Categories & Search

When Using a Computer Becomes a Crime, Part Two: ACLU, Facebook Weigh In on Ninth Circuit’s Answer

The Electronic Frontier Foundation (“EFF”) and the American Civil Liberties Union (“ACLU”) have weighed in on Facebook’s high-profile dispute with a social media aggregation company over whether it had unlawfully accessed Facebook’s computers.  The EFF and ACLU warned the Ninth Circuit that the panel’s ruling for Facebook risks chilling important investigations and makes “potential criminals out of millions of ordinary Americans on the basis of innocuous online behavior.”  The case is Facebook, Inc. v. Power Ventures, Inc., No. 13-17102. 

We wrote about the facts of the Facebook case here.  As we noted, the question presented is:  when does an unauthorized—or explicitly prohibited—use of a computer become a violation of the Computer Fraud and Abuse Act of 1986 (“CFAA”)?  The panel ruled that once Facebook sent the defendant, Power Ventures, Inc., a letter demanding that it cease and desist accessing Facebook servers, any access after that point became “without authorization” under CFAA.  Power’s use was actionable, the panel wrote, because “Facebook explicitly revoked authorization for any access.”  Additionally, the panel remarked that because Facebook and Power had “no direct relationship,” this case had nothing to do with non-compliance with terms and conditions of service. 

Power’s petition for rehearing argued, among other things, that the panel’s opinion failed to identify the precise boundary between lawful and unlawful behavior, and that if the ruling stands, it could greatly expand civil and criminal liability online, since it could render unlawful such benign uses as letting a friend check one’s email account.

In their joint amicus brief, the ACLU and EFF echo this last point, arguing that the panel’s decision “subjects an untold number of Internet users to prosecution, such that prosecutors can pick and choose” whom to prosecute.  They also assert that the panel’s interpretation of CFAA renders that statute unconstitutionally vague, because the opinion does not provide users with fair notice of when their conduct might cross the line into being “without authorization” under CFAA.  The opinion indicates that a cease and desist letter is plainly sufficient, and that simple terms of use would not be.  But what about a pop-up notice—would that be enough for liability if a customer gives his or her bank or Netflix login credentials to a spouse?  What about email notice, or notice by registered letter?

The ACLU and EFF also argue that the panel’s ruling threatens to chill socially valuable research and journalism on topics ranging from computer security to discrimination.  For example, they contend that “there is growing evidence that proprietary algorithms are causing websites to discriminate against users, including on the basis of race, gender, and other characteristics protected under civil rights laws.”  To investigate this phenomenon, researchers often create various test accounts and compare the offers that are displayed to, say, male versus female users.  But websites often prohibit the creation of such test accounts in their terms of use, and the ACLU and EFF point out that under the panel decision, that prohibition might become a criminal CFAA violation.

In its response to the petition for rehearing, Facebook argues that the court should forget hypotheticals and stick to what actually happened here—“Power’s blatant disregard of Facebook’s personalized message to ‘keep out,’ and its deliberate circumvention of the technical barriers that Facebook erected to enforce that command.”  According to Facebook, the panel correctly held that violating a business’s general rules may not itself amount to trespass (whether of a storefront or a computer system), but defying a targeted instruction to stay away does.  As for the arguments about research from the ACLU and EFF, Facebook responds that any restrictions on use fall outside of CFAA. 

Facebook also reminds the court of some of the more troubling facts in this case.  For example, Power was not only accessing its servers but was also bombarding Facebook users with annoying commercial messages and scraping data from Facebook users’ profiles.

This area of the law continues to be a source of uncertainty for businesses operating online, as well as their users. We will continue to report on this case in the weeks to come.