Last week, the Ninth Circuit limited the scope of the Computer Fraud and Abuse Act (CFAA) in affirming a grant of summary judgment against the defendant in Facebook, Inc. v. Power Ventures, Inc., et. al. and affirmed the rule that accessing a website after receiving a cease and desist letter creates liability under the CFAA.
Computer Fraud And Abuse Act
The CFAA prohibits trespassing onto a computer system by parties who are either not authorized users or are exceeding authorized use. It criminalizes, among other things, “knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct further[ing] the intended fraud and obtain[ing] anything of value[.]” 18 U.S.C. § 1030(a)(4). The CFAA broadly defines a “protected computer” as a computer “which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication in the United States.” 18 U.S.C. § 1030(e)(2)(B). The CFAA also establishes a right of action for private parties who were injured by violations of its provisions. 18 U.S.C. § 1030(g).
Power Ventures, Inc. (Power) operated a now-defunct social networking website, Power.com. Power users could create an account that aggregated their information from other social networking websites and display all their contacts from different networking sites on a single page.
In December 2008, as part of a promotional campaign, Power placed an icon on its website, which asked whether the user wanted to share an event, photo, or status on Facebook, and included a button with the words “Yes, I do!” If a Power user clicked the “Yes, I do!” button, Power would create an event, photo, or status on the user’s Facebook profile and cause a Facebook message to be transmitted to the user’s Facebook contacts. In some instances, based on the user’s settings, it would also generate an external email message, apparently from Facebook, to the user’s contacts. For example, if a Power user clicked the “Yes, I do!” button about sharing an event and created an event, her contacts might have received an external email apparently from Facebook about the event. These emails were form emails automatically generated every time the Facebook user created an event.
On December 1, 2008, Facebook learned about Power’s promotional campaign and sent a cease and desist letter to Power. When Power would not terminate its campaign, Facebook blocked its Internet Protocol (IP) address to prevent Power from accessing the Facebook website. Power responded by switching its IP address to circumvent the IP address block. In January 2009, Power ended the promotional campaign.
On December 20, 2008, Facebook sued Power for violating the CFAA and other federal and state statutes. The district court granted summary judgment in favor of Facebook on all of its claims, including the CFAA one.
The Ninth Circuit affirmed the district court’s grant of summary judgment with regard to Facebook’s CFAA claim in Facebook, Inc. v. Power Ventures, Inc. et. al., No. 13-17102. The Court began by holding that Facebook had a private right of action because it had suffered a loss within the meaning of the CFAA as its employee spent “many hours… analyzing, investigating, and responding to Power’s action.” Power, slip opinion at *13.
Applying these rules, the Ninth Circuit found that Power users arguably gave Power permission to access Facebook’s computer when those users clicked on the “Yes, I do!” button; but, that Facebook openly and expressly rescinded that permission on December 1, 2008 when it sent Power a cease and desist letter instructing Power to stop soliciting the information of Facebook users, using Facebook content, or otherwise interacting with Facebook through automated scripts. See id. at *16–17. Facebook also blocked Power’s IP address. See id. The Court noted that the record was clear that Power was aware that it was not authorized to access Facebook’s computer, but still took steps to evade Facebook’s IP address block to do so. See id. at *18–19. By accessing Facebook’s computer “without authorization,” Power was liable under the CFAA. Id. at *19.