Can Facebook Stop Data Snarfers?–Meta v. BrandTotal
I refer to “data snarfers” as businesses that aggregate (via scraping or APIs) lots of sensitive online personal information to offer analytics, business/competitive intelligence, and similar services. Academic researchers can also fit this paradigm. Many of these businesses legitimately fill important niches in the competitive space, but others are sketchy or outright illegitimate, such as Cambridge Analytica. Any legal policy that encourages data snarfing must simultaneously contend with the potentially anti-competitive and anti-social effects of preventing legitimate players from snarfing, along with the potentially massive privacy and security risks that data snarfers create. How can we reconcile laws that promote pro-competitive data snarfing with regulatory demands to give consumers greater control over their private information? These questions are being addressed (in mostly unsatisfactory ways) in litigation involving hiQ and BrandTotal. This blog post will show how data snarfers vex the courts and expose unfortunate gaps in existing legal doctrines.
* * *
BrandTotal “provides advertising consulting services to corporate clients regarding how those clients’ and their competitors’ digital advertisements are presented to social media users.” To do this, it provides financial incentives to Facebook users to install researchware which lets BrandTotal metaphorically look over those users’ shoulders. BrandTotal’s initial software proactively pinged Facebook and collected responsive information. After the preliminary stages of this litigation, BrandTotal revised its software so that it “merely logs information that Facebook transmits to the user about advertisements in the course of the user’s regular interaction with the website, as well as demographic information that the user specifically enters into UpVoice.” It also uses its own Facebook accounts (called Muppets) to collect information.
Facebook cracked down on BrandTotal and got its researchware kicked out of Google Play. Facebook sued BrandTotal on October 1, 2020, which the court treats as a revocation of BrandTotal’s rights to access Facebook’s servers. The following Facebook claims are still active:
(1) breach of contract, citing the Facebook and Instagram terms of use; (2) unjust enrichment; (3) violation of the Computer Fraud and Abuse Act; (4) violation of California’s Comprehensive Computer Data Access and Fraud Act (“CDAFA,” Cal. Penal Code § 502); (5) intentional interference with Meta’s contracts with its users; and (6) violation of the “unlawful,” “unfair,” and “fraudulent” prongs of the UCL
The parties have vigorously litigated this case. The caption lists 8 BrandTotal lawyers, primarily from Husch Blackwell, and 11 Facebook lawyers from Wilmer Hale (plus at least 4 more from other firms), and they have marshaled some arcane/picayune arguments in an attempt to win at apparently any cost. That adds up to a lot of legal fees. 🤑
Despite (or because of?) the lawyers’ voluminous output and tendentiousness, the judge snarks at both lawyer teams. As just one example (there are a couple dozen such zingers in the opinion): “Meta cites Sheppard, Mullin for the proposition that contracts may only be invalidated as contrary to public policy where they implicate express law, which is the opposite of what that case says.” Oof. I imagine the paying clients were not thrilled to see the judge snarking on their very expensive lawyers.
This 68 page opinion is overwhelming, complicated, and confusing. At the end of it, see if you know if and when Facebook can shut down data snarfers. My topline conclusion: ¯\_(ツ)_/¯
Is Facebook’s TOU Void for Public Policy or Unconscionable?
BrandTotal sought summary judgment that Section 3.2.3 from Facebook’s TOU (what I’ll call the anti-collecting provision) violates public policy and is unconscionable:
You may not access or collect data from our Products using automated means (without our prior permission) or attempt to access data you do not have permission to access.
The court spends 20 pages analyzing the arguments. Law students, this is one of many reasons why your 1L Contracts class is so important. Many hundreds of thousands of dollars of legal fees were spent on these 29 words.
On the void-for-public-policy front, the court starts out by saying: “Meta has at least some interest in policing the manner in which users access data on its social networks—an interest that is at least to some degree shared by its users.” With that framing, the court then addresses BrandTotal’s workaround attempts.
The CCPA/CPRA Attack
BrandTotal argued that the CCPA and CPRA overrode the anti-collecting provision. These arguments were so weak that I can’t believe BrandTotal’s legal team thought they were worth making. (On the plus side: a rare excuse to display both the CCPA and CPRA memes in same post! 🎉).
With respect to the CCPA: “If the CCPA, as duly enacted, in fact established a policy requiring Facebook to allow the sort of access at issue here, the Court would expect BrandTotal to be able to cite some part of the legislation itself, as opposed to merely a sponsor’s aspirational comment in support of its passage.” The court also notes that the CCPA’s right-to-know might permit consumers to find out which ads they were shown, but that doesn’t help BrandTotal snarf the data from consumers’ computers automatically.
With respect to the CPRA, the court points out that it’s not even law yet. (It takes effect January 1). Furthermore, “the CPRA creates substantive law establishing a variety of specific rights, obligations, and procedures—most of which relate to consumers’ rights to understand and limit the manner in which businesses use their personal information, not to expanding the means by which users can interact with social media platforms. BrandTotal has not cited any substantive, codified provision of the CPRA that prevents Meta from enforcing section 3.2.3, and the Court hesitates to infer that the voters intended that effect when they did not enact any law governing the conduct at issue.”
The court acknowledges the argument that “allowing users to record and sell data regarding the advertisements that Facebook shows them would further a public policy of establishing user ownership of personal data and empowering users to share in the financial benefits that flow from that data.” On the other hand, the “potential for automated access and collection of data from a social networking platform to weaken consumer privacy is fairly obvious: many users choose to share information with only certain people, and might reasonably expect that the platform would prevent other users from automatically recording that data and selling it to data aggregators or other third parties for commercial use. While BrandTotal’s programs did not, at least for the most part, collect third-party personal information directly implicating such concerns, that privacy interest nevertheless reflects a valid public policy interest acknowledged in the CPRA and weighing against invalidating contractual prohibitions on unauthorized automated data collection.” Overall, the conflicting norms are enough for the court to reject the void-for-public-policy argument based on the CPRA.
The Antitrust Attack
BrandTotal claimed that the anti-collecting provision was void-for-public-policy because it restricted marketplace competition. However, BrandTotal never accused Facebook of violating antitrust law. BrandTotal instead claimed that Facebook’s clause violated the “spirit” of antitrust law.
The court responds: “BrandTotal has not identified any unusual circumstances of this case that would threaten competition while evading antitrust enforcement under the actual terms of the antitrust laws, nor has it shown a violation of the antitrust laws.” In a footnote, the court adds that BrandTotal didn’t overcome Facebook’s “refusal to deal” prerogative because it made the “essential facilities” argument too late. BrandTotal also tried a stretch argument that Facebook’s provision violates B&P 16600, but it goes nowhere.
With respect to the hiQ precedent, the court says:
The Court therefore does not construe hiQ as suggesting that a contract can be invalidated for its purportedly anticompetitive effects without a showing of harm to competition through the established framework of competition claims, i.e., either the rule of reason or special circumstances recognized as warranting heightened scrutiny.
The Free Speech Attack
BrandTotal indicated that Facebook’s provision conflicted with the US and CA constitutions. The court basically says “what are you even talking about?”:
Nor is it otherwise clear that the effect of this access restriction so burdens users’ ability to speak to what they have seen on Facebook that policies underlying the First Amendment require declaring it unenforceable….BrandTotal’s general interest in free flow of information is defined too vaguely to support setting aside a contract regarding means of access without a showing that the courts or legislature have determined that interest outweighs the competing interest in enforceability of contracts under comparable circumstances.
After 14 hard-fought pages, the court concludes that Facebook’s TOU provision isn’t void-for-public-policy reasons.
Unconscionability
Facebook’s TOU is a contract of adhesion, which renders it procedurally unconscionable. However, the court says it’s not that bad in the context of a sophisticated business party like BrandTotal: “BrandTotal is a business built around collecting data from social networks and other websites. It would reasonably have been expected to seek out and understand those terms before agreeing to them.”
BrandTotal pointed out that the anti-collecting provision survives contract termination, to which the court replies: “it is not manifestly unreasonable for a user to agree, in return for the free services that Meta provides, not to subvert the rules regarding automated access that Meta has put in place for its platforms, even after termination of an account.”
So, after 20 arduous pages, the court concludes that Facebook’s anti-collecting provision is potentially enforceable.
BrandTotal’s Breach of Facebook’s TOU
The court says BrandTotal remains bound by the anti-collecting provision, even after termination. Plus, BrandTotal still has some Muppet accounts. So the TOU applies to BrandTotal.
As for breach, the court says BrandTotal “waived any argument that UpVoice 2021—or any other conduct alleged in Facebook’s amended complaint—did not violate the terms of use as written.” Wait, what? After 20 pages pounding on the anti-collecting provision’s legitimacy, BrandTotal just gave up on the breach angle? In a footnote, the court adds: “There is perhaps some tension between this holding and the Court’s holding below that UpVoice 2021 does not access Meta’s servers for the purpose of the CFAA. Any such tension results at least in part from BrandTotal’s waiver of arguments with respect to breach of contract. The Court does not reach the question of whether BrandTotal could have prevailed on the question of whether UpVoice 2021 breaches section 3.2.3 had it preserved that argument.” So the court is acknowledging internal tension in its own opinion and blaming BrandTotal’s lawyers for this. UGH. What does this ruling imply for any future litigant? Apparently, nothing.
The amount of damages will go to trial.
Facebook’s Trespass to Chattels Claims (CFAA/502)
The court says the CFAA and 502 elements are essentially the same except for the CFAA’s requirement of $5k of loss.
BrandTotal’s new software (UpVoice 2021) only gathers information from users’ computers, not by pinging Facebook’s servers. “Meta cites no case extending the CFAA to comparable conduct, and the statute is at most ambiguous as to whether it could encompass BrandTotal analyzing data on users’ computers that the users are authorized to access from Facebook. Under the rule of lenity, the Court is required to construe such ambiguity narrowly, and holds that the statute does not encompass UpVoice 2021’s data collection, at least where it is installed by individuals who are not subject to any sort of direction by BrandTotal.”
With respect to BrandTotal’s access to non-password-protected pages, the court treats Facebook’s lawsuits as revoking access authorization. Nevertheless, the court dismisses the claim based on hiQ:
where a website is made available to the public without any authentication requirement in at least the first instance, “the concept of ‘without authorization’ does not apply,” even if the owner employs technological measures to block specific users, suspicious activity, or—as here—repeated access beyond a particular threshold. To hold otherwise could bring conduct ranging far beyond the CFAA’s purpose of preventing “hacking” within its scope of potential criminal liability, such as a user accessing a newspaper’s website from a smartphone after receiving notice on their computer that they had reached their monthly limit of free articles. The precedential decision in hiQ and the rule of lenity foreclose such an interpretation of the statute.
So, if Facebook wanted to lower the gates on BrandTotal (or raise them, depending on the portcullis/fence metaphor) accessing the “public” pages on Facebook, what can/should Facebook do? ¯\_(ツ)_/¯
The question of BrandTotal’s access of password-protected pages post-revocation gets sent to trial. The court says that, despite possibly contrary language in Van Buren and hiQ, Facebook’s investigative costs can count towards the $5k loss requirement. Facebook incurred $98k in its incident response, and the jury will decide if $5k or more relates to BrandTotal’s unauthorized access. However, Facebook won the 502 claim because any loss suffices.
As for unauthorized access:
- BrandTotal’s legacy access of Facebook’s servers through its users’ software constituted unauthorized access per Power Ventures. “it is of no consequence whether BrandTotal had permission from its panelists to use their accounts for data collection. Once Meta revoked BrandTotal’s authorization to access its platforms, BrandTotal’s continued use of its various programs to actively collect data while panelists were logged into Facebook—which it had the power to stop, but did not before February of 2021—violated the CFAA.”
- BrandTotal’s post-revocation direct access to password-protected areas violated the CFAA/502.
- Citing Van Buren, the court says “hiring an authorized intermediary to obtain data from a computer the principal is not authorized to access does not violate the statute.”
Other Rulings
- Facebook won part of its unfair competition claims that mirrors other parts of the ruling.
- BrandTotal’s tortious interference counterclaim fails because Facebook justifiably felt that BrandTotal was violating its TOU when it got Google Play to pull the plug.
Implications
This ruling is confusing in part because it’s hard to say who won. Superficially, Facebook won several key rulings, including the breach of contract claim (despite the fact that the court acknowledged the implicit conflict with the CFAA/502 ruling) and parts of the CFAA/502 claims. However, we can’t gauge the full impact of this win until we see what remedies Facebook will get. Will BrandTotal’s damages be sizable/business-ending? What will be the scope of Facebook’s injunctive relief, if any? Those outcomes will dictate what implications this ruling has for BrandTotal’s current researchware, which wasn’t restricted by the CFAA/502, and perhaps give us a little more clarity about the legitimacy of similar data snarfers going forward. Of course, there will be an obligatory stop at the Ninth Circuit before then…
Case citation: Meta Plattforms, Inc. v. BrandTotal, Ltd., 2022 WL 1990225 (N.D. Cal. June 6, 2022)