By Robert Milligan and Joshua Salinas
The Ninth Circuit’s important U.S. v. Nosal decision is gaining momentum. On September 14, 2011, a California district court in Facebook v. MaxBounty, the Honorable Jeremy Fogel, presiding, became one of the first courts to apply Nosal, reaffirming that the violation of computer use policies constitutes “exceeding authorized access” under the Computer Fraud and Abuse Act (CFAA). In doing so, Facebook arguably reinforced the legal protections for employers against employees who steal or remove electronic files or data in violation of their employers’ written computer-use restrictions.
Facebook is one of the most popular social networking websites with more than 500 million active users. It requires users to agree to its terms of use, which include regulation and restrictions regarding advertising on its website. Facebook’s advertising guidelines prohibit advertisements that are fraudulent, deceptive, or misleading.
Maxbounty is an online advertising and marketing company that drives internet traffic to its customers’ websites.
Facebook alleged that MaxBounty engaged in impermissible advertising and commercial activity on its website. Facebook alleged that MaxBounty created Facebook pages that were intended to re-direct unsuspecting Facebook users to third-party commercial websites.
Facebook brought a claim, inter alia, under the CFAA against MaxBounty for “knowingly and with intent to defraud, access[ing] of a protected computer without authorization or exceeding authority.” 18 U.S.C. § 1030(a)(4).
MaxBounty moved to dismiss Facebook’s CFAA claim per Federal Rule of Procedure 12(b)(6). MaxBounty argued that it could not act “without authorization” or “exceed authority” because Facebook granted MaxBounty access to the Facebook website.
The district court rejected MaxBounty’s argument, citing Nosal’s holding that “an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has ‘exceed [ed] authorized access.” U.S. v. Nosal, 642 F. 3d 781, 789 (9th Cir. 2011). The court stated that MaxBounty agreed to Facebook’s terms of use, which placed restrictions on Maxbounty’s use of Facebook’s website.
MaxBounty argued that because Facebook granted it access to the Facebook site, it could not have exceeded its “authorized access” within the meaning of the CFAA. However, the court noted that Facebook alleged that MaxBounty and its affiliates registered for Facebook accounts and accepted Facebook’s terms of use, which places restrictions on their use of the Facebook site. In this light, the court found that Facebook’s allegations were sufficient to state a claim under the CFAA.
This case is significant because it is one of the first cases to apply Nosal’s holding that the violation of computer-use policies constitutes “exceeding authorized access” under the CFAA. As discussed in our prior blog, Nosal provides employers in the Ninth Circuit with a clear CFAA remedy against dishonest employees who exceed their authorized access of their employers’ computer systems. Facebook fortifies that protection and encourages employers to take proactive steps with well written computer-use policies and procedures.