Imagine if you could manage all of your social media platforms on one app. Believe it or not, there was an app for that (or, at least a website), created by a company named Power Ventures (“Power”). Back in 2008, Power instituted its “Power 100” campaign, which offered its users the chance to win $100 if they invited 100 friends to join. After asking its users’ permission, Power would access its users’ Facebook accounts to send messages to friends of its users to encourage them to join Power. These messages were sent to friends of Power users from email addresses containing Facebook in the source name (e.g., firstname.lastname@example.org), thus giving the impression that the messages came from Facebook personnel, not from Power.
Lo and behold, the “real” Facebook became aware of Power’s plan and tried to stop it through the use of an IP block, which Power was able to overcome. Facebook continued combatting Power’s activity by sending cease and desist letters, reiterating how Power’s activities went beyond the scope of its authorized use, but Power failed to act in compliance with these requests. Thereafter, Facebook slapped Power with a lawsuit, alleging (among other things) a violation of the Computer Fraud and Abuse Act (“CFAA”), primarily based on Power’s unauthorized use of Facebook data and systems. Four years later in 2012, the U.S. District Court for the Northern District of California found that Power indeed violated Section (a)(2)(C) of the CFAA. The following year, the district court issued an order granting not only a permanent injunction against Power, but also prescribed damages in excess of $3 million to be paid to Facebook.
Status of the Case
As perhaps any party would do following such a dismal outcome at district court, Power decided to appeal to the Court of Appeals for the Ninth Circuit. Oral arguments were heard in December, and a Ninth Circuit court opinion is expected to come down in the coming months.
Ninth Circuit Oral Argument
At oral argument, counsel for Power argued that Power could not have violated the CFAA because it never owned the data at issue in the case. As such, it was beyond Facebook’s power to grant or deny authorization to user accounts to third-parties. Counsel pressed that acting with authorization means one has authorization from the owner of the data; Facebook, according to Power’s counsel, explicitly disclaimed ownership of such data. In other words, because individual Facebook users granted Power access to their accounts, Power was acting within the scope of authorization, and is therefore not liable to Facebook under the CFAA.
From another standpoint came Power’s former CEO, Steve Vachani, who made a statement that Facebook, now a social media giant, is acting anti-competitively by still litigating this case after seven years. Counsel for Facebook disagreed, saying that his client was not being anti-competitive, but rather acting in compliance with its legal obligations.
This is not the only CFAA-related case the Ninth Circuit has faced as of late. Some time ago, the court heard oral arguments for the U.S. v. Nosal case, blogged here. Given the recent interest in this CFAA line of cases, commentators have piped up and expressed their thoughts on the CFAA and its application to password sharing scenarios.
For instance, the Electronic Frontier Foundation (“EFF”) wrote as amici in support of Power’s position, noting that Facebook’s use of the CFAA is “dangerous to follow-on innovators and consumers and would criminalize widely accepted Internet behavior.”
Additionally, Professor Orin Kerr appears to support curbing the interpretation and application of the CFAA to password sharing scenarios and believes any user of a personal account may authorize a third-party agent to access the account, but such would not be the case if the individual were acting within the scope of employment. In other words, if the individual gave her employer’s account credentials to a third-party agent for the third-party’s own purposes, that would not constitute authorization because it would be beyond the employer’s grant of authorization to its employee.
Given the compensatory and equitable damages awarded to Facebook at the district court level, it will be especially interesting to see if the Ninth Circuit upholds the district court findings and damages, especially against a now defunct company. Upholding the district court’s damages award will certainly call practitioners and their clients to attention.
It will also be interesting to see if the Ninth Circuit somehow consolidates its rationale in Nosal into this case, and finally carves a distinction between password sharing in the workplace and personal password sharing scenarios.