The Ninth Circuit Court of Appeals recently ruled in HiQ Labs, Inc. v. LinkedIn that automated web scraping of publicly accessible websites does not violate the Computer Fraud and Abuse Act (CFAA), even if the website owner objects to the scraping. This marks the second time in this case where the Ninth Circuit found that scraping public websites is not the type of “breaking and entering” into computers that the CFAA prohibits.
We recently reported on the Facebook v. Power Ventures case, in which Facebook alleged, among other things, that Power.com using automated tools to populate a portal that aggregates a user’s social networking profiles violates its terms of service and the Computer Fraud and Abuse Act and an analogous provision of the California Penal Code. On July 20, 2010, the court said it was unclear whether Power.com was a “user” for purposes of the terms of service, but even if it was, feared that finding all user violations of a terms of service as access “without permission,” would create
constitutional problems with the statute. The Court added that terms of service are not well equipped to inform users of what activities might subject them to criminal penalties. The court, in part, relied on the fact that site operators can unilaterally change the terms of service at anytime.
The court did find that Facebook has a potential claim under the California law based on Power.com accessing Facebook’s site by circumventing technical or code-based measures. That claim will go forward.
The court rejected Power.com’s argument that Facebook did not even have standing to bring the suit because it did not incur any damage or loss. The court found that because Facebook took steps to prevent access, even “a few clicks of a mouse” was sufficient to satisfy the requisite damage or loss for it to have standing, noting that the statute authorizes claims if there is “any amount of damage or loss.”
This decision could have significant ramifications for social media platform providers. It highlights the need for a comprehensive strategy, including both legal and technical measures to prevent unwanted activity on their sites.
Here is a copy of the Facebook Decision
Many people routinely click on the Agree button without reading the terms of service. Doing so can be perilous for many reasons. A pending case highlights another potential reason to read and abide by the terms of service – potential criminal liability. Granted, there are some unique facts here as discussed below, but it is to everyone’s benefits to read and understand terms of service. For example, for users of a social media site, it is crazy to not understand what personal data is being collected and how it is being used and make an informed decision whether to use that site. For businesses (and investors in businesses) that interact with social media sites, it is critical that you understand and abide by the terms of service to assess whether your business model is “legal” and in compliance with the relevant terms of service. If not, your business (or investment) may be in peril, and in a worst case scenario you may face personal liability. Such was the case for the CEO of MDY when it created a tool that engaged in unauthorized access to Blizzard’s World of Warcraft client software in violation of the relevant terms of service and EULA. In addition to the company being found to infringe, the CEO was held personally liable for $6 million in damages.
Facebook alleges that Power.com induces visitors to surrender their Facebook user names and passwords in order to “integrate” their Facebook account into the Power.com website, in violation of the Facebook’s terms of service.
After notification from Facebook. Power.com allegedly initially agreed to cease the activity and purge the “ill-gotten data,” but apparently later changed its mind and continued its practices. In response, Facebook claims to have implemented technical measures to block access to the site by Power.com but Power.com then allegedly circumvented the technological security measures without authorization in violation of the Computer Fraud and Abuse Act. Facebook also alleged violation of CALIFORNIA PENAL CODE 502(c), the “COMPREHENSIVE COMPUTER DATA ACCESS AND FRAUD ACT” (including Sections 1-4 and 7) and the anti-circumvention provisions of the DMCA, among other claims.
Additionally, Facebook alleges that Power.com used the names to send unsolicited email messages to Facebook users that contained false header information in violation of the CAN-SPAM (CONTROLLING THE ASSAULT OF NON-SOLICITED PORNOGRAPHY AND MARKETING) Act.
Even though this is a civil action the penalties that can flow from a finding of violation of the Computer Fraud and Abuse Act include: (A) a fine or imprisonment for not more than ten years, or both (for a first conviction) and (B) a fine under or imprisonment for not more than twenty years, or both, in the case of a repeat offender. Violation of the relevant sections of the California Penal Code can result in fines and imprisonment up to three years.
The Electronic Frontier Foundation filed an amicus brief in support of Power Ventures; arguing:
Facebook argues that by offering these enhanced services to users, Power violated California’s computer crime law. It grounds its claim in the fact that Facebook’s terms of service prohibit a user from having automated access to a user’s own information and that Power continued to offer the service to Facebook users even after Facebook sent Power a cease and desist letter demanding that it stop. Yet merely providing a technology to assist a user in accessing his or her own data in a novel manner cannot and should not form the basis for criminal liability.
Many commenters have pointed out that taken to an extreme, any online service provider can create ridiculous terms of service and allege that there is a violation. While this may theoretically be true, in reality a court could strike down a frivolous clause if that were the case. However, when a company has a legitimate business interest to protect, and the terms of service relate to that business interest, an argument can be made that such terms should be upheld. Here Facebook appears to be alleging that it has a legitimate right to prevent third party application developers from requesting, soliciting, or otherwise obtaining access to user names, passwords or other authentication credentials. Perhaps this case will shed some light on this issue. Check back as we will provide updates on this case as it progresses.