UPDATE: On January 18, 2019, the Ninth Circuit affirmed the award of damages and injunctive relief in favor of Facebook. (Facebook, Inc. v. Power Ventures, Inc., No. 17-16161 (9th Cir. Jan. 18, 2019) (unpublished)). The California district court in 2017 had awarded Facebook almost $80,000 in CFAA damages, representing only the period after Facebook sent its cease and desist letter to the defendant and including expenses both for technical measures to block Power Ventures from accessing Facebook servers and expenses for negotiating with Power Ventures to voluntarily stop its activities and destroy the data.  The lower court also granted Facebook’s request for a permanent injunction barring defendant from, among other things, accessing Facebook for a commercial purpose without permission.

  • Unauthorized Access: A former employee, whose access has been revoked, and who uses a current employee’s login credentials to gain network access to his former company’s network, violates the CFAA. [U.S. v. Nosal, 2016 WL 3608752 (9th Cir. July 5, 2016)]
  • Data Scraping: A commercial entity that accesses a public website after permission has been explicitly revoked can be civilly liable under the CFAA. However, a violation of the terms of use of a website, without more, cannot be the basis for liability under the CFAA, a ruling that runs contrary to language from one circuit-level decision regarding potential CFAA liability for screen scraping activities (See e.g., EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003)). [Facebook, Inc. v. Power Ventures, Inc., No. 13-17102 (9th Cir. July 12, 2016)]

This past week, the Ninth Circuit released two important decisions that clarify the scope of liability under the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.  The Act was originally designed to target hackers, but has lately been brought to bear in many contexts involving wrongful access of company networks by current and former employees and in cases involving the unauthorized scraping of data from publicly available websites.

Both cases, issued by the influential Ninth Circuit, may have important implications for the availability of a federal cause of action for data theft cases and also cases of unauthorized website access by commercial entities.  A lesson from both cases: while a carefully drafted computer use policy or website terms of service is essential to the protection of corporate networks and digital assets, it is but one element of a strategy that should also include technological barriers (when necessary) and other actions that give former employees and unwanted entities notice that corporate network access or permission to access a website or service has been revoked.

United States v. Nosal

In U.S. v. Nosal, 2016 WL 3608752 (9th Cir. July 5, 2016) (“Nosal II”), the defendant Nosal was charged under the criminal provisions of the CFAA with intent to defraud his former employer and aid his competing venture by obtaining access to his former employer’s network via a current employee’s login credentials.  The issue before the court was whether the “without authorization” prohibition of the CFAA extends to a former employee whose computer access credentials were rescinded but who, disregarding the revocation, accesses the computer by using a current employee’s own credentials.

In a 2-1 decision, the panel affirmed the defendant’s CFAA convictions for accessing a protected computer “without authorization” (and also for trade secret theft in violation of the Economic Espionage Act).  The court found that “password sharing,” whereby an ex-employee with revoked privileges asks a current employee for login information to gain entry, fell within the CFAA’s prohibition on access “without authorization” under 18 U.S.C. § 1030(a)(4).   Put simply:  “[O]nce authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party.”

The Nosal case has wended its way through the courts for years, and we previously wrote about the 2012 Ninth Circuit ruling in the case (“Nosal I”), where the Ninth Circuit ruled that information Nosal downloaded while still an employee with login privileges, but done in violation of the company’s computer use policies, did not “exceed authorized access” under the CFAA.   Distinguishing between access restrictions and use restrictions, the court in Nosal I concluded that the “exceeds authorized access” prong of the CFAA does not extend to violations of a company’s use restrictions.

Dissenting in Nosal II, Judge Reinhardt argued that the panel’s ruling threatens to turn the users who engage in the ubiquitous practice of password sharing with friends or relatives into unwitting criminals, particularly since most online services’ terms of use prohibit unauthorized logins and do not generally grant users the authority to share passwords.  In response, the majority stressed that a contrary ruling would remove from the scope of the CFAA any conspiracy to gain entry into a protected computer network by an ex-employee whose access has been affirmatively withdrawn:

“[T]he circumstance here—former employees whose computer access was categorically revoked and who surreptitiously accessed data owned by their former employer—bears little resemblance to asking a spouse to log in to an email account to print a boarding pass.”

Second Show: Facebook v. Power Ventures

In the late show of this Ninth Circuit CFAA double feature, the appeals court issued an opinion in another long-running litigation, Facebook, Inc. v. Power Ventures, Inc., No. 13-17102 (9th Cir. July 12, 2016).  We last wrote about the dispute in 2009.  The panel affirmed in part and vacated in part the district court’s grant of summary judgment in favor of Facebook on its claims against Power Ventures, Inc. (“Power”), the operator of power.com, the now-defunct social networking aggregation service that allowed users to access all of their social network accounts through one interface.  In a marketing campaign to attract new users, Power accessed Facebook users’ data with their permission and initiated form e-mails and other electronic messages promoting its website.  While the court reversed the lower court’s ruling on the CAN-SPAM claims, it affirmed the grant of summary judgment on the CFAA claim, and held that Power violated the CFAA for accessing Facebook’s service after it received a cease and desist letter from Facebook and nonetheless continued to access Facebook’s computers without permission.  The court remanded the case to the district court to reconsider appropriate remedies under the CFAA and California state law equivalent, including any injunctive relief.

The essence of the dispute against Power Ventures was that instead of developing its interface through a Facebook developer program, Power created a Facebook user account and accessed Facebook content through that account. Power’s campaign gave incentives to users to send event invites to other Facebook members to join power.com.  Once a power.com user (and Facebook member) clicked on a button to take part in the campaign, it caused a message to be transmitted to the user’s friends within the Facebook system.  Upon discovery, Facebook sent Power a cease and desist letter and blocked Power’s IP address; nevertheless, Power evaded the controls and continued its campaign for a short period of time. The question presented was whether Power’s actions, likely a violation of Facebook’s terms of use, created liability under the CFAA for unauthorized access.

Without making any ruling regarding the open nature of publicly available websites, the court stated that Power initially had “at least arguable permission to access Facebook’s computers” because it was reasonable to believe that consent from Facebook users to share the promotion was permission enough for Power.  Yet, at a certain point, the court found that Facebook made it known through a cease and desist letter and IP blocks that Power’s authorization to access its site was revoked.  The court held that any subsequent access to Facebook’s computers was thus “without authorization” within the meaning of the CFAA, making Power liable under the statute.

The Ninth Circuit reasoned that the consent that Power had received from Facebook users was not sufficient to grant continuing authorization to access Facebook’s computers after Facebook’s express revocation of permission.

“[F]or Power to continue its campaign using Facebook’s computers, it needed authorization both from individual Facebook users (who controlled their data and personal pages) and from Facebook (which stored this data on its physical servers). Permission from the users alone was not sufficient to constitute authorization after Facebook issued the cease and desist letter.”

Moreover, citing Nosal II, the Ninth Circuit reiterated that once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by deliberately going through the back door and accessing the computer through a third party.  It also cited Nosal I in restating the court’s reticence in imposing CFAA liability based solely on website terms of use, since such terms can be amended by the site owner and may contain vague language that makes compliance uncertain.  The court distilled two general rules from the Nosal rulings for analyzing authorization under the CFAA:

“First, a defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly. Once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability. Second, a violation of the terms of use of a website—without more—cannot be the basis for liability under the CFAA.”

The latter pronouncement is particularly noteworthy, given the looming presence of the oft-cited First Circuit EF Cultural decision from the last decade that suggested that a web scraper may act without “authorization” under the CFAA when it crawls a public website in contravention of posted terms of use containing prohibitions of scraping activities.  However, in recent times, web services have generally not relied solely on posted terms and have typically responded to unwanted scraping activities with technical blocks and the issuance of a cease and desist letter that revokes a specific user’s authorization to access that website.  Notably, the Power Ventures court offered some practical advice for those sending cease and desist letters to entities engaging in unwanted scraping.  In a footnote, the court stated that: “The mention of the terms of use in the cease and desist letter is not dispositive. Violation of Facebook’s terms of use, without more, would not be sufficient to impose liability.”   Interestingly, the court pointed out that, in addition to asserting a violation of Facebook’s terms of use, the cease and desist letter warned Power that it may have violated federal and state law and “plainly put Power on notice” that it was no longer authorized to access Facebook’s computers.