American Bar Association
Media Alerts
Media Alerts - Facebook v. Vachani - Ninth Circuit
Decrease font size
Increase font size
September 7, 2016
  Facebook v. Vachani - Ninth Circuit
Headline: Computer Fraud and Abuse Act of 1986 ("CFAA") was not violated when Power accessed Facebook, Inc.'s ("Facebook") computers, knowing that Power was not authorized to do so.

Areas of Law:[/B] Privacy Law, Electronic Communication Law, Evidence, Torts

Issues Presented:

Whether the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ("CAN-SPAM Act"), 15 U.S.C. §§ 7701-7713, was violated by either: (1) external emails sent when Power Ventures, Inc. ("Power") caused a Facebook event to be created or (2) internal Facebook messages authored by Power that Power users transmitted to their Facebook friends.

Whether the Computer Fraud and Abuse Act of 1986 ("CFAA"), 18 U.S.C. § 1030 et. seq., was violated when Power accessed Facebook, Inc.'s ("Facebook") computers, knowing that Power was not authorized to do so.

Whether Cal. Penal Code § 502 was violated when Power accessed Facebook's computers, knowing that Power was not authorized to do so.

Brief Summary: Now defunct social networking company, Power Ventures, Inc. ("Power"), engaged in a promotional campaign wherein Power accessed Facebook, Inc.'s ("Facebook") user data and initiated electronic messages promoting Power's website. While Power initially had implied permission to do so from Facebook through Facebook's users, Facebook later expressly revoked said permission via a cease and desist letter to Power. Notwithstanding Facebook's cease and desist letter, Power continued its unauthorized promotional campaign, thereby resulting in Facebook bringing suit for violations of the CAN-SPAM Act, the CFAA, and Cal. Penal Code § 502.

Following entry of summary judgment against Power on all three claims, Power appealed on three issues: (1) whether the CAN-SPAM Act, was violated by either (a) external emails sent when Power caused a Facebook event to be created or (b) internal Facebook messages authored by Power that Power users transmitted to their Facebook friends; (2) whether the CFAA was violated when Power accessed Facebook's computers, knowing that Power was not authorized to do so; and (3) whether Cal. Penal Code § 502 was violated when Power accessed Facebook's computers, knowing that Power was not authorized to do so.

The Ninth Circuit panel thereafter found that: (1) the CAN-SPAM Act was not violated by external emails sent when Power caused a Facebook event to be created because multiple parties initiated the disputed messages and the "from" line accurately identified a person who initiated the disputed messages and a Power user consented to share Power's promotion through an event invitation; (2) the CAN-SPAM Act was not violated by internal Facebook messages by power that Power users transmitted to their Facebook friends because the body of the messages included Power's identity and a link to Power's website and Facebook users who were identified as the senders authorized the sending of the messages; (3) the CFAA and Cal. Penal Code § 502 were violated when a party accesses a computer where there is no permission to do so or where such permission has been explicitly revoked; and (4) the CFAA is not violated merely by violating a website's terms of use alone.

Significance: The Ninth Circuit panel establishes that: (1) the CAN-SPAM Act was not violated by external emails sent when Power caused a Facebook event to be created because multiple parties initiated the disputed messages and the "from" line accurately identified a person who initiated the disputed messages and a Power user consented to share Power's promotion through an event invitation; (2) the CAN-SPAM Act was not violated by internal Facebook messages by Power that Power users transmitted to their Facebook friends because the body of the messages included Power's identity and a link to Power's website and Facebook users who were identified as the senders authorized the sending of the messages; (3) the CFAA and Cal. Penal Code § 502 were violated when a party accesses a computer where there is no permission to do so or where such permission has been explicitly revoked; and (4) the CFAA is not violated merely by violating a website's terms of use alone.

Extended Summary: Power was a social networking website where individuals who already used other social networking websites could log on to Power.com and create an account. Power would thereafter aggregate the user's social networking information from various social networking websites on a single page thereby enabling the user to keep track of a variety of social networking friends through a single program. Facebook also operates a social networking website, Facebook.com, where users must register and agree to Facebook's terms of use before website access is granted. Once registered, a Facebook user can create and customize their profile by adding personal information, photographs, or other content.

In general, a non-Facebook user is not allowed to use Facebook.com to send messages, post photographs, or otherwise contact Facebook users through their profiles. Rather, Facebook requires non-Facebook users that want to contact Facebook users through Facebook.com to enroll in a program called "Facebook Connect," whereby these third parties are required to register with Facebook and agree to a separate Developer Terms of Use Agreement.

In December 2008, Power initiated a promotional campaign to attract more traffic to Power.com. In hopes of attracting Facebook users, Power placed an icon on Power.com that read, "[f]irst 100 people who bring 100 new friends to Power.com win $100." A button in the icon included the words, "[y]es I do!" and if a user clicked the button, then Power would create an entry on the user's Facebook profile in the form of an event, photo, or status. In many instances, Power either caused a message to be transmitted to the user's "friends" within Facebook's system or, depending on the user's Facebook settings, caused Facebook itself to generate an email message.

Facebook became aware of Power's promotional campaign on December 1, 2008, and on that same date, Facebook sent a cease and desist letter to Power, thereby instructing Power to cease its promotional campaign. Power also declined to sign Facebook's Developer Terms of Use Agreement and enroll in Facebook Connect. In an attempt to prevent Power from continuing its promotional campaign, Facebook instituted an Internet Protocol ("IP") block, but Power circumvented Facebook's efforts by switching IP addresses. Through this period, Power continued its promotional campaign, notwithstanding that Power knew that it took, copied, or made use of Facebook.com data without Facebook's permission to do so.

Facebook thereafter sued Power in district court, alleging violations of the CAN-SPAM Act, the CFAA, and Cal. Penal Code § 502 and moved for summary judgment. The district court found in favor of Facebook on all three claims and similarly denied Power's motion for reconsideration.

Power thereafter raised three issues on appeal: (1) whether the CAN-SPAM Act, was violated by either (a) external emails sent when Power caused a Facebook event to be created or (b) internal Facebook messages authored by Power that Power users transmitted to their Facebook friends; (2) whether the CFAA was violated when Power accessed Facebook's computers, knowing that Power was not authorized to do so; and (3) whether Cal. Penal Code § 502 was violated when Power accessed Facebook's computers, knowing that Power was not authorized to do so.

On the first issue, the Ninth Circuit panel first noted that for a message to violate the CAN-SPAM Act, it must be "materially misleading" or "materially false." 15 U.S.C. § 7704(a)(1). Under 15 U.S.C. § 7704(a)(6), "materially," when used in the context of false or misleading header information, includes the:

alteration or concealment of header information that would impair the ability of an Internet access service processing the message on behalf of a recipient, a person alleging a violation of this section, or a law enforcement agency to identify, locate, or respond to a person who initiated the electronic mail message or to investigate the alleged violation, or the ability of a recipient of the message to respond to a person who initiated the electronic message.

Moreover, a "from" line that "accurately identifies any person who initiated the message shall not be considered materially false or materially misleading." 15 U.S.C. § 7704(a)(1)(B). In addition, "header information that is technically accurate but includes an originating electronic mail address, domain name, or Internet Protocol address the access to which for purposes of initiating the message was obtained by means of false or fraudulent pretenses or representations" is considered to be "materially misleading." 15 U.S.C. § 7704(a)(1)(A).

The Ninth Circuit panel then identified two types of message that could rise to the level of "materially misleading" under the CAN-SPAM Act: (1) external emails sent when Power Ventures, Inc. ("Power") caused a Facebook event to be created and (2) internal Facebook messages authored by Power that Power users transmitted to their Facebook friends.

As to the external emails, the Ninth Circuit panel took note of the fact that the "from" line of the emails identified Facebook as the sender, that the body of the email was signed "Thanks, The Facebook Team," and that the header stated that a friend of the recipient invited the user to an event entitled "Bring 100 friends and win 100 bucks." Because the CAN-SPAM Act provides that a "from" line that accurately identifies a person who initiated the message is not "misleading" (see 15 U.S.C. § 7704(a)(1)(B)), the Ninth Circuit panel found it relevant whether Facebook "initiated" the messages. The CAN-SPAM Act defines "initiate" to mean "to originate or transmit such message or to procure the origination or transmission of such message, but shall not include actions that constitute routine conveyance of such message.," and importantly, more than one person may be considered to have initiated the message. 15 U.S.C. § 7702(9).

The Ninth Circuit panel then reasoned that because: (1) a Power user granted Power permission to share the promotion, (2) Power accessed that user's Facebook data after receiving such permission, (3) Facebook created and caused form emails to be sent to recipients, that these actions all required some affirmative consent or some creative license, and (4) the CAN-SPAM Act expressly provides that more than one person may be considered to have initiated the message, Power's users, Power, and Facebook all initiated the disputed messages and the "from" line was therefore not misleading within the meaning of the CAN-SPAM Act.

On balance, the Ninth Circuit panel acknowledged that although the CAN-SPAM Act includes as materially misleading, a technically accurate header that includes information accessed through false or fraudulent pretenses or representations, Power users consented to Power's access of their Facebook data and permitted Power to share its promotional campaign through event invitations. As such, the Ninth Circuit panel held that Power did not use false pretenses or fraudulent representations to obtain consent from users and that the external messages were therefore not "materially misleading" within meaning of the CAN-SPAM Act.

In regards to the internal messages sent within Facebook's system, the Ninth Circuit panel noted that the messages could only be deemed "misleading" if they impaired the ability of the recipient to "respond to a person who initiated the electronic mail message" or the ability of Facebook to locate the initiator of the message. 15 U.S.C. § 7704(a)(6). Under this standard, the Ninth Circuit panel held that the disputed messages were not misleading because: (1) the body of the messages included Power's identity and a link to Power.com and (2) Facebook users who were identified as the senders did in fact authorize the sending of the messages.

As such, on the issue of whether the external emails or internal emails violated the CAN-SPAM Act, the Ninth Circuit panel held that Power did not violate the CAN-SPAM Act, reversed the district court's entry of summary judgment, and remanded for entry of judgment in favor of Power.

On the second issue of whether the CFAA was violated when Power accessed Facebook's computers knowing that Power was not authorized to do so, the Ninth Circuit panel noted that under the CFAA there are two ways of committing a crime of improperly accessing a protected computer: "(1) obtaining access without authorization; and (2) obtaining access with authorization, but then using that access improperly." Musaccio v. United States, 136 S.Ct. 709, 713 (2016). Following the precedent of LVRC Holdings LCC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) and United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), respectively, the Ninth Circuit panel further distilled two general rules in analyzing authorization under the CFAA: (1) a defendant can violate the CFAA when he or she lacks permission to access a computer or where permission has been explicitly revoked and (2) merely violating a website's terms of use alone cannot be the basis for liability under the CFAA.

Under these standards, the Ninth Circuit panel reasoned that initially, Power users impliedly gave Power permission to use Facebook's computers to distribute messages because it was reasonable that Power could have construed that consent from Facebook's users to share Power's promotional campaign was permission for Power to access Facebook's computers. However, once Facebook issued its cease and desist letter to Power, Facebook expressly revoked any such permission. Moreover, Facebook further solidified its revocation of any implied permission to access its computers by imposing IP blocks in an effort to prevent Power from accessing Facebook's computers.

Equally important to the Ninth Circuit panel was the fact that Power admitted during discovery that it had continued to take, copy, and make use of data from Facebook's website notwithstanding clearly and unequivocally knowing that Power was expressly forbidden from using or accessing Facebook's data. Internal Power emails similarly showed that Power's officers and executives acknowledge engaging in various prohibited activities without Facebook's permission.

Based on these facts, the Ninth Circuit panel held that Power's admissions showed that: (1) Power deliberately disregarded the case and desist letter; (2) Power accessed Facebook's computers without authorization to do so; and (3) Power circumvented IP barriers to access Facebook's computers notwithstanding lacking authorization to do so. As such, the Ninth Circuit panel affirmed the district court's finding that Power had violated the CFAA because Power accessed Facebook's computers "without authorization" and was thereby liable under the CFAA.

On the third and final issue of whether Cal. Penal Code § 502 was violated when Power accessed Facebook's computers knowing that Power was not authorized to do so, the Ninth Circuit panel noted liability exists under Cal. Penal Code § 502 merely by knowingly accessing a computer system or computer network. United States v. Christensen, 801 F.3d 970, 994 (2015).

As in its CFAA analysis, the Ninth Circuit panel noted that Power had implied authorization to access Facebook's computers and that no violation of Cal. Penal Code § 502 occurred until Facebook sent its cease and desist letter to Power, at which time Power - concededly - knew that it no longer had any permission whatsoever to access Facebook's computers. By continuing to knowingly accessing Facebook's computers and taking, copying, and making use of Facebook's date, the Ninth Circuit panel held that Power violated Cal. Penal Code § 502 and thereby affirmed the district court's finding.

To read the full opinion, please visit:

https://cdn.ca9.uscourts.gov/datastore/opinions/2016/07/12/13-17102.pdf

Panel: Susan P. Graber, Kim McLane Wardlaw, and Mary H. Murguia, Circuit Judges

Argument Date: December 9, 2015

Date of Issued Opinion: July 12, 2016

Docket Number: 13-17102

Decided: Reversed in part, vacated in part, affirmed in part, and remanded

Case Alert Author: Ryan Arakawa

Counsel:
Amy Sommer Anderson (argued), Aroplex Law, San Francisco, California; Steven Vachani (argued pro se), Berkeley, California, for Defendants-Appellants.

Eric A. Shumsky (argued), Orrick, Herrington & Stucliffe LLP, Washington, D.C.; I. Neel Chatterjee, Monte Cooper, Brian P. Goldman, and Robert L. Uriarte, Orrick, Herrington & Sutcliffe LLP, Menlo Park, California, for Plaintiff-Appellee.

Jamie L. Williams (argued), Hanni M. Fakhoury, and Cindy A. Cohn, Electronic Frontier Foundation, San Francisco, California, as and for Amicus Curiae.

Author of Opinion: Judge Susan P. Graber

Circuit: Ninth Circuit

Case Alert Supervisor: Professor Ryan T. Williams

    Posted By: Ryan Williams @ 09/07/2016 01:12 PM     9th Circuit  

FuseTalk Enterprise Edition - © 1999-2018 FuseTalk Inc. All rights reserved.

Discussion Board Usage Agreement

Back to Top