The District of Utah ruled in late May that Section 230 of the Communications Decency Act, 47 U.S.C. §230 (“CDA”) shields The Tor Project, Inc. (“Tor”), the organization responsible for maintaining the Tor Browser, from claims for strict product liability, negligence, abnormally dangerous activity, and civil conspiracy.
The claims were asserted against Tor following an incident where a minor died after taking illegal narcotics purchased from a site on the “dark web” on the Tor Network. (Seaver v. Estate of Cazes, No. 18-00712 (D. Utah May 20, 2019)). The parents of the child sued, among others, Tor as the service provider through which the teenager was able to order the drug on the dark web. Tor argued that the claims against it should be barred by CDA immunity and the district court agreed.
The Onion Router, or “Tor” Network, was originally created by the U.S. Naval Research Laboratory for secure communications and is now freely available for anyone to download from the Tor website. The Tor Network allows users to access the internet anonymously and allows some websites to operate only within the Tor network. Thus, the Tor Network attempts to provide anonymity protections both to operators of a hidden service and to visitors of a hidden service. The Tor browser masks a user’s true IP address by bouncing user communications around a distributed network of relay computers, called “nodes,” which are run by volunteers around the world. Many people and organizations use the Tor Network for legal purposes, such as for anonymous browsing by privacy-minded users, journalists, human rights organizations and dissidents living under repressive regimes. However, the Tor Network is also used as a forum and online bazaar for illicit activities and hidden services (known as the “dark web”). The defendant Tor Project is a Massachusetts non-profit organization responsible for maintaining the software underlying the Tor browser.
To qualify for immunity under the CDA, a defendant must show that 1) it is an “interactive computer service”; 2) its actions as a “publisher or speaker” form the basis for liability; and 3) “another information content provider” provided the information that forms the basis for liability. The first factor is generally not an issue in disputes where CDA immunity is invoked, as websites or social media platforms typically fit the definition of an “interactive computer service.” The court found that Tor qualified as an “interactive computer service” because it enables computer access by multiple users to computer servers via its Tor Browser. The remaining factors were straightforward for the court to analyze, as the plaintiff sought to hold Tor liable as the publisher of third-party information (e.g., the listing for the illicit drug).
The outcome was not surprising, given that courts have previously dismissed tort claims against platforms or websites where illicit goods were purchased (such as the recent Armslist case decided by the Wisconsin Supreme Court where claims against a classified advertising website were deemed barred by the CDA).
The questions surrounding the court’s ability to even hear the case also posed interesting jurisdictional questions, as the details of the Tor network are shrouded in anonymity and there are no accurate figures as to how many users or nodes exist within the Utah forum. The court determined that, under plaintiff’s rough estimation, there were around 3,000-4,000 Utah residents who used Tor daily and perhaps, became part of the service (“Plaintiff has set forth substantial evidence to support the assumption that many of these transactions and relays are occurring in Utah on a daily basis”). In a breezy analysis, the court found that plaintiff had provided sufficient evidence to set forth a prima facie showing that Tor maintains continuous and systematic contacts in the state of Utah so as to satisfy the general jurisdiction standard.
This case is a reminder of the breadth of the CDA, as well as a reminder that many of its applications result in painful and somewhat controversial outcomes.
© 2023 Proskauer Rose LLP.