On July 12, 2016, the 9th Circuit handed down a consequential ruling involving the CFAA (Computer Fraud and Abuse Act) and how the revocation of authorization to visit a website can set the stage for a federal crime. The crux of this case involved a legal threading of the needle between what does, and does not, constitute liability under the CFAA, specifically liability arising from “unauthorized access” of a website. The holding of this case paradoxically both clarifies what a website owner must do to set the stage for federal liability under the CFAA and muddies the waters on what specific conduct of a user is seen as “unauthorized access”.
Power Ventures was a startup that acted as a sort of social media clearinghouse, allowing users to post to many social media platforms at once. In the case of Facebook, users gave Power Ventures access to their accounts, allowing Power to gather information from those accounts as well as to message the users' Facebook “friends”. Part of this case focused on the messages that Power sent to these Facebook friends of its users (Facebook alleged these messages were impermissible spam under a California statute known as CAN-SPAM, but lost this argument), but the more consequential part of this ruling had to do with Facebook’s charge of federal liability under the CFAA for “unauthorized access” of its site. The CFAA states that intentionally accessing a computer without authorization is a federal crime. Facebook accused Power of this “intentional access without authorization” after it sent Power a cease and desist letter and Power continued its access to Facebook regardless. Because Facebook had explicitly revoked Power’s access to its site by virtue of the cease and desist letter, the Court held this was the type of “unauthorized access” prohibited under the CFAA.
The crucial takeaway of this case comes from its intersection with an earlier 9th Circuit en banc opinion in a case called Nosal I. In Nosal I the court specifically held that a violation of a Terms of Service (ToS) agreement was not, on its face, a CFAA violation.
Where the Facebook v. Power case threads the Nosal I needle is in the perceived difference between violating the ToS of a website and violating a cease and desist letter from a website. In the first case, say the ToS of a website specifically prohibits access by a social media company like Power Ventures. Power’s access of that site, even though it is not “authorized access” according to the website’s ToS, still does not rise to the level of a CFAA violation. It cannot be taken conclusively that the computer or website owner did not want the potentially violating user to access its site. However, if that very same website were to send Power a cease and desist letter, Power is now directly aware of the computer/website owner's desire to deny it access. According to the Judge in this case:
“liability attached after permission to access computers was expressly revoked, but then the defendant deliberately circumvented the rescission of authorization”
What seems confusing here, however, is that a computer/website owner could have express language in its ToS denying access to any party, yet that party’s access is not deemed “unauthorized” unless that very same language is sent in the form of a cease and desist letter.
In short, you can intentionally violate the ToS, but you cannot intentionally ignore a cease and desist letter. This almost seems to be a distinction without a difference. Despite the confusing precedent laid out by this case, two things are clear. First, if a website sends you a cease and desist letter revoking your access, it then becomes a federal crime under the CFAA to access said website. Second, the definition of “unauthorized access” creating liability under the CFAA is still in flux and will most certainly be redefined in the near future.