The Ninth Circuit Court of Appeals found that a social media aggregator, using internal and external email based upon a user’s Facebook activities, violated the Computer Fraud and Abuse Act of 1986 (CFAA), 18 U.S.C. § 1030(a)(2)(C). The Court determined that under the CFAA, which prohibits acts of computer trespass by those who are not authorized users or who exceed authorized use, the violations occurred only after the social media aggregator received a cease and desist (C&D) letter from Facebook and nonetheless continued to access Facebook’s computers without permission. However, the Court found that the social media aggregator did not violate the CAN-SPAM Act, 15 U.S.C. § 7706(g)(1). Facebook, Inc. v. Power Ventures, Inc., case no 13-17102 (9th Cir. July 12, 2016) (Available Here).
The trial court had entered summary judgment in favor of Facebook on its claims against Power Ventures, Inc., a social networking company that accessed Facebook users’ data and initiated form e-mails and other electronic messages promoting its website. The 9th Circuit reversed the trial court’s decision on the CAN-SPAM Act because the emails generated by Power arguably came from both the Facebook user, Power and Facebook itself.
In the present case, Facebook sued Power over Power’s promotional campaign. Power accessed Facebook users’ data and initiated form emails and other electronic messages promoting Power’s website. Initially, Power had implied permission from Facebook. But Facebook sent Power a cease and desist letter and blocked Power’s IP address; nevertheless Power continued its campaign. Power aggregated the user’s Facebook social networking information and sent out internal (to Facebook) and external emails promoting the Power website.
Facebook alleged violations of the CFAA, the CAN-SPAM Act, and California Penal Code section 502 and moved for summary judgment. The district court granted summary judgment to Facebook on all three claims. The district court awarded statutory damages of $3,031,350, compensatory damages, and permanent injunctive relief, and it held that Power owner, Vachani, was personally liable for Power’s actions.
The CAN-SPAM Act grants a private right of action for a “provider of Internet access service adversely affected by a violation of section 7704(a)(1) of this title.” 15 U.S.C. § 7706(g)(1). Section § 7704(a)(1) makes it unlawful for “any person to initiate the transmission, to a protected computer, of a commercial electronic mail message, or a transactional or relationship message, that contains, or is accompanied by, header information that is materially false or materially misleading.” The statute provides that the term “materially,” when used with respect to false or misleading header information, includes the alteration or concealment of header information in a manner that would impair the ability of an Internet access service processing the message on behalf of a recipient, a person alleging a violation of this section, or a law enforcement agency to identify, locate, or respond to a person who initiated the electronic mail message or to investigate the alleged violation, or the ability of a recipient of the message to respond to a person who initiated the electronic message. Id. § 7704(a)(6).
The 9th Circuit noted that the statute provides is violated when an email “header information  is technically accurate but includes an originating electronic mail address, domain name, or Internet Protocol address the access to which for purposes of initiating the message was obtained by means of false or fraudulent pretenses or representations shall be considered materially misleading.” Id. § 7704(a)(1)(A). Because more than one person may be considered to have initiated the Power email messages, Power’s users, Power, and Facebook all initiated the messages at issue. Hence, Power’s actions did not violate the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, or CAN-SPAM Act, which grants a private right of action for a provider of Internet access service adversely affected by the transmission, to a protected computer, of a message that contains, or is accompanied by, header information that is materially false or materially misleading. The Court held that here, the transmitted messages were not materially misleading.
The CFAA prohibits acts of computer trespass by those who are not authorized users or who exceed authorized use. It creates criminal and civil liability for whoever “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C). The statute defines “loss” to mean “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data.” Facebook employees spent many hours, totaling more than $5,000 in costs (the CFAA minimum damage threshold), analyzing, investigating, and responding to Power’s actions, therefore suffered a loss under the CFAA.
Power users arguably gave Power permission to use Facebook’s computers to disseminate messages. The consent that Power had received from Facebook users was not sufficient to grant continuing authorization to access Facebook’s computers after Facebook’s express revocation of permission. As for Power’s reaction to the Facebook C&D letter, a Power executive sent an e-mail to Facebook stating that Power engaged in four “prohibited activities”; acknowledging that Power may have “intentionally and without authorization interfered with [Facebook’s] possessory interest in the computer system.” This email response was used to support the affirmance of the trial court’s decision. The Court held that after receiving the cease and desist letter from Facebook, Power intentionally accessed Facebook’s computers knowing that it was not authorized to do so, making Power liable under the CFAA.