Facebook, Inc. v. Power Ventures, Inc.
844 F.3d 1058 (2016)
Premium Feature
Subscribe to Lexplug to listen to the Case Podcast.
Rule of Law:
Access to a protected computer becomes 'without authorization' under the CFAA and California Penal Code section 502 when explicit permission has been unequivocally revoked, and the defendant continues to access the computer despite the revocation and efforts to block such access. The CAN-SPAM Act is not violated if promotional messages are not materially misleading and accurately identify an initiator, especially when users consented to the message's transmission.
Facts:
- Power Ventures, Inc. (Power) operated Power.com, a social networking website designed to aggregate user information from other social networking sites, including Facebook.com.
- Facebook, Inc. (Facebook) operates Facebook.com, requiring users to register and assent to terms of use, and restricting third-party access unless they enroll in Facebook Connect and agree to Developer Terms.
- In December 2008, Power launched a promotional campaign on its website, offering $100 to the first 100 people who brought 100 new friends to Power.com.
- Power's campaign allowed users to share the promotion by creating events, photos, or status updates on their Facebook profiles, which caused messages (internal Facebook messages or external form e-mails from Facebook) to be sent to their Facebook friends.
- External e-mails generated by Facebook's system identified 'Facebook' as the sender in the 'from' line and were signed 'The Facebook Team.'
- On December 1, 2008, Facebook discovered Power's campaign, sent a 'cease and desist' letter instructing Power to terminate its activities, and subsequently tried to block Power's IP addresses.
- Power resisted enrolling in Facebook Connect, circumvented Facebook's IP blocks by switching addresses, and continued its promotional campaign, acknowledging it accessed Facebook's data without Facebook's permission.
- Power's campaign lasted less than two months, ending in late January 2009, and Power ceased doing business altogether in April 2011.
Procedural Posture:
- On December 20, 2008, Facebook, Inc. filed an action against Power Ventures, Inc. and its CEO Steven Vachani (collectively, 'Defendants') in federal district court.
- Facebook moved for summary judgment on its claims alleging violations of the Computer Fraud and Abuse Act (CFAA), the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act), and California Penal Code section 502.
- The district court granted summary judgment in favor of Facebook on all three claims, awarding statutory and compensatory damages, and permanent injunctive relief, while also holding Vachani personally liable for Power's actions.
- Following discovery disputes, a magistrate judge ordered Power to pay $39,796.73 in costs and fees for a renewed Rule 30(b)(6) deposition, a ruling which the district court subsequently upheld by denying Power's motion for reconsideration.
- Defendants timely appealed both the summary judgment decision and the discovery sanctions to the United States Court of Appeals for the Ninth Circuit.
Premium Content
Subscribe to Lexplug to view the complete brief
You're viewing a preview with Rule of Law, Facts, and Procedural Posture
Issue:
1. Does a social networking company violate the CAN-SPAM Act by transmitting promotional messages if the 'from' line accurately identifies one of the message initiators and users consented to the promotion? 2. Does a social networking company violate the Computer Fraud and Abuse Act (CFAA) and California Penal Code section 502 by continuing to access another company's computers after receiving an explicit cease and desist letter and circumventing IP blocks, despite initial arguable user permission? 3. Is a corporate CEO personally liable for the corporation's torts if they were the guiding spirit behind the wrongful conduct?
Opinions:
Majority - Graber, Circuit Judge
No, Power did not violate the CAN-SPAM Act because the transmitted messages were not materially misleading. The court found that Facebook, Power, and the Power users all "initiated" the messages under the CAN-SPAM Act. Since Facebook, one of the initiators, was accurately identified in the "from" line, the header was not misleading under 15 U.S.C. § 7704(a)(1)(B). Furthermore, Power users consented to Power's access to their Facebook data for the promotion, so the access was not obtained by false or fraudulent pretenses, as per § 7704(a)(1)(A). Internal Facebook messages were also deemed not misleading, as they included Power's name and a link, and users authorized their sending. Yes, Power violated the Computer Fraud and Abuse Act (CFAA) and California Penal Code section 502, but only after Facebook explicitly revoked its permission. The court reasoned that Power initially had at least arguable permission to access Facebook's computers through user consent. However, Facebook's December 1, 2008, cease and desist letter unequivocally rescinded this permission, and subsequent IP blocks further demonstrated revocation. Power admitted that it knowingly continued to access Facebook's computers and data without authorization after receiving this notice and circumvented the blocks. This situation is distinct from United States v. Nosal (Nosal I) because it involves an explicit revocation of any access, rather than merely exceeding authorization or violating terms of service. Facebook also met the CFAA's 'loss' requirement, incurring over $5,000 in costs to investigate Power's actions. For California Penal Code section 502, which prohibits 'knowing access and without permission' taking data, Power's continued access after the cease and desist letter similarly constituted a violation. Yes, Steven Vachani, Power's CEO, is personally liable for Power's actions. Vachani was the "guiding spirit" and "central figure" behind Power's promotional scheme, having admitted to controlling and directing Power's actions and conceiving the promotion, which is sufficient for personal liability for corporate torts. The court also affirmed the district court's discovery sanctions against Power, as the defendants failed to object in the district court, thus forfeiting the issue on appeal. Even if not waived, the magistrate judge's findings of Vachani’s unpreparedness and Power’s failure to produce emails were supported by the record. The injunction and damages award were vacated and remanded to the district court for recalculation, limited to the period after Power received the cease and desist letter.
Analysis:
This case significantly clarifies the parameters of 'unauthorized access' under the Computer Fraud and Abuse Act (CFAA), particularly when initial access was arguably consensual. It establishes that an explicit revocation of permission, such as a cease and desist letter, coupled with demonstrable efforts to block access (like IP blocks), effectively terminates authorization, leading to CFAA liability for any subsequent access. The ruling also narrows the application of the CAN-SPAM Act, emphasizing that messages must be 'materially misleading' in their header information to trigger liability, thereby protecting promotional activities where sender identification is accurate and user consent is obtained. This decision provides crucial guidance for online service providers in safeguarding their systems and data against unwanted third-party interactions by reinforcing the legal weight of clear notice and technical enforcement.
