Computer Fraud And Abuse Act Violated By Bundling Facebook And Other Social Networking Accounts Without Authorization

A California federal court recently issued a substantial monetary award in favor of Facebook and permanent injunction against a website that enabled its users to aggregate their data in social networking sites and messaging services.

Summary of the case. Power Ventures, Inc. (PVI) operates a website called power.com which integrates multiple social networking accounts. In late 2008, PVI began permitting participants to access their Facebook accounts through power.com. Then, PVI launched a promotion in which participants were offered an opportunity to receive a cash payment by selecting Facebook “friends” to whom power.com advertising should be sent. The advertising did not mention PVI and implied that it came from Facebook.

When it learned of the promotion, Facebook blocked power.com’s access to Facebook accounts. In addition, Facebook sued PVI and its principal owner-officer, Vachini, alleging various causes of action including violation of the Computer Fraud and Abuse Act (“CFAA”). All parties moved for summary judgment. In February 2012, Facebook’s motion was granted. Facebook, Inc. v. Power Ventures, Inc., Case No. 08-05780 (C.D. Calif., Feb. 16, 2012) (Ware, J.). A few days ago, the defendants’ motion for reconsideration was denied. Id.(Sept. 25, 2013) (Koh, J.).

The court’s February 2012 ruling that PVI violated the CFAA. The CFAA prohibits obtaining “information” by accessing, without authority, a protected computer. 18 U.S.C. §1030(a)(2)(C). The statute also prohibits accessing a protected computer without authorization and obtaining “anything of value” provided that it is worth $5,000 or more. §1030(a)(4). Judge Ware found that PVI violated §1030(a)(2)(C) by accessing Facebook’s website without authorization and obtaining “information.” Further, the court found that Facebook had standing to sue because its documented costs incurred in thwarting PVI’s continued unauthorized access exceeded $5,000. Facebook’s motion for summary judgment against PVI was granted. Unresolved were what relief to award and whether Vachani also was liable.

Denial of reconsideration. Due to a number of intervening events, a decision on the unresolved issues and on the defendants’ motion for reconsideration was not announced until 17 months after the original ruling. Those events included the filing and later dismissal of PVI’s and Vachani’s bankruptcy petitions. In addition, while the automatic bankruptcy stay was in effect, Judge Ware resigned from the bench, and the case was reassigned to Judge Koh.

The defendants’ first argument in support of reconsideration was that no violation of CFAA was shown because Judge Ware did not find that the “information” PVI obtained from Facebook had “value.” Section 1030(a)(4) criminalizes unauthorized access to a protected computer and obtaining “anything of value” of at least $5,000. Curiously, however, the word “value” is not mentioned in §1030(a)(2) which simply prohibits obtaining “information” from unauthorized access to a protected computer, even, apparently, if the information has no value. Judge Koh held that Judge Ware’s finding of a violation of §1030(a)(2) was warranted.

PVI also said that no violation of the CFAA was shown because the defendants were not alleged to have destroyed any information or data. Many CFAA complaints do allege that a defendant destroyed computerized information or data, but neither §1030(a)(2) nor §1030(a)(4) requires such an allegation.

The defendants challenged Facebook’s standing to sue because, allegedly, no harm was demonstrated. Section 1030(a)(5)(C) criminalizes accessing a protected computer without authorization which “causes damage and loss.” Judge Koh held that Facebook satisfied the statutory standing requirement by showing that Facebook incurred “damage and loss” by “responding to an offense” and “conducting a damage assessment” (§1030(e)(11)).

Finally, with regard to Vachani’s liability, Judge Koh cited Ninth Circuit authority for a finding of personal liability when a corporate officer or director authorizes, directs, or participates in corporate wrongdoing. Drawing all reasonable inferences in Vachani’s favor, she said that the undisputed evidence proved that he authorized and directed the statutory violation.

For the foregoing reasons, Judge Koh held that Facebook was entitled to compensatory damages from both defendants. Since all of the requisites for obtaining a permanent injunction were satisfied, the defendants also were enjoined from committing further violations of the CFAA.

Takeaways. Many reported CFAA decisions concern either (a) an employee’s or ex-employee’s alleged unauthorized access to computerized information obtained for the purpose of engaging in unfair competition, or (b) hacking into a computer. The allegations in Facebook are different. Judge Koh summarized Facebook’s CFAA claim as: The defendants induced “Facebook users to provide their login information,” used “that information to ‘scrape’ Facebook’s proprietary material,” and proceeded to “display Facebook’s material on power.com. Facebook asserts that it never gave Defendants permission to use its material in that way.” PVI’s position was that it did not circumvent any technical barriers in order to access the Facebook site, and Facebook’s own servers sent the emails at issue, and so PVI did not violate the CFAA.

Arguably, at its core, Facebook may be said to hold that the CFAA prohibits accessing a computer network without express authorization and obtaining (a) information, regardless of its value, or (b) anything else that has substantial value. If so, the decision may support the proposition, for example, that actions as common as accessing without permission someone’s social media site in order to gather information or valuable data concerning the user of that site violates the CFAA.