The story [cNet] of the Koobface virus spreading through Facebook raises interesting questions about a social network's potential liability for failing to protect against this type of harm.

The natural inclination is to assume immunity for Facebook based on Section 230, but I'm not sure it helps Facebook in this case.  Section 230 is a federal statute that provides immunity to websites (providers of "interactive computer services") for certain types of liability based on content provided by a third party.  While Section 230 has been held to immunize these types of entities against a variety of harm due to third party content, the text of the statute merely states that a provider of an interactive computer service shall not be treated as "a publisher or speaker".  Presumably, the statute only provides immunity for injury or claims which arise out of being a publisher or speaker and not other claims which are still content-related.  At least one lower federal court has given credence to this distinction in a similar context, finding in favor of the FTC in a case where the FTC alleged unfair trade practices in the course of defendants' publishing confidential phone records that were improperly obtained.  The court agreed with the FTC and held that the website was not shielded by Section 230 since it was not being held liable for its acts as a publisher or speaker.  (Online Liability Blog; previous post regarding the Facebook SMS lawsuit.)  I think a similar case can be made here that if someone were to sue Facebook for not doing enough to prevent the spread of the virus, they are not suing Facebook for being a "publisher or speaker" of the third party content (i.e., the virus).  (Note:  your mileage may vary on this point, and there multiple visions of what Section 230 was intended to accomplish and where it's headed.  For an excellend podcast on this topic with Professors Lichtman, Goldman, and Solove, see here (bonus/CLE credit in certain states).  The show is titled "Privacy in a Networked World" and is welll worth listening to.)

So what are the types of claims that may be viable against Facebook here?  Tough to say, and a lot probably depends on Facebook's security efforts (which are likely subject to serious secrecy efforts) and what exactly Facebook did to prevent the spread of the virus once they new about it (they probably acted quickly).  The theory that intuitively appeals (but which has no basis in statute or caselaw) is the "duty to police common areas" from premises liability law.  Plaintiffs sometimes are successful in holding the owner or landlord liable for attacks in common areas of apartment buildings or condos, or for failing to adequately police these common areas.  Depending on the state, this duty is sometimes imposed by court created doctrine, sometimes by the legislature, and sometimes the legislature overrules the court on the existence of the duty.  In short, it's a "good policy" and "fairness"-driven judicial doctrine.  I can't think of any cases off-hand in the network context where this has come up, but I'm sure it will in the future.  Of course, there's the slight issue of Facebook's Terms of Service disclaiming liability and instructing users to not post any confidential or sensitive information on their profiles.  I would think unless an end user (or group of end users) have suffered significant harm, a court would be skeptical of the need to recognize Facebook's "duty to protect".

I guess other laws may come into play as well, such as maybe if special types of information is compromised as a result (such as health or financial information)? 

All of this sounds fairly academic . . . until some crack journalist or disgruntled employee reveals a bad fact - who knows, maybe Facebook was warned of a security flaw and failed to take action to fix it?  Will courts be receptive to these types of claims?  At this point maybe less so, but in about 10 years, the majority of judges will be on Facebook, making it much easier to make the case.

More:  Professor Goldman (in comments below) sees this as an easy case of no liability for Facebook and points to Green v. AOL and Doe v. MySpace.  Both cases definitely point in the direction of Section 230 immunity, but I can see a judge that is not friendly to Facebook distinguishing these cases.  In particular, Doe sought to hold MySpace liable for third party off-line conduct but the cause of the conduct (vis a vis MySpace) was content published by it.  Arguably, this is easier to fit into the "speaker or publisher" box than failing to police the network for harm effected via the network.  Green is a bit closer on point, and although the court frames the issue in a way that more closely parallels these facts, I'm not sure its "publisher/speaker" analysis will be as persuasive in light of later decisions chipping away at Section 230:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

“The only question . . . is whether holding AOL liable for its alleged negligent failure to properly police its network for content transmitted by its users - here, the “punter” signal and the derogatory comments - would “treat” AOL “as the publisher or speaker” of that content.” In other words, “Green . . . attempts to hold AOL liable for decisions relating to the monitoring, screening, and deletion of content from its network - actions quintessentially related to a publisher’s role. Section 230 “specifically proscribes liability” in such circumstances.”

Seems like the court is looking to the good samaritan filtering provisions (which immunize networks for their filtering decisions - e.g., Kaspersky/Pallorium) to bolster its reading of speaker immunity.  Ultimately, it could come down to how the court views Section 230 from a policy standpoint.  I guess it may not make sense to distinguish between content which is intended to communicate and content such as programs/downloads?  I could see how opening up networks for liability against harmful content in the latter category would be equally disruptive to the internet as we know it . . . .  I think we'll see this issue hashed out again.  Green was decided in the AOL circuit and dealt with what seemed like a personal vendetta with a small damage dispute.  [Correction: Green was decided in the Third Circuit, which does not include Virginia, but it's close enough!]