In Facebook’s Lawsuit Against Alleged Spammer, Court Denies MaxBounty’s Motion to Dismiss

[Post by Venkat Balasubramani]

Facebook v. MaxBounty, 10-Cv-04712 (N.D. Cal. Sept 14, 2011)

Facebook is suing MaxBounty for allegedly running an affiliate network which dupes people into fanning Facebook pages, promoting the page to their friends, and signing up for third party offers, all based on the promise of free items. Facebook brought a variety of claims, including common law fraud, CAN-SPAM, and the Computer Fraud and Abuse Act. The court previously found that Facebook wall posts can be considered “electronic mail messages” and thus are subject to CAN-SPAM. (Here’s my post on this ruling: “N.D. Cal.: Facebook Posts are Electronic Mail Messages, Subject to CAN-SPAM.”) However, the court said that Facebook had to be more specific regarding some of its allegations. This time around, the court finds that Facebook’s allegations are sufficiently specific, and denies MaxBounty’s motion to dismiss.

Fraud claims: Facebook alleged that MaxBounty’s affiliate manager knew of and encouraged an affiliate that offered a free IKEA gift card. The affiliate manager allegedly provided technical assistance, assured the affiliate that the affiliate’s actions were kosher and, when the affiliate expressed hesitation, offered the affiliate $30,000 to continue. Interestingly, the court doesn’t quite specify what the fraudulent statements were and who was deceived by them. In some ways, this case is somewhat reminiscent of the Reunion.com case involving an alleged “spam a friend” scheme, while that case addressed the issue of whether claims under California’s spam statute were preempted by CAN-SPAM. One other difference is that in this case, Facebook is the one bringing the fraud claims and it’s unclear how Facebook has been duped. The court allows the fraud claim to go forward and also allows claims for aiding and abetting the fraud and for conspiracy.

CAN-SPAM claims: MaxBounty argued that Facebook’s allegations fail to make out a claim that MaxBounty “procured or induced” the transmission of messages at issue. MaxBounty also argued that Facebook failed to specify how the messages at issue contained materially false header information. The court rejects these arguments, noting that the messages sent as part of the campaign do not identify MaxBounty as “the initiator” despite the fact that MaxBounty “initiated the messages by inducing Facebook users to execute malicious computer code that cause[d] messages to be sent automatically to all of their Facebook ‘friends’.”

Computer Fraud and Abuse Act claims: The court refuses to dismiss the CFAA claim, finding that access in violation of the stated restrictions (with a predicate act) can violate the Computer Fraud and Abuse Act. MaxBounty argued that because Facebook granted MaxBounty permission to access the site, MaxBounty did not engage in any “unauthorized access,” but the court says no (citing to U.S. v. Nosal).

__

There are some interesting issues raised in the three claims discussed in the court’s order, but since this lawsuit involves a large network trying to police against alleged spam, the court doesn’t give MaxBounty’s arguments a detailed treatment they may have otherwise deserved. As in many other cases where networks try to shut down interlopers, the causes of action end up being stretched pretty thin.

In the prior post, I mentioned that treating Facebook messages as email messages that are subject to CAN-SPAM does not necessarily jibe with the statute or its requirements. The court says that “none of the messages in question [identified] MaxBounty as the initiator.” The court is not specific about what types of Facebook messages were involved, but it’s possible to see the practical limitations of including this type of a notification on a Facebook message. This is one of the potential problems with calling messages on social networks “electronic mail messages” that are subject to CAN-SPAM.

The CFAA claims similarly push the envelope. Terms of use-based CFAA claims are widely recognized as being overly broad and encapsulating innocent conduct. (Facebook users better watch out!) Senators Franklin and Grassley recently proposed an amendment that would, among other things, remove access in excess of terms of use from the definition of “exceeding authorization.” The court also does not get into the issue of whether MaxBounty can be held liable for the CFAA violations of third parties, a proposition that does not have clear support in the text of the statute or the case law.

Another thing to consider is that Facebook is a platform, and will be subject to attacks from third parties that seek to hold Facebook liable for the actions of third parties in its ecosystem. Could Facebook’s overly broad legal arguments come back to haunt it? Mike Masnick makes a similar point about Craiglist’s enforcement efforts here: “Craigslist Trying To Destroy The Life Of Someone Who Made Posting To Craigslist Easier.” Facebook has ample legal hooks to go after rogues on its network, and it may want to think twice about going in with guns blazing and creating bad precedent in the process.