May 27, 2010
EFF Weighs in on Facebook v. Power Ventures -- Facebook v. Power Ventures
[Post by Venkat]
Facebook and Power Ventures have been locked in a dispute over whether Power Ventures can access Facebook's website and network outside of Facebook's authorized developer channels. The dispute yielded an interesting ruling on Power.com's motion to dismiss. The parties are both seeking summary judgment on the issue of whether Power.com's conduct violates California Penal Code section 502(c). EFF recently weighed in with an amicus brief which makes the already interesting dispute even more interesting.
At this point, the parties are jousting over whether Power.com's conduct violates California Penal Code section 502(c). I'm surprised the parties are focusing their initial battle around this statute, rather than the Computer Fraud and Abuse Act. That said, given that California courts have held that Computer Fraud and Abuse Act decisions are persuasive when it comes to interpreting Section 502(c), what the court does here will be a good indication of what the court will do with the Computer Fraud and Abuse Act claim.
EFF's Amicus Brief: The brief comes at an opportune time for Power.com. I speculated earlier as to whether Power.com would settle this dispute, but given the recent barrage of negative publicity surrounding Facebook (including planned protests/mass deactivations (or deletions ?) of Facebook accounts, and criticism from numerous high profile users and technology commentators), this round of motions could ratchet up the pressure on Facebook. [As a sidenote, Judge Fogel, who originally presided over the dispute and who seemed sympathetic to Facebook's position, recused himself. He didn't give any reasons for the recusal (nor is he required to). I'm not sure what effect this will have on the dispute, but I thought it was worth mentioning.]
Does Access in Violation of Facebook's Terms of Service Violate the CFAA: There are cases holding that repeated unauthorized access of a website through automated means may violate the CFAA (for example: EF Cultural Travel BV v. Zefer Corp.; EF Cultural Travel BV v. Explorica, Inc.; Southwest Airlines v. Farechase, Inc.; Register.com, Inc. v. Verio, Inc.). Power.com does not have an easy road when it comes to legal precedent. EFF's brief cites to a recent case from the employment context where the Ninth Circuit narrowly interpreted the Computer Fraud and Abuse Act (LVRC Holdings, LLC v. Brekka, discussed by Jeff Neuburger here). Brekka was a case where an employee accessed his employer's computers and servers for his own purposes (and contrary to his employer's interests). The employer never expressly rescinded Brekka's access. The Ninth Circuit granted summary judgment in favor of the employee (Brekka), reasoning that once authorized, the authorized user cannot violate the CFAA unless the authorization has been rescinded or where the authorized user "exceeds authorized access" - i.e., by accessing the computer to obtain or alter information" that the authorized user is not entitled to obtain or alter. The court in Brekka acknowledges that the Seventh Circuit took a different approach in International Airport Centers v. Citrin, where it concluded that an employee can lose "authorization" when the employee "resolves to act contrary to the employer's interest."
There's one key difference between Brekka and this case, which is that in this case, there was never any dispute as to whether Power.com or Facebook end users are authorized to access Facebook's servers through Power.com's service. In any event, Facebook sent Power.com a cease and desist letter making clear that Facebook viewed Power.com's access as unauthorized. Interestingly, one of the CFAA sections covers unauthorized access where the defendant "obtains information" which the defendant is not entitled to obtain. Arguably Facebook end users are not "entitled" to obtain information from Facebook through channels that are not authorized by Facebook. However, the information that end users are looking to access is clearly not Facebook's - it's the end users own data. (The Computer Fraud and Abuse Act has several different sections, but broadly, it requires (1) access or the transmission of information that is unauthorized; (2) which causes damage or effects fraud, and (3) with a certain level of culpability. The EFF's internet law treatise page on the CFAA is a good resource for background.)
Facebook also has a copyright claim. As tenuous as Facebook's copyright claims may be, there are cases which support Facebook's position, and a judge in this case has already ruled that Power.com doesn't get a pass if it is found to have accessed Facebook's copyrighted material (even for the purpose of allowing end user access).
While recent events have made Power.com's arguments more tenable, I think it still has a tough battle, among other things because it's a competitor of sorts. That said, there are a variety of factors which make this case a harder one for Facebook than I initially thought. It is interesting to see people rally around Power.com, who judging from Facebook's pleadings, has some baggage - the type that makes a clear win for Power.com unlikely. As far as data portability goes, Power.com is an unlikely champion. On the other hand, Facebook doesn't look so great blocking Power.com's efforts.
Other Third Party Services: Another interesting aspect to this dispute is that a plethora of third party services have arisen which arguably address the privacy and data concerns of Facebook's end users. Are these services allowed to access end user data in violation of Facebook's terms? Facebook has tried to force some of these applications to stop, but I think some of these applications may have a more compelling argument than Power.com, which is just a point of aggregation for various social networking profiles. For example, if Facebook didn't provide a way for end users to delete their user data, could a third party provide this service?
1. Openbook: "Facebook helps you connect and share with the people in your life. Whether you want to or not." An interesting site that lets you search public Facebook status updates to show how often embarrassing information is shared through Facebook.
2. ReclaimPrivacy.org: a "website provides an independent and open tool for scanning your Facebook privacy settings."
Facebook has a good argument that it needs to regulate access for security reasons. Along these lines, Facebook recently implemented "anti-hacking" features which may make access through third party channels more difficult.
Techdirt: "Facebook Abusing Computer Crime Law To Block Useful Service"
ReadWriteWeb: "Facebook Suing Power.com for Auto-Logging"
EFF: "EFF Seeks to Protect Innovation for Social Network Users"
Wendy Davis: "EFF: Violating Terms Of Service Isn't Computer Fraud"