Appeals Court: It Violates CFAA For Service To Access Facebook On Behalf Of Users, Because Facebook Sent Cease & Desist
from the hmm dept
Another week, another CFAA (Computer Fraud & Abuse Act) ruling out of the 9th Circuit Appeals Court. This time it's the infamous Facebook v. Power.com case that's been going on since 2008. When we first came across the case, in early 2009, we insisted that it made no sense. Power.com was trying to set itself up as a sort of "meta" social network, or perhaps a social network management system, where users could have a dashboard for all their different social networks. Facebook didn't like this and sued over a long list of things, including copyright and trademark infringement, unlawful competition, violation of anti-spam laws... and the CFAA. Most of the claims went nowhere, but the CFAA and anti-spam ones lived on (because Power.com had systems for sending emails to users). The copyright claims were troubling, but the CFAA claims were the ones that concerned us the most.
Of course, it's taken many, many years for the case to make its way through the courts, and Power.com ceased even existing about five years ago. And the latest ruling is not just a nail in the coffin, but a potentially problematic CFAA ruling. While the court tosses out the CAN SPAM arguments, it does say that Power's actions were a CFAA violation. It's not as bad as it could have been, because the court doesn't say that merely violating Facebook's terms of service violates the CFAA, but instead narrows it slightly. It says that because Facebook sent a cease and desist letter to Power, from that point on it was on notice that it was not authorized to access Facebook's servers. It was the move to continue getting Facebook user data that sealed the CFAA claim.
Here, initially, Power users arguably gave Power permission to use Facebook’s computers to disseminate messages. Power reasonably could have thought that consent from Facebook users to share the promotion was permission for Power to access Facebook’s computers. In clicking the “Yes, I do!” button, Power users took action akin to allowing a friend to use a computer or to log on to an e-mail account. Because Power had at least arguable permission to access Facebook’s computers, it did not initially access Facebook’s computers “without authorization” within the meaning of the CFAA.
But Facebook expressly rescinded that permission when Facebook issued its written cease and desist letter to Power on December 1, 2008. Facebook’s cease and desist letter informed Power that it had violated Facebook’s terms of use and demanded that Power stop soliciting Facebook users’ information, using Facebook content, or otherwise interacting with Facebook through automated scripts. Facebook then imposed IP blocks in an effort to prevent Power’s continued access.
The record shows unequivocally that Power knew that it no longer had authorization to access Facebook’s computers, but continued to do so anyway.
This is potentially a limited ruling, since there are a lot of specifics here. But it does still seem troubling. If I, as a user, wish to grant a service like Power access to my data, why can't I do so? The court insists that even if it's your information and you want to allow a service like Power to do so, Facebook has the final say -- because of something to do with banks and guns. Really.
The consent that Power had received from Facebook users was not sufficient to grant continuing authorization to access Facebook’s computers after Facebook’s express revocation of permission. An analogy from the physical world may help to illustrate why this is so. Suppose that a person wants to borrow a friend’s jewelry that is held in a safe deposit box at a bank. The friend gives permission for the person to access the safe deposit box and lends him a key. Upon receiving the key, though, the person decides to visit the bank while carrying a shotgun. The bank ejects the person from its premises and bans his reentry. The gun-toting jewelry borrower could not then reenter the bank, claiming that access to the safe deposit box gave him authority to stride about the bank’s property while armed. In other words, to access the safe deposit box, the person needs permission both from his friend (who controls access to the safe) and from the bank (which controls access to its premises). Similarly, for Power to continue its campaign using Facebook’s computers, it needed authorization both from individual Facebook users (who controlled their data and personal pages) and from Facebook (which stored this data on its physical servers). Permission from the users alone was not sufficient to constitute authorization after Facebook issued the cease and desist letter.
The analogy seems a bit stretched, though I do get it. These are Facebook's servers -- but it still does seem troubling that Facebook is basically using the CFAA to block what was really just a service trying to make Facebook more useful to users. This wasn't what one would normally think of as "hacking" in any real sense, which is what the CFAA was designed to respond to. And, as we've seen with the CFAA, this ruling seems wide open to abuse by companies. Furthermore, I'm uncomfortable with an argument that is basically the same argument as "if we tell you not to access this open web server, then it's like trespassing."
Because it's not like that at all. An open web server is designed to accept traffic. Someone merely telling you that you can't access their website -- even though it's easy to do so technologically -- doesn't seem like it should then be seen as "unauthorized access" in a manner that makes you liable to computer hacking laws. That's a recipe for dangerous results.
At what point is access revoked? Does it require a full cease and desist letter? Or what if I add a drop-down telling visitors from certain IP addresses they're not welcome? What if I just type here that visitors from the state of New York are no longer allowed to visit Techdirt? If they continue to do so, is that a potential CFAA violation in the making? The same court has already ruled that a mere terms of service violation is not a CFAA violation, but where's the line between a terms of service violation and a cease-and-desist letter? Or me just telling you to stop visiting my website? It seems wide open to abuse.
The CFAA remains a mess of a law, and rulings like these are likely only going to lead to more litigation around borderline cases. And that's bad. It's going to be bad for users and it's bad for innovation. It's been particularly disappointing to see companies like Facebook and Craigslist coming down on the wrong side of CFAA litigation -- in both cases going after companies who were not "hacking" in any traditional sense, but were rather looking to add useful layers of services on top of existing services. The law is being abused by companies that don't want others to innovate, and that's unfortunate and bad for innovation.
Filed Under: 9th circuit, cease and desist, cfaa, terms of service
Companies: facebook, power.com
Reader Comments
Amateurs writing legislation
[ link to this | view in thread ]
If they are going to use real world examples at least use good ones.
[ link to this | view in thread ]
Re: Amateurs writing legislation
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Wait, why is this problematic?
An open web server is designed to accept traffic from the general public. An open store is designed to accept walk-in business from the general public.
My first job out of high school was at a Wendy's. There was this one young lady who kept coming in and being disruptive, and after a couple months she did something--I don't remember what, exactly--that really crossed a line. The store manager was in that day, and he came out and personally told her to leave, and that if she ever came back he would call the police and have her arrested for trespassing.
Did he or did he not have the right to do this, even though it's a business that's open to the general public?
If not, why not? And if so, why is the Facebook situation any different? Isn't it a basic tenet on Techdirt that you don't get something fundamentally different (and certainly not in a way that should be regarded differently by the law) by taking something common and well-understood from the real world and slapping "on the Internet" on the end of it?
[ link to this | view in thread ]
Re: Amateurs writing legislation
You could not be more wrong. The axiom "Never attribute to malice what may be adequately explained by stupidity" is the product of a fool's delusion.
Government itself is a beast, a collection of self serving people that are by no means stupid. In fact, any attempt to attribute its activity to anything but malice is to turn a blind eye on an institution of men that has proven across time to be nothing more than a corruption, a perversion saddled on the backs of free people!
[ link to this | view in thread ]
Re: Re: Amateurs writing legislation
[ link to this | view in thread ]
Re:
This is the Post Office having someone arrested because I gave them the keys to my PO box to pick up my mail for me.
[ link to this | view in thread ]
Re:
So the big open door that everyone else on the Internet saw became a big, giant locked gate with signs saying "Keep Out" as far as the company was concerned.
[ link to this | view in thread ]
Re: Re: Re: Amateurs writing legislation
"Yes, you would also die. Sound is just pressure waves through air which our ears can hear, and since decibels are logarithmic they increase really quickly. A whisper is 40 dB, talking is 60, and hearing damage starts at 85. The loudest scream ever was 116 dB at 8 feet. A train horn is about 130.
At 150 decibels you stop being able to breathe. You feel like you are underwater from the amount of air being hurled at you. Past 160 flashlights and other battery-powered equipment will begin to fail due to electrical interference and your brain and eyes will start getting permanent damage.
Humans exposed to 170 decibels have about a 50% chance of surviving.
Above that the scale just kinda falls apart (edit: As many comments have pointed out, decibels aren't really an appropriate measure for things above this energy, because sound starts doing weird things. 194 dB is the same as the ambient air pressure in PSI at sea level, so beyond that it's not so much a sound as it is a blast or shockwave.) Around 185 dB you get the types of forces involved in tornadoes or pressure blasts from large bombs, capable of destroying everything in their path. The largest bomb used in Europe during WWII only made 220 decibels, and the bombs used on Hiroshima and Nagasaki created 250. Krakatoa's eruption was 310 and blew out concrete walls 300 miles away. Tambora, the loudest sound ever recorded, was 325 decibels and had enough energy to dig a crater 12 miles wide and as deep as Yosemite.
500 decibels would likely annihilate large sections of whatever landmass you were on, possibly with enough force to launch debris into space.
TL;DR: Yes, 500 dB for a thousandth of a second will make you go deaf. 120 decibels is usually considered the lower limit on instantaneous hearing loss. So don't stick your head in a jet engine or a subwoofer at a music festival, it might break your ears -- or kill you."
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
A system can scrape content from a web site without disrupting it. Facebook is happy to have Google send robots to visit their site. Facebook simply doesn't like this other company visiting their site.
This is very different than someone disrupting the operation of a walk in store.
Whether or not Power should visit Facebook's site, the CFAA is a law that has, is and will be abused. Unlike trespassing law.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re:
Trespassing laws are often abused by police looking for a pretext to stop protests and demonstrations they don't like. Most laws can be abused when the government representatives in charge of enforcement become corrupt. The appeals court system is supposed to be the checks and balances to that abuse of trust, but in many cases that's no longer true thanks to hideously bad laws like the CFAA and a "zero tolerance" culture.
[ link to this | view in thread ]
Response to: Mason Wheeler on Jul 13th, 2016 @ 12:33pm
[ link to this | view in thread ]
Re: Re:
You use an adblocker to visit facebook. Facebook adds a mechanism to detect it and displays a pop-up that says, "please disable adblocking software." You click "ok" and it dismisses the pop-up, but you leave the adblocker on and continue accessing the site.
Have you violated the CFAA and made yourself subject to many years in federal prison? You have ignored the notification and circumvented protections.
[ link to this | view in thread ]
Response to: Mason Wheeler on Jul 13th, 2016 @ 12:33pm
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
It's no different than having your own vehicle but you use your neighbor's license plate to drive around the city, even if your neighbor gave you permission. Simply because that license plate belongs to the state where it was issued.
[ link to this | view in thread ]
I'm with the above Mr Wheeler, to an extent.
If I hold a party at my house - with an open-door policy and the whole street invited - I still have the right to throw people out and keep them out if they misbehave.
Morally and legally, I have that right, I value that right and I expect that right to continue in the future.
Likewise, if I run a pub, a shop, a post office or anything else, if patrons won't follow the rules and behave appropriately, I'll want them to leave. In many cases, it would even be my legal obligation to ensure that they do so.
Other party-guests don't have any moral or legal right to over-rule my wishes and let the unwelcome, abusive drunkard in via the back door - and the unwanted customer has no right to climb into my shop via an unlocked window.
For something closer to home, there isn't a crowdfunding site or torrent site anywhere that doesn't have rules that will get you banned if you break them. I think even Techdirt won't hesitate to swing the banhammer, if you spam links to child porn all over the comments.
In this specific instance, the idiots at Power.com were offered every warning and multiple opportunities to either follow the rules or walk away entirely unharmed. If they'd possessed even a single working brain-cell between them, there's every chance they might still be a going concern.
They chose to ignore those chances and continued to take the piss out of Facebook, instead. The outcome for Power.com is entirely on their own heads, 100%. Their stupidity is no excuse.
All that said, I agree with Mr Masnick about the CFAA: it's a terrible law that seems to escalate everything to DefCon 1 as soon as it's invoked - and from the judgment in this case, the sequence of events seems to have been warnings, followed by a C&D, followed by a multi-million dollar CFAA case.
It's a bit extreme, like watching someone use a three-tonne, rocket assisted, concrete sledgehammer, fired out of an exploding, radioactive shark, to kill one small, annoying bee.
While it's unclear if Power.com would have actually been smart enough to step away, I do think a less ridiculously over-powered law, the equivalent of a lesser trespassing law in the real world, would have served the situation - and the American public - a little bit better. :)
[ link to this | view in thread ]
The court got it right, it's not troubling at all
There are a few simple things at play here. First and foremost, before anything, is the concept that Facebook usernames and passwords were being shared with a third party. It is pretty much a TOS violation for the original user. It's also really bad for site security for Facebook, as there is a site they don't control that would have a fairly high number of their passwords. A hack of this third party site would generate harm to Facebook.
Most importantly, Facebook is not an open store. It's a close community that requires individuals, groups, and companies to sign up for their own accounts and to access the site in that manner. There is no inherent right to access the material of others, unless made public.
Facebook did nothing wrong. In fact, they did everything right and dotted every I (blocking IP Range) and crossed every T (issuing a cease and desist) in the process. Like it or not, they deserve the ruling.
Now, the CFAA law is a bitch, it's big and heavy and very powerful, and in this case is being used to squish an ant sized problem. It's easy to get distracted by all the legal machinery whirring and clicking to get this all done. If you focus on the issue (users giving access to third parties) then you might realize why the ruling went the way it did.
We should celebrate that the courts are getting it right, even with such a huge law to apply.
[ link to this | view in thread ]
Re:
Do you then also have the right to forbid the next-door neighbor that you don't like from looking in your direction or listening to the loud music coming from your house? Hey, I mean it's your party, right?
[ link to this | view in thread ]
dB
If you're going to correct someone, at least capitalize "dB" correctly. Mr. Bell thanks you...
[ link to this | view in thread ]
Re: dB
Or at least a tenth of him does.
[ link to this | view in thread ]
Re: Re:
Techdirt and other sites push this case as being:
... and many commenters here - yourself included, I think - are assuming that this is a fair description of the matter.
Unfortunately, if you read the actual judgment, which Mr Masnick helpfully links to at the top, you'll find it's not really what the case was about.
Power.com was a website designed to combine all of a user's social networks into one big network. Potentially, that's a great idea. Very useful. So far, so good.
The problem was that it did this in the most idiotic way possible.
Looking at the judgment and at previous reports, the first issue is that in order to use the "more useful" service, users had to give Power.com all of their usernames and passwords for all of their social networks.
All of which were then stored permanently on Power.com's own website.
I mean, what the fuck. That's not just bad design, that's utterly fucking retarded.
You don't need to be a security expert to realise that one data breach at Power.com would have resulted in all its users losing access to all of their social networks in one go - and very likely fuel a massive storm of spam and / or malware across all of those networks.
They could have stored the information locally, on users' computers, or they could have used Facebook Connect - you know, those little widgets on dozens of sites that allow you to share stuff, if you want to - but they just didn't want to.
The second issue was the spam. If users were unwise enough to share Power.com with friends, it would create and send emails to the users' friends and contacts - and the 'reply' field in the emails claimed the emails were from "The Facebook Team", rather than from Power.com or from the user.
Presumably, Facebook had to deal with most of the spam complaints, rather than Power.com.
I'm not certain about the point, but it seems like the only way for FB users to stop a power.com user from spamming them would be for them to unfriend and block the unwise users, hurting FB's network.
FB blocking the site seems like a very reasonable response to that.
In the latest judgment, an earlier finding of liability for being spammers has been overturned, but only on a legal technicality. There's no real doubt they were guilty as hell, by any common definition.
Facebook apparently reached for the nuclear option only after a month of correspondence, trying to get them to stop. The most they could get out of Power.com before the lawsuit was basically "yeah, we might switch to Facebook Connect in a month, maybe, if we feel like it".
I'm no big fan of Facebook, but for fuck's sake. You can't intentionally create this many risks and problems for a big company and not expect to get kicked around for it.
I'm all in favour of the little guy standing up for fair use, but this really doesn't seem to be one of those kinds of cases.
Quite frankly, given all the above, I think Power.com got off lightly.
[ link to this | view in thread ]
Employers beware
[ link to this | view in thread ]
Re: Re: Re:
Says you, huh?
"Looking at the judgment and at previous reports, the first issue is that in order to use the 'more useful' service, users had to give Power.com all of their usernames and passwords for all of their social networks."
Okey dokey, let's take a look at that then, shall we? Was that against FB's terms of service? If not, then what's the problem? If so, then why weren't the *users* who shared their passwords prosecuted? They were the ones, after all, who supposedly agreed to the terms in the first place. Care to answer that one?
[ link to this | view in thread ]
Re: Re: Re: Re:
In any event, the T&C's ceased to matter, once Facebook kicked and banned Power.com: a revoked agreement has no force.
FB has no problem with users doing stupid things with their private passwords - users do that sort of thing all the time, on every service. Dealing with that is an expected and normal cost of online business.
FB had - and no doubt continues to have - problems with commercial companies who damage part of the social network, put the network's security at large-scale risk, evade network spam-controls and leave FB to pick up the complaints for said spam.
FB has a bigger problem with idiot companies who refuse to stop abusing the service, even after those idiot companies have admitted there's issues.
It has a bigger problem again, with idiot companies who do an end-run around FB's IP blocks - and an even bigger problem yet again, when those idiots shout their mouths off in the press about how they think they're protected by fair use and can do what they like.
When you've got two companies involved in delicate negotiations, having the chief idiot go to the New York Times and say the equivalent of "fuck you, Facebook, we got in by the back window and y'all can't do nothing" is not a smart move.
As far as corporate executives and lawyers are concerned, them's fighting words. Even Power.com must have known that.
Bear in mind that FB had nothing like this much of an issue with other network aggregators and FB-modifying addons, all doing the same job, that existed before, during and after Power.com's time.
Even when FB gets stroppy - and it still does, from time to time, with some third-parties - it typically asks for changes before breaking out banhammers. Actual legal action seems to be extremely rare.
Say whatever else you like about Facebook - and we could all call them all kinds of bastard over privacy issues - they don't appear to be prosecution-happy by any convincing measure.
Power.com brought this on themselves.
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
Strange, my little FB apologist friend, I don't remember asking you to. Just checked my comment. Nope, definitely didn't. Are you delusional?
Still, you didn't really answer the question. But then I didn't really expect you to either. Yeah, you went off on a tirade basically defending using selective law enforcement to punish people who annoy large corporations, but that's about it. You make me sick.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re:
... And with that, the most obvious troll on the thread becomes very obvious indeed.
Can I give you some free advice? If you're going to troll a site like Techdirt, you might want to be a bit more savvy than that.
I've never intentionally trolled anyone else myself, but I do like to know how it works, so I can generally avoid getting sucked into anyone else's dramas. You might find some observations helpful...
• Create and Embrace the Right Identity.
The best kind of traitors are the ones who stab you in the back, when you least expect it - not the ones nobody ever turns their backs upon. Put some effort into it. Create and articulate a name and personality that suggests a genuinely interested commenter, not just some random clown who can't even be bothered to register.
I mean, who's 'Lesath' supposed to be? You're either named after the star in the stinger of the Scorpio constellation, or you're named after the obscure Death-Eater in the Harry Potter books. Neither one suggests anything other than a troll.
Even if I didn't know the name up front, I have Google, same as everyone else. You might as well have called yourself Trolly McTrollface, for all the good it's done you.
• Know Your Website and Your Targets.
On a younger site full of twelve-year-olds, your tactics might work quite well, at least for a while. On an ancient site like Techdirt, especially with an old hand like me, it all falls apart straight away.
You'll rarely get much drama out of trolling someone who knows what you are the minute you click 'submit'. The only reason you got any reply at all is because I've been in a good mood for the last two days and I'm feeling both wordsome and magnanimous. Normally, I'd have ignored you completely.
• Know Your Topic.
Don't just skim the article, read it properly and - more importantly - look into the links given and the background from elsewhere, so you can engage with people in a convincing way.
Mr Masnick tells the honest truth only about half the time in his articles. The rest of the time, as here, he'll selectively omit or misrepresent facts to shape the story into the narrative he wants to sell.
(I don't condemn him for that, by the way - this is how professional American journalism seems to be done, as tragic as it is.)
Leaving aside the fact that this is a six-year-old, largely done and dusted case, there's huge potential for drama in that dishonesty alone. It's wasted potential, because you didn't know what you were writing about, beyond Mr Masnick's own words.
• Use the Right Tactics.
It's not 2006 anymore: for the most part, the old strategies just won't cut it, unless you're dealing with preteens or one of the more ridiculous kinds of zealot.
Cheap tricks like cognitive dissonance don't hold up anymore: too many people know exactly what they're seeing, when they see it - and will write you off as a troll, right then and there, no more drama.
As for you panicking and flinging insults around, like the Messiah in Preacher flinging his own shit through the bars of his cage... no. Just no.
The best approach seems to be to try to present yourself as a protagonist in an ensemble, one who simply disagrees with another poster, rather than an endless antagonist.
Look at Whatever, the pensionable troll below. He almost has the right idea about identity, but he does nothing except disagree. Does anyone take that seriously? Of course not. No-one ever cares what he has to say. He's tedious and incapable of invoking any real interest in his words.
There's no drama in being universally ignored.
Perhaps you can do better.
That about covers everything, I think. I'll let you have the last word, because you're a troll and, well, trolls gonna troll, as one might say. Do think about what I've said, though, Lesath.
Happy trails, sonny. :)
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in thread ]
Re: The court got it right, it's not troubling at all
You might perhaps be able to ding the third parties for having solicited the users to commit a violation, but not for committing the violation themselves.
[ link to this | view in thread ]
Re:
A better analogy and question is, can one "trespass" an ATM? I don't mean physically breaking into it, or even hacking it. I'm talking about using an ATM (one not on the bank's property, let's say for purposes of argument) as it's intended to be used -- is there any real sense in which you can be said to be trespassing it? Even if you had previously robbed an affiliated bank and had been barred from their property, is swiping a debit card in one of the ATMs a trespass?
[ link to this | view in thread ]