Order

Cal. Super. - 6th Dist.September 11, 2020

KOOONONUl-hwwu-t NNNNNNNNNHHHHHHHHHH OONONM-PWNHOKOOONONm-PWNHO SUPERIOR COURT OF CALIFORNIA COUNTY OF SANTA CLARA STEVE WOZNIAK, et al., Case N0.: 20CV370338 Plaintiffs, ORDER CONCERNING (1) DEFENDANTS YOUTUBE, LLC VS. AND GOOGLE LLC’S DEMURRER TO PLAINTIFFS’ SECOND YOUTUBE, LLC, et a1., AMENDED COMPLAINT AND (2) PLAINTIFFS’ RENEWED Defendants. MOTION TO LIFT STAY OF DISCOVERY This action arises from a scam that uses images and Videos 0f plaintiff Steve Wozniak and other famous tech entrepreneurs t0 fraudulently induce individuals t0 transfer their cryptocurrency t0 the scammers. Mr. Wozniak and the other plaintiffs (collectively “Plaintiffs”), who are Victims 0f the scam, allege that defendants YouTube, LLC and Google, LLC (collectively “Defendants”) contribute t0 this scheme in various ways through their operation 0f the YouTube Video-sharing platform. In a June 2021 order (“June Order”), the Court sustained Defendants’ demurrer t0 the First Amended Complaint (“FAC”) 0n the basis that its claims were all barred by Section 230 0f the Communications Decency Act (the “CDA”).1 But the Court granted Plaintiffs leave t0 1 A11 future statutory references are t0 this section unless otherwise stated. ORDER ON SUBMITTED MATTER Electronically Filed by Superior Court of CA, County of Santa Clara, on 1/26/2022 3:15 PM Reviewed By: R. Walker Case #20CV370338 Envelope: 8146318 KOOONONUl-hwwu-t NNNNNNNNNHHHHHHHHHH OONONM-PWNHOKOOONONm-PWNHO amend their complaint. Plaintiffs then moved t0 lift the initial discovery stay in this case, urging they needed evidence within Defendants’ control t0 plead around CDA immunity. In an August 2021 order (“August Order”), the Court denied this motion in its discretion, holding that the public policy supporting CDA immunity generally overrides a plaintiffs right t0 discovery where the operative complaint fails t0 allege any claim avoiding the application 0f Section 230. Plaintiffs filed the operative Second Amended Complaint (“SAC”)2 without the benefit 0f any discovery. (Meet and confer directed by the Court did not result in any agreement by Defendants t0 provide limited discovery.) Now before the Court are Defendants’ demurrer t0 the SAC and Plaintiffs’ renewed motion t0 lift the discovery stay. The Court issued a tentative ruling 0n January 19, 2022, and n0 one contested it at the hearing 0n January 20. The Court now issues its final order, which SUSTAINS the demurrer in its entirety, this time WITHOUT LEAVE TO AMEND, and DENIES the motion t0 lift the discovery stay. I. BACKGROUND As alleged by Plaintiffs} Mr. Wozniak is a Silicon Valley icon who co-founded Apple Computer in the 19703 and has since engaged in many entrepreneurial and philanthropic ventures. (SAC, 1] 18.) He is a widely known, recognized, and beloved public figure. (Ibid) Along with Mr. Wozniak, seventeen individual Victims 0f the scam giving rise t0 this action, who reside across the country and around the world, are named as Plaintiffs. (See id., W 19-35.) YouTube is a Video-sharing platform that generates billions 0f dollars in annual revenue, and a wholly-owned subsidiary 0f Google. (SAC, W 36, 55.) YouTube’s primary source 0f revenue is from selling ads t0 third parties, and both YouTube and Google profit from the personal data 0f users, which allows them t0 sell highly targeted ads. (Id., 1] 54.) 2 A redline comparison 0f the SAC with the FAC is attached t0 the Declaration 0fAndrew Kirtley filed on December 10, 2021. 3 The Court does not take a position 0n the accuracy 0f the allegations in the SAC, but, for purposes 0f considering Defendants’ demurrer, assumes these allegations t0 be true. 2 KOOONONUl-hwwu-t NNNNNNNNNHHHHHHHHHH OONONM-PWNHOKOOONONm-PWNHO A. The Bitcoin Giveaway Scam Plaintiffs allege that, for years, YouTube has been hosting, promoting, and directly profiting from scam Videos and paid promotions that use images and Videos 0f Mr. Wozniak and other famous tech celebrities t0 defraud YouTube users out 0f millions 0f dollars. (SAC, 1] 2.) The scammers use these images and Videos-which are broadcast primarily 0n hijacked YouTube channels-to convince YouTube users that celebrities are hosting live “BTC” 0r “BITCOIN GIVEAWAY” events and that, for a limited time, anyone who sends their bitcoin t0 a specified account will receive twice as much back. (Ibid.) But when users transfer their cryptocurrency, the scam is complete, as the transaction is irreversible. (Ibid) This swindle has existed in cyberspace since at least October 2018, when Coin Rivet (a cryptocurrency-focused news site) reported that Twitter had done well t0 eliminate it from its platform, and that the scam had now made its way t0 YouTube. (SAC, 1] 74.) Media continued t0 report that this scam was appearing 0n YouTube, and that YouTube’s algorithm was “actively promoting” it. (Id,W 75-79.) A version 0f the scam that misappropriates Mr. Wozniak’s name, image, and likeness has repeatedly appeared since at least May 8, 2020. (1d,, 1] 80.) Mr. Wozniak and his wife have made numerous requests that YouTube intervene and remove the Videos, but the problem persists, and Videos promoting this swindle continue t0 appear 0n YouTube. (161., W 81-83.) The other Plaintiffs have also repeatedly informed Defendants 0f the scam and demanded that YouTube take action. (Id., 1] 84.) B. Defendants’ Alleged Contributions t0 the Scam Plaintiffs allege that they have been harmed by “YOUTUBE’S deliberate and inexplicable failure t0 address the promotion 0f a pervasive fraud occurring 0n its platform.” (SAC, 1] 50.) “For months 0n end, the BITCOIN GIVEAWAY scam has been replicated 0n YOUTUBE many times over in substantially the same form.” (161., 1] 52.) These swindle Videos and promotions “are substantially similar in title and appearance, reuse many 0f the same words and phrases, reuse the same celebrities (including WOZNIAK), and reuse the same past Video footage 0f those celebrities.” (Ibid.) “YOUTUBE’S egregious refusal t0 protect its users by taking timely action and its active participation in promoting and profiting from the BITCOIN KOOONONUl-hwwu-t NNNNNNNNNHHHHHHHHHH OONONM-PWNHOKOOONONm-PWNHO GIVEAWAY scam has materially contributed t0 the scam and caused Plaintiffs’ harm.” (161., 1] 54.) According to Plaintiffs, Defendants “have knowingly allowed the BITCOIN GIVEAWAY scam to flourish 0n their platforms, including through lax security practices.” (SAC, 1] 59.) Google promotes its products and services, which include YouTube, as employing “one 0f the most advanced security infrastructures in the world,” and Defendants assure the public that “YouTube doesn’t allow spam, scams, 0r other deceptive practices that take advantage 0f the YouTube community.” (Ibid.) But despite these assurances, “YOUTUBE’S lax security practices make it unreasonably easy for criminals,” including those behind the BITCOIN GIVEAWAY scam, “t0 hijack popular YOUTUBE channels, t0 transfer ownership 0r control 0f those channels, and use them t0 defraud and Victimize YOUTUBE users.” (Id, 1] 60.) “[T]0 this day, YOUTUBE has failed t0 implement adequate security measures 0n its platform t0 prevent, deter, and otherwise combat the rampant hijacking and taking over ofYOUTUBE channels by bad actors.” (Ibid) For example, YOUTUBE should have, but unreasonably failed t0, require multifactor authentication, human review, and/or other reasonable security measures t0 ensure that it was the actual owners 0f channels with tens 0r hundreds 0f thousands 0f subscribers, and not unauthorized third parties, who were engaging in the highly unusual, red-flag channel behavior described above. Given its deep knowledge 0f the [BITCOIN GIVEAWAY] scam, including scammers’ modus operandi in hijacking and taking over popular YOUTUBE channels ..., it was unreasonable for YOUTUBE t0 not require [these] measures before allowing such highly suspicious activity t0 occur 0n verified, long- established, 0r popular YOUTUBE channels. Similarly, YOUTUBE should have, but unreasonably failed t0, require [these] measures when new Video content is uploaded t0 channels with thousands 0f subscribers. (SAC, ‘n 61 .) KOOONONUl-hwwu-t NNNNNNNNNHHHHHHHHHH OONONM-PWNHOKOOONONm-PWNHO YouTube’s other security failures include falsely indicating that the BITCOIN GIVEAWAY scam is legitimate by displaying its own “verification badge” beside the names 0f channels that were furthering the swindle. (SAC, 1] 62.) Plaintiffs allege that through this conduct, YouTube speaks 0n its own behalf, informing users (independent 0f any content 0n the channel) that this account is verified as “the official channel 0f a creator, artist, company, 0r public figure” and therefore can be trusted. (Ibid) Despite YOUTUBE’S representations that its verification badges are a form 0f security and protection that its users can rely 0n, YOUTUBE has continued t0 maintain the verification 0f channels that have been hijacked t0 broadcast BITCOIN GIVEAWAY scam Videos and, in at least one instance, even issued a verification badge t0 a channel at the very time it was actively broadcasting scam Videos. YOUTUBE’S users, including numerous Plaintiffs here, relied on YOUTUBE’S representations that the verified channels are authentic. . .. [T]he channels’ rightful owners made numerous reports t0 YOUTUBE that their channel had been hijacked, yet YOUTUBE failed t0 remove 0r suspend the pre- existing verification badge appearing 0n those channels, and failed t0 award [sic] verification badges t0 channels while they were actively perpetrating the scam. (SAC, 1] 63.) YouTube has also provided the scammers “readymade tools 0f fraud,” such as by giving users free reign t0 rename channels and/or accounts in ways that are obviously misleading, like renaming channels and/or accounts unaffiliated with Mr. Wozniak “Steve Wozniak” 0r “Steve Wozniak Official.” (SAC, 1] 64.) Similarly, YouTube has “falsely represented, and/or knowingly left in place negligently designed Video metrics and other public-facing features 0f its platform that permit the scammers t0 falsely represent, that the scam Videos are ‘live’ when they are not, that large numbers 0f users who are ‘currently watching’ live scam Videos when they are not, and other similarly false 0r misleading statements 0f fact that cause the scam Videos and promotions t0 appear authentic ....” (Id,W 65-66, emphasis in original.) Plaintiffs reasonably relied 0n these Video metrics and related information, and YouTube has KOOONONUl-hwwu-t NNNNNNNNNHHHHHHHHHH OONONM-PWNHOKOOONONm-PWNHO long falsely assured the public that it “doesn’t allow anything that artificially increases the number 0f Views, likes, comments, 0r other metrics either by using automatic systems 0r serving up Videos t0 unsuspecting Viewers.” (Id., 1] 66.) Moreover, Defendants produce Video recommendations and targeted ads by collecting a wide array 0f personal information about their users, and they have continued t0 exploit this information t0 determine which users would be interested in scam Videos, directly recommend such Videos t0 them, and target them with ads. (SAC,W 67-72.) Defendants have continued t0 sell targeted scam ads t0 scammers, and t0 deliver those ads directly t0 Plaintiffs and others who are likely t0 be interested, and who are thus most likely t0 be defrauded by the scheme. (Id., 1] 68.) “Plaintiffs were generally aware 0f and relied 0n the substance 0f Defendants’ representations about providing excellent security, protecting against scams, ensuring the accuracy 0f Video metrics and other Video and channel information, and the responsible use 0f Plaintiffs’ personal data, as reflected in Defendants’ public statements about these topics 0n their websites.” (SAC, 1] 73.) “Plaintiffs and other users continue t0 encounter the same scam Videos, Video discovery ads, and in-stream advertising.” (SAC, 1] 88; see alsoW 89-93.) Meanwhile, YouTube has “robust and sophisticated tools t0 regulate content 0n its platform,” and touts its ability t0 use them t0 detect scams-which its Community Guidelines purport t0 bar. (Id., W 95-96.) It could “block and/or flag for human review the sale 0f advertisements based 0n their verbal content, such as ads that contain the phrases ‘BTC GIVEAWAY’ 0r ‘5000 BTC’ 0r any one 0f the handful 0f words and phrases that consistently and repeatedly appear in the ads that Defendants knowingly sell t0 the scammers,” but has refused t0 d0 so. (Id, 1] 97.) In sum, Defendants have “materially contributed t0 [the scam Videos] by promoting [them] t0 a specific audience identified through its algorithm, by selling targeted ads driving traffic t0 the Videos, by falsely verifying YOUTUBE channels that carry the Videos and doing [nothing] t0 stop displaying its verification badge alongside verified channels that had been hijacked by scammers, and by KOOONONUl-hwwu-t NNNNNNNNNHHHHHHHHHH OONONM-PWNHOKOOONONm-PWNHO providing false 0r misleading information t0 promote the Videos.” (161., 1] 120, emphasis in original.) C. Current Procedural Posture Based 0n these allegations, Plaintiffs currently assert the following causes 0f action in their SAC: (1) misappropriation 0fname 0r likeness (by Mr. Wozniak only); (2) fraud and misrepresentation; (3) aiding and abetting fraud; (4) unfair business practices; (5) negligence; (6) negligent failure t0 warn; (7) negligent design; (8) breach 0f implied contract; and (9) promissory estoppel. II. DEMURRER Defendants demur t0 the SAC 0n the grounds that each 0f its claims is barred by Section 230 and otherwise fails t0 state a cause 0f action. Plaintiffs oppose this demurrer. A. Legal Standard A demurrer tests the legal sufficiency 0f the complaint. (Chen v. PayPal, Inc. (2021) 61 Cal.App.5th 559, 568.) Consequently, it “reaches only t0 the contents 0f the pleading and such matters as may be considered under the doctrine ofjudicial notice.” (Wei! v. Barthel (1955) 45 Cal.2d 835, 837; see also Code CiV. Proc., § 430.30, subd. (a).) “It is not the ordinary function 0f a demurrer t0 test the truth 0f the plaintiff” s allegations 0r the accuracy with which he describes the defendant’s conduct. [T]he facts alleged in the pleading are deemed t0 be true, however improbable they may be.” (Align Technology, Inc. v. Tran (2009) 179 Cal.App.4th 949, 958, internal citations and quotations omitted.) In ruling 0n a demurrer, the Court must liberally construe the allegations 0f the complaint, with a View t0 substantial justice between the parties. (Glennen v. Allergan, Inc. (2016) 247 Cal.App.4th 1, 6.) Nevertheless, while “[a] demurrer admits all facts properly pleaded, [it does] not [admit] contentions, deductions 0r conclusions 0f law 0r fact.” (George v. Automobile Club OfSouthern California (201 1) 201 Cal.App.4th 1112, 1120.) A demurrer Will succeed where the allegations and matters subject t0 judicial notice clearly disclose a defense 0r bar t0 recovery. (Casterson v. Superior Court (2002) 101 Cal.App.4th 177, 183.) KOOONONUl-hwwu-t NNNNNNNNNHHHHHHHHHH OONONM-PWNHOKOOONONm-PWNHO Specifically with regard t0 CDA immunity, “[W]hen a plaintiff cannot allege enough facts t0 overcome Section 230 immunity, a plaintiff’s claims should be dismissed.” (Dyroflv. Ultimate Software G171, Inc. (9th Cir. 2019) 934 F.3d 1093, 1097 (Dyroflfl B. CDA Immunity Many 0f the allegations in the SAC are unchanged from those in the FAC. The June Order explained that those allegations failed t0 state any claim avoiding CDA immunity. The Court incorporates the discussion in the June Order as t0 those pre-existing allegations, as well as the legal standards and general principles governing CDA immunity, and will not repeat it here. Instead, this order will focus 0n the new facts and theories alleged in the SAC: first, the allegations concerning scammers’ “hijacking” 0fYouTube channels and Defendants’ leveraging 0f users’ personal information t0 target them with ads and Videos (which Plaintiffs characterize as “security”- 0r “design”-related claims) and second, the new contract-related causes 0f action. The order will also specifically address Plaintiffs’ newly emphasized failure t0 warn claim. But first, the Court will address a new authority bearing 0n its prior analysis in the June Order: Gonzalez v. Google LLC (9th Cir. 2021) 2 F.4th 871 (Gonzalez). 1. Gonzalez Among the authorities cited in the June Order was the district court’s opinion in Gonzalez v. Google, Inc. (N.D. Cal. 2017) 282 F. Supp. 3d 1150, 1168-1 170, which the Court cited for its holding that allegations that Google shared ad revenue with a terrorist group did not avoid CDA immunity. Gonzalez affirmed the district court, but with a nuance as t0 this part 0f its holding.4 Gonzalez involved claims pursuant t0 the federal Anti-Terrorism Act (ATA) arising from attacks attributed t0 the terrorist group ISIS. The plaintiffs alleged that Google’s and other companies’ “social media platforms allowed ISIS t0 post Videos and other content t0 4 The district court addressed an earlier version 0f the complaint than the Ninth Circuit ultimately did. The complaint before the district court did not allege the “revenue-sharing” theory in the specific manner addressed by the Ninth Circuit. (See Gonzalez v. Google, Inc. (N.D. Cal. 2017) 282 F. Supp. 3d 1150, 1170 [discussing how this theory was raised by the plaintiffs during oral argument but was not alleged in the operative complaint: “Although the SAC highlights one example 0f Google placing a targeted ad with an ISIS Video 0n YouTube, there is n0 allegation that any revenue was actually shared with the user who posted the Video. [Citation] There is also n0 allegation that the user who uploaded the Video is a member 0f ISIS. . . .”].) 8 KOOONONUl-hwwu-t NNNNNNNNNHHHHHHHHHH OONONM-PWNHOKOOONONm-PWNHO communicate [its] message, t0 radicalize new recruits, and t0 generally further its mission. Plaintiffs also claim that Google placed paid advertisements in proximity t0 ISIS-created content and shared the resulting ad revenue with ISIS.” (Gonzalez, supra, 2 F.4th at p. 880.) Like the district court, the Ninth Circuit held that claims based 0n the first theory were barred by Section 230. (Id. at pp. 890-897.) But the “revenue-sharing” theory was different: “This theory is premised 0n the allegation that because it shared advertising revenue with ISIS, Google should be held directly liable for providing material support t0 ISIS pursuant t0 [the ATA] ....” (Id. at pp. 897-898.) The court explained: The Gonzalez Plaintiffs allege that “each YouTube Video must be reviewed and approved by Google before Google will permit advertisements t0 be placed with that Video,” and that “Google has reviewed and approved ISIS Videos” for advertising. The Gonzalez Plaintiffs also allege that, because it approved ISIS Videos for the AdSense program, Google shared a percentage 0f revenues generated from those advertisements with ISIS. (Gonzalez, supra, 2 F.4th at p. 898.) “These allegations are premised 0n Google providing ISIS with material support by giving ISIS money. Thus, unlike the Gonzalez Plaintiffs’ other allegations, the revenue-sharing theory does not depend 0n the particular content ISIS places 0n YouTube; this theory is solely directed t0 Google’s unlawful payments 0f money t0 ISIS.” (Ibid., italics original.) This is not what Plaintiffs allege here. The SAC does not reference the AdSense program 0r allege that Defendants share revenue with the scammers 0r “giv[e] [them] money” in Violation 0f a statute comparable t0 the ATA. Rather, the SAC alleges that Defendants provide tools that the scammers use t0 effectively target Victims, and passively profit from the scheme by selling ads t0 the scammers. These theories are more akin t0 the first theory alleged in Gonzalez that KOOONONUl-hwwu-t NNNNNNNNNHHHHHHHHHH OONONM-PWNHOKOOONONm-PWNHO was barred by Section 230. For the reasons already discussed in the June Order, claims arising from these theories are barred.5 2. “Security”- 0r “Design ”-Related Claims Plaintiffs contend that their new allegations about Defendants failing t0 prevent scammers from “hijacking” YouTube channels and misusing users’ personal information t0 effectively target Victims constitute “security”- 0r “design”-related claims that avoid CDA immunity. They emphasize two authorities in connection with this argument: Lemmon v. Snap, Inc. (9th Cir. 2021) 995 F.3d 1085 (Lemmon) and In re Zoom Video Communs. Privacy Litig. (N.D.Cal. 2021) 525 F. Supp. 3d 1017 (Zoom). a. Lemmon Lemmon addressed a negligent design claim involving a smartphone application that allowed users t0 take photos 0r Videos and superimpose a filter showing their “real-life speed.” (Lemmon, supra, 995 F.3d at pp. 1088-1090.) The teenage children 0f the plaintiffs were using this application when they drove at speeds 0f over 100 miles per hour and, tragically, crashed. (Ibid) The Ninth Circuit held this claim did not “treat [the] defendant as a ‘publisher 0r speaker’ 0f third-party content” as required for CDA immunity t0 apply. (Id. at p. 1091 .) Rather, it presented “a clear example 0f a claim that simply does not rest 0n third-party content”: “[T]he Parents’ negligent design claim faults Snap solely for Snapchat’s architecture, contending that the app’s Speed Filter and reward system worked together t0 encourage users t0 drive at dangerous speeds.” (Ibid) “Notably, the Parents d0 not fault Snap in the least for publishing [a] snap.” (Ibid) 5 A recent case that distinguished Gonzalez is illustrative. In Doe v. Reddit, Inc. (C.D. Cal. Oct. 7, 2021, N0. SACV 21-00768 JVS (KESX)) 2021 U.S.Dist.LEXIS 235993, the district court held that a claim that Reddit was unjustly enriched by knowingly allowing users t0 upload child sexual exploitation material (CSEM) was barred by Section 230. (Id. at *15-16, fn. 5.) It distinguished Gonzalez because the “revenue-sharing” claim there did “not depend 0n the particular content ISIS place[d] 0n YouTube; this theory [was] solely directed t0 Google’s unlawful payments 0f money t0 ISIS.” (Ibid, quoting Gonzalez, supra, 2 F.4th at p. 898.) “Here, by contrast, Plaintiffs’ claim for unjust enrichment is the only one for which the illegality is the receipt 0f advertising revenue. That claim is inherently premised on the CSEM appearing near the advertising being improper.” (Ibid) In other words, the claim, like Plaintiffs’ claims here, arose from harmful third-party content. 10 KOOONONUl-hwwu-t NNNNNNNNNHHHHHHHHHH OONONM-PWNHOKOOONONm-PWNHO Lemmon affirmed that CDS immunity “shields from liability those individuals 0r entities that operate internet platforms, t0 the extent their platforms publish third-party content.” (Lemmon, supra, 995 F.3d at pp. 1090-1091.) And it emphasized that “the Parents’ allegations [we]re not a creative attempt t0 plead around the CDA,” which poses a concern in cases where the claims “at bottom, depend[] 0n a third party’s content, without which n0 liability could [exist].” (Id. at p. 1094.) Here, by contrast, Plaintiffs’ claims d0 ultimately depend 0n third- party scammers posting harmful content. This case does not resemble Lemmon.6 b. Zoom Zoom involved claims “based 0n third parties disrupting Plaintiffs’ Zoom meetings (‘Zoombombing’)” by joining a meeting without authorization and, in most cases, proceeding t0 display harmful and/or offensive content t0 those present. (Zoom, supra, 525 F. Supp. 3d at pp. 1024-1025, 1028.) The district court held that “Section 230(c)(1) mostly immunizes Zoom from [these] Zoombombing claims.” (Id. at p. 1034.) Specifically, t0 the extent the plaintiffs sought 6 As one court recently explained with respect t0 a similar theory, The facts here differ... from those in Lemmon because the nature 0f the alleged design flaw in this case - and the harm that is alleged t0 flow from that flaw - is directly related t0 the posting 0f third-party content 0n Twitter. In particular, Plaintiffs allege that Twitter’s design, which is aimed at “enabling its users t0 disseminate information very quickly t0 large numbers 0f people” through such features as hashtags and algorithms, also enables “sex traffickers t0 distribute [child sexual abuse material (CSAM)] 0n a massive scale.” Conversely, they allege, Twitter is not “designed t0 enable its users t0 easily report CSAM, nor is it designed so that CSAM is immediately blocked pending review when reported.” Nor does Twitter “consistently deploy IP blocking, 0r other measures, t0 prevent users suspended by Twitter for disseminating CSAM from opening new accounts under different names[,]” Plaintiffs allege. These flaws, in essence, seek t0 impose liability 0n Twitter based 0n how well Twitter has designed its platform t0 prevent the posting 0f third-party content containing child pornography and t0 remove that content after it is posted. In other words, t0 meet the obligation Plaintiffs seek to impose 0n Twitter 0n this claim, Twitter would have t0 alter the content posted by its users, in contrast t0 the design defect alleged in Lemmon. Therefore, Lemmon is not 0n point and Plaintiffs’ products liability claim fails under Section 230 immunity. (Doe v. Twitter, Inc. (N.D.Ca1. Aug. 19, 2021, N0. 21-CV-00485-JCS) 2021 U.S.Dist.LEXIS 157158, at *92-93, citations omitted.) 11 KOOONONUl-hwwu-t NNNNNNNNNHHHHHHHHHH OONONM-PWNHOKOOONONm-PWNHO t0 hold Zoom liable for the display 0f harmful content, the CDA barred these claims: “Plaintiffs cannot hold Zoom liable for injuries stemming from the heinousness 0f third-party content.” (Id. at p. 1030.) These claims “(1) challenge the harmfulness 0f specific content provided by third parties; and (2) allege that Zoom should have done more t0 moderate 0r block that harmful content.” (Id. at p. 1034.) The district court affirmed that “Zoom’s failure t0 edit 0r block user- generated content is the very activity Congress sought t0 immunize” Via the CDA. (Id. at p. 1035, internal citation and quotation marks omitted.) But the “security-based subset 0f Plaintiffs’ claims” involving “unauthorized intrusions into private meetings” was different. (Id. at p. 103 1 .) These claims either did not challenge the harmfulness 0f third-party content and/or did not derive from the defendant’s status 0r conduct as a publisher 0r speaker 0f that content. (Id. at pp. 1032-1035.) Beyond the contract-related claims discussed below, Zoom did not clearly articulate exactly what these claims alleged- because Plaintiffs themselves did not. (See id. at p. 1035 [sustaining motion t0 dismiss with leave t0 amend and directing that “Plaintiffs’ second amended complaint should more clearly articulate those [content-neutral] claims”].) But one potential example was summarized at the beginning of the opinion, involving a burlesque dance studio operator’s loss 0f business due t0 uninvited men dropping in t0 her classes. (See id. at p. 1025.) In that example, the mere presence 0f the men in the classes may have caused harm-even if they never said a word 0r shared an image. Unlike the “security-based” claims in Zoom, the claims here challenge the harmfulness 0f content provided by scammers and derive from Defendants’ status as a publisher 0r speaker 0f that content. The claims are more like those that Zoom held were barred by CDA immunity, in that they allege harm arising not from the mere fact 0f a security breach, but from the fact that third parties used that security breach t0 communicate harmful content. Zoom confirms that such claims are barred under Section 230. c. conclusion Plaintiffs’ “security” and “design” theories still “at bottom, depend[] 0n a third party’s content, without which n0 liability could [exist].” (Lemmon, supra, 995 F.3d at pp. 1094.) 12 KOOONONUl-hwwu-t NNNNNNNNNHHHHHHHHHH OONONM-PWNHOKOOONONm-PWNHO Lemmon and Zoom support, rather than undermine, the conclusion that CDA immunity bars these claims. 3. Contract-Related Claims Finally, Plaintiffs urge that their new claims for breach 0f implied contract and promissory estoppel avoid CDA immunity. With respect t0 this argument, they emphasize Zoom and one 0f the primary authorities 0n which it relies, Barnes v. Yahool, Inc. (9th Cir. 2009) 570 F.3d 1096 (Barnes). a. Plaintiffs’ allegations In support 0f the claim for breach 0f implied contract, Plaintiffs allege that they provided Defendants access t0 their personal non-public information as consideration for using the “array of online services, including Gmail and YouTube,” that Defendants provide. (SAC, 1] 186.) By providing and accepting that information, “Plaintiffs and Defendants entered into implied contracts,” pursuant t0 which “Defendants agreed t0 take reasonable steps t0 protect the confidentiality of Plaintiffs’ private non-public information, t0 not use 0r permit others t0 use that information for an unlawful purpose 0r in a way that would foreseeably harm Plaintiffs,” etc., and “not t0 expose Plaintiffs t0 an unreasonable risk 0fharm [while] using Defendants’ websites, such as by Defendants knowingly allowing criminals t0 use” their websites t0 defraud Plaintiffs. (Id., 1] 188.) “Defendants willfully violated Plaintiffs’ privacy interests by routinely selling, sharing, 0r otherwise disclosing Plaintiffs’ personal non-public information t0 criminals behind the BITCOIN GIVEAWAY scam for the purposes selling [sic] scam ads targeted at Plaintiffs” and failed “t0 take reasonable steps t0 avoid exposing Plaintiffs t0 unreasonable risks 0f harm, such as by recommending that they watch scam Videos and by having lax security practices that made YOUTUBE channels unreasonably vulnerable t0 unauthorized access and hijacking by criminals.” (161., 1] 193.) As t0 the promissory estoppel claim, Plaintiffs allege that “Defendants made various public and widely publicized promises about providing excellent security, protecting against scams, ensuring the accuracy 0f Video metrics and other Video and channel information, and using Plaintiffs’ personal non-public information and data in a responsible way ....” (SAC, 13 KOOONONUl-hwwu-t NNNNNNNNNHHHHHHHHHH OONONM-PWNHOKOOONONm-PWNHO 1] 197 [referencing statements alleges at paragraphs 59, 66-68, and notes 4-9 0f the SAC].) Plaintiffs relied 0n these statements by “us[ing] Defendants’ websites and online services more than [they] otherwise would have; refrain[ing] from seeking out alternative services that might present less 0f a risk t0 their privacy, security, and well-being; and [being] significantly less skeptical 0f the legitimacy and accuracy 0f . .. content and information that they Viewed 0n YOUTUBE than they otherwise would have been, including with respect t0 BITCON GIVEAWAY scam Videos and ads.” (Id., 1] 199.) b. analysis “In assessing whether a claim treats a provider as a publisher 0r speaker 0f user-generated content” for purposes 0fCDA immunity, “courts focus not 0n the name 0f the cause 0f action, but whether the plaintiff” s claim requires the court t0 treat the defendant as the publisher 0r speaker 0f information created by another.” (Murphy v. Twitter, Inc. (2021) 60 Cal.App.5th 12, 26 (Murphy), Citing Barnes, supra, 570 F.3d at pp. 1101-1 102 and Cross v. Facebook, Inc. (2017) 14 Cal.App.5th 190, 207 (Cross).) “This test prevents plaintiffs from avoiding the broad immunity 0f section 230 through the creative pleading 0f barred claims 0r using litigation strategy t0 accomplish indirectly what Congress has clearly forbidden them t0 achieve directly.” (Id. at pp. 26-27, quoting Hassell v. Bird (2018) 5 Cal.5th 522, 542, 541 (plur. opn.) (Hassell), internal quotation marks and other notations omitted.) While “some courts have rejected the application 0f section 230 immunity t0 certain breach 0f contract and promissory estoppel claims, many others have concluded such claims were barred because the plaintiff‘s cause 0f action sought t0 treat the defendant as a publisher 0r speaker 0f user generated content.” (Murphy, supra, 60 Cal.App.5th at p. 28 [collecting cases].) That was the case in Murphy, where the plaintiff asserted claims based 0n Twitter’s blocking 0f her content in supposed contravention 0f its own terms 0f service and related policies. Murphy explained that the substance 0f [the] complaint accuses Twitter 0f unfairly applying its general rules regarding what content it will publish Murphy does not allege someone at Twitter specifically promised her they would not remove her tweets 0r would 14 KOOONONUl-hwwu-t NNNNNNNNNHHHHHHHHHH OONONM-PWNHOKOOONONm-PWNHO not suspend her account. Rather, Twitter’s alleged actions in refusing t0 publish and banning Murphy’s tweets, as the trial court in this case observed, “reflect paradigmatic editorial decisions not t0 publish particular content” that are protected by section 230. (Murphy, supra, 60 Cal.App.5th at p. 29.) Murphy distinguished Barnes 0n the ground that in that case, “the plaintiff sought damages for breach 0f a specific personal promise made by an employee t0 ensure specific content was removed from Yahoo’s website.” (Id. at p. 29.) Barnes must be distinguished from our case for the same reason. And Murphy approved Cross, which- like this case-“involved liability for a service provider’s failure t0 remove third party content.” (Id. at p. 31.) Cross arose from the plaintiff’s allegations that Facebook improperly failed t0 remove a page that “incited Violence and generated death threats” against him. (Cross, supra, 14 Cal.App.5th at p. 194.) The court 0f appeal held that the entire complaint, including claims for breach 0f contract and negligent misrepresentation based 0n Facebook’s terms 0f service and related policies, must be struck as unmeritorious pursuant t0 the anti-SLAPP statute. The theory in Cross was similar t0 Plaintiffs’ promissory estoppel theory here: plaintiffs alleged that Facebook’s terms 0f service “ ...pr0hibited harassing and Violent speech against Facebook users [and] made an explicit promise t0 [plaintiff]: ‘We remove credible threats 0f physical harm t0 individuals.’ Facebook also stated that ‘[w]e want people t0 feel safe when using Facebook,’ and agreed t0 ‘remove content, disable accounts, and work with law enforcement when we believe there is a genuine risk 0f physical harm 0r direct threats t0 public safety.” (Cross, supra, 14 Cal.App.5th at p. 201.) But Cross explained that “even if statements in Facebook’s terms could be construed as obligating Facebook t0 remove the pages. . . [,] it would not alter the reality that the source 0f [plaintiff s] alleged injuries, the basis for his claim, is the content 0f the pages and Facebook’s decision not t0 remove them.” (Cross, supra, 14 Cal.App.5th at pp. 201-202.) So despite the 15 KOOONONUl-hwwu-t NNNNNNNNNHHHHHHHHHH OONONM-PWNHOKOOONONm-PWNHO plaintiff’s argument that he only sought t0 enforce Facebook’s “ ‘own promises and 3” representations t0 him (id. at p. 206, italics original), these claims were barred by CDA immunity (id. at pp. 206-207). While styled as claims for breach 0f contract and negligent misrepresentation, the claims treated Facebook as a publisher and sought t0 hold it liable for harmful third-party content. The same is true here, as t0 both the promissory estoppel and implied contract claims. In Zoom, by contrast, the contract-related claims were akin t0 the “security based” claims discussed above, in that they did not depend 0n third-party content. (See King v. Facebook, Inc. (N.D.Cal. Nov. 12, 2021, N0. 21-CV-04573-EMC) 2021 U.S.Dist.LEXIS 219277, at *35, fn. 7 [noting that the implied contract theory in Zoom alleged “Defendant was obligated t0 provide Plaintiffs with Zoom meetings that were suitable for their intended purpose 0f providing secure Video conferencing services, rather than other Video conferencing services vulnerable t0 unauthorized access. . .”].) T0 the extent Zoom suggests that contract-related claims are categorically exempt from CDA immunity, the Court disagrees (see id. at *35-36 [rejecting such a categorical rule]), and in any event, it is bound t0 follow Cross and Murphy 0n this point. Based 0n Cross and Murphy, Plaintiffs’ contract-related claims are barred by Section 230. 4. Failure t0 Warn Finally, Plaintiffs urge that their failure t0 warn claim avoids CDA immunity, citing Doe v. Internet Brands, Inc. (9th Cir. 2016) 824 F.3d 846 (Internet Brands). But in that case, the “failure t0 warn claim ha[d] nothing t0 d0 with Internet Brands’ efforts, 0r lack thereof, t0 edit, monitor, 0r remove user generated content.” (Id. at p. 852.) Here, Plaintiffs’ failure t0 warn claim alleges that Defendants failed t0 take exactly these types 0f actions-the same asserted failures they point t0 in connection with their other claims. (See SAC, W 94-97.) Plaintiffs specifically cite YouTube’s ability “t0 monitor channel activity and t0 identify, flag, and remove fraudulent content ....” (Id. at 1] 95.) T0 the extent that a portion 0f Plaintiffs’ failure t0 warn claim arises from allegations that Defendants had knowledge 0f the scheme at issue and “fail[ed] t0 generate [their] own 16 KOOONONUl-hwwu-t NNNNNNNNNHHHHHHHHHH OONONM-PWNHOKOOONONm-PWNHO warning”-the theory held t0 avoid CDA immunity in Internet Brands-this theory requires Plaintiffs t0 show Defendants had a duty 0f care based 0n misfeasance 0r a “special relationship” with them. (Internet Brands, supra, 824 F.3d at pp. 850, 852 [noting that the existence 0f a “special relationship” was not before the court 0n appeal].) But the Ninth Circuit’s recent opinion in Dyroflrejected this notion in circumstances fundamentally the same as those here: where bad actors allegedly used neutral tools provided by the defendant t0 promote harmful content. (See Dyrofl, supra, 934 F.3d at pp. 1100-1 101 .)7 7 Dyroflexplained: Ultimate Software owed Greer n0 duty 0f care because Experience Project’s features amounted t0 content-neutral functions that did not create a risk 0f harm. Plaintiff rests her “failure t0 warn claim” 0n a misguided premise that misfeasance by Ultimate Software created a duty t0 Greer. When analyzing a duty 0f care in the context 0f third-party acts, California courts distinguish between “misfeasance” and “nonfeasance.” Melton v. Boustred, 183 Cal. App. 4th 521, 531, 107 Cal. Rptr. 3d 481 (2010). Misfeasance is when a defendant makes the plaintiff’s position worse while nonfeasance is when a defendant does not help a plaintiff. Lugtu v. Cal. Highway Patrol, 26 Cal. 4th 703, 716, 110 Cal. Rptr. 2d 528, 28 P.3d 249 (2001). Misfeasance, unlike nonfeasance, creates an ordinary duty 0f care where none may have existed before. See id. Ultimate Software did not make Plaintiff’s son, Greer, worse off because the functions Plaintiff references-recommendations and notifications-were used regardless 0f the groups in which a user participated. N0 website could function if a duty 0f care was created when a website facilitates communication, in a content- neutral fashion, 0f its users’ content. See e.g., Klayman v. Zuckerberg, 753 F.3d 1354, 1359-60, 410 U.S. App. D.C. 187 (D.C. Cir. 2014) (n0 special relationship between Facebook and its users). We decline t0 create such a relationship. Accordingly, the district was correct t0 dismiss Plaintiff‘s duty t0 warn claim. (Dyroflf supra, 934 F.3d at pp. 1100-1 101 .) Contrary t0 Plaintiffs’ argument, Brown v. USA Taekwondo (2021) 11 Cal.5th 204 is not t0 the contrary. (See id. at pp. 214-216 [discussing California’s distinction between misfeasance and nonfeasance and describing how a “special relationship” may create a duty even in cases 0f nonfeasance; affirming that “[w]here the defendant has neither performed an act that increases the risk 0f injury to the plaintiff nor sits in a relation t0 the parties that creates an affirmative duty t0 protect the plaintiff from harm ..., our cases have uniformly held the defendant owes n0 legal duty t0 the plaintiff’].) 17 KOOONONUl-hwwu-t NNNNNNNNNHHHHHHHHHH OONONM-PWNHOKOOONONm-PWNHO C. Conclusion For these reasons as well as the reasons discussed in the June Order, the Court again SUSTAINS Defendants’ demurrer in its entirety based 0n CDA immunity (and 0n the alternative ground that Plaintiffs fail t0 state a claim for failure t0 warn, t0 the extent a portion 0f that claim avoids CDA immunity). Plaintiffs d0 not explain how they could amend their complaint t0 avoid CDA immunity and n0 reasonable possibility 0f this appears t0 the Court. So this time, the Court will not grant leave t0 amend. (See Camsi IV v. Hunter Technology Corp. (1991) 230 Cal.App.3d 1525, 1542 [“absent an effective request for leave t0 amend in specified ways,” it is an abuse 0f discretion t0 deny leave t0 amend “only if a potentially effective amendment were both apparent and consistent with the plaintiff’s theory 0f the case”]; see also Hendy v. Losse (1991) 54 Cal. 3d 723, 742 [“the burden is 0n the plaintiff. .. t0 demonstrate the manner in which the complaint might be amended”].) Finally, because the demurrer must be sustained without reference t0 these documents, the Court DENIES Defendants’ request for judicial notice 0f YouTube’s Terms 0f Service and Privacy Policy as moot. III. MOTION TO LIFT DISCOVERY STAY The August Order explained the Court’s View that the public policy supporting CDA immunity generally overrides a plaintiff’s right t0 discovery where the operative complaint fails t0 allege any claim avoiding Section 230. The Court stands by that reasoning, and the operative complaint still does not state a claim that avoids CDA immunity.8 So the Court again DENIES Plaintiffs’ motion t0 lift the discovery stay. IV. CONCLUSION The Court has sympathy for the Victims 0f this cryptocurrency scam, including Mr. Wozniak. And perhaps Section 230 should be amended t0 give such Victims some avenue 0f relief against YouTube 0r other social media companies. But as the Court understands the 8 Nor d0 Plaintiffs articulate why they need discovery t0 amend their complaint t0 d0 so. Rather, they merely propose four general categories 0f discovery that they wish t0 propound related t0 their existing allegations. 18 KOOONONUl-hwwu-t NNNNNNNNNHHHHHHHHHH OONONM-PWNHOKOOONONm-PWNHO current state 0f the law, such relief against YouTube-at least under these alleged facts-is barred by the CDA. The Court therefore SUSTAINS Defendants’ demurrer WITHOUT LEAVE TO AMEND, and DENIES Plaintiffs’ motion t0 lift the discovery stay. IT IS SO ORDERED. Date: The Honorable Sunil R. Kulkarni Judge 0f the Superior Court 19 January 26, 2022