Meta Sues Firm For Data Scraping; Claims That Signing Up For New Accounts After Being Banned Is Equivalent Of Hacking

from the why-is-this-a-problem? dept

For years we’ve talked about the infamous Facebook lawsuit against Power.com. As you may recall, this was a key CFAA case against a site, Power.com, that was trying to create a social media aggregator dashboard — in which you could log in through a single interface, and access content from and post to a variety of different social media platforms. Facebook alleged that this was a form of hacking — claiming it was “unauthorized access” to Facebook. This was even though there was no actual unauthorized access. Individual users gave Power their login credentials, so everything was completely authorized. After years of winding through the courts, unfortunately, it was decided that this was a violation of the CFAA, mainly because Facebook sent a cease & desist letter, and somehow going against that now made it “unauthorized.” In my mind, this is one of the biggest reasons why Facebook has much less competition today than it otherwise might — because it used the CFAA and cases against Power.com to create a “you can check in, but you can’t check out” kind of data arrangement. Things like Power.com were an empowering system that might have made people much less reliant on Facebook — but it was killed.

In an age now where people are increasingly talking about the importance of data portability and interoperability, something like Power.com would be a useful tool.

So, it’s interesting (and a little disturbing) to see that Facebook’s new corporate identity, Meta, has now sued another company for data scraping. It is notable that in this case, the defendant, Social Data Trading Ltd., is a lot less sympathetic a character than Power.com was. And — more importantly — Facebook is not using the CFAA this time (other cases have suggested that what Facebook got away with in the Power case it would no longer be able to get away with under that law). However, it is trying to use California’s state law equivalent of the CFAA. And no matter how you look at it, it’s still at least a little worrisome that Facebook (ok, whatever, Meta) believes it has a legal right to stop scraping of otherwise public data.

So first, Social Data Trading is not sympathetic. It appears to be a sketchy service in its own right, scraping data on social media users to sell “in-depth insights into the demographics and psychographics of influencers and their audiences.” Meta put in place some technical blocks to try to stop the company from scraping (which seems like fair game), but SDT would then just register new domains and continue scraping. Facebook had apparently tried to stop a predecessor company to Social Data Trading called “Deep.Social,” though the complaint seems to imply that SDT is just a reworking of Deep.Social.

The more difficult issue here is that part of the way that SDT did its scraping was by creating fake accounts on Facebook and Instagram, and then using those fake accounts to scrape the data. And that does bring things into a legally more complex area, but also gives Meta the route around to go after these guys without using the CFAA.

At issue is that when you create one of those accounts… you agree to the terms of service, and those terms say you can’t use the site for “collecting information in an automated way.” Thus, the core argument here is that it’s a breach of contract case, and that the SDT folks agreed to the terms and then broke them by using their fake accounts to scrape.

Since January 2019, Defendant created and used multiple Instagram accounts and agreed to Instagram’s Terms. Defendant agreed to Instagram’s Terms no later than January 30, 2019.

In addition, since September 2020, Defendant has used thousands of Instagram accounts to scrape Instagram.

Defendant breached the Terms by using unauthorized automated means to access Instagram and collect data from Meta computers without permission, including after Meta revoked Defendant’s access to its platform.

Of course, it seems to me that if this is a breach, the remedy should simply be removal of service, not anything more. But Meta claims damages “in excess of $75,000” (the minimum needed to get into federal court).

The second claim in the lawsuit seems… a lot sketchier. It claims violations of California Penal Code Section 502, which is (more or less) California’s equivalent to the CFAA. While, apparently, Meta’s lawyers know enough to not go to the well again on the federal CFAA, the use of the state equivalent is still quite concerning.

Beginning no later than June 2021, Defendant, without permission, knowingly accessed and otherwise used Meta’s computers, computer system, and computer network in order to (a) devise or execute any scheme or artifice to defraud and deceive, and (b) to wrongfully obtain money, property, or data, in violation of California Penal Code § 502(c)(1).

Beginning no later than June 2021, Defendant, without permission, knowingly accessed and took, copied, and made use of data from Meta’s computers, computer system, and computer network in violation of California Penal Code § 502(c)(2).

Beginning no later than June 2021, Defendant knowingly and without permission used or caused to be used Meta’s computer services in violation of California Penal Code § 502(c)(3).

Since June 2021, Defendant knowingly and without permission accessed and caused to be accessed Meta’s computers, computer systems, and/or computer networks in violation of California Penal Code § 502(c)(7). Defendant accessed Meta’s computer network after Meta disabled its Instagram accounts, blocked its domain, and sent correspondence to Defendant revoking its access.

Because Meta suffered damages and losses as a result of Defendant’s actions and continues to suffer damages and losses as a result of Defendant’s actions, Meta is entitled to compensatory damages in an amount to be determined at trial, attorney fees, any other amount of damages proven at trial, and injunctive relief under California Penal Code § 502(e)(1) and (2).

Because Defendant willfully violated California Penal Code § 502, and there is clear and convincing evidence that Defendant committed “fraud” as defined by section 3294 of the Civil Code, Meta is entitled to punitive and exemplary damages under California Penal Code § 502(e)(4).

All of this should be concerning to folks. It basically says that if you get kicked off a site and then create a new account… you could face serious consequences (and while this is a civil suit, Section 502 violations can lead to criminal liability as well). This should be cause for alarm. Yes, even if the defendant is a sketchy data operation, and even if Meta really didn’t want them scraping their site, to turn around and use what is, ostensibly, a computer “hacking” law against them for setting up new accounts seems incredibly dangerous and could lead to very bad consequences.

Finally there’s an “unjust enrichment” claim which also seems a bit silly — especially for a company like Facebook, which makes so much of its money by collecting data in surreptitious ways, to argue that another firm doing that back to Facebook is somehow “unjustly” enriching itself is pretty rich.

Still, it’s claim two that should raise some eyebrows, and I wish that Facebook recognized what a dangerous game it’s playing in trying to argue that signing up for a new account after you’ve been banned somehow violates an anti-hacking law.

Companies: facebook, meta, social data trading

Comments on “Meta Sues Firm For Data Scraping; Claims That Signing Up For New Accounts After Being Banned Is Equivalent Of Hacking”

17 Comments
Lostinlodos (profile) says:

What’s wrong?

“All of this should be concerning to folks. It basically says that if you get kicked off a site and then create a new account… you could face serious consequences ”

I fail to see what’s wrong with that.
If I toss you out of my house and you come back with a different shirt and ID it’s still you again.

When you’re tossed off the service you are tossed. Continually returning… you should face consequences!

Anonymous Coward says:

Re: What’s wrong?

Context makes all the difference. You have to consider what the consequences actually are and whether those consequences are proportional to the action on a case-by-case basis. The house analogy isn’t appropriate because going back to someone’s house after getting booted out isn’t on the same level as filling in a form (different name, email, date of birth, etc.) that is by default publicly available to anyone connected to the internet.

There’s an assumption that getting kicked off the site the first time was reasonable, which may or may not be true in this case. Scraping by itself shouldn’t be illegal (and also shouldn’t be against terms of service, in my opinion). Most of the time the information being scraped is indeed available to anyone with an account or even anyone who hasn’t been IP banned; the collection merely happens to be automated. What matters is what the scraper does with the data. Maybe Social Data Trading is scraping data for questionable purposes in this particular case, but not every scraper is the same. Even if SDT deserves to be kicked off of Meta’s social media websites, that’s no reason to punish SDT with an anti-hacking law. Creating a new account after having a previous one banned isn’t comparable to, for example, breaking into a stranger’s account or collecting data that isn’t accessible by simply creating an account.

Here’s a better analogy which demonstrates why Meta’s actions are unreasonable.
Facebook is the landlord of an apartment complex. The apartment complex has effectively limitless space (i.e. tens of billions of apartments). Someone working for SDT gets an apartment at Facebook’s complex. The employee (a scraper) goes from door to door collecting information about the apartments. Without entering the rooms the scraper manually collects as much information as possible about the individual tenants. Facebook finds out about and kicks out the scraper. SDT sends a new person to do the same thing. Facebook kicks the new scraper out. It may very well be reasonable for Facebook to kick out every person that SDT sends. However, it should be blatantly unreasonable for Meta to attempt to punish SDT using a statute against breaking and entering. In addition, considering that Meta probably lost little or no money due to the scraping, it’s unreasonable for Meta to claim damages "in excess of $75,000". (In addition, if the data collection that SDT is doing is unreasonable, then the data collection and exploitation that Facebook has long been doing is even more unreasonable.)

Somewhat offtopic remark: Here are the first words of California Penal Code Section 502.

It is the intent of the Legislature in enacting this section to expand the degree of protection afforded to individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems. The Legislature finds and declares that the proliferation of computer technology has resulted in a concomitant proliferation of computer crime and other forms of unauthorized access to computers, computer systems, and computer data.

SDT could simply go to Facebook’s website and the law would consider that to be unauthorized "access" to Facebook’s computer system. Just as the CFAA does, California Penal Code Section 502 uses language which is too broad for a statute meant to discourage hacking, but that’s no excuse for Meta to knowingly take advantage of overbroad language.

Lostinlodos (profile) says:

Re: Re: What’s wrong?

filling in a form (different name, email, date of birth, etc.)

Actually it’s just email address as far as I’m aware.

Here’s the thing though. This is not trespassing alone. It’s taking information. In this situation it’s the equivalent of grabbing papers out of a “bin” and walking off with it.

Public facing or not, they use access to take that information: access that has been prohibited.

At some point it must become criminal: or you give a full pass to all criminals.

Your apartment example would constitute systemic harassment for financial gain. A felony in my state.
Just sending a different employee doesn’t exonerate a company.
