I posted a while back about the spread of the Koobface virus via Facebook [link].  The question was whether Facebook could be liable for spreading the virus.  In comments, Professor Goldman pointed out (citing cases) that Facebook is likely protected by Section 230.  Duly noted!

However, in the past month, there have been a slew of stories about people inflicting harm via social networks:

• WSJ, "Beware of Facebook Friends That May Trash Your Laptop":  "The message that popped into Laurie Gale's Facebook inbox last month seemed harmless enough -- a friend had seen a video of Ms. Gale and had sent a link so Ms. Gale could view it. The link led to a video site that prompted her to update her video software, which she did.  Within seconds, everything started shutting itself down . . . ."
  
  
• Ynetnews, "Who Hacked My Facebook Account":  "How does one make a career from breaking into websites? Ask Rafel Ivgi and Nir Goldshlager, who discover security breaches and fix them.  The two men's latest discovery is an SQL injection attack on Facebook's applications. We approached the social network with information on the breach, but the company did not respond and the breach hasn't been fixed."
  
  
• DarkReading, "Twitter Clickjacking Hack Released" "A Web developer has released a proof-of-concept clickjacking attack targeting Twitter that demonstrates how an attacker could take over a member's "update" function on the microblogging site."
  
  
• Threat Level:  "Weak Password Brings Happiness to Twitter Hacker":  "The hacker, who goes by the handle GMZ, told Threat Level on Tuesday he gained entry to Twitter's administrative control panel by pointing an automated password-guesser at a popular user's account. The user turned out to be a member of Twitter's support staff, who'd chosen the weak password "happiness."  Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts."
  
  
• cNet / Social:  "Teen Blackmailed Classmates Via Facebook" 
  

So what's the basis for liability against the networks?  Two possible ones, both of which seem fairly far-fetched, but could gain traction in time.  Both of these avoid the scope of Section 230, since they don't seek to hold the networks liable for 'content' (this distinction seems flimsy and doesn't get much traction in Section 230 cases but I think it may here).
 
First, the networks have a duty to protect their users.  I mentioned this in the context of the Koobface virus and it still seems viable, particularly where (unlike in the Koobface context) the basis of the claim isn't harmful content made available by the networks.  The networks are the only ones who monitor and address security issues.  They have an obligation to maintain minimum standards.  Particularly when issues are brought to their attention and they are left unaddressed I can see a court being sympathetic.  Heck, even Facebook compares itself to a country, and networks often use the "third space" analogy, so it's not far-fetched to make a premises-based analogy.  Landlords have a duty to maintain and police common areas, there's no reason why networks such as Facebook should not have to do the same.

Second, the networks have a duty to warn their users of the risks of using the networks.  I think this may be the more viable of the two.  Recently, a blog unaffiliated with Facebook offered tips:  "10 Privacy Settings Every Facebook User Should Know".  I'm not a huge Facebook fan but I use it, and many of these tips were just not that obvious to me.  This was just one widely read article on this topic.  This raises the question of whether Facebook should be warning its users of the dangers lurking within.  Should it offer privacy tips?  Should it offer information regarding potential security breaches?  Specific warnings?  Should it come with a user manual?  I don't think the FAQ or the terms of service (which no one reads anyway) contain the type of warnings that are typically required on products. 

I don't know the answers to the above questions, but I'm guessing that enterprising lawyers will find out soon enough.

Added:  a couple of cases actually have discussed a similar issue.  In the Doe v. MySpace case an underage plaintiff who met a miscreant through MySpace sought to hold MySpace liable.  The trial court dismissed [link] and the Fifth Circuit affirmed [link].  The plaintiff in that case argued that MySpace as the virtual premises owner had a duty to protect, and the court didn't buy it.  The trial court (citing to Doe v. GTE Corp., a Seventh Circuit case) discussed this issue a bit more than the court of appeals.  In any event, both courts addressed and rejected plaintiff's argument that liability was not premised on "content".  I still think that a hack or security breach case fundamentally differs, and there's room for courts to come to a different conclusion, but wanted to point out that a few cases have addressed the issue, giving this theory of liability a chilly reception.  (Note to self: when spouting off on theories, make sure to discuss the cases!)