In late 2016 and early 2017, hundreds of strangers began showing up at Matthew Herrick’s home and work in New York City, looking for sex. The strangers were not invited by Herrick: according to a lawsuit filed in the Southern District of New York, they were directed to him by fake profiles on the geosocial network Grindr. The lawsuit alleged that the profiles, which in some cases instructed suitors to understand resistance by Herrick as “part of an agreed-upon rape fantasy,” were created by his vengeful ex-boyfriend — and that despite more than 100 complaints, a cease-and-desist letter, and a court injunction, Grindr failed to stop the ex-boyfriend from abusing its application.
In a case that addresses basic tensions between the internet’s founding principles of free speech and the civic responsibilities of its businesses that have attained positions of outsized power, a law written in 1996 has taken center stage.
That law is the Communication Decency Act (CDA). Grindr cited legal immunity under the law’s oft-invoked Section 230, which states that “no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” For more than two decades, this clause has protected the tech industry from a broad array of liability claims regarding what users publish on its platforms. As the tech industry as grown, so too — to the cheer of those who see the law as an essential protection of the internet’s abiding spirit — has the scope of the law’s interpretation. But for victims of the proliferating scourge of online harassment or abuse, it has meant tech companies bear no legal responsibility to help them when company platforms are being used to facilitate their torment.
Herrick’s lawyers hope to change this. In a novel legal attack, the lawyers argued that, for the purposes of their lawsuit, Grindr does not qualify for Section 230 immunity.They cited Grindr’s claims that it was technologically unable to block the offending user from abusing its application — despite, claimed the plaintiff, the availability of such technology — as evidence of negligence on the part of the software’s designers, and argued that the application posed an unreasonable danger to the public.
There is little question that Grindr — a nearly-decade old LGBTQ dating app based in West Hollywood that is used daily by millions of people worldwide — could have tried harder to protect Herrick. Court briefs allege that a competitor, Scruff, is able to block similar sorts of abusers from its platform within 24 hours of notification. But, in failing to stop it, was Grindr liable in some capacity for the abuse?
With the backing of free-speech advocates and substantial precedent in the courts for broad interpretation of Section 230, Grindr said no. A judge in the Southern District agreed, granting Grindr’s motion to dismiss the lawsuit — meaning that they determined that the CDA clearly protected Grindr, even while fully granting Herrick’s account of the facts.
But on appeal Monday in the Second Circuit in downtown Manhattan, Herrick’s lawyers maintained that the case is significantly more complicated than either Grindr or the lower court have acknowledged. The CDA operates in clear-cut realms and hazy realms, they argue, and Grindr’s behavior in this case calls for a degree of legal scrutiny from which the tech industry has found itself largely exempt.
“There is a standard of care here,” Tor Ekeland, a lawyer for Herrick, told me. “We’re not asking for anything novel or crazy.”
Grindr could have prevented the ongoing abuse, Herrick’s lawyers said: as a carmaker would anticipate the dangers of one of its cars having poor brakes, Grindr ought to have anticipated the app’s risks, and developed the not-particularly-exotic technology to mitigate egregious abuse of its product. In not doing so, they said Grindr was negligent.
Ekeland, citing common technologies like user verification, VPN blocking, and photo DNA analysis, told me that better protecting Herrick would not have been a stretch for Grindr, “but they didn’t bother with it. The only thing they cared about was profit. They were like, ‘we don’t care. We’ll just say ‘CDA.’’”
Grindr would likely dispute such claims. But since the lower court dismissed the case even under the assumption that Herrick’s assertions were accurate, the factual debate never took place on the record, and Grindr’s actual technology systems remain unexamined. This posed a problem in Monday’s oral hearings, during which a significant chunk of time was dedicated not to a question of law but of basic fact: if Grindr’s geolocation technology was used to facilitate the stalking of Herrick (an important, if not necessarily essential tenet of Herrick’s argument). Grindr’s lawyers said this was “implausible”; Herrick’s lawyers, referring to screenshot evidence, took it as a working assumption.
“The court can see how difficult the questions are in this case, how complex,” Ekeland told the judges. “And the need for this case to be remanded [back to district court] so we can see expert testimony from both sides.” (Later Ekeland told me that“everyone is just speculating…as far as I’m concerned. There’s been no testing of the facts.”)
Herrick’s lawyers cited the Second Circuit’s 2016 decision, FTC v. LeadClick, in which a company was denied CDA immunity because it participated in the development of deceptive content published through its platform. The case of Grindr, they argued, might be another occasion to consider whether a company’s actions — or inactions — could negate its immunity under circumstances beyond the scope of the more straightforward claims that they believe the law was actually intended to address.
But what did the authors of the law intend, and could they even have conceived of the internet ecosystem of today? The CDA reflects a contemporary spirit of optimism around a relatively immature internet technology. Section 230 justifies itself with Congress’s then-finding that the internet and its associated services “offer a forum for a true diversity of political discourse, unique opportunities for cultural development, and myriad avenues for intellectual activity” and that ultimately such technology has “flourished, to the benefit of all Americans, with a minimum of government regulation.”
It has flourished indeed, into a present in which internet companies hold unprecedented power and, critics argue, have frequently abdicated the power’s attendant responsibility to society’s most basic institutions, functions, and cultural mores — all while reaping massive profits on the basis of the ever-more intimate data of its ubiquitous user base.
Ekeland said the law is “antiquated” and “utopian,” a “Haight-Ashbury vision of technology being the savior when the reality is a lot darker.”
But for many, a strong and broadly interpreted CDA immunity provision is a keystone defense of the internet’s best qualities, like its facilitation of free speech, and low barriers of entry for small companies who aren’t forced to dedicate scarce resources to closely monitoring their platforms.
Such advocates of broad CDA interpretation see the plaintiff’s argument — that Grindr can be better understood as a dangerous product as opposed to a neutral internet service — as a distinction without a difference, said David Greene, the civil liberties director at the Electronic Frontier Foundation (which jointly filed an amicus brief with another organization in support of Grindr in the Second Circuit).
The same logic could have been applied to the companies for which the law was initially written, he said, and the suit’s basic questions remain effectively identical to those of more traditional challenges to a company’s CDA immunity claims. “Whether Grindr could have reasonably done something I have no idea,” Greene told me. “There’s lots of things I think companies should do that they’re not required by law to do.”
But the goal of a law is to “provide certainty,” he said — an imperative he sees as particularly pressing when a law has free-speech implications. Ultimately, he said, online abuse victims have other avenues of recourse, and where they don’t, such as in a case where an abuser is in another country, the fundamental problem does not concern Section 230 in itself, but rather the legal code in general. The CDA, he said, “is the wrong place to direct your anger.”
But Herrick’s lawyers maintain that legally speaking, the CDA per se is not, in this case, their source of ire.
“I think the bloating of the law by judges interpreting it is the real problem,” said Carrie Goldberg, another attorney representing Herrick on the case. She posed an example: Someone defames you on Facebook and a judge rules Facebook itself is immune to lawsuit for defamation? “That’s a completely proper application of it in my opinion.”
Goldberg regularly represents victims of online sexual privacy violations. As in the Grindr case, her work often specifically involves challenging companies that she believes tolerate clear abuse of their platforms.
“There were cease-and-desist letters sent to Grindr,” she said. “They knew, and they’re still hiding behind the CDA. That’s a real problem. As a litigator, my interest is for case law to determine the scope of how a law should be handled. I’m not particularly motivated to create new laws. I don’t like to beg congress members… to write a law and get it voted on. I’m not a lobbyist… I’m a lawyer. The courtroom is how I try to make change.”
But, she said, “if we lose, than yeah, there does need to be a legislative fix, because my clients all over the place are being impersonated, and no action is taken. And this would create a really sickening world if the tech industry — the most powerful and omniscient industry — basically never has to see the inside of a court and has no liability to the public for the weaponization of their product.”