Meta Sues Firm For Data Scraping; Claims That Signing Up For New Accounts After Being Banned Is Equivalent Of Hacking

from the why-is-this-a-problem? dept

For years we’ve talked about the infamous Facebook lawsuit against As you may recall, this was a key CFAA case against a site,, that was trying to create a social media aggregator dashboard — in which you could login through a single interface, and access content from and post to a variety of different social media platforms. Facebook alleged that this was a form of hacking — claiming it was “unauthorized access” to Facebook. This was even though there was no actual unauthorized access. Individual users gave Power their login credentials, so everything was completely authorized. After years of winding through the courts, unfortunately, it was decided that this was a violation of the CFAA, mainly because Facebook sent a cease & desist letter, and somehow going against that now made it “unauthorized.” In my mind, this is one of the biggest reasons why Facebook has much less competition today than it otherwise might — because it used the CFAA and cases against to create a “you can check in, but you can’t check out” kind of data arrangement. Things like were an empowering system that might have made people much less reliant on Facebook — but it was killed.

In an age now where people are increasingly talking about the importance of data portability and interoperability, something like would be a useful tool.

So, it’s interesting (and a little disturbing) to see that Facebook’s new corporate identity, Meta, has now sued another company for data scraping. It is notable that in this case, the defendant, Social Data Trading Ltd., is a lot less sympathetic a character than was. And — more importantly — Facebook is not using the CFAA this time (other cases have suggested that what Facebook got away with in the Power case it would no longer be able to get away with under that law). However, it is trying to use California’s state law equivalent of the CFAA. And now matter how you look at it, it’s still at least a little worrisome that Facebook (ok, whatever, Meta) believes it has a legal right to stop scraping of otherwise public data.

So first, Social Data Trading is not sympathetic. It appears to be a sketchy service in its own right, scraping data on social media users to sell “in-depth insights into the demographics and psychographics of influencers and their audiences.” Meta put in place some technical blocks to try to stop the company from scraping (which seems like fair game), but SDT would then just register new domains and continue scraping. Facebook had apparently tried to stop a predecessor company to Social Data Trading called “Deep.Social,” though the complaint seems to imply that SDT is just a reworking of Deep.Social.

The more difficult issue here is that part of the way that SDT did its scraping was by creating fake accounts on Facebook and Instagram, and then using those fake accounts to scrape the data. And that does bring things into a legally more complex area, but also gives Meta the route around to go after these guys without using the CFAA.

At issue is that when you create one of those accounts… you agree to the terms of service, and those terms say you can’t use the site for “collecting information in an automated way.” Thus, the core argument here is that it’s a breach of contract case, and that the SDT folks agreed to the terms and then broke them by using their fake accounts to scrape.

Since January 2019, Defendant created and used multiple Instagram accounts and agreed to Instagram?s Terms. Defendant agreed to Instagram’s Terms no later than January 30, 2019.

In addition, since September 2020, Defendant has used thousands of Instagram accounts to scrape Instagram.

Defendant breached the Terms by using unauthorized automated means to access Instagram and collect data from Meta computers without permission, including after Meta revoked Defendant?s access to its platform.

Of course, it seems to me that if this is a breach, the remedy should simply be removal of service, not anything more. But Meta claims damages “in excess of $75,000” (the minimum needed to get into federal court).

The second claim in the lawsuit seems… a lot sketchier. It claims violations of California Penal Code Section 502, which is (more or less) California’s equivalent to the CFAA. While, apparently, Meta’s lawyers know enough to not go to the well again on the federal CFAA, the use of the state equivalent is still quite concerning.

Beginning no later than June 2021, Defendant, without permission, knowingly accessed and otherwise used Meta?s computers, computer system, and computer network in order to (a) devise or execute any scheme or artifice to defraud and deceive, and (b) to wrongfully obtain money, property, or data, in violation of California Penal Code ? 502(c)(1).

Beginning no later than June 2021, Defendant, without permission, knowingly accessed and took, copied, and made use of data from Meta?s computers, computer system, and computer network in violation of California Penal Code ? 502(c)(2).

Beginning no later than June 2021, Defendant knowingly and without permission used or caused to be used Meta?s computer services in violation of California Penal Code ? 502(c)(3).

Since June 2021, Defendant knowingly and without permission accessed and caused to be accessed Meta?s computers, computer systems, and/or computer networks in violation of California Penal Code ? 502(c)(7). Defendant accessed Meta?s computer network after Meta disabled its Instagram accounts, blocked its domain, and sent correspondence to Defendant revoking its access.

Because Meta suffered damages and losses as a result of Defendant?s actions and continues to suffer damages and losses as a result of Defendant?s actions, Meta is entitled to compensatory damages in an amount to be determined at trial, attorney fees, any other amount of damages proven at trial, and injunctive relief under California Penal Code ? 502(e)(1) and (2).

Because Defendant willfully violated California Penal Code ? 502, and there is clear and convincing evidence that Defendant committed ?fraud? as defined by section 3294 of the Civil Code, Meta is entitled to punitive and exemplary damages under California Penal Code ? 502(e)(4).

All of this should be concerning to folks. It basically says that if you get kicked off a site and then create a new account… you could face serious consequences (and while this is a civil suit, Section 502 violations can lead to criminal liability as well). This should be cause for alarm. Yes, even if the defendant is a sketchy data operation, and even if Meta really didn’t want them scraping their site, to turn around and use what is, ostensibly, a computer “hacking” law against them for setting up new accounts seems incredibly dangerous and could lead to very bad consequences.

Finally there’s an “unjust enrichment” claim which also seems a bit silly — especially for a company like Facebook, which makes so much of its money by collecting data in surreptitious ways, to argue that another firm doing that back to Facebook is somehow “unjustly” enriching itself is pretty rich.

Still, it’s claim two that should raise some eyebrows, and I wish that Facebook recognized what a dangerous game its playing in trying to argue that signing up for a new account after you’ve been banned somehow violates an anti-hacking law.

Filed Under: , , , , , ,
Companies: facebook, meta, social data trading

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Meta Sues Firm For Data Scraping; Claims That Signing Up For New Accounts After Being Banned Is Equivalent Of Hacking”

Subscribe: RSS Leave a comment
Lostinlodos (profile) says:

What’s wrong?

“All of this should be concerning to folks. It basically says that if you get kicked off a site and then create a new account… you could face serious consequences ”

I fail to see what’s wrong with that.
If I toss you out of my house and you come back with a different shirt and ID it’s still you again.

When your tossed off the service you are tossed. Continually returning… you should face consequences!

Anonymous Coward says:

Re: What’s wrong?

Context makes all the difference. You have to consider what the consequences actually are and whether those consequences are proportional to the action on a case-by-case basis. The house analogy isn’t appropriate because going back to someone’s house after getting booted out isn’t on the same level as filling in a form (different name, email, date of birth, etc.) that is by default publically available to anyone connected to the internet.

There’s an assumption that getting kicked off the site the first time was reasonable, which may or may not be true in this case. Scraping by itself shouldn’t be illegal (and also shouldn’t be against terms of service, in my opinion). Most of the time the information being scraped is indeed available to anyone with an account or even anyone who hasn’t been IP banned; the collection merely happens to be automated. What matters is what the scraper does with the data. Maybe Social Data Trading is scraping data for questionable purposes in this particular case, but not every scraper is the same. Even if SDT deserves to be kicked off of Meta’s social media websites, that’s no reason to punish SDT with an anti-hacking law. Creating a new account after having a previous one banned isn’t comparable to, for example, breaking into a stranger’s account or collecting data that isn’t accessible by simply creating an account.

Here’s a better analogy which demonstrates why Meta’s actions are unreasonable.
Facebook is the landlord of an apartment complex. The apartment complex has effectively limitless space (i.e. tens of billions of apartments). Someone working for SDT gets an apartment at Facebook’s complex. The employee (a scraper) goes from door to door collecting information about the apartments. Without entering the rooms the scraper manually collects as much information as possible about the individual tenants. Facebook finds out about and kicks out the scraper. SDT sends a new person to do the same thing. Facebook kicks the new scraper out. It may very well be reasonable for Facebook to kick out every person that SDT sends. However, it should be blatantly unreasonable for Meta to attempt to punish SDT using a statute against breaking and entering. In addition, considering that Meta probably lost little or no money due to the scraping, it’s unreasonable for Meta to claim damages "in excess of $75,000". (In addition, if the data collection that SDT is doing is unreasonable, then the data collection and exploitation that Facebook has long been doing is even more unreasonable.)

Somewhat offtopic remark: Here are the first words of California Penal Code Section 502.

It is the intent of the Legislature in enacting this section to expand the degree of protection afforded to individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems. The Legislature finds and declares that the proliferation of computer technology has resulted in a concomitant proliferation of computer crime and other forms of unauthorized access to computers, computer systems, and computer data.

SDT could simply go to Facebook’s website and the law would consider that to be unauthorized "access" to Facebook’s computer system. Just as the CFAA does, California Penal Code Section 502 uses language which is too broad for a statute meant to discourage hacking, but that’s no excuse for Meta to knowingly take advantage of overbroad language.

Lostinlodos (profile) says:

Re: Re: What’s wrong?

filling in a form (different name, email, date of birth, etc.)

Actually it’s just email address as far as I’m aware.

Here’s the thing though. This is not trespassing alone. It’s taking information. In this situation it’s the equivalent of grabbing papers out of a “bin” and walking off with it.

Public facing or not, they use access to take that information: access that has been prohibited.

At some point it must become criminal: or you give a full pass to all criminals.

Your apartment example would constitute
Systemic harassment for financial gain. A felony in my state.
Just sending a different employee doesn’t exonerate a company.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...