A social media company that accessed Facebook user's profiles, with the user's permission but against warnings from Facebook, violated a federal anti-hacking law, the Ninth Circuit ruled on Tuesday. Power.com, a now-defunct social network aggregator, had encouraged its users to recruit others through their Facebook accounts, sending form messages and emails promoting its website. And they persisted after being told to knock it off. That continued access of Facebook, after the company issued a cease and desist, constituted a violation of the Computer Fraud and Abuse Act, the Ninth Ruled.
The ruling is the Ninth Circuit's second decision taking a broad interpretation of the CFAA in as many weeks and it should give any computer user pause.
The CFAA and Power.com
In the late aughts, Power Ventures, a startup helmed by Steven Vachani, operated a website called Power.com, which sought to aggregate users' social media accounts. Sign in to Power.com and you could see all your information from the social web in one spot, bringing together Facebook, MySpace, LinkedIn, what have you.
To promote the service, Power encouraged users to recruit others from Facebook. Asked if they wanted to share Power with friends, Power users could click a button labeled "Yes, I do!" and Power would create an event, photo, or status that would be shared through the user's Facebook profile.
Not pleased with a competitor creeping in on its business (and ignoring the terms of its Developer Agreement), Facebook issued a cease and desist letter to Power, telling it to stop all such activities. Power didn't, and Facebook eventually sued under the CFAA and an anti-spam statute, winning a $3 million judgment in district court.
Nosal II's Immediate Impact
The main question at issue on appeal was whether Power's continued access of Facebook, through Power users' Facebook accounts, constituted a violation of the anti-hacking law. The CFAA creates criminal and civil liability for anyone who "intentionally accesses a computer without authorization or exceeds authorized access" and subsequently "obtains information." Was Power's use of Facebook access "without authorization?"
The Ninth Circuit said yes. While Power initially had an implicit right to access Facebook, that right was terminated when Facebook sent the cease and desist. Everyone after that was unauthorized access, in violation of the CFAA.
In so ruling, the Ninth relied on United States v. Nosal, a case decided just seven days earlier. (You may have heard about that case through the many, many articles declaring that it was now a federal crime to share your Netflix password.) In that case, known as Nosal II, the Ninth ruled that a former employee, David Nosal, had violated the CFAA by using his executive assistant's password to access his former company's computers, after his own access privileges had been terminated.
In that case, the court explained, "once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party." As with Nosal, so too with Power.
Reasons to Be Concerned?
Under the Ninth's interpretation of the CFAA, the Hollywood Reporter posits, Donald Trump just has to send Hillary Clinton a letter telling her to stay off his website and suddenly an errant click could lead to civil liability. It could even be a crime -- if the Ninth's decision is read broadly.
Back to Kerr: