Power Ventures operated a social networking site, Power.com, which aggregated users’ social networking information so that they could see all contacts from multiple sites (including Facebook) on a single page. Power Ventures launched a promotional campaign to attract traffic to Power.com in which it encouraged users to share the promotion with their friends on Facebook. When a user opted to share, Power Ventures used Facebook’s messaging functionality to send promotional messages to the user’s friends within Facebook or by an e-mail purporting to be from Facebook. Facebook was not amused and sent Power Ventures a cease and desist letter telling it to stop its activities. Facebook also attempted to prevent Power Ventures from accessing the site by blocking its IP address, but Power Ventures circumvented this mechanism by simply switching IP addresses.
Facebook sued Power Ventures and its principal under the CFAA as well as under a California anti-hacking statute and the federal CAN-SPAM Act. The relevant provision in the CFAA creates criminal and civil liability for computer trespass for any person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer.” 18 U.S.C. §1030(a)(2)(C). The CFAA provides a private right of action for any person who suffers damage or loss due to a violation of the applicable section of the statute. The loss must be at least $5,000 during a one-year period, but the CFAA defines “loss” very liberally to mean “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. §1030(e)(11). In the Power Ventures case, it was undisputed that Facebook had incurred at least $5,000 in employee time in “analyzing, investigating and responding to Power’s actions.”
According to the court, Power Ventures initially had implied consent to access Facebook, since it had the consent of Power.com users to utilize Facebook to transmit messages and “reasonably could have thought that consent [from the users] to share the promotion was permission for Power to access Facebook’s computers.” Thus, Power Ventures did not initially access Facebook “without authorization.”