The U.S. Court of Appeals for the 9th Circuit has handed down a very important decision on the Computer Fraud and Abuse Act, Facebook v. Vachani, which I flagged just last week. For those of us worried about broad readings of the Computer Fraud and Abuse Act, the decision is quite troubling. Its reasoning appears to be very broad. If I’m reading it correctly, it says that if you tell people not to visit your website, and they do it anyway knowing you disapprove, they’re committing a federal crime of accessing your computer without authorization.
I think this decision is wrong, and that it has big implications going forward. Here’s a rundown of the case and why it matters. I’ll conclude with a thought about a possible way to read the case more narrowly, as well as why I’m not convinced that narrow reading is correct.
I. The Facts
Steve Vachani is the chief executive and founder of Power Ventures, which had a website at Power.com. (I’ll refer to Vachani and Power Ventures collectively as “Power.”) Power had a service that let users aggregate their contacts on different social media sites. Power’s software allowed Facebook users to authorize Power to go into their Facebook accounts and gather information for them for use at Power’s website. Power users also authorized the software to send Facebook messages to other Facebook users for them. Facebook didn’t appreciate this, and it sent a “cease and desist” letter to Power telling the company to stop. The cease-and-desist letter told Power that it was violating Facebook’s terms of use and warned Power that it may have violated federal and state law. Facebook also blocked Power’s IP addresses. Power just changed IP addresses and continued operating.
Facebook then sued, claiming that Power’s conduct violated the CFAA, a somewhat similar California unauthorized access statute and the CAN-SPAM Act. Just to keep things simple, I’ll focus this post only on the claims brought under the CFAA.
II. The New Decision
In the new decision, the court holds that Power violated the CFAA when it continued to access Facebook’s computers with users’ permission after receiving the cease-and-desist letter. Oddly, Judge Susan P. Graber’s explanation for why Power violated the CFAA focuses almost exclusively on Power’s state of mind rather than what Power did. The CFAA prohibits intentionally accessing a computer without authorization. Instead of explaining what counts as access “without authorization,” Judge Graber focuses mostly on whether Power had a culpable state of mind with respect to whether it was doing something unwanted.
Here’s the key analysis:
Initially, Power users arguably gave Power permission to use Facebook’s computers to disseminate messages. Power reasonably could have thought that consent from Facebook users to share the promotion was permission for Power to access Facebook’s computers. [FN: Because, initially, Power users gave Power permission to use Facebook’s computers to disseminate messages, we need not decide whether websites such as Facebook are presumptively open to all comers, unless and until permission is revoked expressly.] . . . Power users took action akin to allowing a friend to use a computer or to log on to an e-mail account. Because Power had at least arguable permission to access Facebook’s computers, it did not initially access Facebook’s computers “without authorization” within the meaning of the CFAA.
But Facebook expressly rescinded that permission when Facebook issued its written cease and desist letter to Power on December 1, 2008. Facebook’s cease and desist letter informed Power that it had violated Facebook’s terms of use and demanded that Power stop soliciting Facebook users’ information, using Facebook content, or otherwise interacting with Facebook through automated scripts. Facebook then imposed IP blocks in an effort to prevent Power’s continued access.
The record shows unequivocally that Power knew that it no longer had authorization to access Facebook’s computers, but continued to do so anyway. In requests for admission propounded during the course of this litigation, Power admitted that, after receiving notice that its use of or access to Facebook was forbidden by Facebook, it “took, copied, or made use of data from the Facebook website without Facebook’s permission to do so.” (Emphasis added; capitalization omitted.)
. . . In sum, as it admitted, Power deliberately disregarded the cease and desist letter and accessed Facebook’s computerswithout authorization to do so. It circumvented IP barriers that further demonstrated that Facebook had rescinded permission for Power to access Facebook’s computers. [FN: Simply bypassing an IP address, without more, would not constitute unauthorized use. Because a blocked user does not receive notice that he has been blocked, he may never realize that the block was imposed and that authorization was revoked. Or, even if he does discover the block, he could conclude that it was triggered by misconduct by someone else who shares the same IP address, such as the user’s roommate or co-worker.] We therefore hold that, after receiving written notification from Facebook on December 1, 2008, Power accessed Facebook’s computers “without authorization” within the meaning of the CFAA and is liable under that statute.
As I read the court’s opinion, the main issue is state of mind. Did you know that the computer owner didn’t want you to visit the website? At first, Power didn’t know Facebook’s view. But after the cease-and-desist letter, Power knew Facebook’s position. As a result, it was a federal crime to use Facebook after having received Facebook’s letter telling it to stay away. If I’m reading the opinion correctly, it appears that every contact with the computer that its owner doesn’t want is “without authorization.” The main question becomes mens rea: The visit becomes a federal crime when the visitor knows that the computer owner doesn’t want it.
III. The Thin (Nonexistent?) Line Between Terms of Use and Cease-and-Desist Letters
At this point you may be thinking: Hey, wait, didn’t the en banc 9th Circuit rule in Nosal I that using a computer in violation of its terms of use is not a CFAA violation? If intentionally using a computer in violation of the terms of use is legal authorized access, as the en banc 9th Circuit held in Nosal I, why is intentionally using a computer after receiving a cease-and-desist letter criminal access “without authorization”? In one case, the user goes to the website and sees the terms; in the other, the website owner contacts the user and shows the terms to them. But it’s the same thing, right?
Judge Graber offers two explanations for the difference. First:
[A]lthough Nosal I makes clear that violation of the terms of use of a website cannot itself constitute access without authorization, this case does not involve non-compliance with terms and conditions of service. Facebook and Power had no direct relationship, and it does not appear that Power was subject to any contractual terms that it could have breached.
I don’t follow this.
First, I don’t understand why it matters whether there is an existing contractual relationship. Maybe that’s relevant to whether we are in the illegal “access without authorization” box or the equally illegal “exceeds authorized access” box, which Judge Graber elsewhere notes is a possible difference between this case and Nosal I. But I don’t see how it could be the difference between illegal “access without authorization” and legal authorized access.
Second, both terms of use and cease-and-desist letters are just written statements about what the computer owner wants you to do with the computer. If Facebook’s terms say, “no social media aggregators such as Power.com are permitted to visit,” it’s hard for me to distinguish between between that and a letter to Power saying “we do not permit social media aggregators such as you and therefore you cannot visit.”
If you have to really come up with a difference, I suppose terms of use imply a conditional that cease-and-desist letters don’t. Terms of use requires the visitor to see that his act is prohibited and therefore unwanted. There can be uncertainty about whether that condition is met. But that’s solely a matter of state of mind rather than the act. It goes to whether the act is intentional, which is a separate element of the crime. I don’t understand how one can be criminal “access without authorization” and the other is legal authorized access.
Judge Graber also offers this distinction between terms of use and cease-and-desist letters:
Finally, Nosal I [on terms of use] was most concerned with transforming “otherwise innocuous behavior into federal crimes simply because a computer is involved.” Id. at 860. It aimed to prevent criminal liability for computer users who might be unaware that they were committing a crime. But, in this case, Facebook clearly notified Power of the revocation of access, and Power intentionally refused to comply. Nosal I’s concerns about overreaching or an absence of culpable intent simply do not apply here. This case is closer to Nosal II, wherein liability attached after permission to access computers was expressly revoked, but then the defendant deliberately circumvented the rescission of authorization.
This makes no sense to me. Again, Graber appears to have a misplaced emphasis on state of mind. She is focused on whether people had “culpable intent,” and letting those “unaware” escape liability while those who acted “deliberately” are punished. But that can’t explain why you can intentionally violate terms of use but you can’t intentionally ignore cease-and-desist letters. The state-of-mind question is about a different element of the CFAA — whether the unauthorized access was “intentional,” not whether the act was an unauthorized access in the first place. The difference in the legal treatment of the two acts has to rest on the difference between the acts themselves, not the differences between possible states of mind about those acts.
IV. The Physical World Analogy
Finally, Judge Graber offers a physical-world analogy that I suspect may really explain the decision.
Suppose that a person wants to borrow a friend’s jewelry that is held in a safe deposit box at a bank. The friend gives permission for the person to access the safe deposit box and lends him a key. Upon receiving the key, though, the person decides to visit the bank while carrying a shotgun. The bank ejects the person from its premises and bans his reentry. The gun-toting jewelry borrower could not then reenter the bank, claiming that access to the safe deposit box gave him authority to stride about the bank’s property while armed. In other words, to access the safe deposit box, the person needs permission both from his friend (who controls access to the safe) and from the bank (which controls access to its premises). Similarly, for Power to continue its campaign using Facebook’s computers, it needed authorization both from individual Facebook users (who controlled their data and personal pages) and from Facebook (which stored this data on its physical servers).
I explained my problem with this kind of analogy in my recent article “Norms of Computer Trespass.” As I see it, the problem is that the trespass norms of private spaces like homes or commercial stores can’t be blindly applied to a public website. Trespass is always norms-dependent, and each kind of space has its own set of norms. In the case of a bank, we recognize that the bank is a private business that only permits visitors that it wants to enter. The trespass norm is that staying when the bank wants you out is a trespass.
Public websites are different, I think. The web is a publishing platform, and everyone is inherently authorized to visit a public website. True, Power did more than just visit the public face of the website. Power also accessed the individual accounts of users acting as their agents. But as I see it, that’s not enough to constitute a computer trespass because it’s within the permission of the user and acting as the user’s agent. The only non-public access was to the virtual space the user controlled, so I think the user’s permission should be enough.
This doesn’t mean that what Power did is necessarily a good thing. Maybe there should be other causes of action against Power for its conduct. But as I see it, the CFAA shouldn’t be one of them based on these facts. Facebook also could suspend the accounts of its users who authorized Power, or it could take technical steps to stop Power’s entry inside Facebook’s network. But I don’t think it should have been allowed to rely on the CFAA to keep Power away with a letter.
V. A Narrower Reading?
This is an important case. This was a civil dispute, but the CFAA is also criminal statute. If read broadly, the case seems to say that if you want to make it a crime for someone to visit your website, you just need to give them notice that you don’t want them to visit. I gather that as long as you phrase the notice as a command to cease and desist, rather than as just general terms of use, it becomes legally binding.
One question is whether you can read the decision more narrowly to apply only to accessing an account rather than visiting a website. Here’s the uncertainty: Is the decision saying broadly that you can’t visit the public face of a website after the computer owner said “no,” or is the decision saying more narrowly that you can’t access an individual account with the user’s permission after the computer owner said “no”? I would still disagree with the narrower reading, but it would be a lot less objectionable than the broader one.
Reading over the opinion, though, I don’t see a lot of reason to think the court had the narrower interpretation in mind. Consider these clues. First, Footnote 1 states:
Because, initially, Power users gave Power permission to use Facebook’s computers to disseminate messages, we need not decide whether websites such as Facebook are presumptively open to all comers, unless and until permission is revoked expressly.
The court then cites a law review article “asserting that websites are the cyber-equivalent of an open public square in the physical world.” By not deciding that question, the court appears not to be hinging its analysis on a distinction between visiting the public part of a website and accessing a private account that happens to be accessible over the web. The effect of a cease-and-desist letter appears to be the same in both cases.
Second, when the court explains the difference between terms of use on a website and a cease-and-desist letter, it doesn’t just say that the difference is that terms of use often applies to the public that uses the website while the cease-and-desist letter here was for conduct that required account access. That would have been a ready distinction to make, but the court didn’t make it.
Third, the court says that by sending the cease-and-desist letter, “Facebook explicitly revoked authorization for any access[.]” (emphasis in original). It doesn’t say that the authorization was revoked for the account access but not for visiting material accessible to the public on its computers (content such as this, for example, which anyone can access). Again, that suggests the broader reading rather than the narrower reading.
VI. What Next?
Given the wafer-thin distinction between this case and the en banc decision in Nosal I, will the 9th Circuit grant a petition for rehearing en banc? I hope so. As always, stay tuned.