based on the allegations in the complaint and arrest warrant, the identity theft charges predicated on harassment and privacy violations appear to be preempted by Section 230

It's no secret that the various state attorneys general, including Harris, would love to wipe out Section 230. So perhaps she sees this as a chance to take a case so emotionally charged that she can get a favorable ruling. That's dangerous, since as Goldman notes, this would effectively wipe out Section 230 for many, many sites that allow user contributed content.

A second problem with the complaint is that it relies on an identity theft law used against Bollaert. But anyone looking at the situation would know right away that this isn't any kind of identity theft. Again, Goldman explains:

The crime asserted here, Penal Code 530.5(a), has two elements. First, the defendant must willfully obtain personal identifying information. Second, the defendant must use that information for an unlawful purpose.

When applied to actual identity theft, these elements make sense. If I steal your social security number and use it to obtain a credit card that I use to run up fraudulent charges, the two elements are clearly satisfied.

As applied to Bollaert, in contrast, the elements are confusing. (The criminal complaint, as typical for the genre, doesn’t explain how the law applies to the facts). How did Bollaert willfully obtain personal identifying information? He allegedly ran a UGC website where users could submit photos and personal information structured into standardized categories. It seems like this allegation would equally describe how all UGC websites “willfully” obtain content from their users.

The one area where the claim may actually make some sense is the extortion claim -- as that definitely seems questionable. However, once again, this can run into some problems. For example, you can see a perfectly legitimate service that charges some sort of processing fee to take down content that had been previously posted. Merely charging to remove content, by itself, shouldn't be seen as extortion. Hell, we've recently had comment spammers who apparently got punished by Google's search rankings email us about removing the comment spam they were able to sneak through our spam filters. When I mentioned how silly this was on Twitter, many people suggested that we should charge the spammers to remove their spam comments. That actually seems like a reasonable (if amusing) idea. But would that be extortion? Under the claims against Bollaert, it's possible that such an action would be considered the same thing -- but I doubt most people would think the request to spammers would be extortion (not that we've done it either way).

And that leaves this whole case in a tricky spot. Bollaert's site was a problem. What he was doing was despicable in so many ways it's almost difficult to keep track of them all. But, if the case is allowed against him, it's quite possible that very bad precedents will be set that lead to significant problems for tons of legitimate sites. As Goldman notes, however, there's a good chance it will never get this far. Bollaert almost certainly will take a plea deal, and Harris will get yet another headline about how she's protecting the citizens of California, even if her legal theories might undermine its economy -- and many of the sites that people around the globe enjoy.

Filed Under: california, extortion, identity theft, kamala harris, kevin bollaert, liability, revenge porn, section 230
Companies: changemyreputation, yougotposted