Skip to main content
Find a Lawyer
Anita Ramasastry

Do Interactive Websites Have a Legal Duty to Remove Malicious Content?


Tuesday, May 19, 2009

At times, people post damaging false or private information about others on websites, and in Internet chat rooms. What happens if someone finds himself or herself to be the target of such postings – yet the website is slow to de-post, despite promises that it will do so?

A recent decision by the U.S. Court of Appeals for the Ninth Circuit offers some answers.

The Facts of the Case

The facts begin when plaintiff Cecilia Barnes learned that her ex-boyfriend – pretending to be her – had posted nude photos of her on Yahoo, along with her email address, work address and phone number, and an invitation to men to contact her for sexual purposes. The ex-boyfriend had also gone into Yahoo's member chat rooms to direct men to her profile. Soon, as the Ninth Circuit summarized it, "men whom Barnes did not know were peppering her office with emails, phone calls, and personal visits, all in the expectation of sex."

Yahoo's policy provides for the removal of fake profiles if the person making the request provides a copy of her driver's license, which Barnes says she did. However, Barnes alleges that when she contacted Yahoo on several occasions, in an effort to have the profile removed, the site did not remove them. She says that approximately three months after the first of these contacts, a Yahoo representative contacted her and advised her that Yahoo would now put a stop to this unauthorized profile – yet three more months passed, and Yahoo did nothing. Indeed, according to Barnes, Yahoo took no action to de-post the profile until she sued the company.

The court dismissed Barnes's negligence claim against Yahoo, based on Section 230 of the federal Communications Decency Act (CDA). However, it held that Yahoo's promises to her that it would de-post could give rise to a claim under the doctrine of promissory estoppel.

The Section 230 Holding: Barnes's Claim Was Barred by the CDA

Websites like Yahoo, which allow users to post content, are immune from lawsuits for defamation – and other types of suits that depend on a claim that the sites have published or spoken the information that users post on their sites -- under Section 230 of the CDA. The relevant subsection provides that "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider."

Courts have construed this provision of Section 230 broadly – to immunize Yahoo and similar sites from liability for user content that is posted in chat rooms, on bulletin boards, and elsewhere on the site.

Typically, Section 230 is invoked to gain immunity against a defamation claim based on a user's posting. But Barnes was bringing a negligence claim based on the site's failure to de-post. Were these differences enough to defeat Section 230 immunity? Not according to the Ninth Circuit.

The court reasoned that such a claim still makes Yahoo liable as a publisher, which is just what Section 230 forbids: "Plaintiff alleges she was harmed by third-party content, and that [Yahoo] allegedly breached a common law or statutory duty to block, screen, remove, or otherwise edit that content. Any such claim by plaintiff necessarily treats the service provider as "publisher" of the content…."

Moreover, the court was not persuaded by Barnes's contention that even if Section 230 had protected Yahoo initially, once Yahoo promised to de-post the profile, it had to do so with reasonable speed or be deemed negligent. The court reasoned that "removing content is something publishers do, and to impose liability on the basis of such conduct necessarily involves treating the liable party as a publisher of the content it failed to remove."

For these reasons, the negligence claim was dismissed under Section 230. But Barnes still had another claim.

The Promissory Estoppel Holding: Barnes's Claim Was Allowed to Stand

Barnes also brought a promissory estoppel claim, based on her allegations that Yahoo promised to remove the material and did not do so (until she finally sued). The doctrine of promissory estoppel allows plaintiffs to enforce promises, even in the absence of a full-fledged contract, when the promise caused the plaintiff to substantially rely on the promise to his or her detriment – as Barnes alleges she did.

Not only does Barnes allege that she personally was told the material would be removed, but Yahoo's Terms of Service represent that it will respond to well-founded requests for removal of content.

The Ninth Circuit held that Yahoo's promise to Barnes meant that it had a duty to her, despite Section 230. It reasoned that Section 230 "creates a baseline rule: no liability for publishing or speaking the content of other information service providers. Insofar as Yahoo made a promise with the constructive intent that it be enforceable, it has implicitly agreed to an alteration in such baseline."

At this point in the litigation, Barnes still has to prove that Yahoo's contact with her amounted to a significant promise that would reasonably lead to her reliance.

Why the Ruling Was Right – and Its Implications for the Future

The court was right to take Yahoo's words seriously (assuming it can be proven those words were said and relied upon), and thus to hold websites responsible for making representations to users and to others. Section 230 was meant to hold websites immune from liability based on others' words – not their own.

What does this case mean for the future? On one hand, it indicates that a company that simply does nothing, and makes no promises to do anything, about offensive content cannot be sued on that basis. But on the other hand, such companies are rare. Most reputable websites that are interactive already have made affirmative statements on their sites – in their Terms of Service or elsewhere -- detailing procedures for how users can get offensive, false, or falsified content removed. Will these statements themselves amount to promises that can be enforced based on a theory of promissory estoppels?

Perhaps. The Barnes decision is ambiguous on this point because, there, direct promises to Barnes were paired with promises to all users in the Terms of Service.

Let us hope that, in the future, websites will be prompt and responsive to members of the public, or to their own subscribers when they fall victim to fraudulent and humiliating activities. Barnes should not have continued to suffer the embarrassing – and potentially dangerous -- consequences of a fraudulent posting at all, but if her allegations are true, Yahoo's delay in de-posting may have prolonged her ordeal.

Anita Ramasastry, a FindLaw columnist, is the D. Wayne and Anne Gittinger Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. She has previously written on business law, cyberlaw, computer data security issues, and other legal issues for this site, which contains an archive of her columns.

Was this helpful?

Copied to clipboard