In the wake of a data leak that exposed millions of users of the infidelity dating website Ashley Madison, a rush of lawsuits have followed, alleging, mostly, that Ashley Madison failed when it came to security.
But a new lawsuit filed against Amazon Web Services, GoDaddy and sites that made the Ashley Madison information searchable has a unique legal strategy: it wants to hold the defendants to blame for aiding and abetting hackers in the spread of stolen data. The three litigious users may have been outed by the leak but they're staying anonymous in court, filing the $3 million suit last week in Arizona District Court as "John Does." Their suit alleges that websites such as ashleymadisoninvestigations.com and ashleymadisonpowersearch.com took stolen information and made it easily available for public perusal, and that Amazon Web Services and GoDaddy became complicit by failing to comply with requests to remove the stolen data from their servers.
"While these persons and entities may labor under the belief that their actions are entrepreneurial rather than criminal," the suit reads, "the fact remains that they are in willful possession of stolen property."
GoDaddy and Black Rock Investigations, which runs ashleymadisoninvestigations.com, both declined to comment on pending litigation. Ashleymadisonpowersearch.com told Fusion that "the weakness of the arguments and blatant misstatement of the law in the complaint only reaffirm that what we are doing is legal." Amazon and other websites named in the suit did not respond to requests for comment.
There's a broad U.S. law, Section 230 of the Communication Decency Act, that protects those on the Internet from getting sued for information provided by others, that would be these companies' and websites' first line of defense. Last year, for example, a Texas state court found that GoDaddy was liable for hosting the revenge porn website Texxxan.com, but the decision was overturned by a higher court because of Section 230. Thus far, it has been basically impossible to win a lawsuit that holds a company or person accountable for online content published or created by others. That's why there were no legal repercussions last year for sites like Imgur where hacked nude photos of celebrities that leaked online were re-posted.
Saying that Amazon and GoDaddy were complicit in the theft is a stretch. As University of Maryland law professor Danielle Citron pointed out, we probably wouldn't want the kind of internet where Amazon could get in trouble for what someone else puts up online. Citron predicted that Amazon and GoDaddy will get the lawsuit dismissed with a Section 230 claim.
But sites such as ashleymadisoninvestigations.com that made hard-to-access information easily searchable and then profited off of it might be easier to pin as bad actors who worked in cahoots with hackers to illegally distribute stolen information. Given the media frenzy surrounding the hack, it would be hard for the sites operators to claim they didn't know the information was stolen.
Courts have started reining in the broad protections of Section 230, and some legal experts think the the Ashley Madison case could potentially reshape who we fault for the way leaked information spreads virally online — and how to stop that spread.
Recently, said Erica Johnstone, a partner in the law firm Ridder, Costa & Johnstone who specializes in defending people who have been harmed online, courts have moved away from what she called an "an absolutist section 230 position."
When a rape victim sued a networking website called Model Mayhem, she alleged that the site knew her attackers were preying on users of the site and failed to warn them. The court dismissed Model Mayhem's Section 230 defense saying that Congress didn't intend Section 230 to be a "all purpose get-out-of-jail-free card for businesses that publish user content on the Internet." Cases against operators of so-called revenge porn sites have used similar strategies, going after site operators for crimes other than simply hosting information.
In the Ashley Madison suit, the John Does argue not simply that the defendants were responsible for making the stolen data available for public consumption but that by doing so they were party to theft.
"By making the Stolen Data available and searchable through [websites] with an eye toward profiting off the implication that Plaintiffs and other Users are adulterers, the [people who ran those sites] engaged in outrageous misconduct," the suit argues.
Johnstone thinks this tactic might have a shot.
"Everyone knows that if defense counsel can force section 230 to show up, it is just about a guaranteed victory for the defense," said Johnstone. "In Model Mayhem, that strategy backfired. It shows mounting judicial skepticism toward a litigation strategy that attempts to transform everything into a section 230 event."
"For a long time, we've seen the expansion of Section 230 and First Amendment principles to erode the ability for government to regulate internet commerce or to courts to issue orders that impinge upon those rights," said Johnstone.
But, she said, "public sentiment is changing quickly on this issue."
"The Ashley Madison hack made public not the private sex lives of celebrities but the private sex lives of millions of private citizens. And it's highlighted how hard it is to get this kind of data offline — the only legal remedy, really, is claiming copyright and filing a takedown notice. Ashley Madison tried this, but of course federal copyright law is no match for the internet's viral public shame machine.
"The public is starting to realize that perhaps we don't want to live in a world where the content we consume is procured by hackers and then third parties arrange a neat system of passing the buck where everyone is immunized by federal law and the public humiliation click bait industry thrives at the expense of real people," said Johnstone.
Other legal experts were skeptical.
"Are these sites exacerbating an already harmful situation. Yes," said Woodrow Hartzog, a privacy law expert at Samford University. "But that doesn't mean they should lose immunity."
Section 230, he said, still provides important protections that keep the internet the free, open place that it is. "Twisting" laws like stolen property to keep information offline, he said, threatens the internet ecosystem.
"It’s not that there’s no legitimate harm here," he said. "There certainly is. It’s that it’s a harm we’re still struggling to answer in the law."
But this new lawsuit may be coming at a time of sea change in how the Internet treats the posting of embarrassing and illegal information. So-called "revenge porn" is being steadily driven off the Internet as platforms like Google and Reddit ban it. Could "revenge data" also be pushed offline? People like Danielle Citron have long called to rethink Section 230, which was authored in the early days of the commercial internet.
Entrepreneurs profiting off of a hack that wreaked havoc on millions of lives were not the people who Section 230 was dreamed up to protect. She said we need more robust protections for stolen data and a provision in the law to easily get it taken down.
"There’s such a wild west feel to all of this," she said. "There’s stolen data sold and it's marketed in this feeding frenzy of humiliation. What kind of civil society allows that?"
But, like most forms of frontier justice, it's a slippery slope. It may not be in the public interest to be able to search whether your neighbor had an Ashley Madison account, but what about your husband, or Congressman? And is it only unacceptable to publish such information when you're directly profiting off of it by charging, or is it also unacceptable if the gain is just for fun?
Publishing something like, say, a Hulk Hogan sex tape, often gets defended as "free speech" and "in the public interest
But the line where "free speech" becomes "stolen property" is still fuzzy.