Appeals Court: It Violates CFAA For Service To Access Facebook On Behalf Of Users, Because Facebook Sent Cease & Desist
from the hmm dept
Of course, it's taken many, many years for the case to make its way through the courts, and Power.com ceased even existing about five years ago. And the latest ruling is not just a nail in the coffin, but a potentially problematic CFAA ruling. While the court tosses out the CAN-SPAM arguments, it does say that Power's actions were a CFAA violation. It's not as bad as it could have been, because the court doesn't say that merely violating Facebook's terms of service violates the CFAA, but instead narrows it slightly. It says that because Facebook sent a cease and desist letter to Power, from that point on it was on notice that it was not authorized to access Facebook's servers. It was the move to continue getting Facebook user data that sealed the CFAA claim.
Here, initially, Power users arguably gave Power permission to use Facebook’s computers to disseminate messages. Power reasonably could have thought that consent from Facebook users to share the promotion was permission for Power to access Facebook’s computers. In clicking the “Yes, I do!” button, Power users took action akin to allowing a friend to use a computer or to log on to an e-mail account. Because Power had at least arguable permission to access Facebook’s computers, it did not initially access Facebook’s computers “without authorization” within the meaning of the CFAA.
This is potentially a limited ruling, since there are a lot of specifics here. But it does still seem troubling. If I, as a user, wish to grant a service like Power access to my data, why can't I do so? The court insists that even if it's your information and you want to allow a service like Power to access it, Facebook has the final say -- because of something to do with banks and guns. Really.
The record shows unequivocally that Power knew that it no longer had authorization to access Facebook’s computers, but continued to do so anyway.
The consent that Power had received from Facebook users was not sufficient to grant continuing authorization to access Facebook’s computers after Facebook’s express revocation of permission. An analogy from the physical world may help to illustrate why this is so. Suppose that a person wants to borrow a friend’s jewelry that is held in a safe deposit box at a bank. The friend gives permission for the person to access the safe deposit box and lends him a key. Upon receiving the key, though, the person decides to visit the bank while carrying a shotgun. The bank ejects the person from its premises and bans his reentry. The gun-toting jewelry borrower could not then reenter the bank, claiming that access to the safe deposit box gave him authority to stride about the bank’s property while armed. In other words, to access the safe deposit box, the person needs permission both from his friend (who controls access to the safe) and from the bank (which controls access to its premises). Similarly, for Power to continue its campaign using Facebook’s computers, it needed authorization both from individual Facebook users (who controlled their data and personal pages) and from Facebook (which stored this data on its physical servers). Permission from the users alone was not sufficient to constitute authorization after Facebook issued the cease and desist letter.
The analogy seems a bit stretched, though I do get it. These are Facebook's servers -- but it still does seem troubling that Facebook is basically using the CFAA to block what was really just a service trying to make Facebook more useful to users. This wasn't what one would normally think of as "hacking" in any real sense, which is what the CFAA was designed to respond to. And, as we've seen with the CFAA, this ruling seems wide open to abuse by companies. Furthermore, I'm uncomfortable with an argument that is basically the same argument as "if we tell you not to access this open web server, then it's like trespassing."
Because it's not like that at all. An open web server is designed to accept traffic. Someone merely telling you that you can't access their website -- even though it's easy to do so technologically -- doesn't seem like it should then be seen as "unauthorized access" in a manner that makes you liable to computer hacking laws. That's a recipe for dangerous results.
At what point is access revoked? Does it require a full cease and desist letter? Or what if I add a drop-down telling visitors from certain IP addresses they're not welcome? What if I just type here that visitors from the state of New York are no longer allowed to visit Techdirt? If they continue to do so, is that a potential CFAA violation in the making? The same court has already ruled that a mere terms of service violation is not a CFAA violation, but where's the line between a terms of service violation and a cease-and-desist letter? Or me just telling you to stop visiting my website? It seems wide open to abuse.
The CFAA remains a mess of a law, and rulings like these are likely only going to lead to more litigation around borderline cases. And that's bad. It's going to be bad for users and it's bad for innovation. It's been particularly disappointing to see companies like Facebook and Craigslist coming down on the wrong side of CFAA litigation -- in both cases going after companies who were not "hacking" in any traditional sense, but were rather looking to add useful layers of services on top of existing services. The law is being abused by companies that don't want others to innovate, and that's unfortunate and bad for innovation.