Categories & Search

When Is Using a Computer a Crime? Rehearing Sought on Ninth Circuit’s “Distressingly Unclear” Answer

Facebook recently won a landmark victory in the Ninth Circuit against a company that accessed Facebook’s computers to help users manage their social network accounts.  Now the company, Power Ventures, Inc., says that the Ninth Circuit’s decision risks creating “widespread confusion” about when it is a crime to use a computer to access a website.

The issue in Facebook, Inc. v. Power Ventures, Inc., No. 13-17102 (9th Cir.), is how to determine when an unauthorized—or explicitly prohibited—use of a computer becomes a violation of the Computer Fraud and Abuse Act of 1986 (“CFAA”).  The facts are fairly straightforward:  Power Ventures allowed users to login and manage their social media and networking accounts from a single place.  Users gave Power their Facebook account information, which allowed the website to access and contact the user’s Facebook friends.  Although Facebook users authorized Power to access their Facebook accounts, Facebook itself did not—and it later sent Power a cease-and-desist letter instructing Power to stop.  Power refused, and began switching its IP addresses to avoid Facebook’s attempts to block it.  Eventually, Facebook sued Power and its CEO for violating CFAA and several state laws, and won on summary judgment in the trial court.  In February 2012, Power was ordered to pay more than $3 million in damages to Facebook.

On appeal, the Ninth Circuit began by observing that CFAA “provides two ways of committing the crime of improperly accessing a protected computer:  (1) obtaining access without authorization; and (2) obtaining access with authorization but then using that access improperly.”  The panel then reviewed Ninth Circuit precedent and distilled “two general rules” from previous cases:  “First, a defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly. . . .  Second, a violation of the terms of use of a website—without more—cannot be the basis for liability under the CFAA.”

Here, the panel reasoned, Power’s early use of Facebook content and computers was not “without authorization” under CFAA because Facebook’s users gave Power their permission.  But after Facebook demanded that Power cease and desist, the permission from users was no longer sufficient, and at that point Power’s access and use became “without authorization” under CFAA.

In affirming summary judgment for Facebook, the panel also distinguished the leading Ninth Circuit case on CFAA, United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc), which held that employees with authorization to access their work computers who exceeded that authorization by using the computers in a way that violated company policy could not be held liable under CFAA for access without authorization.  Power’s use was actionable, the panel wrote, because “Facebook explicitly revoked authorization for any access.  Additionally, the panel remarked that because Facebook and Power had “no direct relationship,” this case had nothing to do with non-compliance with terms and conditions of service.  The full decision can be found here.

Power has now petitioned the Ninth Circuit for panel rehearing or rehearing en banc, and has enlisted Orin Kerr, a well-known professor who frequently writes about the intersection of criminal law and technology, to assist in the effort.  The petition contends that the panel’s opinion conflicts with Nosal and “creates tremendous confusion about when using the Internet is a crime.”

First, Power argues, the panel misread Nosal because that case held that violations of written restrictions do not create liability under either the “without authorization” or “exceeds authorized access” components of CFAA.  Nor was the panel correct that Power was not subject to Facebook’s terms of use, because (1) the basis for Facebook’s cease-and-desist letter was that Power had violated those terms, and (2) the terms of use state that anyone who uses Facebook (regardless of what the panel called a “direct relationship”) is subject to Facebook’s terms and conditions.

Second, Power contends that rehearing is necessary because the panel decision “creates a great deal of confusion” about when it is a federal crime to use a computer in violation of a written restriction.  Power asserts that the panel opinion fails to identify the precise boundary between lawful and unlawful behavior, and notes that, while this is only a civil case, the Ninth Circuit’s holdings about CFAA’s scope also apply to criminal prosecutions under CFAA.

And finally, Power argues that rehearing is necessary to protect users’ right to delegate access to their accounts.  Power cites Nosal for its observation that “it’s very common for people to let close friends and relatives check their email or access their online accounts.”  Following the logic of the Facebook ruling, however, that delegation would be criminal whenever the computer owner objects to the delegation.  The user’s delegate, or “agent,” could be held liable for violating CFAA, and even the user could be liable for aiding and abetting.  According to Power, this conclusion “flouts the traditional legal rule that an agent acting on a principal’s behalf has the legal authority of the principal,” and has the unfortunate effect of greatly expanding criminal liability online.

Power Ventures is the latest in a series of rulings by the Ninth Circuit concerning the type of activities giving rise to potential liability under the CFAA.  As always, we will continue to report on this case in the weeks to come.