Last week, the Ninth Circuit heard oral arguments in Facebook v. Power Ventures. There's a $3M judgement at stake, but that's nothing compared to the impact the case could have on the reach of an anti-hacking law, the Computer Fraud and Abuse Act.
That law, once intended to punish hackers who broke into computer systems, has been read by some circuits to prohibit all sorts of unauthorized access, from looking at protected company files to access someone's Facebook information.
The case comes out of a dispute between Facebook and a now-defunct rival social network. Power Ventures operated Power.com, a social network aggregator that allowed users to access their LinkedIn, Twitter, and Facebook accounts all in the same spot. To grow its user base, Power.com launched a "Power 100" campaign. Users could win $100 if they invited 100 of their friends to join. With users' permission, Power would gather information from their Facebook accounts and contact those Facebook users to ask them to switch to Power.com.
Facebook wasn't pleased. For one, it didn't appreciate Power Ventures spamming its users with messages that appeared to come from Facebook itself. Second, it had attempted to halt Venture's access to Facebook's info by blocking its IP address, an obstacle Venture easily circumvented. They sued, in part, under the CFAA and eventually won a $3 million judgement against Power Ventures.
The CFAA Conundrum
That verdict against Power Ventures is now being appealed to the Ninth Circuit and questions about the reach of the CFAA are at its heart. The CFAA creates both criminal and civil penalties for anyone who "intentionally accesses a computer without authorization or exceeds authorized access" to gain information.
That "without authorization" language has proven difficult for courts to interpret, particularly in cases such as this, where users have agreed to allow access but the companies hosting their information have not. For example, is it acting without authorization to scrape information from a competitor's website? To access a user's account, with their permission, on a rival company's computers in order to transfer their information to yours?
At oral arguments last week, which you can watch above, Power Ventures argued that it couldn't have violated the CFAA. "Authorization relates to data ownership," Power argued, and "the data that was copied is the user's data. Facebook expressly disclaimed ownership to this data." Power has been joined by the Electronic Frontier Foundation, which argued in its amicus brief that the Facebook's use of the CFAA is "dangerous to follow-on innovators and consumers and would criminalize widely accepted Internet behavior."
- Ninth Circuit Hears Arguments on IP Address Blocking and Shared Accounts Under the CFAA (The Washington Post)
- Ninth Circuit Saves Distracted Workers from Federal Prosecution (FindLaw's U.S. Ninth Circuit Blog)
- 'Hacking' Case, Remanded by 9th, Results in Conviction (FindLaw's U.S. Ninth Circuit Blog)
- 9th, SCOTUS Each Asked to Review Facebook Privacy Settlements (FindLaw's U.S. Ninth Circuit Blog)