Facebook’s Lawsuit Protects Its Users Against a Massive Spamming Scheme

On January 26, 2011, the federal district court in the Northern District of California granted Facebook a default judgment against Philip Porembski and PP Web Services LLC for obtaining “login credentials for at least 116,000 Facebook accounts without authorization” and for sending “more than 7.2 million spam messages to Facebook users.” Facebook, Inc. v. Fisher, 2011 WL 250395 *1 (N.D.Cal. Jan. 26, 2011).

This case is a textbook example of how a company can use self-help and available federal law to protect itself and its customers. Not only did Facebook bring a halt to the spam that was plaguing its users, but it also extracted from the perpetrators a significant monetary punishment without the assistance of law enforcement. What is noteworthy is that Facebook was able to achieve this result because it had strong policies in place that prohibited the misuse of its site and then took affirmative steps to enforce those policies through an aggressive federal court action based on two federal statutes designed to protect it and the public against computer crime.

In its complaint, Facebook alleged that the spam emails asked the “recipients to click on a link to a ‘phishing’ site designed to trick users into divulging their Facebook login information” and that “[o]nce users divulge[d] the information, Defendants use[d] it to send spam messages to the users’ friends, repeating the cycle.” The complaint further alleged that “certain spam messages allegedly redirect[ed] users to websites that pay Defendants for each user visit.” Id. The court granted Facebook a permanent injunction directing the defendants to refrain from their illegal activity and granting Facebook $360,500,000 in damages. Id. at *3.

The lawsuit alleged violations of the Computer Fraud and Abuse Act (“CFAA”), Title 18, U.S.C., Section 1030 et seq. and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM Act”), 15 U.S.C. § 7701 et seq. The CFAA, primarily a criminal statute, provides civil remedies to a company injured by a violation of the statute, Title 18, U.S.C. Section 1030(g), and the CAN-SPAM Act permits a civil action to be brought by a “provider of Internet access service adversely affected by a violation of” specified sections of the Act. 15 U.S.C. § 7706(g)(4).

The CFAA count was predicated on an unauthorized access to Facebook’s site through a violation of Facebook’s Statement of Rights and Responsibilities (“SRR”). The SRR prohibits users from “any activity . . . that would impair the operation of Facebook’s website, including the use of data mining ‘bots’ to gain access to users’ login information, the posting of unsolicited advertising on the website or circulation of such advertising via e-mail, or any commercial use of the Facebook website without Facebook’s prior authorization.” Id. at *1. The defendant was a Facebook user who was bound by the terms of the SRR. Users are also bound by Facebook’s “strict policies against spam or any other form of unsolicited advertising.” Id.

The court granted the permanent injunction based on the following factual findings:

Facebook has received more than 8,000 user complaints, and more than 4,500 Facebook users have deactivated their accounts. Additionally, Facebook has expended large financial and professional resources to upgrade its security measures. Defendants have demonstrated a willingness to continue their activities without regard for Facebook’s security measures or cease and desist requests.
Id. at *3.

If the defendant violates the court’s injunction, he can be fined, imprisoned or both.

The 6th Circuit affirms the Computer Fraud and Abuse conviction of an IT Employee

Last week the Sixth Circuit Court of Appeals upheld the criminal conviction under the Computer Fraud and Abuse Act (“CFAA”) of an employee who stole confidential data from his employer’s computers. U.S. v. Batti, 2011 WL 111745 (6th Cir. Jan. 14, 2011). The issues on appeal were limited to whether the government had offered sufficient proof that the value of the data stolen exceeded $5,000 to qualify as a 5-year felony, 18 U.S.C. § 1030 (a)(2)(C)(c)(B)(iii), and whether the district court had abused its discretion in ordering restitution in the amount of $47,565.

These limited issues precluded the Sixth Circuit from addressing the 9th Circuit’s decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1135 (9th Cir. 2009). Brekka stands for the proposition that because an employee has permission to use the company computers, he or she cannot violate the CFAA because an employee’s access to the computers is never “without authorization,” a critical element of the CFAA. However, the facts in Batti and the language in the decision provide clues as to how the 6th Circuit might ultimately rule on this issue.

The defendant had been employed as an information technology employee at Campbell-Ewald, a Michigan advertising firm. The government’s proof showed intrusions into the company computers both during his time as an employee and after his employment had been terminated. While he was still employed, the trial evidence showed that

The defendant accessed Campbell-Ewald’s computer server and copied confidential computer files belonging to Campbell-Ewald’s CEO without authorization. Although these files were normally stored on the CEO’s desktop computer, they had been moved by the company to the company’s server while the CEO’s computer was being replaced. Within these files were “confidential pieces of information … including executive compensation, financial statements of the firm, goals and objectives for senior executives of the company reporting to the chairman, and some strategic plans.”

Id. at *1.

The court’s statement that the defendant “accessed” his employer’s computer server and files “without authorization,” would tend to suggest that the court would not agree with the underlying assumption of Brekka that just because an employee has permission to use the company computers, he can never access the company computers “without authorization.” The defendant, an IT employee, likely had permission to access Campbell-Ewald’s computers as part of his duties.

The court’s statement about the defendant accessing the computer without authorization is only dicta, and the defendant’s conviction was based on the additional proof that after he had been discharged “[t]he FBI determined that Batti had accessed Campbell-Ewald’s confidential files no fewer than twenty-one times . . . , twice through a Campbell-Ewald server and nineteen times through the email account of another Campbell-Ewald employee.” Id. Thus, this proof would comport with Brekka’s holding that once employment had been terminated, the employee would no longer have permission to access the company computers, thereby making his access “without authorization.” Brekka, 581 F.3d at 1136.

Moreover, from the facts recited in the opinion, it is unclear whether the defendant obtained information from the company computers during or after his employment. An additional element of the CFAA violation upon which he was convicted is the obtaining of information from the company computers that he had accessed without authorization. See 18 U.S.C. § 1030(a)(2)(C) (one who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information” commits a crime). There is also no way to know precisely whether the 6th Circuit will join other Circuit Courts in rejecting Brekka, but the direction taken in this case would seem to suggest it will.