The Facebook v. Power case is an example of how the web scraping legal landscape changes over time. This article elaborates on what impact receiving cease-and-desist letters (“C&D”) or circumventing technical barriers may have in litigation.
Power violated the Computer Fraud and Abuse Act of 1986, or CFAA, which prohibits acts of computer trespass by those who are not authorized users or who exceed authorized use, and California Penal Code § 502, but only after it received a cease and desist letter from Facebook and nonetheless continued to access Facebook’s computers without permission.
Why is that, and why did courts decide to deviate from this interpretation later in the hiQ Labs, Inc. v. LinkedIn (“hiQ Labs v. LinkedIn”)?
Facebook v. Power case summary
Facebook v. Power is a lawsuit in which Facebook, Inc. (“Facebook”) alleged that Power Ventures Inc., a third-party platform aggregating social media sites (“Power”), collected user information from Facebook and got permission from users to take the information from those sites and display them on Power.com so that a user would see all its social media sites there.
Facebook sent a C&D demanding Power stop the activity, which, among other things, violated the Computer Fraud and Abuse Act (“CFAA”) and breached their terms of service (which Power decided to ignore).
That led to litigation in which courts confirmed that Power violated the CFAA by accessing Facebook with the users' permission after receiving the C&D.
CFAA and authorization to access data
The panel stated that violating the terms of use of a website "without more" cannot be the basis for liability under the CFAA. However, there were additional factors.
At first, according to the court, Power had implied authorization to access Facebook’s computers, so it did not violate the statute. But when Facebook sent the C&D, Power, as it admitted, knew that it no longer had permission to access Facebook’s computers at all.
In addition to C&D, Facebook instituted an IP block to prevent Power from accessing the Facebook website from Power’s IP address. Power responded by switching IP addresses to circumvent the block. During this period, Power continued its promotion even though it acknowledged that it took, copied, or used data from Facebook.com without Facebook’s permission.
According to the court, “Once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability.”
In other words, if someone affirmatively revokes your access, you cannot sidestep the statute by accessing the computer through a third party.
A non-Facebook user may not generally use the website to send or post content or otherwise contact Facebook users through their profiles. On the contrary, Facebook requires third-party developers or websites that wish to contact its users through its site to enroll in a program called “Facebook Connect.” These third parties must register with Facebook and agree to an additional Developer Terms of Use Agreement.
Power argued that it is authorized simply because its users integrating their Facebook account into the Power.com platform consented and granted Power access to their Facebook accounts and prevented Facebook scams.
However, the courts concluded that that was not enough. To establish “authorized access,” authorization is required from both individual Facebook users (who control their data and personal pages) and Facebook (which stores this data on its physical servers). Permission from the users alone was insufficient to constitute authorization after Facebook issued the C&D.
hiQ Labs parallel
To understand the development in interpreting "authorized access" under the CFAA, particularly in the web scraping context and the role of C&Ds and setting technical barriers, it is worth comparing the Facebook vs. Power case with the later hiQ Labs v. LinkedIn case.
Both cases involve companies (hiQ Labs and Power Ventures) that were accessing data from social media platforms (LinkedIn and Facebook, respectively) through automated means (web scraping).
In both instances, the platforms attempted to stop this activity by sending C&Ds, asserting that the continued scraping constituted unauthorized access under the CFAA. Also, in both cases, the platforms implemented technical barriers preventing defendants from automated access to the data in question.
In Facebook v. Power, the court held that once Facebook sent a C&D, any further access by Power was unauthorized under the CFAA. The letter effectively revoked any implied authorization Power might have had, mainly because it circumvented technical barriers (e.g., IP blocking).
Similarly, LinkedIn sent a C&D to hiQ Labs, claiming their scraping was unauthorized. However, the Ninth Circuit took a different approach, ruling that scraping publicly available data did not constitute unauthorized access under the CFAA, even after a C&D was issued.
The critical question was whether the accessed data was “publicly available” or not. Publicly available data is any data that is generally available to anyone with an internet connection on the respective website without the need to authenticate, e.g., login to a user account.
Power accessed information on a website that was not considered "publicly available" since accessing it required authentication (logging in with credentials), no matter that the individual users consented to share their data.
In contrast, in the hiQ Labs v. LinkedIn case, the court defined the accessed data as “publicly available” since no authentication was needed to access the data (data is generally accessible just by visiting the website without a need to create a user account). The court further emphasized in the hiQ Labs v. LinkedIn case that the CFAA was not intended to penalize access to publicly available information even if accessed by overcoming technical barriers such as CAPTCHA.
Summary
The Facebook v. Power case illustrates the evolving legal interpretations of web scraping. Power Ventures initially had implied permission to access Facebook data, as its users consented to share their information. However, once Facebook sent a cease-and-desist (C&D) letter and blocked Power's IP, any further access was deemed unauthorized under the Computer Fraud and Abuse Act (CFAA), particularly because Power circumvented technical barriers.
In contrast, the later hiQ Labs v. LinkedIn case took a different approach. The court ruled that scraping publicly available data, even after receiving a C&D and bypassing technical barriers, did not violate the CFAA.
The key distinction between the cases was whether the data being accessed required authentication—Facebook's data did, while LinkedIn’s data did not. This difference in how "authorized access" is defined, based on data accessibility, is central to how courts interpret web scraping under the CFAA.
We are lawyers, but we are not your lawyers. Even though we want to help as much as we can, we do not know the details of your project. For professional legal advice, please talk to a certified lawyer in your country.