Facebook, Inc. filed suit against its competitor ConnectU, Inc. for allegedly collecting email addresses of Facebook's registered users from its website and then sending unsolicited commercial email messages to Facebook's customers. Facebook claimed that ConnectU hired software companies to write software capable of harvesting email addresses and other information available to registered users of Facebook's site. Facebook asserted several causes of action under California state law and also under the federal anti-spamming law known as CAN-SPAM. In a recent ruling on ConnectU's motion to dismiss, the Court reached some interesting conclusions regarding the applicability of the various statutes to the harvesting of these email addresses. First, Section 502 of the California Penal Code was interpreted broadly to cover situations in which one knowingly and without permission accesses another's website and copies, takes or uses data from the site. ConnectU argued that it did not engage in "hacking," but instead used login information supplied by registered users of Facebook to access the site and therefore, the access to the information was not unauthorized. The Court disagreed and noted that Facebook sufficiently alleged that ConnectU knowingly accessed Facebook's website and took the data without Facebook's permission; therefore, the motion to dismiss was denied. This ruling demonstrated the broad scope of Section 502 in so far as direct permission from the data owner appears necessary in order to take, copy or use information from a website.
Facebook also claimed that ConnectU's actions violated California's anti-spam statutes; however, ConnectU argued that the California statutes were preempted by CAN-SPAM. The Court agreed with ConnectU and found that CAN-SPAM preempted the California statutes dismissing those claims. With respect to the claim under CAN-SPAM, generally a private party cannot bring a cause of action under the Act unless the party is an Internet service provider. While the Court noted that Facebook constituted a provider of Internet access service for purposes of bringing a cause of action under the federal statute, the Court held that ConnectU's activities did not amount to a violation of CAN-SPAM because Facebook did not allege that the email messages contained false or misleading header information. Facebook asserted that it could allege that some of the email messages sent to its registered users included misleading header information so the Court dismissed the claim with leave to amend. This battle seems far from over and it will be interesting to see how this type of email harvesting will be reprimanded, if at all, by the courts. [Facebook, Inc. v. Connectu LLC, et al., 07-CV-01389-RS, N.D. California, Order of May 21, 2007]