The problem of rogue crypto-related mobile apps has received a lot of attention lately. Back in July 2022, the FBI issued a notice warning financial institutions and investors about cases in which criminals were creating fake cryptocurrency wallet apps to deceive consumers and steal their cryptocurrency. There have also been reports of phishing websites attempting to trick consumers into entering credentials, allowing hackers to gain access to victims’ crypto wallets. In response to these developments, Senator Sherrod Brown recently sent a letter to Apple, among others, expressing his concern about rogue cryptocurrency apps and asking for more information on Apple’s process for reviewing and approving crypto apps for inclusion in the App Store.
In a recent ruling, a California district court held that Apple, as the operator of the App Store, is protected from liability for losses resulting from this type of fraudulent activity. (Diep v Apple Inc., #21-10063 (ND Cal. 2 Sept 2022)). This case is significant because it shows that a platform provider can use both legal and contractual safeguards in a motion to dismiss to avoid liability for the actions of third-party cybercriminals.
Facts and Decision
The case concerned claims by a putative class of users who had downloaded a rogue third-party digital wallet app that allowed hackers to steal users’ cryptocurrency. An App Store user claimed that she downloaded the rogue app, which spoofed a legitimate app, entered her personal information during registration, and linked her cryptocurrency to the app by entering her private key. The plaintiff soon found that her cryptocurrency was gone and her account was deleted, and subsequently learned that the digital wallet app she downloaded was actually a phishing program designed for the sole purpose of stealing users’ cryptocurrency and forwarding it to the hackers’ personal accounts.
The plaintiff sought to hold Apple liable for its role in reviewing and making the fraudulent app available on the App Store. In September 2021, the plaintiff filed the putative class action lawsuit against Apple as the operator of the App Store, asserting claims under various federal statutes, including the Computer Fraud and Abuse Act (CFAA), as well as state consumer protection statutes. The plaintiff generally claimed that Apple was liable for the authorization and distribution of a fraudulent app on its app store, while stating that its app store is “a safe and trusted place” and that Apple guarantees “that the services we offer Apps meet the highest standards of privacy, security and content…”
Apple moved to dismiss the amended complaint on a number of grounds, including that it was immune under CDA Section 230 for its conduct in hosting a third-party digital wallet app and that the limitation of liability provision in its terms of service bars the plaintiff’s claims related to third-party apps. The court granted the motion to dismiss, finding that Apple was indeed protected from such liability by Section 230 of the Communications Decency Act (“CDA”). Aside from the plaintiff’s failure to persuade the court that Apple’s actions did not fall under CDA Section 230, the plaintiff also failed to refute the argument that the limitation of liability clause in Apple’s terms is enforceable with respect to the various claims.
The Communications Decency Act
Section 230 of the CDA states that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” 47 U.S.C. § 230(c)(1). As courts consistently recognize, the CDA immunizes online services from all types of claims for third-party content they publish.
After readily finding that the App Store is an “interactive computer service” under the CDA, the court needed to determine whether the plaintiff’s claims attempted to treat Apple as a publisher or speaker with respect to content in the App Store. Courts have generally found that publishing activity involves reviewing, editing, and deciding whether to publish or withdraw third-party content, and here the court found that Apple’s review and authorization of the crypto app for distribution in the App Store was “publishing by nature.”
On the last element of the CDA analysis, the court quickly found that the material published (i.e., the crypto app) was not developed by Apple but was provided by another content provider. Plaintiffs argued that a statutory exception from the CDA for the enforcement of federal criminal statutes (47 U.S.C. § 230(e)(1)) should apply to civil claims under federal statutes that provide for both civil and criminal causes of action, including the CFAA. However, the court found that the limitation of CDA immunity in Section 230(e)(1) extends only to criminal prosecutions and not to civil actions based on criminal statutes.
As for the plaintiffs’ federal consumer protection claims, the court ruled that the claims were insufficiently pleaded and in each case essentially attempted to hold Apple liable for the release of the crypto app, conduct that, as already noted, is protected by CDA Section 230.
The court also found an alternative basis for dismissal, ruling that the limitation of liability contained in Apple’s terms, which provides that the company is not liable for damages arising “out of or in connection with the use” of third-party apps, was enforceable against the plaintiff’s claims arising from damage caused by third-party apps.
Advances in distributed ledger technology for financial services have led to dramatic growth in markets and services related to cryptocurrency and digital assets in general. While this brings with it the potential for welcome financial innovations, it also opens up new avenues for cybercriminals to perpetrate financial fraud and theft, including through fake crypto apps and phishing sites.
This case suggests that, at least under such facts, interactive platforms should not be the source of a legal remedy for any person or company cheated by a third-party application available on their platforms. A different result could affect the ability to do business as a platform provider. The case is also a more general reminder that CDA Section 230 can be a strong shield, protecting against liability for many types of third-party content.
The case also underscores the importance of a well-formulated liability limitation clause in user agreements.
The case also highlights the need for providers of all types of interactive services to exercise caution when making claims about the security of user data. Although Apple was able to avoid liability in this case, a slightly different set of facts might have led to a different outcome on some of the issues in this case.
Finally, given the realities of the digital fraud world in which we live, this case emphasizes that investors must exercise great vigilance before downloading any digital wallet app or entering their e-wallet credentials into any application.
© 2022 Proskauer Rose GmbH. National Law Review, Volume XII, Number 259