In 1993, a bulletin board system operator named Cubby, Inc. sued CompuServe for defamatory content posted by a user. The court held that CompuServe, as a mere distributor of content it did not create, was not liable. Three years later, Congress codified and expanded this principle in Section 230 of the Communications Decency Act, creating the immunity framework that has shaped internet law for three decades.
Section 230 was designed for a world of human users and passive platforms. The platform provides infrastructure; humans create and consume content; the platform is not treated as the publisher of user-generated content. But what happens when the "user" is an AI agent, and the "content" is an autonomous action taken by that agent using the platform's tools?
Modern AI agents do not merely generate text. They use tools. An agent might invoke a web search API to gather information, a code execution environment to run computations, a payment processing API to complete transactions, an email API to send communications, or a database API to read and write records.
Each of these tools is provided by a third party—a tool provider—that exposes its functionality through an API. The tool provider designed the API for use by software developers and, by extension, their applications. But the tool provider may not have anticipated that its API would be consumed by an autonomous agent capable of chaining multiple tool calls together in pursuit of goals that no human specified in advance.
This is the transformation problem: a web search API that returns search results is a neutral informational tool when a human reads the results and decides what to do. When an agent receives the results and autonomously acts on them—composing a report, making a decision, sending a message—the tool's role in the causal chain has changed. The human decision-maker who once stood between the tool's output and any consequential action has been removed.
Not all tool providers face the same exposure. We find it useful to think about tool provider liability along a spectrum:
At one end of the spectrum are providers of basic infrastructure: cloud computing, data storage, network connectivity. These providers are the farthest removed from the agent's actions and face the least liability exposure. Their services are general-purpose and content-neutral; they have no knowledge of or control over how their infrastructure is used by any particular agent.
In the middle are providers of general-purpose tools: search APIs, email-sending services, calendar management, file storage. These tools have specific functionality but are not designed for any particular use case. When consumed by an agent, they enable actions that the tool provider did not specifically intend—but also did not specifically prevent.
At the other end are providers of tools specifically designed for agent consumption: agent orchestration platforms, tool-calling APIs, agent-specific SDKs. These providers know their tools will be used by autonomous systems and have designed them for that purpose. Their knowledge and intent may increase their exposure.
Section 230(c)(1) provides that "[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." For tool providers, the question is whether this immunity applies when their service is consumed by an AI agent.
The answer may depend on what role the tool provider plays in the content-creation chain. If a search API returns results that an agent then uses to compose a defamatory message, is the search provider "publishing" the defamatory content? Under current Section 230 doctrine, probably not—the search results themselves are not defamatory, and the agent (or its operator) is the one who created the harmful output.
But consider a different scenario. A tool provider offers an API that generates text in response to prompts. An agent uses this API as part of a multi-step workflow that produces harmful content. Is the tool provider a "publisher" of the harmful content? The line between "tool" and "publisher" becomes blurred when the tool's output is itself content that feeds directly into the harmful action.
The Supreme Court's decisions in Gonzalez v. Google LLC, 598 U.S. 617 (2023), and Twitter, Inc. v. Taamneh, 598 U.S. 471 (2023), addressed related questions in the context of algorithmic recommendation and amplification, but did not squarely address the agentic scenario. In Gonzalez, the Court declined to narrow Section 230 immunity for algorithmic recommendations. In Taamneh, the Court held that mere passive facilitation of user activity does not constitute aiding and abetting under the Anti-Terrorism Act. Both cases provide useful signals, but neither resolves the specific questions that arise when tools are consumed by autonomous agents.
A critical variable in tool provider liability is knowledge. Does the tool provider know that its service is being consumed by an AI agent? Does it know the nature of the agent's task? Does it know the potential for harm?
Many tool providers today do not know whether their API calls come from human-directed software or from autonomous agents. But this is changing. As agent-specific APIs, SDKs, and tool-calling protocols become more common, tool providers will increasingly know—or have reason to know—that their services are being consumed by agents.
Knowledge matters because it affects the foreseeability analysis. If a tool provider knows its service is being used by an autonomous agent, the provider arguably has a duty to consider how the agent might use the tool in harmful ways. If the provider does not know, the case for duty is weaker.