9th Circuit Creates Problematic “Failure To Warn” Exception to Section 230 Immunity–Doe 14 v. Internet Brands
Doe sued Internet Brands, Inc., the owner of Model Mayhem, alleging that two unrelated individuals drugged and assaulted her (and recorded her for a pornographic video). It’s unclear precisely how the assailants used Model Mayhem, but the court merely says that they “used the website to lure [Doe] to a fake audition.” Doe asserted a negligence claim against Internet Brands, alleging that it knew of the specific assailants in question and had a duty to warn her.
Specifically, Internet Brands had purchased Model Mayhem in 2008, and later sued the sellers for failing to disclose the potential for civil liability arising from the activities of these same two assailants. A copy of Doe’s complaint, which lays out the chronology, is here: [pdf]. The two individuals were arrested in 2007, Internet Brands bought the site in 2008, and sued the sellers in 2010. By August 2010, Doe claims that Internet Brands had the requisite knowledge. [Kash Hill gets into more detail about the case’s background.]
The Ninth Circuit reverses, concluding that Section 230 does not bar Doe’s duty to warn claim. According to the court, this isn’t a case that’s based on Model Mayhem’s failure to remove content. In fact, the assailants are not even have alleged to have posted any content (“The Complaint alleges only that “Jane Doe” was contacted by [the assailants] through ModelMayhem.com using a fake identity.”). In contrast to being a case about the removal of third party content, the court says it’s about content (i.e., a warning) that Model Mayhem itself failed to provide.
The court also says that imposing failure to warn liability is consistent with the overall purposes of Section 230, which as set forth in sections (c)(1) and (b) encourages self-regulation of offensive content and seeks to protect the free-flow of information via intermediaries. [I don’t know what the word is for when someone cites to authority that’s the exact opposite of what it is cited for, but this is what happened here.] [Eric’s thoughts: reading comprehension failure? judicial activism? intellectual dishonesty?]
Sure, imposing a duty to warn imposes some costs on an internet business and may have a “marginal chilling effect”. However, the court says that finding the claims against Model Mayhem are barred by Section 230 would stretch Section 230 beyond its “narrow” language and purpose, and would give Model Mayhem a “get out of jail free card” which is not what Section 230 was intended to do. Model Mayhem is a “publisher or speaker” of third party content and this is the but-for cause of her injury, but:
[p]ublishing activity is a but-for cause of just about everything Model Mayhem is involved in. It is an internet publishing business.
In other words, interpreting Section 230 broadly would make it pretty tough to bring any sort of claim against Model Mayhem.
The court does note that it is not expressing any opinion on the merits of the duty-to-warn claim.
This is a bombshell ruling and is similar in some ways to Garcia v. Google. Both involve a sympathetic plaintiff and a bad (in this case, horrific) set of facts, but both rulings also totally diverge from established precedent, and both create gaping doctrinal holes. (Here, there were a bunch of cases dealing with the exact same fact pattern that go the other way, e.g., Doe v. MySpace; Beckman v. Match.com; Doe II v. MySpace.)
There are a lots of unsatisfying answers and things that leave you scratching your head, but perhaps the biggest qualm is that Doe would have likely lost on the merits, so it seems unnecessary for the court to do a total 180 from existing precedent and create what is a gaping hole in Section 230. First, Doe’s duty to warn claim depends on finding a “special relationship”, and courts typically find that websites do not have special relationships with users. (See, e.g., Rosenberg v. Harwood, the Google maps case; and the Armslist case.) It’s unclear what the basis is for one here. Second, Model Mayhem is the provider of an information (content) product and courts are reluctant, for First Amendment reasons, to impose liability against publishers based on mere negligence principles. In other words, even without Section 230 (say, if this were a case involving printed classified ads), Doe would have a tough time making a case.
As to the Section 230 analysis, it is tough to grok the court’s distinction between claims based on a disclaimer or warning that the provider is required to publish (not barred by Section 230) and claims based on user-submitted content itself (barred by Section 230). This is the type of creative workaround that countless plaintiffs have tried and courts have consistently rejected. Perhaps an absurd scenario, but you could stretch the court’s logic to say that while websites can’t be held liable for hosting defamatory content, they can be held liable for failing to provide disclaimers about that content.
If you accept the argument that Model Mayhem has an obligation to warn (seemingly about specific activity), doesn’t this mean that all intermediaries have an obligation to warn about possibly harmful users, including content that such users may post? For that matter, do websites have a duty to warn about all manner of possible dangers that users may be exposed to when communicating with others via a website? This also brings to mind another point of the court ruling: it takes pains to say that liability in this case is not based on content the assailants made available, so Model Mayhem was used solely as a channel for communications. This means that sites that merely allow users to chat with each other could also be on the hook for failure to provide warnings about dangerous users?
One obvious practical effect of the ruling will be that websites that have undertaken measures to screen and get rid of problem users (e.g., sex offenders) now have a serious disincentive to do so, since Section 230 no longer is a bar to failure to warn claims. If it comes across a specific user with a past that is indicative of dangerousness and fails to warn, it may be on the hook. It’s possible that a website or network will have to warn users about all possibly dangerous users that it comes across through any means (e.g., through its screening process, user disputes, unsolicited emails from other users, warrant requests, email scans). To the Facebooks and Googles of the world, this is probably a staggering burden. It’s not only significant for social networks, but also for sharing economy sites.
The ruling also raised many practical questions about implementation. How exactly a website would provide notice to users about other specific users—the court suggests this would take the form of a “post or email warning” but does this mean that users will now be barraged with myriad warnings about possible dangers that lurk in websites? What is the form of the warning? I assume a standard disclaimer (which Model Mayhem likely had in place) is insufficient; it seems like the court was talking about websites having to provide specific warnings. Would sending a warning put a site at greater risk if the warning turns out to be inadequate in form or substance? Could networks be at risk from the subjects in question (perhaps for defamation claims) when they send this type of a warning? [Eric’s answer to that last question: yes] So many questions here.
I’m not sure what the 9th Circuit has against Section 230: Roommates; Barnes v. Yahoo; and now this. (It seems like Roommates and Barnes have not been exploited by the plaintiffs, but this ruling will be different.) The ruling diverges from the clear trend, which even in recent cases has continued to recognize robust immunity (Klayman; the Dirty; NJ/WA Backpage rulings). I’m guessing there will be a request to rehear this case, along with interest and participation from a long list of amici.
Eric’s Comments: It’s so hard to take this opinion seriously because the court’s hack job was so transparent. As Venkat explains, the plaintiff’s failure-to-warn claim is almost certainly doomed on its prima facie elements. A standard customer-vendor relationship isn’t a “special” relationship for negligence purposes, and the underlying event triggering the lawsuit was a third party’s criminal act that ought to cut off ModelMayhem’s contributing causation. Could you imagine a print newspaper being negligent for failing to warn any job-seeking advertisers that rapists were reading the classified ads? In fact, the court repeatedly notes that it wasn’t trying to prejudice the lower court’s further proceedings on the prima facie case, but this sends a pretty strong hint to the district court judge that the Ninth Circuit thinks this case should fail. So knowing that its ruling wouldn’t affect the ultimate outcome, this Ninth Circuit panel felt emboldened to muck around with Section 230.
Yet, if a case is DOA anyway, we want to find a limiting principle–like Section 230–that screens it out quickly. Recall the Roommates.com case, where Roommates.com won a 230 dismissal at the trial court in 2004. 8 years later, in 2012, the Ninth Circuit says there never was a valid claim because the case never satisfied its prima facie elements. Justice was served in the sense that the dismissal was ultimately grounded on the legally correct principles, but 8 extra years of litigation is hardly justice being served. That’s not a reason to distort Section 230’s scope, but it is a good reason why appellate court panels should be extra-cautious when it comes to Section 230.
The adverse consequences from this opinion go beyond just this case. Similar to the PDX v. Hardin case I recently discussed, the court rips open a hole in Section 230’s immunity for any situation where the plaintiff pleads a failure-to-warn claim. Hmm, I wonder how plaintiffs might respond…is it possible they’ll plead a failure-to-warn claim in every complaint that might otherwise be preempted by Section 230? After all, there’s always something more that websites could warn their users about. For example, if a Yelp reviewer gets sued for posting a defamatory review, the user could sue Yelp for “failure to warn” because Yelp knows its authors are sometimes sued for defamation. Or if Larry Klayman is unhappy about finding anti-Semitic content on Facebook, he can sue Facebook for failing to warn him that he might encounter anti-Semetic content. Or if a boyfriend assaults a girlfriend because of what she said in her Facebook post, the girlfriend could sue Facebook for failing to warn her that sometimes Facebook status posts lead to domestic violence.
Websites could try to mitigate this possibility by disclosing every risk they can possibly think of. Is that the world we want? We’re already overwhelmed by long online user agreements that no one reads, and we’re already overwhelmed with so many warnings and disclosures in our lives that we can’t process and follow them all. If we take this opinion seriously, it will compound the existing over-disclosure problem. Worse, it will provide little or no real value to users given that few of them read the website disclosures (and fewer still will read them if they further balloon in length as this opinion encourages).
If Section 230 is categorically inapplicable to the failure-to-warn claim, the examples I gave above could survive a motion to dismiss–even though we know that most, if not all, of the failure-to-warn claims are going to fizzle out eventually. So the opinion imposes significant and needless costs on defendants and the court system to adjudicate unmeritorious claims. This runs contrary to the warnings of the Roommates.com case, which said:
Websites are complicated enterprises, and there will always be close cases where a clever lawyer could argue that something the website operator did encouraged the illegality. Such close cases, we believe, must be resolved in favor of immunity, lest we cut the heart out of section 230 by forcing websites to face death by ten thousand duck-bites, fighting off claims that they promoted or encouraged—or at least tacitly assented to—the illegality of third parties.
The opinion was embarrassingly lackadaisical about this inevitable unwanted consequence. If Section 230 doesn’t work, but failure-to-warn does, the plaintiffs’ backdoor claims undermine the overall immunity effect of Section 230. It’s as if the opinion author didn’t understand the substitutive effects between a “failure to warn” claim and Section 230-preempted claims.
The opinion also didn’t properly address the precedent. We’ve seen numerous “negligence” claims preempted by Section 230, going all of the way back to Zeran v. AOL, which was a negligence case, not a defamation case. The opinion’s most obvious omission was the Fifth Circuit’s Doe v. MySpace case, also involving an offline sexual assault facilitated by the UGC site’s online publication tools. In that case, the court said the plaintiff’s “case is predicated solely on MySpace’s failure to implement basic safety measures to protect minors,” to which the court responded:
Their claims are barred by the CDA, notwithstanding their assertion that they only seek to hold MySpace liable for its failure to implement measures that would have prevented Julie Doe from communicating with Solis.
Technically, the Doe case was a “failure-to-protect” case, not a “failure-to-warn” case, but it’s a distinction without a difference. Couldn’t Doe just as easily have sued MySpace for failing to warn her about the possibility of an offline sexual assault? It’s the same basic argument as her “failure to protect” claim.
Another even more directly relevant precedent was Beckman v. Match.com, another offline assault facilitated by UGC publication tools. The court found Section 230 applicable because:
There is nothing for Match.com to negligently misrepresent or negligently fail to warn about other than what a user of the website may find on another user’s profile on the website.
The court didn’t discuss either Doe v. MySpace or the Beckman case. Why not? One possible reason is Internet Brands’ breathtakingly short appellate brief didn’t raise them (the Beckman case hadn’t been decided at the time, but it would have been a good subsequent supplement).
Finally, I would like to say a bit about the merits of the court’s Section 230 legal analysis. Section 230 doesn’t make a declarative statement about liability; it simply makes a declarative statement about “treatment as a publisher or speaker.” I understand the court’s thinking that a “failure to warn” claim never treats a UGC site as a publisher or speaker. Nevertheless, judicial interpretations of Section 230’s language over the past 2 decades make it clear that Section 230 applies when a UGC site exercises its editorial functions. The court makes the nails-on-chalkboard strawman assertion that “Congress has not provided an all purpose get-out-of-jail-free card for businesses that publish user content on the internet.” Duh–no one argued otherwise. Instead, the real question is whether the “failure to warn” claim is based on ModelMayhem’s exercise of editorial functions, and I think the answer is emphatically yes. Editorially publishing the plaintiff’s profile was the “but for” causation in this case; which (unlike the court’s strawman BS arguments) would not be the case for many other types of claims, such as wage-and-hour, income tax demands or failure to issue data breach notifications. So everyone agrees that Section 230 isn’t a categorical get-out-of-jail card, but when the underlying harm is allegedly caused by a UGC website publishing user content to a tortious/criminal actor, that’s clearly a Section 230 case as clarified by hundreds of precedent cases.
[Note: the Ninth Circuit’s Riggs v. MySpace case made it clear that the plaintiff’s own content can qualify as “information provided by another information content provider” for purposes of a Section 230 analysis.]
Case Citation: Jane Doe No. 14 v. Internet Brands, Inc., 2014 WL 4627993 (9th Cir. Sept. 17, 2014)