Section 230 Applies to Claims Over Hijacked Accounts (Except Maybe Verified Accounts)–Wozniak v. YouTube

More Bitcoin litigation 🙄. This time, malefactors hijacked popular YouTube channels and uploaded videos promoting Bitcoin scams:

First, scammers will breach YouTube’s security to unlawfully gain access to verified and popular YouTube channels with tens or hundreds of thousands of subscribers. The scammers then transfer ownership or control of the channel to themselves or a co-conspirator, rename the channel to impersonate tech celebrities or companies, and delete the channel’s pre-existing content.

Next, they upload and play scam videos they have created using pre-existing images and videos of famous tech entrepreneurs such as plaintiff Wozniak, Bill Gates or Elon Musk speaking at a cryptocurrency or technology conference, which is intended to deceive YouTube users into believing that the celebrity is hosting a live “bitcoin giveaway” event…

The scam video is surrounded with images and text stating that, for a limited time, anyone who sends bitcoin to a specified account, via a QR code included in the video, will receive twice as much in return. The images and text often include trademarks, such as the Apple logo, and a link to a fraudulent web address that incorporates the particular tech entrepreneur’s name. However, after the users transfer their cryptocurrency in an irreversible transaction, they receive nothing in return and the scam is complete

(This gave me flashbacks to the old meme that Bill Gates would give you money if you just forwarded his email).

The plaintiffs are Silicon Valley legend Steve Wozniak, who had his YouTube account hijacked, and 17 scammed individuals. The plaintiffs sued YouTube. YouTube defended on Section 230 grounds. The lower court dismissed the entire complaint due to 230. On appeal, the appellate court doesn’t analyze the multitudinous causes of action individually. Instead, the appeals court analyzes six different theories the plaintiffs advanced to explain why Section 230 shouldn’t apply. The court finds that Section 230 applies to all six theories and upholds the dismissal, though with one theory, the plaintiffs get another chance to try again.

Negligent Security. The plaintiffs argued that YouTube “failed to implement reasonable security measures to protect verified and popular YouTube channels from being regularly hijacked and transformed to broadcast the scam videos.” This is a variation on the negligent design arguments that some courts are misinterpreting, but this court NAILS IT:

this claim seeks to hold YouTube liable for allowing the scam videos to be shown on the hijacked channels. YouTube’s actions allowing the scam videos to be shown on hijacked channels amount to a publishing decision not to prevent or alter the videos

This is Zeran redux. (Remarkably, the opinion doesn’t mention Zeran at all). Recall that Zeran sued AOL for negligence for not handling the e-personation better; and the court said that AOL’s continued publication of the e-personation, even after AOL said it wanted to remove it, was still its publication decision. Over a quarter-century later, we’re still litigating the same issues and, at least in this opinion, reaching the same results.

To get around this, the plaintiffs cited the In re Zoom opinion involving Zoom’s liability for Zoombombing. The court responds:

We agree with the general proposition described in Zoom that section 230 immunity may not apply when a plaintiff alleges harm resulting solely from a security failure or statutory violation, independent of any harmful third-party content resulting from the violation…

the negligence cause of action and the SAC as a whole demonstrate that plaintiffs’ security-based claim is predicated on the harmful content of the scam videos, without which there would likely be no lawsuit

This result is easiest to visualize by  changing the facts. Assume that the malefactors hijacked the YouTube accounts but didn’t change the content at all. In that circumstance, the scam plaintiffs wouldn’t have been defrauded because they never would have gotten a scam promotion. In other words, the scam promotion was the sine qua non to the victims’ harm, and the scam promotion was third-party content to YouTube. So the plaintiffs aren’t really suing over the security breach. It’s a but-for cause of the scam, but the third-party content is also a but-for and proximate cause. So of course Section 230 should apply. This principle seems so obvious and intuitive that I’m consistently baffled when judges nowadays are reaching contrary conclusions.

Negligent Design. The court handles the negligent design claims the same way as the negligent security claims. The court distinguishes Lemmon v. Snap:

While the negligent design claim in Snap was not predicated on any third-party content—indeed, the alleged harm flowed directly and solely from the negligent design and occurred without any third-party content—the same is not true here. Instead, the negligent design claim and the SAC as a whole are predicated on the scam videos, without which there would likely be no lawsuit. While a plaintiff may avoid application of section 230 immunity by alleging a negligent design claim that is independent of third-party content, that is not what plaintiffs alleged in the SAC here.

Failure to Warn. The court distinguishes Doe v. Internet Brands:

plaintiffs’ claim is predicated on the third-party content, of which they assert defendants had a duty to warn. Plaintiffs thus seek to impose liability on defendants resulting from the third-party information they publish on their platform. In Internet Brands, by contrast, the alleged duty to warn existed independent of any third-party content on the defendant’s platform

Claims based on knowingly selling and delivering scam ads and scam video recommendations to vulnerable users.” Section 230 applies to ads, so there’s no workaround there. However, the court distinguished the 9th Circuit’s Gonzalez v. Google decision (is it still good law after the Supreme Court remand?), which held that Section 230 didn’t apply to revenue sharing with terrorist organizations:

plaintiffs do not allege that defendants gave money directly to the third-party scammers. There is no allegation of wrongdoing that is not dependent on the content of the third-party information. While plaintiffs allege that defendants knowingly profited from the advertisements and the associated criminal scheme, Gonzalez did not hold that profiting from third-party advertisements is beyond the scope of section 230 immunity. Instead, it distinguished between activity that depended on the particular content placed on YouTube, and activity that did not, such as directly providing material support to ISIS by giving them money.

The plaintiffs tried a typical “but the algorithms” workaround, but the court distinguishes the goofy Wohl case:

plaintiffs have not alleged that defendants undertook any similar acts to actively and specifically aid the illegal behavior. Instead, they allege only that YouTube’s neutral algorithm results in recommending the scam videos to certain targeted users…There is no allegation that YouTube has done anything more than develop and use a content-neutral algorithm.

Courts have consistently held that such neutral tools do not take an interactive computer service outside the scope of section 230 immunity. [cite to Dyroff].

A reminder that the terms “neutral tools” and “neutral algorithms” are oxymorons and recipes for confusion. Fortunately, the court stayed above that fray.

Claims based on wrongful disclosure and misuse of plaintiffs’ personal information.” These claims included a promissory estoppel claim, trying to use the Barnes v. Yahoo case to get around Section 230. It doesn’t work:

Defendants’ alleged promises here are closer to those in Murphy—more akin to general policies or statements—than those in Barnes—personalized and constituting a clear, well-defined offer.

Another reminder that Section 230 routinely applies to contract and promise-based claims when the goal is to hold the defendant liable for third-party content.

Claims based on defendants’ creation or development of information materially contributing to scam ads and videos.” The plaintiffs complained about the algorithms again, to no avail: “recommending videos and selling advertisements may display and augment the illegal content, but it does not contribute to what makes it illegal.”

The court is more troubled by the overlay of YouTube’s verification system. On one hand, this makes sense. The whole point of an identity verification system is to confirm that the reader can trust the speaker’s identity. If malefactors are free-riding on the verification to abuse user trust, then the verification system has failed completely.

On the other hand, the verification system can’t be a categorical guarantee that the account will never experience a security breach, just as it can’t prevent things like an accountholder surreptitiously handing over authoring rights to unverified third parties (at least until the handoff is detected). So what exactly do consumers think when they see a verification?

The court starts off with an unfortunately garbled statement of the law:

where a website operator either creates its own content or requires users to provide information and then disseminates it, thereby materially contributing to the development of the unlawful information, it may be considered responsible for that information

The first part of this statement is fine. If a website creates and disseminates its own content, then Section 230 doesn’t apply. No arguments there. The other part of the statement is wrong, however. The Roommates.com case noted an exception to Section 230 when a defendant “design[s] your website to require users to input illegal content.” Notice the difference: this court’s recapitulation would strip defendants of Section 230 if the website requires users to “provide information,” whether that information was legal or “illegal.” By definition, every UGC service necessarily requires users to “provide information,” i.e., the UGC. So the court’s recapitulation mangles Roommates.com and, read literally, eliminates Section 230 for every defendant who needs it. That can’t be right. I’m hoping other courts will go back to Roommates.com and bypass this obvious misstatement.

Applying its garbled standard, the court says the plaintiffs allege that:

YouTube is wholly responsible for creating the information concerning the authenticity of the channel owners in the verification badges. Unlike the scam videos themselves, the third-party scammers did not create or develop the verification badges—defendants allegedly did. Nor is there any suggestion in the SAC that the verification badges contain information voluntarily provided by users and thus merely redirect or highlight third-party content. We therefore conclude the SAC adequately alleges that under section 230, YouTube is responsible for creating the information in the verification badges.

Note that the court doesn’t engage with the extensive and conflicting precedent in this area, such as Roland v. LetGo (no 230 for saying that account was verified), Mazur v. eBay (no 230 for saying bidding was “safe”), and Milo v. Martin (230 applies when UGC site self-characterizes as telling the “truth”).

Nevertheless, the court dismisses the complaint because the plaintiffs didn’t adequately show how the verification materially contributed to the fraud. With respect to the scam victims, the “allegations do not demonstrate that the verification badges played any significant or meaningful role in conveying false impressions concerning the source or authenticity of the videos.” As one example, only 7 of the 17 victims claimed they relied on the false verification. The complaint is also light on the timing interrelationships between when the verifications and hijackings occurred. The court gives the plaintiffs the chance to amend their complaint and make another attempt at resurrecting this 230 workaround.

Implications

I believe this opinion could be appealed to the California Supreme Court, but I wonder if either side will do so? YouTube won most of the ruling, so I think they will take their chances on remand. Similarly, though the plaintiffs had their complaint gutted, they have a chance to amend and might decide to prefer to allocate their resources trying to exploit the opening left by the appellate court. [UPDATE: The panel denied a rehearing on April 2. 2024 WL 1406533]

At its core, this is a cybersecurity case. YouTube accounts got hacked and plaintiffs are suing over the consequences. The plaintiffs are essentially proposing to treat YouTube as the financial guarantor of any hacks of verified accounts. YouTube can’t prevent all hacks, nor can any other service. So what do we expect YouTube to do in those circumstances? If YouTube faces unlimited exposures for verified account hacks that it can’t prevent, then it can’t verify accounts, which would be a net loss for everyone. Could YouTube disclaim what it means to be “verified” to reflect the potential intervening activities both within and outside its control? That sounds like a hard consumer education challenge.

Then again, it would be helpful to know what steps YouTube actually did in response to known hacks and how it has attempted to systemically harden the verified accounts from hacks. That shouldn’t necessarily change its legal liability, but I hope YouTube has been making responsible decisions.

Though YouTube is the defendant in this case, this ruling is of high interest to Twitter, which is well-known for having issued blue-check verified accounts to pretenders and interlopers. (I mentioned this concern with the Roland v. LetGo decision too). Twitter is surely praying that YouTube gets a win here.

It’s a relief to see such a strong Section 230 opinion coming from the California Court of Appeals. That court has become an unreliable steward of Section 230, as illustrated most recently by the Liapes trainwreck.

I’ve seen numerous stories frame this ruling as a win for the plaintiffs. Wow, the plaintiffs and their lawyers are really spinning it. I see it completely differently. First, the opinion was a strong and broad endorsement of Section 230 in the face of multiple now-typical plaintiff arguments to get around Section 230. Almost everything the plaintiffs threw at the walls didn’t stick. Second, the court dismissed the complaint entirely, so the plaintiffs have to claw their way back into this case. The court gave the plaintiffs a roadmap to get around Section 230, but there’s no guarantee they will do so. And even if they do, they still have to navigate the prima facie case. So the plaintiffs are a long way from winning, and it’s not at all guaranteed they will get there.

Case Citation: Wozniak v. YouTube, LLC, 2024 WL 1151750 (Cal. App. Ct. March 15, 2024)