International Writing Competition 2018 overall runner-up article, for the category: Technological Innovations.
The Supreme Court has ruled that the CFAA punishes whoever has knowingly accessed a computer “without authorization” or “exceed[ed] authorized access.” Musacchio v. United States, 136 S. Ct. 709 (2016). However, what actions are “without authorization” or “exceeding authorized access” is still disputed. Disagreeing with its sister circuits, in United States v. Nosal (“Nosal I“), the Ninth Circuit ruled that the CFAA “is limited to violations of restrictions on access to information, and not restrictions on its use.” (emphasis in original) While the Ninth Circuit opted for “a narrower interpretation” in Nosal I, it seemed to go to the other end of spectrum in Power Ventures and ruled that Power Ventures’ access to Facebook after receiving the cease-and-desist letter was an “access without authorization.” On October 10, 2017, the Supreme Court denied writ of certiorari to the case.
Power Ventures (“Power”) operated a social networking website. As part of Power’s promotional campaign, users could authorize the website to go into their Facebook accounts and gather information for use on Power’s website. Power could also send messages through Facebook on the users’ behalf. When Facebook become aware of this campaign, it sent a cease-and-desist letter to Power and blocked Power’s IP addresses. However, Power continued its campaign by switching IP addresses. Since Power accessed Facebook’s computers after its access was expressly revoked by Facebook, the Ninth Circuit ruled that Power violated the CFAA. However, three big questions loom after Ninth Circuit’s judgment on Power Ventures.
The second issue is whether Facebook needed to send a cease-and-desist letter in order to prove that Power knowingly breached access to Facebook’s computers. As Orin Kerr explains on The Volokh Conspiracy, mens rea was especially important for the Ninth Circuit: access becomes unauthorized “when the visitor knows that the computer owner doesn’t want it.”
The third issue is whether courts should distinguish between access to user data and access to Facebook data. The Court held that “Power continued to access Facebook’s data and computers without Facebook’s permission.” (emphasis added) Facebook’s terms of service clearly read that users “own all of the content and information you post on Facebook, and… can control how it is shared…” The Ninth Circuit did not address this and, instead, focused on Power’s access to Facebook computers. The Ninth Circuit compared Power to a person who had obtained consent to access a friend’s safe deposit box, but entered the bank with a shotgun and was thus denied entry. Just as the bank could deny entry to the person even if the person had permission from his friend, Facebook could deny access to Power even if Power had consent from Facebook’s users. However, while the safe deposit box owner would exceed bank authorization by attempting to enter the bank with a shotgun, Facebook’s users would not exceed the Facebook authorization by attempting to access their data on Facebook’s computers. Put differently, the Court pinpoints the problem as the actor, when the real problem is the act. In Power Ventures, the act becomes a crime only when a third party does it on behalf of a user—the actor rather than the act causes the problem.
Another issue with the Court’s analogy is the comparison between data-scraping and holding a gun. Facebook did not present any evidence showing that Power was doing harm to its system or to other users on Facebook. Is it enough that Facebook disapproves this use, since Power was a competitor? On the other hand, if the Court’s deference is limited, where does it draw the line?
The broad implications of Power Ventures regarding unauthorized access become even more complicated when juxtaposed with hiQ Labs, Inc. v. LinkedIn Corporation. In this case, hiQ has a business that relies on data-scraping and LinkedIn sent hiQ a cease-and-desist letter. However, in granting hiQ’s preliminary injunction against LinkedIn, the District Court ruled that hiQ was likely to succeed on the merits with respect to the CFAA because—unlike Power Ventures—hiQ was relying on public data. However, what is the difference between public data available to everyone and private data that becomes available to the data-scraping company with the consent of the user? Either way, the data-scraping company has access to the users’ data because the user chose to make it available. Perhaps, the final judgment will clarify the distinction.
Orin Kerr of The Volokh Conspiracy writes, “if you want to make it a crime for someone to visit your website, you just need to give them notice that you don’t want them to visit.” If this is the case, this means that major technology companies can use the CFAA to bring civil suits against competitors. In light of the Supreme Court’s denial of certiorari, one must wait and see how future courts will address these issues.
Secil Bilgic is an LL.M. student at Harvard Law School and a Fulbright Scholar from Turkey. She received her LL.B. in Law and B.A. in Political Science from Koc University where she graduated as the top of her class. Her main interest areas are cyber law and international law.