Unpermitted Use of Facebook Violated Federal Hacking Law, 9th Says
A social media company that accessed Facebook user's profiles, with the user's permission but against warnings from Facebook, violated a federal anti-hacking law, the Ninth Circuit ruled on Tuesday. Power.com, a now-defunct social network aggregator, had encouraged its users to recruit others through their Facebook accounts, sending form messages and emails promoting its website. And they persisted after being told to knock it off. That continued access of Facebook, after the company issued a cease and desist, constituted a violation of the Computer Fraud and Abuse Act, the Ninth Ruled.
The ruling is the Ninth Circuit's second decision taking a broad interpretation of the CFAA in as many weeks and it should give any computer user pause.
The CFAA and Power.com
In the late aughts, Power Ventures, a startup helmed by Steven Vachani, operated a website called Power.com, which sought to aggregate users' social media accounts. Sign in to Power.com and you could see all your information from the social web in one spot, bringing together Facebook, MySpace, LinkedIn, what have you.
To promote the service, Power encouraged users to recruit others from Facebook. Asked if they wanted to share Power with friends, Power users could click a button labeled "Yes, I do!" and Power would create an event, photo, or status that would be shared through the user's Facebook profile.
Not pleased with a competitor creeping in on its business (and ignoring the terms of its Developer Agreement), Facebook issued a cease and desist letter to Power, telling it to stop all such activities. Power didn't, and Facebook eventually sued under the CFAA and an anti-spam statute, winning a $3 million judgment in district court.
Nosal II's Immediate Impact
The main question at issue on appeal was whether Power's continued access of Facebook, through Power users' Facebook accounts, constituted a violation of the anti-hacking law. The CFAA creates criminal and civil liability for anyone who "intentionally accesses a computer without authorization or exceeds authorized access" and subsequently "obtains information." Was Power's use of Facebook access "without authorization?"
The Ninth Circuit said yes. While Power initially had an implicit right to access Facebook, that right was terminated when Facebook sent the cease and desist. Everyone after that was unauthorized access, in violation of the CFAA.
In so ruling, the Ninth relied on United States v. Nosal, a case decided just seven days earlier. (You may have heard about that case through the many, many articles declaring that it was now a federal crime to share your Netflix password.) In that case, known as Nosal II, the Ninth ruled that a former employee, David Nosal, had violated the CFAA by using his executive assistant's password to access his former company's computers, after his own access privileges had been terminated.
In that case, the court explained, "once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party." As with Nosal, so too with Power.
Reasons to Be Concerned?
The Ninth Circuit's reading of the CFAA in both Nosal II and the case at hand, Facebook v. Vachani, could greatly expand the reach of the statute's civil liability provisions. If there is one saving grace in the Vachani decision, it's that the Ninth Circuit reaffirmed its prior holding that a violation of a website's terms of use alone does not constitute violation of the CFAA.
But there's not a lot of logic behind that distinction. As Orin Kerr notes on the Volokh Conspiracy blog, "both terms of use and cease-and-desist letters are just written statements about what the computer owner wants you to do with the computer." What is there to distinguish between limits on access in the TOS and those imposed through a letter to a user? Not much.
Under the Ninth's interpretation of the CFAA, the Hollywood Reporter posits, Donald Trump just has to send Hillary Clinton a letter telling her to stay off his website and suddenly an errant click could lead to civil liability. It could even be a crime -- if the Ninth's decision is read broadly.
Back to Kerr:
This was a civil dispute, but the CFAA is also criminal statute. If read broadly, the case seems to say that if you want to make it a crime for someone to visit your website, you just need to give them notice that you don't want them to visit. I gather that as long as you phrase the notice as a command to cease and desist, rather than as just general terms of use, it becomes legally binding.
Related Resources:
- Facebook Can Use Controversial Law to Punish Spammy Startup, Court Rules (Fortune)
- 9th Cir. Debates Reach of Anti-Hacking Law in Facebook Suit (FindLaw's U.S. Ninth Circuit Blog)
-
'Hacking' Case, Remanded by 9th, Results in Conviction - See more at: https://blogs.findlaw.com/ninth_circuit/2013/04/hacking-case-remanded-by-9th-results-in-conviction.html#sthash.lM3qtgHz.dpuf'Hacking' Case, Remanded by 9th, Results in Conviction (FindLaw's U.S. Ninth Circuit Blog)
- Facebook's $20M 'Sponsored Stories' Settlement Survives Challenge (FindLaw's U.S. Ninth Circuit Blog)