Facebook v. Vachani - User Authorization Can Be Revoked By Service Providers
The U.S. Court of Appeals for the Ninth Circuit recently issued a decision that could have far reaching implications for the relationships between companies that provide online services, their customers or users, and third parties. In Facebook v. Vachani, the Ninth Circuit found that Power Ventures violated the Computer Fraud and Abuse Act (“CFAA”) and California Penal Code Section 502. Power Ventures did this by continuing to access Facebook’s computer system after receiving Facebook’s letter to cease and desist such activity. Although Power Ventures had permission from relevant Facebook users, the users’ authorization had been revoked by Facebook itself through its letter.
Vachani’s Business Model
Power Ventures (“Power”), is a company founded by CEO Steven Vachani. As part of its business model, Mr. Vachani operated a social networking site, Power.com. The idea was that Power.com would act as a social network aggregator, by allowing users to see all of their social network contacts across different services on a single page. The user could then use the Power.com service to access the individual social networking sites.
Read on to understand what occurred in the case and what key takeaways it provides for senior decision makers and in-house counsel.The Facts
Power’s business model faced an issue most startups face. How would it attract new users? In December 2008, Power put a message on its website that read “First 100 people who bring 100 new friends to Power.com win $100.” Power included a button with the title “Yes, I do!” When, clicked, Power would add a photo, user, or event to the user’s Facebook profile, and in many cases, cause a message to be transmitted to the user’s Facebook friends. The “from” line of the message claimed the message was from Facebook, and was the message body was signed “The Facebook Team.”
When third-party websites or developers want to contact its users, Facebook requires they enroll in the Facebook Connect program. Facebook also requires third parties to agree to an additional Developer Terms of Use Agreement. When Facebook first learned of Power’s campaign, on December 1st, 2008, it sent Power a cease and desist letter, demanding that Power terminate its activities. Instead, Power refused to sign Facebook’s Developer Terms of Use Agreement and enroll in Facebook Connect. When Facebook blocked the internet protocol (“IP”) addresses used by Power, Power changed the IP addresses it used.
On December 20th, 2008, Facebook filed an action in Federal Court. Power’s activities ran less than two months, during which time it admitted that it took, copied and made use of data from Facebook.com without Facebook’s permission.
Ninth Circuit
On review, the Ninth Circuit considered three separate causes of action brought by Facebook against Power, each of which is considered below.
- Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN-SPAM”)
CAN-SPAM prohibits messages that are “materially false” or “materially misleading.” 15 U.S.C. § 7706(a)(1).
External emails created by Power’s system identified Facebook as the sender and were signed “Thanks, The Facebook Team.” The Ninth Circuit found that this was not misleading as three parties, Power, Power’s users, and Facebook, were each considered to have “initiated” the message within the meaning of the statute. Inclusion of only one of the initiating parties in the message header is does not violate the statute. Since Facebook was one of the initiating parties, identifying Facebook as the source of the message was not materially misleading or false.
Internal emails created by Power’s system did not violate CAN-SPAM as they neither “impaired the ability of the recipient to ‘respond to a person who initiated the electronic mail message’” or the “ability of Facebook to locate the initiator of the messages.” The message body contained Power’s name and a link to its website. Further, the Facebook user identified as the sender authorized the sending by clicking the “Yes, I do!” button.
Key Takeaways for CAN-SPAM holding:
- Users of a system can provide permission such that the service provider becomes an initiating sender of messages under CAN-SPAM. The message need not identify the specific user who provided the permission, and the provider of the computer system need not provide permission. Service providers should recognize this possibility, and if they feel that the protections of CAN-SPAM are not restrictive enough for their business model and brand protection strategy, they may wish to implement appropriate product architecture protections as well as address the issue in their service contracts with their users.
- By including its name and website information, a third party can reduce the likelihood that messages it generates through user permission on a service provider’s computer system will be found misleading under CAN-SPAM.
2. Computer Fraud and Abuse Act of 1986 (“CFAA”)
The CFAA “provides for two ways of committing the crime of improperly accessing a protected computer: (1) obtaining access without authorization; and (2) obtaining access with authorization but then using that access improperly.”[1] Corporations wishing to use the statue through a private right of action must show that they have “suffer[ed] damage or loss by reason of a violation of this section.”[2]
Facebook was able to satisfy the private right of action by showing that employees spent hours totaling more than $5,000 responding to Power’s activities. The Ninth Circuit found that Power had violated the CFAA by accessing Facebook computer systems without authorization. Authorization had existed when Facebook users gave Power permission to access their Facebook accounts by clicking the “Yes, I do!” button provided by Power on its webpage. However, this authorization was revoked by Facebook itself, when it sent the cease and desist letter, and subsequently blocked Power’s IP address block. Importantly, the Ninth Circuit noted that:
The mention of the terms of use in the cease and desist letter is not dispositive. Violation of Facebook’s terms of use, without more, would not be sufficient to impose liability. Nosal I, 676 F.3d at 862–63. But, in addition to asserting a violation of Facebook’s terms of use, the cease and desist letter warned Power that it may have violated federal and state law and plainly put Power on notice that it was no longer authorized to access Facebook’s computers.
Key Takeaways for CFAA holding:
- Private right of action damages for purposes of the CFAA can be shown through an estimate of the value of employee time. Loss of revenue need not be shown.
- While users can grant authorization to access a service, the service provider can revoke such authorization. Customers of service providers should understand this, and consider providing for it in their contracts with the service provider.
- Currently, a violation of terms of use will not support a violation of the CFAA without more within the Ninth Circuit.
- Service providers that wish to put third parties on notice of a potential CFAA violation should warn the third party that it may have violated federal and state law and plainly put the party on notice that it is no longer authorized to access the service provider’s computer system.
3. California Penal Code Section 502
Section 502 provides for liability where a person ““[k]nowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.” § 502(c)(2). Unlike the CFAA, “[T]he California statute does not require unauthorized access. It merely requires knowing access.”[3] However, the Ninth Circuit found that Power knowingly accessed Facebook’s computer system without permission after it became aware of Facebook’s cease and desist letter.
The Ninth Circuit further affirmed personal liability for Mr. Vachani as he directed and controlled Power’s offending actions, and the undertaking of those actions was his idea.
Key Takeaways for Section 502 holding:
- Senior corporate decision makers may be personally liable for violations of Section 502, if their involvement is sufficient.
- As such, these decision makers have a vested interest in making sure the business models of the corporations they control do not involve risk of violating Section 502.
What Now?
Users of online services should be aware that permission they provide to a third party may be revoked by the service provider. To the extent that such users wish to ensure that the service provider will not overrule their authorization, they may wish to explicitly provide for this in their service provider agreement.
Companies that depend on accessing user account information and resources should consider carefully how they are accessing such information and resources and what authorization they possess to do so. The legal repercussions should a service provider revoke prior user consent should need to be understood, and the company should understand its options should this occur. Companies should consult experienced legal counsel regarding these risks, especially in light of potential personal liability for senior decision makers.
We will be providing more insight into these issues as the impact of this case becomes more apparent within the technology industry.
[1] Musacchio v. United States, 136 S. Ct. 709, 713 (2016).
[2] 18 U.S.C. § 1030(g). The loss must be at least $5,000. § 1030(c)(4)(A)(i)(I).
[3] United States v. Christensen, 801 F.3d 970, 994 (2015).