After this month’s discussion on the statutes that prohibit the unauthorized access of email accounts and digital assets, one might wonder how these statutes may apply in a case. However, in the lengthy saga of Facebook v. Power Ventures, the Ninth Circuit issued a determination giving a bright line example of what would not be permissible under the law. So, how did Power Ventures violate these unlawful access laws? How did they attempt to move around the laws? What was Facebook’s argument, that has thus-far prevailed in the courts?
This case focuses on Power’s use of Facebook through the actions of other users. Power, a type of social media aggregator, would allow users to “link” Facebook, Twitter, and other social media accounts to permit control from a single website. From there, Power would “scrape” data under the permission of the Facebook users. However, this was against Facebook’s terms and conditions. Power would also invite users to invite others in spam-like messages, as well as deploying bots. This ultimately resulted in an IP-based ban against Power. Yet, Power evaded those bans and defied a cease and desist letter, prompting Facebook to sue based on CAN-SPAM, Penal Code 502, and CFAA.
While Power prevailed on the CAN-SPAM act–the messages did not have deceptive headers in the opinion of the court–Power failed on its violations of the California Penal Code 502 and Computer Fraud and Abuse Act (CFAA). The court’s focus on the CFAA was a two-pronged issue. There was the access prior to Facebook sending a cease and desist, and the access after it. For the access prior, the Ninth Circuit found that Power users gave it permission to access Facebook’s computers. The analogy was as if a person lets a friend access his/her e-mail account: The user, and not the service provider, would have the ability to give permission to access.
Yet, this would not mean that a service provider is powerless. The court found that Facebook’s cease and desist letter, and other measures were sufficient to state that Penal Code 502 and CFAA were violated. In a real world example the court outlined, it would be as if a person gave a friend permission and access to a safe deposit box at a bank. Then, the friend enters the bank while carrying a rifle, and is barred from the property. Under that rationale, the cease and desist letter was adequate to “revoke” the access that Facebook users gave to Power, and made Power liable for all the access after the revocation.
The Ninth Circuit’s opinion makes two things abundantly clear: First, users are a primary factor in determining authorized access and a service provider can revoke access. If a user already has authorized access, then allowing access to a third party is permissible. However, if the service provider determines that access is undesirable, or otherwise against its terms, any other attempt to access its computers opens others to liability. Second, timing matters as to whether liability opens. For example, access by a former employee before revocation would be permissible, while any access after would not.
At our law firm, we assist clients with legal issues related to internet, technology, and e-commerce transactions. Please contact us to set up an initial consultation.