Facebook v. Power Ventures

Citation
Facebook, Inc. v. Power Ventures, Inc., 08-CV-5780 (N.D. Cal. Feb. 16, 2012).

Factual Background
On or before December 1, 2008, defendant began advertising and offering “integration” with plaintiff’s site. Defendant allowed its users to enter their Facebook account information and access Facebook through defendant’s site. Defendant’s service is a violation of the Facebook Terms of Use. In connection with its service, defendant ran a promotion whereby users were entered in a chance to win $100 if they successfully invited and signed up new Power.com users. Existing Power.com users were provided with a list of their Facebook friends and given the opportunity to select friends to receive invitations to join Power.com. These invitations purported to come from Facebook and were sent from an “@facebookmail.com” address. In response to defendant’s campaign, Facebook sent notice of its belief that defendant was accessing plaintiff’s website without authorization and subsequently implemented the first of a series of technical measures to block users from accessing Facebook through Power.com.

Trial Court Proceedings
Facebook, Inc. brought this action against defendant Power Ventures, Inc. for violations of the CAN-SPAM Act, the CFAA, and California Penal Code §502. According to the complaint, defendant used plaintiff’s popular social networking site to send unsolicited and misleading commercial emails to Facebook users. The parties submitted cross motions for summary judgment; plaintiff’s motion was granted and defendant’s was denied.

Defendant’s response to plaintiff’s claims is that (1) because plaintiff’s own servers sent the commercial emails at issue, defendant did not initiate the emails as a matter of law; and (2) defendant did not circumvent any technical barriers in order to access Facebook’s site, precluding liability under the federal Computer Fraud and Abuse Act (CFAA) or California Penal Code §502. Defendant also contends that plaintiff suffered no damage as a result of defendant’s actions, and thus lacks standing to bring a private claim.

The CAN-SPAM Act provides that “[i]t is unlawful for any person to initiate the transmission, to a protected computer, of a commercial electronic mail message, or a transactional or relationship message, that contains, or is accompanied by, header information that is materially false or materially misleading.” 15 U.S.C. §7704(a)(1). The Act also creates a private right of action for internet service providers (“IAS providers”) adversely affected by violations of this provision.

Defendant concedes that plaintiff is an IAS provider and argues only that Facebook was not adversely affected by defendant’s actions. Not all possible harms give rise to a cause of action under the Act. Rather, the harms must reflect those types of harms uniquely encountered by IAS providers. Gordon v. Virtumundo, Inc., 575 F.3d 1040, 1048 (9th Cir. 2009). The Gordon court held that harms must exceed the mere annoyance of spam and identified the costs of investing in new equipment to increase capacity, customer service personnel to address increased subscriber complaints, increased bandwidth, network crashes, and the maintenance of anti-spam and filtering technologies as the sorts of ISP-type harms. In support of its motion, plaintiff submitted evidence of substantial personnel hours expended in attempting to blog user access to Power.com’s services as well as approximately $75,000 in attorney’s fees in pre-litigation communication with the defendant. Since plaintiff documented a minimum of 60,000 instances of spamming by defendant, the costs of responding could not be categorized by the court as negligible.

The CAN-SPAM Act provides that “[t]he term ‘initiate,’ when used with respect to a commercial electronic mail message, means to originate or transmit such message or to procure the origination or transmission of such message, but shall not include actions that constitute routine conveyance of such message.” 15 U.S.C. §7702(9). Although plaintiff’s servers did automatically send the emails in question, they were sent at the instruction of defendant’s program and by and through defendant’s use of the servers and user interface of Facebook. As a matter of law, the emails “originated” from the defendant.

The Act further provides that “header information shall be considered materially misleading if it fails to identify accurately a protected computer used to initiate the message because the person initiating the message knowingly uses another protected computer to relay or retransmit the message for purposes of disguising its origin. Id. §7704(a)(1)(C). In the present case, defendant was the initiator of the email but made use of the plaintiff’s system in such a way to cause the header information to represent that the emails originated from the plaintiff. Further, these emails did not contain any return address or any address where a recipient could respond to cease further communication. While defendant may not have had control over what header information was generated by emails sent through plaintiff’s server, defendant had control over whether it should use plaintiff’s server to send messages and based on its decision can be held liable under the Act.

California Penal Code §502 provides that a person is guilty of a public offense if he, inter alia: (1) knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network; (2) knowingly and without permission uses or causes to be used computer services; or (3) knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network. Upon review of the evidence submitted by both parties, the court determined the final factor for Section 502 liability, namely the lack of authorization on the part of defendant. The court relied both on evidence of measures implemented by plaintiff to block defendant as well as evidence that defendant intended its software to circumvent known and future measures to block its system’s use.

Finally, the CFAA imposes liability on any party that “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains,” inter alia, “information from any protected computer.” 18 U.S.C. §1030(a)(2). Suit may be brought by any person who suffers damage or loss in an amount above $5,000. Having already ruled in favor of plaintiff on all requirements under the CFAA, the court ruled in favor of plaintiff on its motion for summary judgment on this cause of action as well.