As Facebook turned ten years old last month, a legal case it brought against Power Ventures almost six years ago demonstrates the continued hurdles facing developers who seek to empower users to interact with closed services like Facebook in new and creative ways. In a new amicus brief, we caution the Ninth Circuit Court of Appeals not to extend crippling civil and criminal liability to services that provide competing or follow-on innovation.
Power Ventures made a web-based tool that allowed users to log into all of their social networking accounts and aggregate messages, friend lists, and other data so they could see all their information in one place. To promote its service, it offered a $100 reward to users who could invite, through the Facebook Events system, a certain number of friends to sign up for Power's service. Because of the way Facebook designed its Events system, the messages appeared to come from Facebook directly, although the messages clearly identified the individual user who sent the invitation, as well as Power's service. Facebook eventually blocked one of several IP addresses Power used to connect to Facebook, and Power eventually stopped allowing Facebook users to use Power's service.
In 2008, Facebook sued Power, claiming it had violated the Computer Fraud and Abuse Act (CFAA) and California Penal Code § 502 when it allowed users to access Facebook data after it blocked a specific IP address Power was using to connect to Facebook data. Facebook also claimed that Power violated the CAN-SPAM Act, the federal law that prohibits sending commercial emails with materially misleading information, when Power encouraged users to invite their friends to try Power. We've filed a number of amicus briefs in this case, arguing that Facebook's theories of liability were wrong and dangerous, and that users have the right to choose how they access their data.
While the district court initially agreed with us that Facebook could not prove a CFAA violation by merely showing that Power violated Facebook's terms of service, it nonetheless ruled in 2012 that Power was liable to Facebook under the CFAA and CAN-SPAM and, in 2013, ordered Power to pay more than $3 million in damages to Facebook, a significant amount that was remarkably less than the staggering $18 million Facebook initially sought. Power is now bankrupt and the case is before the Ninth Circuit, where we again filed an amicus brief in support of Power.
On the CFAA claims, our brief explains that working around an IP address block is a common, non-criminal act in most instances. The CFAA is intended to go after hackers who circumvent technical restrictions in order to access data they are not otherwise entitled to, not users who utilize a third-party service to access their own data. Plus, circumventing a technical block that merely enforces Facebook's terms of service is not a violation of the CFAA. The only way to determine whether Power was violating the CFAA was to look at Power's motivation for working around Facebook's IP block. Here, the facts were in dispute: Facebook claimed Power was trying to circumvent the IP block, but Power claimed its business practice was to use multiple IP addresses and that, when one was blocked, it stopped trying to access Facebook. But the court never resolved this factual dispute, instead finding that using technology that merely has the capability to circumvent a technical restriction—regardless of what the technology actually did circumvent or of the user's motivation for trying to circumvent—is enough to violate the CFAA. This is a dangerous idea, criminalizing innovations like Power's service and turning Facebook users who used Power to access their own data into criminals.
Facebook's CAN-SPAM claims are just as dangerous. Congress passed CAN-SPAM to go after big-time spammers who hide their identities in order to bombard users with malware and phishing schemes. Captive email systems like Facebook's, where a user has no control over the header information of the message, were not contemplated in CAN-SPAM, which was signed into law on December 16, 2003—two months before Facebook was even launched. Plus, the messages weren't misleading, since a Facebook user who got an invitation knew all three parties to the communication: the friend who sent the invite, Facebook, which facilitated the message, and Power, whose service was being promoted. But by finding Power liable, the lower court puts all Facebook users who use Events at unreasonable legal risk. For example, if a Facebook user is in a band and, using Facebook Events, invites friends to a local show with a small cover charge, that user has arguably sent a "misleading" commercial message under CAN-SPAM because, even though the friend sent the message, the header information will show the message came from Facebook. That user could be guilty of a crime and liable for a significant financial penalty for every message sent. This is an absurd interpretation of the law that criminalizes routine Internet behavior.
Facebook's claims here are dangerous, threatening to put the power of law—including serious criminal penalties—behind Facebook and other companies' anti-competitive decisions to thwart consumer choice and innovation that doesn't meet their approval. The information put into a social networking site belongs to the user, who should be able to access, export, and aggregate the data as they please. Hopefully the Ninth Circuit will understand and appreciate this, reversing a lower court decision that equates consumer choice with legal risk.