Facebook, Inc. v. Power Ventures, Inc.
844 F.3d 1058
| 9th Cir. | 2016Background
- Power Ventures operated Power.com, which aggregated users’ social-network data; users could click a "Yes, I do!" button to share promotions to their Facebook friends.
- Power’s December 2008 promotion caused Facebook to transmit form emails and internal messages that identified Facebook as the sender and listed Power as host of events; over 60,000 external emails were sent.
- Facebook sent a written cease-and-desist letter and implemented IP blocks on December 1, 2008; Power admitted it continued to access and copy Facebook data and circumvented IP blocks.
- Facebook sued Power and CEO Steven Vachani under the CAN-SPAM Act, the CFAA, and California Penal Code § 502; the district court granted summary judgment for Facebook on all claims and awarded damages and injunctive relief.
- The Ninth Circuit affirmed liability for unauthorized access (CFAA) and violation of § 502 after the cease-and-desist, reversed on the CAN-SPAM claim (messages not materially misleading), affirmed Vachani’s personal liability, and vacated/ remanded remedies to limit damages to conduct after the cease-and-desist.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether Power violated CAN-SPAM by sending messages with misleading headers/from lines | Facebook: messages identified Facebook as sender and thus were materially misleading | Power: users authorized the messages; headers and from-lines accurately reflected initiation | Reversed: messages were not materially false/misleading because Facebook (and users) also initiated messages and headers were technically accurate |
| Whether Power violated the CFAA by accessing Facebook computers | Facebook: Power accessed without authorization after receiving cease-and-desist and circumvented IP blocks | Power: initial user consent authorized access; at most violated site terms, which do not trigger CFAA liability | Affirmed in part: Power liable under CFAA for access after Facebook explicitly revoked permission by written notice and IP blocks |
| Whether Power violated California Penal Code § 502 | Facebook: Power knowingly accessed and copied Facebook data without permission after notice | Power: initial user consent permitted access; no ongoing permission after user consent ended | Affirmed: Power knowingly accessed and used Facebook data without permission after the cease-and-desist |
| Whether Vachani is personally liable and whether discovery sanctions/damages were proper | Facebook: Vachani was the guiding spirit and directed the campaign; sanctions and damages appropriate | Power: challenge to personal liability and sanctions | Affirmed personal liability and discovery sanctions; vacated damages/injunctions for reconsideration limited to post-notice period |
Key Cases Cited
- LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir.) (permission rescinded converts authorized access into "without authorization" under CFAA)
- United States v. Nosal, 676 F.3d 854 (9th Cir. en banc) (terms-of-use violations alone do not constitute "exceeds authorized access" under CFAA)
- United States v. Nosal, 828 F.3d 865 (9th Cir. 2016) (clarifies scope of CFAA after Nosal I)
- Gordon v. Virtumundo, Inc., 575 F.3d 1040 (9th Cir.) (CAN-SPAM regulates materially false or misleading header information)
- United States v. Christensen, 801 F.3d 970 (9th Cir.) (distinguishing California § 502 from the CFAA)