Scroll Top

Violating Terms of Service After C&D Letter Ends Authorization Under CFAA

The Ninth Circuit Court of Appeals found that a social media aggregator, using internal and external email based upon a user’s Facebook activities, violated the Computer Fraud and Abuse Act of 1986 (CFAA), 18 U.S.C. § 1030(a)(2)(C). The Court determined that under the CFAA, which prohibits acts of computer trespass by those who are not authorized users or who exceed authorized use, the violations occurred only after the social media aggregator received a cease and desist (C&D) letter from Facebook and nonetheless continued to access Facebook’s computers without permission.  However, the Court found that the social media aggregator did not violate the CAN-SPAM Act, 15 U.S.C. § 7706(g)(1). Facebook, Inc.  v. Power Ventures, Inc., case no 13-17102 (9th Cir.  July 12, 2016) (Available Here).

The trial court had entered summary judgment in favor of Facebook on its claims against Power Ventures, Inc., a social networking company that accessed Facebook users’ data and initiated form e-mails and other electronic messages promoting its website.  The 9th Circuit reversed the trial court’s decision on the CAN-SPAM Act because the emails generated by Power arguably came from both the Facebook user, Power and Facebook itself.

However, social media aggregator Power violated the CFAA which prohibits acts of computer trespass by those who are not authorized users or who exceed authorized use by continuing to send out emails from the Facebook user’s account after Power received a cease and desist letter from Facebook and continued to access Facebook’s computers without permission.  Access to Facebook was needed to send out the Power emails.  In the 9th Circuit, “a violation of the terms of use of a website, without more, cannot be the basis for liability under the CFAA.”

In the present case, Facebook sued Power over Power’s promotional campaign. Power accessed Facebook users’ data and initiated form emails and other electronic messages promoting Power’s website. Initially, Power had implied permission from Facebook. But Facebook sent Power a cease and desist letter and blocked Power’s IP address; nevertheless Power continued its campaign.   Power aggregated the user’s Facebook social networking information and sent out internal (to Facebook) and external emails promoting the Power website.

Due to an aggregation of the user’s social media sites, a Power user thus could keep track of a variety of social networking friends through a single program and could click through the central Power website to individual social networking sites.  Facebook requires third-party developers or websites that wish to contact its users through its site to enroll in a program called Facebook Connect. It requires these third parties to register with Facebook and to agree to an additional Developer Terms of Use Agreement.  Power did not sign this contract.

Power caused a message to be transmitted to the user’s friends within the Facebook system. In other instances, depending on a Facebook user’s settings, Facebook generated an e-mail message.  The “from” line in the e-mail stated that the message came from Facebook; the body was signed, “The Facebook Team.”  Facebook first became aware of Power’s promotional campaign in 2008 and sent a “cease and desist” letter to Power instructing Power to terminate its activities. Facebook tried to get Power to sign its Developer Terms of Use Agreement and enroll in Facebook Connect, Power refused and then Facebook blocked Power’s Internet Protocol (“IP”) address in an effort to prevent Power from accessing the Facebook website.  Power then employed a design around and continued its campaign.

Facebook alleged violations of the CFAA, the CAN-SPAM Act, and California Penal Code section 502 and moved for summary judgment. The district court granted summary judgment to Facebook on all three claims. The district court awarded statutory damages of $3,031,350, compensatory damages, and permanent injunctive relief, and it held that Power owner, Vachani, was personally liable for Power’s actions.

The CAN-SPAM Act grants a private right of action for a “provider of Internet access service adversely affected by a violation of section 7704(a)(1) of this title.” 15 U.S.C. § 7706(g)(1).  Section § 7704(a)(1) makes it unlawful for “any person to initiate the transmission, to a protected computer, of a commercial electronic mail message, or a transactional or relationship message, that contains, or is accompanied by, header information that is materially false or materially misleading.”  The statute provides that the term “materially,” when used with respect to false or misleading header information, includes the alteration or concealment of header information in a manner that would impair the ability of an Internet access service processing the message on behalf of a recipient, a person alleging a violation of this section, or a law enforcement agency to  identify, locate, or respond to a person who initiated the electronic mail message or to investigate the alleged violation, or the ability of a recipient of the message to respond to a person who initiated the electronic message. Id. § 7704(a)(6).

The 9th Circuit noted that the statute provides is violated when an email “header information [] is technically accurate but includes an originating electronic mail address, domain name, or Internet Protocol address the access to which for purposes of initiating the message was obtained by means of false or fraudulent pretenses or representations shall be considered materially misleading.” Id. § 7704(a)(1)(A).  Because more than one person may be considered to have initiated the Power email messages, Power’s users, Power, and Facebook all initiated the messages at issue.  Hence, Power’s actions did not violate the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, or CAN-SPAM Act, which grants a private right of action for a provider of Internet access service adversely affected by the transmission, to a protected computer, of a message that contains, or is accompanied by, header information that is materially false or materially misleading. The Court held that here, the transmitted messages were not materially misleading.

The CFAA prohibits acts of computer trespass by those who are not authorized users or who exceed authorized use. It creates criminal and civil liability for whoever “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C).  The statute defines “loss” to mean “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data.”  Facebook employees spent many hours, totaling more than $5,000 in costs (the CFAA minimum damage threshold), analyzing, investigating, and responding to Power’s actions, therefore suffered a loss under the CFAA.

The decision in LVRC Holdings LCC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) had an impact on the Court’s decision in this case.  In LVRC, an employee logged onto his employer’s computer.  Because the employee sent e-mails while he still had authorized access to the company’s computers, his actions did not constitute unauthorized use and did not run afoul of the CFAA.  In the 9th Circuit, the LVRC case broadly describes the application of the CFAA to violations of websites’ terms of service (TOS). “Not only are the terms of service vague and generally unknown . . . but website owners retain the right to change the terms at any time and without notice. As a result, imposing criminal liability for violations of the terms of use of a website could criminalize many daily activities. Accordingly, the phrase ‘exceeds authorized access’ in the CFAA does not extend to violations of [TOS] use restrictions.”

Power users arguably gave Power permission to use Facebook’s computers to disseminate messages.  The consent that Power had received from Facebook users was not sufficient to grant continuing authorization to access Facebook’s computers after Facebook’s express revocation of permission. As for Power’s reaction to the Facebook C&D letter, a Power executive sent an e-mail to Facebook stating that Power engaged in four “prohibited activities”; acknowledging that Power may have “intentionally and without authorization interfered with [Facebook’s] possessory interest in the computer system.”  This email response was used to support the affirmance of the trial court’s decision.  The Court held that after receiving the cease and desist letter from Facebook, Power intentionally accessed Facebook’s computers knowing that it was not authorized to do so, making Power liable under the CFAA.

Related Posts