from the is-that-truly-hacking? dept
Over the last year or so, a key focus of Facebook’s has been to battle what it calls “coordinated inauthentic behavior.” While the phrase may sound vaguely Orwellian, I actually appreciate the thinking behind it. It’s one thing to say you’re going after “fake accounts” or “propaganda” or “trolls,” but that language is imprecise, and certainly doesn’t provide much clarity for what Facebook is actually targeting. Indeed, using vague language continues to be a massive problem in all sorts of content moderation challenges. So, instead, Facebook focused on “coordinated inauthentic behavior,” which is much more definable, and also neatly encapsulates a lot of activity that most people all agree is at least somewhat problematic in a variety of contexts. I’ve also appreciated some of the actions that Facebook has taken to try to stop or prevent such “coordinated inauthentic behavior.”
What I don’t appreciate is a highly questionable lawsuit Facebook filed on Friday, again supposedly targeting coordinated inauthentic behavior on its platforms: in particular fake likes and fake followers. Now, let’s be clear: no one is suggesting that services that provide fake likes or fake followers are a good thing. They are scams and they are designed to mislead people. I think Facebook has every right to try to delete such fake likes and fake followers from its platforms.
What I’m less sure of, however, is if Facebook should be able to sue the companies (and the individuals behind those companies) for creating such a service. But that’s what Facebook has done. The complaint argues that it’s a CFAA violation (and a violation of California’s version of the CFAA). If you don’t recall, the CFAA (the Computer Fraud and Abuse Act) was the law that was originally designed to go after malicious hackers, but was written in such broad and vague language — regarding things like “unauthorized access” and “exceeding authorized access” — that it’s been used in all sorts of questionable ways, including not obeying a web site’s terms of service. It’s been referred to as “the law that sticks” when no other law can be used against “vaguely icky” activity done on a computer.
One of the most annoying things over the past few years is seeing big internet companies regularly try to use the CFAA and expand what it covers in ways that are extraordinarily broad and could lead to real problems down the road. Facebook has actually done this for years, with a big case being the time it sued a site, Power Ventures, which helped users aggregate all their various social network info. This was not “hacking” in any real sense, and the access was “authorized” by the end user, but Facebook didn’t like it and argued that because it sent Power a cease and desist letter, that any further access violated the CFAA. Unfortunately, the courts have agreed with Facebook, setting a dangerous precedent.
And, now, Facebook has gone back to the well, arguing that setting up fake likes and fake followers also violates the CFAA:
Defendants? access and use of Facebook and Instagram?s computers and computer systems was unauthorized because Defendants accessed Facebook and Instagram?s computer network after Facebook and Instagram disabled their Instagram accounts and sent cease and desist letters to Defendants revoking their access.
Facebook and Instagram computers and servers are protected computers as defined by 18 U.S.C. § 1030(e)(2).
Defendants violated 18 U.S.C. § 1030(a)(4) because they knowingly and with intent to defraud accessed Facebook and Instagram-protected computers by sending unauthorized commands to Facebook and Instagram computers. Defendants sent the commands to Facebook and Instagram computers to manipulate Instagram?s service by fraudulently inflating likes of certain Instagram accounts. Defendants did these acts in exchange for profit.
Defendants violated 18 U.S.C. § 1030(a)(5)(A) because they knowingly and intentionally caused the transmission of a program, information, code, or command, and, as a result of such conduct, intentionally damaged Facebook and Instagram-protected computers.
Now, I dislike fake likes and fake followers on social media just as much (if not more) than the average person. I’m aware of some other news sites that some might consider competitors of ours that have used those tactics to build up larger claimed social media followings. And I can see how that’s unfair.
But is it truly hacking? Is it truly “unauthorized access”? Note that Facebook calls out that it sent cease and desist letters to the defendants, as per the 9th Circuit’s ruling in the Power Ventures case. We warned that such a case would set a dangerous precedent, and once again, here’s Facebook claiming that if it sends a cease and desist to a company for participating in an activity which the Facebook platform allows technologically that it’s magically breaking the law.
To be clear: Facebook should have a free hand in kicking these guys off of the platform — and if it can figure out the accounts posting the fake likes and fake follows, it can and should kick them off as well. But suing the company behind it under an anti-hacking law is a step too far. It’s treating it’s own inability to clean up its own platform as a legal issue. And it’s not difficult to see how such a precedent can be abused legally by all sorts of internet platforms. Perhaps some people don’t mind, and feel that any action taken against spammers/fakers/etc. should be fine. But be careful what you wish for. Allowing this use of the CFAA will only serve to give big internet platforms much more power over what you and anyone else can do on those platforms — including how you might be able to use third party services to better protect your own privacy or take control over your own data.
It’s no surprise, given the Power Ventures case, that Facebook now views the CFAA as a weapon it can use against third party services on its platform. But it provides way too much power to turn issues of Facebook’s own failure to police its own platform into a legal issue dragged into the federal court system.