Ninth Circuit Does More Ninth Circuit Things in its Latest Section 230 Ruling–Diep v. Apple

Yet another cryptocurrency fraud case. 🙄 I previously described this case:

This lawsuit relates to the “Toast Plus” app that was available in Apple’s app store. The plaintiffs claim it was a spoof app designed to steal cryptocurrency worth $5k in Diep’s case and $500k in Nagao’s case (ouch). The plaintiffs’ “claims are based on Apple’s part in authorizing and negligently distributing a ‘phishing’ / ‘spoofing’ app in its App Store, the Toast Plus application, while continuing to affirmatively represent that the App Store is a [sic] ‘a safe and trust[ed] place.’”

The district court dismissed the case, largely on Section 230 grounds. On appeal, the Ninth Circuit affirms (in a non-precedential opinion) much of the Section 230 ruling–even an obvious legal error by the district court–but unfortunately revives some of the claims in a tone-deaf way.

* * *

This case raises the common question of whether Section 230 protects app stores from liability for harmful apps in their stores. Numerous prior cases have confirmed that it does.

This court agrees that app stores qualify as ICS providers and apps are third-party content. The only remaining question is whether the claims treat Apple as a publisher/speaker.

The court says the claims for CFAA, ECPA, Maryland’s Wiretapping and Electronic Surveillance Act, and negligence are all publisher/speaker claims because each “refers, as the basis for culpability, to Apple’s authorization, monitoring, or failure to remove Toast Plus from the App Store.”

The application of Section 230 to the CFAA is an interesting conclusion that the court didn’t tease out. If an app is misusing the computer it’s installed on, that’s not intrinsically a publisher/speaker function. However, Apple’s sole role in that process is to “publish” the app in its app store. By the time the app reaches the computer it’s allegedly misusing, Apple’s role is done. In that sense, then the CFAA claim is like a secondary trespass claim–the app does the trespass, the app store only allegedly facilitates the trespass. It would have been great to see the court spell this out in more than a sentence. The issue of offsite harms being covered by Section 230 is a perennial topic.

While the same logic would theoretically apply to Apple’s liability for the ECPA claim and the Maryland state law equivalent (they are presumably also secondary statutory violations), Section 230 clearly doesn’t apply to those claims for a different reason. Section 230(e)(4) expressly says:

Nothing in this section shall be construed to limit the application of the Electronic Communications Privacy Act of 1986 or any of the amendments made by such Act, or any similar State law.

Yet, both the district court and the appeals court erroneously applied Section 230 to these claims. I noted that error in my prior blog post, but I guess the plaintiffs didn’t read my post or the statute closely enough to raise this obvious point on appeal (see their brief, which mentions 230(e)(4) only in its jurisdictional statement); nor did the 9th Circuit apparently reread the statute either. As a result, the Ninth Circuit reaches the shocking and ultimately embarrassing conclusion that Section 230 preempts ECPA and analogous state law claims. 🤷‍♂️

The appeals court also says that Section 230 applies to privacy claims, including California’s CCPA and Maryland’s Personal Information Protection Act, because “plaintiffs failed to plead adequately a theory of injury under these state data privacy statutes that is fully independent of Apple’s role in monitoring or publishing third-party content” (cleaned up).

The good news for Apple mostly stops there. The court says that Section 230 doesn’t apply to the California UCL, California LRA, and the Maryland Consumer Protection Act because:

These state law consumer protection claims do not arise from Apple’s publication decisions as to whether to authorize Toast Plus. Rather, these claims seek to hold Apple liable for its own representations concerning the App Store and Apple’s process for reviewing the applications available there.

What exactly did Apple say that forms its possible basis of liability? The opinion doesn’t say, and the plaintiffs’ appellant brief isn’t precise about this either. In my prior post, I noted: “The plaintiffs disavowed a claim based solely on Apple’s “safe” representation. Instead, the plaintiffs anchored the claim in a mix of the “safe” representation and Apple’s allegedly derelict content moderation.”

As I just discussed regarding the Wozniak case, courts have split on if and when Section 230 applies to first-party marketing representations that are rendered untrue by third-party content. This is a critical inflection point for Section 230 jurisprudence. Plaintiffs can ALWAYS find SOME onsite disclosure regarding the service’s third-party content or content moderation practices that they CLAIM is untrue. If permitted by courts, plaintiffs can easily nullify Section 230 by cherrypicking and decontextualizating these onsite disclosures. Plus, the defendants can’t support their motion to dismiss by showing the truth of their claims, so the workaround gives plaintiffs a fast-track to discovery and summary judgment, which negates Section 230’s procedural benefits. The appeals court, in a non-precedential opinion, breezily blasts past all of this nuance and complexity. Sigh.

The appeals court also says Apple’s TOS limitations of liability don’t apply because “Apple cannot disclaim liability for its own false, misleading, or fraudulent statements.” The court says the plaintiff nevertheless failed to satisfy the applicable heightened pleading standards, but it reversed the district court’s decision not to permit amendment of the complaint. So the plaintiffs get another chance on their consumer protection claims, free from Section 230 and the other defense-favorable provisions cited by the district court.

Case Citation: Diep v. Apple Inc., 2024 WL 1299995 (9th Cir. March 27, 2024)