Facebook v. Power

In December of 2008, Facebook filed a complaint against a website, http://power.com (“Power”). (FN 1.) Facebook claims that Power has violated Facebook’s terms of service and is offering a product that accesses information stored on Facebook without authorization. (FN 2.) Facebook also claims various intellectual property rights have been infringed upon by Power. (FN 3.) Facebook is asking the Northern District of California Court to order injunctive relief, compensatory damages, punitive damages, equitable relief, costs, and attorney fees. (FN 4.)

Facebook, as most of us know, is one of the most popular social networking sites on the internet. In its complaint, Facebook claims to be “dedicated to protecting the privacy and security of its users.” (FN 5.) Facebook permits third party software developers to create applications that run on Facebook’s website, but with a limited license and with specified development protocols and procedures. (FN 6.) One of these procedures requires that these third parties “never solicit, collect, or store Facebook usernames or passwords.” (FN 7.)

The creators of the website Power intended to provide online users with a tool that would allow an individual to view information from various social networking websites all in one place. (FN 8.) For example, a person would sign on to Power and be able to see all their messages from LinkedIn, Facebook, Tumblr at once. Power intended to provide a follow-up technology to social networking platforms. (FN 9.)

Facebook’s first claim is that Power violated the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act) by sending out e-mails that contained misleading information. (FN 10.) Facebook included an example of one of these e-mails.

Facebook objects to Power listing “Facebook” in the “From” line and signing the e-mail “Thanks, The Facebook Team.” (FN 11.) Facebook claims this has caused them harm by damaging their goodwill and reputation, presumably because of their dedication to “protecting the privacy and security of its users.” (FN 12.)

Facebook’s second claim is that Power violated the Computer Fraud and Abuse Act by obtaining and using valuable information from Facebook’s protected computers. (FN 13.) Facebook claims Power accessed this information “without authorization” and “trafficked in login information”, causing Facebook to expend resources to investigate the unauthorized access.  (FN 14.)

Facebook’s third claim is that Power violated California’s Comprehensive Computer Data Access and Fraud Act by accessing, without permission, Facebook data. (FN 15.) Facebook claims that because Power knowingly used Facebook’s services without permission, it violated the California Penal Code Section 502, causing damage to Facebook’s reputation and goodwill and other injuries. The Electronic Frontier Foundation (the EFF) wrote an amicus brief in support of Power arguing against this claim specifically. (FN 16.) The EFF is mostly concerned that this statute is, first and foremost, a criminal statute, and that allowing Facebook to define “authorization” expands the statute in a way that would cause millions of internet users to become criminals. (FN 17.) As an extreme example, they quoted a law review article illustrating this point:

“Imagine that a website owner announces that only right-handed people can view his website, or perhaps only friendly people. Under the contract-based approach, a visit to the site by a left-handed or surly person is an unauthorized access that may trigger state and federal criminal laws.” (FN 18.)

“Here Facebook appears to be alleging that it has a legitimate right to prevent third party application developers from requesting, soliciting, or otherwise obtaining access to user names, passwords or other authentication credentials.” (FN 19.) The EFF’s strong amicus brief might persuade the court that, while Power may have violated other acts and infringed on the intellectual property of Facebook, this claim would expand the definition of “without permission” further than it would like.

Facebook claims Power violated the DMCA (Digital Millennium Copyright Act, 17 U.S.C. § 1201) by circumventing technological measures that effectively control access to Facebook’s copyrighted website. (FN 20.) Facebook claims Power traffics in and markets technology designed to circumvent technological measures that control access to Facebook’s copyrighted website. (FN 21.) § 1201 of the DMCA prohibits “making or selling devices or services that are used to circumvent either category of technological measure.” (FN 22.) There is no “fair use” exemption to the act of gaining unauthorized access to a work; “the act of circumventing a technological measure in order to gain access is prohibited.” (FN 23.) A violator can be subject to both criminal and civil liability. (FN 24.) The Electronic Frontier Foundation’s amicus brief was only concerned with violations of the California computer crime statute, but it would follow that they would disagree with Facebook’s definition of “unauthorized” in this context as well.

Despite Facebook’s claim to care deeply about its users, most of us can remember a day when our newsfeeds flooded with quotes from Facebook’s new terms of service along with threats to deactivate or even sue. Like most people, I never bothered to read the terms of service, but appreciated the outrage by my Facebook friends. It seems Facebook users, ironically, used Facebook’s own platform to persuade Facebook to revert back to the original terms of service. Facebook’s claim to be “dedicated to protecting the privacy and security of its users” seems to be rather shallow to me. Maybe my view is tainted by the film “The Social Network”, but it makes it hard for me to follow Facebook’s reasoning that “privacy is important, and by violating our terms of service dealing with privacy you have injured our reputation.” (FN 25.)

Footnote 1. http://www.virtualworldlaw.com/FacebookComplaint.pdf

Footnote 2. Id.

Footnote 3. Id.

Footnote 4. Id.

Footnote 5. Id. 

Footnote 6. Id. 

Footnote 7. Id.

Footnote 8. https://www.eff.org/files/filenode/facebook_v_power/poweramicus.pdf

Footnote 9. Id.

Footnote 10. http://www.virtualworldlaw.com/FacebookComplaint.pdf

Footnote 11. Id.

Footnote 12. Id.

Footnote 13. Id.

Footnote 14. Id.

Footnote 15. Id.

Footnote 16. https://www.eff.org/files/filenode/facebook_v_power/poweramicus.pdf

Footnote 17. Id.

Footnote 18. Id.

Footnote 19. http://www.virtualworldlaw.com/2010/07/criminal-liability-for-not-reading-terms-of-service.html

Footnote 20. http://www.virtualworldlaw.com/FacebookComplaint.pdf

Footnote 21. Id.

Footnote 22. https://www.eff.org/files/filenode/facebook_v_power/poweramicus.pdf

Footnote 23. Id.

Footnote 24. Id.

Footnote 25. http://www.thesocialnetwork-movie.com/

~ by Nicole O. on September 9, 2012.

10 Responses to “Facebook v. Power”

  1. Another third party application developer Facebook put a stop to had to do with a third party app pulling all available cell phone numbers from a user’s collection of friends and importing both the friend and their cellphone number to the user’s phone’s contact list. Facebook claimed it was protecting user privacy and security. However, the app did not circumvent any user’s Facebook privacy controls so if a person had not listed or chose to make their phone number available to only certain people, that phone number would not have been accessible. It seems to me that the onus of security in some instances should fall on the user, for it was very handy using such an application to fill my new phone with all my social network contacts.

    In regards to the second complaint, it is unclear to me if Power was actually a third party application developer who had agreed or needed to agree to Facebook’s terms of service. If it was a third party that was not attempting to build software onto/into Facebook’s product, but, rather, a company offering users a service that, upon that user’s express permission and granting of login information, to pull data from the various social accounts and display them in a single place on Power’s service, then I am not sure how Facebook’s terms of service are significant, unless the issue is more singularly that a user of Facebook is bound not to disperse their login information to anyone. But if that is the case then Facebook’s “beef” is misdirected at Power and should be aimed at any user who proffered Power their login credentials. However, if Power was building a Facebook “app” then my above argument is moot.

    There seems to be a possible issue of a virtual property right nature regarding a user’s interest in their login information. Does a user have a right to pass along their user login information to another person or a corporation? Merely ruminating on this question, it seems likely that login information is a license that is freely revocable, thus a user does not have such a right. However, should they? In my thinking I am assuming accounts are free to create, in contrast to a paid service which passing along login credentials would have a factor of fraud in that a third party is circumventing paying the fee. However, in a free account a third party using another’s login credentials would be circumventing the highly coveted and valuable marketing information of user’s personal data and metrics that companies love to collect. One service that helps users get around signing up for a free account is http://www.bugmenot.com . A quick Westlaw search failed to turn up any cases surrounding this website, though it was mentioned in a Stanford Law article. Anyway, this conversation is somewhat off topic but I know I have a visceral feeling that I somehow have a right to my user data, though it seems my “viscera” is leading my thinking astray as usual.

  2. I agree with most of James’s points here.

    First, it seems that it would make a difference in liability if Power was operating through Facebook’s website as an application or if it was operating via its own website. If Power was operating outside of Facebook, as its own independent website, then I have a difficult time imagining that Power would be held liable for “obtaining and using” unauthorized information from Facebook’s “protected computers,” since it would be only obtaining information directly from users and not from Facebook’s servers. If Power was, indeed, operating through Facebook as an application in which it would store the user’s Facebook username and password, then Facebook’s second claim would hold much more water since it could be argued that Power circumvented Facebook’s terms of service as a third party software developer. The claim would be made even stronger if Power actually took more information through the application once it accessed a username and password (i.e., a user’s location) for its own use or sold the information to other parties. This would also tie into Facebook’s third claim that Power violated California’s criminal statute by accessing information without authorization.

    This is a disturbing topic in regards to privacy and property rights. If Facebook is legitimately claiming that no outside third party software developer is “unauthorized” to obtain its users’ login information, regardless of whether the third party is independent from Facebook completely, then it strikes me as an overreaching abuse of power. Personally, like James, I feel uncomfortable with the idea that Facebook may want to claim its users’ login information or try to exert full control over who a user may pass that information to. If Facebook were allowed to fully control access to its users’ login information, then like the EFF’s amicus brief stated, it could potentially open the floodgates and allow Facebook to claim that its users are criminally liable for giving out their login information to anyone that Facebook has not approved, including other companies, family members, friends, etc. That seems, in my opinion, excessive and extreme. It also brings up the problem of realistic enforcement.

    As for Facebook’s first claim that Power was sending out misleading emails, that to me seems like one of the stronger arguments. Regardless of whether Power was sending those emails out through a Facebook application or through its own independent platform, it is still using Facebook’s name and reputation through the communication. Notwithstanding, if Power was using its software within Facebook to override or hack the technology that Facebook has implemented to protect its users’ privacy, then Facebook should pursue the suit and has a right to be concerned. I definitely would be.

  3. The troubling interpretation of the CFAA is currently in flux. The DOJ ultimately decided not to appeal a Ninth and Fourth circuit case where a violation of an employee use agreement was not “unauthorized access.” Previously the Fifth, Seventh, and Eleventh Circuits held it was. However, the DOJ is also fighting against a proposed clarifying amendment to the CFAA. The proposed amendment to the CFAA specifies that violations of a contract or terms of service alone do not trigger liability. It would require physical access or trespass to the computer. http://www.lawfareblog.com/wp-content/uploads/2012/07/Leahy-Cybercrime-Amendment-to-S3414JEN12557.pdf

    The other part of the amendment would increase the violation to a felony punishable by three years in prison and increase the penalties in the rest of the act. Naturally the DOJ supports this. https://www.cdt.org/blogs/greg-nojeim/3007why-fibbing-about-your-age-relevant-cybersecurity-bill

  4. I would agree with the previous comments that with the exception of Facebook’s first claim, Facebook seems more interested in making a power grab than truly concerned with protecting user information. It may be slightly off topic but I wonder how Facebook’s prohibition against the exchange of login information will play into the ongoing debate over whether employers should be able to ask for employees’ and job applicants’ login information. This past March, Senators Chuck Schumer and Richard Blumenthal requested the Attorney General’s office investigate whether or not employers are breaking federal privacy law when they require employees or applicants to hand over login information, suggesting the issue is far from clear. Facebook’s response thus far has not been to pursue legal action against employers despite their campaign against Power, but Facebook chief privacy officer, Erin Egan, has been quoted as saying that legal action is not off the table and again cited Facebook’s concern for users’ privacy.

  5. I read the complaint as alleging that Power was in fact a third party developer, which therefore needed to agree to and abide by Facebook’s terms of service agreement specific to those developers.

    While I know most of us are skeptical about how much Facebook really cares about the privacy of our personal information, third party developers cannot and should not be able to access and use our information however they please. I agree with Nicole that while Facebook said it is “dedicated to protecting the privacy and security of its users,” the company is probably more concerned with its users feeling that their information is secure. By failing to pursue claims like these, it wouldn’t take long before Facebook had a reputation of not caring about the privacy of its users.

    In light of this consideration, I was surprised to see that there was a criminal component to these claims and was even more surprised to read that Facebook played such a large role in determining whether the activity was criminal. It makes sense that Facebook would pursue the criminal charges as a deterrent for future terms of service violators; however, I share the same concerns that were raised in the amicus brief and the comments above.

    I’m interested to see how the case turns out, especially the claims with criminal components.

  6. While I do believe that Facebook is worried about its reputation being damaged by the use of its name in a “spam” style message encouraging users to use a website outside of the Facebook platform, I do not believe that Facebook is so worried due to its commitment to the protection of the privacy of its users. The current volatile position of Facebook’s stock leaves Facebook in a unique position. While I believe Facebook wants to protect the privacy of its users to maintain any credibility that it has in the market place, I believe that it will compromise the privacy of its users if that is what it takes in order to bridge the gap between potentially valuable producer and valuable producer. No matter how committed the “powers that be” at Facebook may claim to be to privacy protection, when the time comes to meet the bottom line expectations of investors they will likely do whatever it takes to create enough value through the company to maintain their positions as directors of the most powerful social media network in the world, even if that means compromising their “high standards” of protecting the privacy of their users.

  7. Facebook should be very worried about the use of its login information by third parties, beyond just the contractual and monetary risk. A serious technical risk is posed when outside developers have access to large quantities of user login or demographic information. The problem is that these companies can themselves be hacked. So, even if Facebook protects user data effectively with all of its vast resources, a third party developer—often a small company with no more than a few employees and little to no resources to hire security consultants—makes an easy target. And, when such companies get hacked, they tend to lose the login information of the entire body of users of their add-on service—not only one or two users. See, for example, the recent publishing by Anonymous of over millions of unique Apple device identifiers the group hacked from the third party App developer BlueToad. http://www.washingtonpost.com/business/technology/publisher-says-udid-hack-matches-data-anonymous-claims-attack-on-godaddy/2012/09/10/eb3d5bc4-fb6e-11e1-b153-218509a954e1_story.html

    Once “in the wild,” this data becomes correlated with other hacked information and the hash values even of somewhat securely stored passwords can be reverse-engineered. Then, since users often use the same email address and password on multiple services, those services become compromised.

  8. I am not a Facebook user, but it seems that most people realize that Facebook is not private. Some people continue to hold on to a delusion of privacy and believe that they can control the limits of how un-private their pages are by choosing who gets to see what. The fact remains that the ability of other Facebook users to “tag” a person in a photo or a comment negates most of the “control” that users may have over their privacy.

    The fact is your activities on Facebook are not private. Facebook themselves use your activities in order to recommend apps, pages you may be interested in, and for other profitable marketing purposes. I recently read an article (a Google search brings up a number of related articles) about Facebook’s ability to predict, not only national trends of when it is more or less likely but also, when a specific user’s relationship will end. Using an algorithm that looks at a user’s friend and un-friend requests, along with the language of the user’s posts and other “indicators” Facebook can predict when a relationship is going to end and will tailor their marketing accordingly.

    Relating this back to the original post and some of the comments, it seems that Facebook is not interested in their users’ privacy, but in the ability of Facebook alone, and not a third party, to benefit monetarily from the lack of privacy that attaches to anything uploaded to the internet (regardless who uploaded it).

  9. The question that concerns me is what happened to all the data gathered by Power? Power received access to a number of profiles. From these profiles they were not only able to access information about that user, but also may have had access to those people connected with that user. As a result information may have been gathered and stored about countless users who had no interactions with Power at all. Facebook should be responsible for preventing users’ information from being leaked to third parties. Now it is true that Power circumvented Facebook’s security measures and violated the third party developer agreement. However, other apps acting within Facebook’s developer agreement are still mining data from users not connected with those developers.

    Take for instance a Facebook app that provides inspirational quotes. One may think that it is just a simple app that sends the user a daily inspirational quote, when in fact it does that and much more. This app which is not even a top offender requests 17 different types of information from the user’s profile. This includes information from that user’s friends, including their friends’ birthdays, work history, location, checkins, status, and photos. Facebook allows all this information to be transferred without the consent of the user’s friends.

  10. I agree with all the comments from those of us that are concerned with our privacy on Facebook. It would seem that with all the different privacy settings and such that Facebook really does care about the privacy of its users. The ability of third party developers to access and use such information, however, shatters the glass on that theory. It is also rather disturbing that a third party developer such as Power would send emails under the guise that they were being sent from the Facebook team. In the past I have received emails from the Facebook team and have not thought twice about the authenticity of the sender. While the privacy rights of its users may not actually be of the utmost importance to Facebook, it does seem that it would want to protect its users from fraudulent use by third party developers when it jeopardizes Facebook’s reputation, as it seemed to do in this case. It really makes one think twice about how openly to share information, even on one’s “private” profile.