We have written before about website operators' use of the federal Computer Fraud and Abuse Act (CFAA) to combat data scraping. We have also noted a number of recent cases in which courts held that social media platforms, rather than the users of those platforms, have the right to control content on and access to the relevant websites. A recent Ninth Circuit decision, Facebook v. Power Ventures, brings these two trends together.

Power Ventures, the defendant, operated a website that aggregated users' content, such as friends lists, from various social media platforms. In an attempt to increase its user base, Power Ventures initiated an advertising campaign that encouraged users to invite their Facebook friends to Power Ventures' site.

Specifically, an icon on the Power Ventures site gave users the option to "Share with friends through my photos," "Share with friends through events" or "Share with friends through status" and displayed a "Yes I do" button that users could click. If the user clicked the "Yes I do" button, Power Ventures would create an event, photo or status on the user's Facebook profile. In some cases, clicking the button also caused an email to be sent to the user's friends "from" Facebook stating that the user had invited them to a Facebook event.

Upon becoming aware of this activity, Facebook sent Power Ventures a cease and desist letter informing Power Ventures that it had violated Facebook's terms of use and demanding that Power Ventures stop soliciting Facebook users' information. Facebook also blocked Power Ventures' IP address from accessing Facebook. When Power Ventures changed its IP address and continued to access the site, Facebook sued, alleging among other things that Power Ventures had violated the CFAA. As we discussed at greater length in our previous article, the CFAA imposes liability on anyone who "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer."

In analyzing Facebook's CFAA claim, the court reasoned that Power Ventures did not access Facebook's computers

without authorization initially because "Power users arguably gave Power permission to use Facebook's computers to disseminate messages" and, accordingly, "Power reasonably could have thought that consent from Facebook users to share the promotion was permission for Power to access Facebook's computers." That all changed, however, when Facebook sent Power Ventures the cease and desist letter expressly rescinding whatever authorization Power Ventures may have otherwise had. According to the court, "[t]he consent that Power had received from Facebook users was not sufficient to grant continuing authorization to access Facebook's computers after Facebook's express revocation of permission."

The court employed a colorful analogy to support its reasoning:

Suppose that a person wants to borrow a friend's jewelry that is held in a safe deposit box at a bank. The friend gives permission for the person to access the safe deposit box and lends him a key. Upon receiving the key, though, the person decides to visit the bank while carrying a shotgun. The bank ejects the person from its premises and bans his reentry. The gun-toting jewelry borrower could not then reenter the bank, claiming that access to the safe deposit box gave him authority to stride about the bank's property while armed. In other words, to access the safe deposit box, the person needs permission both from his friend (who controls access to the safe) and from the bank (which controls access to its premises). Similarly, for Power to continue its campaign using Facebook's computers, it needed authorization both from individual Facebook users

(who controlled their data and personal pages) and from Facebook (which stored this data on its physical servers).

Accordingly, the court held that, following receipt of Facebook's cease and desist letter, Power Ventures intentionally accessed Facebook's computers knowing that it was not authorized to do so, making Power Ventures liable under the CFAA.

On one level, Facebook v. Power Ventures can be seen as a battle between two competing social media platforms over valuable user data. Certainly it is easy to understand why Facebook would object to Power Ventures poaching Facebook's data. But the case can also be seen as an example of social media operators exerting the right to control their platforms, and the content and data that users post to those platforms, even against the users' own wishes.

In this sense, one can place Facebook v. Power Ventures in the line of recent cases holding that, at the end of the day, it is the social media platform operator and not the user that controls the platform. And that is an important fact for individuals and companies to keep in mind when they are investing time and money to establish and maintain a social media presence on a platform controlled by someone else.