Appeals Court: It Violates CFAA For Service To Access Facebook On Behalf Of Users, Because Facebook Sent Cease & Desist

from the hmm dept

Another week, another CFAA (Computer Fraud & Abuse Act) ruling out of the 9th Circuit Appeals Court. This time it's the infamous Facebook v. Power.com case that's been going on since 2008. When we first came across the case, in early 2009, we insisted that it made no sense. Power.com was trying to set itself up as a sort of "meta" social network, or perhaps a social network management system, where users could have a dashboard for all their different social networks. Facebook didn't like this and sued over a long list of things, including copyright and trademark infringement, unlawful competition, violation of anti-spam laws... and the CFAA. Most of the claims went nowhere, but the CFAA and anti-spam ones lived on (because Power.com had systems for sending emails to users). The copyright claims were troubling, but the CFAA claims were the ones that concerned us the most.

Of course, it's taken many, many years for the case to make its way through the courts, and Power.com ceased even existing about five years ago. And the latest ruling is not just a nail in the coffin, but a potentially problematic CFAA ruling. While the court tosses out the CAN SPAM arguments, it does say that Power's actions were a CFAA violation. It's not as bad as it could have been, because the court doesn't say that merely violating Facebook's terms of service violates the CFAA, but instead narrows it slightly. It says that because Facebook sent a cease and desist letter to Power, from that point on it was on notice that it was not authorized to access Facebook's servers. It was the move to continue getting Facebook user data that sealed the CFAA claim.

Here, initially, Power users arguably gave Power permission to use Facebook’s computers to disseminate messages. Power reasonably could have thought that consent from Facebook users to share the promotion was permission for Power to access Facebook’s computers. In clicking the “Yes, I do!” button, Power users took action akin to allowing a friend to use a computer or to log on to an e-mail account. Because Power had at least arguable permission to access Facebook’s computers, it did not initially access Facebook’s computers “without authorization” within the meaning of the CFAA.

But Facebook expressly rescinded that permission when Facebook issued its written cease and desist letter to Power on December 1, 2008. Facebook’s cease and desist letter informed Power that it had violated Facebook’s terms of use and demanded that Power stop soliciting Facebook users’ information, using Facebook content, or otherwise interacting with Facebook through automated scripts. Facebook then imposed IP blocks in an effort to prevent Power’s continued access.

The record shows unequivocally that Power knew that it no longer had authorization to access Facebook’s computers, but continued to do so anyway.

This is potentially a limited ruling, since there are a lot of specifics here. But it does still seem troubling. If I, as a user, wish to grant a service like Power access to my data, why can't I do so? The court insists that even if it's your information and you want to allow a service like Power to do so, Facebook has the final say -- because of something to do with banks and guns. Really.

The consent that Power had received from Facebook users was not sufficient to grant continuing authorization to access Facebook’s computers after Facebook’s express revocation of permission. An analogy from the physical world may help to illustrate why this is so. Suppose that a person wants to borrow a friend’s jewelry that is held in a safe deposit box at a bank. The friend gives permission for the person to access the safe deposit box and lends him a key. Upon receiving the key, though, the person decides to visit the bank while carrying a shotgun. The bank ejects the person from its premises and bans his reentry. The gun-toting jewelry borrower could not then reenter the bank, claiming that access to the safe deposit box gave him authority to stride about the bank’s property while armed. In other words, to access the safe deposit box, the person needs permission both from his friend (who controls access to the safe) and from the bank (which controls access to its premises). Similarly, for Power to continue its campaign using Facebook’s computers, it needed authorization both from individual Facebook users (who controlled their data and personal pages) and from Facebook (which stored this data on its physical servers). Permission from the users alone was not sufficient to constitute authorization after Facebook issued the cease and desist letter.

The analogy seems a bit stretched, though I do get it. These are Facebook's servers -- but it still does seem troubling that Facebook is basically using the CFAA to block what was really just a service trying to make Facebook more useful to users. This wasn't what one would normally think of as "hacking" in any real sense, which is what the CFAA was designed to respond to. And, as we've seen with the CFAA, this ruling seems wide open to abuse by companies. Furthermore, I'm uncomfortable with an argument that is basically the same argument as "if we tell you not to access this open web server, then it's like trespassing." Because it's not like that at all. An open web server is designed to accept traffic. Someone merely telling you that you can't access their website -- even though it's easy to do so technologically -- doesn't seem like it should then be seen as "unauthorized access" in a manner that makes you liable to computer hacking laws. That's a recipe for dangerous results.

At what point is access revoked? Does it require a full cease and desist letter? Or what if I add a drop-down telling visitors from certain IP addresses they're not welcome? What if I just type here that visitors from the state of New York are no longer allowed to visit Techdirt? If they continue to do so, is that a potential CFAA violation in the making? The same court has already ruled that a mere terms of service violation is not a CFAA violation but where's the line between a terms of service violation and a cease-and-desist letter? Or me just telling you to stop visiting my website? It seems wide open to abuse.

The CFAA remains a mess of a law, and rulings like these are likely only going to lead to more litigation around borderline cases. And that's bad. It's going to be bad for users and it's bad for innovation. It's been particularly disappointing to see companies like Facebook and Craigslist coming down on the wrong side of CFAA litigation -- in both cases going after companies who were not "hacking" in any traditional sense, but were rather looking to add useful layers of services on top of existing services. The law is being abused by companies that don't want others to innovate, and that's unfortunate and bad for innovation.

Filed Under: 9th circuit, cease and desist, cfaa, terms of service
Companies: facebook, power.com

Facebook Apparently Won't Let Users Talk About Facebook's Lawsuit With Power.com

from the how-do-you-like-your-free-speech dept

Yet another reminder of why relying on Facebook for conversations or discussions is highly problematic. We've noted in the past that Facebook doesn't allow any links to The Pirate Bay, even if the links are perfectly legal. But it appears to also be blocking mentions of its ongoing lawsuit with Power.com, which we were discussing just last week. Eric Goldman's blog also had a blog post about the ruling (well worth reading, by the way). Goldman regularly mentions his blog posts on Twitter and has his Twitter account set to automatically post his updates to his Facebook account as well. He noticed, oddly, that the tweet about the Power.com case somehow did not make it to his Facebook account, and tried to post it manually... and was blocked. Apparently, Facebook ridiculously overaggressive "spam filters" block any and all mentions of Power.com.

After a little more experimentation, I discovered that every instance of the character string "power.com" is blocked in Facebook. Therefore, every time I put "power.com" into my status reports or in comments to those status reports--even if it's the only content in the post/comment--I get the "blocked content" message. However, it's easily avoided; I can post "power . com" (notice the spaces before and after the period) just fine. Basically, Facebook is using a very dumb word filter.

While Facebook didn't respond to Goldman's initial claim that this content was flagged in error, he reached out to press contacts there, who tried to defend the blanket "dumb word filter ban," by saying that Power.com had done some spammy abusive things with user accounts. While that may be true, that's no reason to block any and all mentions of Power.com especially when the company is currently involved in an important lawsuit with Facebook. Even if there are legitimate reasons for the "dumb word filter," it makes Facebook look petty and as if it's trying to deny all discussion of the important legal issues involved in the lawsuit.

Goldman points out that one aspect of the Power.com lawsuit is that the company is claiming Facebook is violating antitrust law. Given that, it seems like it might not look good for Facebook to (clumsily) block all conversations about Power.com. That would appear to play directly into Power.com's claims of anti-competitive behavior.

Filed Under: discussions, social networks, spam
Companies: facebook, power.com

Good News: Violating Terms Of Service Is Not Hacking; Bad News: Circumventing Weak Tech Blocks Might Be

from the some-good,-some-bad dept

We've been covering the ridiculous lawsuit that Facebook has been pursuing against Power.com for a while now, specifically worrying about how, if Facebook prevailed, it could mean that violating an online terms of service in accessing your own data, could make you a criminal. That outcome seemed ridiculous, but the way Facebook read federal computer fraud statutes, it was possible. Thankfully, the court has shot down that argument.

But it's not all good news. In the same ruling, the court did say that Power.com (an aggregator of data from various social networks) still may have violated computer hacking laws by changing its IP address. That's because Facebook had blocked Power.com's old IP address to try to block the site from accessing user account data. As the EFF explains:

In other words, it may be a crime to circumvent technological barriers imposed by a website, even if those measures are taken only to enforce the terms of service through code. There's nothing inherently wrong or unlawful about avoiding IP address blocking, and there are valid reasons why someone might choose to do so, including to sidestep anticompetitive behavior by other Internet services. As long as an end user is authorized to access a computer and the way she chooses doesn't cause harm, she should be able to access the computer any way she likes without committing a crime.

Of course, given the way the DMCA handles circumvention for copyright (it's not legal even if for legal uses), perhaps there's some precedent for this kind of ridiculous, totally counter-intuitive outcome.

Filed Under: circumvention, fraud, hacking, terms of service
Companies: facebook, power.com

Could Accessing Your Own Data On Facebook Make You Criminally Liable?

from the hopefully-a-court-says-otherwise dept

We've been following the rather bizarre and dangerous lawsuit filed by Facebook against Power.com, an online service that tries to let users aggregate various social networking activity into a single service. All Power.com does is let a willing user have Power.com's tools log into Facebook and reuse/reformat the data within its own framework. From a user's perspective, this could be quite useful. From Facebook's perspective this is both a violation of copyright law and a violation of computer hacking laws. Why? Because Facebook says so. That is, it says so in its terms of service, and it's arguing that in ignoring the terms of service, Power.com is criminally hacking.

The EFF has filed a new amici brief in the case pointing out the logical problems with this argument. It's saying that if a user chooses to access his or her own data that is stored in Facebook, using a tool of his or her own choice... that can open themselves up to criminal liability, just because it violates some random term in Facebook's terms of service. That clearly seems to go way beyond the purpose of anti-computer hacking laws:

This is not an esoteric business issue, because the legal theories Facebook is pushing forward would make it a crime not to comply with terms of service. People have already faced criminal charges for violating a site's terms of use policy. For example, in United States v. Lori Drew, a woman was charged with violating the federal computer crime law for creating a false profile that was used to communicate inappropriately with a teenager who eventually committed suicide. EFF filed an amicus brief in that case arguing that terms of service do not define criminal behavior, and the charges were eventually dismissed. We also defended Boston College computer science student Riccardo Calixte, whose computers, cellphone and iPod were seized by local police who claimed that he violated criminal law by giving a fake name on his Yahoo account profile. A justice of the Massachusetts Supreme Judicial Court ordered police to return the property after finding there was no probable cause to search the room in the first place.

Using criminal law to enforce private website operators' terms of use puts immense coercive power behind measures that may be contrary to the interests of consumers and the public. EFF believes that users have the right to choose how they access their own data, and that services like Power's give users more options. So long as the add-on service does not access off-limits information and is not harmful to server functionality, authorized users who choose add-on technologies like Power's commit no crime. Frighteningly, under Facebook's theory, millions of Californians who disregard or don't read terms of service on the websites they visit would risk criminal liability.

Filed Under: hacking, terms of service
Companies: facebook, power.com

Facebook Abusing Computer Crime Law To Block Useful Service

from the it's-not-hacking dept

We noted recently that the courts (and plaintiffs in lawsuits) have been stretching computer hacking laws in dangerous ways. The laws that were clearly intended to cover situations of malicious hackers breaking into a computer system they have no right to be in are being twisted around, such that contractual language is being used to make all sorts of access "unauthorized" under the terms of the law. For example, we noted a case where using an employer's computer to access information for personal use... could be seen as "unauthorized access" and, thus, criminal computer hacking.

Last year, we wrote about a bizarre lawsuit where Facebook sued Power.com, a website that tried to aggregate various social networks into a single interface. That could be pretty useful. Facebook didn't like it and sued. But just because Facebook doesn't like something, it doesn't make it illegal. What if users want to access Facebook that way? Facebook tossed out a variety of legal theories, including the idea that this was criminal hacking, because it was unauthorized access. How is it unauthorized? Well, here Facebook got creative. It has, hidden within its terms of service the note that accessing Facebook through "automatic means" is forbidden. Facebook says that Power.com's aggregator is "automatic means" (which seems questionable), and thus accessing Facebook via Power.com is no longer authorized. Since the access is not authorized, then it's... unauthorized access, aka hacking, and a crime under California's computer crime statute.

The EFF has now filed an amicus brief in the case, pointing out that this would be a ridiculous stretch of California's computer crime law:

"California's computer crime law is aimed at penalizing computer trespassers," said EFF Civil Liberties Director Jennifer Granick. "Users who choose to give their usernames and passwords to aggregators like Power Ventures are not trespassing. Under Facebook's theory, millions of Californians who disregard or don't read terms of service on the websites they visit could face criminal liability. Also, any Internet company could use this argument as a hammer to prevent its users from easily leaving the service as well as to shut down innovators and competitors."

Even the simple use of the automatic login feature of most browsers would constitute a violation under Facebook's theory, since those services are "automatic means" for logging in. But the risk for users is even broader. If any violation of terms of use is criminal, users who shave a few years off their age in their profile, claim to be single when they are married, or change jobs or addresses without updating Facebook right away would also have violated the criminal law.

Hopefully, the court agrees...

Filed Under: computer crime, hacking, unauthorized access
Companies: facebook, power.com

Trying To Understand: Facebook's Lawsuit Against Power.com Makes No Sense

from the help-me-out-here... dept

Facebook has apparently sued social networking aggregator Power.com for a variety of things, including copyright and trademark infringement, unlawful competition and violation of the computer fraud and abuse act. I'm having trouble seeing how Power.com violates any of these things. Power.com, like plenty of other aggregator services, lets you bring together all your different social networking profiles in one spot. That seems like it could be valuable if you use a lot of those services. It doesn't do anything fraudulently, and it does not appear to misrepresent that it is a separate service. Users have to decide whether it's worth providing their username and password to Power.com, but it's not as if Power.com tricks anyone into doing so or does so in a misleading way. There's no confusion, so it's difficult to see what the trademark problem is about. It seems like a pretty big stretch for Facebook to also claim that showing the content from a user's profile is copyright infringement as well. Computer fraud? Please. Unlawful competition? Again, it may be (slightly) competitive, but it appears to actually improve the value of Facebook, rather than diminish it.

This is a pretty weak response from Facebook. Basically, it looks like Facebook trying to exert undue control over what other websites and services can do, and it's not clear that it has any real legal basis for doing so. It's a shame that a company like Facebook is becoming a legal bully at such a young age. I would have expected better. In the end, though, if Facebook keeps up actions like this, it will only hasten the shift to other social networks that don't try to limit what their users can do. Facebook might want to take a lesson from the eventual flop of Friendster after that social network was accused of being too controlling.

Filed Under: aggregator, copyright, fraud, trademark, unlawful competition
Companies: facebook, power.com