Facebook to ‘millions of Internet users': Relax, you’re not engaged in computer fraud

September 20, 2016

(Reuters) – The Electronic Frontier Foundation and the American Civil Liberties Union envisioned disaster in an Aug. 19 amicus brief asking the 9th U.S. Circuit Court of Appeals to rehear Facebook’s Computer Fraud and Abuse case against the social networking company Power Ventures. Unless the court acts en banc to clarify the boundaries of the computer fraud statute, EFF and the ACLU warned, a three-judge panel’s ruling for Facebook could “make potential criminals out of millions of ordinary Americans,” for ordinary, innocuous actions like accessing a partner’s account to pay bills or printing out an airline boarding pass for a family member.

That’s a pretty frightening vision. Facebook’s case against Power Ventures, as I’ll explain, involved just civil liability, but the CFAA is also a criminal law. And according to EFF and the ACLU,a three-judge 9th Circuit panel’s decision in the Facebook case could make it a crime to access someone else’s online account, even if you have permission from the account holder.

Facebook responded last week to EFF and the ACLU (and Power Ventures, and, as you would expect, said the amici’s vision of online carnage is a mirage. “The typical couple sharing an online bank account, or an academic researcher studying an internet platform,” isn’t at risk from the 9th Circuit decision, according to Facebook. The panel’s ruling was limited to “the narrow and stark facts of this case,” the company said. Only egregious computer trespassers are at risk, according to Facebook. Ordinary folk have nothing to worry about.

So what are the facts? Ten years ago, Power Ventures created a service that would allow social network users to view their different accounts at a single Power-hosted website. Power.com customers provided the site with log in credentials to Facebook and other social media accounts. Power.com used the information to access and aggregate its customers’ accounts at other sites.

Facebook detected that Power.com was accessing its system and, according to Facebook, bombarding the social media giant’s customers with ads. Facebook demanded that Power.com stay off of Facebook. When negotiations failed, Facebook built technical barriers to block Power.com and sent the company a cease-and-desist letter. Ultimately, after Power.com devised a way to continue accessing Facebook through valid customer log in credentials, Facebook sued in federal court in San Francisco, where it won about $3 million in statutory damages and a permanent injunction against Power Ventures.

The 9th Circuit panel that heard Power Ventures’ appeal last December – Judges Susan Graber, Kim Wardlaw and Mary Murguia – concluded in an opinion in July that Power Ventures had violated the CFAA because it continued to access Facebook’s system after Facebook expressly revoked its permission to do so. Judge Graber’s opinion agreed with Power Ventures that a mere violation of a website’s terms of service is not enough to trigger liability under the CFAA. But the 9th Circuit panel said a defendant runs afoul under the law “when he or she has no permission to access a computer or when such permission has been revoked explicitly,” the opinion said. “Once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability.”

A week before Graber and her colleagues on the Facebook panel issued their ruling in the Power Ventures case, a different three-judge panel at the 9th Circuit upheld the CFAA conviction of executive recruiter David Nosal for stealing information from his former employer, Korn/Ferry, via a confederate who still worked at the company and had legitimate access to the employer’s system. The Nosal panel said only Korn/Ferry had the authority to allow Nosal access.

In their briefs calling for the 9th Circuit to rehear the Power Ventures case, Power and its amici said the Nosal and Power decisions conflicted not only with 9th Circuit precedent, including a previous appellate decision in Nosal’s case, but also with one another. The Power Ventures panel, they argued, held that Power.com was permitted to use log in credentials supplied by Facebook members until Facebook revoked its access; by contrast, the briefs said, the Nosal panel held the defendant wasn’t allowed to tap into Korn/Ferry’s system through a legitimate user. And neither Power Ventures nor Nosal, the briefs argued, was the sort of outside hacker Congress had in mind when it drafted the CFAA.

“It is difficult to articulate a standard from these two cases regarding when, and under what circumstances, an individual with access to a computer may grant access to a third party against the wishes of the computer owner,” the EFF and ACLU brief said. The Power panel’s assurance that CFAA liability does not arise from simply violating a site’s terms of service, the brief said, actually “creates more ambiguity rather than less around what constitutes lack of authorization, and why a cease and desist letter should be treated differently from other forms of written policy restrictions.”

Facebook’s new brief said the other side is trying to complicate a simple, straightforward application of the computer fraud law to an egregious online trespasser. Instead of hypotheticals about online account sharing, Facebook suggested comparing Power Ventures to a real-life rule-breaker. “When a restaurant’s rules say ‘no shirt, no shoes, no service,’ a patron does not commit trespass just by entering barefoot,” the site’s lawyers at Orrick Herrington & Sutcliffe argued. “But if, after being told to leave and not return, he sneaks back in through a window, he has trespassed, even if the reason he was banished is that he violated the proprietor’s rules. The panel recognized that the same is true in the digital realm.”

The CFAA has been notoriously hard for the courts to interpret. I’ve previously described a split among the federal circuits on whether employees with legitimate access to employers’ systems can be prosecuted for using employers’ computers in allegedly unauthorized ways. The most recent rulings on this point, from the 2nd, 4th and 9th Circuits (in the first Nosal decision), have held that employees cannot be prosecuted for violating their employers’ restrictions.

I can see why EFF and the ACLU argue the new Nosal and Power Ventures rulings contradict that precedent because they hold the alleged trespassers responsible for supposedly abusing authorized access. Facebook is right about the unlikeliness of a prosecutor using the 9th Circuit holding in its case to assert the CFAA against, for instance, a wife paying her husband’s credit card bills online or a son reading his ailing dad’s email aloud. Perhaps Facebook v. Power Ventures isn’t the right vehicle to clarify the CFAA. But sooner or later, an en banc court will have to take on that job.

For more of my posts, please go to WestlawNext Practitioner Insights

Follow me on Twitter

No comments so far

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/