Last week, the Ninth Circuit limited the scope of the Computer Fraud and Abuse Act (CFAA) in affirming a grant of summary judgment against the defendant in Facebook, Inc. v. Power Ventures, Inc., et al. and affirmed the rule that accessing a website after receiving a cease and desist letter creates liability under the CFAA.

Computer Fraud And Abuse Act

The CFAA prohibits trespassing onto a computer system by parties who are either not authorized users or are exceeding authorized use. It criminalizes, among other things, “knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct further[ing] the intended fraud and obtain[ing] anything of value[.]”  18 U.S.C. § 1030(a)(4). The CFAA broadly defines a “protected computer” as a computer “which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication in the United States.” 18 U.S.C. § 1030(e)(2)(B). The CFAA also establishes a right of action for private parties who were injured by violations of its provisions. 18 U.S.C. § 1030(g).

Background

Power Ventures, Inc. (Power) operated a now-defunct social networking website, Power.com. Power users could create an account that aggregated their information from other social networking websites and display all their contacts from different networking sites on a single page.

In December 2008, as part of a promotional campaign, Power placed an icon on its website, which asked whether the user wanted to share an event, photo, or status on Facebook, and included a button with the words “Yes, I do!” If a Power user clicked the “Yes, I do!” button, Power would create an event, photo, or status on the user’s Facebook profile and cause a Facebook message to be transmitted to the user’s Facebook contacts. In some instances, based on the user’s settings, it would also generate an external email message, apparently from Facebook, to the user’s contacts. For example, if a Power user clicked the “Yes, I do!” button about sharing an event and created an event, her contacts might have received an external email apparently from Facebook about the event. These emails were form emails automatically generated every time the Facebook user created an event.

On December 1, 2008, Facebook learned about Power’s promotional campaign and sent a cease and desist letter to Power. When Power would not terminate its campaign, Facebook blocked its Internet Protocol (IP) address to prevent Power from accessing the Facebook website. Power responded by switching its IP address to circumvent the IP address block. In January 2009, Power ended the promotional campaign.

On December 20, 2008, Facebook sued Power for violating the CFAA and other federal and state statutes. The district court granted summary judgment in favor of Facebook on all of its claims, including the CFAA one.

Decision

The Ninth Circuit affirmed the district court’s grant of summary judgment with regard to Facebook’s CFAA claim in Facebook, Inc. v. Power Ventures, Inc. et al., No. 13-17102. The Court began by holding that Facebook had a private right of action because it had suffered a loss within the meaning of the CFAA as its employee spent “many hours… analyzing, investigating, and responding to Power’s action.” Power, slip opinion at *13.

The Ninth Circuit next examined whether Power accessed Facebook’s computers “without authorization” or in a manner that “exceed[ed] authorization” in the context of its recent decision in United States v. Nosal, No. 14-10037 (9th Cir. July 5, 2016) (Nosal II) and its prior decision in the same case, United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (Nosal I). In Nosal II, the Ninth Circuit affirmed the CFAA conviction of David Nosal for accessing the computer of his former employer “without authorization.” Nosal used the password of his former executive assistant to access the computer system of his former employer after that employer had explicitly revoked his computer access credentials. See Nosal II, slip opinion, at 9-10.  In Nosal I, the Ninth Circuit held that the employees of a company who logged into the company’s confidential and proprietary database and downloaded sensitive information for a competitor in violation of the company’s computer use policy had not “exceed[ed] authorized access.” See Nosal I, 676 F.3d at 863.  The Court found that, because imposing liability under the CFAA for violations of the terms of use of a website could criminalize many daily activities, violations of use restrictions did not constitute a violation of the CFAA. See id. Therefore, based on Nosal I and II, the Ninth Circuit held that “a defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly” but that “a violation of the terms of use of a website—without more—cannot be the basis for liability under the CFAA.” Power, at *16.

Applying these rules, the Ninth Circuit found that Power users arguably gave Power permission to access Facebook’s computer when those users clicked on the “Yes, I do!” button, but that Facebook openly and expressly rescinded that permission on December 1, 2008, when it sent Power a cease and desist letter instructing Power to stop soliciting the information of Facebook users, using Facebook content, or otherwise interacting with Facebook through automated scripts. See id. at *16–17. Facebook also blocked Power’s IP address. See id. The Court noted that the record was clear that Power was aware that it was not authorized to access Facebook’s computer, but still took steps to evade Facebook’s IP address block to do so. See id. at *18–19. By accessing Facebook’s computer “without authorization,” Power was liable under the CFAA. Id. at *19.

Takeaways

The Power case goes a long way toward mitigating the risk of potential liability under the CFAA created by Nosal II for companies that use the login credentials of consenting account holders to access third-party computers for legitimate business purposes, such as data scraping. Nosal II appeared to imply that accessing a third-party website through shared credentials was unauthorized if the website had a policy against password sharing, regardless of whether the account holder consented. The Power case clearly defines the limits of liability under the CFAA for such activity. Password sharing, even if done in violation of a website’s terms of use, does not constitute a violation of the CFAA in the Ninth Circuit. However, once the third party explicitly revokes permission, continued accesses are likely to be considered “without authorization” or “exceed[ing] authorized access” under the CFAA.