No Trespassing: Facebook Sues for Data Scraping

On June 18, Facebook filed a civil lawsuit in a federal court in San Francisco against online mobile platform Massroot8 for “scraping” data about Facebook users in violation of Facebook’s Terms of Service (ToS) and, therefore, as criminal trespass in violation of the federal Computer Fraud and Abuse Act. The case once again raises the question of whether a violation of a website’s terms of service or terms of use by itself renders the user’s “access” to that website either “unauthorized” or “in excess of authorization,” giving rise to both criminal liability and civil damages for trespass. Even though the U.S. Court of Appeals for the Ninth Circuit has conclusively said that it does not—and that case is currently on appeal to the U.S. Supreme Court—it does not appear that the precedent has prevented the online giant from once again resurrecting the doctrine that breaches of contract are also crimes.

ToS’d

According to the complaint filed in the U.S. District Court, Northern District of California, Facebook’s ToS contain specific language that prohibits both automated logins and “scraping”—that is, the harvesting of data from the Facebook site. These terms include Section 3.2.1 of Facebook’s Terms, which prohibits users from “do[ing] … anything unlawful, misleading, [ ] or fraudulent,” or facilitating or supporting others in doing so; Section 3.2.2 of Facebook’s Terms, which prohibits users from “do[ing] anything that could … impair the proper working or appearance of [Facebook] Products;” and Section 3.2.3 of Facebook’s Terms, which prohibits “access[ing] or collect[ing] data from [Facebook] Products using automated means (without our permission) or attempt[ing] to access data you don’t have permission to access.”

Facebook asserts in the lawsuit that by doing “anything misleading” on the platform, Massroot8 is accessing the platform in excess of its authorization and therefore is committing criminal trespass. The same is true for doing anything that “could impair” the site (whether it does or not), and for accessing data by automated means without permission.

Scraping

The lawsuit alleges that people who signed up on Massroot8’s website provided Massroot8 with legitimate credentials for a Facebook account. The suit claims that “customers registered with massroot8.com with an email address, first and last name, and a password [and] needed a valid Facebook username and password in order to use the service.” The customers would voluntarily link their Facebook account to their massroot8.com account and share their Facebook login credentials with Massroot8. Massroot8 would thereafter use a series of computers (bots) masquerading as Android phones to connect to Facebook’s mobile platform to “evade Facebook’s technical restrictions against web scraping” and harvest the data from the users who had given Massroot8 their Facebook credentials. The suit alleges that Massroot8 used “5,500 Facebook users’ credentials to obtain, through automated means, their Facebook Friends’ email address, mobile phone number, and date of birth.”

Once more, in plain English: Massroot8 got Facebook customers’ permission to use their credentials to log into the service. The company then logged in and scraped data about its own customers’ Facebook friends.

CFAA

The complaint alleges three causes of action: Massroot8 breached the contract (terms of service), and this breach rendered the company’s access “unauthorized” or “in excess of authorization,” which violated both the federal computer crime law (Computer Fraud and Abuse Act, CFAA, 18 USC 1030) and the California computer crime statute, California Penal Code § 502.

Web scraping is a common technique to “piggyback” off the hard work of others. For example, controversial facial recognition company Clearview AI used automated scraping to collect “public” photographs of people online from Facebook, Instagram and others for its multibillion-person image database for facial recognition. A company called HiQ used automated tools to collect data from people’s “public” LinkedIn pages and to perform data analysis on that data. When LinkedIn threatened to sue, HiQ beat them to court, and both the trial court and the federal appeals court ruled that HiQ’s actions, even if in violation of the Terms of Service for LinkedIn, did not “exceed the scope of authorization” and were therefore not a crime.

The HiQ court noted that the CFAA was not intended to punish someone who misappropriated data (in the Massroot8 example, “misappropriating” the Facebook friends’ data), but was intended to punish unauthorized intrusions—in other words, break-ins. In a previous case, former employees of job search company Korn Ferry were alleged to have “exceeded” their authorization to access their work computers when they used a colleague’s userid and password to download a database with the knowledge of the colleague but without the permission of their employer. While the action was a misappropriation of the employers’ data, it was not a “computer trespass.” In fact, in a similar case involving Facebook itself, the same federal appeals court held that “[A] violation of the terms of use of a website — without more — cannot establish liability under the CFAA.”

In the case of Massroot8, Facebook alleges that the act of using mobile bots circumvented a technical measure designed to enforce the contractual “no automated access” provision, and therefore made this something more than a mere violation of contract.

Courts have been struggling with the concept of when someone “trespasses” on a computer. For example, if you write a program to log in to Ticketmaster multiple times to try to get tickets to a concert (remember concerts?) in violation of a Ticketmaster agreement, is that a criminal trespass? What if Ticketmaster has a piece of code designed to detect that and you find a way around that code? To the extent that Facebook is asserting that Massroot8’s actions are misleading and therefore violate Facebook’s Terms of Service, therefore rendering their “access” to Facebook unauthorized, I guess that means I should probably not use a 30-year-old photograph of me (I looked awesome in aviator sunglasses) as my profile picture or I could go to jail, right?

The Supreme Court may yet get the last word on the data scraping issue. A petition for review of the HiQ case was filed with the high court March 9 (Dkt. No. 19-1116). Until then, I may have to take down my Facebook profile picture—or get new sunglasses, perhaps a style from this millennium.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
