In a potentially troublesome decision, a federal district court has found that a start-up violated anti-spam and computer crime laws by creating and marketing a browser to let users view their social networking accounts in one place. The case demonstrates the difficulties facing those who seek to empower users to interact with closed services like Facebook in new and innovative ways.
In Facebook v. Power Ventures, Facebook sued a small company that created a tool for users to access and aggregate their personal information across social networking sites. In 2010, the court ruled that Power didn't access Facebook "without permission" under California computer crime law when it violated Facebook's terms of use, agreeing with arguments we raised in an amicus brief (pdf).
Unfortunately, the latest round of the case has taken a downward turn in ways that could have serious implications for other innovators and users.
First, the court gave a tremendous cudgel to Facebook against commercial users who displease it when it decided that Power violated the federal CAN-SPAM Act by sending "misleading" messages. These messages encouraged users to send Facebook "Event" invitations to their friends to promote Power's service. As EFF pointed out in an amicus brief (pdf), though, the allegedly "misleading" elements of the message are supplied by Facebook itself—and can't be changed by users. This means that any user who sends a commercial message on Facebook is technically in violation of the law, since it appears to come from Facebook. The CAN-SPAM Act, passed in 2003, simply doesn't contemplate closed systems where the service provider controls many elements of a message.
To make matters worse, the CAN-SPAM Act only allows service providers to bring lawsuits, and it lets them seek crippling damages. Here, Facebook sought over $18 million. This is a clear example of a law vulnerable to misuse because technology has changed since it was written, and it wasn't even written a decade ago. EFF will be watching how Facebook and other services with closed messaging systems use CAN-SPAM in the future.
Second, the court found that Power violated state and federal computer crime laws merely by designing its tool to connect to Facebook using multiple IP addresses, which preemptively thwarted Facebook's efforts to keep users from accessing their Facebook accounts though the Power website. This precedent is especially troubling because these laws have both civil and criminal penalties. EFF is concerned that this precedent could be used in the future to criminalize the creation of tools that are capable of bypassing technological barriers, even if they are never actually used to do so, forcing innovators to anticipate every technical block that any interoperable system or program might possibly impose. This is an unworkable rule.
Facebook's case against Power is dangerous as a matter of policy, threatening to put the power of law—including serious criminal penalties—behind Facebook's anti-competitive decision to thwart consumer choice and innovation that doesn't meet its approval. It doesn't bode well for the future and should encourage all of us to think more seriously about the collateral problems created by closed networks.