Most people would not bring along a group of uninvited strangers to a dinner party or, even worse, a wedding. Society has certain expectations around attendance, guest lists, RSVPs, and the like.  And yet, in the digital realm, these social norms may not have the same effect.   What can be done about digital party crashers?  In particular, how can the owner of a social network ward off competitors who seek access to network content by riding users’ coattails?

The Ninth Circuit delivered guidance on this subject in Facebook, Inc. v. Power Ventures, Inc., No. 13-17102 (9th Cir. July 12, 2016).  The facts are fairly straightforward. was a social network platform designed to allow a “power” user to manage her larger social network from a single platform by aggregating the user’s contacts, events, messages and other information across various other platforms.  In 2008, Power held a promotional campaign to attract Facebook users, placing an icon on its site with the message: “First 100 people to bring 100 new friends to win $100.”  A button on the icon read “Yes, I do!” and, when clicked, the Power user had options to allow Power to contact the user’s Facebook contacts.  For instance, the Power user could direct Power to create a Facebook event promoting Power’s services, and Power would send internal Facebook messages to the user’s Facebook contacts about the event.  In some cases, this internal message would trigger Facebook to generate an external message to the recipient’s personal email address to notify the recipient of the invitation.  The “from” line of these emails identified “Facebook” as the sender, and the body of the emails was signed “Thanks, the Facebook Team.”

When Facebook learned of the campaign, Facebook sent Power a cease and desist letter, eventually blocking Power’s IP address. But Power went around the block with a different IP address and continued accessing Facebook’s site.  Facebook then filed a lawsuit, seeking relief under two federal statutes:  the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN-SPAM Act”), and the Computer Fraud and Abuse Act of 1986 (“CFAA”).  In the resulting opinion, the Ninth Circuit provides some practical guidance on how to address this issue of questionable third party access:

The CAN-SPAM Act affords little relief.

Facebook brought one claim under the CAN-SPAM Act, arguing that the e-mails that Power caused Facebook to generate were materially misleading. The district court agreed with Facebook on this point, but the Ninth Circuit reversed, finding that the external emails were not materially misleading within the meaning of the statute, even when the emails identified Facebook as the sender.  The statute provides that a “from” line that accurately identifies the person initiating the message is not misleading, and, furthermore, multiple persons may be considered to have initiated a message.  In this case, the Ninth Circuit reasoned that since (i) the Power user gave Power permission to access the user’s data for purposes of the promotion, (ii) Power then accessed the data stored on Facebook’s site, and (iii) Facebook generated the emails that were ultimately delivered to the recipients, all three parties were responsible for initiating the message.  Thus, the “from” line identifying Facebook as the sender accurately identified a person initiating the message and was not materially misleading.

Informed consent is key.

The Ninth Circuit may have ruled differently under the CAN-SPAM Act if Power users had not consented to Power’s use of their Facebook data. The Ninth Circuit found it compelling that Power users had to specifically click the “Yes, I do!” button in order to participate in the campaign.  If Power had bypassed this step, and perhaps attempted to send invitations to the user’s Facebook contacts without the user’s permission, Power could have violated another section of the CAN-SPAM Act.  A header of an email can be “materially misleading” if it includes information accessed through false or fraudulent pretenses or representations.  Under these facts, though, the Ninth Circuit found that requiring a user to click the “Yes, I do!” button was sufficient to avoid liability.

Revoking a third party’s permission to access your content should be explicit.

Facebook also brought a claim under the CFAA, which creates liability for acts of computer trespass.  The Ninth Circuit agreed with Facebook that Power violated the CFAA, but only after Power continued to access Facebook’s site after receiving the cease and desist letter.  The Ninth Circuit reasoned that Power’s initial access via the Power user’s consent was at least arguable authorization.  Interestingly, the Ninth Circuit was not concerned with whether the user was authorized by Facebook to grant this level of access to a third party.  Ultimately, however, the court held that the cease and desist letter effectively revoked whatever arguable permission Power had from the user.

In conclusion, it is important to realize that, apart from the question of ownership, the power to control access is also a valuable and distinct right.  In the age of the Internet of Things, data is an increasingly valuable commodity, and we should expect that this issue of users as gatekeepers will remain an integral part of both legal and economic discussions.  In this scenario, Power avoided at least some liability by staying within the scope of the user’s permission.  Power told the user it was going to create an event promoting and then notify the user’s friends of the event.  Power did just that.  But what if Power had gone further?  What if, unbeknownst to the user, Power retained the user’s contact list for analytical purposes, combining it with other users’ lists to catalogue mutual connections or develop data sets that could be used for commercial gain?  Just recently, Facebook came under scrutiny in Germany for data it was collecting from the users of its subsidiary WhatsApp, and Facebook was ordered to delete it.  The possibility of liability increases at the boundaries of consent.