Facebook Files Questionable Lawsuit Over Fake Followers And Likes

from the is-that-truly-hacking? dept

Over the last year or so, a key focus of Facebook's has been to battle what it calls "coordinated inauthentic behavior." While the phrase may sound vaguely Orwellian, I actually appreciate the thinking behind it. It's one thing to say you're going after "fake accounts" or "propaganda" or "trolls," but that language is imprecise, and certainly doesn't provide much clarity for what Facebook is actually targeting. Indeed, using vague language continues to be a massive problem in all sorts of content moderation challenges. So, instead, Facebook focused on "coordinated inauthentic behavior," which is much more definable, and also neatly encapsulates a lot of activity that most people all agree is at least somewhat problematic in a variety of contexts. I've also appreciated some of the actions that Facebook has taken to try to stop or prevent such "coordinated inauthentic behavior."

What I don't appreciate is a highly questionable lawsuit Facebook filed on Friday, again supposedly targeting coordinated inauthentic behavior on its platforms: in particular fake likes and fake followers. Now, let's be clear: no one is suggesting that services that provide fake likes or fake followers are a good thing. They are scams and they are designed to mislead people. I think Facebook has every right to try to delete such fake likes and fake followers from its platforms.

What I'm less sure of, however, is if Facebook should be able to sue the companies (and the individuals behind those companies) for creating such a service. But that's what Facebook has done. The complaint argues that it's a CFAA violation (and a violation of California's version of the CFAA). If you don't recall, the CFAA (the Computer Fraud and Abuse Act) was the law that was originally designed to go after malicious hackers, but was written in such broad and vague language -- regarding things like "unauthorized access" and "exceeding authorized access" -- that it's been used in all sorts of questionable ways, including not obeying a web site's terms of service. It's been referred to as "the law that sticks" when no other law can be used against "vaguely icky" activity done on a computer.

One of the most annoying things over the past few years is seeing big internet companies regularly try to use the CFAA and expand what it covers in ways that are extraordinarily broad and could lead to real problems down the road. Facebook has actually done this for years, with a big case being the time it sued a site, Power Ventures, which helped users aggregate all their various social network info. This was not "hacking" in any real sense, and the access was "authorized" by the end user, but Facebook didn't like it and argued that because it sent Power a cease and desist letter, that any further access violated the CFAA. Unfortunately, the courts have agreed with Facebook, setting a dangerous precedent.

And, now, Facebook has gone back to the well, arguing that setting up fake likes and fake followers also violates the CFAA:

Defendants’ access and use of Facebook and Instagram’s computers and computer systems was unauthorized because Defendants accessed Facebook and Instagram’s computer network after Facebook and Instagram disabled their Instagram accounts and sent cease and desist letters to Defendants revoking their access.

Facebook and Instagram computers and servers are protected computers as defined by 18 U.S.C. § 1030(e)(2).

Defendants violated 18 U.S.C. § 1030(a)(4) because they knowingly and with intent to defraud accessed Facebook and Instagram-protected computers by sending unauthorized commands to Facebook and Instagram computers. Defendants sent the commands to Facebook and Instagram computers to manipulate Instagram’s service by fraudulently inflating likes of certain Instagram accounts. Defendants did these acts in exchange for profit.

Defendants violated 18 U.S.C. § 1030(a)(5)(A) because they knowingly and intentionally caused the transmission of a program, information, code, or command, and, as a result of such conduct, intentionally damaged Facebook and Instagram-protected computers.

Now, I dislike fake likes and fake followers on social media just as much (if not more) than the average person. I'm aware of some other news sites that some might consider competitors of ours that have used those tactics to build up larger claimed social media followings. And I can see how that's unfair.

But is it truly hacking? Is it truly "unauthorized access"? Note that Facebook calls out that it sent cease and desist letters to the defendants, as per the 9th Circuit's ruling in the Power Ventures case. We warned that such a case would set a dangerous precedent, and once again, here's Facebook claiming that if it sends a cease and desist to a company for participating in an activity which the Facebook platform allows technologically that it's magically breaking the law.

To be clear: Facebook should have a free hand in kicking these guys off of the platform -- and if it can figure out the accounts posting the fake likes and fake follows, it can and should kick them off as well. But suing the company behind it under an anti-hacking law is a step too far. It's treating it's own inability to clean up its own platform as a legal issue. And it's not difficult to see how such a precedent can be abused legally by all sorts of internet platforms. Perhaps some people don't mind, and feel that any action taken against spammers/fakers/etc. should be fine. But be careful what you wish for. Allowing this use of the CFAA will only serve to give big internet platforms much more power over what you and anyone else can do on those platforms -- including how you might be able to use third party services to better protect your own privacy or take control over your own data.

It's no surprise, given the Power Ventures case, that Facebook now views the CFAA as a weapon it can use against third party services on its platform. But it provides way too much power to turn issues of Facebook's own failure to police its own platform into a legal issue dragged into the federal court system.

Filed Under: cfaa, coordinated inauthentic behavior, fake, followers, likes
Companies: facebook, likesocial


Reader Comments

The First Word

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 30 Apr 2019 @ 9:45am

    The "legal issue" is how Facebook IS policing its platform. It's pure fraud and they are getting rid of it.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 30 Apr 2019 @ 10:01am

    Part of this campaign by Facebook involves stopping Russian trolls like the ones who created fake "resistance" rallies. Remember that protest where only a few alt-right types showed up but thousands of counterprotesters "drowned them out?" Turns out that was a Russian setup.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 30 Apr 2019 @ 1:38pm

      Re:

      “Remember the protest I did not put in becuase you would have looked it up and saw all of us chanting Hitler shit?”

      I don’t know There are a lot of those with you in it on both sides of the Atlantic these lol

      reply to this | link to this | view in chronology ]

  • icon
    TKnarr (profile), 30 Apr 2019 @ 10:11am

    In this particular context I'd consider the CFAA applicable. To put the reasoning in a non-computer context, suppose I own a building and allow access only to people with keys to the building. I'll give out keys to anyone not banned, but I check their identity first to make sure they aren't on the banned list and won't give them a key if they are. I ban you and take away your key so you can't get back in, and tell you you aren't authorized to enter. You still want in, so you go and get a fake ID in a different name made up, disguise yourself, come back and get a key under that false identity. If I catch you in the building, am I limited to just throwing you out again or can I also hold you liable for using false pretenses to gain unauthorized entry? I'd argue I can hold you liable. Had you not falsified your identity you'd never have been allowed in, and you supplied that false identity instead of your real one deliberately with the intent to gain access you knew full well you weren't authorized to have.

    This is quite a bit distinct from a building with no locks that you don't have to supply a false identity to get into after you've been banned, or one where even though you're banned they still issue you a new key whenever you ask.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 30 Apr 2019 @ 11:36am

      Re:

      Wasn't there a case where a mother impersonated someone and drove one of her daughter's friends to suicide and they ruled that creating the fake account was not a CFAA violation?

      reply to this | link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    identicon
    Sweeney-Glow Sweet Chariots - Custom Cars, 30 Apr 2019 @ 10:34am

    Clear and specific warnings make criminal intent.

    1) "Facebook should have a free hand in kicking these guys off of the platform" -- Agree, but the facts here give cause in common law: it's NOT to be arbitrarily as you so often assert.

    2) Duly noticed via letters known received following procedure handed down in decision by a high court. But it's not enough for you? Setting yourself above 9th Circuit again. What chutzpah.

    3) This isn't what's commonly called "hacking", no: it's organized and funded for commercial PROFIT. Money changes everything. Business are NOT "persons", don't actually have Rights, but are regulated by Commercial Law.

    4) "participating in an activity which the Facebook platform allows technologically" -- You're saying that doors allow criminals to walk into banks, therefore they can "legally" walk out with all the cash can grab.

    And of course your ONE CONSTANT POSITION is that NO corporation should ever be held liable, not even against another, Facebook.

    s/\u/\b/\s/\t/\i/\t/\u/\t/\e /\h/\o/\r/\i/\z/\o/\n/\t/\a/\l /\r/\u/\l/\e

    Also note how I tactfully avoid mentioning that your opinion on "fake followers" is exactly the one I'd expect.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 30 Apr 2019 @ 10:39am

      Re: Clear and specific warnings make criminal intent.

      I like how you're still obsessed with your imaginary horizontal rule conspiracy.

      reply to this | link to this | view in chronology ]

    • icon
      Gary (profile), 30 Apr 2019 @ 10:45am

      Re: Clear and specific Troll

      Hey Blue Balls -

      1) Please show us your hosted site where you can show us how real free speech works without moderation.
      2) Please explain what you think common law means.
      3) Please show what "Common Laws" you accused TD of breaking. (WHich you have done on numerous occasions.)
      4) You lie.

      Thanks!

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 30 Apr 2019 @ 11:36am

      Re: Clear and specific warnings make criminal intent.

      Why can't a platform kick someone off for practically any reason they want? I've never heard of anything that says otherwise.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 30 Apr 2019 @ 1:42pm

        Re: Re: Clear and specific warnings make criminal intent.

        “Why can’t a platform kick anyone off for practically any reason they want?”

        Don’t worry John your multiple personality disorder will have you disagree with that the next time someone blocks your opinions lol

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 30 Apr 2019 @ 1:46pm

          Re: Re: Re: Clear and specific warnings make criminal intent.

          Please disregard this comment.
          It’s really hard to tell when John/blue/whoever he currently is at the moment is sometimes

          reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 30 Apr 2019 @ 4:36pm

      Re: Clear and specific warnings make criminal intent.


      You're a moron


      reply to this | link to this | view in chronology ]

  • icon
    Mason Wheeler (profile), 30 Apr 2019 @ 11:16am

    It's treating it's own inability to clean up its own platform as a legal issue.

    Far be it from me to defend Facebook on... well... just about anything, but in this particular case, isn't that exactly what it is?

    If it were a physical premises rather than a virtual premises, they would have the right to tell someone to leave and not come back, and if the unwelcome person tried to come back after that, they would be trespassing, which is a legal issue. Why treat this differently?

    reply to this | link to this | view in chronology ]

    • icon
      Thad (profile), 30 Apr 2019 @ 11:39am

      Re:

      If it were a physical premises rather than a virtual premises, they would have the right to tell someone to leave and not come back, and if the unwelcome person tried to come back after that, they would be trespassing, which is a legal issue. Why treat this differently?

      Because that's not what the CFAA is for. It was designed to punish people for illegally accessing computers through breaking or circumventing security in some way; it's (sometimes) been broadly interpreted to also include violating a network's terms of service, but that's not really a good thing.

      If you want to go with the trespassing analogy, using the CFAA to punish someone for ban-dodging is like charging a trespasser with burglary. No burglarly occurred; he walked in through the front door after they asked him not to. He did something he shouldn't have, but that doesn't mean burglary is the appropriate statute for punishing him.

      If Facebook were to pursue this as a contract violation, I'd have less of an issue with that (though I do have some problems with TOS being treated as a contract, and IIRC you and I generally agree on that subject). I might see it as a waste of time, but it wouldn't have the same problem of stretching the CFAA beyond its intended purpose.

      reply to this | link to this | view in chronology ]

      • icon
        TKnarr (profile), 30 Apr 2019 @ 12:08pm

        Re: Re:

        Perhaps not burglary, but you can charge him with trespassing even if you didn't stop him from coming in the door. In fact, you can't charge him with trespassing until after he comes in the door, since before that he hasn't trespassed.

        And you can't charge him with trespassing until after you've told him he's not allowed in and thrown him out, and he comes back in again. Not even if he started a fight at the bar when the signs at the entrances specifically say fighting isn't permitted at the bar. His actions give you grounds to throw him out and bar him from entering, but they don't act retroactively to change the fact that he hadn't violated the rules at the time he entered and you hadn't barred him from entry yet.

        reply to this | link to this | view in chronology ]

        • icon
          Thad (profile), 30 Apr 2019 @ 12:18pm

          Re: Re: Re:

          ...this is why I try not to argue by analogy. This is getting pretty far afield from a discussion of a CFAA suit.

          reply to this | link to this | view in chronology ]

          • icon
            TKnarr (profile), 30 Apr 2019 @ 2:37pm

            Re: Re: Re: Re:

            I think it's right on point for the current suit in question, it's just that when converted from computer-network to physical terms the situation suddenly looks obviously different from what some people would like it to look like.

            reply to this | link to this | view in chronology ]

        • identicon
          TripMN, 30 Apr 2019 @ 1:29pm

          Re: Re: Re:

          Thad didn't bite, but I will.

          Computers are not like buildings, that analogy falls apart quickly. Your computer sends packets of info (more analogous to a bunch of envelopes) that bounce from server to server until they find a destination that matches the IP address they were told belongs to the right domain. They then present all of the packets of info to the website and the website uses the info in the packets to see what the user wanted, who they say they are, whether they get special considerations. Then the website pens a response and sends it back over the same networks using its own packets.

          There is no trespass, they are using the website/API as designed. CFAA should not apply.

          Now, the problem is Facebook has found an open ended law (CFAA) that they read as saying that anything they don't like and breaks their business rules, they can turn around and try to generate a pseudo-law based on it to sue over. There is no law that says being anonymous or using not your real name is a crime, but FB is trying to use its TOS to make it into one... and that's kind of scary what it says about the power they wield.

          reply to this | link to this | view in chronology ]

          • icon
            TKnarr (profile), 30 Apr 2019 @ 2:36pm

            Re: Re: Re: Re:

            If we took your definitions, the CFAA couldn't apply to anything. No, the CFAA speaks to access, not merely physical access. You don't physically enter the computer, but your requests do reach it and you do access it (we even speak of making requests over the network and receiving a response as accessing or "going to" a site, that should be a big clue for you right there).

            reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 30 Apr 2019 @ 12:12pm

    I can see this..

    All persons, are demanded to use REAL names...(if it looks real they dont say much, unless they track your gmail info)

    But this is Kinda old, but will Have some BIG ramifications, along with FAKE news.
    There is a Big underbelly that has been around along time and it ranks up there with allot of things.

    Goto Amazon, and look up the comments.. Yep there is fake stuff there.
    Goto most ANY sale site and there is Fake comments about things..
    Goto These Fake Drug sites or Herbal drugs and look around the comments.
    HOW about our congress persons, UP LATE, inside the congress giving speeches?? Kinda fake there also, as there is no one THERE.
    I wont even mention HOW, this could affect REAL voting..(it has)
    I wont mention the FCC..Showing how this can be done, by their OWN ignorance.

    If we had a vote today and every man, women, child had to raise a hand...There would be about 1/2 the vote from Invisible people, that were created and documented..
    This THING was created long ago, to influence our own gov. to create abit of ignorance based on what a Corp can say, and backup with FAKe data, they can get 1000's of letters agreeing to them..

    1 company awhile back WENT threw the list of letters and found 50 people that live in 1 house in 1 town..and the address wasnt even real, no house, no location.
    HOW do we find/create/deal with a gov. that hasnt taken the time to Fill out the Little boxes of DATA, that IT SHOULD HAVE..
    Its not that they need the name of every person living(they do, birth records and Social sec.), its not that they STILL dont cross reference Birth and death records in EVERY STATE(the old records are a mess, and no way to reference them W/O SS# to prove who is who(1000's of John smiths)).
    How many persons in the past, WANTED TO/HAD TO change there name to protect themself or HIDE from a past mistake?? LOTS..
    and it wasnt that hard, and still isnt..(If you know how)

    But the Corps have taken it to a level that is hurting ALL of us. And Scammers LOVE it also.. Give a name address and email of Person mentioned and dont REALLy look them up..Or even use a real persons DATA, and you find they are real, but never knew their name was used?? NOT A PROBLEM..(we dont know that the corps or Gov. did anything)

    The old saying BUYER BEWARE, has allot of meaning behind it in this country. can we REALLy Check and validate DATA??

    reply to this | link to this | view in chronology ]

  • icon
    Chris-Mouse (profile), 30 Apr 2019 @ 6:41pm

    If Facebook wins this, how long before some website sues users for visiting their site while using an adblocker?

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.