It’s the Beginning of the End of the Internet’s Legal Immunity

On Wednesday the Senate commerce committee unanimously voted to send the “Stop Enabling Sex Traffickers Act of 2017” (SESTA) to the Senate floor. SESTA, the original version of which was introduced in August by a bipartisan group of senators, would make technology companies liable to state criminal prosecutions and federal or state civil suits if they have knowledge of user-generated content that facilitates sex trafficking but fail to act (for example, by taking the content down or blocking the offending users). SESTA accomplishes this by amending Section 230 of the Communications Decency Act of 1996 (CDA), a cornerstone of internet law, which generally immunizes technology companies from lawsuits that seek to treat them as publishers or speakers of content that the companies’ users generate or share.

Despite this important procedural vote, SESTA’s enactment is far from a done deal; shortly after the bill was voted out of committee, Sen. Ron Wyden, an original co-sponsor of CDA 230 and a consistent SESTA critic, announced that he was putting a senatorial hold on SESTA, blocking further action on the bill. And SESTA still faces strong opposition from some digital civil-society groups — the Electronic Frontier Foundation has called it “disastrous for free speech online.” But in a significant victory for the bill’s supporters, major technology companies have in the past several days declared their support. SESTA, a rare site of bipartisan cooperation in Congress (the bill currently has dozens of Republican and Democratic co-sponsors), has a very real chance of becoming law.

If it does, its effects will go far beyond sex trafficking. In the short term it might inspire similar bills, including ones to combat national-security threats online. And in the long term it could fundamentally reshape how we regulate the internet.

First, some background on CDA 230. Section 230(c)(1), the heart of the provision, provides that a website or other internet service shall not “be treated as the publisher or speaker of any information provided by” a user or other party. Although federal criminal prosecutions are exempted from CDA 230 immunity, the statute nevertheless provides a broad liability shield to internet companies when a lawsuit turns on user-generated content. And as currently written, CDA 230 prevents a state attorney general or a victim of sex trafficking from suing a company on the grounds that the company hosted sex-trafficking content. By eliminating immunity where the company was “knowingly assisting, supporting, or facilitating” sex-trafficking, SESTA would permit many of those suits to proceed.

SESTA goes far beyond Congress’s most recent effort to combat online sex-trafficking: the 2015 SAVE Act (Section 118 of the Justice for Victims of Trafficking Act of 2015), which made it a federal crime to knowingly sell advertisements for sex trafficking. The SAVE Act was designed to go after websites like Backpage, an online classifieds service that hosts prostitution advertisements and whose repeated success in invoking CDA 230 to fight off sex-trafficking suits has been a major impetus behind SESTA (and its companion House bill, the “Allow States and Victims to Fight Online Sex Trafficking Act of 2017”). Unlike the SAVE Act, SESTA would make technology companies liable not only for paid advertisements but also for known user posts that promote sex trafficking. Importantly, SESTA does not require companies to proactively search out and take down sex-trafficking content: A standard notice-and-takedown system—by which users flag offending materials which the companies then review and remove if appropriate—would likely be enough for companies to keep their CDA 230 immunity. (For more detailed legal analysis of SESTA and its relationship to existing law, including the SAVE Act and CDA 230, Eric Goldman has been providing excellent commentary, albeit highly critical of the legislation.)

CDA 230 is universally regarded as a landmark internet law. By shielding technology companies, especially start-ups, from liability, it’s credited with facilitating the innovation and explosive growth of the early internet. And by freeing companies from having to worry about liability for what their users post, it largely eliminated the spectre of “collateral censorship”: when, as Felix Wu explains, “a (private) intermediary suppresses the speech of others in order to avoid liability that otherwise might be imposed on it as a result of that speech.” Because the First Amendment doesn’t prevent private companies from blocking content or users from their platforms, CDA 230, not the Constitution, is the most important legal driver of digital free expression. For these reasons, CDA 230 enjoys near-mythic status among internet activists and technology companies. Talk of restricting its liability shield is a third rail of internet-policy debates, and the law has remained largely untouched in its over-two-decade lifespan—a remarkable feat given how much the internet has changed since the mid-1990s and how central to modern society it has since become.

It was thus unsurprising that, when SESTA was first introduced over the summer, leading technology companies came out in strong opposition to the bill. Both on their own behalf (as Google did) and through trade groups like the Internet Association, the companies argued that SESTA’s abridging of CDA 230 immunity would hurt small websites and technology companies, disincentivize companies from investigating their services for sex-trafficking content (to avoid the liability that would attach given knowledge of such content), lead companies to over-censor user content, and encourage other countries to restrict internet freedom for their own citizens. But the companies ultimately came out in favor of a slightly revised version of SESTA that keeps the major features of the original bill intact. Why the tech giants came around on SESTA is still somewhat unclear. Pressure to play nice, especially in the wake of the scandal over Russia’s use of social media companies to interfere in the 2016 election, certainly played a part. The larger technology companies also probably recognized that SESTA’s real danger is not to them but rather to start-ups and small companies that lack the infrastructure and resources to handle the increased moderation load and litigation exposure that SESTA brings.

In the end, the big tech companies may have simply decided that SESTA was not the hill they wanted to die on and that it would be wiser to postpone a CDA 230 showdown for when they wouldn’t have to take a stand against a group as sympathetic as sex-trafficking victims. Whatever their reasons, the tech companies may have created a serious long-term problem for themselves. By cutting back on CDA 230 immunity, SESTA fundamentally changes the paradigm for thinking about internet regulation and sets a precedent for future immunity restrictions. Goldman has made a similar argument: “Given Congress’ prevailing hostility to Internet companies, it’s possible SESTA will break open the regulatory floodgates and Congress will turn Section 230 into Swiss cheese where every victim advocacy group gets their ‘justice.’” One can argue over whether Goldman’s dim view of the swiss-cheesification of CDA 230 is justified, but his broader prediction as to SESTA’s effects on internet regulation is no doubt correct. SESTA’s enactment would be a very big deal for the future of the internet, with implications going far beyond the issue of sex trafficking.

An obvious question is whether Congress will seek to replicate SESTA when it comes to national-security offenses. After all, why should we deny victims of terrorism and their families the chance to get justice if they can trace their harms to terrorism-facilitating content that technology companies knowingly permitted to be posted or shared? On Lawfare, Benjamin Wittes and Zoe Bedell have previously explored the effects of CDA 230 on suits against technology companies like Twitter and Facebook for providing material support to terrorists. Although they argued that CDA 230 shouldn’t bar such suits, federal courts have so far disagreed; for example, in May, a federal district court threw out a material-support suit against Facebook in part on CDA 230 grounds, and another court dismissed a similar lawsuit against YouTube/Google late last month. If terrorism victims continue to find the doors to the courthouse blocked by CDA 230, we could easily see a material-support version of SESTA introduced in Congress soon.

SESTA would spur copycat legislation for another reason: Its very existence would threaten lawsuits that are structurally similar to those that fall under SESTA’s scope (sex trafficking) but that allege other types of illegal underlying conduct, whether material support, fraud, harassment, or any manner of conduct that, absent CDA 230, would expose websites and platforms to liability. This is because companies could point to SESTA as evidence that, since Congress felt it necessary to enact SESTA, CDA 230 immunity should, as a matter of statutory interpretation, be read expansively absent clear legislative language to the contrary. This argument, while beneficial to defendants in the short term, could prove a pyrrhic victory if it leads to additional SESTA-style narrowing of CDA 230 immunity.

Zooming out from the particulars of the bill itself, SESTA is an example of how long-lasting regulatory paradigms can suddenly destabilize. Laws and their corresponding social norms enjoy a close and mutually reinforcing relationship. As I’ve described previously, CDA 230 immunity has allowed companies to argue (accurately) that they are not legally responsible for the content their users post; this lack of legal responsibility in turn strengthens their normative argument that, because they’re merely platforms, we shouldn’t want to hold them responsible for user content. And this argument in turn has helped fend off attempts to chip away at CDA 230. Tight law-norm feedback loops of this sort can create durable and long-lasting equilibria, as we’ve seen over the multi-decade history of CDA 230. But such equilibria are susceptible to external shocks — here the combination of sex trafficking as an area of serious public-policy concern and a changing political and social landscape that’s less favorably inclined to technology companies and increasingly unwilling to defer to their judgment and policy preferences.

If SESTA is enacted, it will break this equilibrium by taking away the argument that CDA 230 immunity is sacrosanct and that limitations on it should be excluded from the policy conversation. SESTA will thus make conceptual space for the kind of regulation—including, as the bill does, through enforcement of federal regulatory goals by state governments and private litigants — that technology companies have until now successfully fended off. As someone who’s generally impatient with internet-exceptionalism arguments — in particular, invocations of platform status as a trump against any and all liability — I think that the increased conceptual flexibility that SESTA brings to debates over internet regulation is a good thing.

At the same time, the fact that we should stop treating CDA 230 as untouchable doesn’t mean that limiting it in any particular case — whether through SESTA or some other legislation — is good policy. SESTA’s detractors make valid arguments about its dangers to free expression (because it incentivizes collateral censorship on the part of risk-averse companies), innovation (especially for startups and small websites), and even to sex-trafficking victims themselves (if SESTA forces sex-trafficking content to migrate to more underground platforms where it is harder to monitor). That’s why SESTA’s effects will be so important — the bill will no doubt serve as a template for future efforts at internet regulation, and its effects will be key evidence.