Facebook Can Block Scraper (For Now)–Facebook v. BrandTotal

BrandTotal offered a Chrome extension called “UpVoice.” Once installed, the extension allegedly scraped public and non-public information from the users’ Facebook and Instagram accounts. Facebook attempted to crack down on the extension. It terminated BrandTotal’s Facebook and Instagram pages and sued to shut down the extensions. Google kicked the extension out of its web store, which disabled the extension’s functionality. After this crackdown, BrandTotal allegedly created new Facebook and Instagram accounts and reuploaded a retitled version of its extension to the web store. BrandTotal also counterclaimed against Facebook. The court denied BrandTotal’s TRO.

Irreparable Harm. BrandTotal made a prima facie showing of irreparable harm because “BrandTotal is a small and growing business that has been forced to suspend a major portion of its operations.”

Interference With Contract. The court says BrandTotal is “likely to succeed in showing that Facebook knew BrandTotal had entered contracts where its performance depended on the data it collected.” It further showed that the ads at issue are public, users consent to the extension’s operation, users have a significant interest in their profile data, and Facebook doesn’t have a privacy or IP interest in that data.

Nevertheless, Facebook’s actions had a legitimate business purpose in cracking down on the extension:

Facebook [has a] general interest in policing access to the password-protected portions of its networks…Users on Facebook’s networks choose share information with specific people, and could reasonably be expected to rely on Facebook’s privacy settings and terms of use to prevent automated collection of that information by third parties

Also, “Facebook is bound by an order from an FTC enforcement action requiring it to enforce its terms of use against third parties that have access to users’ information.” It appears this obligation applies to BrandTotal.

Though Facebook didn’t have a protectable privacy interest, the extension raised privacy concerns. First, Facebook believed that “BrandTotal had a history of collecting user data in ways that posed risks to security and privacy.” Second, the extension collected information from non-consenting users on shared computers.

Thus, Facebook could legitimately require:

companies like BrandTotal who seek to collect such data to coordinate with Facebook and obtain approval, even when those companies have no malicious intent and have endeavored to protect users’ privacy and obtain their consent. Facebook provides application programming interfaces (“APIs”) and other “approved means” for users to share their data with third parties. The record indicates that, thus far, BrandTotal has not requested access through those means.

The court summarizes:

To the extent that Facebook’s denial of access to BrandTotal was based on BrandTotal’s failure to coordinate with Facebook and seek approval through established channels, and on Facebook’s perception that BrandTotal had a history of collecting user data in irresponsible ways, the balance tips in favor of allowing Facebook to enforce its prohibition against unapproved automated access. On the other hand, to the extent that Facebook might have been motivated by a desire to prevent BrandTotal from competing against Facebook in the market for advertising analytics, the balance would favor granting relief in order to foster competition and innovation, and allow BrandTotal to honor its contracts with its customers. The apparent failure of either party to initiate dialog as to how BrandTotal might obtain approval from Facebook to conduct that business leaves an open question of Facebook’s intent, and whether Facebook would approve access by BrandTotal if it worked within Facebook’s protocols for authorizing access. The Court concludes that BrandTotal has raised serious questions as to the merits of this claim, but on the current record, it has not established a likelihood of success

I mean, who wins interference with contract claims? Those claims are like moonshots. The fact that it’s even close here reflects the perniciousness of the hiQ v. LinkedIn ruling. The hiQ ruling is leading courts to consider giving free passes to every dubious data snarfer to grab whatever data they want, under the dubious premise that a service’s effort to crack down on them must be pretextually anti-competitive. The Ninth Circuit made this mess. They need to clean it up.

Unfair Competition. Even if Facebook’s TOS says that users own their own data, that doesn’t prevent Facebook from restricting how they access their data.

TOS Restriction on Automated Access. BrandTotal argued that it had not made “automated’ access of Facebook in violation of Facebook’s TOS. The court says BrandTotal’s interpretation “defies any reasonable meaning of that term….BrandTotal designed a computer program to systematically identify, capture, and transmit certain types of data from Facebook’s products without user intervention.” Thus, BrandTotal wasn’t entitled to a declaratory judgment that it didn’t violate the TOS.

Balance of Equities.

Facebook has legitimate interests in maintaining public confidence in its products and avoiding potential liability for data privacy breaches. Ordering Facebook to allow access by BrandTotal, without BrandTotal completing Facebook’s usual vetting process and using the standard APIs for obtaining users’ permission to access their personal data, risks some degree of harm to public confidence in Facebook’s data protection. As for potential liability for a breach, the current record does not indicate major vulnerabilities that would result from the UpVoice product specifically—except perhaps as to the users who have installed UpVoice, and others who might share their computers—and Facebook is unlikely to face liability for complying with an order of this Court requiring it to grant access. The Court also notes that Facebook has endured unauthorized access by BrandTotal for some time, including the several-month period since it began its investigation of BrandTotal in April of this year, without suffering any significant harm that it has identified in the current record. Nevertheless, the potential harm to Facebook’s reputation that could result from granting BrandTotal’s motion—and ordering Facebook to tolerate automated data collection from password-protected portions of its network, by a third party Facebook has not vetted and approved—is serious.

On the other hand, BrandTotal is not able to operate its business while it lacks access to Facebook’s products. As discussed above in the context of irreparable injury, BrandTotal is losing customers, faces new difficulty attracting investment, and is at risk of eventually shutting down. Weighing the potential harm to only the parties to this case, BrandTotal faces far greater consequences from the denial of a TRO than Facebook would suffer if the TRO were granted and BrandTotal’s access restored pending the conclusion of litigation. The balance of equities therefore tips in favor of BrandTotal.

Seriously? The data snarfer has the balance of equities tipping in its favor? Blame hiQ.

Public Interest

BrandTotal’s access to Facebook users’ data circumvents Facebook’s privacy settings. Although users separately consent to sharing most if not all of the data at issue when they install the UpVoice browser extension, BrandTotal’s method of operating outside of Facebook’s platform and APIs means that users who later review their Facebook privacy settings will not see BrandTotal among the third parties with whom they have agreed to share information, and any subsequent changes that users make to their Facebook privacy settings will not limit the information that is shared with BrandTotal. Such circumstances could render Facebook’s privacy settings “deceptive” and create risk of users being “misled”—some of the concerns that spurred the FTC’s enforcement action. Moreover, requiring Facebook to set aside in this instance its normal requirement that third parties seek and obtain Facebook’s permission before collecting data using automated means would mandate the sort of inconsistent enforcement of Facebook’s policies that also concerned the FTC….

Allowing a third party like BrandTotal to compete with Facebook to provide data analytics services about advertising campaigns on Facebook’s networks—advertising for which Facebook is already compensated by the advertisers—would be consistent with a strong public interest in “maximizing the free flow of information on the Internet” and fostering competition and innovation. On balance, however, the Court is not satisfied that those interests wholly prevent Facebook from vetting or regulating third parties that seek to automatically collect large quantities of user data from nonpublic portions of Facebook’s networks….

if Facebook could not take steps to block access by third party developers unless it first builds a strong case of actual harm to its users—without the benefit of the developer working with Facebook to explain its product’s operation and safeguards—malicious actors would likely enjoy longer periods of access to users’ data before facing any enforcement

Implications. As I’ve mentioned in the hiQ post, scraping cases pose a complex mélange of policy considerations, so it’s not surprising that courts are struggling with them. However, the hiQ opinion is being misconstrued as carte blanche freedom for data brokers and analytics services to scrape without restriction. That isn’t the law, and I hope the courts correct that misimpression soon.

Case citation: Facebook Inc. v. BrandTotal LLC, 2020 WL 6562349 (N.D. Cal. Nov. 9, 2020)