7-day free trial Book a demo
Can Facebook Make Data-scraping Illegal?

Can Facebook Make Data-scraping Illegal?

Posted by david-hand | 18 May 2018

International Writing Competition 2018 overall runner-up article, for the category: Technological Innovations.


When the Computer Fraud and Abuse Act (“CFAA”) was enacted in 1986, the internet was still in its early stages. Computer Fraud and Abuse Act, 18 U.S.C. § 1030. This is why, though the Act has been amended several times, its vague wording often times leads to instances of under- or, as seems to be the case in Facebook v. Power Ventures, over-criminalization. Facebook, Inc., v. Power Ventures, Inc., 844 F.3d 1058 (9th Cir. 2016). In the age of data-scraping and largely ignored terms of uses, it seems that CFAA does not provide clear answers to the questions posed by various technological developments.

The Supreme Court has ruled that the CFAA punishes whoever has knowingly accessed a computer “without authorization” or “exceed[ed] authorized access.” Musacchio v. United States, 136 S. Ct. 709 (2016). However, what actions are “without authorization” or “exceeding authorized access” is still disputed. Disagreeing with its sister circuits, in United States v. Nosal (“Nosal I“), the Ninth Circuit ruled that the CFAA “is limited to violations of restrictions on access to information, and not restrictions on its use.” (emphasis in original) While the Ninth Circuit opted for “a narrower interpretation” in Nosal I, it seemed to go to the other end of spectrum in Power Ventures and ruled that Power Ventures’ access to Facebook after receiving the cease-and-desist letter was an “access without authorization.” On October 10, 2017, the Supreme Court denied writ of certiorari to the case.

Power Ventures (“Power”) operated a social networking website. As part of Power’s promotional campaign, users could authorize the website to go into their Facebook accounts and gather information for use on Power’s website. Power could also send messages through Facebook on the users’ behalf. When Facebook become aware of this campaign, it sent a cease-and-desist letter to Power and blocked Power’s IP addresses. However, Power continued its campaign by switching IP addresses. Since Power accessed Facebook’s computers after its access was expressly revoked by Facebook, the Ninth Circuit ruled that Power violated the CFAA. However, three big questions loom after Ninth Circuit’s judgment on Power Ventures.

One issue is whether a cease-and-desist letter must be issued on particular grounds in order to trigger liability under the CFAA. The Court found that Power had violated the CFAA when it continued its activities after receiving cease-and-desist letter from Facebook. However, it is unclear whether Facebook’s cease-and-desist letter was issued because of a violation of its terms of service. Under Nosal I, violation of Facebook’s terms of use alone would not be sufficient to impose liability under the CFAA. In their amicus brief, the Cato Institute underscored the fact that, “[n]othing in the terms of use limits the user’s ability to allow Power Ventures to access his property.” However, the Court did not address this issue, and instead focused solely on the importance of sending a cease-and-desist letter that made it clear to Power that it no longer had authorization to access Facebook’s computers.

The second issue is whether Facebook needed to send a cease-and-desist letter in order to prove that Power knowingly breached access to Facebook’s computers. As Orin Kerr explains on The Volokh Conspiracy, mens rea was especially important for the Ninth Circuit: access becomes unauthorized “when the visitor knows that the computer owner doesn’t want it.”

The third issue is whether courts should distinguish between access to user data and access to Facebook data. The Court held that “Power continued to access Facebook’s data and computers without Facebook’s permission.” (emphasis added) Facebook’s terms of service clearly read that users “own all of the content and information you post on Facebook, and… can control how it is shared…” The Ninth Circuit did not address this and, instead, focused on Power’s access to Facebook computers. The Ninth Circuit compared Power to a person who had obtained consent to access a friend’s safe deposit box, but entered the bank with a shotgun and was thus denied entry. Just as the bank could deny entry to the person even if the person had permission from his friend, Facebook could deny access to Power even if Power had consent from Facebook’s users. However, while the safe deposit box owner would exceed bank authorization by attempting to enter the bank with a shotgun, Facebook’s users would not exceed the Facebook authorization by attempting to access their data on Facebook’s computers. Put differently, the Court pinpoints the problem as the actor, when the real problem is the act. In Power Ventures, the act becomes a crime only when a third party does it on behalf of a user—the actor rather than the act causes the problem.

Another issue with the Court’s analogy is the comparison between data-scraping and holding a gun. Facebook did not present any evidence showing that Power was doing harm to its system or to other users on Facebook. Is it enough that Facebook disapproves this use, since Power was a competitor? On the other hand, if the Court’s deference is limited, where does it draw the line?

The broad implications of Power Ventures regarding unauthorized access become even more complicated when juxtaposed with hiQ Labs, Inc. v. LinkedIn Corporation. In this case, hiQ has a business that relies on data-scraping and LinkedIn sent hiQ a cease-and-desist letter. However, in granting hiQ’s preliminary injunction against LinkedIn, the District Court ruled that hiQ was likely to succeed on the merits with respect to the CFAA because—unlike Power Ventures—hiQ was relying on public data. However, what is the difference between public data available to everyone and private data that becomes available to the data-scraping company with the consent of the user? Either way, the data-scraping company has access to the users’ data because the user chose to make it available. Perhaps, the final judgment will clarify the distinction.

Orin Kerr of The Volokh Conspiracy writes, “if you want to make it a crime for someone to visit your website, you just need to give them notice that you don’t want them to visit.” If this is the case, this means that major technology companies can use the CFAA to bring civil suits against competitors. In light of the Supreme Court’s denial of certiorari, one must wait and see how future courts will address these issues.

 

About the author

 

Secil Bilgic is an LL.M. student at Harvard Law School and a Fulbright Scholar from Turkey. She received her LL.B. in Law and B.A. in Political Science from Koc University where she graduated as the top of her class. Her main interest areas are cyber law and international law.

Related Blogs

Law librarian identity
Posted by matt-terrell | 4th December 2018
Guest author Kristin Hodgins is a project director and law library director working in the public sector in Victoria, British Columbia, Canada. Her article discusses how many do not know...
Posted by david-hand | 3rd December 2018
From barristers to international law firms to law schools, legal research is an important activity. It is what enables legal professionals to keep up to date with the law and...
Posted by david-hand | 3rd December 2018
We are pleased to announce JustisOne Alerting. In today’s fast-paced world it is more important than ever for legal practitioners across the world to be aware of recent developments in...