NSO Fires Back At Facebook, Says It's Not Responsible For Malware Deployments By Foreign Governments

from the fair-point-but-doesn't-really-make-NSO-Group-look-any-better dept

NSO Group has finally decided to engage in the lawsuit Facebook filed against it late last year. The Israeli surveillance tech company has shown itself to be pretty cavalier about its market expansion plans. Despite being located in a country surrounded by unfriendly governments, NSO is more than willing to give Israel's enemies something to use against it. Its client list includes Saudi Arabia, United Arab Emirates, Bahrain, and Kazakhstan.

Facebook's lawsuit is questionable and if it wins, it would cause a lot of damage. Facebook is unhappy NSO software uses WhatsApp to deliver malware payloads to targets. But seeking precedent that would criminalize terms of service violations isn't going to help anyone, much less stop NSO from using encrypted messaging apps as attack vectors.

NSO is now firing back. And it makes a point that's true, if not all that sympathetic. It is not its customers. Much like the gun dealer who sells the gun eventually used in a mass shooting, NSO's sales of malware to governments that use them in questionable ways isn't really NSO's fault. It may have provided the surveillance tech, but it is not telling governments who to target or participating in the surveillance directly.

In its first substantive legal filing in the case, filed last week, NSO hit back at WhatsApp and its parent company, Facebook, which it said were seen by governments as “safe spaces for terrorists and other criminals” who – without NSO’s services – could operate “without fear of detection by law enforcement”.

NSO Group also argued that WhatsApp had “conflated” NSO Group’s actions with the actions of NSO’s “sovereign customers”. While NSO Group licenses its signature spying technology, Pegasus, to government law enforcement and intelligence agencies and assists with “training, setup, and installation”, it said it did not operate the technology.

This is NSO arguing it cannot be held responsible for the actions of others. If Facebook doesn't like what these governments are doing with NSO's tech, it's welcome to sue those governments directly. Not that those lawsuits would succeed. We're not the only nation that extends sovereign immunity to government agencies. That's standard operating procedure around the world. This is what NSO is hoping will convince the court to toss the suit.

“For that reason,” the company said in the filing, “permitting this litigation to proceed would infringe critical national security and foreign policy concerns of sovereign governments”.

NSO is also fighting back with a little dirt of its own. Long before it was sued by Facebook, it spent a little time discussing its spyware with the company.

In October 2017, NSO was approached by two Facebook representatives who asked to purchase the right to use certain capabilities of Pegasus, the same NSO software discussed in Plaintiffs' Complaint.

The Facebook representatives stated that Facebook was concerned that its method for gathering user data through Onavo Protect was less effective on Apple devices than on Android devices. The Facebook representatives also stated that Facebook wanted to use purported capabilities of Pegasus to monitor users on Apple devices and were willing to pay for the ability to monitor Onavo Protect users. Facebook proposed to pay NSO a monthly fee for each Onavo Protect user.

Onavo was Facebook's VPN -- one that had little to do with offering privacy to its users. It may have shielded them from others attempting to take a look at their web traffic, but it didn't do anything to prevent Facebook from collecting tons of data on users, which included a whole lot of minors. It was booted from Apple's App Store in 2018 for hoovering up too much sensitive data. Roughly six months later, Facebook killed the faux VPN for good.

Facebook claims this is an "inaccurate" portrayal of its meeting with NSO, but it's not like Facebook has much credibility on the privacy front. Its thirst for data has been unquenchable and its mitigation attempts have been provoked by Congressional inquiries and years of work by privacy activists. It hasn't suddenly become altruistic.

Facebook is right to be concerned about the use of WhatsApp to spread malware. But this lawsuit that attempts to use the already badly-abused CFAA to cover things Facebook doesn't like other people doing is going to cause collateral damage to researchers and journalists, rather than prevent NSO from selling WhatsApp-exploiting malware to government agencies.

Filed Under: cfaa, governments, hacking, liability, malware, privacy
Companies: facebook, nso, whatsapp

Court Sides With Nintendo Over RomUniverse In Atttempt To Dismiss The Former's Lawsuit

from the ninten-did dept

As most of you will know, a year or so ago saw Nintendo suddenly flip a litigious switch and begin going after all the ROM sites that had existed for a decade or more. The timing suggests that the company may have made this move out of a misguided attempt to support its release of several retro consoles that contained many of the games that the public could also simply get for free on these ROM sites. I say misguided because it's not as though Nintendo's aggression suddenly made free online ROMs unavailable. They are all still very much there through various means, but Nintendo's retro consoles sold like gangbusters anyway, because half the appeal in the product is the ease of use and the other half is in having the cool looking retro console next to the television.

Most sites simply folded up and caved. RomUniverse, run by Matthew Storman, was one of the few that attempted to fight back. Despite the site making not just Nintendo Roms available, but also all kinds of other copyrighted media, Storman tried to crowdfund his legal defense before pivoting to representing himself in court. We're still in the early stages of the litigation. Storman sought a dismissal of the case by arguing that First Sale doctrine meant Nintendo had no claim to the Roms being offered on his site coupled with claiming to be a neutral service provider protected by DMCA safe harbors. We said at the time that the move was unlikely to work.

And we were right. The court has now ruled for Nintendo against the motion to dismiss, stating that at best the claims that Storman makes are not properly made at this stage of the litigation, along with some comments that the claims probably aren't going to get Storman where he wants to go anyway.

After considering the arguments from both sides, US District Court Judge Consuelo B. Marshall has sided with Nintendo. In a ruling released yesterday, she denies the various arguments presented by Storman. RomUniverse’s operator wanted the case dismissed based on failure to state a claim, lack of jurisdiction, improper venue, insufficient service of process, and failure to join a party. None of these arguments convinced the court.

Storman, for example, argued that Nintendo is not the owner of previously purchased games because consumers have the right to sell, destroy, or give them away. The Judge didn’t address this in detail but concluded that Nintendo’s copyright registrations are sufficient at this stage.

On the DMCA safe harbor claims specifically, the court acknowledges that it cannot determine whether RomUniverse meets the criteria for those provisions at this stage of the trial, at which no evidence has been presented. Nintendo's entire case here is that Storman's site doesn't act as a third party service provider. Asking the court to find otherwise when Nintendo hasn't been allowed to present evidence yet would make no sense. And, as the court goes on to note, Nintendo sued for trademark infringement and unfair competition claims as well, and DMCA safe harbors don't protect from those claims.

Therefore, the Court would be required to look beyond the pleadings to determine whether Defendant is a service provider who satisfies the statutory requirements for protection pursuant to the DMCA's safe harbors, which is improper on a Rule 12(b)(6) motion to dismiss.

As to Storman's claim that First Sale doctrine means that Nintendo failed to join the actual owners of the games that are the basis of the ROMs on his site, the court points out that's not how any of this works at this stage. Nintendo has alleged that Storman's site is liable and arguing that Nintendo also has to sue everyone else isn't very convincing.

Defendant argues Plaintiff has "failed to join the true and essential owners of copies known only to Plaintiff, or unknown." As discussed supra, Plaintiff sufficiently alleges ownership and "the owner of copyright ...has the exclusive rights to ...reproduce the copyrighted work in copies [and] to prepare derivative works based upon the copyrighted work." 17 U.S.C. § 106(1)-(2). Therefore, Defendant fails to demonstrate there are persons subject to service of process which, in their absence, would prevent the Court from providing complete relief among the existing parties or persons claiming an interest in the subject of this action. See Fed. R. Civ. Proc. 19. Accordingly, the Court denies Defendant's motion to dismiss based on failure to join an indispensable party pursuant to Rule ~12)~b)~~)•

And so the motion to dismiss is denied. We've made the point several times now that Nintendo has better ways to deal with ROM sites than this sort of litigation. That is still true. But none of that changes the fact that Storman and RomUniverse have a mountain to climb if it wants to successfully defend itself from this lawsuit.

Filed Under: copyright, dmca, first sale, liability, matthew stroman, roms
Companies: nintendo, romuniverse

How Years Of Copyright Maximalism Is Now Killing Pop Music

from the originality-is-a-con dept

Almost five years ago, we warned that years of copyright maximalists brainwashing the public about ever expansive copyright and the need for everything to be "owned" had resulted in the crazy Blurred Lines decision that said that merely being inspired by another artist to make a song that has a similar feel, even if it doesn't copy any actual part of the music, was infringing. We warned that this would lead to bad things -- and it has.

Over the last few years, we've been detailing story after story of similar cases being filed. It's become so common that we don't even bother to write about most of the cases. As we've said, though, this really is the industry reaping what they've sowed. It's gotten so crazy that even the RIAA (yes, that RIAA) has felt the need to tell courts that maybe their interpretation of copyright has gone too far in the direction of over-protecting copyright holders.

It's now become such a fact of life that the NY Times has a giant article on how copyright is basically eating pop music these days. It describes a bunch of these cases, and notes that merely "being influenced" makes you liable for copyright infringement, and how that's causing problems for the very concept of pop music:

That is, to put it plainly, bad news for pop stars, and the producers and songwriters who help them craft hits. They are now marks for frivolous litigation premised upon nebulous assertions as well as a complete and willful ignorance of how pop music is actually made.

Occasionally, pop innovates in a hard stylistic jolt, or an outlier comes to rapid prominence (see: Lil Nas X), but more often, it moves as a kind of unconscious collective. An evolutionary step is rarely the product of one person working in isolation; it is one brick added atop hundreds of others.

Originality is a con: Pop music history is the history of near overlap. Ideas rarely emerge in complete isolation. In studios around the world, performers, producers and songwriters are all trying to innovate just one step beyond where music currently is, working from the same component parts. It shouldn’t be a surprise when some of what they come up with sounds similar — and also like what came before.

The whole article is great, including this fantastic line:

It fails to make a distinction between theft and echo, or worse, presumes that all echo is theft. It ignores that the long continuum of pop revisits sonic approaches, melodies, beats and chord progressions time and again. It demands that each song be wholly distinct from everything that preceded it, an absurd and ultimately unenforceable dictate.

All echo is theft. That's definitely the argument that many copyright system supporters have made for years. And now it's coming back to bite them.

But here's the most frustrating part of all of this: even with that one RIAA filing admitting that sometimes copyright could go too far in over-protecting rightsholders, it's not stopping them or other copyright maximalist organizations from still pushing for more expansive, more draconian, more protective copyright reform. Get ready for it, because it's coming. There are efforts to import the EU's dreadful copyright directive, as well as a very strongly backed effort to get rid of the DMCA's safe harbors. And this is coming at a time when actual revenues for artists have continued to shoot skyward.

However, as with so much about copyright, this is all about third parties -- not the artists and creators themselves -- looking for their own monopoly rents. They're looking to figure out how to get a piece of the pie for literally doing absolutely nothing. But if something becomes successful, suddenly they all want a cut, and copyright maximalism has handed them the tools to get exactly that. And, as a result, pop music is under ongoing litigation assault. The labels are making money. The lawyers are making money... and, according to a new Rolling Stone article, the insurance companies are making money:

While some record labels may have the budget to hire on-call musicologists who vet new releases for potential copyright claims, smaller players who can’t afford that luxury are turning toward a tried-and-true form of protection: insurance. Lucas Keller — the founder of music management company Milk and Honey, which represents writers and producers who’ve worked with everyone from Alessia Cara and Carrie Underwood to 5 Seconds of Summer and Muse — recently began encouraging all his songwriter clients to purchase errors-and-omissions insurance, which protects creative professionals from legal challenges to their intellectual property. “We all feel like the system has failed us,” Keller says. “There are a lot of aggressive lawyers filing lawsuits and going ham on people.” (He’s particularly critical of publishers whose rosters are heavier on older catalogs than new acts: “Heritage publishers who aren’t making a lot of money are coming out of the woodwork and saying, ‘We’re going to take a piece of your contemporary hit.’ ”)

Under E&O policies, insurance companies can cover several million dollars of an artist’s costs if they lose a copyright lawsuit. Joe Charles, senior vice president at insurance provider Alliant Insurance Services, says that as many as half of his personal A-list music clients — a roster of stars who already pay for tour insurance and other standard entertainment-industry policies — have recently shown interest in E&O coverage. “When a major claim is all over the press, we’ll get 10 to 20 calls from musicians asking how they can protect themselves and what it will cost,” Charles says.

Notice that all this is money that is not going to the actual artists. The entire premise of the Rolling Stone article is basically that having a hit song is simply too expensive these days, because of bullshit copyright lawsuits that actually have a chance because copyright law has gone insane. Something is clearly broken here, and supporters of the copyright system need to admit that maybe they've gone too far.

Filed Under: blurred lines, copying, copyright, inspiration, insurance, lawsuits, liability, pop music

Marc Benioff Calls For Section 230 To Be Abolished At The Same Time His Company Is Relying On 230 To Get Out Of A Lawsuit

from the dude,-seriously? dept

I like Salesforce founder and CEO Marc Benioff, in part because he doesn't act like most tech CEOs and isn't afraid to speak his mind and actually sound fairly human, rather than a rehearsed automaton who has a gazillion PR people vetting every message. That doesn't mean I always (or even often) agree with him, but I appreciate his willingness to speak his mind. I'm even not that surprised that he's jumped on the bandwagon in calling for Facebook to be broken up, even though the reasons he cites are based on false statements that he's apparently been convinced are true (which... maybe is a little scary) or that it still remains totally unclear to me how breaking up Facebook fixes any of the problems discussed by supporters of such a plan (unless the problem is just "I don't want Facebook to exist.").

Benioff also, oddly, seems unfamiliar with how the 1st Amendment works, in claiming that Congress needs to make it against the law to lie in political ads:

In particular, Benioff took issue with Facebook's recent decision to run political advertisements from the Trump campaign which contain false claims. Benioff said there is "no question" that he would not run such advertisements if he were the head of Facebook, and called on Congress to pass legislation that would require truthful advertising on social media platforms.

There are, of course, truth in advertising laws, but those focus on commercial speech, which has been deemed to be moderately less protected under the 1st Amendment. Political speech, on the other hand, is at the top of the protected food chain, and there's no way that the Supreme Court would bless any law from Congress that would "require truthful advertising on social media platforms."

But what strikes me as really bizarre is that as part of his ill-informed attack on Facebook, he's decided to throw Section 230 of the Communications Decency Act (and, with it, free speech on the internet) under the bus at the exact moment that his own company is heavily relying on Section 230 to get out of a massive lawsuit. In that same CNN interview which generated the headlines about breaking up Facebook, he briefly addresses Section 230 as well:

One of the reasons tech platforms are able to publish such content without consequences is the law typically shorthanded as Section 230, which allows internet platform providers to moderate some content without fear of being held liable for most of what users do on their platforms.

Benioff called Section 230 "the most dangerous law on the books right now," and said it should be "abolished."

He reiterated this statement on Twitter -- a site that literally only exists because of Section 230.

This is wrong and ridiculous on many levels. Section 230 doesn't "indemnify" Facebook, it makes sure that legal liability is properly placed on the party doing the speaking, not the party hosting the speech.

And if anyone should know that, it's Marc Benioff right this very moment. As we detailed earlier this year, Salesforce is currently being sued for sex trafficking by a group of people who were trafficked on Backpage... because Backpage used Salesforce to track its customers. And, the key argument that Salesforce's very expensive lawyers are making... is that Salesforce is protected by CDA 230:

If you're unable to read that it, it shows that the core argument Salesforce is making is that it's protected by Section 230. That's in the legal filing the company made literally one month ago. In it, Benioff's lawyers highlight the importance of Section 230, and also point out that -- despite the claims of the plaintiffs in the case -- the protections of 230 clearly do not apply to content provided by 3rd parties on a platform such as Salesforce (or... Facebook).

I'm not sure if Benioff is so confused that he doesn't understand how Section 230 works, or if he's just uninformed. The fact that he uses the phrase "Facebook is a publisher" suggests, unfortunately, that he's been reading/hearing some of the nonsense about "platform v. publisher" -- a distinction that is not found in the law, but is often played up by online trolls and cranks. I thought Benioff was better than an online troll or crank, but this latest outburst suggests I may have overestimated him.

Salesforce should be able to get this sex trafficking case tossed on 230 grounds, and Section 230 is a key reason why "the cloud" and cloud services -- a space Benioff helped pioneer -- exist. For him to trash 230 and call for it to be abolished is crazy. If anything, an argument can be made that Benioff is savvy enough to know that he can afford expensive lawyers from Gibson, Dunn & Crutcher to get him out of sticky situations based on what the various Salesforce customers have done with his services -- but the many growing SaaS competitors creeping into his market... probably can't. And, hey, abusing the law to block and harm competitors. Why that sounds like an antitrust problem...

Filed Under: 1st amendment, cda 230, free speech, liability, marc benioff, monopoly, political advertising, section 230
Companies: facebook, salesforce

Court Will Decide If AT&T Is Liable For Cryptocurrency Theft Caused By Shoddy Security

from the ill-communication dept

Wireless carriers are coming under increasing fire for failing to protect their users from SIM hijacking. The practice involves posing as a wireless customer, then fooling a wireless carrier to port the victim's cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Back in February, a man sued T-Mobile for failing to protect his account after a hacker pretending to be him, ported out his phone number, then managed to use his identity to steal thousands of dollars worth of cryptocoins.

T-Mobile customers aren't the only users who've experienced this problem. US entrepreneur and cryptocurrency investor Michael Terpin sued AT&T last summer (pdf) for the same thing: somebody ran a SIM hijacking scam on AT&T, then stole his identity and, in turn, stole $23.8 million in cryptocurrency. And while AT&T tried hard to have the case dismissed, a Los Angeles federal judge last week issued a mixed ruling that nixed AT&T's request to dismiss the case, but demanded that Terpin do a better job highlighting how AT&T is directly responsible:

"Wright agreed with AT&T that Terpin had not adequately explained how the hack of his account led to the theft of his cryptocurrency or why AT&T should bear responsibility. As a result, he dismissed claims that relied on Terpin's claimed $24 million loss. However, Wright dismissed the claims with "leave to amend," meaning that Terpin has 21 days to file a new version of his lawsuit that more fully explains how the cryptocurrency was stolen and why AT&T should be held responsible."

AT&T, as you might expect, has argued in court and in public that it's not liable for, well, anything. Ever.

Carriers frequently aren't keen on talking about the problem, in part because their employees keep getting busted for helping the scammers. And keep in mind AT&T keeps having these kinds of problems. Repeatedly. In just the last few years AT&T has been: fined $18.6 million for helping rip off programs for the hearing impaired; fined $10.4 million for ripping off a program for low-income families; and fined $105 million for helping "crammers" by intentionally making such bogus charges more difficult to see on customer bills.

In short this isn't a company with a great track record when it comes to ethical behavior or protecting its subscribers from scams. Terpin, for his part, has been given an additional three weeks to beef up his case before it proceeds:

"I am grateful that Judge Wright is allowing my case to proceed," Terpin said. "We must hold AT&T accountable. If AT&T demonstrated the same zeal to totally revamp its porous security system as it does to suppress the damning evidence of its callous indifference to its customers, we would not be in court."

Filed Under: cryptocurrency, liability, michael terpin, security, sim hijacking
Companies: at&t

The Failure Of Courts/Regulators To Understand The Difference Between Infrastructure Providers And Edge Providers Is Going To Be A Problem

from the the-impact-is-very,-very-different dept

To some extent we've had this discussion before, as parts of other discussions about the regulation of content online, but it's worth calling it out explicitly: regulating internet infrastructure services the same as internet edge service providers is a really bad idea. And yet, here we are. So few people seem to even care enough to make a distinction. So, let's start with the basics: "edge providers" are the companies who provide internet services that you, as a end user, interact with. Google, YouTube, Facebook, Twitter, Twitch, Reddit, Wikipedia, Amazon's e-commerce site. These are all edge providers as currently built. Infrastructure providers, however, sit a layer (or more) down from those edge providers. They're the services that make the edge services possible. This can include domain registrars and registers, CDNs, internet security companies and more. So, companies like Cloudflare, GoDaddy, Amazon's AWS, among others are examples there.

While tons of people interact with infrastructure players all the time, your average person will never even realize they're doing so -- as the interactions tend to be mediated entirely by the edge providers. For a few years now we've been seeing attempts to move the liability questions up (or, depending on your viewpoint, down) the stack from edge providers to infrastructure players. This raises a lot of significant concerns.

At the simplest level, a big part of the concern is that the only real "remedy" for an infrastructure provider is to cease providing service altogether to the edge provider. This is an incredibly blunt instrument -- as a single accusation of a legal violation could lead an entire service to come crashing down if the infrastructure provider is sufficiently spooked about the potential liability. In short: imagine what happens when a copyright holder sends a DMCA notice not to the site that had an allegedly infringing image uploaded, but rather to that site's domain registrar. If the registrar fears liability, it might revoke the domain entirely (removing service) pulling down an entire website (or, at least, the way in which most people access that website).

There may be good arguments for cases when infrastructure providers should be involved -- perhaps the edge provider cannot be found or is deliberately ignoring actual legal notices. Then you might understand moving to a different level in the stack. But it should be justified.

Instead, it seems like many are simply targeting infrastructure because either they don't understand the difference between infrastructure and edge... or just because they know that its remedy (complete removal of service) is so big that it'll have more impact. Case in point: an Italian court has ordered Cloudflare to terminate the accounts of a few sites that the court has determined to be pirate sites. Assuming that these sites truly are engaged in infringing activities, it seems fine to hold the sites themselves accountable. But that's not what's happening here. Instead, the legal liability is being placed on Cloudflare, a company that provides CDN services, but isn't the actual host of any of the content.

In a ruling handed down by the Commercial Court of Rome late last month, Cloudflare was ordered to immediately terminate the accounts of the contested pirate sites. These include filmpertutti.uno, italiaserie.tv, piratestreaming.watch, cinemalibero.red, and various others.

In addition, Cloudflare was ordered to share the personal details of the site owners and their hosting companies with RTI.

If Cloudflare fails to comply with any of the above, it must pay a fine of €1,000 for each day the infringements continue.

While Cloudflare doesn’t see itself as a hosting provider, the Court concluded that it can be seen as such, under European law. Among other things, its “Always Online” service hosts various website resources even when the site’s servers go offline.

It's that last paragraph that's most important. Basically, that's the court saying "we don't care that you're an infrastructure provider, we're going to treat you as an edge provider." That should worry everyone. Again, unlike an edge provider that might be able to more narrowly target and adjudicate activity that violates laws (or terms of service), Cloudflare's only real ability here is to cut off service entirely. That's a pretty extreme solution.

But it's not just Italian courts doing this. Gizmodo recently had an article with the provocative title, The Dirty Business of Hosting Hate Online. That article details various parts of the web in which truly vile people with pretty despicable views hang out. And, I can completely empathize with why people are both upset and troubled by such corners of the internet. I'm uncomfortable with them as well. But, is their answer to blame the lower level infrastructure providers? The Gizmodo article certainly seems to think so. The entire article reads like an attempt to shame those infrastructure providers into cutting ties.

Four years later, the Council of Conservative Citizens’ website is still online, pumping out stories about “black serial murderers.” Those pieces are now slotted between odes to nationalist politicians like Nigel Farage, advertisements for a white supremacist conference at a Tennessee state park, and a widget tracking the progress of a crowdfunding campaign to help build Donald Trump’s border wall.

All of that content is still out there, waiting to be found by the next Dylan Roof. But the people behind the site aren’t able to spread their message without some help: The group’s website is hosted by a Michigan-based company called Liquid Web and registered by web infrastructure giant GoDaddy, a publicly traded company currently valued at over $12 billion.

There's a lot more in the article, but almost all of it is targeted at infrastructure providers. Indeed, the story's title is a bit misleading, focusing on the "hosting" of content, which is much closer to an edge provider than most infrastructure providers. But do we actually want to live in a world in which registrars are in the business of determining what you're going to do with a domain before allowing you to register it? Imagine if Techdirt's registrar for our domain decided it didn't like our views on copyright? Would be okay with them just shutting us down and "taking" our domain?

There are big questions to be dealt with concerning how internet companies handle content online, from dealing with hate, harassment and abuse, to disinformation and other sketchy practices. And there are lots of important questions to be dealt with concerning what choices edge providers make concerning content moderation on their networks. But to conflate those questions with the questions related to infrastructure providers seems fraught with very bad scenarios of censorship or worse. It's completely reasonable to be concerned about ignorant racists putting up ignorant racist websites. But is the answer to block them from being able to do so entirely? Be careful what you wish for. And how far does that go? If we don't want racists to even be able to set up forums, does that mean we should also bar them from having internet access at all? Cut them off? No phone service either? Where exactly is the line drawn? And I'm sure some people will say that racists have no redeeming values and you have no problem with cutting them off entirely. But let's be upfront about that and think about the implications, because it's quite a long way to go from "this person is an ignorant racist" to "and therefore they shouldn't be able to use the internet at all."

Filed Under: copyright, edge, infrastructure, liability
Companies: cloudflare

The Sixth Circuit Also Makes A Mess Of Section 230 And Good Internet Policy

from the no-good-deed-goes-unpunished dept

Yesterday we wrote about a bad Section 230 decision against Amazon from the Third Circuit. But shortly before it came out the Sixth Circuit had issued its own decision determining that Section 230 could not protect Amazon from another products liability case. But not for the same reason.

First, the bad facts, which may even be worse: the plaintiffs had bought a hoverboard via Amazon, and it burned their house down (and while two of their kids were in it). So they sued Amazon, as well as the vendor who had sold the product.

From a Section 230 perspective, this case isn't quite as bad as the Third Circuit Oberdorf decision. Significantly, unlike the Third Circuit, which found Amazon to be a "seller" under Pennsylvania law, here the Sixth Circuit did not find that Amazon qualified as a "seller" under the applicable Tennessee state law. [p. 12-13] This difference illustrates why the pre-emption provision of Section 230 is so important. Internet platforms offer their services across state lines, but state laws can vary significantly. If their Section 230 protection could end at each state border it would not be useful protection.

But although this case turned out differently than the Third Circuit case and the Ninth Circuit's decision in HomeAway v. City of Santa Monica, it channeled another unfortunate Ninth Circuit decision: Barnes v. Yahoo. In Barnes Yahoo was protected by Section 230 from liability in a wrongful user post. After all, it was not the party that had created the wrongful content. Because it couldn't be held liable for it, it also couldn't be forced to take it down. But Yahoo had offered to take the post down anyway. It was a gratuitous offer, one it didn’t have to make. But, per the Ninth Circuit, once having made it, Section 230 provided no more protection from liability arising from how Yahoo fulfilled that promise.

Which may, on the surface, sound reasonable, except consider the result: now platforms don't offer to take posts down. It just doesn't pay to try to be so user-friendly, because if the platform can't get things exactly right on that front, they can be sued since, per the Ninth Circuit, Section 230 ceases to provide any protection. (And even if the platform might not ultimately face liability, it would still have to face an expensive lawsuit to get there.) So thanks to this case the Ninth Circuit ended up chilling platform behavior that we would have been better off instead encouraging to get more of. It may have won the battle for this person (their lawsuit could proceed) but it lost the war for the rest of the public.

This case from the Sixth Circuit presents a similar problem. Amazon did not have to do anything with respect to hoverboard sales, but it created liability problems for itself when it tried to anyway. Eventually it banned them, but more at issue is that it sent an email to purchasers indicating that there had been reports of problems with them:

“There have been news reports of safety issues involving products like the one you purchased that contain rechargeable lithium-ion batteries. As a precaution, we want to share with you some additional information about lithium-ion batteries and safety tips for using products that contain them.” The email included a link for the “information and safety tips,” a link “to initiate a return,” and a request that the recipient “pass along this information” to the proper person if the hoverboard was purchased for someone else. [p. 5]

The plaintiffs argued that the email Amazon sent was not enough of a warning and that it should have been more clear about the fire hazard. [p. 6] The Sixth Circuit did not decide whether it was adequate or not. What it did decide, however, was that Section 230 was no obstacle to the litigation continuing to explore that question.

Tennessee tort law provides that an individual can assume a duty to act, and thereby become subject to the duty of acting reasonably.

[…]

In this case, Plaintiffs allege that Defendant gratuitously undertook to warn Plaintiff Megan Fox of the dangers posed by the hoverboard when it sent her the December 12, 2015 email, that Defendant was negligent in that undertaking, and that Defendant’s negligence caused them harm. The district court held that § 324A was inapplicable to Plaintiffs’ claims because it “contemplate[d] liability to third parties.” (RE 161, PageID # 2221–22.) And the district court also held that Plaintiffs forfeited any § 323 claim. The first holding was erroneous, and the second we need not address.

[…]

Plaintiffs argue that Defendant undertook to warn Plaintiff Megan Fox when it sent her the December 12, 2015 email, and that Defendant’s negligent warning caused physical harm to the other members of her family. Accordingly, while Defendant’s liability to Plaintiff Megan Fox is properly governed by § 323, Defendant’s liability to the other members of her family is properly governed by § 324A.7 See Grogan, 535 S.W.3d at 872–73. Thus, the district court’s holding that § 324A was inapplicable to Plaintiffs’ Tennessee tort law claim was erroneous.

Applying § 324A to the facts of this case, Defendant chose to send the December 12, 2015 email to Plaintiff Megan Fox, and in doing so plainly sought to warn her of the dangers posed by the hoverboard.

[…]

Thus, we hold that Defendant assumed a duty to warn Plaintiff Megan Fox of the dangers posed by the hoverboard when it sent her the December 12, 2015 email. [p. 13-16]

The decision's explanation of how tort law works is not striking. The problem is that all sorts of state tort law could reach the Internet, and strangle it, if state tort law could reach platforms. And here is a court saying it can, despite the existence of Section 230 generally saying that it can't.

In a way, though, this case is much less dire for the Internet than some of the other cases we've discussed, like Oberdorf, HomeAway, and the Court of Appeals ruling in Armslist. Platforms can still avoid liability. But they will avoid it by curtailing the sort of beneficial activity Section 230 normally wants to encourage. In letting these state law tort claims go forward the decision reads as a big warning sign for platforms not to bother trying to help their users in similar ways. Amazon did not have to send an email, but by trying to reach out to users anyway it tempted trouble for itself it could have avoided if it had instead done nothing.

But if that fact doesn't pull at the heartstrings, remember that the precedent will apply to any other platform, no matter how small. The moral of this story is that it is much safer for all platforms to do nothing than to try to do something. If trying to be helpful to users causes platforms pick up duties that they otherwise would not have had and face liability for not fulfilling them well enough, they won't. They will be discouraged from trying, even though the public would be much better off if they were instead encouraged to continue these efforts. Curtailing Section 230 to allow state tort law to reach platforms now means that instead of getting more of the user-friendly behavior Section 230 tried to encourage, we will now get less.

Filed Under: 3rd circuit, e-commerce, liability, section 230
Companies: amazon

Section 230 Is Not Exceptional, It Is Not Unique, It Is Not A Gift: It's The Codification Of Common Law Liability Principles

from the get-it-straight dept

There are so many myths about Section 230 that seem to need debunking. There's the myth that it requires platforms to be neutral. There's the myth that if you moderate too much you "lose" your status as a "platform." There's the myth that Section 230 of the CDA was "a gift" to big tech. None of those are true, and we've gone into great detail over the past few years about how Section 230 is designed to encourage the most "good" content, and discourage the most "bad" content. It's designed as a pretty straightforward balance, and it actually does a pretty good job of that.

However, along with the claims that 230 is a "gift" to tech companies, is the unfortunate similar myth that 230 is somehow "exceptional" or that it treats internet companies "different than any other company." This has never been true. Instead, it's really about properly applying liability to the party actually violating the law, rather than putting the blame on the tools and services they use to violate the law. Brent Skorup and Jennifer Huddleston at the Mercatus Center have now put out an interesting paper, highlighting how -- far from being a "unique gift" to internet companies -- Section 230 was merely the codification of basic common law principles regarding liability.

The paper carefully traces the history of liability in common law, finding that for decades preceding Section 230, the general common law principles had converged on a concept of "conduit liability," which is more or less what we see in Section 230: you don't blame the "conduit" for merely passing along the message.

As shown above, even before the creation of Section 230, many courts had shifted from the strict liability regime toward conduit liability protections and fault-based requirements. In many circumstances, liability would not have attached even if the distributor had known of the tortious material, because the social and judicial norms favoring practicable moderation practices and free speech had eroded the traditional liability standards. Section 230, in effect, codified the conduit liability protection that was being applied to traditional media distributors and was sometimes applied even after 1996.

As one federal district court noted in 1994, conduit liability “[p]rotection for republication . . . has not been rigorously circumscribed within the wire service context.” In its 1999 Lunney v. Prodigy decision, the highest court in New York expressly classified an internet bulletin board operator as a common-law conduit. An internet service provider and bulletin board operator, the court held, “like a telephone operator, is merely a conduit.” It made no difference to the court, and the “conduit designation” was still applied, even when the bulletin board operator “reserves for itself broad editorial discretion to screen its bulletin board messages” and occasionally exercises that discretion. The court explained that even if Prodigy “exercised the power to exclude certain vulgarities from the text of certain [bulletin board] messages, this would not alter its passive character in the millions of other messages in whose transmission it did not participate, nor would this, in our opinion, compel it to guarantee the content of those myriad messages.”

This doesn't mean, however, that Section 230 serves no purpose. Having 230 the way it is provides significant procedural benefits, in the form of having cases kicked out of court quickly, before they become too expensive. Without that, many of these cases, even though they would ultimately be unsuccessful if the court were able to decide, would be prohibitively expensive for internet platforms, creating, in effect, a censorship-by-lawsuit system. While we discussed that (link above) in a previous paper, the authors of this paper actually put dollar amounts on it:

Still, Section 230 had a salutary effect at a critical time. A report by Engine estimated that without Section 230, the costs of litigation might be prohibitive for many startups even if they might win the case.155 According to the in-house and external attorneys consulted for the report, having to respond to a user-generated content liability claim through a motion to dismiss could cost $15,000 to $80,000, and having to take such a case through discovery could cost a firm $100,000 to more than half a million dollars.

On top of that, Section 230 took away the uncertainty that some random judge might buck the trend -- as happened in the infamous Stratton Oakmont case:

As Ardia points out, the statutory protection provided a “breathing space” and legal certainty after Stratton Oakmont when online providers made decisions regarding third-party content. Stratton Oakmont derailed the legal trend represented by Cubby and the conduit liability cases. A period of uncertainty—and massive “collateral censorship”—would have ensued because online providers do not know in advance where their users are located. Any provider with users in New York would have been potentially subject to liability for users’ posts under the Stratton Oakmont decision. Section 230 precluded that turn of events.

However, the idea that Section 230 is somehow "exceptional" or provides some rare gift that would not otherwise exist is not supported by the history laid out in this paper. Conduit liability -- protecting the conduit for passing on such information -- was (as the paper lays out in great detail) very much the consensus view among courts, thereby making it the accepted common law, even prior to 230.

Finally the paper notes (as have we) that killing Section 230 will harm competition against the big internet companies at a time when we clearly need more competition:

In summary, Section 230 provides a blanket liability shield for big and small firms. Change that cuts down the liability protection will thus impose compliance costs on all firms. Such change should be explicit about those social costs and also explicit about the advantage it will grant larger firms that have the resources to become compliant. In other words, going from a blanket to a tailored shield, however well intended, must account for the chilling effect it will have on innovation by startups and small firms, and for the artificial barrier to entry in the market that will grant additional protection to incumbent firms.

Either way, as the paper concludes, Section 230 merely was codifying basic common law principles of liability:

The Section 230 reform movement is growing, and many of the reform arguments complain that online intermediaries receive a special dispensation regarding publisher liability. The truth is more complicated. Starting in 1931 and for six subsequent decades, courts gradually chipped away the regime of strict liability for publishers and content distributors owing to the practical difficulties of screening all tortious content and to the potential for restricting First Amendment rights. Those courts found that mass media distributors warranted extensive liability protections, including an important protection for conduit liability. The anomalous 1995 Stratton Oakmont decision risked reversing that legal precedent. Yet Congress solved the dissonance by enacting a law that affirmed the precedent and its rationales—the impracticality of holding online content distributors liable and the potential violations of freedom of speech that would ensue from strict liability. Section 230 established a regime of liability protection for online content distributors just when it was needed—at the time internet firms had started to reach audiences of tens of millions—and still provides liability protection for large and small distributors alike. For all the foregoing reasons, we have argued that Section 230 is good policy.

I will note that the authors do make a few suggestions on ways they think Section 230 could be amended in a few specific cases, though they note that the situations where that makes sense should be narrow and well-defined. An interesting read all around.

Filed Under: cda 230, common law, conduit liability, intermediary liability, liability, section 230