Anti-Phishing Warning Protected by 47 USC 230

By Eric Goldman

Associated Bank Corp. v. EarthLink, Inc., No. 05-C-0233-S (W.D. Wis. Sept. 13, 2005). [BNA subscription required]

EarthLink’s “ScamBlocker” incorrectly identified Associated Bank’s website as a phishing site, so users trying to access the website saw a huge and scary warning that surely caused some users to freak out. Associated Bank sued EarhtLink for tortious interference, negligent/fraudulent representations and Lanham Act 1125(a) injury to business reputation.

EarthLink moved for summary judgment based on 47 USC 230. In support of 230, it submitted an affadavit that it uses a third party vendor to identify phishing sites, so its display of the huge and scary warning was triggered by third party content. Because EarthLink points to the third party, the court grants the summary judgment motion, and Associated Bank’s lawsuit is dismissed.

This situation is more nuanced that the court treated it. If EarthLink merely relayed the opinion of its third party vendor, then no question in my mind that 230 protects EarthLink. See OptInRealBig.com, LLC v. Ironport Sys., Inc., 323 F. Supp. 2d 1037 (N.D. Cal. June 25, 2004) (third parties characterized email as spam).

However, EarthLink did more than that here. While the third party vendor provided the underlying opinion that Associated Bank’s website was a phishing site, it’s unclear who drafted the actual content displayed to users (the anti-phishing warning). To the extent that the language was drafted by EarthLink, EarthLink is the sole provider of that language, even if the triggering event is someone else’s opinion. It seems like we need to know who drafted the warning language.

In that respect, I would distinguish this case from Carafano (where the users parrotted language written by the service provider) because the huge and scary warning included a set of instructions like “Please do not continue to this potentially risky site”–which goes beyond merely communicating the opinion that the site is a phishing site.

In the end, I still think this is a good outcome. Phishing is a real problem, and I think we should encourage intermediaries like EarthLink to help consumers combat the problem even if some misgradings are made. Nevertheless, EarthLink would have been in a clearer legal position if it had merely disseminated the site-is-phishing opinion of the third party vendor rather than possibly using its own words to explain that the site was a phishing site.

A few other questions/observations:

* Associated Bank could try to sue EarthLink’s vendor who graded the site as a phishing site. However, this may be a protected opinion or otherwise excused for lack of scienter.

* Although I’m confident that a claim for “injury to business reputation” should be preempted by 230, the court doesn’t appear to acknowledge that IP claims are not covered by 230. It would be interesting to see how the court distinguished that claim from an IP claim.

* On the top of page 8, there’s some garbled language that begins “Further, had Defendant edited the list of phisher sites it received from the third-party vendor….” I’d like to know how the court intended to finish that sentence. I would finish it “…it would have made no difference” to the legal outcome, but I suspect that’s not where the court was going!