Social media sites such as Facebook and LinkedIn have collected personal information on hundreds of millions of subscribers. They have also promised those subscribers that their data will only be shared or used for particular purposes—agreements that are not only enforceable but also are required to be upheld under various FTC consent decrees. On the other hand, much of the data contained about these subscribers is accessible to subscribers with social media accounts. The dilemma is that the data is both “public” (in the sense that it can be seen by those with accounts) and “private” in the sense that it is shared by the subscriber for particular purposes—often only with other approved subscribers.
“UpVoice” is a Chrome extension offered by a company named BrandTotal. The extension, when installed on a user’s machine, scrapes Facebook and Instagram information and sends that information to BrandTotal. Facebook repeatedly tried to shut down the extension, shutting down the company’s social media sites, locking out the extension, removing it from the Google extension store and disabling the functionality. In a corporate game of whack-a-mole, BrandTotal kept creating new accounts or variations of the code to avoid detection and suppression. BrandTotal also sued Facebook, seeking a temporary restraining order prohibiting the social media behemoth from kicking them out. Facebook Inc. v. BrandTotal LLC, 2020 WL 6562349 (N.D. Cal. Nov. 9, 2020)
On Nov. 9, 2020, a federal court in San Francisco ruled on the efficacy of the application for a TRO, finding that BrandTotal was a small company that needed access to Facebook’s information to grow. Without that access, BrandTotal would suffer irreparable harm and would be forced to breach its contracts with those with whom it had promised access to the data. As a Chrome extension, the BrandTotal customers (those who downloaded and installed the extension) consented to the sharing of their Facebook data—which, after all, belonged to the subscriber, not Facebook. So far, so good.
While finding all of this true, the court—at least at the preliminary phase—found that Facebook had legitimate business purposes in preventing the extension from operating. The extension bypassed the security protocols of Facebook and automatically collected information on users (Facebook friends of those who installed the extension) who never consented to the collection of the data in that manner. When a Facebook subscriber set up their privacy settings to permit a “friend” to see something, they did not consent to the scooping up of that data by some app and the use and sale of that data by some unknown company. Moreover, Facebook had settled an FTC complaint and entered into a consent decree whereby the social media company agreed to enforce its own terms of service in a way that would protect the privacy of users. Allowing the scraping would violate both the terms and spirit of its terms of service and would permit the privacy of some Facebook users to be invaded by the scraping software. The software also bypassed and therefore affected Facebook’s privacy and security settings—something the court found that Facebook had a legitimate interest in preventing. The court noted that “BrandTotal had a history of collecting user data in ways that posed risks to security and privacy.”
The court ruled that Facebook had the right to require entities that accessed Facebook’s user data—even with the consent of individual users—to obtain the consent of Facebook to ensure that the privacy and security of the platform itself were protected. This includes a requirement that the method of access—the APIs or other mechanisms—be approved by Facebook. Accessing in a manner not approved by the social media company was “without authorization” and therefore might violate the terms of the federal computer trespass or hacking law, and might subject the company to both civil and criminal liability. Essentially, by not using approved APIs in an approved manner and instead relying on user (subscriber) consent to Chrome extensions, the company might—just might—be “hacking” Facebook.
Is Facebook here protecting the legitimate privacy rights and access to computers? Or is Facebook using its monopoly power to prevent competition? Can Facebook prevent a user from accessing and selling (even to a scraping company) the Facebook data that they are permitted to access? Can Facebook determine the means by which others can access this data? Can Facebook simply prohibit “automated” access (scraping) to data including public data, through Terms of Service?
In the end, BrandTotal was unsuccessful in getting a temporary restraining order against Facebook and an order requiring Facebook to permit the extension to continue. Nonetheless, the case continues. Ultimately, these issues may be decided and pre-empted by the U.S. Supreme Court. Until then, we can expect more battles over when and how people can access computers and data. Scape at your own risk.