Background

The issue of fraudulent crypto-related mobile apps has received much attention of late.  Back in July 2022, the FBI issued a notice, warning financial institutions and investors about instances where criminals created spoofed cryptocurrency wallet apps to trick consumers and steal their cryptocurrency. There have also been reports of phishing websites that attempt to trick consumers into entering credentials, thereby enabling hackers to access victims’ crypto wallets. In response to these developments, Senator Sherrod Brown recently sent a letter to Apple, among others, expressing his concern about fraudulent cryptocurrency apps and asking for more information about the particulars of Apple’s process to review and approve crypto apps for inclusion in the App Store.

In a recent ruling, a California district court held that Apple, as operator of that App Store, was protected from liability for losses resulting from that type of fraudulent activity. (Diep v. Apple Inc., No. 21-10063 (N.D. Cal. Sept. 2, 2022)). This case is important in that, in a motion to dismiss, a platform provider was able to use both statutory and contractual protections to avoid liability for the acts of third party cyber criminals.

The Facts and Decision

The case involved claims brought by a putative class of users who downloaded a fraudulent third party digital wallet app that allowed hackers to steal users’ cryptocurrency. An App Store user alleged that she downloaded the fraudulent app that spoofed a legitimate app and, during registration, she typed in her personal information and linked her cryptocurrency to the app by inputting her private key.  Plaintiff soon discovered her cryptocurrency was gone and her account deleted, and subsequently learned that the digital wallet app she had downloaded was really a phishing program created for the sole purpose of stealing users’ crypto and routing it to the hackers’ personal accounts.

Plaintiff sought to hold Apple liable for its role in vetting and making the fraudulent app available in the App Store. In September 2021, Plaintiff brought the putative class action against Apple, as operator of the App Store, alleging claims under various federal laws, including the Computer Fraud and Abuse Act (CFAA), as well as under state consumer protection laws. Plaintiff generally asserted that Apple was liable in authorizing and distributing a fraudulent app in its App Store while representing that its App Store is “a safe and trusted place” and that Apple ensures “that the apps we offer are held to the highest standards for privacy, security, and content….”

Apple moved to dismiss the amended complaint on a number of grounds, including that it was immune under CDA Section 230 for its conduct in hosting the third party digital wallet app and that the limitation of liability provision within its terms of service negated Plaintiff’s claims related to third party apps. The court granted the motion to dismiss, holding that in fact, Apple was protected by Section 230 of the Communications Decency Act (“CDA”) from such liability.  Beyond failing to convince the court that Apple’s actions fell outside CDA Section 230, Plaintiff was also unsuccessful in overcoming the argument that the limitation of liability clause in Apple’s terms was enforceable with respect to the various claims.

The Communications Decency Act

Section 230 of the CDA states that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” 47 U.S.C. § 230(c)(1). As courts uniformly recognize, the CDA immunizes online services against all kinds of claims for third-party content that they publish.

After easily determining the App Store is an “interactive computer service” under the CDA, the court had to determine whether Plaintiff’s claims attempted to treat Apple as a publisher or speaker with respect to content on the App Store. Courts have generally found that publishing activity includes reviewing, editing, and deciding whether to publish or to withdraw from publication third-party content, and here, the court found that Apple’s review and authorization of the crypto app for distribution on the App Store was “inherently publishing activity.”

Under the final prong of the CDA, the court quickly found the published material (i.e., the crypto app) was not developed by Apple but was provided by another content provider. The plaintiffs argued that a statutory exception to the CDA for enforcement of federal criminal statutes (47 U.S.C. § 230(e)(1)) should apply to civil claims under federal statutes which provide for both civil and criminal causes of action, including the CFAA; however, the court stated that it was well-settled that § 230(e)(1)’s limitation on CDA immunity extends only to criminal prosecutions, and not to civil actions based on criminal statutes

As for the plaintiffs’ state law consumer protection claims, the court ruled that as asserted, the claims were insufficiently pled and, in any event, essentially sought to hold Apple liable for its publication of the crypto app, conduct already protected by CDA Section 230.

The court also found an alternative basis for dismissal, ruling that the limitation of liability contained in Apple’s terms, which provides that the company is not liable for damages “arising out of or related to use of” third-party apps, was enforceable as against plaintiff’s claims stemming from harms caused by third party apps.

Final Thoughts

Advances in distributed ledger technology for financial services have led to dramatic growth in markets and services related to cryptocurrency and digital assets in general. While this brings the potential of welcome financial innovations, it also opens new avenues for cyber criminals to perpetuate financial scams and theft, including through spoofed crypto apps and phishing sites.

This case suggests that at least under facts such as these, interactive platforms shall not be the source of a remedy for every person or business that is defrauded through a third party application available on their platforms. A different result might impair the ability to do business as a platform provider.  The case is also a more general reminder that CDA Section 230 can be a powerful shield that protects against liability for many types of third party content.

The case further highlights the importance of a well-drafted limitation of liability clause in user agreements.

The case also highlights that providers of all types of interactive services must be very careful in making statements regarding the security of user data. While Apple was able to avoid liability in this case, a slightly different set of facts could possibly have resulted in a different outcomes on some of the issues in this case.

Finally, given the realities of the world of digital fraud in which we live, this case emphasizes that investors must exercise great vigilance before downloading any digital wallet app or inputting their e-wallet credentials into any application.