Power Ventures, Inc. offers a service to amalgamate various social-media platforms into one system; each user gives the company his usernames and passwords, including for Facebook. Facebook objected to Power Ventures’ use of Facebook in this manner and sent a cease-and-desist letter. When Power Ventures refused to comply, Facebook sued under the Computer Fraud and Abuse Act (“CFAA”).
The CFAA was designed to prevent hackers from accessing a computer system “without authorization” and has criminal penalties of up to five years in prison. The district court found that Power Ventures had indeed accessed Facebook without authorization and the U.S. Court of Appeals for the Ninth Circuit affirmed that decision. Power Ventures has petitioned the Supreme Court to review the case; Cato has filed an amicus brief supporting that petition.
We explain that there’s a split among the circuit courts as to the legal basis for an entry to be “authorized” under the CFAA. The Fifth and Seventh Circuits use agency law (scope of employer permission), the First and Eleventh Circuits use contract law (established policies), and the Second, Fourth, and Ninth Circuits use property law (the common law of trespass). The ideal resolution would involve an analogy to physical trespass, which various members of Congress involved in drafting the CFAA used to discuss the computer crimes that the law was designed to prevent.
In applying trespass law here, the facts begin to look like a landlord-tenant dispute over a third-party guest. A landlord typically can’t prevent a tenant from inviting guests to access the tenants’ property by using the common areas of the building, without a limitation in the lease. Here, Facebook’s users own the data (information, pictures, etc.) they put on the social network, as Facebook acknowledges, and there’s no guest-access restriction in the terms of service.
Many people share social-network, email, or other passwords without considering such actions to be criminal and the common law is presumed to conform to the customs of the people unless there’s explicit statutory text to the contrary. Otherwise millions of people could unwittingly be made criminals.
This is also the reason why the “rule of lenity” applies in Power Ventures’ favor, because an (at best) ambiguous statute cannot be used to punish someone.
The final reason that the Supreme Court should take the case is its importance to the online economy. Power Ventures is trying to compete with Facebook and Facebook’s ban prevents the market from being able to determine who has the better product. Many other companies, including Google, use a method of automated access similar to that which Power Ventures uses and could be imperiled by the lower court’s ruling. Internet companies need clear legal rules so they know what they can do nationwide without the threat of civil liability or criminal prosecution.
The Supreme Court may decide whether to take Power Ventures v. Facebook before it breaks for its summer recess at the end of June, or it could hold the decision over till the start of the next term in the fall.