Facebook’s Lawsuit Against Competitive Email Harvesting Continues–Facebook v. ConnectU

By Eric Goldman

Facebook, Inc. v. ConnectU LLC, 2007 WL 1514783 (N.D. Cal. May 21, 2007)

A universal truth of the digital era: a website displaying user email addresses will be targeted by email harvesters sweeping up those email addresses to spam the users–either to poach a competitor or to send bona fide spam. This is hardly a new phenomenon; I can’t believe it’s been almost a decade since eBay’s competitor Onsale harvested eBay users’ addresses and sent competitive spam (an action which prompted eBay to encourage users to adopt handles that weren’t the users’ email addresses).

Social networking sites have lots of user contact info that makes them juicy targets for the harvesters, so they have had to be particularly vigilant against spammers. In this case, Facebook sued a competitive social networking site, ConnectU, for a harvesting/spam attack. (This isn’t the only battlefront between the parties; in separate litigation, ConnectU claims that Facebook stole ConnectU IP). In this ruling, ConnectU moves to dismiss Facebook’s claims, with limited success.

The most interesting ruling relates to California Penal Code 502. If you haven’t looked at this statute recently, you’ll be amazed at its breadth and the fact that it provides for civil remedies in the penal code. The operative provision here restricts “Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network.” Apparently, ConnectU provided a tool that enabled Facebook users to provide ConnectU with their login credentials, which ConnectU then used to grab data from Facebook’s servers. (I tested on very similar facts in my 2006 Cyberlaw exam–see Q2). The court has no problem saying that, as alleged, ConnectU knew it was accessing Facebook’s servers and took data without Facebook’s permission. There have been other 502 rulings in California, but this ruling reminds us of the statute’s scope and its utility as an anti-trespass doctrine.

The court also dismisses (with a grudging leave to amend) Facebook’s various anti-spam statutory claims. First, the court holds that Cal. B&P 17529.4 and 17538.45 are both preempted by CAN-SPAM. I’ve lost track of all of the state anti-spam preemption cases, but I think it’s significant that the court casually wiped these two California statutes off the books. Second, the court dismisses Facebook’s federal CAN-SPAM claim because Facebook didn’t allege that ConnectU’s emails contained false/misleading header info. (Even if there was falsity, the Mummagraphics court suggests it would have to be material to be actionable).