FTC Busts Check-Issuing Website for Unfair Practices–FTC v. Qchex

May 17, 2010 · by · in Content Regulation, Derivative Liability, E-Commerce, Privacy/Security

By Eric Goldman

Federal Trade Commission v. Neovi, Inc., 09-55093 (9th Cir. May 14, 2010)

Qchex allowed registered users to create and send checks via a website. Initially, users could submit bank account information and payee information, and Qchex would manufacture a check and send it (in some cases physically, in other cases electronically, depending on the sender’s request) to the payee. Given that bank account information is widely available (i.e., it’s on every check we send and receive), it sounded like it was trivially easy for fraudsters to submit other people’s bank information and send an official-looking check drawing on an innocent bystander’s account. These bogus checks can wreak havoc on the payment system when they are presented and then bounce (or worse, clear). According to the opinion:

Indeed, over a six-year period, Qchex froze over 13,750 accounts for fraud. Those accounts spawned nearly 155,000 checks, supplied over 37,350 bank account numbers, and were the source of checks totaling more than $402,750,000—an amount more than half of the total drawn during that time.

Eventually, Qchex enhanced its security procedures to deposit a small amount in a bank account and then require the accountholder to report that amount back to Qchex to authenticate the account. For a variety of reasons, this authentication procedure did not eliminate fraud.

The FTC pursued Qchex for unfair trade practices under Section 5 of the FTC Act. Qchex defended on lack of causation, saying the users supplied the relevant information and therefore were responsible for the bum checks. The court’s response:

Qchex created and controlled a system that facilitated fraud and that the company was on notice as to the high fraud rate. Qchex’s approach would immunize a website operator that turned a blind eye to fraudulent business made possible only through the operator’s software. Even if the creation of the checks was impossible without user input, that does not mean Qchex did not create the checks that it later delivered.

(I dig the double/triple/quadruple negative in the last sentence. Say what?)

Even if the court’s statement is true, isn’t this exactly what 47 USC 230 was supposed to immunize? Amazingly, 230 isn’t referenced in the opinion at all, although the court does cite the 230-based Accusearch case in support of its conclusion. It’s not like 230 was unfamiliar to this panel; the opinion author is Judge McKeown, who also authored a pro-230 dissent in the Roommates.com en banc case.

Put the doctrinal finery to one side for a moment. We know Qchex has to go down for its sloppy authentication processes and the calamitous effect on our banking system. Fine. But the legal reasoning in support of this takedown is troubling. First, it’s based on Section 5’s unfairness restrictions, a lightly used prong because “unfairness” is unbelievably subjective and malleable. Second, it’s based on some type of but-for causation theory, which applies universally to many service providers throughout the Internet (i.e., without PayPal, there would be no PayPal fraud). Third, the courts gave typical deference to the FTC—but perhaps too much deference. Finally, the causation discussion superseded any discussion about 47 USC 230–a conspicuous omission given that Qchex’s whole system was premised on user-supplied content.

Having said that, it’s not clear that Qchex’s 230 defense would have succeeded. The court emphasizes that liability is due to Qchex’s conduct, not its users’. The court says “Qchex caused harm through its own deeds—in this case creating and delivering unverified checks.” I expect any other businesses manufacturing inadequately authenticated fake checks will suffer a similar fate. However, I’m not sure this explanation adequately distinguishes between first party and third party content/actions.

It will be interesting to see how the plaintiffs try to misuse the language I quoted above for other types of claims. For example, replace the word “fraud” with “defamation” and see how the language reads. My hope is that the courts will entertain such citations only in FTC Act unfairness cases and not others, but I expect plaintiffs will try to expand its scope nonetheless.

This case brought to mind an old blog post on a site called “Cheezus,” which provided a tool that people could use to create and print fake newspaper articles about another person’s sexual misconduct. (Unlike Qchex, the user printed the resulting article). Cheezus caught my attention when a mischievous teen used the tools to prank his teacher and got disciplined. I thought the site was irresponsible, but under this rationale, is the Cheezus tool also illegal because it engaged in Sec. 5 unfair practices? If not, why not?