Protecting Restaurants from Botnet Manipulation of Online Reviews

In the Internet economy, restaurateurs, especially owners and operators of non-chain restaurants, are often at the mercy of users of review websites and applications such as Yelp and TripAdvisor and social media platforms such as Facebook. While such platforms can serve as a valuable source of free advertising and publicity for restaurants, they can also pose an existential threat to a restaurant’s survival.

According to a 2017 conducted by Professor Michael Luca of Harvard Business School, non-chain restaurants with low or middling Yelp reviews were more likely to go out of business than those with positive Yelp reviews, as demonstrated by the fact that after San Francisco increased its minimum wage, restaurants with 3.5 star average ratings were 14 percent more likely to close, while those with five-star average ratings were no more likely to close. A 2016 study conducted by Professor Luca also found that a one-star increase in a non-chain restaurant’s Yelp rating aggregated from all user reviews led to a five percent to nine percent increase in revenue.

Restaurants whose economic viability often hinges on their Yelp and TripAdvisor ratings now face a grave threat in the form of Botnets capable of manipulating a restaurant’s average rating in a matter of seconds or minutes. Botnets are networks of computers or devices infected with malware that places them under all under the control of a single hacker who can command them all to act in unison with a single key stroke. For example, if a hacker controlling a Botnet consisting of 20,000 computing devices “likes” a post on Twitter, all 20,000 computing devices will immediately “like” the post in question.  Botnets suspected of being controlled by Russian agents were famously used to disseminate political propaganda on social media in the days and weeks leading up to the 2016 United States Presidential Election.

If a hacker controlling a Botnet consisting of 20,000 computing devices 'likes' a post on Twitter, all 20,000 computing devices will immediately 'like' the post in question.

Just as Botnets were used to disseminate and amplify false and misleading content about politicians and political parties in 2016, Botnets can be used to inundate review websites such as Yelp and TripAdvisor and social media platforms such as Facebook with negative reviews about a given restaurant. In 2018, a flight price comparison website reportedly received an email threatening to use Botnets to instantaneously spam online review websites with disparaging posts about its services if it did not pay the sender approximately $10,500 worth of Bitcoin. Given the impact of online reviews on a restaurant’s revenue and viability, restaurateurs who receive such threatening emails may feel as if their businesses are in imminent danger and they have no option but to the pay funds demanded, despite the risk that doing so may encourage the perpetrator to continue to target them. Therefore, such would-be cyber extortionists would likely consider restaurants to be some of the most inviting targets for their schemes.

Moreover, a business owner seeking to eliminate competition and monopolize a local market could hire a hacker to use Botnets to inundate online review and social media platforms with negative reviews about competing restaurants until they are forced to close their doors for good. Similarly, a disgruntled tech-savvy former restaurant employee seeking revenge on his former employer could independently utilize a Botnet to attack his or her former employer with negative reviews.

United States restaurateurs victimized by a deluge of Botnet-generated negative online reviews may have little or no legal recourse, thanks in large part to Section 230, a federal statute enacted in 1996 which immunizes online platforms from civil or criminal liability for content provided by another person or entity.  In recent years, federal courts have held that online review platforms such as Yelp are immune from lawsuits by businesses allegedly disparaged by false negative reviews posted by the platforms’ users. Since it is often very difficult as a practical matter to identify the controllers and creators of Botnets that post negative reviews on online review or social media platforms and even more challenging to serve process upon or collect on a judgment against such parties, many of whom are located in foreign countries hostile to United States interests such as Russia, China, Iran, and North Korea, restaurants victimized by Botnet-manipulated online reviews likely have no practical means of seeking recourse in the form of monetary damages compensating them from the lost revenue resulting from negative online reviews or an injunction ordering the removal of the disparaging and false reviews if they are unable to bring legal actions against the platforms themselves.

United States restaurateurs victimized by a deluge of Botnet-generated negative online reviews may have little or no legal recourse …

Despite these legal obstacles, a restaurant on the receiving end of Botnet-generated negative online reviews may be able to bring an action against the online platform on which the reviews were posted by arguing that a Botnet is not a person or entity for the purpose of Section 230. Although online platforms could argue that a Botnet is simply a tool used by a person or entity and a hacker using a Botnet to post a negative review 20,000 times in a matter of seconds is no different from a typical user who uses an iPhone to post a single negative review, a restaurant could argue that Botnets did not exist and were not contemplated by the Congress that enacted Section 230 nearly a quarter century ago when the Internet was in its infancy and nobody could have reasonably conceived of a circumstance in which a single individual would have the technical ability to almost instantaneously post a single piece of content thousands of times. Given this context in which Section 230 was enacted and the fact that a Botnet itself is neither a natural person nor a legal entity such as a corporation, partnership, or trust, a restaurant could argue that interpreting the statute to immunize online platforms from liability for content posted by Botnets rather than human users would extend the statute beyond its intended meaning and Section 230 should not apply to content posted by Botnets.

Even if courts hold that Section 230 applies to content posted by Botnets the same as content posted by actual human users, Congress could potentially enact a statute amending Section 230 to exempt Botnets and Botnet users from the statute’s definition of a person or entity. Given the recent criticism of Section 230 by politicians across the political spectrum including House Speaker Nancy Pelosi, Republican Senators Ted Cruz of Texas and Josh Hawley of Missouri, and former Vice President Joe Biden, who called for the complete repeal of the statute amidst his ongoing Presidential campaign, the current political climate may be amenable to such reform.

Given the threat of extortionists, competitors, disgruntled employees, and other malicious actors utilizing Botnets to the survival of America’s restaurants, the restaurant industry should advocate for and Congress should strongly consider enacting such reforms, which would provide legal recourse to restaurants victimized by Botnet-mediated disparagement and incentivize large technology companies to implement safeguards to keep their platforms free from Botnets. By enacting such an amendment to Section 230, Congress could protect the survival of thousands of restaurants that provide a living for small business owners and workers across the country and form the backbone of countless local economies.