Increase of extortion-fueled reputation attacks points to a need for legal change
Columnist Chris Silver Smith believes that as more people suffer online reputation attacks, lawmakers must modify legislation to help innocent victims fight back.
You do not have to work very long in Online Reputation Management (ORM) before you run into cases involving people who have been victimized by unscrupulous individuals. These bad actors convince these people to give in to their demands to avoid being ruined online. Cases range from human trafficking victims extorted into prostitution to businesses ordered to pay ransoms to avoid financial ruin.
This issue is one of the darkest aspects of the internet, and ironically, it has been facilitated by a portion of the so-called Communications Decency Act (CDA Section 230). It’s time to modify the law to reduce these threats of extortion based on reputation attacks.
The US Legislature added Section 230 onto the Communications Decency Act in 1996, specifically to reduce the onus of policing online materials on the part of internet businesses. Section 230 provides internet companies like Google, Microsoft, Facebook, Twitter, Yelp and others with immunity from liability for publishing information provided by others (user-generated content).
So, when someone puts up a webpage that contains defamatory text that ends up appearing in Google’s or Bing’s search index, the engines are not legally responsible for it. Likewise, when someone posts a photo on Instagram or Pinterest, a status update on Facebook or Twitter, or a review on Yelp, none of those companies are necessarily legally responsible for it, even if it’s fraudulent, defamatory or highly embarrassing.
Section 230 of the CDA was done to save companies money, pure and simple. While supporting and promoting the businesses that have helped build the internet is important, these cost savings have come at the expense of people who have been harmed and who often have no means of undoing the injuries inflicted by their attackers.
The growth of ORM
One way to gauge the scale and impact of Section 230 is in terms of the scale of the Online Reputation Management industry itself. A few years ago, analysts estimated that ORM would grow to be a $5 billion industry, and there seems little doubt that it has grown well beyond that at this point.
Online reputation management firms like mine help companies and individuals displace negative stuff in search engine results and also work to persuade websites to remove items like negative reviews. (We also recommend strategies for companies to elicit more positive reviews from their clients.) A number of legal firms also specialize in online defamation lawsuits. Their main role is to obtain court orders to persuade sites and ISPs to remove damaging materials. Yet more companies specialize in monitoring and alerting clients about online mentions of names and the positive, neutral or negative sentiments of materials posted about them.
And then there’s the dark side — companies whose business models often feel like barely legal forms of extortion. Sites engineered to be as damaging to companies as possible, by the very nature of their site names (such as Ripoff Report, Complaints Board, ScamBoard and Pissed Consumer), encourage consumers to post damaging reviews under the veil of anonymity, without requiring that the materials be truthful or factual. Such companies have founded their businesses on the protection of Section 230 and often cannot be compelled nor persuaded to remove false representations without payment being made, but they may provide options for victims to pay to mitigate the original postings in some way.
Yet skeevier sites post mugshots or arrest records or encourage girlfriend/boyfriend reviews to be written and published. In some instances, removal fees payable to the damaging sites can run into the thousands of dollars, although some will never remove such things at all, no matter what.
How businesses and individual exploit a legal loophole
Criminally minded people have come to realize that people who have damaged reputations or who are motivated to avoid reputation damage can be persuaded to pay out large sums of money. Desperate individuals will pay anything to fix their lives and try to return to normalcy.
Fake reviews
I’ve consulted on a few cases that have involved attacks on companies’ reputations as a means of forcing them to pay out large sums of money. In one instance, unknown individuals targeted a prominent and well-liked dentist, posting negative and fake reviews on sites such as RateMDs, Healthgrades, DR.Oogle and Yelp. The malicious persons had sent an email demanding money and threatening to post, and, after the dentist refused to pay, they posted reviews about her that claimed she had damaged them through incompetence — involving products and procedures that the dentist doesn’t even offer.
Denial-of-service attacks
I recently reported on an even more egregious case involving The Natural Sapphire Company, which was allegedly targeted by their former offshore website development provider. And various companies have received extortion demands involving threats to deploy denial-of-service attacks on their websites if they do not pay up. Such blackmail ploys are intended to be two-edged swords: Not only can companies face the income loss caused by a cyberattack on their vital systems, but they also face damage to their reputations when their services are shown to be vulnerable.
Even more compelling are the extortion schemes that target individuals in many cases.
Revenge porn or “sextortion”
One of my porn revenge victim clients was threatened by a man she had dated for a couple of weeks, who told her that if she did not continue their relationship, he would post nude photos of her to the internet and ensure they made their way to her family and to her workplace. She dismissed the threat, thinking that since she had not given him any nude photos that there was little chance of him following through on the threats. Unfortunately, he had indeed obtained nude photos of her — perhaps by secretly accessing her phone or by hacking the webcam on her laptop to take pics while she was undressing — and he then published the photos, along with false and defamatory statements about her, across hundreds of URLs.
In fact, many individuals and minors have been targeted with these sorts of “sextortion” attempts involving threats of distributing their nude photos unless they cooperate by following the instructions of extortion artists. One can read news stories of these incidents nearly every week. In one extreme case, as reported by the Dallas News, a Google employee tricked a number of female students into sending him nude videos and photos and threatened at least one of them with publishing the images via Pink Meth (a revenge porn website) if she didn’t send him yet more nude photos.
The threat of sextortion has been significant and growing. In 2010, the FBI issued a warning after investigating a case where a man hacked the computers of over 200 women, many of whom were adolescents. In 2016, the US Department of Justice stated that these types of crimes are “increasingly common.”
The challenge of remedying the situation
While at least half of US states now have criminal laws targeting revenge porn, the unfortunate truth is that after a tormentor has perpetrated revenge porn on you, you may find it difficult to get the damaging materials removed from the internet. Google and Bing have both voluntarily agreed to remove revenge porn without requiring court orders, but this only covers removing links from search results to pages where the proscribed items appear. If the items appearing in search results also include text related to a revenge porn attack, or pages containing links to the materials, you may be out of luck.
And, with no legal liability, at least one of the search engines I’ve asked to remove revenge porn dragged their feet for months before finally removing the offending items — so, while they may have voluntarily agreed to remove such stuff, they’re not all that motivated to provide reasonable time frames for doing so. With one revenge porn victim I have assisted, I’ve tried multiple times to persuade Facebook to remove status updates that continue to refer to the victim’s name and the original materials defaming her.
For cases that do not involve revenge porn, the situation is even direr. Search engines and other sites, like directories of business reviews and social media platforms, are largely unmotivated to do anything to help with the removal of damaging materials. These sites will generally say that their users are simply exercising their right to free speech. But freedom of speech does not allow one to say anything and everything — you are not free to publish wild, false, damaging statements about individuals or businesses any more than you are allowed to yell “Fire!” in a crowded theater.
The largest internet companies that provide forums for people to express themselves talk a good game about their anti-harassment policies, but they rarely take it seriously when someone trolls you with claims that you are negligent, a thief, or even a rapist or murderer. In one case I worked on, a prominent surgeon was accused of being a “butcher” by online reviewers who made up fake profiles to increase the apparent numbers of people leaving negative reviews on Yelp and medical review sites.
A court order isn’t always the solution
Some of these sites will voluntarily remove defamatory content if you obtain a court order that identifies the bad stuff. However, obtaining the court order is not a guarantee, and getting it is often more difficult than you may imagine.
Want an irony? Once you’ve gone the whole course and obtained a court order to get stuff removed, these sites may notify your reputation attacker that they are taking down the toxic waste, or they may post public notices about it, linking to copies of the court orders identifying the materials. For an example of this, read my report on how Ripoff Report does this, sometimes helping to further expand the exposure of porn revenge attacks, and even contravening their own stated policy of never revealing identities of people who post on their sites unless legally required to do so.
When your attackers receive these notices, they may then post copies of the notice they were given, or post additional items that similarly defame you. When that happens, guess what? Yes, these sites will insist you obtain yet ANOTHER court order to take down the new items, even though they are clearly fruit from the same poisoned tree! Not helpful at all.
So, what is the answer to all of this?
It’s time to modify Section 230
Certainly, people will behave badly and say and do bad things on the internet. However, more protection for people needs to be built into the law.
The search engines themselves, and social media sites, have effectively become the internet itself for a majority of website visitors. They are the gateway to millions of sites, and people typically pass through before discovering and consuming content. As such, these companies should bear a large degree of responsibility for assisting victims when content within their universe is harming people.
It’s apparent that Section 230 of the CDA is in need of some modification. While it was perhaps reasonable to reduce some consumer protections to foster the nascent internet in its early days and allow it to grow with fewer liabilities, it’s now matured and here to stay. Arguments that placing greater requirements on internet companies (similar to the right to be forgotten consumer protections in Europe) would be too burdensome in terms of overhead costs are not substantial enough to continue allowing people’s lives to be destroyed.
Companies could partner together to reduce these overhead costs if they were motivated to do so, and they already have departments and employees in place to handle legal removal requests — primarily to help protect corporate interests, such as in cases of piracy and copyright infringements.
As more and more people are coming to know the scale of human collateral damage with online reputation attacks, I believe there will be more push for legislators to modify Section 230. As it currently stands, the law and the intransigence of some of the major internet companies are truly aiding and abetting the very real threats of online reputation damage, thus giving power to many types of extortion.
Contributing authors are invited to create content for MarTech and are chosen for their expertise and contribution to the martech community. Our contributors work under the oversight of the editorial staff and contributions are checked for quality and relevance to our readers. The opinions they express are their own.
Related stories