The U.S. Court of Appeals for the 9th Circuit has handed down a very important decision on the Computer Fraud and Abuse Act, Facebook v. Vachani, which I flagged just last week. For those of us worried about broad readings of the Computer Fraud and Abuse Act, the decision is quite troubling. Its reasoning appears to be very broad. If I’m reading it correctly, it says that if you tell people not to visit your website, and they do it anyway knowing you disapprove, they’re committing a federal crime of accessing your computer without authorization.
I think this decision is wrong, and that it has big implications going forward. Here’s a rundown of the case and why it matters. I’ll conclude with a thought about a possible way to read the case more narrowly, as well as why I’m not convinced that narrow reading is correct.
I. The Facts
Facebook then sued, claiming that Power’s conduct violated the CFAA, a somewhat similar California unauthorized access statute and the CAN-SPAM Act. Just to keep things simple, I’ll focus this post only on the claims brought under the CFAA.
II. The New Decision
In the new decision, the court holds that Power violated the CFAA when it continued to access Facebook’s computers with users’ permission after receiving the cease-and-desist letter. Oddly, Judge Susan P. Graber’s explanation for why Power violated the CFAA focuses almost exclusively on Power’s state of mind rather than what Power did. The CFAA prohibits intentionally accessing a computer without authorization. Instead of explaining what counts as access “without authorization,” Judge Graber focuses mostly on whether Power had a culpable state of mind with respect to whether it was doing something unwanted.
Here’s the key analysis:
Initially, Power users arguably gave Power permission to use Facebook’s computers to disseminate messages. Power reasonably could have thought that consent from Facebook users to share the promotion was permission for Power to access Facebook’s computers. [FN: Because, initially, Power users gave Power permission to use Facebook’s computers to disseminate messages, we need not decide whether websites such as Facebook are presumptively open to all comers, unless and until permission is revoked expressly.] . . . Power users took action akin to allowing a friend to use a computer or to log on to an e-mail account. Because Power had at least arguable permission to access Facebook’s computers, it did not initially access Facebook’s computers “without authorization” within the meaning of the CFAA.
The record shows unequivocally that Power knew that it no longer had authorization to access Facebook’s computers, but continued to do so anyway. In requests for admission propounded during the course of this litigation, Power admitted that, after receiving notice that its use of or access to Facebook was forbidden by Facebook, it “took, copied, or made use of data from the Facebook website without Facebook’s permission to do so.” (Emphasis added; capitalization omitted.)
. . . In sum, as it admitted, Power deliberately disregarded the cease and desist letter and accessed Facebook’s computers without authorization to do so. It circumvented IP barriers that further demonstrated that Facebook had rescinded permission for Power to access Facebook’s computers. [FN: Simply bypassing an IP address, without more, would not constitute unauthorized use. Because a blocked user does not receive notice that he has been blocked, he may never realize that the block was imposed and that authorization was revoked. Or, even if he does discover the block, he could conclude that it was triggered by misconduct by someone else who shares the same IP address, such as the user’s roommate or co-worker.] We therefore hold that, after receiving written notification from Facebook on December 1, 2008, Power accessed Facebook’s computers “without authorization” within the meaning of the CFAA and is liable under that statute.
As I read the court’s opinion, the main issue is state of mind. Did you know that the computer owner didn’t want you to visit the website? At first, Power didn’t know Facebook’s view. But after the cease-and-desist letter, Power knew Facebook’s position. As a result, it was a federal crime to use Facebook after having received Facebook’s letter telling it to stay away. If I’m reading the opinion correctly, it appears that every contact with the computer that its owner doesn’t want is “without authorization.” The main question becomes mens rea: The visit becomes a federal crime when the visitor knows that the computer owner doesn’t want it.
Judge Graber offers two explanations for the difference. First:
I don’t follow this.
First, I don’t understand why it matters whether there is an existing contractual relationship. Maybe that’s relevant to whether we are in the illegal “access without authorization” box or the equally illegal “exceeds authorized access” box, which Judge Graber elsewhere notes is a possible difference between this case and Nosal I. But I don’t see how it could be the difference between illegal “access without authorization” and legal authorized access.
IV. The Physical World Analogy
Finally, Judge Graber offers a physical-world analogy that I suspect may really explain the decision.
Suppose that a person wants to borrow a friend’s jewelry that is held in a safe deposit box at a bank. The friend gives permission for the person to access the safe deposit box and lends him a key. Upon receiving the key, though, the person decides to visit the bank while carrying a shotgun. The bank ejects the person from its premises and bans his reentry. The gun-toting jewelry borrower could not then reenter the bank, claiming that access to the safe deposit box gave him authority to stride about the bank’s property while armed. In other words, to access the safe deposit box, the person needs permission both from his friend (who controls access to the safe) and from the bank (which controls access to its premises). Similarly, for Power to continue its campaign using Facebook’s computers, it needed authorization both from individual Facebook users (who controlled their data and personal pages) and from Facebook (which stored this data on its physical servers).
I explained my problem with this kind of analogy in my recent article “Norms of Computer Trespass.” As I see it, the problem is that the trespass norms of private spaces like homes or commercial stores can’t be blindly applied to a public website. Trespass is always norms-dependent, and each kind of space has its own set of norms. In the case of a bank, we recognize that the bank is a private business that only permits visitors that it wants to enter. The trespass norm is that staying when the bank wants you out is a trespass.
Public websites are different, I think. The web is a publishing platform, and everyone is inherently authorized to visit a public website. True, Power did more than just visit the public face of the website. Power also accessed the individual accounts of users acting as their agents. But as I see it, that’s not enough to constitute a computer trespass because it’s within the permission of the user and acting as the user’s agent. The only non-public access was to the virtual space the user controlled, so I think the user’s permission should be enough.
This doesn’t mean that what Power did is necessarily a good thing. Maybe there should be other causes of action against Power for its conduct. But as I see it, the CFAA shouldn’t be one of them based on these facts. Facebook also could suspend the accounts of its users who authorized Power, or it could take technical steps to stop Power’s entry inside Facebook’s network. But I don’t think it should have been allowed to rely on the CFAA to keep Power away with a letter.
V. A Narrower Reading?
One question is whether you can read the decision more narrowly to apply only to accessing an account rather than visiting a website. Here’s the uncertainty: Is the decision saying broadly that you can’t visit the public face of a website after the computer owner said “no,” or is the decision saying more narrowly that you can’t access an individual account with the user’s permission after the computer owner said “no”? I would still disagree with the narrower reading, but it would be a lot less objectionable than the broader one.
Reading over the opinion, though, I don’t see a lot of reason to think the court had the narrower interpretation in mind. Consider these clues. First, Footnote 1 states:
Because, initially, Power users gave Power permission to use Facebook’s computers to disseminate messages, we need not decide whether websites such as Facebook are presumptively open to all comers, unless and until permission is revoked expressly.
The court then cites a law review article “asserting that websites are the cyber-equivalent of an open public square in the physical world.” By not deciding that question, the court appears not to be hinging its analysis on a distinction between visiting the public part of a website and accessing a private account that happens to be accessible over the web. The effect of a cease-and-desist letter appears to be the same in both cases.
Third, the court says that by sending the cease-and-desist letter, “Facebook explicitly revoked authorization for any access[.]” (emphasis in original). It doesn’t say that the authorization was revoked for the account access but not for visiting material accessible to the public on its computers (content such as this, for example, which anyone can access). Again, that suggests the broader reading rather than the narrower reading.
VI. What Next?
Given the wafer-thin distinction between this case and the en banc decision in Nosal I, will the 9th Circuit grant a petition for rehearing en banc? I hope so. As always, stay tuned.