The explicitly unauthorized use of a social media account is a violation of the Federal Computer Fraud and Abuse Act (18 U.S.C. Section 1030, et seq.). This was the recent decision of the 9th Circuit Court of Appeals in a case brought by Facebook. (The 9th Circuit handles appeals in Federal cases in the Western United States). Facebook had won a lawsuit against the now defunct social media aggregator Power.com. Power.com sought to promote its service by recruiting customers on Facebook. New customers would give their account information to Power.com and click buttons which would allow Power.com to post on their profiles. Power.com was violating Facebook’s Developer Agreement. Facebook sent a cease and desist letter to Power.com – which Power.com ignored.
Facebook sued Power.com in U.S. District Court for violating the Federal Computer Fraud and Abuse Act (“the Act”). After Facebook won a $3 million judgment, Power.com appealed. Power.com argued on appeal that its actions were not a violation of the Act. The Act became law to make the hacking of computers and the appropriation of information on computers a crime. The Act was specifically designed to fight the hacking of computers for identity theft and espionage.
Recently, the 9th Circuit has expanded the use of the law. A former executive was criminally convicted under the Act after he accessed his ex-employer’s computer network. Since his computer access to the employer’s computer network had been cut off, he borrowed his executive assistant’s login information. He took information from the company’s servers. The former executive was prosecuted under the Act and convicted. He appealed to the 9th Circuit and argued that the Act was an anti-hacking statute and he didn’t hack the company’s systems. The 9th Circuit held that the executive’s actions were a violation of the Act and upheld the criminal conviction. (United States v. Nosal, 2016). The court held that any unauthorized use of a computer, server or computer network that required a secure login was a violation of the Act.
In Facebook’s case, Facebook brought a civil lawsuit. Power.com argued that it did not hack Facebook’s servers. However, the court disagreed. Once the owner of a computer/server revokes permission to use, as Facebook did when it sent its cease and desist, then any unauthorized use afterwards was a violation of the Act. When a person has no authorization to use a computer or if permission has been revoked, then continued use is a violation of the Act.
Power.com argued that it had the permission of 3rd party Facebook users and was using their authorized logins. The court held that such gamesmanship or the enlisting of a 3rd party to gain access did not excuse the illegal nature of Power.com’s activities. (Facebook v. Vachani, et al., 2016). The court did hold that violation of a website’s terms of use, by itself, was not a violation of the Act.
The Facebook case caused mild hysteria in legal circles. Some commentators warned that giving your Netflix login to your child in college was now a crime. This isn’t true. The court stated that violation of the terms of use for a website are not a violation and both cases involved an explicit termination of authorization to use. Giving someone your login to an online service is not a crime – until you are warned not do so.
Implications for business
Businesses now have another tool to combat unauthorized use of their computers and networks and the information on them. Former employees frequently take information off their ex-employers’ computers and networks by using someone else’s login. This might now be a crime and the subject of a Federal lawsuit.
However, businesses must explicitly tell employees and contractors that unpermitted use of logins and accessing computers and networks without authority is forbidden. Businesses need to inform their employees in employment contracts and confidentiality agreements that the employees and contractors sign that they are forbidden to give their logins to anyone else or to use any 3rd person’s login, or to access networks and computers without authorization. For more information or help with such warnings, you can contact us.
Eric D. Morton, is an attorney with Clear Sky Law Group, P.C. He concentrates on business, internet and intellectual property law. He can be reached at emorton@clearskylaw.com or 760-722-6582.