Facebook Files Questionable Lawsuit Over Fake Followers And Likes

from the is-that-truly-hacking? dept

Over the last year or so, a key focus of Facebook’s has been to battle what it calls “coordinated inauthentic behavior.” While the phrase may sound vaguely Orwellian, I actually appreciate the thinking behind it. It’s one thing to say you’re going after “fake accounts” or “propaganda” or “trolls,” but that language is imprecise, and certainly doesn’t provide much clarity for what Facebook is actually targeting. Indeed, using vague language continues to be a massive problem in all sorts of content moderation challenges. So, instead, Facebook focused on “coordinated inauthentic behavior,” which is much more definable, and also neatly encapsulates a lot of activity that most people all agree is at least somewhat problematic in a variety of contexts. I’ve also appreciated some of the actions that Facebook has taken to try to stop or prevent such “coordinated inauthentic behavior.”

What I don’t appreciate is a highly questionable lawsuit Facebook filed on Friday, again supposedly targeting coordinated inauthentic behavior on its platforms: in particular fake likes and fake followers. Now, let’s be clear: no one is suggesting that services that provide fake likes or fake followers are a good thing. They are scams and they are designed to mislead people. I think Facebook has every right to try to delete such fake likes and fake followers from its platforms.

What I’m less sure of, however, is if Facebook should be able to sue the companies (and the individuals behind those companies) for creating such a service. But that’s what Facebook has done. The complaint argues that it’s a CFAA violation (and a violation of California’s version of the CFAA). If you don’t recall, the CFAA (the Computer Fraud and Abuse Act) was the law that was originally designed to go after malicious hackers, but was written in such broad and vague language — regarding things like “unauthorized access” and “exceeding authorized access” — that it’s been used in all sorts of questionable ways, including not obeying a web site’s terms of service. It’s been referred to as “the law that sticks” when no other law can be used against “vaguely icky” activity done on a computer.

One of the most annoying things over the past few years is seeing big internet companies regularly try to use the CFAA and expand what it covers in ways that are extraordinarily broad and could lead to real problems down the road. Facebook has actually done this for years, with a big case being the time it sued a site, Power Ventures, which helped users aggregate all their various social network info. This was not “hacking” in any real sense, and the access was “authorized” by the end user, but Facebook didn’t like it and argued that because it sent Power a cease and desist letter, that any further access violated the CFAA. Unfortunately, the courts have agreed with Facebook, setting a dangerous precedent.

And, now, Facebook has gone back to the well, arguing that setting up fake likes and fake followers also violates the CFAA:

Defendants? access and use of Facebook and Instagram?s computers and computer systems was unauthorized because Defendants accessed Facebook and Instagram?s computer network after Facebook and Instagram disabled their Instagram accounts and sent cease and desist letters to Defendants revoking their access.

Facebook and Instagram computers and servers are protected computers as defined by 18 U.S.C. § 1030(e)(2).

Defendants violated 18 U.S.C. § 1030(a)(4) because they knowingly and with intent to defraud accessed Facebook and Instagram-protected computers by sending unauthorized commands to Facebook and Instagram computers. Defendants sent the commands to Facebook and Instagram computers to manipulate Instagram?s service by fraudulently inflating likes of certain Instagram accounts. Defendants did these acts in exchange for profit.

Defendants violated 18 U.S.C. § 1030(a)(5)(A) because they knowingly and intentionally caused the transmission of a program, information, code, or command, and, as a result of such conduct, intentionally damaged Facebook and Instagram-protected computers.

Now, I dislike fake likes and fake followers on social media just as much (if not more) than the average person. I’m aware of some other news sites that some might consider competitors of ours that have used those tactics to build up larger claimed social media followings. And I can see how that’s unfair.

But is it truly hacking? Is it truly “unauthorized access”? Note that Facebook calls out that it sent cease and desist letters to the defendants, as per the 9th Circuit’s ruling in the Power Ventures case. We warned that such a case would set a dangerous precedent, and once again, here’s Facebook claiming that if it sends a cease and desist to a company for participating in an activity which the Facebook platform allows technologically that it’s magically breaking the law.

To be clear: Facebook should have a free hand in kicking these guys off of the platform — and if it can figure out the accounts posting the fake likes and fake follows, it can and should kick them off as well. But suing the company behind it under an anti-hacking law is a step too far. It’s treating it’s own inability to clean up its own platform as a legal issue. And it’s not difficult to see how such a precedent can be abused legally by all sorts of internet platforms. Perhaps some people don’t mind, and feel that any action taken against spammers/fakers/etc. should be fine. But be careful what you wish for. Allowing this use of the CFAA will only serve to give big internet platforms much more power over what you and anyone else can do on those platforms — including how you might be able to use third party services to better protect your own privacy or take control over your own data.

It’s no surprise, given the Power Ventures case, that Facebook now views the CFAA as a weapon it can use against third party services on its platform. But it provides way too much power to turn issues of Facebook’s own failure to police its own platform into a legal issue dragged into the federal court system.

Filed Under: , , , ,
Companies: facebook, likesocial

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Facebook Files Questionable Lawsuit Over Fake Followers And Likes”

Subscribe: RSS Leave a comment
Media Combo (profile) says:

Re: Re:

Such services have been around since MySpace.. You all remember the "Add-Friends" tool?

Fake engagement is available for virtually every major social media platform, especially Facebook and Twitter, where celebrities, athletes and other public figures have been known to avail themselves of such services.

And pages where one can easily buy Facebook likes like this one https://socialmediacombo.com/product/facebook-likes/ will always be around. The real perception of marketing has changed a lot in 25 years and one technique to have success in nowadays marketing world is by appearing to have 1000s of likes.. This is incredible..

TKnarr (profile) says:

In this particular context I’d consider the CFAA applicable. To put the reasoning in a non-computer context, suppose I own a building and allow access only to people with keys to the building. I’ll give out keys to anyone not banned, but I check their identity first to make sure they aren’t on the banned list and won’t give them a key if they are. I ban you and take away your key so you can’t get back in, and tell you you aren’t authorized to enter. You still want in, so you go and get a fake ID in a different name made up, disguise yourself, come back and get a key under that false identity. If I catch you in the building, am I limited to just throwing you out again or can I also hold you liable for using false pretenses to gain unauthorized entry? I’d argue I can hold you liable. Had you not falsified your identity you’d never have been allowed in, and you supplied that false identity instead of your real one deliberately with the intent to gain access you knew full well you weren’t authorized to have.

This is quite a bit distinct from a building with no locks that you don’t have to supply a false identity to get into after you’ve been banned, or one where even though you’re banned they still issue you a new key whenever you ask.

Sweeney-Glow Sweet Chariots - Custom Cars says:

Clear and specific warnings make criminal intent.

1) "Facebook should have a free hand in kicking these guys off of the platform" — Agree, but the facts here give cause in common law: it’s NOT to be arbitrarily as you so often assert.

2) Duly noticed via letters known received following procedure handed down in decision by a high court. But it’s not enough for you? Setting yourself above 9th Circuit again. What chutzpah.

3) This isn’t what’s commonly called "hacking", no: it’s organized and funded for commercial PROFIT. Money changes everything. Business are NOT "persons", don’t actually have Rights, but are regulated by Commercial Law.

4) "participating in an activity which the Facebook platform allows technologically" — You’re saying that doors allow criminals to walk into banks, therefore they can "legally" walk out with all the cash can grab.

And of course your ONE CONSTANT POSITION is that NO corporation should ever be held liable, not even against another, Facebook.

s/u/b/s/t/i/t/u/t/e /h/o/r/i/z/o/n/t/a/l /r/u/l/e

Also note how I tactfully avoid mentioning that your opinion on "fake followers" is exactly the one I’d expect.

Mason Wheeler (profile) says:

It’s treating it’s own inability to clean up its own platform as a legal issue.

Far be it from me to defend Facebook on… well… just about anything, but in this particular case, isn’t that exactly what it is?

If it were a physical premises rather than a virtual premises, they would have the right to tell someone to leave and not come back, and if the unwelcome person tried to come back after that, they would be trespassing, which is a legal issue. Why treat this differently?

Thad (profile) says:

Re: Re:

If it were a physical premises rather than a virtual premises, they would have the right to tell someone to leave and not come back, and if the unwelcome person tried to come back after that, they would be trespassing, which is a legal issue. Why treat this differently?

Because that’s not what the CFAA is for. It was designed to punish people for illegally accessing computers through breaking or circumventing security in some way; it’s (sometimes) been broadly interpreted to also include violating a network’s terms of service, but that’s not really a good thing.

If you want to go with the trespassing analogy, using the CFAA to punish someone for ban-dodging is like charging a trespasser with burglary. No burglarly occurred; he walked in through the front door after they asked him not to. He did something he shouldn’t have, but that doesn’t mean burglary is the appropriate statute for punishing him.

If Facebook were to pursue this as a contract violation, I’d have less of an issue with that (though I do have some problems with TOS being treated as a contract, and IIRC you and I generally agree on that subject). I might see it as a waste of time, but it wouldn’t have the same problem of stretching the CFAA beyond its intended purpose.

TKnarr (profile) says:

Re: Re: Re:

Perhaps not burglary, but you can charge him with trespassing even if you didn’t stop him from coming in the door. In fact, you can’t charge him with trespassing until after he comes in the door, since before that he hasn’t trespassed.

And you can’t charge him with trespassing until after you’ve told him he’s not allowed in and thrown him out, and he comes back in again. Not even if he started a fight at the bar when the signs at the entrances specifically say fighting isn’t permitted at the bar. His actions give you grounds to throw him out and bar him from entering, but they don’t act retroactively to change the fact that he hadn’t violated the rules at the time he entered and you hadn’t barred him from entry yet.

TripMN says:

Re: Re: Re: Re:

Thad didn’t bite, but I will.

Computers are not like buildings, that analogy falls apart quickly. Your computer sends packets of info (more analogous to a bunch of envelopes) that bounce from server to server until they find a destination that matches the IP address they were told belongs to the right domain. They then present all of the packets of info to the website and the website uses the info in the packets to see what the user wanted, who they say they are, whether they get special considerations. Then the website pens a response and sends it back over the same networks using its own packets.

There is no trespass, they are using the website/API as designed. CFAA should not apply.

Now, the problem is Facebook has found an open ended law (CFAA) that they read as saying that anything they don’t like and breaks their business rules, they can turn around and try to generate a pseudo-law based on it to sue over. There is no law that says being anonymous or using not your real name is a crime, but FB is trying to use its TOS to make it into one… and that’s kind of scary what it says about the power they wield.

TKnarr (profile) says:

Re: Re: Re:2 Re:

If we took your definitions, the CFAA couldn’t apply to anything. No, the CFAA speaks to access, not merely physical access. You don’t physically enter the computer, but your requests do reach it and you do access it (we even speak of making requests over the network and receiving a response as accessing or "going to" a site, that should be a big clue for you right there).

ECA (profile) says:

I can see this..

All persons, are demanded to use REAL names…(if it looks real they dont say much, unless they track your gmail info)

But this is Kinda old, but will Have some BIG ramifications, along with FAKE news.
There is a Big underbelly that has been around along time and it ranks up there with allot of things.

Goto Amazon, and look up the comments.. Yep there is fake stuff there.
Goto most ANY sale site and there is Fake comments about things..
Goto These Fake Drug sites or Herbal drugs and look around the comments.
HOW about our congress persons, UP LATE, inside the congress giving speeches?? Kinda fake there also, as there is no one THERE.
I wont even mention HOW, this could affect REAL voting..(it has)
I wont mention the FCC..Showing how this can be done, by their OWN ignorance.

If we had a vote today and every man, women, child had to raise a hand…There would be about 1/2 the vote from Invisible people, that were created and documented..
This THING was created long ago, to influence our own gov. to create abit of ignorance based on what a Corp can say, and backup with FAKe data, they can get 1000’s of letters agreeing to them..

1 company awhile back WENT threw the list of letters and found 50 people that live in 1 house in 1 town..and the address wasnt even real, no house, no location.
HOW do we find/create/deal with a gov. that hasnt taken the time to Fill out the Little boxes of DATA, that IT SHOULD HAVE..
Its not that they need the name of every person living(they do, birth records and Social sec.), its not that they STILL dont cross reference Birth and death records in EVERY STATE(the old records are a mess, and no way to reference them W/O SS# to prove who is who(1000’s of John smiths)).
How many persons in the past, WANTED TO/HAD TO change there name to protect themself or HIDE from a past mistake?? LOTS..
and it wasnt that hard, and still isnt..(If you know how)

But the Corps have taken it to a level that is hurting ALL of us. And Scammers LOVE it also.. Give a name address and email of Person mentioned and dont REALLy look them up..Or even use a real persons DATA, and you find they are real, but never knew their name was used?? NOT A PROBLEM..(we dont know that the corps or Gov. did anything)

The old saying BUYER BEWARE, has allot of meaning behind it in this country. can we REALLy Check and validate DATA??

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...