Facebook’s Lawsuit Protects Its Users Against a Massive Spamming Scheme

On January 26, 2011, the federal district court in the Northern District of California granted Facebook a default judgment against Philip Porembski and PP Web Services LLC for obtaining “login credentials for at least 116,000 Facebook accounts without authorization” and for sending “more than 7.2 million spam messages to Facebook users.” Facebook, Inc. v. Fisher, 2011 WL 250395 *1 (N.D.Cal. Jan. 26, 2011).

This case is a textbook example of how a company can use self-help and available federal law to protect itself and its customers. Not only did Facebook bring a halt to the spam that was plaguing its users, but it also extracted from the perpetrators a significant monetary punishment without the assistance of law enforcement. What is noteworthy is that Facebook was able to achieve this result because it had strong policies in place that prohibited the misuse of its site and then took affirmative steps to enforce those policies through an aggressive federal court action based on two federal statutes designed to protect it and the public against computer crime.

In its complaint, Facebook alleged that the spam emails asked the “recipients to click on a link to a ‘phishing’ site designed to trick users into divulging their Facebook login information” and that “[o]nce users divulge[d] the information, Defendants use[d] it to send spam messages to the users’ friends, repeating the cycle.” The complaint further alleged that “certain spam messages allegedly redirect[ed] users to websites that pay Defendants for each user visit.” Id. The court granted Facebook a permanent injunction directing the defendants to refrain from their illegal activity and granting Facebook $360,500,000 in damages. Id. at *3.

The lawsuit alleged violations of the Computer Fraud and Abuse Act (“CFAA”), Title 18, U.S.C., Section 1030 et seq. and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM Act”), 15 U.S.C. § 7701 et seq. The CFAA, primarily a criminal statute, provides civil remedies to a company injured by a violation of the statute, Title 18, U.S.C. Section 1030(g), and the CAN-SPAM Act permits a civil action to be brought by a “provider of Internet access service adversely affected by a violation of” specified sections of the Act. 15 U.S.C. § 7706(g)(4).

The CFAA count was predicated on an unauthorized access to Facebook’s site through a violation of Facebook’s Statement of Rights and Responsibilities (“SRR”). The SRR prohibits users from “any activity . . . that would impair the operation of Facebook’s website, including the use of data mining ‘bots’ to gain access to users’ login information, the posting of unsolicited advertising on the website or circulation of such advertising via e-mail, or any commercial use of the Facebook website without Facebook’s prior authorization.” Id. at *1. The defendant was a Facebook user who was bound by the terms of the SRR. Users are also bound by Facebook’s “strict policies against spam or any other form of unsolicited advertising.” Id.

The court granted the permanent injunction based on the following factual findings:

Facebook has received more than 8,000 user complaints, and more than 4,500 Facebook users have deactivated their accounts. Additionally, Facebook has expended large financial and professional resources to upgrade its security measures. Defendants have demonstrated a willingness to continue their activities without regard for Facebook’s security measures or cease and desist requests.
Id. at *3.

If the defendant violates the court’s injunction, he can be fined, imprisoned or both.