In August of 2018, flight price comparison website, CheapAir, received an email threatening to spam online review websites and social media platforms with thousands of negative reviews unless CheapAir paid approximately $10,500 worth of Bitcoin, according to an August 28, 2018 article by Joseph Cox of Vice. The sender provided CheapAir with screenshots of disparaging posts about the website that appeared to have been made by botnets rather than human users.

A botnet is a group of computing devices simultaneously controlled by a third party, who can utilize it to share posts thousands of times in a matter of seconds, according to a Feb. 13, 2013, article by Steve Gold of The Guardian. In the weeks leading up to the 2016 United States presidential election and the 2017 Catalonian Independence Referendum, suspected bot accounts shared inflammatory content thousands of times, including posts that seemingly disparaged parties or candidates, according to a Nov. 20, 2018, article by Maria Temming of Science News.

Victims of botnet-mediated disparagement, including businesses that suffer significant financial losses due to the reputational harm stemming from negative online reviews, may find their legal remedies limited by Section 230 of the Federal Communications Decency Act of 1996. The statute, codified at 47 U.S.C.A. §230, provides that "no provider of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider" and defines "information content provider" as "any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service."

The statute, which was introduced by Representative Christopher Cox (R-CA) and Senator Ron Wyden (D-OR) and passed the Senate by an 81-5 vote, was signed into law by President Bill Clinton (D) on Feb. 8, 1996. Rep. Cox stated during the 1995 House debate regarding the statute's passage that it was introduced for the purpose of "protecting computer Good Samaritans, online service providers, anyone who provides a front end to the Internet, let us say, who takes steps to screen indecency and offensive material from their customers" from litigation challenging their editorial discretion regarding content created by third-party users. In a similar vein, the 4^th Circuit reasoned in the 2014 case of Jones v. Dirty World Entertainment Recordings that the statute was enacted "to preserve the vibrant and competitive free market that presently exists for the Internet and other computer services, unfettered by state and federal election," protect free speech by preventing websites and platforms from removing content to avoid potential litigation, and encourage websites and platforms "to self-regulate."

Numerous federal courts, including the 4^th and 9^th Circuits, have held that Section 230 shields websites and social media platforms including business review websites such as Yelp and Consumeraffairs.com from liability for allegedly defamatory content posted about businesses or individuals by users or fraudulent content. In the 2019 case Herrick v. Grindr, the 2^nd Circuit held that a plaintiff cannot overcome Section 230 immunity by alleging that a website or platform had design flaws that made it easier for users to publish or more difficult for the website or platform to remove actionable or unlawful content. Moreover, the 1^st Circuit held in the 2007 case of Universal Communication Systems v. Lycos that a plaintiff cannot overcome Section 230 immunity by alleging that the website or platform had knowledge that content posted by a user was actionable or unlawful.

However, no federal court has addressed whether Section 230 applies to content posted or shared by botnets rather than natural persons, or whether a botnet constitutes a "person or entity" for the purpose of the provision of Section 230 exempting interactive computer services including websites and social media platforms from liability for content provided by an "information content provider" defined as a "person or entity" that creates or develops content.  Given that the statute was enacted in 1996, years before some of the first botnet programs were released in 1999, according to a Sept. 21, 2016, article by Tobias Knecht of Abusix, and Botnets have the capability to post and share content thousands of times in a matter of seconds unlike most, if not all natural persons and corporations, it is foreseeable that a plaintiff victimized by botnet-mediated defamation could argue that Congress did not intend for Section 230 to immunize websites or platforms from liability for content created and disseminated by botnets.

Regardless of whether or not federal courts ultimately hold that Section 230 immunizes websites or platforms from liability for content created, posted or disseminated by botnets, it is possible that Congress could amend the statute to exempt botnets from the definition of an "information content provider." In February of 2018, Senator and 2020 presidential candidate Amy Klobuchar (D-MN), a member of the Senate Judiciary Committee, expressed support during a Meet the Press interview for imposing fines on social media platforms that fail to ban bot accounts attempting to influence public opinion after the government discovers such bot activity.

Further, influential members of Congress across the political spectrum have begun to express an interest in reforming Section 230 to address the current realities of the internet age. On April 11, 2018, President Donald Trump (R) signed a bipartisan bill, the Allow States and Victims to Fight Online Sex Trafficking Act (FOSTA), which exempts federal civil actions and state and federal criminal actions for sex trafficking from Section 230. FOSTA, which passed the Senate by a 97-2 vote, was introduced by Senator Rob Portman (R-OH) and Representative Ann Wagner (R-MO) in response to the 1^st Circuit's 2016 holding that Section 230 barred claims by underage sex trafficking victims against Backpage.com, the website on which they were trafficked.

On June 24, 2019, Sen. Josh Hawley (R-MO) introduced legislation that would exempt large technology companies from Section 230 unless the Federal Trade Commission (FTC) certifies that they do not moderate information in a politically biased manner. In an Aug. 6, 2019, letter to United States Trade Representative Robert Lighthizer, House Energy and Commerce Committee Chairman Frank Pallone (D-NJ) and Greg Walden (R-OR) expressed their opposition to the inclusion of a provision mirroring Section 230 in the United States-Mexico-Canada Agreement (USMCA) since they deemed it "inappropriate for the United States to export language mirroring Section 230 while such serious policy discussions [regarding the statute] are ongoing," and therefore, these types of provisions are not "ripe for inclusion in any trade deal going forward."

Moreover, in July of 2019, Senate Judiciary Committee Chairman Lindsey Graham (R-SC) told reporters that he is considering introducing legislation that would require technology corporations to adhere to current "best practices" in order to be eligible for protection under Section 230. In an April 2019 interview, House Speaker Nancy Pelosi (D-CA) called Section 230 "a gift" to technology corporations, who are not "treating it with the respect that they should" and stated that "it is not out of the question that it could be removed."  In June of 2019, Representative Matt Gaetz (R-FL) suggested, in response to allegations of anti-conservative and anti-Republican editorial bias on social media platforms, that if technology companies "aren't able to demonstrate that they, in fact, are unbiased and neutral," Section 230 should be repealed.

Diane D. Reynolds is a partner at McElroy, Deutsch, Mulvaney & Carpenter who heads the firm's Cybersecurity, Data Protection, and Privacy practice and has an extensive background in mergers and acquisitions, corporate finance, compliance, corporate governance, and strategic growth initiatives. Bradford P. Meisel is an associate at the firm specializing in corporate transactions, cybersecurity, and data privacy.