July 23, 2010
Judge Denies Facebook’s Request for Judgment on the Pleadings and Strikes Power.com Counterclaims -- Facebook v. Power.com
[Post by Venkat, with additional comments by Eric]
Facebook v. Power Ventures, Inc., Case No. C 08-05780 (N.D. Cal. July 20, 2010)
Background: Facebook and Power Ventures (Power.com) have been locked in a battle over whether Power.com should be allowed to access Facebook on behalf of users outside Facebook’s developer channels. Facebook wants all developers to go through its channel. Power.com seemed to go down in path but decided at some point that it didn’t like Facebook’s developer channel. It accessed (on behalf of its users) Facebook’s network. Facebook sued, and Power.com became an unlikely poster child for why data portability is important.
There’s been a lot of motion practice in this case. Facebook brought the typical array of copyright/computer fraud and abuse act claims that survived a motion to dismiss from Power.com. Power.com brought antitrust counterclaims that the court knocked out (with leave to amend). Facebook focused on its attention on its claims under the California computer crime statute (section 502), and moved for judgment on the pleadings. EFF filed an amicus brief arguing for a narrow construction of the statute. (In the meantime, there was a recusal by the judge who initially drew the case and dealt with the preliminary motions.) The court now deals with Facebook’s request for summary judgment or judgment on the pleadings that Power.com violated section 502, as well as a few other motions.
The Court’s Treatment of the Claims:
Standing under section 502: Power.com argued that Facebook lacked standing under section 502. The court easily disposes of this argument by noting that Facebook was forced (or decided it was prudent) to implement technical measures following its discovery that Power.com accessed its network. The court notes that there’s no dollar amount threshold, and rejects Power.com’s attempt to rely on its declaration that Facebook would not have had to invest any substantial amounts to implement these new technical measures.
Power.com’s liability under section 502: Facebook argued that Power.com accessed Facebook’s network without authorization because it exceeded the scope of the authorization allowed by Facebook’s terms of service. The court looks to the legislative history behind section 502 and declines to give legislative statements the broad-reaching meaning that Facebook urges. Facebook argued that any access in excess of authorization constitutes a violation of section 502, and the court doesn’t seem to agree with this. EFF filed an amicus brief arguing for a narrow interpretation of section 502. EFF also argued that Power.com’s actions did not violate section 502. The court settles on an interpretation of section 502 that requires some sort of circumvention of :
Technical or code-based barriers that a computer network or website administrator erects to restrict the user’s privileges within the system, or to bar the user from the system altogether.
[The court also drops a footnote noting that even though the defendant may not be liable under section 502, the defendant may still be liable for breach of contract. The footnote does not mention claims under the Computer Fraud and Abuse Act.]
Ultimately, the court leaves Facebook room to still make out a claim but says that (under section 502 at least) it can’t merely be based on a terms of service violation:
Power.com’s counterclaims based on Facebook’s alleged anti-competitive conduct: Facebook moved to dismiss Power.com’s antitrust claims against Facebook. The court focuses on Power.com’s allegations about Facebook’s acquisition of monopoly power. According to Power.com, Facebook gained monopoly power through allowing users to invite their friends (and making it easy), allowing people to access other networks through Facebook, while at the same time not allowing people to access Facebook through other networks. Power.com also alleged that Facebook alleged baseless intellectual property claims to dissuage new entrants into the market.
The court rejects these arguments, finding that Facebook has no obligation to allow others to access its network and it can set the terms of access without running afoul of antitrust rules. The court also finds that taking steps to protect its rights does not mean that Facebook is engaging in anti-competitive behavior.
Power.com’s affirmative defenses: The court previously struck Power.com’s affirmative defenses of copyright misuse and fair use. Power.com amended their pleadings and the court lets these affirmative defenses stand. The court’s discussion is a little sparse on whether these defenses actually are viable, but the court declines to strike them on the basis that the allegations provide Facebook with enough facts to put Facebook on notice as to what is being claimed.
I’d say overall it was not a big loss for Facebook. It still has viable claims under the Computer Fraud and Abuse Act and potentially copyright (in addition to auxiliary spam and other) claims. It has a chance to prove a violation of section 502 by showing that Power.com engaged in circumvention of a technical measure (IP address blocking, or additional security measures which Facebook implemented).
This is somewhat of a win for EFF, which got a ruling with a narrow construction under section 502. I’m not sure how useful this ruling will be in the Computer Fraud and Abuse context. Also, the court’s willingness to use circumvention of any technical measure to find a violation of section 502 sets a low bar. Still, in the garden variety context where an individual accesses a network in violation of the terms of service, section 502 claims don’t seem as likely (under the court’s ruling).
Power.com continues to slog it out. I’m guessing it will see this litigation as fairly unprofitable sooner rather than later, particularly with its antitrust claims out the window (I can’t imagine they thought these were terribly viable to begin with, judging by their initial set of allegations). Of course, they can bring their affirmative defenses and engage in some discovery, but this is not likely to bend the will of a company such as Facebook.
ars technica: “Social network aggregator no crook for violating Facebook TOS”
Eric's comments: A very small number of rulings have interpreted California Penal Code Sec. 502, the state law analog to the Computer Fraud & Abuse Act and a partial statutory codification of common law trespass to chattels. Based strictly on the statutory wording, Penal Code 502 (which authorizes civil suits in addition to being a criminal sanction) is the most plaintiff-friendly of the three doctrines because it does not require the plaintiff to show any minimum quantity of loss or harm from the defendant's harm.
This ruling partially reinforces why Penal Code 502 remains the most plaintiff-friendly of the three doctrines. Effectively, Facebook made the requisite showing of harm from Power.com's conduct even though Facebook's only purported harms appear to be remediation efforts. As the court says:
Defendants’ admissions that Facebook attempted to block Power’s access and that Power provided users with tools that allowed them to access the Facebook website through Power.com demonstrates that Facebook expended resources to stop Power from committing acts that Facebook now contends constituted Section 502 violations.
This is a bootstrapped type of loss that will be true in almost every anti-server use case.
The court then takes a decidedly less favorable turn when it comes to the authorization/permission question. Many CFAA rulings have allowed user agreements to delimit the authorized use of the plaintiff's servers. The court rejects that approach here, saying, in effect, that because Penal Code 502 is a criminal statute, allowing the user agreement to establish the boundaries of permitted server use is improper. I agree with that statement (some of you may recall my posts about the Lori Drew prosecution, conviction and dismissal). However, I would note Facebook's lawsuit is a civil case, not a criminal case, so the court could have distinguished between the legal requirements of criminal and civil cases. In particular, it was odd to see the court discussing constitutional limits to criminal prosecutions in a case where neither litigant really cared directly about the scope of criminality.
Even if the contract does not provide adequate notice to defendants, the court allows plaintiffs to delimit the permitted/authorized use of their severs technologically, and transgressions of those technological limits appears to satisfy the Penal Code 502 requirements and the constitutional protections applicable to a criminal prosecution. The court says:
the Court finds that accessing or using a computer, computer network, or website in a manner that overcomes technical or code-based barriers is “without permission,” and may subject a user to liability under Section 502.
This is because defendants are adequately put on notice when they encounter a technical block and try to route around it; therefore, with the technical block requirement, the statute will satisfy even the more stringent notice requirements of criminal law. There remained a factual dispute about Facebook's technical blocking efforts in this case based on the procedural posture of the case, so that point remains open for now.
If this case ends up setting the precedent that a user agreement cannot set the boundaries of authorized uses of computer servers in the California Penal Code Sec. 502 context, then this is a pretty important ruling. However, I don't really believe that result will necessarily be reached in other cases, especially given that Judge Ware disagreed with Judge Fogel's ruling in Facebook v. ConnectU on the same question.
In Cyberlaw I teach that an anti-computer trespass civil claim satisfying the four elements will probably win:
* Third party system use
* Actual notice that use unpermitted
* Technological self-help
If Facebook can show these four elements, it has a good chance at winning the Penal Code 502 case; indeed, this ruling indicates that under Penal Code 502, the damage element is easy to meet and the notice/self-help elements effectively merge together. If you are prepping an anti-trespass case, the more clearly you can show all four elements, the more likely the court will find a legal doctrine to help you.