from the why-is-this-a-problem? dept
For years we've talked about the infamous Facebook lawsuit against Power.com. As you may recall, this was a key CFAA case against a site, Power.com, that was trying to create a social media aggregator dashboard -- in which you could log in through a single interface, and access content from and post to a variety of different social media platforms. Facebook alleged that this was a form of hacking -- claiming it was "unauthorized access" to Facebook. This was even though there was no actual unauthorized access. Individual users gave Power their login credentials, so everything was completely authorized. After years of winding through the courts, unfortunately, it was decided that this was a violation of the CFAA, mainly because Facebook sent a cease & desist letter, and somehow going against that now made it "unauthorized." In my mind, this is one of the biggest reasons why Facebook has much less competition today than it otherwise might -- because it used the CFAA and cases against Power.com to create a "you can check in, but you can't check out" kind of data arrangement. Things like Power.com were an empowering system that might have made people much less reliant on Facebook -- but it was killed.
In an age now where people are increasingly talking about the importance of data portability and interoperability, something like Power.com would be a useful tool.
So, it's interesting (and a little disturbing) to see that Facebook's new corporate identity, Meta, has now sued another company for data scraping. It is notable that in this case, the defendant, Social Data Trading Ltd., is a lot less sympathetic a character than Power.com was. And -- more importantly -- Facebook is not using the CFAA this time (other cases have suggested that what Facebook got away with in the Power case it would no longer be able to get away with under that law). However, it is trying to use California's state law equivalent of the CFAA. And no matter how you look at it, it's still at least a little worrisome that Facebook (ok, whatever, Meta) believes it has a legal right to stop scraping of otherwise public data.
So first, Social Data Trading is not sympathetic. It appears to be a sketchy service in its own right, scraping data on social media users to sell "in-depth insights into the demographics and psychographics of influencers and their audiences." Meta put in place some technical blocks to try to stop the company from scraping (which seems like fair game), but SDT would then just register new domains and continue scraping. Facebook had apparently tried to stop a predecessor company to Social Data Trading called "Deep.Social," though the complaint seems to imply that SDT is just a reworking of Deep.Social.
The more difficult issue here is that part of the way that SDT did its scraping was by creating fake accounts on Facebook and Instagram, and then using those fake accounts to scrape the data. And that does bring things into a legally more complex area, but also gives Meta the route around to go after these guys without using the CFAA.
At issue is that when you create one of those accounts... you agree to the terms of service, and those terms say you can't use the site for "collecting information in an automated way." Thus, the core argument here is that it's a breach of contract case, and that the SDT folks agreed to the terms and then broke them by using their fake accounts to scrape.
Since January 2019, Defendant created and used multiple Instagram accounts and agreed to Instagram’s Terms. Defendant agreed to Instagram's Terms no later than January 30, 2019.
In addition, since September 2020, Defendant has used thousands of Instagram accounts to scrape Instagram.
Defendant breached the Terms by using unauthorized automated means to access Instagram and collect data from Meta computers without permission, including after Meta revoked Defendant’s access to its platform.
Of course, it seems to me that if this is a breach, the remedy should simply be removal of service, not anything more. But Meta claims damages "in excess of $75,000" (the minimum needed to get into federal court).
The second claim in the lawsuit seems... a lot sketchier. It claims violations of California Penal Code Section 502, which is (more or less) California's equivalent to the CFAA. While, apparently, Meta's lawyers know enough to not go to the well again on the federal CFAA, the use of the state equivalent is still quite concerning.
Beginning no later than June 2021, Defendant, without permission, knowingly accessed and otherwise used Meta’s computers, computer system, and computer network in order to (a) devise or execute any scheme or artifice to defraud and deceive, and (b) to wrongfully obtain money, property, or data, in violation of California Penal Code § 502(c)(1).
Beginning no later than June 2021, Defendant, without permission, knowingly accessed and took, copied, and made use of data from Meta’s computers, computer system, and computer network in violation of California Penal Code § 502(c)(2).
Beginning no later than June 2021, Defendant knowingly and without permission used or caused to be used Meta’s computer services in violation of California Penal Code § 502(c)(3).
Since June 2021, Defendant knowingly and without permission accessed and caused to be accessed Meta’s computers, computer systems, and/or computer networks in violation of California Penal Code § 502(c)(7). Defendant accessed Meta’s computer network after Meta disabled its Instagram accounts, blocked its domain, and sent correspondence to Defendant revoking its access.
Because Meta suffered damages and losses as a result of Defendant’s actions and continues to suffer damages and losses as a result of Defendant’s actions, Meta is entitled to compensatory damages in an amount to be determined at trial, attorney fees, any other amount of damages proven at trial, and injunctive relief under California Penal Code § 502(e)(1) and (2).
Because Defendant willfully violated California Penal Code § 502, and there is clear and convincing evidence that Defendant committed “fraud” as defined by section 3294 of the Civil Code, Meta is entitled to punitive and exemplary damages under California Penal Code § 502(e)(4).
All of this should be concerning to folks. It basically says that if you get kicked off a site and then create a new account... you could face serious consequences (and while this is a civil suit, Section 502 violations can lead to criminal liability as well). This should be cause for alarm. Yes, even if the defendant is a sketchy data operation, and even if Meta really didn't want them scraping their site, to turn around and use what is, ostensibly, a computer "hacking" law against them for setting up new accounts seems incredibly dangerous and could lead to very bad consequences.
Finally there's an "unjust enrichment" claim which also seems a bit silly -- especially for a company like Facebook, which makes so much of its money by collecting data in surreptitious ways, to argue that another firm doing that back to Facebook is somehow "unjustly" enriching itself is pretty rich.
Still, it's claim two that should raise some eyebrows, and I wish that Facebook recognized what a dangerous game it's playing in trying to argue that signing up for a new account after you've been banned somehow violates an anti-hacking law.