EFF Weighs in on Facebook v. Power Ventures — Facebook v. Power Ventures

[Post by Venkat]

Facebook v. Power Ventures, Case No. 5:08-cv-05780 JW (N.D. Cal.) (Facebook Motion) (EFF Amicus Brief)

Facebook and Power Ventures have been locked in a dispute over whether Power Ventures can access Facebook’s website and network outside of Facebook’s authorized developer channels. The dispute yielded an interesting ruling on Power.com’s motion to dismiss. The parties are both seeking summary judgment on the issue of whether Power.com’s conduct violates California Penal Code section 502(c). EFF recently weighed in with an amicus brief which makes the already interesting dispute even more interesting.

The Dispute: Facebook brought Computer Fraud and Abuse Act claims and copyright claims (along with a slew of other claims) against Power.com. Setting aside the peripheral trademark and CAN-SPAM claims, Facebook’s key allegations are that (1) Power.com accessed Facebook’s network “without authorization” in violation of the Computer Fraud and Abuse Act (and section 502(c), the California computer crime statute); (2) Power.com accessed Facebook’s network in violation of the Facebook terms of use; and (3) Power.com copied the copyrighted portions of the Facebook website in the process of allowing Facebook users to access Facebook through Power.com’s interface. (There’s also an anti-circumvention claim tied to the unauthorized copying claim.) The court denied Power.com’s motion to dismiss. (See coverage of the court’s initial ruling on Power.com’s motion to dismiss from Tom O’Toole, Jeff Neuburger, and Cyberlaw Cases.)

At this point, the parties are jousting over whether Power.com’s conduct violates California Penal Code section 502(c). I’m surprised the parties are focusing their initial battle around this statute, rather than the Computer Fraud and Abuse Act. That said, given that California courts have held that Computer Fraud and Abuse Act decisions are persuasive when it comes to interpreting Section 502(c), what the court does here will be a good indication of what the court will do with the Computer Fraud and Abuse Act claim.

EFF’s Amicus Brief: The brief comes at an opportune time for Power.com. I speculated earlier as to whether Power.com would settle this dispute, but given the recent barrage of negative publicity surrounding Facebook (including planned protests/mass deactivations (or deletions ?) of Facebook accounts, and criticism from numerous high profile users and technology commentators), this round of motions could ratchet up the pressure on Facebook. [As a sidenote, Judge Fogel, who originally presided over the dispute and who seemed sympathetic to Facebook’s position, recused himself. He didn’t give any reasons for the recusal (nor is he required to). I’m not sure what effect this will have on the dispute, but I thought it was worth mentioning.]

EFF urges for a narrow interpretation of section 502(c) in a way that avoids liability to Power.com. The EFF brief argues that finding liability based on access in excess of Facebook’s terms of service is similar to attempting to hold Lori Drew liable for creating a MySpace profile in violation of MySpace terms of service. (“[In] Facebook’s view . . . [a] user who is twelve years old violates the criminal law every time she uses Facebook.”) According to EFF this results in allowing a private entity to define the bounds of criminal conduct, and does not give end users sufficient advance notice of what’s permitted and what is criminal conduct. Notwithstanding the difficulties in analogizing a criminal case to a civil one, EFF’s argument resonates, in light of the fact that Facebook has changed its terms of service over the past few years. (EFF: “Facebook’s Eroding Privacy Policy: a Timeline.”) Facebook’s terms are difficult to read and digest for a lawyer; for a non-lawyer end user, they are even tougher. Although length is not a proxy for whether a document is understandable, a popular refrain on the internet was that Facebook’s terms are longer than the Constitution.

Does Access in Violation of Facebook’s Terms of Service Violate the CFAA: There are cases holding that repeated unauthorized access of a website through automated means may violate the CFAA (for example: EF Cultural Travel BV v. Zefer Corp.; EF Cultural Travel BV v. Explorica, Inc.; Southwest Airlines v. Farechase, Inc.; Register.com, Inc. v. Verio, Inc.). Power.com does not have an easy road when it comes to legal precedent. EFF’s brief cites to a recent case from the employment context where the Ninth Circuit narrowly interpreted the Computer Fraud and Abuse Act (LVRC Holdings, LLC v. Brekka, discussed by Jeff Neuburger here). Brekka was a case where an employee accessed his employer’s computers and servers for his own purposes (and contrary to his employer’s interests). The employer never expressly rescinded Brekka’s access. The Ninth Circuit granted summary judgment in favor of the employee (Brekka), reasoning that once authorized, the authorized user cannot violate the CFAA unless the authorization has been rescinded or where the authorized user “exceeds authorized access” – i.e., by accessing the computer to obtain or alter information” that the authorized user is not entitled to obtain or alter. The court in Brekka acknowledges that the Seventh Circuit took a different approach in International Airport Centers v. Citrin, where it concluded that an employee can lose “authorization” when the employee “resolves to act contrary to the employer’s interest.”

There’s one key difference between Brekka and this case, which is that in this case, there was never any dispute as to whether Power.com or Facebook end users are authorized to access Facebook’s servers through Power.com’s service. In any event, Facebook sent Power.com a cease and desist letter making clear that Facebook viewed Power.com’s access as unauthorized. Interestingly, one of the CFAA sections covers unauthorized access where the defendant “obtains information” which the defendant is not entitled to obtain. Arguably Facebook end users are not “entitled” to obtain information from Facebook through channels that are not authorized by Facebook. However, the information that end users are looking to access is clearly not Facebook’s – it’s the end users own data. (The Computer Fraud and Abuse Act has several different sections, but broadly, it requires (1) access or the transmission of information that is unauthorized; (2) which causes damage or effects fraud, and (3) with a certain level of culpability. The EFF’s internet law treatise page on the CFAA is a good resource for background.)

The CFAA component of this dispute reminds me in some ways of Southwest Airlines v. BoardFirst, a case where Southwest Airlines tried to shut down BoardFirst’s service, which assisted passengers in checking in to Southwest’s flights. The court denied Southwest’s motion for summary judgment, and the parties ultimately settled. The court’s ruling denying Southwest’s motion for summary judgment [scribd] contains some good discussion about whether access in excess of a website terms of use constitutes a violation of the Computer Fraud and Abuse Act. As that case makes clear, however, even if there are problems with Facebook’s Computer Fraud and Abuse Act claim, Facebook most certainly has a valid terms of service-based claim. Finding that there’s been no terms of service violation would require some serious judicial contortions, and would undermine a pretty basic principle that a website owner is free to define the bounds of access of its website through a terms of service. There have been decisions which have invalidated portions of terms of service based on the fact that the terms are grossly unfair (or are unconscionable) but it’s tough to see this part of Facebook’s terms fitting into this category. (On a related note, Professor Goldman recently blogged about Miller v. Facebook, a case where Facebook successfully invoked the venue provision of its user agreement to get a copyright dispute transferred from Georgia to California.)

Facebook also has a copyright claim. As tenuous as Facebook’s copyright claims may be, there are cases which support Facebook’s position, and a judge in this case has already ruled that Power.com doesn’t get a pass if it is found to have accessed Facebook’s copyrighted material (even for the purpose of allowing end user access).

__

While recent events have made Power.com’s arguments more tenable, I think it still has a tough battle, among other things because it’s a competitor of sorts. That said, there are a variety of factors which make this case a harder one for Facebook than I initially thought. It is interesting to see people rally around Power.com, who judging from Facebook’s pleadings, has some baggage – the type that makes a clear win for Power.com unlikely. As far as data portability goes, Power.com is an unlikely champion. On the other hand, Facebook doesn’t look so great blocking Power.com’s efforts.

Other Third Party Services: Another interesting aspect to this dispute is that a plethora of third party services have arisen which arguably address the privacy and data concerns of Facebook’s end users. Are these services allowed to access end user data in violation of Facebook’s terms? Facebook has tried to force some of these applications to stop, but I think some of these applications may have a more compelling argument than Power.com, which is just a point of aggregation for various social networking profiles. For example, if Facebook didn’t provide a way for end users to delete their user data, could a third party provide this service?

1. Openbook: “Facebook helps you connect and share with the people in your life. Whether you want to or not.” An interesting site that lets you search public Facebook status updates to show how often embarrassing information is shared through Facebook.

2. ReclaimPrivacy.org: a “website provides an independent and open tool for scanning your Facebook privacy settings.”

3. Seppukoo: an app that lets you kill your online profiles – in response to a Facebook cease and desist [pdf], the site stopped killing Facebook accounts.

Facebook has a good argument that it needs to regulate access for security reasons. Along these lines, Facebook recently implemented “anti-hacking” features which may make access through third party channels more difficult.

Other coverage:

Techdirt: “Facebook Abusing Computer Crime Law To Block Useful Service

ReadWriteWeb: “Facebook Suing Power.com for Auto-Logging

EFF: “EFF Seeks to Protect Innovation for Social Network Users

Wendy Davis: “EFF: Violating Terms Of Service Isn’t Computer Fraud