Revenge Porn Creep Kevin Bollaert's Appeal Underway… And Actually Raises Some Important Issues
from the but-he's-still-a-creep dept
Let’s start with the basics: Kevin Bollaert is a creep who did some really horrible and shady stuff. He was something of a latecomer to the revenge porn space, basically copying a few of the more popular revenge porn sites that came before him in creating “YouGotPosted.” He also copied at least some of the “business model” of Craig Brittain’s “IsAnybodyDown” website, which purported to work with a third party (the fictitious “lawyer” “David Blade III”) who you could pay to take down those naked pictures someone leaked to the site. In the case of YouGotPosted, Bollaert set up a companion website, called ChangeMyReputation, where you could pay and that site would magically get images taken down off YouGotPosted (there is some dispute over how clear it was that the two sites were connected). There’s a decent argument that this is a form of extortion, posting naked photos of someone and then demanding cash to get them taken down — but there are also cases in slightly different realms (such as online review sites) that suggest such activity is actually protected by Section 230. Bollaert, about as unsympathetic a defendant as you can possibly imagine was convicted of a variety of things, including not just extortion, but also identity theft, which raises some serious questions, given that Bollaert was only posting info given to him by others.
So when Bollaert got an 18-year sentence over all of this, many felt the sentence to be fairly extreme — even among those who felt that Bollaert is a creep who deserves jail time for what he did. As we expected, Bollaert has appealed and is raising some key defenses, mostly based around Section 230 of the CDA. In short, what he did may have been awful, but you still can’t blame the site operator for content uploaded by users. That’s the whole crux of CDA 230. If the uploader broke the law in posting content, go after them, not the platform on which the content was uploaded.
In this case, the People seek to chip away at the clear protections provided by the Communications Decency Act. The People claim the statute?s protection did not apply to Yougotposted because Yougotposted administered the website and possessed the authority to pick and choose which information was posted. Here the People?s reliance on speculation and conjecture fails to strip appellant of the statute?s immunity. If the People?s arguments are accepted, the approach would provide an avenue for other litigants to end-run the bright-line protections provided by the statute, jeopardizing service providers and undermining speech in the process. This amounts to bad policy.
Bollaert’s lawyers argue, fairly reasonably, that YouGotPosted qualifies for the CDA 230’s safe harbors as a service provider. The state argues that he’s the content provider, who can be liable, rather than just a platform. Bollaert’s lawyer cites all the standard Section 230 cases that establish the fairly broad immunity provided to internet platforms.
Bollaert also argues that what was on YouGotPosted wasn’t identity theft at all because any “unlawful purpose” associated with collection of identifying information was done by third parties, rather than Bollaert, and thus, once again, he’s protected by Section 230.
In its reply brief, the State of California hits back at all of this with what seems like an incredibly weak argument. Basically it argues that because Bollaert required submitters to post personal information, that makes him a content provider, rather than a platform:
By requiring users to post personal identifying information, appellant became an ?information content provider? because he was responsible as a developer and provider of the content he required; thus, he was no longer a mere ?interactive service provider? or ?access software provider?. In any event, because he intended to defraud victims by concealing his true identity as the operator of both websites, the exception appellant relies on would not apply.
Not surprisingly, California relies heavily on the infamous Rommates.com ruling, a rare case where a service provider lost its safe harbors by having a drop down menu that was seen as asking a discriminatory question about roommate preferences, violating fair housing laws. California is arguing that, by requiring uploaders to post user information, YouGotPosted is similar to Roommates.
Here, similar to the situation in Roommate, appellant willfully obtained individuals? personal identifying information by soliciting it from submitters, who were required to include the victims? full name, location (?city, state, country?), age, and a link to the victims? Facebook profile page in order to submit photographs. As in Roommate, appellant became responsible for the illegal content of the postings because the illegal content (i.e., the non-consensual use of someone?s personal identifying information, including their private photos) was a condition of use. Appellant then used that information to harass and annoy victims because he knew?with absolute certainty?that by posting the information, the victims would be contacted by numerous strangers whom the victims would find threatening. Appellant also used the information for the unlawful purpose of unlawfully obtaining money from them by demanding payment in exchange for removing his posts. This conduct does not magically become lawful because appellant did it online, or because he recruited third parties to help him inflict harm on a mass scale.
Except California is playing a little loose with the facts here and mixing and matching things to make its argument look stronger. The key difference was that the roommate preference question was, by itself, discriminatory and against the law. YouGotPosted asking people for identifying information is not. Again, this is not in any way to defend Bollaert or his site. But Section 230 matters quite a lot, and government attempts to limit those protections will have a serious impact on internet platforms and their willingness to allow freedom of expression.
California’s lawyers spend a lot of words trying to argue that requesting identifying information with photos magically makes the whole thing illegal — including claiming that because Bollaert knew that his users would then likely harass the people shown in those photos — that it makes him liable as the content creator. But that still seems to be a fairly blatant misreading of the law as written and the case law itself.
California also insists that it is identity theft, because of the “fraud” of pushing people to another site to pay to have the photos removed:
Here, the evidence amply demonstrated appellant?s intent to defraud. When victims asked to have the offending photos removed, they were either referred to the website ?ChangeMyReputation.com,? or they followed the link to that site…. This extra step was wholly unnecessary. Appellant could have removed the photos by demanding the money directly from the victims as part of the UGotPosted website. But appellant presumably realized that the victims would be less inclined to pay money to the very person responsible for posting their pictures. By creating a separate website, appellant hoped to deceive the victims into believing that they were receiving the legitimate services of a neutral third party who would restore their reputation, and that they were not simply paying blackmail to an extortionist who was the source of their misery.
Responding to California’s attempt to get around Section 230, Bollaert’s lawyers basically just repeat “it’s a platform and the government hasn’t shown any reason it’s not.”
Here, the People claimed the statute?s protection did not apply to appellant because he administered the ?Yougotposted? website and retained the authority to pick and choose which information was posted. This does not make him a content provider. Those actions of appellant are no different than those found by the courts to be protected under the statute…. The People?s argument must fail because accepting their arguments would eviscerate protections provided by the statute, jeopardizing service providers and undermining free speech in the process.
Bollaert also says the whole claim that having two sites suddenly makes it fraud makes no sense at all:
Here, the People produced no evidence in support of their belated claim that appellant possessed personal identification information with the intent to commit fraud. CALCRIM 2401 describes fraud as having deceived another person in order to cause a loss of money or something of value or damage to a legal, financial or property right. The People belatedly raised the claim that payments made through ?changemyreputation.com? were obtained by fraud because the victims were not aware that appellant managed both websites. Problems arise with the argument. First, the link to ?changemyreputation.com? was visible on ?Yougotposted.com.? There was no evidence suggesting appellant was trying to hide the fact that the sites were connected. A number of the victims stated it was ?obvious? that the same person was behind both sites. (4RT pp. 305-306.) Additionally, the People?s argument must fail because the victims clearly believe the payment was to have the photos removed, not because they were ?deceived?.
Separate from all of this, both sides also are arguing about the extortion question, noting that a business model that offers to remove content is just a “standard business practice,” and not extortion. Part of this argument is, again, buttressed by CDA 230, because the uploaded content was not uploaded by Bollaert himself, so (his lawyers argue) you can’t claim that he both uploaded the content and then pushed people to pay him to take it down. It’s that “other people uploaded it and thus, 230” claim that Bollaert argues makes this not extortion:
The People argued that appellant used the posting of the photographs on the website to illegally obtain money from those whose photos were posted and to have the photos removed from the ?Yougotposted? website. The People argued that appellant threatened to injure the victims or ?expose their secrets? by publishing the images on the website. As the CDA provides, interactive computer service providers and access software providers are under no legal obligation to remove postings submitted to their website by third parties, even those postings that are negative in nature. Appellant was simply under no obligation to remove the negative content from his website. He merely offered a service to remove the photos and, by offering such a service, he is engaging in standard business practice and not extortion.
They also argue — and I will admit that this is a morally horrifying argument, if potentially legally sound — that by simply posting the images first, without contacting individuals and asking for money to stop the posting, it’s completely different than posting first and then offering a way to pay to take the content down.
In this case the People proceeded on the theory that the third-party postings constituted exposure of a secret affecting the persons portrayed in the photos. The initial reaction is that appellant?s operation of the website and posting information provided solely by third parties simply does not constitute a threat to expose any secret as to the other persons because the alleged secret (photos) was already in the public domain and had been provided by third parties unaccompanied by any demand for payment. In this case there is absolutely no evidence any request was made through either ?Yougotposted? or ?changemyreputation.com? before the photos had been submitted by the third parties. In this case appellant merely provided a means whereby, for a fee, information already legally posted could be removed.
Bollaert’s lawyers also point to the recent lawsuit against Yelp, where some businesses claimed that Yelp would ask them to pay for advertising with a promise of more favorable reviews (and with some arguing that a failure to pay resulted in negative reviews). In that case (Levitt v. Yelp), the court found that even if that was what Yelp was doing (which Yelp denies), it’s not extortion:
The court found the plaintiffs had no pre-existing right to a positive review and that Yelp! was in no way obligated to refrain from manipulating reviews or creating negative ones. Yelp! was simply offering a service when it offered to remove negative reviews from its web page and that the offering of that service in exchange for money amounted to a legitimate business practice.
And, of course, Bollaert argues that his situation was similar to Yelp’s:
In the present case, appellant, as an interactive computer service provider was under no legal obligation to remove the postings submitted to the website by third parties, even when those postings are negative in nature. As in the above cited cases, Yelp!, Yahoo!, AOL and the dating website in the Carofano case, as well as ?TheDirty.com? case, appellant could legally decline to remove any offending content from his website. Offering a fast, efficient removal service through the site ?changemyreputation.com? amounted to a legal practice, akin to the practices approved in Yelp!. No crime of extortion occurred. Yelp! offered to remove negative content for money. They were under no obligation to remove those negative reviews and they offered the additional service in exchange for a fee. This is a business practice, not extortion.
The lawyers for the state of California, as you might imagine, don’t like this argument very much.
This case, however, is not about incidental harms caused by a free market economy run amok. Appellant is a criminal who intentionally harmed thousands of people, not a legitimate businessman. While many people knew the victims? secrets (only because appellant had exposed them on his website), many others had not yet seen the photos and it was that threat of continued exposure that appellant used to extort money from the victims. Further, because the website contained the victims? PII, and because appellant?s website required posters to provide that PII, appellant was obligated to remove the content and he was not simply providing a service that he otherwise had a legal right to perform.
Basically they try to distinguish Bollaert’s site from Yelp in a variety of ways. They also note that somewhat different laws apply (federal vs. state) and that posting personal naked photos along with identifying information is very, very, very different from posting negative reviews of a business. Frankly, this argument was the one that I expected to be most convincing, but which California’s lawyers breeze through without much detail.
Obviously, it will be interesting to see where the California state appeals court comes down on all of this. I do think that the identity theft claims are incredibly weak, and that the extortion claims look a lot weaker than I first expected. I really expected stronger arguments from California. And, it’s pretty clear that Bollaert’s site was something pretty horrible all around. But does that automatically make it illegal? As with many cases targeting the safe harbors of Section 230, there are important issues being raised about what constitutes an internet platform vs. who is responsible for actual content or behavior.
Remember, with the nearly identical site that Bollaert basically copied, the operator there, Craig Brittain, merely got a slap on the wrist from the FTC for misleading people. It also dragged his name through the mud. Bollaert, at the very least, deserves that level of treatment. But does running a creepy website that enabled harassment create criminal liability that deserves 18 years in jail? That feels like a dangerous stretch of the law to punish a creep for being a creep. And when we start doing that, we create dangerous precedents for other platforms in situations that maybe aren’t so creepy.
Filed Under: appeal, california, extortion, identity theft, kevin bollaert, revenge porn, section 230
Comments on “Revenge Porn Creep Kevin Bollaert's Appeal Underway… And Actually Raises Some Important Issues”
Yelp seems like a horrible decision
The quote from the Yelp case is pretty horrifying. I can certainly see the similarity between the cases, but it seems clear that both are extortion.
Re: Yelp seems like a horrible decision
What would you propose as an alternative resolution to the Yelp case? Should Yelp be required to delist negative reviews for a fee not to exceed some statutory value? Should that value be $0?
How rapidly must Yelp respond to a compelled removal, and what penalties ought they face for missing that deadline?
Under what conditions could a removal be compelled? Sometimes companies genuinely deserve a bad review. Removing a negative review solely because the company dislikes it would be a disservice to prospective customers.
Should we remove the appearance of extortion by prohibiting Yelp from accepting any payment from reviewed companies? That would eliminate the potential for implying that payment gets you good treatment, but would mean that any company that got a negative review would be unable to advertise on Yelp even if it wanted to do so. For a large company, this could be significant. Large companies inevitably have at least some negative reviews, no matter how well trained their employees are supposed to be.
Should we remove the appearance of extortion by prohibiting Yelp from removing negative reviews? If so, that moves into compelled speech and causes problems when Yelp identifies and wants to remove a clearly bogus review.
The outcome of the Yelp case may be unsettling, but I see no better alternatives. I would be happy to be proven wrong. In my view, an alternative is not better if it compels action, inaction, or speech from any party.
Re: Re: Yelp seems like a horrible decision
The obvious solution is to base removal of negative reviews on defamation law. If someone sues the reviewer for libel and wins, the review should be removed by Yelp.
Since Yelp is in the business of publishing reviews, the ability of a company to silence someone they wronged simply by paying Yelp a fee presents a problem — an honest company can wind up with a worse reputation on Yelp than a completely crooked one, simply because the honest one doesn’t pay someone to lie for them.
Re: Re: Re: Yelp seems like a horrible decision
If the review is proven to be a troll post Yelp will take it down, I had that experience when a reputation-wrecker troll came after me.
However, one site with the same troll review did not remove it despite the proof provided (a screenshot of the troll admitting to what he’d done) because its business model is to bleed people dry with promises to improve their search results — for a small consideration.
Isn’t it fraud to declare that the reviews are an accurate reflection of a customer’s experience when you know damn well they’re not? It’s why I tend to take reviews with a shovel full of salt.
I love the First Amendment more than I hate revenge porn.
Couldn’t we just have a website where revenge porn operators are forced to pose in extremely embarassing positions, naked / with blowup sheep etc, and then SEO them to the top of google searches for their name?
Hilarious and poetic justice.
Re: Re:
That only works if one feels shame.
Re: Re:
SEO is snake oil. The best way to get them to the top is to share them around and encourage everyone you know to do the same. Bear in mind that what floats to the top for you is targeted according to your own preferences. And people sift the search results, moving things around in the list, every time they check you out. I’ve seen this happen in my own case, it’s why I post links to my blog in the URL line when I want that moving up.
State argument might be weak because the moral argument is strong
The states’ lawyers may have skimped on supporting the charges on the expectation that the defendant’s conduct was so offensive that he would be buried on morality, without regard to the technicalities of the law.
Re: State argument might be weak because the moral argument is strong
Probably at least part of it. It’s definitely morally reprehensible which makes it feel illegal (especially to juries), but it doesn’t make it illegal.
It seems to me that while there may be enough violations to throw him for a short while in prison or at least impose some decent fine there are really sound arguments there.
I actually agree with that morally horrible argument on the extortion front. It is not extortion. The question here is that he created a platform that was focused on letting frustrated males with severe self-esteem and social issues to post nudes and heavier pictures of their ex without consent as a revenge for breaking up.
So there are two issues here: the platform is promoting the violation of the rights of other people and the idiots that feed the platform. The guy must not be blamed for what was posted, this justice hammer has to go down those who posted unless, of course, he doesn’t give the details of the jerks to the authorities. But it seems to me that he should be punished for actually setting up the platform with the explicit intention of hosting such activity.
It’s not like Instagram where its general purpose is to share pictures but some users may use it for nefarious purposes. Such cases are the exception, not the norm. And the company certainly tries to weed out illegal activity to the best it can, within the law. So maybe he should not be exempted from any liability under 230 but he did set up a platform to conduct violating activities. So what’s the law that would work here without setting a horrible 230 ruling?
Re: Re:
*So maybe he should be exempted from any liability under 230 but he did set up a platform to conduct violating activities
Corrected to make sense
Re: Re: Re:
Eh, he’s holding the pictures — and the reputations and possibly the personal safety of the women affected — to ransom with the promise of removing them for “a small consideration.” If that’s not extortion, what is it?
He set up an associated website in which he impersonated a lawyer (or pretended one was available) who would “expedite” the process thereof. This is the fraudulent part.
IANAL but I’d have the creep for extortion and fraud against everyone who contacted him with requests to remove the content. I’d also say that those who didn’t contact him were neither extorted nor defrauded, though they had their right to privacy violated by the creeps who posted them online.
Let us also bear in mind that the website was set up with the explicit purpose of embarrassing women for rejecting men. The problems with attempting to write an anti-shaming law are legion. Basically, you’d have to make it legal to call people out for bad behaviour but set limits on how much abuse you could heap upon them. Since this is highly subjective, good luck with defining the terms well enough without nuking the First Amendment.
Re: Re:
wow I hope you can feel what those victims felt with there pictures on the internet, what if it was a love one that is happens too and then they tell you need to pay money to get the pictures down, shame on you
I don’t see why anyone is talking about section 230 or “identity theft” at all, when there’s something much simpler to charge him with: running a protection racket.
Victimizing people, then directing them to pay money to ChangeMyReputation for protection against the victimization caused by the people running ChangeMyReputation (who are the same people running YouGotPosted) is about as clear a case of a protection racket as I’ve ever seen, except that the victims did not know of the connection between ChangeMyReputation and YouGotPosted, which means you could probably make a case for adding a fraud charge on top of the protection racket charge.
Nothing in this implicates Section 230 rights in any way.
Re: Re:
The only problem is the legal term for protection racket is extortion. The Yelp ruling says it’s not extortion to say, “Suck a pity this (possibly true) information is there for anyone to see, why don’t you pay us some money/buy some ads and we’ll make it go away.”
Re: Re:
No. A protection racket (extortion) is when a perp threatens, or at least hints, that he or his friends will harm the victim or his property unless he obeys orders.
This perp is only threatening to leave information up on his web site until paid to take it down. Hence, blackmail.
Re: Re: Re:
Good point.
He has the power to remove content, ergo, he can be defined as a content provider.
Good luck with your appeal, asshat.
Re: Re:
If that were the law’s definition of a content provider, it would eviscerate sec. 230. Fortunately, neither the courts nor the statutes define that term as you do.
Not so fast
Not so fast, guys. While I would argue that CDA 230 is important enough not to rip it up for a douche like this, I think the government has a valid substantive point here and it’s you guys that are wrong. Doesn’t happen often but there it is.
The fact is, Bollaert’s site WAS qualitatively different than Yelp, because Bollaert required identifying information to be attributed to the images prior to making them public. According to the government’s case (p13), he would vet that information, including the required Facebook link, before greenlighting a submission for public view. By vetting that information for accuracy prior to greenlighting, Bollaert is arguably taking the role of content provider.
There is a substantive difference between Bollaert and Yelp, or even Bollaert and something like r/gonewild. Yelp and gonewild don’t approve user’s posts, nor do they vet them for accuracy prior to letting users post. In both cases, they let users post without any prior editorial input and only after do they remove objectionable or flagged content. But in both examples, the users make post first and moderation comes later.
What Bollaert was doing was quite different, in that he was curating his user’s content BEFORE it was posted and vetting it for accuracy, in the same way that NYT or WaPo editorial staff will (or ideally will, rather) vet a journalist’s story for accuracy. In both of these cases, the WaPo and NYT editorial staff didn’t create the content itself – the using their CMS did. But they are most certainly liable as content creators, precisely because of the editorial input they have in vetting and greenlighting what goes on their site before it is made public. (Obviously, Bolleart wanted to maximize his financial scheme by making sure users were only posting legitimate pics plus personally identifying information, and not random pics they found on Reddit or 4chan.)
Now, we can argue about whether he deserved such a harsh sentence (in the context of the associated financial scheme, it wasn’t that unreasonable). We can argue that Section 230 deserves to be protected with every fiber of our being as one of the few really good telecommunications laws on the book (and I think it does). But arguing that Bollaert himself was only acting as a moderator and that he’s not substantively different from a comment section or image board, and thus isn’t responsible for what his users posted actually misses the key distinction that moderation a-la-platform-provider happens after the user has already posted it and the public sees it, and editorial control a-la-content-provider happens before the public sees it.
It seems to me that the court is conflating two issues here.
In the judge’s shoes, I would rule that Section 230 protects the posting of the images themselves (unless it were shown that they pose an ongoing danger to someone’s health or life, which would justify a takedown order). But even if posting the images and information is legal, requiring a payment to take them down is blackmail, and Bollaert should go to prison for that crime. 18 years seems overboard, though. Two or three years should be enough to deter this crime.
Don’t get me wrong, I would prefer doxing someone without cause to be more broadly illegal, but that would require constitutional change. The 1st Amendment forbids it.
Re: It seems to me that the court is conflating two issues here.
I think this is wrong, just as I think Mr. Masnick is wrong in his assessment of the government’s case and why they think Section 230 doesn’t apply to Bollaert. I also think the government has a very strong case regarding Bollaert’s lack of section 230 safe harbor and will win at least that part on appeal.
Here’s why: Bollaert personally greenlight every submitted post that was made publicly available on his website. IIRC he also personally greenlight all comments as well. The government has communications between Bollaert and the IT guy that set up his website, where Bollaert says something along the lines of ‘I control everything and that’s the way I want it.” In other words, yes, his users were the ones that submitted the pictures, but Bollaert had absolute control over what items (and comments) users saw after submission. That makes him a content provider.
Contrast with Techdirt, who does have Section 230 protection for their comments section – but not for articles on the front page. Why? Because I can post anything I want to here, regardless of how crass, threatening, or illegal. Techdirt doesn’t exercise any sort of pre-moderation or comment screening. Which means that they are providing a platform only, and are exempt under section 230 as long as they make a good faith attempt to remove illegal content posted by users. This doesn’t apply to the Techdirt front page, however, where the staff of the site does exercise editorial control – Techdirt can still be held liable for defamation in an article, for example.
The key difference is editorial control. Bolleart personally curated every submission and comment, and intentional chose only those submissions that were fully doxxed with personal information. Tying into copyright law, facts are not copyrightable – but collections of facts (i.e. databases, encyclopedias, etc) show creativity and artistry in their arrangement and are copyrightable.
Bollaert might not have “created” the content his users were submitting, but he sure as hell put substantial time and effort into curating a public collection of only the best, most well doxxed nudes his users submitted.
I’m not sure exactly sure what the setup was with IsAnybodyDown/IsAnybodyUp because I’m not a skeezebag, but I would be willing to bet it was a more traditional ‘platform’ setup where users submitted and voted on each other’s submissions – a setup that IS exempt as a platform under section 230 because the users, not the owners of the site, decide what is greenlight for the front page.
Wouldn’t the arguments provided by California also make Facebook lose its safe-harbor status under the CDA? They require personal information from their users and posts/info can be used by others (including advertisers) to harass.
CDA applies but the guy vetted the submissions manually, so there’s that. There’s also blackmail.
IANAL, cursory search of Google gives (for the U.S):
sex pics @ ~3-4 months/person ((div 2) for aiding and abbeting but (mul 1.2) for repeat offense)
blackmail @ 1 year
sex pics alone would get the guy 25 years, but i’m assuming he should have the option to get out on parole in ~2 years.
Does he deserve 18 years? Absolutely. There isn’t a valid reason to question that, at least not that I’ve seen. Now whether or not the law was applied properly I can’t say. But he deserves everyday of his sentence. Whenever this man dies, the world will be a better place.
CDA argument is strong, but the purpose of the site invalidates it so it doesn’t really matter.
Put the publisher/safe-harbor exemption in jeopardy because of this asshat??
Bollaert’s websites did not simply “enable” harassment, they were expressly designed to foment, encourage and profit from it.
I really don’t think that the internet ecosystem and community deserves to have the incredibly important and already tenuous safe-harbor exemption put in jeopardy for the sake of a scumbag like Bollaert.
I hope he rots in jail.