Justice Thomas Writes a Misguided Anti-Section 230 Statement “Without the Benefit of Briefing”–Enigma v. Malwarebytes
Last year, the Ninth Circuit ruled that a plaintiff could plead around Section 230(c)(2)(B), the safe harbor for providing filtering instructions, by claiming that the filtering was motivated by anticompetitive animus. Last week, the Supreme Court denied certiorari. This isn’t surprising–the Supreme Court takes a low percentage of cases–but it’s too bad the Ninth Circuit ruling won’t be corrected.
Alongside the cert denial, Justice Thomas added a statement railing against Section 230 (starting on page 12). The statement is procedurally troubling and substantively wrong. Some lowlights in the statement:
- The statement repeatedly and casually flips between Section 230(c)(1) and Section 230(c)(2).
- The statement focuses on Section 230(c)(1), even though the question presented to the court solely addressed Section 230(c)(2)(B). Because the court wasn’t briefed on most of the issues Justice Thomas nevertheless discusses, it makes me wonder where Justice Thomas got his information. What news sources is he reading?
- Because the court wasn’t briefed on Section 230(c)(1), he does not acknowledge the many legal, factual, and policy counterarguments to his positions that surely would have been addressed by proper briefing. In other words, without hearing contrary perspectives, his statement is one-sided and under-informed (more on this later).
- The statement says: “many courts have construed the law broadly to confer sweeping immunity on some of the largest companies in the world.” The Internet giants benefit from Section 230, but so do thousands of less-well-known companies–including the defendant in this case.
- The statement says the Ninth Circuit decision “is one of the few where courts have relied on purpose and policy to deny immunity under §230.” Note the tension in this statement. Hundreds of decisions have denied Section 230 immunity because they relied on the statutory text. Is Justice Thomas saying they should have relied instead on the statute’s “policy and purpose”?
- The statement calls Section 230(c)(1) “definitional.” This is an atextual and highly idiosyncratic way of characterizing the statute. Nearly two decades ago, Easterbrook took a similar position in Doe v. GTE. Virtually every other judge since has not agreed.
- The statement says Section 230(c)(1) “ensures that a company (like an e-mail provider) can host and transmit third-party content without subjecting itself to the liability that sometimes attaches to the publisher or speaker of unlawful content.” It’s a strange move to use email service providers as the Section 230(c)(1) archetype. Email providers rely on Section 230(c)(2)(A) for their spam filters, but it’s rare to see email providers invoke Section 230(c)(1) because they don’t “host” content.
- The statement says Section 230(c)(2) “provides direct immunity from some civil liability.” This is backwards. Section 230(c)(1) provides an immunity from suit; Section 230(c)(2) provides a safe harbor.
- The statement says Section 230(c)(2)’s “limited protection enables companies to create community guidelines and remove harmful content without worrying about legal reprisal.” A few problems here. First, Section 230(c)(1) also necessarily permits “community guidelines” in the form of leave-up policies. Second, Section 230(c)(2)(A) does not let companies stop “worrying about legal reprisal.” They worry about the costs of defense due to the “good faith” prerequisite, which is why so few companies rely on it. Third, this case was about Section 230(c)(2)(B), which relates to the provision of filtering instructions to third parties.
- The statement says historically “Publishers or speakers….could be strictly liable for transmitting illegal content.” This is garbled because “publishers” don’t “transmit” (they, uh, “publish”). Publishers can be strictly liable for publishing content, and “transmitting” content is governed by different legal rules that typically negate strict liability.
- The statement says that historically distributors “acted as a mere conduit without exercising editorial control, and they often transmitted far more content than they could be expected to review.” Once again the statement conflates different functions–this time falsely equating distributors with “conduits” and “transmitters.” To get an example of how this is wrong, consider the bookstore as a distributor. It unavoidably exercises editorial discretion about which books to stock and how to display them, but that doesn’t mean bookstores stand behind every word in every book they carry. But no one would properly call a bookstore a “conduit” or say that it “transmits” content.
- The statement says “§230(c)(1) indicates that an Internet provider does not become the publisher of a piece of third-party content—and thus subjected to strict liability—simply by hosting or distributing that content.” Section 230(c)(1) says plainly that services won’t be treated as publishers of third-party content. On its face, the provision negates all forms of publisher liability. I don’t see how to read the language as saying or implying that it negates only the category of liability uniquely imposed on publishers. Furthermore, publisher/speaker functions should include hosting and distributing, but the statutory text doesn’t imply that it’s limited to those functions. The language covers any function where a defendant is alleged to act as a publisher or speaker.
- The statement says “the statute suggests that if a company unknowingly leaves up illegal third-party content, it is protected from publisher liability by §230(c)(1); and if it takes down certain third-party content in good faith, it is protected by §230(c)(2)(A).” This misapprehends the nature of “publisher liability.” It is impossible to distinguish between the “leave up” and “removal” decisions because they are the result of the exact same editorial decision-making process of publishing.
- The statement says: “Sources sometimes use language that arguably blurs the distinction between publishers and distributors.” I think the statement contains some distinction-blurring language of its own.
- The statement notes inconsistent language between the CDA’s criminal provisions and Section 230, even though it has been repeatedly explained by many experts why the CDA criminal provisions and Section 230 had nothing to do with each other (they were alternative policy proposals smushed together in conference).
- The statement apparently questions if Congress’ goal was to overturn Stratton Oakmont because it didn’t mirror the language in the opinion. The legislative history clearly says “One of the specific purposes of this section is to overrule Stratton-Oakmont v. Prodigy and any other similar decisions which have treated such providers and users as publishers or speakers of content that is not their own because they have restricted access to objectionable material.”
- The statement says “Courts have also departed from the most natural reading of the text by giving Internet companies immunity for their own content” (emphasis added). This is literally false. No court has ever done this.
- The statement says “To say that editing a statement and adding commentary in this context does not ‘creat[e] or develo[p]’ the final product, even in part, is dubious.” It’s a crafty rhetorical move to refer to the “final product” instead of the actual statutory referent “information.” Doing this invites the conclusion that every UGC service loses Section 230 because they package third-party content into a “final product.”
- The statement argues that a broad reading of Section 230(c)(1) renders Section 230(c)(2) superfluous. Barnes v. Yahoo explained how Section 230(c)(2)(A) applies in circumstances where the defendant partially or wholly created or developed the content. The statement instead cites language from e-ventures v. Google. But (1) Google still won the e-ventures case, so its denigration of Section 230(c)(2)(A) became inconsequential, and (2) other courts have since criticized the e-ventures language, including Domen v. Vimeo and Prager University v. Google.
- The statement says “With no limits on an Internet company’s discretion to take down material, §230 now apparently protects companies who racially discriminate in removing content.” Characterizing the cited Sikhs for Justice ruling case as a racial discrimination case is simplistic at best. The case involved advocacy content that the Indian government required to be blocked. Still, it’s true Section 230(c)(1) can protect removals even when the plaintiff claims discrimination. You might even be OK with the application of Section 230(c)(1) in the cases I’m seeing, including Lewis v. Google, where the plaintiff claimed that YouTube discriminated against him for being an American; and the Wilson v Twitter cases, where the plaintiff claimed Twitter discriminated against him because he’s a Christian heterosexual.
- The statement criticizes Section 230’s application to claims involving “alleged product design flaws—that is, the defendant’s own misconduct.” But what are “product design” flaws in this context? That’s just a fancy euphemism for the editorial decisions about how to gather, organize, and publish third-party content.
- The statement says “Paring back the sweeping immunity courts have read into §230 would not necessarily render defendants liable for online misconduct. It simply would give plaintiffs a chance to raise their claims in the first place. Plaintiffs still must prove the merits of their cases, and some claims will undoubtedly fail.” This deeply misunderstands the issues in the Malwarebytes case. By “paring back” the Section 230(c)(2)(B) safe harbor, the new liability exposure distorts the filtering services’ substantive decisions by making them gun-shy; it gives plaintiffs ways to play holdup games and extract settlements for less than the defense costs; it ignores how defense costs can doom services (the death by ten thousand duckbites that Judge Kozinski addressed in the Roommates.com case); and it ignores the other critical procedural benefits provided by Section 230 that enable third-party online speech where other liability schemes would not. As I keep saying, everyone benefits when unmeritorious cases lose fast and early. Giving plaintiffs more time in court doesn’t come for free, and it might be a very bad deal for all of us.
The statement concludes: “Without the benefit of briefing on the merits, we need not decide today the correct interpretation of §230. But in an appropriate case, it behooves us to do so.” Just to be clear, Justice Thomas admits that he wrote the prior ten pages of criticism “without the benefit of briefing.” That undermines the credibility of the entire statement. Nevertheless, the statement tells all plaintiffs that if they appeal their Section 230 cases to the Supreme Court, they have at least one vote ready to go.
When we filed an amicus brief in support of Malwarebytes, one of our fears was that the Supreme Court would ignore the question presented (tightly restricted to Section 230(c)(2)(B)) and do damage to Section 230(c)(1) despite it being outside the scope of the question presented. Justice Thomas’ critical remarks about Section 230(c)(1) show that these fears were well-founded, and I’m a little relieved that the court didn’t take the case. That means Malwarebytes can still win this case on remand (a likely outcome; see the Asurvio ruling), albeit at the cost of unnecessary time and money, and Section 230 lives for another day.
This statement bears some resemblance to Justice Thomas’ statement in early 2019 that the Supreme Court should reconsider the actual malice standard from New York Times v. Sullivan. Like this statement, that statement was anti-media, pro-censorship, and quite unpersuasive. So far, the Supreme Court hasn’t taken up Justice Thomas’ initiative against the actual malice standard. I hope this statement suffers the same fate.
Even if the Supreme Court never takes up Justice Thomas’ arguments, this statement hurts the discourse. It represents yet another inaccurate federal government statement about Section 230 (others include the Trump EO from May and the NTIA petition to the FCC). Collectively, these taxpayer-funded misstatements pollute the discourse and create FUD about Section 230. We have to spend time debating what Section 230 even says, and Section 230 critics can misportray Section 230 to spur mistargeted responses. This makes it impossible to have well-informed “debates” about Section 230 or what, if any, reforms would fix any perceived policy deficiencies.
Case Citation: Malwarebytes, Inc. v. Enigma Software Group USA, LLC, 2020 WL 6037214 (Oct. 13, 2020)
Enigma v. Malwarebytes Case Library
- Denial of certiorari, including Justice Thomas’ statement.
- Malwarebytes’ petition for certiorari. Amicus briefs from Cybersecurity Experts, EFF, ESET, Internet Association, and TechFreedom. Blog post on amicus briefs.
- The SCOTUS page for Malwarebytes v. Enigma.
- Blog post on Asurvio v. Malwarebytes, an application of the Ninth Circuit’s ruling.
- Ninth Circuit’s amended ruling. Blog post on that ruling.
- Malwarebytes’ petition for rehearing. Supporting amicus briefs from cybersecurity law professors, EFF/CAUCE, ESET, and Internet Association. Blog post on the filings.
- Ninth Circuit ruling. Blog post on that ruling.
- District court opinion. Blog post on that ruling.
- Related decision in Enigma Software v. Bleeping Computer. Blog post on that ruling.