App Store protected from crypto fraud liability by CDA Immunity

Background

The issue of fake crypto-related mobile apps has received a lot of attention lately. Back in July 2022, the FBI issued a notice warning financial institutions and investors about cases where criminals created fake cryptocurrency wallets to trick consumers and steal their cryptocurrency. There have also been reports of phishing sites attempting to trick consumers into entering credentials, thereby giving hackers access to victims’ crypto wallets. In response to these developments, Senator Sherrod Brown recently sent a letter to Apple, among others, expressing his concern about fake cryptocurrency apps and asking for more information on the details of Apple’s process for reviewing and approving crypto apps for inclusion in the App Store.

In a recent decision, a California district court ruled that Apple, as the operator of the App Store, was protected from liability for losses resulting from that type of fraudulent activity. (Diep v. Apple Inc., No. 21-10063 (N.D. Cal. Sept. 2, 2022)). The case is significant because it shows that, on a motion to dismiss, a platform provider could use both statutory and contractual protections to avoid liability for the actions of third-party cybercriminals.

The facts and the decision

The case involved claims by a putative class of users who downloaded a fake third-party digital wallet app that allowed hackers to steal users’ cryptocurrency. An App Store user alleged that she downloaded the fraudulent app that spoofed a legitimate app, and during registration, entered her personal information and linked her cryptocurrency to the app by entering her private key. Plaintiff soon discovered that her cryptocurrency was gone and her account deleted, and later learned that the digital wallet app she had downloaded was actually a phishing program designed for the sole purpose of stealing users’ crypto and routing it to the hackers’ personal accounts.

The plaintiff sought to hold Apple responsible for its role in investigating and making the fraudulent app available in the App Store. In September 2021, the plaintiff filed the putative class action against Apple, as the operator of the App Store, alleging claims under various federal laws, including the Computer Fraud and Abuse Act (CFAA), as well as under state consumer protection laws. Plaintiff generally argued that Apple was responsible for authorizing and distributing a fraudulent app in the App Store, while representing that the App Store is “a safe and trusted place” and that Apple ensures “that the apps we offer are held to the highest standards of privacy . . , security and content ….”

Apple moved to dismiss the amended complaint on a number of grounds, including that it was immune under CDA Section 230 for its conduct in hosting the third-party digital wallet app and that the limitation of liability within the terms of service barred plaintiff’s claims related to third-party apps. The court granted the motion to dismiss, holding that Apple was indeed protected by Section 230 of the Communications Decency Act (“CDA”) from such liability. In addition to failing to convince the court that Apple’s actions fell outside CDA Section 230, the plaintiff also failed to overcome the argument that the limitation of liability clause in Apple’s terms was enforceable with respect to the various claims.

The Communications Decency Act

Section 230 of the CDA states that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” 47 U.S.C. § 230(c)(1). As the courts recognize, the CDA immunizes online services from all kinds of claims for third-party content that they publish.

Having simply determined that the App Store is an “interactive computer service” under the CDA, the court had to decide whether the plaintiff’s claims sought to treat Apple as a publisher or speaker with respect to content on the App Store. Courts have generally found that publishing activity includes reviewing, editing, and deciding to publish or withdraw from publishing third-party content, and here the court found that Apple’s review and approval of the crypto app for distribution on the App Store was “inherent publishing activity.”

Under the last prong of the CDA, the court quickly found that the published material (i.e., the crypto app) was not developed by Apple, but was provided by another content provider. The plaintiffs argued that a statutory exception to the CDA for enforcement of federal criminal laws (47 U.S.C. § 230(e)(1)) should apply to civil claims under federal statutes providing both civil and criminal causes of action, including the CFAA; however, the court stated that it was well settled that § 230(e)(1)’s limitation on CDA immunity extends only to criminal prosecutions, and not to civil actions based on criminal statutes.

As for the plaintiffs’ state law consumer protection claims, the court ruled that the claims asserted were insufficiently pled and, in any event, essentially sought to hold Apple liable for its publication of the crypto app, conduct already protected by CDA Section 230.

The court also found an alternative basis for dismissal, ruling that the limitation of liability in Apple’s terms, which states that the company is not liable for damages “arising out of or related to the use of” third-party apps, was enforceable against the plaintiff’s claims arising from damages caused by third-party apps.

Final thoughts

Advances in distributed ledger technology for financial services have led to dramatic growth in markets and services related to cryptocurrency and digital assets in general. While this offers the potential for welcome financial innovations, it also opens up new avenues for cybercriminals to perpetrate financial fraud and theft, including through fake crypto apps and phishing websites.

This case suggests that, at least under facts such as these, interactive platforms should not be the source of a remedy for any person or business defrauded through a third-party application available on their platforms. A different result may impair the ability to do business as a platform provider. The case is also a more general reminder that CDA Section 230 can be a powerful shield protecting against liability for many types of third-party content.

The case further highlights the importance of a well-designed limitation of liability clause in user agreements.

The case also highlights that providers of all types of interactive services must be very careful when making statements about the security of user data. While Apple was able to avoid liability in this case, a slightly different set of facts could possibly have resulted in a different outcome on some of the issues in this case.

Finally, given the realities of the world of digital fraud we live in, this case underscores the need for investors to exercise great vigilance before downloading a digital wallet app or entering their e-wallet credentials into any application.

© 2022 Proskauer Rose LLP. National Law Review, Volume XII, Number 259
