You are viewing a free summary from Descrybe.ai.
Facebook, Inc. v. Power Ventures, Inc.
Citation: 844 F.3d 1058
Docket: No. 13-17102, No. 13-17154
Court: Court of Appeals for the Ninth Circuit; July 12, 2016; Federal Appellate Court
The order modifies the opinion issued on July 12, 2016, regarding the case between Facebook, Inc. and Power Ventures, Inc. Power Ventures accessed Facebook user data to promote its own website, initially with implied permission from Facebook. Following a cease and desist letter and an IP block from Facebook, Power continued its promotional activities. Facebook alleges violations of the CAN-SPAM Act, the Computer Fraud and Abuse Act (CFAA), and California Penal Code section 502. The court determined that Power did not violate the CAN-SPAM Act, as the messages were not materially misleading. However, Power violated the CFAA and California Penal Code section 502 after receiving the cease and desist letter by continuing unauthorized access to Facebook’s systems. The court's decision affirms in part, reverses in part, and remands the case to the district court for further action.
Power Ventures, led by CEO Steven Vachani, operated Power.com, a platform allowing users to aggregate information from multiple social networking sites. Facebook, with over 130 million users at the time, required registration and adherence to specific terms for access.
In December 2008, Power launched a promotional campaign offering incentives for Facebook users to attract others to Power.com, which included options for users to share Power through various types of posts on their Facebook profiles. Power transmitted promotional messages to Facebook users' friends, utilizing both Facebook's internal messaging system and external e-mail notifications, which were automatically generated under certain user settings. When a Power user shared an event, an e-mail was sent to friends, detailing the event's name and time, with Power listed as the host. Facebook became aware of Power's campaign on December 1, 2008, and issued a cease and desist letter the same day, requesting Power to halt its activities.
Despite Facebook's efforts to enforce compliance, including proposing a Developer Terms of Use Agreement and blocking Power's IP address, Power circumvented these measures and continued its campaign, acknowledging unauthorized use of Facebook data. The promotional activities lasted less than two months, with over 60,000 external e-mails sent, alongside an unknown number of internal messages.
Facebook subsequently filed a lawsuit on December 20, 2008, claiming violations of the CFAA, CAN-SPAM Act, and California Penal Code section 502. The district court ruled in favor of Facebook, granting summary judgment on all claims, awarding over $3 million in statutory and compensatory damages, and imposing permanent injunctive relief, with personal liability for Vachani, a Power representative. Post-judgment, Power faced discovery disputes, leading to an order to pay $39,796.73 in costs for a renewed deposition. Power's motion for reconsideration was denied. The defendants appealed the judgment and discovery sanctions. The summary judgment is reviewed de novo, allowing affirmation on any record-supported ground.
The CAN-SPAM Act provides a private right of action for Internet service providers affected by violations, making it unlawful to transmit misleading commercial e-mails. This act does not entirely ban spam but regulates commercial email practices. To establish a violation of the CAN-SPAM Act, Facebook must demonstrate that the electronic messages in question are 'materially false' or 'materially misleading.' The term 'materially' involves any alteration or concealment of header information that impairs identification or response capabilities for recipients or law enforcement. A 'from' line that accurately identifies the message initiator is not considered misleading. Messages can be deemed materially misleading if header information is technically accurate but obtained through false pretenses.
In this case, two message types potentially qualify as materially misleading: external emails generated when a user created a Facebook event to promote Power, and internal messages authored by Power users. The external emails identified 'Facebook' as the sender and included a promotional event invitation. Given that the CAN-SPAM Act allows more than one party to be considered as having initiated a message, and since Facebook generated the emails with user consent, the court holds that Power users, Power, and Facebook all initiated the messages. Therefore, the 'from' line is not misleading. Additionally, the header indicating a friend's invitation to the event is technically accurate since users consented to Power's access to their data, negating claims of false pretenses. Consequently, the header does not misrepresent the email's origin or creator. Overall, the evidence suggests that Power's actions were legitimate and did not violate the CAN-SPAM Act. External messages sent by Power were not found to be materially misleading under the CAN-SPAM Act, as they included Power's name and a link to the Power website, allowing recipients to associate the messages with Power. Additionally, the identified Facebook users had authorized the messages, affirming that the internal communications were not misleading. Consequently, Power did not violate the CAN-SPAM Act, and the court reversed the district court's decision on this claim, ruling in favor of Power.
Regarding the Computer Fraud and Abuse Act (CFAA), it criminalizes unauthorized computer access and provides civil remedies for those harmed. The CFAA defines loss broadly, encompassing costs incurred in response to unauthorized access. Facebook demonstrated a loss exceeding $5,000 due to its employees' extensive efforts analyzing and responding to Power’s actions. The evaluation of whether Power accessed Facebook’s systems without authorization is guided by previous cases.
The CFAA distinguishes between accessing a computer without authorization and exceeding authorized access. In a cited case, an employee’s actions were not unauthorized as long as he acted within the scope of his permission. If Power had accessed Facebook's systems after any permission was rescinded, it would have constituted unauthorized access under the CFAA.
In United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), the court examined whether employees who accessed a work computer and transferred confidential data to a competitor 'exceeded authorized access' under the Computer Fraud and Abuse Act (CFAA). The court reversed liability for the defendant, applying the rule of lenity and warning against broad interpretations that could criminalize common activities due to vague and changeable website terms of service. It concluded that 'exceeds authorized access' in the CFAA does not encompass mere violations of such terms unless Congress explicitly includes misappropriation liability. Two key rules emerged: first, unauthorized access occurs when there is no permission or when permission is revoked; second, violation of website terms alone does not constitute CFAA liability. This analysis aligned with a subsequent case, United States v. Nosal, 828 F.3d 865 (9th Cir. 2016).
In the present case, Power initially had permission from Facebook users to use Facebook's computers. However, after Facebook rescinded this permission via a cease and desist letter, Power continued accessing Facebook’s systems despite knowing it was unauthorized. Power’s admissions during litigation confirmed that it accessed Facebook data without permission after receiving notice. Internal communications also indicated an awareness of potential legal consequences for continued actions against Facebook's terms. Emails from December 2008 revealed that Power attempted to bypass IP blocks imposed by Facebook and continued unauthorized access to Facebook’s data and systems.
The consent from Facebook users was insufficient for ongoing access after Facebook explicitly revoked permission. An analogy illustrates this: if a person is granted access to a friend's jewelry in a bank but is banned from the bank, the person cannot claim continued access based on the initial permission. To access Facebook’s data, Power required authorization from both the users and Facebook, which was revoked. Power admitted to ignoring the cease and desist letter and circumventing IP barriers, thereby accessing Facebook’s computers "without authorization" as defined by the Computer Fraud and Abuse Act (CFAA). This case differs from Nosal I, where the defendant exceeded authorization within a company; here, Facebook clearly revoked access, and Power's actions were not merely violations of terms but outright unauthorized access. The concerns raised in Nosal I about transforming innocuous behavior into federal crimes do not apply, as Power was explicitly notified of the revocation and willfully disregarded it. Consequently, Power is liable under the CFAA, and the district court's ruling on this matter is affirmed.
California Penal Code section 502 establishes liability for individuals who knowingly access and utilize data from a computer or network without permission. Unlike the Computer Fraud and Abuse Act (CFAA), the California statute does not require unauthorized access but only knowing access. In this case, Power initially had implied authorization to access Facebook's systems; however, upon receiving a cease and desist letter, Power acknowledged it no longer had permission. This led to a violation of section 502 as Power knowingly accessed and used Facebook's data without authorization.
Vachani, as a corporate officer of Power, is personally liable for Power's actions. Corporate officers can be held personally accountable for torts they authorize or participate in, particularly when they are the central figures driving the wrongful conduct.
Vachani was the guiding spirit behind Power's promotional scheme, having admitted to controlling its actions and originating the promotion.
Discovery sanctions against Power for non-compliance during a deposition were affirmed. Defendants did not object to these sanctions in the district court, resulting in a forfeiture of the right to appeal on that issue. The district court's findings regarding Vachani's lack of preparation and Power's failure to produce requested emails were upheld.
The court reversed significant portions of the lower court's decisions, vacated the injunction and damages award, and remanded the case for reconsideration of appropriate remedies under both the CFAA and section 502. Damages shall only be calculated for the period following Power's receipt of the cease and desist letter. The parties will bear their own costs on appeal.
Power users initially permitted Power to use Facebook's computers for message dissemination, suggesting that websites like Facebook may be considered open to all unless permission is explicitly revoked. The terms of use mentioned in the cease and desist letter do not alone establish liability; merely violating these terms is insufficient for legal action, as noted in Nosal I. However, the cease and desist letter also indicated potential violations of federal and state law and informed Power that its authorization to access Facebook’s computers was revoked. Specific unauthorized activities included using another person’s Facebook account, employing automated scripts to collect data, integrating Facebook's site into another database, and utilizing Facebook for commercial purposes. Simply bypassing an IP address does not equate to unauthorized use. A blocked user may remain unaware of the block due to a lack of notification, potentially leading to misunderstandings about the reasons for the block, especially if multiple users share the same IP address.