In a case brought by Facebook, a U.S. district court recently concluded that a website that offered to integrate multiple social networking accounts into a single social networking “experience” violated the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM Act”), the Computer Fraud and Abuse Act (“CFAA”), and California Penal Code § 502. Facebook, Inc. v. Power Ventures, Inc., 2012 WL 542586 (N.D. Cal. Feb. 16, 2012).
Power Ventures, which operated the “experience” website, began a “Launch Promotion” in December 2008 that promised users the chance to win $100 if they successfully invited and signed up new users to Power Venture’s website, www.power.com. As part of the promotion, Power Ventures provided participants with a list of their Facebook friends, obtained by Power Ventures through Facebook without Facebook’s authorization, and asked each participant to select which of his or her friends should receive a Power Ventures invitation. The invitations sent to participants’ Facebook friends appeared to come from Facebook, as they used an “@facebook.com” address, not a Power Ventures address.
Facebook sued Power Ventures and its CEO, and moved for summary judgment on the grounds that Power Ventures: (1) sent misleading commercial emails through Facebook’s network in violation of the CAN-SPAM Act; and (2) utilized technical measures to access Facebook without authorization in violation of the CFAA and California Penal Code § 502.
The court held for Facebook and against Power Ventures on all of the claims. First, the court concluded that Power Ventures was liable under the CAN-SPAM Act, which makes it unlawful for a person to initiate the transmission of a commercial email that contains header information that is misleading or false. The court first ruled that Facebook had standing to sue under the statute because Facebook expended significant resources to block Power Ventures’ prolific spamming, which included over 60,000 separate instances. Next, the court determined that Power Ventures “originated” misleading emails under the Act and was liable, even though the Facebook server actually sent the messages. In particular, Power Ventures was liable because it: (1) created a “Launch Program” that caused Facebook’s server to automatically send emails with a “@facebook.com” email address, (2) imported Facebook users’ friends to a guest list, and (3) authored the text of the message to the friends. Even if the Facebook users themselves could be said to have “initiated” the messages, Power Ventures initiated them as a matter of law by procuring the users to authorize the messages by offering monetary awards.
The court also concluded that Power Ventures violated California Penal Code § 502, which prohibits a person from (1) knowingly accessing and without permission taking, copying, or using any computer data, system, or network; (2) knowingly and without permission using or causing to be used computer services; or (3) knowingly and without permission causing to be accessed any computer, computer system, or computer network. Power Ventures was liable because it circumvented technical barriers to access Facebook’s site. Although Power Ventures did not take additional steps to circumvent individual IP blocks imposed by Facebook, it designed its system to render such blocks ineffective. Similarly, Power Ventures was liable under the CFAA because it “intentionally accesse[d] a computer without authorization” and thereby obtained “information.” 18 U.S.C. § 1030(a)(2).
This case simply shows that if you manipulate another’s website or server, even if you’re not technically “hacking,” you might be held civilly liable (especially if you’re manipulating the server of a huge company like Facebook). Technical defenses (e.g., Facebook actually sent the emails) may not get you off the hook.