Privacy, CDA 230, the Espionage Act, and WikiLeaks: My contributions to a global report exploring online intermediary liability

BerkmanShotWorking at the Digital Media Law Project and Cyberlaw Clinic at Havard’s Berkman Center for Internet & Society this past summer was a remarkable experience. I soaked in the beautiful summer sights of Massachusetts, learned from some of brightest minds in the country, and contributed to a number of fascinating projects. One of my main ventures from this summer at Berkman was recently published.

The Berkman Center and the Global Network of Internet and Society Research Centers released a report Feb. 18 called “Governance of Online Intermediaries: Observations from a Series of National Case Studies” (also found here). The report combines studies from various countries around the world to examine the rapidly changing landscape of online intermediary liability across the globe.

Numerous employees at the Berkman Center (including myself) collaborated to write the United States’ portion of the report. Our paper, “Online Intermediaries Case Studies Series: Intermediary Liability in the United States,” delved into various U.S. related online intermediary liability topics and case studies.

I contributed the legal landscape sections for three topics: traditional privacy liability, Sec. 230 of the Communications Decency Act (CDA), and the Espionage Act. I also authored a case study for the report, “The State as Soft Power – The Intermediaries Around WikiLeaks.” Below are the legal landscape primer sections I wrote that are contained in “Online Intermediaries Case Studies Series: Intermediary Liability in the United States.” These portions of the report are meant to summarize current United States policies regarding privacy liability for intermediaries, the protections of Sec. 230 of the Communications Decency Act, and potential claims under the Espionage Act.

Traditional Privacy Liability for Intermediaries

Privacy laws in the United States consist of a patchwork of common law torts and specific statutory enactments, overlaid with nationwide exceptions made in light of the First Amendment.[19] Intermediaries primarily concern themselves with privacy law to the extent it impacts their own businesses operations and practices – for example, how they represent their data handling practices to the public, and how they handle their own data security.

A second form of privacy liability for intermediaries stems instead from the actions taken on behalf of others, and whether the intermediary can ever be held liable for contributing (willingly or not) to those actions. The laws around such invasions of privacy can be generally clustered into two categories: those that address the unlawful gathering of information (e.g., intruding into one’s private spaces or unlawfully recording conversations), and those that address publishing private information (e.g., the “public disclosure of private facts” tort or publishing specific information proscribed by statute[20]). The First Amendment plays a role in this space by both limiting the universe of defendants for intrusion claims[21] and by substantially limiting the types of claims that can be brought regarding the disclosure of private information.[22]

With respect to information gathering, many states recognize a tort called “intrusion upon seclusion,” which punishes one who intrudes into the solitude or seclusion of another in a way that is highly offensive to a reasonable person.[23] Because the defendant’s conduct usually must be intentional for liability to attach, it is rare to see liability extend to disinterested intermediaries.[24] At least one court has found secondary liability could attach to a newspaper for running a classified ad that facilitated intrusion of another, though in that case the plaintiff pleaded that the newspaper published the ad with the intent to invade the plaintiff’s privacy.[25]

Some intrusion laws attempt to indirectly target intrusion by punishing those who later disclose or receive the information that was unlawfully acquired. But First Amendment doctrine prevents the application of such laws to those who did not actively participate in the unlawful acquisition, at least when the information is true and a matter of public concern.[26] This would seem to preclude most information intermediaries from liability for transmitting content that was unlawfully acquired by others.

Laws concerning the disclosure of private information directly can vary considerably, but most states have some form of the tort called “public disclosure of private facts,” which concerns the intentional disclosure to the public[27] of non-newsworthy information about an individual that is highly offensive to a reasonable person.[28]

Unlike defamation or intrusion, the specific mental state of defendants varies considerably between states, so the mens rea does not generally limit liability for disinterested intermediaries in the same way as other torts.[29] That said, the few cases that consider a distributor’s liability tend to impart the same requirement from defamation cases that the distributor know the information to be tortious in order to be held liable.[30] Also, information obtained from public sources are considered protected under the First Amendment,[31] and republishing content originally published widely by others does not lead to liability in most cases, as the fact that the content was published previously means that the information is no longer considered private.[32]

The traditional standards for intermediary liability in privacy are applied in a radically different manner online, in large part due to Section 230 of the Communications Decency Act, which is discussed in the following section.

[19] Daniel J. Solove & Paul M. Schwartz, Information Privacy Law 77 (3d ed. 2009).
[20] For an example of this, see 18 U.S.C. § 2710 (governing when and how a customer’s video rental history may be disclosed).
[21] See notes x–y, infra, and accompanying text.
[22] While the states that recognize a public disclosure tort include a definitional balance that precludes claims against newsworthy information, the Supreme Court has yet to directly consider a challenge to public disclosure torts in other cases. See Geoffrey R. Stone, Privacy, the First Amendment, and the Internet, in The Offensive Internet (Saul Levmore & Martha C. Nussbaum eds. 2010). For more on the history of balancing between free speech and privacy has had a complicated century of history. See Geoffrey R. Stone, Anthony Lewis, Freedom for the Thought That we Hate 59-80 (2009).
[23] Restatement (Second) Torts § 652B.
[24] See, e.g., Marich v. MGM/UA Telecomm., Inc., 113 Cal. App. 4th 415 (2003) (defining intent for California’s intrusion tort). For examples of cases where parties were liable as aiders or abettors of another’s intrusion, see David A. Elder, Privacy Torts § 2:9.
[25] Vescovo v. New Way Enters., Ltd., 60 Cal. App. 3d 582 (1976).
[26] See, e.g., Bartnicki v. Vopper, 532 U.S. 514, 526 (2001) (The First Amendment prevents a radio broadcaster from being punished for disclosing the contents of an unlawfully-intercepted communication); Smith v. Daily Mail Publ’g Co., 443 U.S. 97, 104 (1979); Food Lion, Inc. v. Capital Cities/ABC, Inc., 194 F.3d 505 (4th Cir. 1999) (refusing to escalate damages for breach of duty of loyalty based on subsequent disclosure of information); Doe v. Mills, 536 N.W.2d 824 (Mich. 1995) (knowing receipt of information unlawfully obtained does not lead to intrusion claim for the recipient). Scholars have been mindful to point out that the exact meaning and scope of the “Daily Mail principle” is not entirely clear. Janelle Allen, Assessing the First Amendment as a Defense for Wikileaks and Other Publishers of Previously Undisclosed Government Information, 46 U.S.F. L. Rev. 783, 798 (2012).
[27] This is deliberately made a wider audience than defamation, for which liability attaches when a statement is “published” to a single person. Restatement (Second) Torts § 652D cmt. a.
[28] Restatement (Second) Torts § 652D.
[29] David A. Elder, Privacy Torts § 3:7.
[30] See, e.g., Steinbuch v. Hachette Book Grp., 2009 WL 963588 at 3 (E.D. Ark. April 8, 2009); Lee v. Penthouse Int’l Ltd., 1997 WL 33384309 at 8 (C.D. Cal. March 19, 1997).
[31] See, e.g., The Florida Star v. B.J.F., 491 U.S. 524 (1989).
[32] See, e.g., Ritzmann v. Weekly World News, 614 F. Supp. 1336 (N.D. Tex. 1985); Heath v. Playboy Enters., Inc., 732 F. Supp. 1145 (S.D. Fla. 1990); but see Michaels v. Internet Ent. Grp., Inc., 5 F. Supp. 2d 823 (C.D. Cal. 1998) (disclosure of more than the ways originally revealed in first publication can give rise to claim for republication)

Section 230 of the Communications Decency Act

As noted in the preceding sections, liability for offline content distributors or hosts largely turns on whether the host knows or has reason to know that they are hosting tortious content. In the earliest days of the Internet, courts used these standards to assess liability of online intermediaries, but found that the law created a perverse result. Online intermediaries possessed the technical ability to filter or screen content in the way an offline intermediary never could, but under existing standards this meant that the intermediary would assume liability for all the content over which they had supervisory control. In the most famous case on point, this included a service that was trying specifically to curate a family friendly environment, at a time when the public was greatly concerned about the adult content on the Internet.[33] In order to “to promote the continued development of the Internet and other interactive computer services and other interactive media [and] to preserve the vibrant and competitive free market that presently exists for the Internet and other interactive computer services,” Congress enacted Section 230 of the Communications Decency Act.[34]

Section 230 prevents online intermediaries from being treated as the publisher of content from users of the intermediaries. By the terms of the statute, “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” [35] An “interactive computer service” under Section 230 is defined as “any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server . . . ”[36] Online intermediaries of all sorts meet this definition, including Internet service providers, social media websites, blogging platforms, message boards, and search engines.[37] An “information content provider” in turn is defined as “any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service.”[38]

Section 230 covers claims of defamation, invasion of privacy, tortious interference, civil liability for criminal law violations, and general negligence claims based on third-party content,[39] but it expressly excludes federal criminal law, intellectual property law, and the federal Electronic Communications Privacy Act or any state analogues.[40] Its terms also specify that the coverage is for “another’s” content, thus not protecting statements published by the interactive computer service directly.[41] Thus, to apply Section 230’s protection, a defendant must show (1) that it is a provider or user of an interactive computer service; (2) that it is being treated as the publisher of content (though not with respect to a federal crimes, intellectual property, or communications privacy law); and (3) that the content is provided by another information content provider.

The law was designed in part to foster curation of online content, and courts have found that a wide array of actions can be taken by “interactive computer services” over third-party content are covered by Section 230. These include basic editorial functions, such as deciding whether to publish, remove, or edit content;[42] soliciting users to submit legal content;[43] paying a third party to create or submit content;[44] allowing users to respond to forms or drop-downs to submit content;[45] and keeping content online even after being notified the material is unlawful.[46] This applies to both claims rooted in defamation and those rooted in invasion of privacy.[47]

On the other hand, if the intermediary creates actionable content itself, it will be liable for that content.[48] Courts are also unlikely to find that Section 230 applies when an interactive computer service edits the content of a third party and materially altering its meaning to make it actionable;[49] requires users to submit unlawful content;[50] or if the service promises to remove material and then fails to do so.[51] When an intermediary takes these actions, it is deemed to have “developed” the content by “materially contributing to the alleged illegality of the conduct.”[52]

While stated very simply, the law upsets decades of precedent in the areas of content liability law, and radically alters the burdens on online services for claims based on user content.[53] By limiting any assumed liability for a wide range of content-based claims (and given the other content areas discussed below), Section 230 effectively removes any duty for an interactive computer service to monitor content on its platforms, a tremendous boon for the development of new intermediaries and services.[54] Virtually all liability for content-based torts is pushed from the service to others, often the user. In practical terms, however, this has yet to manifest a windfall for online services; many claims are still brought against online intermediaries, and the question is often litigated extensively and at great expense before courts find that claims are invalid.[55]

As noted above, Section 230 does not cover intellectual property laws, and thus different rules apply in these cases. These are now addressed.

[33] Stratton Oakmont, Inc. v. Prodigy Servs. Co., 1995 WL 323710 (N.Y. Sup. Ct. May 24, 1995). See also Lawrence Lessig, Code 2.0 249-52 (2006) (discussing the Internet anti-pornography efforts happening around the time of the Communications Decency Act debate).
[34] 47 U.S.C. § 230. The section was part of a greater law that sought to relegate the transmission of offensive content to minors, the majority of which was later struck by the Supreme Court. See Reno v. ACLU, 521 U.S. 844 (1997).
[35] 47 U.S.C. § 230(c)(1).
[36] § 230(f)(2).
[37] See Ardia, supra note [[x]], at 387-89.
[38] § 230(f)(3).
[39] See Ardia, supra note [[x]], at 452.
[40] § 230(e)(1)–(4). The Electronic Communications Privacy Act governs the voluntary and compelled disclosure of electronic communications by electronic communications services.
[41] See § 230(c)(1).
[42] See Donato v. Moldow, 865 A.2d 711 (N.J. Super. Ct. 2005).
[43] See Corbis Corporation v., Inc., 351 F.Supp.2d 1090 (W.D. Wash. 2004); see also Global Royalties, Ltd. v. Xcentric Ventures, LLC, 544 F. Supp. 2d 929, 933 (D. Ariz. 2008) (holding that even though a website “encourages the publication of defamatory content,” the website is not responsible for the “creation or development” of the posts on the site).
[44] See Blumenthal v. Drudge, 992 F. Supp. 44 (D.D.C. 1998).
[45] See Carafano v., 339 F.3d 1119 (9th Cir. 2003).
[46] See Zeran v. America Online, Inc., 129 F.3d 327 (4th Cir. 1997). Promising to remove content and then declining to do so, however, can expose an interactive computer service to liability. See Barnes v. Yahoo!, Inc., 570 F.3d 1096 (9th Cir. 2009). For more examples of actions likely to be covered under Section 230, see Online Activities Covered by Section 230, Digital Media Law Project, (last updated Nov. 10, 2011).
[47] See, e.g., Jones v. Dirty World Entertainment Recordings, LLC, 2014 WL 2694184 (6th Cir. 2014) (defamation claim preempted by Section 230); Doe v. Friendfinder Network, 540 F. Supp. 2d 288, 302–303 (D.N.H. 2008) (intrusion upon seclusion and public disclosure of private facts claims preempted).
[48] See MCW, Inc. v., LLC, 2004 WL 833595, No. 3:02-CV-2727-G at * 9 (N.D. Tex. April 19, 2004) (the operator of a website may be liable when it is alleged that “the defendants themselves create, develop, and post original, defamatory information concerning” the plaintiff).
[49] See Online Activities Not Covered by Section 230, Digital Media Law Project, (last updated Nov. 10, 2011).
[50] See Fair Housing Council v., LLC, 521 F.3d 1157, 1175 (9th Cir. 2008) (en banc).
[51] See Barnes v. Yahoo!, Inc, 570 F.3d 1096 (9th Cir. 2009).
[52] See Jones v. Dirty World Entertainment Recordings, LLC, 2014 WL 2694184 (6th Cir. 2014).
[53] See Ardia, supra note [[x]], at 411.
[54] See, e.g., Jack M. Balkin, Old-School/New-School Speech Regulation, 127 Harv. L. Rev. 1, 17 (2014) (“Section 230 immunity . . . ha[s] been among the most important protections for free expression in the United States in the digital age. [It] has made possible the development of a wide range of telecommunications systems, search engines, platforms, and cloud services without fear of crippling liability.”).
[55] Id. at 493.

The Espionage Act

Because of the considerable attention given toward the dissemination of classified government information through the documents released by Chelsea Manning and Edward Snowden, and the profound policy implications of both the information they conveyed and the treatment of those who handle and disseminate such documents to the public, special attention should be given to a particular federal crime that implicates the disclosure of classified information. The Espionage Act of 1917 contains many provisions intended to prohibit interference with military operations and protect national security.[107] These include provisions that criminalize obtaining, collecting, or communicating information that would harm the harm the national defense of the United States.[108] This section was used by the United States government to go after the New York Times and Washington Post for their publication of “The Pentagon Papers,” a classified and damning assessment of United States involvement in the Vietnam War.[109] Most recently, it was used to convict former U.S. Army intelligence analyst Chelsea Manning for leaking classified documents to the organization WikiLeaks.[110]

While all federal criminal law includes the possibility for a charge of aiding and abetting another’s violation of the law,[111] the United States has never successfully prosecuted an information intermediary for disseminating classified information under the Espionage Act.[112] Such a theory would present profound First Amendment issues, and ultimately an intermediary may only be found liable if the intermediary bribed, coerced, or defrauded a government employee to disclose classified information.[113]

[107] See 18 U.S.C. §§ 793–798.
[108] 18 U.S.C. § 793(e).
[109] New York Times Co. v. United States, 403 U.S. 713 (1971).
[110] Cora Currier, Charting Obama’s Crackdown on National Security Leaks, Pro Publica, July 30, 2013, <>. Many others have been charged but not ultimately convicted for violating the Espionage Act or conspiracy to violate the Espionage Act.
[111] 18 U.S.C. § 2; see also § 793(g) (“If two or more persons conspire to violate any of the foregoing provisions of this section, and one or more of such persons do any act to effect the object of the conspiracy, each of the parties to such conspiracy shall be subject to the punishment provided for the offense which is the object of such conspiracy.”).
[112] See Emily Peterson, WikiLeaks and the Espionage Act of 1917: Can Congress Make It a Crime for Journalists to Publish Classified Information?, The New Media and the Law Vol. 35 No. 3, Summer 2011, available at <>.
[113] See Geoffrey R. Stone, Government Secrecy vs. Freedom of the Press, 1 Harv. L. & Pol’y Rev. 185, 217. For more on the general First Amendment right to disclose true matters of public concern, see supra notes x-y and accompanying text.


Federal judge dismisses trademark infringement suit against Coca-Cola over “Zero” products

Last week an Illinois federal judge found that the name of Canadian Blue Spring Water’s “Naturally Zero” product was merely “descriptive” and did not acquire secondary meaning. Therefore, U.S. District Judge John Z. Lee granted Coca-Cola’s motion for summary judgment, dismissing Canadian Blue Spring Water’s trademark infringement suit against the beverage giant. Canadian Blue Spring Water alleged trademark infringement under the Lanham Act against Coca-Cola’s “Zero” line of products that includes Coke Zero, Sprite Zero, and others. In finding the mark to be descriptive, Judge Lee wrote:

“‘Naturally Zero’ immediately conveys to the court that the spring water sold by plaintiffs contains no calories or additives.”

Even if the “Naturally Zero” mark was protectable, Judge Lee wrote that Canadian Blue Spring Water abandoned the mark in 2004 when it didn’t bring the “Naturally Zero” products back into the marketplace and had only produced 500,000 bottles of “Naturally Zero” water.

As pointed out on this trademark guide by the Berkman Center’s Digital Media Law Project, a mark that only describes the product or service is not inherently distinctive and requires “secondary meaning” to earn trademark protection. Secondary meaning exists when consumers come to associate the mark with a certain source of goods or services. In this case, for example, the judge found that “Naturally Zero” merely described the water–it was “natural” and it contained “zero” additives or calories. An example of a descriptive mark would be “spicy chili” (only describing the nature of the product) or “Lambert’s chili” (only describing who produced the chili). Now, if through sales, marketing, etc., “Lambert’s chili” earned secondary meaning in the market and came to be understood by customers as being distinctive, then the mark could potentially earn trademark protection.

trademark spectrum