Should We Cheer The California Attorney General's Revenge Porn Arrest--Or Find It Alarming? (original) (raw)
California Attorney General building (Photo credit: Wikipedia)
The California Attorney General's office announced the arrest of Kevin Christopher Bollaert for his role in a revenge porn scheme. Most folks are cheering the arrest for understandable reasons: revenge porn is odious, especially when victims must pay to remove content. But I wasn't cheering when I saw the prosecutor's explanation of Bollaert's alleged crimes. The complaint exhibits the kind of intellectual corner-cutting we typically see when a prosecutor decides a person should go to jail even if no crime actually fits the facts. Furthermore, the complaint does a lousy job distinguishing between Bollaert's behavior and the ordinary day-to-day activities of user-generated (UGC) websites, exacerbating fears that the California Attorney General's office could capriciously turn against the websites we love and cherish. Once you understand how the prosecutors are (mis?)interpreting the law, I think you'll be cringing too.
Bollaert allegedly operated the "UGotPosted" UGC website that published over 10,000 nude photographs uploaded by users, along with "personal identifying information" of the people depicted in the photos such as their names, locations, ages and links to their Facebook and other social media pages. The complaint further alleges that Bollaert didn't respond to over 2,000 takedown requests from people depicted in the photos. Bollaert allegedly created a second site, ChangeMyReputation, that offered to take down the photos and associated personal information for a fee.
There is nothing commendable about this scheme. It is opportunistic and exploitative. But is it criminal?
Even though the California legislature just passed a new revenge porn crime, the prosecutors didn't mention it (I don't believe it takes effect until January 1). Instead, the complaint alleges that Bollaert committed the crime of felony identity theft. Given that no one created fake online profiles, hacked any bank accounts, or impersonated another person, how did prosecutors reach this surprising conclusion?
Over the years, states have enacted ridiculously broad identity theft laws--so broad that some have been struck down as unacceptably vague. The crime asserted here, Penal Code 530.5(a), has two elements. First, the defendant must willfully obtain personal identifying information. Second, the defendant must use that information for an unlawful purpose.
When applied to actual identity theft, these elements make sense. If I steal your social security number and use it to obtain a credit card that I use to run up fraudulent charges, the two elements are clearly satisfied.
As applied to Bollaert, in contrast, the elements are confusing. (The criminal complaint, as typical for the genre, doesn't explain how the law applies to the facts). How did Bollaert willfully obtain personal identifying information? He allegedly ran a UGC website where users could submit photos and personal information structured into standardized categories. It seems like this allegation would equally describe how all UGC websites "willfully" obtain content from their users.
OK, so how did Bollaert use the personal information for an unlawful purpose? The arrest warrant indicates three different unlawful purposes.
First, the prosecutors allege that pay-to-remove-content constitutes extortion. I think most of us would colloquially refer to an offer to suppress information about a person in exchange for money as "extortion," but did it satisfy the criminal elements of extortion? I believe that's an untested legal question (recall a similar allegation against Topix). On the plus side, the allegations clearly assert that Bollaert himself, not his users, established and controlled the pay-to-remove scheme.
The other two asserted unlawful purposes are (1) online harassment per Penal Code 653m(b) (criminalizing "repeated contact by means of an electronic communication device"), and (2) the civil tort of public disclosure of private facts (citing a troubling precedent, In Re Rolando S.). Unlike the extortion claim, both allegations depend on the behavior of the website's users. The complaint doesn't allege that Bollaert himself made repeated contacts with victims using an electronic communication device, or that Bollaert himself disclosed anyone's private facts. Instead, the complaint alleges that Bollaert ran a UGC website where users performed unlawful activities. But that's exactly what UGC websites do: they let users publish content online for both good and evil. If we hold UGC website operators responsible for the fact that their users sometimes commit crimes, then all UGC website operators are criminals.
Fortunately, that's not the law. In 1996, in 47 USC 230 (Section 230), Congress said that websites aren't liable for third party content, even if the third party violates state criminal law. From my perspective, based on the allegations in the complaint and arrest warrant, the identity theft charges predicated on harassment and privacy violations appear to be preempted by Section 230 (I'm reserving judgment on the extortion-based claims, which I think pose harder questions). If the prosecution gets that far, the prosecutors will surely assert some rarely successful exceptions to Section 230. Prof. Ryan Calo explores that possibility.
I doubt we'll get a judge's take to these crucial Section 230 questions. Like most defendants overwhelmed by a prosecutor's power and resources, Bollaert probably will take a plea deal that lets him enjoy at least some of his remaining years. A plea deal will also allow the California Attorney General's office to issue the inevitable press release proudly touting how it was tough on crime and implicitly asking for our applause. Whether you'll still be applauding probably depends on if you believe the ends can justify the means.