Imagine receiving a cease-and-desist letter from a business rival accusing your company of violating federal and state computer hacking laws. Your mind begins to race. Did an employee go rogue and commit corporate espionage? You scan through the letter for details – only to learn your company is being accused of simply visiting a competitor’s public website. They are demanding you stop trespassing immediately.
Is this a joke, you ask, or could merely visiting a website be a computer crime?
A decision of the United States Court of Appeals for the Ninth Circuit has thrown the issue of computer trespass into the spotlight. The case involves Facebook and a now-defunct social media startup, Power Ventures (“Power”). Power had sought to offer users a centralized location where they could post to all of their social media sites at the same time. Power and its chief executive and founder, Steve Vachani, were defendants in the case.
Trouble arose when Power launched a promotion encouraging users to bring friends to its site. If a user clicked on an icon, Power caused a message to be sent to the user’s friends within the Facebook system. Facebook never approved this, and Power had not registered as a third-party developer with Facebook. Facebook sent a cease and desist letter to Power and eventually blocked the startup from accessing Facebook from its Internet Protocol (“IP”) address. Power switched IP addresses and continued to access Facebook.
Facebook sued Power, alleging violations of the federal Computer Fraud and Abuse Act (“CFAA”) and a related California statute, among other things. The CFAA prohibits “intentionally accessing a computer without authorization or exceeding authorized access, and thereby obtaining … information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C). The CFAA provides for criminal penalties and civil liability.
On appeal, the Ninth Circuit concluded that Power did not initially violate the CFAA because Power users gave Power permission to access Facebook. However, Power did violate the CFAA when it continued to access Facebook after Facebook rescinded permission (i.e. the cease and desist letter).
The concept of trespass may seem strange when it comes to public websites. If visiting a public (not password-protected) site is as simple as clicking on a link from a search engine or typing in a web address, one would think the site is presumptively open to the public, like a park, library, or mall. It’s unclear whether that’s the case. In Facebook v. Vachani, the Ninth Circuit – the federal appellate court with jurisdiction over Silicon Valley and Seattle – passed on this basic question. The court did, however, explain that it can be a crime to access a computer after being instructed not to do so.
Some scholars, including Professor Orin Kerr of The George Washington University Law School, have read the Ninth Circuit’s decision broadly. They believe the court is advising that it is a federal crime for a person to visit a public website after being told not to visit it.
If that is truly the holding, the implications will be far reaching. Company A could instruct Competitor B not to visit Company A’s website or face criminal charges. News media could ban the subjects of controversial articles from reading those very articles. An online bully could create a website targeting an individual and ban that individual from visiting the site, even if he is merely attempting to gain information for a potential lawsuit against the bully. The scenarios are endless.
There is a narrower way to read this case. Rather than saying it’s a crime to merely visit a public website after being told not to do so, the Ninth Circuit could be saying it’s a crime to access a password-protected account on a public website after being told not to do so.
How ever one reads Facebook v. Vachani, it’s important to take seriously any demand that one cease and desist from visiting a website or accessing a computer, no matter how public the website or computer seems. The law of computer trespass is ambiguous. Until the Ninth Circuit or the U.S. Supreme Court clarifies what constitutes a violation of the CFAA, or until Congress amends the statute, some will surely find ways to exploit the broad language in this case.
- New Guidelines Anticipated Following HHS’s Health Cybersecurity Concept Paper
- EU-U.S. Data Privacy Framework Advances to the Next Stage
- Changes to GLBA Safeguards Rule Affect More Than Traditional Financial Institutions
- Ransomware and Phishing Dangers On the Rise
- FTC to Embark on New Privacy Rulemaking
- Hackers are Leveraging Fear during the COVID-19 Pandemic
- No Trespassing: Can Public Websites Ever Be Off Limits?
- Cybersecurity – Global Ransomware Attack is Top of Mind with U.S. Securities Regulator
- Cybersecurity - a Top Operational Risk in FINRA’s 2017 Regulatory and Examination Priorities Letter
- Following Intense Industry Criticism, New York Overhauls Cybersecurity Requirements for Financial Services Companies