9th Circuit Rules It’s Illegal to Visit a Website After Being Told Not To in Facebook Case

The 9th Circuit U.S. Court of Appeals has handed down a controversial decision holding that it’s a federal crime to visit a website after its owner has requested that a user not return to the site.

The case, Facebook v. Vachani, decided by the U.S. Court of Appeals for the 9th Circuit, holds that Internet users who violate the request of website owners to stay away from their site are committing a federal crime. The decision suggests that violators are committing the crime of accessing the computer of the site’s owner without authorization.

In the situation analyzed in Facebook v. Vachani, management at Facebook sent a cease-and-desist letter to the operators of Power.com, a social media management tool that allowed users to connect all of their online accounts into one profile. Although many third-party companies take advantage of Facebook’s API network, Power allegedly violated Facebook’s terms of use by authorizing its software to send Facebook messages to other Facebook users.

The court held that Power violated the Computer Fraud and Abuse Act (CFAA) by ignoring the cease-and-desist letter and continuing to allow its users to violate Facebook’s terms of use. In her analysis, Judge Susan P. Graber, who presided over the case, focused specifically on the state of mind of the actors at Power, who, she claims, willingly disobeyed the cease-and-desist letter from Facebook.

In her explanation, she provided the following analogy to describe the situation between Power and Facebook:

Suppose that a person wants to borrow a friend’s jewelry that is held in a safe deposit box at a bank. The friend gives permission for the person to access the safe deposit box and lends him a key. Upon receiving the key, though, the person decides to visit the bank while carrying a shotgun. The bank ejects the person from its premises and bans his reentry. The gun-toting jewelry borrower could not then reenter the bank, claiming that access to the safe deposit box gave him authority to stride about the bank’s property while armed. In other words, to access the safe deposit box, the person needs permission both from his friend (who controls access to the safe) and from the bank (which controls access to its premises). Similarly, for Power to continue its campaign using Facebook’s computers, it needed authorization both from individual Facebook users (who controlled their data and personal pages) and from Facebook (which stored this data on its physical servers).

Despite this seemingly tight argument, many legal scholars have taken issue with the decision. Orin Kerr, a Professor of Law at George Washington University and a columnist at The Washington Post, argues that the decision is flawed, claiming that everyone is inherently authorized to visit public websites:

Public websites are different, I think. The web is a publishing platform, and everyone is inherently authorized to visit a public website. True, Power did more than just visit the public face of the website. Power also accessed the individual accounts of users acting as their agents. But as I see it, that’s not enough to constitute a computer trespass because it’s within the permission of the user and acting as the user’s agent.

You can read the essential part of the court’s decision below and decide for yourself whether or not this controversial decision is correct:

Initially, Power users arguably gave Power permission to use Facebook’s computers to disseminate messages. Power reasonably could have thought that consent from Facebook users to share the promotion was permission for Power to access Facebook’s computers. [FN: Because, initially, Power users gave Power permission to use Facebook’s computers to disseminate messages, we need not decide whether websites such as Facebook are presumptively open to all comers, unless and until permission is revoked expressly.] . . . Power users took action akin to allowing a friend to use a computer or to log on to an e-mail account. Because Power had at least arguable permission to access Facebook’s computers, it did not initially access Facebook’s computers “without authorization” within the meaning of the CFAA.

But Facebook expressly rescinded that permission when Facebook issued its written cease and desist letter to Power on December 1, 2008. Facebook’s cease and desist letter informed Power that it had violated Facebook’s terms of use and demanded that Power stop soliciting Facebook users’ information, using Facebook content, or otherwise interacting with Facebook through automated scripts. Facebook then imposed IP blocks in an effort to prevent Power’s continued access.

The record shows unequivocally that Power knew that it no longer had authorization to access Facebook’s computers, but continued to do so anyway. In requests for admission propounded during the course of this litigation, Power admitted that, after receiving notice that its use of or access to Facebook was forbidden by Facebook, it “took, copied, or made use of data from the Facebook website without Facebook’s permission to do so.” (Emphasis added; capitalization omitted.)

. . . In sum, as it admitted, Power deliberately disregarded the cease and desist letter and accessed Facebook’s computers without authorization to do so. It circumvented IP barriers that further demonstrated that Facebook had rescinded permission for Power to access Facebook’s computers. [FN: Simply bypassing an IP address, without more, would not constitute unauthorized use. Because a blocked user does not receive notice that he has been blocked, he may never realize that the block was imposed and that authorization was revoked. Or, even if he does discover the block, he could conclude that it was triggered by misconduct by someone else who shares the same IP address, such as the user’s roommate or co-worker.] We therefore hold that, after receiving written notification from Facebook on December 1, 2008, Power accessed Facebook’s computers “without authorization” within the meaning of the CFAA and is liable under that statute.

Tom Ciccotta is a classical liberal who writes about Free Speech and Intellectual Diversity for Breitbart. You can follow him on Twitter @tciccotta or on Facebook. You can email him at tciccotta@breitbart.com