The September 11, 2002 attacks on the World Trade Center in New York killed thousands of Americans. [1] Numerous firefighters and police officers lost their lives in attempts to save innocent civilians. [2] There is little doubt that capitalizing on such tragedy would be cruel and inhumane, yet many items memorializing September 11 were sold soon after the tragedy, and many of those items were sold online. [3]


eBay is the Internet site through which registered users can bid or auction off almost anything imaginable. [4] Memorabilia related to the September 11 attacks is no exception. [5] Immediately after September 11, eBay banned sales of September 11 memorabilia through its website. [6] On December 31, 2001, eBay officials abruptly ended the ban because they felt enough time had passed since the attacks. [7] Since then, numerous items ranging from fire department badges to a dusty pair of boots, supposedly worn at Ground Zero, have appeared for sale on eBay. [8] Although eBay removed some items at New York City’s request, some memorabilia related to the attacks were still available as of February 21, 2002. [9] New York City Mayor Michael Bloomberg was pursuing legal options against eBay at that time. [10]


Whether eBay should be legally liable for sales of September 11 memorabilia by its users and whether eBay should bear any civil liability instead of its users are decade old questions. [11] These questions have clear but unfortunate answers under current legal doctrine. [12] eBay will not be liable for its users’ activities because § 230 of the Communications Decency Act (“CDA”) protects interactive service providers (“ISPs”) from any civil liability for users’ activities online. [13]


Congress enacted § 230 of the CDA in response to two cases in the 1990s that set forth contrasting standards for defamation liability in suits against ISPs related to users’ activity on the Internet. [14] In 1991, the United States District Court for the Southern District of New York concluded that CompuServe, an ISP, was not liable for defamation because it simply enabled users to access the Internet. [15] In 1995, the New York Supreme Court held that Prodigy, which provided a service comparable to CompuServe’s, should be held liable for defamation. [16] Section 230 reflects Congress’s concern that imposing liability on ISPs may discourage self-regulation and impede the free flow of information over the Internet. [17] Section 230, therefore, protects ISPs from liability for their users’ activities, except in limited circumstances. [18]


Although § 230 provides federal immunity to a provider or user of an interactive computer service, it does not extend protection to an information content provider (“ICP”). [19] Section 230(f)(2) broadly defines interactive computer services as entities that serve multiple users over the Internet, and both ICPs and ISPs are included in that definition. [20] An ICP, unlike an ISP, creates or develops information published on the Internet. [21] Once a company qualifies as an ISP under § 230(f)(2) and (c)(1), broad immunity from civil liability applies. [22] A threshold question under § 230, therefore, is whether an entity qualifies as an ISP. [23] The relevant parts of § 230 provide:


(c) Protection for “good samaritan” blocking and screening of offensive material


(1) Treatment of publisher or speaker


No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.


(2) Civil liability


No provider or user of interactive computer service shall be held liable on account of ….


(B) any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in paragraph (1) ….


(f) Definitions as used in this section: ….


(2) Interactive computer service


The term “interactive computer service” means any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server ….


(3) Information content provider


The term “information content provider” means any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service. (emphasis added) [24] [25] In 2001, however, the California Superior Court held that eBay qualifies as an ISP under § 230, in its capacity as an online auction operator. [26]


eBay benefits monetarily from sales of September 11 memorabilia. [27] Moreover, eBay presumably has the ability to block those sales. [28] The profits eBay would forego seems insignificant in comparison to the harms that society sustains by allowing people to capitalize on tragedy. [29] These harms should not go unpunished simply because they occur on the Internet. [30] Although it seems sensible for eBay to bear some responsibility for not banning sales of September 11 memorabilia, the current legal doctrine under § 230 of the CDA leads to the opposite conclusion. [31]


The Internet is a powerful tool to disseminate information at the speed of light. [32] In addition, the landscape of the Internet has changed since the enactment of the CDA in 1996. [33] Traditionally, ISPs only facilitated users’ access to the Internet. [34] Over time these ISPs expanded into non-traditional roles such as providing informational services, forums, or linking, which transcend merely providing access to the Internet. [35] For example, America Online (“AOL”) initially provided its subscribers e-mail accounts and Internet access. [36] As of 2002, however, AOL offers a variety of information and services, including financial news, gossip on Capital Hill, and instant messaging. [37]


Despite the changes and importance of the Internet, the CDA continues to provide immunity to any entity as long as information or statements are created or originated by third parties. [38] While growing numbers of entities qualify as ISPs–for example, eBay and Amazon–the definition of ISP under the CDA remains overbroad. [39] The CDA prohibits courts from applying any additional test to ISPs to determine which ISPs should benefit from immunity. [40] Courts, therefore, do not impose civil liability on ISPs even when imposing liability protects the Internet as a valuable source of information. [41] For example, ISPs are not obligated to authenticate any information posted by a user, even when doing so is feasible. [42] Under such a broad immunity that imposes no incentive to self-regulate, the Internet may lose its utility as a powerful tool to disseminate information because the public will no longer rely on information obtained from the Internet. [43]


This Note explores why Congress’s definition of ISP is inadequate and argues that Congress should narrow the scope of ISP under § 230 by allowing courts to engage in a three-factor balancing test. Part I illustrates the broad definition of “ISP” under § 230, under which any entity that serves multiple users over the Internet can qualify as an ISP. Part II discusses the definition of “ICP” under § 230 and the mutually exclusive distinction between “ISP” and “ICP.” Part II also discusses case law and academic commentary regarding further expansion of that definition. Part III describes the way Internet Wire operates to illustrate further, in Part IV, that the CDA does not encourage ISPs to self-regulate, resulting in harm that can be prevented at a small cost. [44] Part IV argues that the current definition of ISP is inadequate because it applies indiscriminately and because it does not reflect the reality where ISPs serve ICP-like functions. Finally, Part IV proposes a three factor balancing test as a way to narrow the definition of ISP under § 230.


Miree Kim*