Ruling shields AOL on 'hostile code'

A federal appeals court says America Online and other Internet service providers are not liable for malicious software instructions sent between subscribers.

Paul Festa Staff Writer, CNET News.com
Paul Festa
covers browser development and Web standards.
Paul Festa
4 min read
In what legal experts describe as a first, a federal appeals court has upheld a ruling that America Online and other Internet service providers are not liable for "hostile code" sent between subscribers.

The U.S. Court of Appeals for the Third Circuit said last week that AOL could not be held accountable for a subscriber's sending of hostile code through its service. John Green, a 54-year-old electronics engineer and founder of JP Green Associates, in Edison, N.J., had accused AOL of failing to enforce its terms of service against a subscriber who sent Green a so-called punter, or malicious software instructions designed to temporarily kick someone off the service.

The court upheld a ruling by the U.S. District Court for the District of New Jersey, which had said an ISP's immunity from prosecution for a subscriber's actions covers not only the sending of actionable words, but also of hostile code.

The court affirmed the lower court's definition of "information" under Section 230 of the Communications Decency Act. That definition includes not only communication of "knowledge or intelligence," but also the sending of an electronic "signal," both courts said.

The decision is the latest in a long-running legal trend that has shielded ISPs--and AOL in particular--against the claims of subscribers who have demonstrated they were libeled or otherwise harmed while using an online service.

Most famously, AOL in 1998 staved off a $30 million suit brought by a White House advisor after Web site writer and AOL subscriber Matt Drudge accused the advisor of spousal abuse. In that case, the court held that the decency law shielded AOL and other ISPs from claims related to editorial content on their networks.

That ruling was followed by the Supreme Court's decision to let stand a lower court ruling that similarly shielded AOL from claims based on content posted by subscribers.

AOL said the application of the CDA's "safe harbor" provision was right in line with prior rulings.

"Obviously we're very pleased with the results," said AOL representative Nicholas Graham. "AOL believed and argued throughout this litigation that Section 230 also applied to the claims on electronic signals made by the plaintiff in the suit, and the court reconfirmed our position."

AOL said it was "proud" to have had a hand in crafting the safe harbor section.

One legal expert, who called the decision unprecedented, said it would help ISPs tamp down abuse by subscribers who try to get one another kicked off an online service.

"As far as I know, this is the first time a court has squarely addressed the liability of an intermediary like AOL for dissemination of harmful code," said Eric Goldman, an assistant professor at Marquette University Law School in Milwaukee, Wis., and former chief counsel for Epinions. "But it's something we've discussed in academic circles for a decade in the context of the transmission of viruses and other harmful content."

Goldman said his tenure as Epinions' chief counsel gave him plenty of experience with subscribers who use an ISP's terms of service to get another member ejected, sometimes over petty complaints. He said last week's ruling, in rejecting claims against AOL for not enforcing its terms of service against senders of the malicious code, would help ISPs and Web sites resist those efforts.

"I think it's a good thing," Goldman said. "The reason this law is so powerful and important is that it prevents what we call veto power, when a user says, 'I don't like that person, kick him off.' Having seen the deal flow on the other side, I know that many of the complaints a company gets are completely bogus."

A lawyer with the online advocacy group the Electronic Frontier Foundation (EFF) agreed that the application of Section 230 to hostile code was novel, but by no means surprising given the intent and language of the statute.

"Certainly there is a difference...between simply saying something defamatory about someone and defending some kind of hostile code," said Lee Tien, senior counsel for the EFF. "But you have to remember that one of the general ideas behind CDA Section 230 was to give service providers some breathing room so they didn't have to be essentially Internet police. If anyone could allege that someone sent hostile code, and draw AOL and other ISPs into the fray, you would not be effectuating Congress's intent."

John Green, who acted as his own counsel, said he may ask for a rehearing from the same court. If he does not choose or is not granted a rehearing, he plans to appeal to the U.S. Supreme Court.

"I don't think (the court) really considered the issues," Green said. "They're trying to use this statute 230 to get out of it...but that's not what this is about."

Green likened the situation to that of Napster, an online file-swapping network that was forced to shut down after being beset by claims from the recording industry that the service was responsible for its members' copyright violations.

Attorneys didn't give the Napster comparison much chance of swaying any court. The CDA explicitly exempted intellectual property claims from the immunity, said the EFF's Tien.