Section 230 Protect Apple’s App Store from Claims Over Cryptocurrency Theft–Diep v. Apple
This lawsuit relates to the “Toast Plus” app that was available in Apple’s app store. The plaintiffs claim it was a spoof app designed to steal cryptocurrency worth $5k in Diep’s case and $500k in Nagao’s case (ouch). The plaintiffs’ “claims are based on Apple’s part in authorizing and negligently distributing a ‘phishing’ / ‘spoofing’ app in its App Store, the Toast Plus application, while continuing to affirmatively represent that the App Store is a ‘a safe and trust[ed] place.'”
Apple successfully defends on Section 230 grounds using the standard three-part test.
ICS Provider. “Apple creates and maintains the App Store as a virtual marketplace where it makes apps primarily created by other developers available to consumers.”
Publisher/Speaker Claims. “plaintiffs’ computer fraud and privacy claims are based on Apple’s reproduction of an app, Toast Plus, intended for public consumption, via the App Store. Plaintiffs make much of Apple’s “rigorous vetting process” and suggest that Apple had a role in the development of the app or at least knew of the developers’ malintent…Plaintiffs here seek to hold Apple liable for the same conduct, reviewing and deciding whether to exclude the Toast Plus app—conduct that can only be described as publishing activity.” Cite to Opperman v. Path.
Third-Party Content. The plaintiffs admitted the app came from third parties.
Exclusions for Federal Criminal Law. Section 230 applies to civil claims based on federal crimes, citing Gonzalez v. Google. The court then says: “Section 230(e)(1) does not limit immunity in civil actions based on CFAA and ECPA.” This is a problematic statement. While it’s true with respect to Section 230(e)(1), Section 230(e)(4) says “Nothing in this section shall be construed to limit the application of the Electronic Communications Privacy Act of 1986.” Oops.
The court summarizes:
Plaintiffs’ allegations all seek to impose liability based on Apple’s role in vetting the app and making it available to consumers through the App Store. Apple qualifies as an interactive computer service provider within the meaning of the first prong of the Barnes test. Plaintiffs seek to hold Apple liable for its role in reviewing and making the Toast Plus app available, activity that satisfies the second prong of the Barnes test as publishing activity. And plaintiffs’ allegations do not establish that Apple created the Toast Plus app; rather, it was created by another information content provider and thus meets the third prong of the Barnes test. For each of these reasons, as well as the inapplicability of an exemption, Apple is immune under § 230 for claims based on the conduct of the Toast Plus developers.
The plaintiffs disavowed a claim based solely on Apple’s “safe” representation. Instead, the plaintiffs anchored the claim in a mix of the “safe” representation and Apple’s allegedly derelict content moderation. The court says the “consumer protection claims, as pleaded, seek to hold Apple liable for its publication of the Toast Plus app, but as discussed above, Apple is immune for such conduct pursuant to §230.”
Interestingly, the interplay between a “safety” representation and Section 230 has a venerable history (unfortunately uncited), dating back to the Mazur v. eBay case from 2008. In general, courts should not permit a false advertising claim based on a “safe” representation where the representation is rendered untrue by third-party content. Otherwise, plaintiffs can always weaponize statements from a defendant’s website to route around Section 230.
The court also implies that the plaintiffs made a failure-to-warn claim, which should bypass Section 230 per the Internet Brands case, but the court didn’t discuss that possibility.
In a footnote, the court adds: “plaintiffs’ consumer protection claims may additionally suffer from a lack of proximate cause where the intervening fraud of the Toast Plus developers complicates a showing that the loss of cryptocurrency was the result of Apple’s allegedly unfair conduct.”
Limitation of Liability
Apple’s disclaimer says it’s not liable for damages “arising out of or related to use of” third-party apps also works. Thus, “in addition to the applicability of § 230 immunity, plaintiffs’ claims must be dismissed because of the applicability of the Terms’ limitation of liability for third-party apps.” This is a highly defense-favorable reading of the contract provision. It’s also another example where changing Section 230 would not change the outcome of this case.
This opinion may be vulnerable on appeal on a few grounds, including Section 230’s application to the ECPA and failure-to-warn claims. Nevertheless, because the court alternatively ruled on non-230 grounds, it’s likely this case will fail regardless of Section 230’s disposition.
This ruling adds to the growing precedent that app stores benefit from Section 230. See also Ginsburg v. Google (re Telegram), Coffee v. Google (re loot boxes), Free Kick Master v. Apple, and Evans v. HP (re the Chubby Checker).
On the same day, in the same district (N.D. Cal.), Judge Davila issued an opinion (In re Apple App Store Simulated Casino-Style Games Litigation) finding that Apple’s app store partially did not qualify for Section 230 immunity for virtual casino apps when the plaintiffs alleged that the app stores acted like bookies. Are the two opinions are consistent with each other? I’m not sure. To be clear, the casino app opinion said the app stores qualified for Section 230 protection for two of the three plaintiffs’ theories, so both opinions found app stores can qualify for Section 230. But could the plaintiffs in this case have taken advantage of the Section 230 exclusion identified in the casino apps case? It may depend on whether Apple paid any money to the Toast Plus app or acted as a payment processor.
Although the court didn’t make a big deal about it, the court concluded that Section 230 preempted a CFAA claim. I understand why this makes sense–the app allegedly committed the CFAA violation, not the app store–but it’s still a provocative and possibly unprecedented ruling. As a practical matter, I don’t believe there’s a “secondary” claim for CFAA violations, so I think the plaintiffs would have lost this claim even without Section 230.
I know many people are fans of buying, and investing in, cryptocurrencies, but seeing incidents like this highlight to me the immaturity of the asset class. Speaking just for myself, I wouldn’t want to have a large position in cryptocurrency without adequate protection against theft or other losses, such as insurance. We take for granted the protections against risks of loss in the banking system (e.g., FDIC insurance). Cryptocurrency won’t really be a mature asset class ready for late-adopters until there are similar protections. A lawsuit against an app store would not be a meaningful substitute, even if it were tenable.
Case citation: Diep v. Apple, Inc., 2022 WL 4021776 (N.D. Cal. Sept. 2, 2022)