Zounds, right? But that is arguably what the U.S. Court of Appeals for the Ninth Circuit said about the Computer Fraud and Abuse Act in Facebook v. Power Ventures, Inc. on July 12th. Let’s get to it.
Power Ventures and its CEO Steven Vachani operated a social network called Power.com. The concept was simple. People using other social networking sites could create a Power account to aggregate the user’s social networking information. The users could keep track of a variety of social networking friends through a single program and click through the central Power website to individual sites. By 2008, the website had attracted a growing following. Maybe it was even a good idea! I don’t know.
In Dec. 2008, Power began a promotional campaign to attract more traffic to its website; it hoped that Facebook users would join its site. Power placed an icon on its site with a promotional message that read: “First 100 people who bring 100 new friends to Power.com win $100.” The icon included various options for how a user could share Power with others. If a user clicked the “Yes, I do!” button on the icon, Power would create an event, photo, or status on the user’s Facebook profile.
In many instances in this campaign, Power caused messages to be transmitted to the user’s friends within the Facebook system. At other times, depending on a Facebook user’s settings, Facebook generated an e-mail message. If, for example, a Power user shared the promotion through an event, Facebook generated an e-mail message to an external e-mail account from the user to friends. The e-mail message gave the name and time of the event, listed Power as the host, and said the Power user was inviting the recipient to this event. The external e-mails were form e-mails, generated each time a Facebook user invited others to an event. The “from” line in the e-mail stated that the message came from Facebook; the body was signed, “The Facebook Team.”
On Dec. 20, 2008, Facebook sued under the Computer Fraud and Abuse Act, among other causes of actions, and toward the end of Jan. 2009, Power ended its campaign. In April 2011, Power ceased doing business altogether. In total, more than 60,000 external e-mails promoting Power were sent through the Facebook system. An unknown number of internal Facebook messages were also transmitted.
The CFAA in the Ninth Circuit
The CFAA prohibits acts of computer trespass by those who are not authorized users or who exceed authorized use. It creates criminal and civil liability for whoever “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C). The CFAA provides a private right of action for “[a]ny person who suffers damage or loss by reason of a violation of this section.” 18 U.S.C. § 1030(g). The court was able to determine quickly that in investigating and responding to Power’s actions, Facebook had suffered a loss.
More critically, did Power access Facebook’s computers knowing it wasn’t authorized to do so? In a very recent case discussed here (Nosal II), a Ninth Circuit panel was “asked to decide whether the ‘without authorization’ prohibition of the CFAA extends to a former employee whose computer access credentials have been rescinded but who, disregarding the revocation, accesses the computer by other means.” The court said yes, and held that “without authorization" is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.” Also, “[t]his definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party.”
Here, initially, Power users arguably gave Power permission to use Facebook’s computers to disseminate messages. Power could reasonably have thought that consent from Facebook users to share the promotion was permission for Power to access Facebook’s computers. But Facebook expressly rescinded that permission when Facebook issued its written cease and desist letter to Power on Dec. 1, 2008.
Power admitted that, after receiving notice that its use of or access to Facebook was forbidden by Facebook, it “took, copied, or made use of data from the Facebook website without Facebook’s permission to do so.” It circumvented IP barriers that further demonstrated that Facebook had rescinded permission for Power to access Facebook’s computers.
Is that right?
Um, not everybody thinks so! Here’s what Orin Kerr, who knows a lot more about computer crime than you or me, says:
The implications could be staggering. It seems entirely possible that the Ninth Circuit could grant a petition for rehearing en banc. We’ll see.