Lessons from the Power Ventures Case Include “Terms of Use Can Create Computer Fraud and Abuse Act Liability”

The saga began in December 2008. Power kicked off its service by encouraging users to recruit new Power.com members (and offering a chance to win $100). To make it easy for users to send recruitment e-mails, Power provided them with lists of their Facebook friends from which they could select people to receive automated invitations from an @facebook.mail.com e-mail address.

Facebook objected to this practice and asked Power to stop, to no avail. Thereafter, Facebook brought suit alleging CAN-SPAM violations, violations of California Penal Code § 502, and violations of the Computer Fraud and Abuse Act. In response, Power filed a countersuit against Facebook alleging “anti-competitive practices.”

In its ruling, the federal district court in the Northern District of California found that Power’s conduct (1) violated CAN-SPAM, (2) violated California Penal Code § 502, and (3) violated the CFAA.

With respect to CAN-SPAM, the court agreed with Facebook that Power’s email headings violated the statute, which states that information is “materially misleading” if it disguises the origin of the email, making it hard for a recipient to identify the sender. The emails inviting Facebook users to sign up for Power.com contained no return address or information enabling recipients to respond directly to Power. Although the body of the emails did discuss Power.com, the court found that the misleading header alone was sufficient to violate CAN-SPAM.

An interesting component of this discussion was the court’s consideration of email “origination.” Since the emails were actually sent by Facebook users, using Facebook’s servers, there is a technical question as to whether Power is solely responsible as the “originator.” Ultimately, the court found that Power’s “Launch Program” and its money inducements were enough to count them responsible for the emails. From the courts’ perspective: “the fact that [Power] used a program that was created and controlled by another to send e-mails with misleading headers does not absolve them of liability for sending those e-mails.”

On the issue of California Penal Code § 502, the court Order dated July 30, 2011 explained that an entity accessing a computer network in ways that violated the network’s Terms of Use, without more, is not enough to establish that the use was “without permission” within the meaning of § 502. However, the court found that Power did more than simply access the network. In a bit of technical ninjutsu, Power anticipated that Facebook would attempt to block them and preemptively created a system to rotate IP addresses. Even though Power did nothing after Facebook started blocking IP address to further circumvent the blocks, the court had little sympathy, asserting that it found “no reason to distinguish between methods of circumvention built into a software system to render barriers ineffective and those which respond to barriers after they have been imposed.”

Finally, the court also found Power liable under the CFAA since significant resources were expended in Facebook’s efforts to stop Power’s unauthorized access. The CFAA holds one liable who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains,” among other things, “information from any protected computer.” 18 U.S.C. § 1030(a)(2). Both civil and criminal liability are possible here. Facebook easily showed it met the $5,000 “loss” threshold for standing under the CFAA—which counts reasonable costs associated with damage assessment and restoration work—through expenses spent trying to stop Power’s unauthorized access. From there, the court found the calculus rather simple. Power had (1) accessed Facebook without permission from Facebook, (2) obtained information from Facebook’s website, and (3) Facebook suffered sufficient damage. Ergo, CFAA violated.

The case is significant for its CFAA implications, since the court’s opinion supports a broad definition of illegal access under the CFAA to include violations of a website’s Terms of Use. The CFAA is a statute intended to reduce hacking but increasingly used to impose criminal charges. Just a few years ago, it was unthinkable to come up against criminal charges for violating a website’s Terms of Use.  But the notion is becoming thinkable. Coupled with a string of decisions holding employees criminally liable for violating workplace policies (e.g. US v. Nosal, US v. Rodriguez, and US v. John), this decision raises serious questions about the scope and limitations of liability under the CFAA.

Interestingly, the court deemed Power’s access to Facebook “unauthorized,” even though Facebook users themselves authorized Power’s interactions. After all, Facebook users are the ones who own the content to their own profiles. But it was Facebook’s Terms of Use that carried the case, in the end. Before potential Facebook users create an account they must agree to these Terms—which prohibit automated scripts that collect information from Facebook, commercial use of Facebook without permission, or impersonation of anyone or anything through Facebook. The Terms were where the court looked to determine whether Power’s access to Facebook was authorized for CFAA purposes.

The lesson to be learned from the Power Ventures’ experience is that it is time for companies to re-examine (or become aware of) the website policies of sites they access, lest they unwittingly come under civil and perhaps even criminal CFAA charges. Also, cautious, meticulous drafting of one’s Terms of Use is key to reserving a vehicle for legal redress.

Authored by Sachi Jepson