Blog

July 22, 2016 -

Facebook v. Power Ventures Ruling Is a Yellow Light for Scrapers

Accessing and using a website in violation of the terms of use will not trigger civil or criminal liability under the federal Computer Fraud and Abuse Act (CFAA).  However, if you continue to do so after the website owner explicitly tells you your access is unauthorized, or if you attempt to circumvent access restrictions by using technical measures or third-party credentials after being told your permission is revoked, you will be held liable under the CFAA.  That is the simple lesson to be drawn from the decision of the U.S.  Court of Appeals for the Ninth Circuit in Facebook, Inc. v. Power Ventures, Inc., No. 13-17154 (9th Cir. July 12, 2016). While the case did not involve website scraping per se, the court’s ruling nonetheless clarifies key issues faced by scrapers and does not so much reduce CFAA risk as delay it.

Power Ventures operated a social networking site, Power.com, which aggregated users’ social networking information so that they could see all contacts from multiple sites (including Facebook) on a single page.  Power Ventures launched a promotional campaign to attract traffic to Power.com in which it encouraged users to share the promotion with their friends on Facebook.  When a user opted to share, Power Ventures used Facebook’s messaging functionality to send promotional messages to the user’s friends within Facebook or by an e-mail purporting to be from Facebook.   Facebook was not amused and sent Power Ventures a cease and desist letter telling it to stop its activities.  Facebook also attempted to prevent Power Ventures from accessing the site by blocking its IP address, but Power Ventures circumvented this mechanism by simply switching IP addresses.

Facebook sued Power Ventures and its principal under the CFAA as well as under a California anti-hacking statute and the federal CAN-SPAM Act.  The relevant provision in the CFAA creates criminal and civil liability for computer trespass for any person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer.”  18 U.S.C. §1030(a)(2)(C).    The CFAA provides a private right of action for any person who suffers damage or loss due to a violation of the applicable section of the statute.  The loss must be at least $5,000 during a one-year period, but the CFAA defines “loss” very liberally to mean “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”  18 U.S.C. §1030(e)(11).  In the Power Ventures case, it was undisputed that Facebook had incurred at least $5,000 in employee time in “analyzing, investigating and responding to Power’s actions.”

The appellate court reversed in part and affirmed in part the lower court’s grant of summary judgment in favor of Facebook on its CFAA claim, holding that Power Ventures violated the CFAA, but only by continuing to access Facebook without permission after receiving Facebook’s cease and desist letter.  First, the court stated emphatically that violation of a website terms of use or other computer use restrictions – without more – cannot give rise to liability under either prong of the CFAA’s “access” prohibition.  (While the court analyzed the question of Power Ventures’ liability as whether or not Power Ventures accessed Facebook “without authorization,” its conclusion is equally applicable to situations where the case turns on whether a defendant’s activities “exceed authorized access,” as in the Nosal I case mentioned below.)  Secondly, CFAA liability exists when a defendant “has no permission to access a computer or when such permission has been revoked explicitly,” and neither technological circumvention measures (like switching IP addresses) nor using a third party to access the computer will change this result.

Throughout its opinion, the court gave short shrift to Facebook’s terms of use, and by extension, to a website owner’s reliance on a terms of use to limit entry to an otherwise accessible site.  Quoting an earlier case, United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc) (otherwise known as “Nosal I”), it noted, “’[n]ot only are the terms of service vague and generally unknown … but website owners retain the right to change the terms at any time and without notice.’ [citation omitted].  As a result, imposing criminal liability for violations of the terms of use of a website could criminalize many daily activities.”  (While Nosal I was a criminal CFAA case, the Ninth Circuit’s analysis and commentary in Power Ventures makes no distinction between criminal and civil CFAA actions.)  The Ninth Circuit’s dismissive attitude toward website terms of use (people don’t read them, and they are changeable at any time) creates a curious tension with the black-letter rule of electronic contracting law that terms of use are generally enforceable, provided that they are posted conspicuously enough to give a user reasonable notice of their terms and by his or her subsequent behavior the user can fairly be said to manifest assent to these terms (such as by using the site when the terms of use prominently state that usage means assent).  The court commented without explanation that since Facebook and Power Ventures had no direct relationship, it did not appear that the latter was even subject to any contractual terms.  However, the fact remains that Facebook has posted terms of use that are clearly applicable to any usage of the site; the court did not analyze the electronic process by which Power Ventures used third-party credentials to access Facebook or the question of whether this process subjected Power Ventures to the terms of use.

According to the court, Power Ventures initially had implied consent to access Facebook, since it had the consent  of Power.com users to utilize Facebook to transmit messages and “reasonably could have thought that consent [from the users] to share the promotion was permission for Power to access Facebook’s computers.”  Thus, Power Ventures did not initially access Facebook “without authorization.”

Facebook’s cease and desist letter changed that – but even so, the court observed in a footnote that Facebook’s mention of violations of the terms of use in its letter was not by itself sufficient to create CFAA liability.  (Interestingly, the court also noted that “[s]imply bypassing an IP address, without more, would not constitute unauthorized use” of a website, since a user may not know he or she has been blocked or else the user may not associate an IP address block with a revocation of access directed at that specific user.)   However, Facebook’s letter also warned Power Ventures that it may have violated federal and state law and “plainly put Power on notice that it was no longer authorized to access Facebook’s computers.”  After Facebook issued the cease and desist letter, permission from the users alone was no longer sufficient to constitute authorization to access Facebook for purposes of the CFAA.

The lesson for scrapers from the Power Ventures case is that, at least in the Ninth Circuit (which includes the tech powerhouse states of California, Oregon and Washington), simply violating a no-scraping clause in a website terms of use should not give rise to CFAA liability.  However, the website owner can promptly turn this around if it wishes by issuing a cease and desist letter that clearly revokes authorization to access the site, at which point civil or even criminal liability under the CFAA can begin to accrue.  (There may be other kinds of clear notice of revocation or limitation of site access authorization for scraping, like a site owner’s use of the robot exclusion standard (robots.txt) protocol, although this was not addressed in the Power Ventures ruling.  Furthermore, scrapers should note that if scraping activities actually slow down or crash a website, a court might be less favorably disposed toward the scraper, and other legal remedies, like the tort of trespass to computer chattels, might be available to the site owner.)  In summary, Power Ventures is a yellow light for scrapers – there is a period of time when you can keep your foot on the gas, but at some point the light may turn red.