By Robert Milligan and Jeffrey Oh
For the past three years, social media platform Facebook has pursued legal action against social media aggregator Power Ventures (“Power”) over what it has viewed as a blatant violation of state and federal law. Filed by Facebook in December 2008, the suit alleges violations by Power of the CAN-SPAM Act in addition to the Computer Fraud and Abuse Act (“CFAA”) (18 U.S.C. § 1030) and the California Comprehensive Computer Data Access and Fraud Act (California Penal Code § 502). Facebook generally alleged that Power accessed its website in an unauthorized manner, and then utilized this unauthorized access to send unsolicited and misleading commercial emails to Facebook users.
On February 16, 2012, United States District Chief Judge James Ware of the United States District Court for the Northern District of California granted Facebook’s Motions for Summary Judgment on all three counts. The Court’s decision is potentially significant and groundbreaking for social media companies, like Facebook, and social media aggregators, like Power Ventures, concerning data collection by aggregators that violates social media companies’ terms of service. The Court also asked for additional briefing on the amount of damages Facebook should receive and the individual liability of Power’s CEO.
The decision also highlights issues regarding social media sites and spam, as well as the more significant issue of user control of their own data on social media sites. One commentator has remarked that the natural question that begs to be asked is “if Facebook users own their own data, why can’t they choose the way it’s accessed?” Another commentator has stated that the upshot of the decision is that “if users want to access data, they have to do so on Facebook’s terms, and may not do so using a third party tool that is not a part of Facebook’s developer platform.”
Power Ventures
Launched in August 2008, Power Ventures is a web service designed to offer users of multiple social platforms a one-stop solution for accessing their networks. Using login credentials disclosed by its users, Power gathers data from various sites, such as Facebook, and aggregates it on its own site. For its part, Facebook offers its own application programming interface (API) which allows third-party developers to use Facebook user data in their applications. However, after determining that the Facebook API did not include access to all of the relevant user data they wanted, Power instead allegedly used their users’ login information to access and save cached versions of Facebook pages, scraping these webpage snapshots for data. Additionally, in a “Launch Promotion,” Power allegedly gathered the names of its users’ Facebook friends and offered a chance at a $100 prize in return for agreeing to send them an invite to Power’s service. The subsequent invitations to join were allegedly sent through Facebook’s message service and used a “@facebookmail.com” address instead of a Power.com address.
CAN-SPAM Act
Passed in 2003, the CAN-SPAM Act makes it “unlawful for any person to initiate the transmission, to a protected computer, of a commercial electronic mail message, or a transactional or relationship message, that contains, or is accompanied by, header information that is materially false or materially misleading.” 15 U.S.C. § 7704(a)(1). Facebook argued that Power initiated misleading messages to its users inviting them to join Power’s service. Coming from the “@facebookmail.com” address, the message allegedly initiated by Power came from Facebook’s servers and contained no return address where Power could be reached, nor any header information identifying Power as the initiator of the message.
As an Internet access service provider (IAS provider), Facebook is permitted to assert a cause of action (and obtain statutory damages) if it is able to establish standing under the CAN-SPAM Act, i.e., if Facebook was “adversely affected” by the alleged violations. Testifying to this essential element, which the Court credited, Facebook documented its expenditures in response to Power’s actions, including associated legal fees as well as the cost of increased technical measures to attempt to prevent the spamming.
The Court noted that Power’s spamming activity was ongoing, prolific, and did not stop after requests from the network owner. The Court reasoned that to hold that Facebook originated the emails merely because Facebook servers sent them would ignore the fact that Power intentionally caused Facebook’s servers to do so, and created a software program specifically designed to achieve that effect. The Court also reasoned that the emails did not contain any return address or any address anywhere in the email that would allow a recipient to respond to Power. Thus, the Court concluded that the header information did not accurately identify the party that actually initiated the email and the header information was materially misleading. Consequently, the Court ruled in favor of Facebook, finding Power to be in violation of the CAN-SPAM Act.
Computer Fraud and Abuse Act & California Penal Code § 502
The Computer Fraud and Abuse Act is a federal law designed to, among other things, combat hacking, cracking of computer systems, and other computer-related offenses. In this case, Facebook sued Power under a subsection of the act (18 U.S.C. § 1030(a)(2)(C)) which provides that it is unlawful to “intentionally access[] a computer without authorization or exceed[] authorized access, and thereby obtain[]…information from any protected computer.” Similarly, Facebook also asserted a claim under California Penal Code § 502, a state statute that aims to prevent entities and individuals from “knowingly and without permission” accessing and taking, copying, or making use of data from computers, computer systems, or computer networks. Though Power gained access to Facebook pages using login information provided by its users, the automated process by which Power obtained user data is a violation of Facebook’s terms of use. As a result, Facebook argued that Power did not in fact have authorized access (under Facebook’s own terms of use) to the user profiles it gathered, or the subsequent data therein, and was in violation of both § 502 as well as the CFAA.
While the Court did not agree that simply violating a network’s terms of use was enough to warrant the distinction of “without permission” under § 502, it established a new standard for unauthorized access by distinguishing access which “circumvents technical or code-based barriers in place to restrict or bar a users’s [sic] access.” In support of this additional requirement, Facebook detailed its efforts to block Power’s IP address and access, as well as the adjustment of Power’s software to circumvent this measure. Additionally, Facebook pointed to emails by Power’s CEO, as well as transcripts of discussions with his staff in which the CEO warns them of Facebook’s potential countermeasures and the need to not be detected. Given the Power CEO’s anticipation of potential blocks to Power’s methods, as well as Power’s actual circumvention of Facebook’s IP blocks, the Court ruled that Power did in fact access Facebook’s servers without permission and was in violation of California Penal Code § 502. Similarly, after crediting Facebook’s showing of Power’s violation of § 502 and considering Facebook’s costs to attempt to thwart Power’s unauthorized access, which were in excess of the $5,000 minimum damage or loss threshold mandated by 18 U.S.C. § 1030, the Court also found Power to be in violation of the CFAA.
Conclusion and Takeaways
In response to the decision, interested parties have voiced differing views. Facebook’s lead litigation counsel has been quoted by Bloomberg News as saying: “We will continue to enforce our rights against bad actors who attempt to circumvent Facebook’s privacy and security protections and spam people.” The EFF has criticized the decision, stating that the case “demonstrates the difficulties facing those who seek to empower users to interact with closed services like Facebook in new and innovative ways.”
Though successful in proving that Power accessed its site without permission, Facebook’s victory may be bittersweet for the social networking giant. Previously, Facebook relied heavily on its incredibly robust terms of use to safeguard itself from what it viewed as abuse of its service. Now, given the Court’s standard for what constitutes access “without permission,” Facebook, as well as other Internet-based services, must focus even more heavily on incorporating protective measures into its website’s code and allocate more resources to promptly respond to threats from outsiders like Power. Monitoring a network the size of Facebook’s for unauthorized access may be a daunting technical task and the security investigation costs may be significant, yet failing to do so may cost even more to a service dependent upon users who may expect privacy and security. Companies that traffic in secured information should be sure to invest in comprehensive protective measures designed to keep unauthorized users out, whatever their purpose. Crafting a comprehensive terms of use that explicitly outlines what is acceptable is still important to protecting a company from misappropriation or abuse as it helps to establish clear boundaries for authorized access. However, while a strong terms of use is necessary, it is not sufficient to gain the full protections of the CFAA and California Penal Code § 502 for social networking services, such as Facebook, at least according to this Court.