Let's start with the basics: Kevin Bollaert is a creep who did some really horrible and shady stuff. He was something of a latecomer to the revenge porn space, basically copying a few of the more popular revenge porn sites that came before him in creating "YouGotPosted." He also copied at least some of the "business model" of Craig Brittain's "IsAnybodyDown" website, which purported to work with a third party (the fictitious "lawyer" "David Blade III") who you could pay to take down those naked pictures someone leaked to the site. In the case of YouGotPosted, Bollaert set up a companion website, called ChangeMyReputation, where you could pay and that site would magically get images taken down off YouGotPosted (there is some dispute over how clear it was that the two sites were connected). There's a decent argument that this is a form of extortion, posting naked photos of someone and then demanding cash to get them taken down -- but there are also cases in slightly different realms (such as online review sites) that suggest such activity is actually protected by Section 230. Bollaert, about as unsympathetic a defendant as you can possibly imagine was convicted
of a variety of things, including not just extortion, but also identity theft, which raises some serious questions, given that Bollaert was only posting info given to him by others.
So when Bollaert got an 18-year sentence
over all of this, many felt the sentence to be fairly extreme -- even among those who felt that Bollaert is a creep who deserves jail time for what he did. As we expected, Bollaert has appealed and is raising some key defenses
, mostly based around Section 230 of the CDA. In short, what he did may have been awful, but you still can't blame the site operator for content uploaded by users. That's the whole crux of CDA 230. If the uploader broke the law in posting content, go after them, not the platform on which the content was uploaded.
In this case, the People seek to chip away at the clear protections provided by the Communications Decency Act. The People claim the statute’s protection did not apply to Yougotposted because Yougotposted administered the website and possessed the authority to pick and choose which information was posted. Here the People’s reliance on speculation and conjecture fails to strip appellant of the statute’s immunity. If the People’s arguments are accepted, the approach would provide an avenue for other litigants to end-run the bright-line protections provided by the statute, jeopardizing service providers and undermining speech in the process. This amounts to bad policy.
Bollaert's lawyers argue, fairly reasonably, that YouGotPosted qualifies for the CDA 230's safe harbors as a service provider. The state argues that he's the content provider, who can be liable, rather than just a platform. Bollaert's lawyer cites all the standard Section 230 cases that establish the fairly broad immunity provided to internet platforms.
Bollaert also argues that what was on YouGotPosted wasn't identity theft at all because any "unlawful purpose" associated with collection of identifying information was done by third parties, rather than Bollaert, and thus, once again, he's protected by Section 230.
In its reply brief
, the State of California hits back at all of this with what seems like an incredibly weak argument. Basically it argues that because Bollaert required submitters to post personal information, that makes him a content provider, rather than a platform:
By requiring users to post personal identifying
information, appellant became an “information content provider” because
he was responsible as a developer and provider of the content he required;
thus, he was no longer a mere “interactive service provider” or “access
software provider”. In any event, because he intended to defraud victims by
concealing his true identity as the operator of both websites, the exception
appellant relies on would not apply.
Not surprisingly, California relies heavily on the infamous Rommates.com ruling
, a rare case where a service provider lost its safe harbors by having a drop down menu that was seen as asking a discriminatory question about roommate preferences, violating fair housing laws. California is arguing that, by requiring uploaders to post user information, YouGotPosted is similar to Roommates.
Here, similar to the situation in Roommate, appellant willfully
obtained individuals’ personal identifying information by soliciting it from
submitters, who were required to include the victims’ full name, location
(“city, state, country”), age, and a link to the victims’ Facebook profile
page in order to submit photographs. As in Roommate, appellant became
responsible for the illegal content of the postings because the illegal content
(i.e., the non-consensual use of someone’s personal identifying information,
including their private photos) was a condition of use. Appellant then used
that information to harass and annoy victims because he knew—with
absolute certainty—that by posting the information, the victims would be
contacted by numerous strangers whom the victims would find threatening.
Appellant also used the information for the unlawful purpose of unlawfully
obtaining money from them by demanding payment in exchange for
removing his posts. This conduct does not magically become lawful
because appellant did it online, or because he recruited third parties to help
him inflict harm on a mass scale.
Except California is playing a little loose with the facts here and mixing and matching things to make its argument look stronger. The key difference was that the roommate preference question was, by itself
, discriminatory and against the law. YouGotPosted asking people for identifying information is not
. Again, this is not
in any way to defend Bollaert or his site. But Section 230 matters quite a lot, and government attempts to limit those protections will have a serious impact on internet platforms and their willingness to allow freedom of expression.
California's lawyers spend a lot of words trying to argue that requesting identifying information with photos magically makes the whole thing illegal -- including claiming that because Bollaert knew that his users would then likely harass the people shown in those photos -- that it makes him liable as the content creator. But that still seems to be a fairly blatant misreading of the law as written and the case law itself.
California also insists that it is identity theft, because of the "fraud" of pushing people to another site to pay to have the photos removed:
Here, the evidence amply demonstrated appellant’s intent to defraud.
When victims asked to have the offending photos removed, they were
either referred to the website “ChangeMyReputation.com,” or they
followed the link to that site.... This extra step was wholly unnecessary. Appellant could have removed the photos by demanding the
money directly from the victims as part of the UGotPosted website. But
appellant presumably realized that the victims would be less inclined to pay
money to the very person responsible for posting their pictures. By creating
a separate website, appellant hoped to deceive the victims into believing
that they were receiving the legitimate services of a neutral third party who
would restore their reputation, and that they were not simply paying
blackmail to an extortionist who was the source of their misery.
to California's attempt to get around Section 230, Bollaert's lawyers basically just repeat "it's a platform and the government hasn't shown any reason it's not."
Here, the People claimed the statute’s protection did not apply to appellant because he administered the “Yougotposted” website and retained the authority to pick and choose which information was posted. This does not make him a content provider. Those actions of appellant are no different than those found by the courts to be protected under the statute.... The People’s argument must fail because accepting their arguments would eviscerate protections provided by the statute, jeopardizing service providers and undermining free speech in the process.
Bollaert also says the whole claim that having two sites suddenly makes it fraud makes no sense at all:
Here, the People produced no evidence in support of their belated claim that appellant possessed personal identification information with the intent to commit fraud. CALCRIM 2401 describes fraud as having deceived another person in order to cause a loss of money or something of value or damage to a legal, financial or property right. The People belatedly raised the claim that payments made through “changemyreputation.com” were obtained by fraud because the victims were not aware that appellant managed both websites. Problems arise with the argument. First, the link to “changemyreputation.com” was visible on “Yougotposted.com.” There was no evidence suggesting appellant was trying to hide the fact that the sites were connected. A number of the victims stated it was “obvious” that the same person was behind both sites. (4RT pp. 305-306.) Additionally, the People’s argument must fail because the victims clearly believe the payment
was to have the photos removed, not because they were “deceived”.
Separate from all of this, both sides also are arguing about the extortion question, noting that a business model that offers to remove content is just a "standard business practice," and not extortion. Part of this argument is, again, buttressed by CDA 230, because the uploaded content was not uploaded by Bollaert himself, so (his lawyers argue) you can't claim that he both uploaded the content and then pushed people to pay him to take it down. It's that "other people uploaded it and thus, 230" claim that Bollaert argues makes this not extortion:
The People argued that appellant used the posting of the photographs on the website to illegally obtain money from those whose photos were posted and to have the photos removed from the “Yougotposted” website. The People argued that appellant threatened to injure the victims or “expose their secrets” by publishing the images on the website. As the CDA provides, interactive computer service providers and access software providers are under no legal obligation to remove postings submitted to their website by third parties, even those postings that are negative in nature. Appellant was simply under no obligation to remove the negative content from his website. He merely offered a service to remove the photos and, by offering such a service, he is engaging in standard business practice and not extortion.
They also argue -- and I will admit that this is a morally
horrifying argument, if potentially legally sound -- that by simply posting the images first, without contacting individuals and asking for money to stop the posting, it's completely different than posting first and then offering a way to pay to take the content down.
In this case the People proceeded on the theory that the third-party postings constituted exposure of a secret affecting the persons portrayed in the photos. The initial reaction is that appellant’s operation of the website and posting information provided solely by third parties simply does not constitute a threat to expose any secret as to the other persons because the alleged secret (photos) was already in the public domain and had been provided by third parties unaccompanied by any demand for payment. In this case there is absolutely no evidence any request was made through either “Yougotposted” or “changemyreputation.com” before the photos had been submitted by the third parties. In this case appellant merely provided a means whereby, for a fee, information already legally posted could be removed.
Bollaert's lawyers also point to the recent lawsuit against Yelp, where some businesses claimed that Yelp would ask them to pay for advertising with a promise of more favorable reviews (and with some arguing that a failure to pay resulted in negative reviews). In that case (Levitt v. Yelp), the court found that even if that was what Yelp was doing (which Yelp denies), it's not extortion:
The court found the plaintiffs had no pre-existing right to a positive review and that Yelp! was in no way obligated to refrain from manipulating reviews or creating negative ones. Yelp! was simply offering a service when it offered to remove negative reviews from its web page and that the offering of that service in exchange for money amounted to a legitimate business practice.
And, of course, Bollaert argues that his situation was similar to Yelp's:
In the present case, appellant, as an interactive computer service provider was under no legal obligation to remove the postings submitted to the website by third parties, even when those postings are negative in nature. As in the above cited cases, Yelp!, Yahoo!, AOL and the dating website in the Carofano case, as well as “TheDirty.com” case, appellant could legally decline to remove any offending content from his website. Offering a fast, efficient removal service through the site “changemyreputation.com” amounted to a legal practice, akin to the practices approved in Yelp!. No crime of extortion occurred. Yelp! offered to remove negative content for money. They were under no obligation to remove those negative reviews and they offered the additional service in exchange for a fee. This is a business practice, not extortion.
The lawyers for the state of California, as you might imagine, don't like this argument very much.
This case, however, is not about incidental harms caused by a
free market economy run amok. Appellant is a criminal who intentionally
harmed thousands of people, not a legitimate businessman. While many
people knew the victims’ secrets (only because appellant had exposed them
on his website), many others had not yet seen the photos and it was that
threat of continued exposure that appellant used to extort money from the
victims. Further, because the website contained the victims’ PII, and
because appellant’s website required posters to provide that PII, appellant
was obligated to remove the content and he was not simply providing a
service that he otherwise had a legal right to perform.
Basically they try to distinguish Bollaert's site from Yelp in a variety of ways. They also note that somewhat different laws apply (federal vs. state) and that posting personal naked photos along with identifying information is very, very, very different from posting negative reviews of a business. Frankly, this argument was the one that I expected
to be most convincing, but which California's lawyers breeze through without much detail.
Obviously, it will be interesting to see where the California state appeals court comes down on all of this. I do think that the identity theft claims are incredibly weak, and that the extortion claims look a lot weaker than I first expected. I really expected stronger arguments from California. And, it's pretty clear that Bollaert's site was something pretty horrible all around. But does that automatically make it illegal? As with many cases targeting the safe harbors of Section 230, there are important issues being raised about what constitutes an internet platform vs. who is responsible for actual content or behavior.
Remember, with the nearly identical site that Bollaert basically copied, the operator there, Craig Brittain, merely got a slap on the wrist
from the FTC for misleading people. It also dragged his name through the mud. Bollaert, at the very least, deserves that level of treatment. But does running a creepy website that enabled
harassment create criminal liability that deserves 18 years in jail? That feels like a dangerous stretch of the law to punish a creep for being a creep. And when we start doing that, we create dangerous precedents for other platforms in situations that maybe aren't so creepy.