The recent arrest of revenge porn site operator Kevin Christopher Bollaert and the defamation ruling against the gossip site The Dirty have brought a 1996 federal law called the Communications Decency Act Section 230 into the media spotlight. The popular narrative of §230 is that it is the essential building block of online freedom of expression, and that attempts to alter it will spell the death of the Internet. Whether the Internet really does protect freedom of expression for all -- as opposed to protecting the freedom of expression for certain groups at the expense of silencing, abusing and inhibiting other groups -- is open to debate, but the need for a correct understanding of §230 is clear.
Unfortunately, the popular understanding of §230 is at best imprecise. Most of what is written about §230 focuses on one isolated passage: "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." This portion of §230 is often characterized as granting website owners complete immunity regarding any content posted by users. This characterization is incorrect in two respects.
First, §230 expressly states that no Internet entity has immunity from federal criminal law, intellectual property law or communications privacy law. This means that every Internet service provider, search engine, social networking platform and website is subject to thousands of laws, including child pornography laws, obscenity laws, stalking laws and copyright laws.
Second, §230 immunity only applies to online intermediaries of third-party content. Individuals who directly engage in unlawful online conduct or co-create online unlawful content are not protected. The CDA distinguishes providers of "interactive computer services" from "information content providers." An interactive computer service "provides or enables computer access by multiple users to a computer server," whereas an "information content provider" is any person responsible "in whole or in part... for the creation or development of information." In other words, §230 protects intermediaries from liability for the actions of others, not individuals from liability for their own illegal conduct.
The distinction makes sense: Most of us would probably agree that Facebook, for example, should not be held liable for the posts of its (over) one billion users. Policing such massive content would not only be impractical, but would discourage platforms like Facebook from existing at all. Additionally, it would not be fair to treat Mark Zuckerberg as the speaker of every Facebook post a user makes. But a website owner who directly engages in illegal behavior is very different. A person cannot claim immunity for unlawful conduct simply because he engages in it online. Illegal conduct is not magically rendered legal simply because it happens online instead of offline.
Now the harder questions: Many websites and web platforms offer some mix of content created by users and owners. At what point does a site or service cross the line between being a facilitator of third-party content to being a co-creator of that content? While courts have generally been very generous in granting §230 immunity to online entities even when they play some role in the creation of illegal content, two federal appellate cases have been more exacting. In a 2008 Ninth Circuit case, Fair Housing Council of San Fernando Valley v. Roommates.com, a roommate-matching website was sued for allegedly engaging in housing discrimination. The site raised a §230 defense, arguing that the offending content was created by users, not the site itself. The site required subscribers to disclose information such as gender, family status and sexual orientation, as well as their preferences as to these categories for potential roommates. The site used this information to develop subscriber profiles that displayed these preferences for potential roommates. The court held that the site was an information content provider with respect to the questions it required users to answer, and thus did not have §230 immunity with regard to that content.
Similarly, in the 2009 case FTC v. Accusearch, Inc., the Tenth Circuit denied §230 immunity to a website offering the sale of personal telephone records. The court found that exposing confidential information to public view was "development" of that information for the purposes of §230, making the website an information content provider (subject to liability) rather than an interactive computer service provider (immune from liability).
This brings us back to Nik Richie and Kevin Bollaert. Nik Richie's gossip website The Dirty published defamatory posts about ex-Bengals cheerleader Sarah Jones. The posts were submitted by third-party users, but Richie decided which posts to publish and added his own commentary to one of the defamatory posts. The court denied Richie's §230 claim. In upholding the defamation ruling against the website, the court found that it "did far more than just allow postings by others or engage in editorial or self-regulatory functions."
Bollaert, the revenge porn site owner, has been charged with 31 felony counts of conspiracy, identity theft and extortion for soliciting sexually graphic images of women without their consent. Bollaert's site required users to provide personal identifying information of the women depicted, and Bollaert allegedly also ran a separate website that offered to remove the images for a fee. According to the arrest warrant, Bollaert's solicitation of the images violated California's identity theft laws, which makes it illegal "to willfully obtain someone's personal identifying information, including name, age and address, for any unlawful purpose, including with the intent to annoy or harass." Bollaert will likely raise §230 as a defense to the identity theft charges (It will be more difficult for Bollaert to raise a §230 defense to the extortion charges, as he allegedly engaged in that conduct directly), arguing that he personally did not use the information to harass or invade the privacy of the victims.
It isn't clear what the ultimate outcome of either case will be. The ruling against The Dirty may well be overturned; the identity theft charges against Bollaert may not stick. Both cases present interesting and difficult questions about line-drawing with regard to Internet immunity.
Stepping back, it is also important to consider Congress's goals in passing CDA §230. Popular rhetoric is selective on this point as well. It is true, as so often proclaimed, that the policy goals of §230 include the promotion and protection of free speech principles. Such principles are not self-evident, however. The law states that it is the policy of the Unites States to "preserve the vibrant and competitive free market that presently exists for the Internet... unfettered by Federal or State regulation." As an initial matter, whether the Internet really offers a "free market" for the exchange of ideas is a matter of considerable dispute, and the claim that the Internet is "unfettered by regulation" is demonstrably false (see above re: the thousands of laws that currently govern Internet activity).
Moreover, free speech is not the only value protected by §230. The other, often overlooked goals of §230 include the development of technologies that "maximize user control over what information is received" by Internet users, as well as the "vigorous enforcement of Federal criminal laws to deter and punish trafficking in obscenity, stalking and harassment by means of computer." In other words, the law is intended to promote and protect the values of privacy, security and liberty alongside the values of open discourse. Section 230 is an important and complex law, and it is both dangerous and inaccurate to treat it as a blanket license for online abuse.