This entry was prepared by Sachi Jepson in the firm’s Washington Office.
Power Ventures is known as the company with the slogan "all your friends in just one place." The slogan refers to the company’s website, Power.com, created to allow users to aggregate data from their various social networking sites and messaging services. But Power Ventures appears to be quite a bit less powerful vis-à-vis Facebook, due to a February ruling from a federal district court about Power Ventures’ marketing practices and the applicability of the Computer Fraud and Abuse Act and a state impermissible computer access statute.
The saga began in December 2008. Power kicked off its service by encouraging users to recruit new Power.com members (and offering a chance to win $100). To make it easy for users to send recruitment e-mails, Power provided them with lists of their Facebook friends from which they could select people to receive automated invitations from an @facebook.mail.com e-mail address.
Facebook objected to this practice and asked Power to stop, to no avail. Thereafter, Facebook brought suit alleging CAN-SPAM violations, violations of California Penal Code § 502, and violations of the Computer Fraud and Abuse Act. In response, Power filed a countersuit against Facebook alleging “anti-competitive practices.”
In its ruling, the federal district court in the Northern District of California found that Power’s conduct (1) violated CAN-SPAM, (2) violated California Penal Code § 502, and (3) violated the CFAA.
With respect to CAN-SPAM, the court agreed with Facebook that Power’s email headers violated the statute, which states that information is “materially misleading” if it disguises the origin of the email, making it hard for a recipient to identify the sender. The emails inviting Facebook users to sign up for Power.com contained no return address or information enabling recipients to respond directly to Power. Although the body of the emails did discuss Power.com, the court found that the misleading header alone was sufficient to violate CAN-SPAM.
An interesting component of this discussion was the court’s consideration of email “origination.” Since the emails were actually sent by Facebook users, using Facebook’s servers, there is a technical question as to whether Power is solely responsible as the “originator.” Ultimately, the court found that Power’s “Launch Program” and its monetary inducements were enough to hold Power responsible for the emails. From the court’s perspective: “the fact that [Power] used a program that was created and controlled by another to send e-mails with misleading headers does not absolve them of liability for sending those e-mails.”
Finally, the court also found Power liable under the CFAA since significant resources were expended in Facebook’s efforts to stop Power’s unauthorized access. The CFAA imposes liability on anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains,” among other things, “information from any protected computer.” 18 U.S.C. § 1030(a)(2). Both civil and criminal liability are possible here. Facebook easily showed it met the $5,000 “loss” threshold for standing under the CFAA—which counts reasonable costs associated with damage assessment and restoration work—through expenses incurred trying to stop Power’s unauthorized access. From there, the court found the calculus rather simple: (1) Power had accessed Facebook without permission from Facebook, (2) Power had obtained information from Facebook’s website, and (3) Facebook suffered sufficient damage. Ergo, CFAA violated.