February 21, 2012
Facebook Gets Decisive Win Against Pseudo-Competitor Power.com -- Facebook v. Power.com
[Post by Venkat Balasubramani, with comments from Eric]
Facebook, Inc. v. Power Ventures, Inc., et al., C 08-05780 JW (N.D. Cal.; Feb. 16, 2012)
The long-running dispute between Facebook and Power Ventures came to a close last week, with Judge Ware granting Facebook’s motion for summary judgment on Facebook's claims under CAN-SPAM, California Penal Code section 502, and the Computer Fraud and Abuse Act. The power.com domain name went up for auction in 2011 and it appears that the domain name was not owned by Power Ventures, the defendant in this lawsuit. [Update: see an update below regarding the ownership of the domain name.]
Facebook alleged that Power Ventures allowed Power.com users to access their Facebook profiles through Power.com’s interface, and also induced its users to send emails to other Facebook users telling them to try out Power.com. The specifics of how Power Ventures' conduct differed from other Facebook apps isn't entirely clear, although it is clear that Power.com did not participate in Facebook’s authorized developer program, and Facebook undertook some technical efforts to prevent the access of Facebook by Power.com and its users. As with the enforcement efforts of many networks, Facebook’s approach here raises some questions as to how courts will view other similar efforts of people who are a part of the Facebook ecosystem. The big question Professor Goldman always raises--and I think is relevant here--is to what extent there may be blowback from this ruling to Facebook (or its partners) in other cases. The case also raised data portability issues and issues relating to the scope of California Penal Code section 502. Likely for this reason, EFF participated as an amicus.
Standing: The first question regarding Facebook’s CAN-SPAM claims was whether Facebook had standing to sue. Citing Gordon v. Virtumundo, the court says that Facebook has standing under CAN-SPAM to the extent it can show that it suffered harm that is of the type “uniquely encountered by” providers of internet access services. Virtumundo said end users don’t have standing under CAN-SPAM, and end users cannot manufacture standing by casting themselves as ISPs. The plaintiff in that case signed up for hosting services provided by third parties and did not suffer any particular “adverse effects” from the spam, other than the annoyance of having to delete it. Here the court says that the evidence produced by Facebook demonstrates that it suffered unique adverse effects as an ISP: (1) Power.com users sent approximately 60,000 emails, and (2) Facebook undertook specific efforts to stop these emails. (The evidence offered by Facebook seemed equivocal as to whether it was directed to stopping unwanted communications from Power.com end users or whether Facebook was concerned with restricting Power.com's access of Facebook's networks. Facebook's enforcement efforts spilled over into both categories, but the evidence seemed more suited to a Computer Fraud and Abuse Act claim than a CAN-SPAM claim.)
Did Power.com ‘Initiate’ the Messages: CAN-SPAM defines "initiate" to include those who “originate or transit” a message, or “procure” its origination or transmission. Routine conveyance of a message is excluded from the definition of initiate. Facebook argued that Power.com initiated the messages because it ran a contest for Power.com users signing up their Facebook friends (if you signed up more than 100 users, Power.com would pay you $100). The court concludes that this inducement is sufficient to categorize Power Ventures as one of those who “initiated” the messages, even though end users selected which friends would be emailed, and Facebook’s servers filled in the header information when the user requested an email to be sent.
Were the Emails Misleading: The final question with respect to the CAN-SPAM claims were whether the messages were misleading in any way. Power.com understandably argued that the messages were sent through Facebook, came from a Facebookmail.com email address, and therefore the messages could not contain any misleading header information. Power.com also argued that text of the messages contained information about Power.com, and Power.com could not have changed the headers of the emails because it did not have any control over the headers. The court says all of this is irrelevant:
[the] emails did not contain any return address, or any address anywhere in the e-mail, that would allow a recipient to respond to [Power.com]. Thus, as the header information does not accurately identify the party that actually initiated the e-mail within the meaning of [CAN-SPAM], the Court finds that the header information is materially misleading as to who initiated the email.
Whoa. The court does not cite to Mummagraphics, where the 4th Circuit rejected the same basic argument. (See "Fourth Circuit Rejects Anti-Spam Lawsuit--Omega World Travel v. Mummagraphics.") Mummagraphics' key holding is that in order to be actionable, an email header must be materially misleading, and if there the recipient would reasonably know where the email was coming from then there should be no CAN-SPAM violation. Here the emails were sent through Facebook's platform by end users, so Power Ventures has an even better argument than the defendant in Mummagraphics that the header information was not misleading.
California Penal Code Section 502
We also need to do some planning to make sure we [access data from Orkut] in a way where we are not really detected. Possible rotating IP’s or something. Don’t really understand this too well. . . . . We need to plan this very carefully since we will have only one chance to do it.
In granting summary judgment, the court says there is no reason “to distinguish between methods of circumvention built into a software system to render barriers ineffective and those which respond to barriers after they have been imposed.”
Computer Fraud and Abuse Act Claim
The court also grants summary judgment on the Computer Fraud and Abuse Act claim, finding that the access of Facebook’s servers by Power.com was “without authorization,” and Facebook satisfies the $5,000 damage threshold.
This case looked like it was teed up to highlight a data portability issue and the question of whether Facebook can keep third parties who don’t go through its authorized developer channels but who act at the request of end users out of its network. The court’s decision gives short shrift to both of those issues. There is probably not much precedent to the contrary (if any), but Power.com’s access of “information” from Facebook’s servers was ostensibly done at the request of Facebook end users, and the information that Power.com extracted was the contact information (friend lists) of Facebook end users. Thus, Facebook's allegations regarding Power.com's actions shouldn't in theory come within the Computer Fraud and Abuse Act. True, there were some additional facts which made Power.com’s arguments tougher from an optics standpoint, but the end result is that if users want to access data, they have to do so on Facebook’s terms, and may not do so using a third party tool that is not a part of Facebook’s developer platform. (To my knowledge, the Computer Fraud and Abuse Act as written does not look to whose data is accessed, so the statute allows the result achieved by Facebook in this case.)
The CAN-SPAM ruling is remarkable--and screwy--on a number of levels. Several courts have ruled that emails sent through networks (such as MySpace or Facebook) are covered by CAN-SPAM, but those decisions did not confront the practical issue of how an emailer can comply with CAN-SPAM with respect to emails that are sent by an end user via a network such as Facebook--i.e., where those who "initiate" a message cannot alter the content of the messages. (See "N.D. Cal.: Facebook Posts are Electronic Mail Messages, Subject to CAN-SPAM -- Facebook v. Maxbounty.") I wonder whether Facebook considered the practical aspects of this ruling: retailers who send messages through Facebook are not CAN-SPAM compliant! End users don’t have standing to sue, but retailers and companies who induce end users to send messages through their friends can be considered to "initiate" these messages, and under the court’s ruling, since the messages come from Facebook (via facebookmail.com) and do not contain the retailer's header information, these message are materially misleading under CAN-SPAM.
Update: I originally speculated whether Facebook would try to go after the power.com domain name or the proceeds of the auction. Via email, Scott Smith, the CEO of RokME Inc., who is brokering the sale of the power.com domain name, reminded me that the power.com domain name was leased to Power Ventures:
Several years ago Power Assist Inc. the owner of Power.com leased the domain to Power Ventures Inc. During the course of the lease Power Ventures Inc. operated Power.com as a social network aggregation site and did some things that Facebook disagreed with. At that time Facebook sued Power Ventures Inc. and by association, Power.com was noted in the filings. That is the only connection.
The lease on the domain Power.com ended last February. Once the lease ended the owner was free of any further obligations and decided to sell the domain. My company - RokMe Inc. was hired to broker the sale. . . .
Since that time there has been no connection with Power Ventures Inc. or its owner Steve Vachani. It has taken this long for the case to wind its way through the courts and because of the earlier association, the domain Power.com was unfortunately caught up in the web of their legal wrangling.
Ugh. Bad facts make bad law, and this case has plenty of badness to go around. Power.com was a lousy poster child for a test case on data liberation. Yet, the court's results are troubling for everyone--including Facebook!--and I can only hope future courts recognize the opinion's goofiness when deciding whether to accord it any weight.
The CAN-SPAM ruling is the most troubling. Running through the elements tendentiously, the judge finds a technical violation of the CAN-SPAM elements, but this element-by-element review leads to a tone-deaf outcome overall. Stripping away the detail, users were using Facebook's messaging tools to talk with each other. Sure, Power.com was interested in that conversation and facilitated it in a number of ways, but calling Power.com a spammer because users talked to other users is baffling. It's a little like the misguided underpinnings of the FTC Endorsement and Testimonial Guidelines; this case similarly treats Power.com like an "advertiser" and thus makes it liable for how users talked to each other. Huh?
As Venkat points out regarding retailers, this ruling could set up other Facebook users for a similar fate if they get Facebook users to use Facebook's native tools to talk to each other. This could be counterproductive for Facebook's long-term interests if businesses (and others) start to fear that Facebook now has the discretion to sue them as a spammer whenever it wants.
Similarly counterproductive to Facebook's interests is the expansive interpretations of the CFAA and Penal Code 502. Facebook grabs a lot of content from third parties without permission--for example, every time a user posts a link, Facebook grabs and republishes snippets of the linked page without permission. Is that a CFAA/502 violation BY FACEBOOK? Facebook might have other defenses, but it seems to have negated any "we're just a proxy for the users" defense. Because I'm a cyberlaw purist, I hope Facebook doesn't get hoisted on its own petard; but if it ever does happen, it will be hard to suppress a slight schadenfreude smile.
Clearly, though, Facebook is signalling that it won't download email addresses from third party sources like Gmail without the third party's permission--like for its "find a friend" feature. After all, even if Facebook has the user's permission to access the user's own data, that's legally meaningless without the data source's permission as well. The net result is that data sources can erect fences around user data despite the user's wishes.
Indeed, the most tone-deaf aspect of the ruling is the anti-competitive backdrop to Facebook's enforcement action, which doesn't even get a nod from this opinion. Personally, I would not have trusted Power.com with my personal data, so losing them as a competitive option is no big deal to me. Facebook positions this case about user protection. Their formal statement: "We are pleased that the court ruled in our favor. We will continue to enforce our rights against bad actors who attempt to circumvent Facebook's privacy and security protections and spam people," said Craig Clark, Lead Litigation Counsel, Facebook. But I don't find it all that credible that Facebook was motivated solely by a desire to protect us as users from a dangerous Power.com. (Indeed, I believe Power.com could have sucked down an immense amount of user data through Facebook's APIs with, at most, minimal oversight by Facebook). The other obvious possible motivation: Facebook didn't like Power.com's competition, so it shut down Power.com's access to Facebook's users. With its massive leadership in its niche, it seems only a matter of time before antitrust regulators start sniffing around Facebook. Its enforcement action against Power.com probably won't spur that, but Facebook will have to tread cautiously with future blatant shutdowns of competitors.