The Volokh Conspiracy
Mostly law professors | Sometimes contrarian | Often libertarian | Always independent
From his statement today respecting the denial of certiorari this morning in Malwarebytes, Inc. v. Enigma Software Group USA, LLC:
I write to explain why, in an appropriate case, we should consider whether the text of this increasingly important statute [47 U.S.C. §230] aligns with the current state of immunity enjoyed by Internet platforms….
[The statute:] Enacted at the dawn of the dot-com era, §230 contains two subsections that protect computer service providers from some civil and criminal claims. The first is definitional. It states, "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." §230(c)(1). This provision ensures that a company (like an e-mail provider) can host and transmit third-party content without subjecting itself to the liability that sometimes attaches to the publisher or speaker of unlawful content.
The second subsection provides direct immunity from some civil liability. It states that no computer service provider "shall be held liable" for (A) good-faith acts to restrict access to, or remove, certain types of objectionable content; or (B) giving consumers tools to filter the same types of content. §230(c)(2). This limited protection enables companies to create community guidelines and remove harmful content without worrying about legal reprisal.
[The publisher/distributor distinction:] Congress enacted this statute against specific background legal principles. See Stewart v. Dutra Constr. Co. (2005) (interpreting a law by looking to the "backdrop against which Congress" acted). Traditionally, laws governing illegal content distinguished between publishers or speakers (like newspapers) and distributors (like newsstands and libraries).
Publishers or speakers were subjected to a higher standard because they exercised editorial control. They could be strictly liable for transmitting illegal content.
But distributors were different. They acted as a mere conduit without exercising editorial control, and they often transmitted far more content than they could be expected to review. Distributors were thus liable only when they knew (or constructively knew) that content was illegal. See, e.g., Stratton Oakmont, Inc. v. Prodigy Services Co. (N.Y. trial ct. 1995); Restatement (Second) of Torts §581 (1976); cf. Smith v. California (1959) (applying a similar principle outside the defamation context).
The year before Congress enacted §230, one court blurred this distinction…. The court determined that [a service provider's] decision to exercise editorial control over some content "render[ed] it a publisher" even for content it merely distributed. Taken at face value, [in relevant part,] §230(c) alters the Stratton Oakmont rule … [by] indicat[ing] that an Internet provider does not become the publisher of a piece of third-party content—and thus subjected to strict liability—simply by hosting or distributing that content. [But a] dopting the too-common practice of reading extra immunity into statutes where it does not belong, see Baxter v. Bracey (2020) (Thomas, J., dissenting from denial of certiorari [and writing about qualified immunity]), courts have relied on policy and purpose arguments to grant sweeping protection to Internet platforms….
Courts have discarded the longstanding distinction between "publisher" liability and "distributor" liability. Although the text of §230(c)(1) grants immunity only from "publisher" or "speaker" liability, the first appellate court to consider the statute held that it eliminates distributor liability too—that is, §230 confers immunity even when a company distributes content that it knows is illegal. In reaching this conclusion, the court stressed that permitting distributor liability "would defeat the two primary purposes of the statute," namely, "immuniz[ing] service providers" and encouraging "selfregulation." And subsequent decisions … have adopted this holding as a categorical rule across all contexts.
To be sure, recognizing some overlap between publishers and distributors is not unheard of. Sources sometimes use language that arguably blurs the distinction between publishers and distributors…. Yet there are good reasons to question this interpretation.
First, Congress expressly imposed distributor liability in the very same Act that included §230. Section 502 of the Communications Decency Act makes it a crime to "knowingly … display" obscene material to children, even if a third party created that content. This section is enforceable by civil remedy. It is odd to hold, as courts have, that Congress implicitly eliminated distributor liability in the very Act in which Congress explicitly imposed it.
Second, Congress enacted §230 just one year after Stratton Oakmont used the terms "publisher" and "distributor," instead of "primary publisher" and "secondary publisher." If, as courts suggest, Stratton Oakmont was the legal backdrop on which Congress legislated, one might expect Congress to use the same terms Stratton Oakmont used.
Third, had Congress wanted to eliminate both publisher and distributor liability, it could have simply created a categorical immunity in §230(c)(1): No provider "shall be held liable" for information provided by a third party. After all, it used that exact categorical language in the very next subsection, which governs removal of content. §230(c)(2). Where Congress uses a particular phrase in one subsection and a different phrase in another, we ordinarily presume that the difference is meaningful….
[Internet companies' selecting and editing decisions:] Courts have also departed from the most natural reading of the text by giving Internet companies immunity for their own content. Section 230(c)(1) protects a company from publisher liability only when content is "provided by another information content provider." Nowhere does this provision protect a company that is itself the information content provider. And an information content provider is not just the primary author or creator; it is anyone "responsible, in whole or in part, for the creation or development" of the content.
But from the beginning, courts have held that §230(c)(1) protects the "exercise of a publisher's traditional editorial functions—such as deciding whether to publish, withdraw, postpone or alter content." Only later did courts wrestle with the language in §230(f)(3) suggesting providers are liable for content they help develop "in part." To harmonize that text with the interpretation that §230(c)(1) protects "traditional editorial functions," courts relied on policy arguments to narrowly construe §230(f)(3) to cover only substantial or material edits and additions.
Under this interpretation, a company can solicit thousands of potentially defamatory statements, "selec[t] and edi[t] … for publication" several of those statements, add commentary, and then feature the final product prominently over other submissions—all while enjoying immunity. Jones v. Dirty World Entertainment Recordings LLC (CA6 2014) (interpreting "development" narrowly to "preserv[e] the broad immunity th[at §230] provides for website operators' exercise of traditional publisher functions"). To say that editing a statement and adding commentary in this context does not "creat[e] or develo[p]" the final product, even in part, is dubious….
[Internet companies' decisions to remove certain material:] The decisions that broadly interpret §230(c)(1) to protect traditional publisher functions also eviscerated the narrower liability shield Congress included in the statute. Section 230(c)(2)(A) encourages companies to create content guidelines and protects those companies that "in good faith … restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable." Taken together, both provisions in §230(c) most naturally read to protect companies when they unknowingly decline to exercise editorial functions to edit or remove third-party content, §230(c)(1), and when they decide to exercise those editorial functions in good faith, §230(c)(2)(A).
But by construing §230(c)(1) to protect any decision to edit or remove content, courts have curtailed the limits Congress placed on decisions to remove content, see e-ventures Worldwide, LLC v. Google, Inc. (MD Fla. 2017) (rejecting the interpretation that §230(c)(1) protects removal decisions because it would "swallo[w] the more specific immunity in (c)(2)"). With no limits on an Internet company's discretion to take down material, §230 now apparently protects companies who racially discriminate in removing content. Sikhs for Justice, Inc. v. Facebook, Inc. (CA9 2017), aff 'g (ND Cal. 2015) (concluding that "'any activity that can be boiled down to deciding whether to exclude material that third parties seek to post online is perforce immune'" under §230(c)(1)).
[Internet companies' decisions about structuring their output and user interface:] Courts also have extended §230 to protect companies from a broad array of traditional product-defect claims. In one case, for example, several victims of human trafficking alleged that an Internet company that allowed users to post classified ads for "Escorts" deliberately structured its website to facilitate illegal human trafficking. Among other things, the company "tailored its posting requirements to make sex trafficking easier," accepted anonymous payments, failed to verify e-mails, and stripped metadata from photographs to make crimes harder to track. Jane Doe No. 1 v. Backpage.com, LLC (CA1 2016). Bound by precedent creating a "capacious conception of what it means to treat a website operator as the publisher or speaker," the court held that §230 protected these website design decisions and thus barred these claims.
Consider also a recent decision granting full immunity to a company for recommending content by terrorists. Force v. Facebook, Inc. (CA2 2019). The court first pressed the policy argument that, to pursue "Congress's objectives, … the text of Section 230(c)(1) should be construed broadly in favor of immunity." It then granted immunity, reasoning that recommending content "is an essential result of publishing." Unconvinced, the dissent noted that, even if all publisher conduct is protected by §230(c)(1), it "strains the English language to say that in targeting and recommending these writings to users … Facebook is acting as 'the publisher of … information provided by another information content provider.'"
Other examples abound. One court granted immunity on a design-defect claim concerning a dating application that allegedly lacked basic safety features to prevent harassment and impersonation. Herrick v. Grindr LLC (CA2 2019). Another granted immunity on a claim that a social media company defectively designed its product by creating a feature that encouraged reckless driving. Lemmon v. Snap, Inc. (CD Cal. 2020).
A common thread through all these cases is that the plaintiffs were not necessarily trying to hold the defendants liable "as the publisher or speaker" of third-party content. §230(c)(1). Nor did their claims seek to hold defendants liable for removing content in good faith. §230(c)(2). Their claims rested instead on alleged product design flaws—that is, the defendant's own misconduct. Cf. FTC v. Accusearch, Inc. (CA10 2009) (Tymkovich, J., concurring) (stating that §230 should not apply when the plaintiff sues over a defendant's "conduct rather than for the content of the information"). Yet courts, filtering their decisions through the policy argument that "Section 230(c)(1) should be construed broadly," give defendants immunity.
[Conclusion:] Paring back the sweeping immunity courts have read into §230 would not necessarily render defendants liable for online misconduct. It simply would give plaintiffs a chance to raise their claims in the first place. Plaintiffs still must prove the merits of their cases, and some claims will undoubtedly fail. Moreover, States and the Federal Government are free to update their liability laws to make them more appropriate for an Internet-driven society.
Extending §230 immunity beyond the natural reading of the text can have serious consequences. Before giving companies immunity from civil claims for "knowingly host[ing] illegal child pornography," Doe v. Bates (EDTex. 2006), or for race discrimination, Sikhs for Justice, we should be certain that is what the law demands. Without the benefit of briefing on the merits, we need not decide today the correct interpretation of §230. But in an appropriate case, it behooves us to do so.
I like the broad reading of § 230 as a policy matter, and I think it's defensible as a statutory matter. And I think some of the distinctions that Justice Thomas's opinion draws, for instance between platform design features and platform publishing decisions isn't consistent with the text: Deciding how to organize your newspaper, magazine, or book, and what communicative "features" to include in it (e.g., what information to include connected to photographs), is indeed the function of a "publisher," and I think § 230 should reasonably be read as applying that to web sites and other platforms.
But on balance I think Justice Thomas's argument is a forceful and thoughtful analysis of the statutory text, and the common-law backdrop against which the text (especially terms such as "publisher") should be interpreted. And of course it will be especially important in the debate, because it's coming from a Supreme Court Justice (and one who is so admired by some and so disapproved of by others); so I thought I'd pass it along.