Meta Sues Firm For Data Scraping; Claims That Signing Up For New Accounts After Being Banned Is Equivalent Of Hacking

by Mike Masnick, from Techdirt (#5TXFM)

For years we've talked about the infamous Facebook lawsuit against Power.com. As you may recall, this was a key CFAA case against a site, Power.com, that was trying to create a social media aggregator dashboard -- in which you could log in through a single interface, and access content from and post to a variety of different social media platforms. Facebook alleged that this was a form of hacking -- claiming it was "unauthorized access" to Facebook. This was even though there was no actual unauthorized access. Individual users gave Power their login credentials, so everything was completely authorized. After years of winding through the courts, unfortunately, it was decided that this was a violation of the CFAA, mainly because Facebook sent a cease & desist letter, and somehow going against that now made it "unauthorized." In my mind, this is one of the biggest reasons why Facebook has much less competition today than it otherwise might -- because it used the CFAA and cases against Power.com to create a "you can check in, but you can't check out" kind of data arrangement. Things like Power.com were an empowering system that might have made people much less reliant on Facebook -- but it was killed.

In an age now where people are increasingly talking about the importance of data portability and interoperability, something like Power.com would be a useful tool.

So, it's interesting (and a little disturbing) to see that Facebook's new corporate identity, Meta, has now sued another company for data scraping. It is notable that in this case, the defendant, Social Data Trading Ltd., is a lot less sympathetic a character than Power.com was. And -- more importantly -- Facebook is not using the CFAA this time (other cases have suggested that what Facebook got away with in the Power case it would no longer be able to get away with under that law). However, it is trying to use California's state law equivalent of the CFAA. And no matter how you look at it, it's still at least a little worrisome that Facebook (ok, whatever, Meta) believes it has a legal right to stop scraping of otherwise public data.

So first, Social Data Trading is not sympathetic. It appears to be a sketchy service in its own right, scraping data on social media users to sell "in-depth insights into the demographics and psychographics of influencers and their audiences." Meta put in place some technical blocks to try to stop the company from scraping (which seems like fair game), but SDT would then just register new domains and continue scraping. Facebook had apparently tried to stop a predecessor company to Social Data Trading called "Deep.Social," though the complaint seems to imply that SDT is just a reworking of Deep.Social.

The more difficult issue here is that part of the way that SDT did its scraping was by creating fake accounts on Facebook and Instagram, and then using those fake accounts to scrape the data. And that does bring things into a legally more complex area, but also gives Meta the route around to go after these guys without using the CFAA.

At issue is that when you create one of those accounts... you agree to the terms of service, and those terms say you can't use the site for "collecting information in an automated way." Thus, the core argument here is that it's a breach of contract case, and that the SDT folks agreed to the terms and then broke them by using their fake accounts to scrape.

Since January 2019, Defendant created and used multiple Instagram accounts and agreed to Instagram's Terms. Defendant agreed to Instagram's Terms no later than January 30, 2019.

In addition, since September 2020, Defendant has used thousands of Instagram accounts to scrape Instagram.

Defendant breached the Terms by using unauthorized automated means to access Instagram and collect data from Meta computers without permission, including after Meta revoked Defendant's access to its platform.

Of course, it seems to me that if this is a breach, the remedy should simply be removal of service, not anything more. But Meta claims damages "in excess of $75,000" (the minimum needed to get into federal court).

The second claim in the lawsuit seems... a lot sketchier. It claims violations of California Penal Code Section 502, which is (more or less) California's equivalent to the CFAA. While, apparently, Meta's lawyers know enough to not go to the well again on the federal CFAA, the use of the state equivalent is still quite concerning.

Beginning no later than June 2021, Defendant, without permission, knowingly accessed and otherwise used Meta's computers, computer system, and computer network in order to (a) devise or execute any scheme or artifice to defraud and deceive, and (b) to wrongfully obtain money, property, or data, in violation of California Penal Code 502(c)(1).

Beginning no later than June 2021, Defendant, without permission, knowingly accessed and took, copied, and made use of data from Meta's computers, computer system, and computer network in violation of California Penal Code 502(c)(2).

Beginning no later than June 2021, Defendant knowingly and without permission used or caused to be used Meta's computer services in violation of California Penal Code 502(c)(3).

Since June 2021, Defendant knowingly and without permission accessed and caused to be accessed Meta's computers, computer systems, and/or computer networks in violation of California Penal Code 502(c)(7). Defendant accessed Meta's computer network after Meta disabled its Instagram accounts, blocked its domain, and sent correspondence to Defendant revoking its access.

Because Meta suffered damages and losses as a result of Defendant's actions and continues to suffer damages and losses as a result of Defendant's actions, Meta is entitled to compensatory damages in an amount to be determined at trial, attorney fees, any other amount of damages proven at trial, and injunctive relief under California Penal Code 502(e)(1) and (2).

Because Defendant willfully violated California Penal Code 502, and there is clear and convincing evidence that Defendant committed "fraud" as defined by section 3294 of the Civil Code, Meta is entitled to punitive and exemplary damages under California Penal Code 502(e)(4).

All of this should be concerning to folks. It basically says that if you get kicked off a site and then create a new account... you could face serious consequences (and while this is a civil suit, Section 502 violations can lead to criminal liability as well). This should be cause for alarm. Yes, even if the defendant is a sketchy data operation, and even if Meta really didn't want them scraping their site, to turn around and use what is, ostensibly, a computer "hacking" law against them for setting up new accounts seems incredibly dangerous and could lead to very bad consequences.

Finally there's an "unjust enrichment" claim which also seems a bit silly -- especially for a company like Facebook, which makes so much of its money by collecting data in surreptitious ways, to argue that another firm doing that back to Facebook is somehow "unjustly" enriching itself is pretty rich.

Still, it's claim two that should raise some eyebrows, and I wish that Facebook recognized what a dangerous game it's playing in trying to argue that signing up for a new account after you've been banned somehow violates an anti-hacking law.
