Article 1M7PR Appeals Court: It Violates CFAA For Service To Access Facebook On Behalf Of Users, Because Facebook Sent Cease & Desist

Appeals Court: It Violates CFAA For Service To Access Facebook On Behalf Of Users, Because Facebook Sent Cease & Desist

by
Mike Masnick
from Techdirt on (#1M7PR)
Another week, another CFAA (Computer Fraud & Abuse Act) ruling out of the 9th Circuit Appeals Court. This time it's the infamous Facebook v. Power.com case that's been going on since 2008. When we first came across the case, in early 2009, we insisted that it made no sense. Power.com was trying to set itself up as a sort of "meta" social network, or perhaps a social network management system, where users could have a dashboard for all their different social networks. Facebook didn't like this and sued over a long list of things, including copyright and trademark infringement, unlawful competition, violation of anti-spam laws... and the CFAA. Most of the claims went nowhere, but the CFAA and anti-spam ones lived on (because Power.com had systems for sending emails to users). The copyright claims were troubling, but the CFAA claims were the ones that concerned us the most.

Of course, it's taken many, many years for the case to make its way through the courts, and Power.com ceased even existing about five years ago. And the latest ruling is not just a nail in the coffin, but a potentially problematic CFAA ruling. While the court tosses out the CAN SPAM arguments, it does say that Power's actions were a CFAA violation. It's not as bad as it could have been, because the court doesn't say that merely violating Facebook's terms of service violates the CFAA, but instead narrows it slightly. It says that because Facebook sent a cease and desist letter to Power, from that point on it was on notice that it was not authorized to access Facebook's servers. It was the move to continue getting Facebook user data that sealed the CFAA claim.
Here, initially, Power users arguably gave Powerpermission to use Facebook's computers to disseminatemessages. Power reasonably could have thought that consentfrom Facebook users to share the promotion was permissionfor Power to access Facebook's computers. In clicking the"Yes, I do!" button, Power users took action akin to allowinga friend to use a computer or to log on to an e-mail account.Because Power had at least arguable permission to accessFacebook's computers, it did not initially access Facebook'scomputers "without authorization" within the meaning of theCFAA.

But Facebook expressly rescinded that permission whenFacebook issued its written cease and desist letter to Poweron December 1, 2008. Facebook's cease and desist letterinformed Power that it had violated Facebook's terms of useand demanded that Power stop soliciting Facebook users'information, using Facebook content, or otherwise interactingwith Facebook through automated scripts. Facebook thenimposed IP blocks in an effort to prevent Power's continuedaccess.

The record shows unequivocally that Power knew that itno longer had authorization to access Facebook's computers,but continued to do so anyway.
This is potentially a limited ruling, since there are a lot of specifics here. But it does still seem troubling. If I, as a user, wish to grant a service like Power access to my data, why can't I do so? The court insists that even if it's your information and you want to allow a service like Power to do so, Facebook has the final say -- because of something to do with banks and guns. Really.
The consent that Power had received from Facebook userswas not sufficient to grant continuing authorization to accessFacebook's computers after Facebook's express revocation ofpermission. An analogy from the physical world may help toillustrate why this is so. Suppose that a person wants toborrow a friend's jewelry that is held in a safe deposit box ata bank. The friend gives permission for the person to accessthe safe deposit box and lends him a key. Upon receiving thekey, though, the person decides to visit the bank whilecarrying a shotgun. The bank ejects the person from itspremises and bans his reentry. The gun-toting jewelryborrower could not then reenter the bank, claiming that accessto the safe deposit box gave him authority to stride about thebank's property while armed. In other words, to access thesafe deposit box, the person needs permission both from hisfriend (who controls access to the safe) and from the bank(which controls access to its premises). Similarly, for Powerto continue its campaign using Facebook's computers, itneeded authorization both from individual Facebook users(who controlled their data and personal pages) and fromFacebook (which stored this data on its physical servers).Permission from the users alone was not sufficient toconstitute authorization after Facebook issued the cease anddesist letter.
The analogy seems a bit stretched, though I do get it. These are Facebook's servers -- but it still does seem troubling that Facebook is basically using the CFAA to block what was really just a service trying to make Facebook more useful to users. This wasn't what one would normally think of as "hacking" in any real sense, which is what the CFAA was designed to respond to. And, as we've seen with the CFAA, this ruling seems wide open to abuse by companies. Furthermore, I'm uncomfortable with an argument that is basically the same argument as "if we tell you not to access this open web server, then it's like trespassing." Because it's not like that at all. An open web server is designed to accept traffic. Someone merely telling you that you can't access their website -- even though it's easy to do so technologically -- doesn't seem like it should then be seen as "unauthorized access" in a manner that makes you liable to computer hacking laws. That's a recipe for dangerous results.

At what point is access revoked? Does it require a full cease and desist letter? Or what if I add a drop-down telling visitors from certain IP addresses they're not welcome? What if I just type here that visitors from the state of New York are no longer allowed to visit Techdirt? If they continue to do so, is that a potential CFAA violation in the making? The same court has already ruled that a mere terms of service violation is not a CFAA violation but where's the line between a terms of service violation and a cease-and-desist letter? Or me just telling you to stop visiting my website? It seems wide open to abuse.

The CFAA remains a mess of a law, and rulings like these are likely only going to lead to more litigation around borderline cases. And that's bad. It's going to be bad for users and it's bad for innovation. It's been particularly disappointing to see companies like Facebook and Craigslist coming down on the wrong side of CFAA litigation -- in both cases going after companies who were not "hacking" in any traditional sense, but were rather looking to add useful layers of services on top of existing services. The law is being abused by companies that don't want others to innovate, and that's unfortunate and bad for innovation.

Permalink | Comments | Email This Story
feed?i=usfuY32XKAQ:rxaWxU03kE0:D7DqB2pKE feed?d=c-S6u7MTCTEusfuY32XKAQ
External Content
Source RSS or Atom Feed
Feed Location https://www.techdirt.com/techdirt_rss.xml
Feed Title Techdirt
Feed Link https://www.techdirt.com/
Reply 0 comments