Get updates by email

Select Specific Blog Updates

Paul Zimmerman
pzimmerman@mrllp.com
310.299.5500

Photo of M&R Blog

© Tetiana Vitsenko/123RF.COM

Controversial Federal Court Ruling Could Shape Future of Computer Trespass Prosecution

In a controversial decision, the U.S. Court of Appeals for the Ninth Circuit has ruled that it is a federal crime to access a website after being specifically instructed not to by the site’s owner. The court ruled largely in favor of a now-defunct social networking business—Power Ventures, Inc. (“PV”) – finding that the internet startup did not violate an anti-spam statute. However, most strikingly, the court found that PV did violate an anti-hacking law when it tried to circumvent Facebook’s IP block during a promotional campaign. PV was adjudged to have violated the Computer Fraud and Abuse Act (CFAA) by accessing Facebook's site after the company told the startup to stop doing so. This decision has potentially massive implications going forward, as it clearly announces that social media companies, not users, ultimately control information shared on their platforms. Furthermore, it sets significant precedent regarding unauthorized access of websites.

Background

Power Ventures is a website that allows its users to aggregate their contacts across various social media sites. PV would also allow users to initiate an email blast promoting its product via Facebook. Facebook sent PV a cease and desist letter telling them that those actions violated its terms of use, and affirmatively forbade them from accessing Facebook’s website. Facebook also moved to block PV’s IP address. PC circumvented the IP block by changing IP addresses. Facebook sued alleging that PV violated the CFAA by accessing the website after the cease and desist letter and the CAN-SPAM Act (anti-spam law) for sending out the promotional emails.

Mixed Ruling

The Ninth Circuit held that PV did not violate the CAN SPAM ACT. Essentially the court found that because there was an affirmative step by which users could choose to accept to send out the PV promotional emails, and they were sent through Facebook, there was no violation of CAN-SPAM.

However, the Ninth Circuit held that PV did violate the CFAA. The crux of the Ninth Circuit’s decision was not that PV’s acts violated the terms of use of Facebook. Simply violating a website’s terms of use is not a violation of the CFAA.  Instead, the court held that once Facebook sent the cease and desist letter and blocked the IP, then PV’s attempts to access the website violated the CFAA’s prohibition of “intentionally accesses a computer without authorization or exceed[] authorized access, and thereby obtain[] . . . information from any protected computer.” By not abiding by the cease and desist letter and the IP address block, PV was intentionally working to access the website after they were told not to do so. The fact that the users expressly authorized PV to access the information was not enough to authorize access.

The Future of Computer Trespass

According to the Ninth Circuit’s ruling, a simple cease and desist letter from a website to any user could be enough to elevate a simple violation of the terms of use of a website into a violation of the CFAA. It will be interesting to see if subsequent courts require both a cease and desist letter AND an affirmative step like blocking an IP address.  Moreover, this holding places a great deal of power in the hands of major social media sites to control which parties are allowed to access information on their sites, even when users allow access. Third party marketing applications, whose business model is based on social media users sharing their passwords, will now think twice when cautioned by powerful social media companies like Facebook. The user is clearly not the party in control.

This blog post is not offered as, and should not be relied on as, legal advice. You should consult an attorney for advice in specific situations.