The Yale Law Journal


Imposing Tort Liability on Websites for Cyber- Harassment

15 Dec 2008

Several female law students were the subject of derogatory comments on, a message board about law school admissions. When one of the women asked the website administrator to remove certain comments, the administrator discussed her request in an online post, prompting further attacks. An undergraduate student’s rape was revealed on a gossip site,, where posters engaged in a cruel session of “blame the victim.” Another student on that site was falsely identified, by name, as being a stalker, bi-polar, and suicidal. When officials at her university asked to remove the most egregious posts, the company refused.

These recent examples have brought the vexing problem of cyber-harassment to the public’s attention. Under § 230 of Title 47 of the U.S. Code, websites are not liable as publishers for the content on their sites so long as they are not involved in the creation of the objectionable content. Accordingly, much of the relevant scholarship has focused on repealing § 230 or imposing liability upon posters.

The immunity that website sponsors—the entities that own the domain name and control the activity on a website—have as publishers should not mean that they have no obligation whatsoever for the activity on their website. Website sponsors have a proprietary interest in their websites. Accordingly, they should be subject to the same standard of conduct as other proprietors.

I. Section 230 Immunity

Legal duties and social norms guide how business owners respond to activity on their premises. Those legal duties and social norms are still in flux regarding the responsibility of website sponsors. Website sponsors have reaped the benefits of proprietorship, enforcing those benefits through contracts (such as clickwraps and browsewraps) that establish the terms of use for their visitors. For example, many websites have privacy policies that enable them to exploit users’ personal information for marketing or advertising purposes.

At the same time, website sponsors have managed to escape many of the responsibilities of proprietorship. Section 230 immunity was intended to protect “good Samaritan” internet service providers from liability for blocking or screening obscene material and to encourage the development of the Internet. Court decisions, however, have applied § 230 immunity too broadly. Unfortunately, the very section intended to enable websites to monitor offensive material is now being used to shield websites that traffic in such content. For example, claims that it is not liable for content posted by users because it is an interactive service provider.

This is not to suggest that websites should be subject to the same type of liability that currently attaches to newspaper publishers. Because of the quantity of user-generated content and the speed with which it is produced, websites may be unable to edit and review all posted material in the same way that newspaper publishers currently do. But to say that websites should not be subject to the same liability as offline publishers and distributors does not mean that they should have no liability whatsoever. This is especially so given that often the only practical remedy available to a victim of cyber-harassment is an appeal to the website administrator to take down the offending communication.

II. Websites As “Proprietors”

While commentators dispute whether websites are “property,” they generally agree that website sponsors maintain some proprietary interest in their websites and domain names. Websites are businesses, even if they don’t sell products or have a physical “storefront.” Website sponsors may commercialize their websites in indirect ways, such as through advertising revenue or by using their websites as marketing tools for other products or services. Accordingly, website sponsors should be liable to visitors if they fail to exercise reasonable care just as other business owners are liable to their invitees. Because publicly accessible websites invite all Internet users and benefit from viewer traffic, all visitors to publicly accessible sites should be considered invitees, even if they choose not to post or register with the website.

Prosser states that a possessor of business premises must “exercise the power of control or expulsion which his occupation of the premises gives him over the conduct of a third person who may be present, to prevent injury to the visitor at his hands,” but only where the possessor had “reason to believe . . . that the conduct of the other will be dangerous to the invitee.” The Restatement (Second) of Torts states:

A possessor of land who holds it open to the public for entry for his business purposes is subject to liability to members of the public while they are upon the land for such a purpose, for physical harm caused by the accidental, negligent, or intentionally harmful acts of third persons or animals, and by the failure of the possessor to exercise reasonable care to (a) discover that such acts are being done or are likely to be done, or (b) give warning adequate to enable the visitors to avoid the harm, or otherwise protect them against it.

Courts have found proprietors liable even for nonphysical harm caused by third parties. In one case, the Supreme Court of Alabama held that a hotel could be liable for invasion of privacy based upon the actions of someone who was not an agent of the hotel. The plaintiffs in that case alleged that a “peeping Tom” had access to their room through holes in the wall. The Alabama Supreme Court held that “the proprietor of a hotel may . . . be held liable for the actions of a third party,” and stated that a jury could reasonably conclude that the hotel could have discovered and repaired the peeping holes through reasonable inspection.

Websites might not be physical storefronts, but that is no reason for a court to limit their business premises liability. Website sponsors benefit from and encourage activity on their website. Like traditional proprietors, they are in the best position to avoid harm caused by such activity.

Consequently, while websites are immune from liability as publishers under the Communications Decency Act, they should be liable as proprietors for a failure to exercise reasonable care to protect site visitors from foreseeable harm by cyber-harassers.

III. The Exercise of “Reasonable Care”

Websites can take several steps to demonstrate “reasonable care.” They can implement and enforce user guidelines. They can incorporate user-moderated controls into their websites, such as “Report Abuse” buttons. They can strip or threaten to strip a harasser of anonymity. They can expel abusive posters. Website sponsors would not be required to remove offending content upon request. But the website sponsor’s response—or nonresponse—to take down requests must be reasonable given the circumstances.


To acknowledge that a website has responsibilities to its visitors does not impose an undue burden upon websites; rather these obligations mirror the obligations that all business owners have in the conduct of their businesses. Given that a victim of cyber-harassment has no real remedy beyond appealing to the website, tort liability encourages websites to respond in a socially responsible manner without imposing an unrealistic duty to prescreen or censor materials.

Nancy Kim is an associate professor at California Western School of Law.

Preferred Citation: Nancy Kim, Imposing Tort Liability on Websites for Cyber-Harassment, 118 Yale L.J. Pocket Part 115 (2008),