Jonathan H. Blavin is a partner at the law firm of Munger, Tolles & Olson LLP in San Francisco, California. His practice focuses on intellectual property and antitrust issues. He can be reached at email@example.com.
Less than a year after its release date, the burgeoning social networking site Google+ already has over 90 million users.1 As is the nature with all social networking platforms, Google+’s success will depend upon how many more users join the network and convince their “friends” to do so as well. With roughly 845 million users on Facebook, 500 million on Twitter, and 150 million on LinkedIn,2 that inevitably will mean users from these social networking sites will be joining Google+.
In the wake of Google+’s release, a number of third parties developed tools that allow users to extract and export social data from Facebook and reconstruct their Facebook friends lists on Google+. For example, the tool “Open-Xchange” takes the first and last names of friends from Facebook and matches those names to other e-mail records in users’ accounts. It relies on a Facebook application programming interface (API) to extract the data. Similarly, an extension for the Google Chrome Internet browser (created by an independent programmer) exports not only names but also e-mail addresses, phone numbers, birthdays, and more from Facebook. This tool does not rely upon Facebook’s API for access, but instead extracts data from Facebook pages themselves.3
This article provides an overview of the various legal issues relating to data extraction tools, which are at the center of the increasingly competitive social networking market. In particular, it examines the legality of data extraction tools under the following common law and statutory theories: trespass to chattels; the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §§ 1030 et seq., and its California state law corollary, the California Comprehensive Computer Data Access Act, Cal. Penal Code § 502; tortious interference with contractual relations; the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act), 15 U.S.C. §§ 7701 et seq.; copyright infringement; and the Digital Millennium Copyright Act (DMCA), 17 U.S.C. §§ 1201 et seq. The article also explores the legality of social networking websites’ technological disabling of data extraction tools that allow users to export data to competing websites.
Since the earliest days of the Internet there has been litigation relating to tools used to extract and aggregate data from websites. One of the first and most prominent cases was eBay, Inc. v. Bidder’s Edge, Inc., 100 F. Supp. 2d 1058 (N.D. Cal. 2000). Bidder’s Edge was an auction aggregation site designed to offer online auction buyers the ability to search for items across numerous online auctions without having to search each host site individually.7 It used an automatic crawling tool that searched various auction websites, such as eBay, and “scraped” information from the site. Bidder’s Edge accessed the eBay site approximately 100,000 times a day,8 and the effect of the robots over time was to “consume the processing and storage resources” of eBay’s system.9
The California Supreme Court in Intel Corp. v. Hamidi, 71 P.3d 296 (Cal. 2003), narrowed the potential scope of the eBay decision. There, the court held that a former Intel employee’s e-mails to current Intel employees, despite requests by Intel to stop sending messages, did not constitute a trespass of Intel’s e-mail system. The court rejected the suggestion of the eBay decision that unauthorized use of another’s chattel is actionable even without any present showing of injury, noting that this would not be a correct statement of California or general American law on this point. While one may have no right temporarily to use another’s personal property, such use is actionable as a trespass only if it “has proximately caused injury.” “[I]n the absence of any actual damage the action will not lie.”14
The court made clear that the “injury” required for a trespass to chattels claim must be an “injury to its personal property, or to its legal interest in that property,” i.e., impairing the “quality or value” of a “computer system.”15 The court also rejected injuries premised on “indirect . . . business interests,” such as “reputation, customer goodwill, and employee time,” and held that the time and expense incurred “attempting to block [the employee’s] messages” cannot “be bootstrapped into an injury to Intel’s possessory interest in its computers.”16
Under the reasoning of Hamidi, a social networking site plaintiff would need to establish that a data extraction tool caused an actual, non-de minimis impairment to its physical property or a legal interest in that property, diminishing its quality or value. A plaintiff thus may be unable to establish cognizable injury under a trespass claim premised on indirect business harms, e.g., the resources expended attempting to block a data extraction tool, or the loss of users to competing social networking sites as a result of the tool.
In Facebook, Inc. v. Power Ventures, Inc., No. C 08-05780 JW, 2010 WL 3291750 (N.D. Cal. July 20, 2010), the court explicitly disagreed with the ConnectU court on this point. There, Facebook sued Power.com, a website designed to integrate various social networking or e-mail accounts into a single portal. Power.com users determined which social networking sites they wanted to integrate into a single portal, and then provided their user names and passwords to Power.com for those sites. Power.com then “scraped” user information from the accounts into a single portal. The site also asked Facebook users to select which of their friends should receive a Power.com invitation, and then sent those friends unsolicited e-mails to join Power.com that purportedly came from “Facebook” and used an “@facebookmail.com” address.
For example, would a 12½-year-old user’s creation of a Facebook account, in violation of its 13 years of age requirement, be sufficient to subject him or her to criminal liability under section 502?
In determining where to draw the liability line, the Power Ventures court held that a “distinction can be made between access that violates a term of use and access that circumvents technical or code-based barriers that a computer network or website administrator erects to restrict the user’s privileges within the system, or to bar the user from the system altogether,” and that unlike the former, the latter may “subject a user to liability under Section 502.”22 This focus on technological circumvention essentially turns section 502 into a DMCA-like statute, which is discussed further below. The Power Ventures court recently granted summary judgment for Facebook on its section 502 and CFAA claims, finding that the “undisputed facts establish that Defendants circumvented technical barriers to access Facebook site, and thus accessed the site ‘without permission.’”23
Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by g-chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes.26
Unlike the damages limitations on a trespass to chattels claim under the Hamidi decision, the CFAA and section 502 allow plaintiffs to recover for resources expended for attempting to block unauthorized access from social data extraction tools. The CFAA defines “loss” to include “any reasonable cost to any victim, including the cost of responding to an offense.”27 Similarly, section 502 provides that any person who “suffers damage or loss by reason of a violation” of the Act may recover “any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, damaged, or deleted by the access.”28 In Power Ventures, the court held that Facebook had suffered cognizable damage under section 502 sufficient to establish standing where it “attempted to block Power’s access” and “expended resources to stop Power from committing acts that Facebook [contended] constituted Section 502 violations.”29
Some data extraction tools not only extract and export friend data, but also separately e-mail friends to invite them to join the new social networking site. As noted, ConnectU collected e-mail addresses of Facebook users, and then used those e-mail addresses to solicit business for itself. Similarly, Power.com asked Facebook users to select which of their friends should receive a Power.com invitation, and would then send those friends unsolicited e-mails to join Power.com.
To state a claim under CAN-SPAM, a party must allege that the defendant sent e-mails containing “materially false or materially misleading” header information.31 The statute defines false or materially misleading headers to include “information that is technically accurate but includes an originating electronic mail address, domain name, or Internet Protocol address the access to which for purposes of initiating the message was obtained by means of false or fraudulent pretenses or representations.”32
In the ConnectU case, the court dismissed Facebook’s CAN-SPAM claim, with leave to amend, noting that even if there was “deception in connection with the manner in which ConnectU gathered the destination email addresses,” there was “nothing in the complaint suggest[ing] that emails subsequently sent to those addresses included headers that were misleading or false as to the source from which they originated, or in any other manner.”33 By contrast, in Power Ventures, the court recently granted summary judgment for Facebook on its CAN-SPAM claim, holding that although the defendants were the “initiators” of the e-mail messages, their software program “caused Facebook servers to automatically send the e-mails,” which contained an “@facebookmail.com” address.34 Thus, as the header information did “not accurately identify the party that actually initiated the e-mail within the meaning of the Act,” the header information was “materially misleading as to who initiated the e-mail.”35
Data extraction tools also potentially raise copyright infringement issues. As the court made clear in Power Ventures, “Facebook does not have a copyright on user content, which ultimately is the information that Defendants’ software seeks to extract.”36 Nonetheless, the court held that Facebook had adequately pled a claim for copyright infringement because Power.com had made an unauthorized “cache” copy of the Facebook website into a computer’s RAM, which as a collection of noncopyrighted material arranged in an original way was subject to copyright protection.37
Section 1201(a) of the DMCA prohibits “circumvention” or trafficking in tools that “circumvent” a “technological measure that effectively controls access to a work protected under [the Copyright Act].”42 Section 1201(b) of the DMCA prohibits trafficking in technology that circumvents a technological measure that “effectively protects” a copyright owner’s right.43
There has yet to be significant litigation regarding the legality of technological measures disabling social data extraction tools, but this also may be an area of potential legal development. Thus far, courts have been skeptical of such claims.
In the Power Ventures case, the defendants asserted an antitrust counterclaim alleging that while “Facebook solicited (and continues to solicit) internet users to provide their account names and passwords for users’ email and social networking accounts,” and runs “automated scripts to import their lists of friends and other contacts” into Facebook, “Facebook simultaneously prohibited (and prohibits) users from using the same type of utility to access their own user data when it is stored on the Facebook site.”45
The district court dismissed this counterclaim on the pleadings, holding that:
Defendants cite no authority for the proposition that Facebook is somehow obligated to allow third-party websites unfettered access to its own website simply because some other third-party websites grant that privilege to Facebook. In fact, the Ninth Circuit has held that merely introducing a product that is not technologically interoperable with competing products is not violative of Section 2 [of the Sherman Act].46
As the social networking world continues to grow and expand and new competitors like Google+ enter the market, the proliferation of data extraction tools undoubtedly will continue. Although courts widely have found that such tools are subject to and potentially violate several intersecting areas of the law, the fast-moving state of the Internet frequently outpaces legal developments. These doctrines not only raise complex issues regarding the legality of social data extraction tools, but also important questions concerning a user’s “right” to export his or her online life from one social networking site to another. It will be interesting to see how both the technology and the law of social data extraction tools continues to evolve in the months and years to come.
1. Sahil Shaikh, Google Plus Crosses 90 Million User Mark, Technorati (Feb. 7, 2012), http://technorati.com/social-media/article/google-plus-crosses-90-million-user1/.
2. Chris Martin, Twitter Reaches the 500 Million User Mark, Inquirer (Feb. 23, 2012), http://www.theinquirer.net/inquirer/news/2154553/twitter-reaches-500-million-user-mark; Michael McHugh, One Facebook User = Two LinkedIn Users, and Other Things the Stock Market Tells Us, Forbes (Feb. 21, 2012), http://www.forbes.com/sites/ycharts/2012/02/21/one-facebook-user-two-linkedin-users-and-other-things-the-stock-market-tells-us/.
3. Emil Protalinski, Facebook Blocks Google Chrome Extension for Exporting Friends, ZDNet (July 5, 2011), http://www.zdnet.com/blog/facebook/facebook-blocks-google-chrome-extension-for-exporting-friends/1935; Stephen Shankland, Facebook Blocks a Second Contact Export Tool, CNET (July 11, 2011), http://news.cnet.com/8301-30685_3-20078435-264/facebook-blocks-a-second-contact-export-tool/#ixzz1SJk1xg4y.
4. Statement of Rights and Responsibilities, Facebook, http://www.facebook.com/terms.php?ref=pf (last updated Apr. 26, 2011).
5. See supra note 3.
6. Leena Rao, Zing! Larry Page Calls Out “Competitors” (aka Facebook) for Lack of Social Data Portability, TechCrunch (July 16, 2011), http://techcrunch.com/2011/07/16/zing-larry-page-calls-out-
7. eBay, Inc. v. Bidder’s Edge, Inc., 100 F. Supp. 2d 1058, 1061 (N.D. Cal. 2000).
8. Id. at 1062.
9. Id. at 1061.
10. Id. at 1070.
11. Id. at 1069–70.
13. Id. at 1065–66, 1071–72.
14. Intel Corp. v. Hamidi, 71 P.3d 296, 306 (Cal. 2003) (alteration in original) (citations omitted).
15. Id. at 308.
16. Id. at 307–08.
17. 18 U.S.C. § 1030(a)(1).
18. Cal. Penal Code § 502(c).
19. Facebook, Inc. v. ConnectU LLC, 489 F. Supp. 2d 1087, 1089 (N.D. Cal. 2007).
20. Id. at 1090–91.
21. Facebook, Inc. v. Power Ventures, Inc., No. C 08-05780 JW, 2010 WL 3291750, at *9 (N.D. Cal. July 20, 2010).
22. Power Ventures, 2010 WL 3291750, at *11.
23. Facebook, Inc. v. Power Ventures, Inc., No. C 08-05780 JW, 2012 WL 542586, at *10–11 (N.D. Cal. Feb. 16, 2012).
24. See United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); United States v. John, 597 F.3d 263 (5th Cir. 2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006); EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58, 62–63 (1st Cir. 2003).
25. United States v. Nosal, 2012 WL 1176119, at *7–8 (9th Cir. April 10, 2012).
26. Id. at *4. A potential defendant who distributes data extraction tool software could argue that they are merely selling a tool or technology that enables its users to “access” these websites, and therefore cannot be found directly liable under the CFAA. Although there is a split of authority on the issue, some courts have permitted vicarious liability claims under the CFAA where the defendant affirmatively urged the primary violator to gain unauthorized access to a computer for the defendant’s benefit. See, e.g., Charles Schwab & Co. v. Carter, 2005 WL 2369815, at *7 (N.D. Ill. Sept. 27, 2005) (holding that “imposing vicarious liability would further the CFAA’s purpose.”); Ipreo Holdings LLC v. Thomson Reuters Corp., 2011 WL 855872, at *8 (S.D.N.Y. Mar. 8, 2011) (same); but see Jagex Ltd. v. Impulse Software, 750 F. Supp. 2d 228, 238 (D. Mass. 2010) (rejecting “theory of contributory liability under the CFAA.”); Doe v. Dartmouth-Hitchcock Med. Ctr., 2001 WL 873063, at *5 (D.N.H. July 19, 2001) (same).
27. 18 U.S.C. § 1030(e)(11).
28. Cal. Penal Code § 502(e)(1).
29. Power Ventures, 2010 WL 3291750, at *4.
30. Sole Energy Co. v. Petrominerals Corp., 128 Cal. App. 4th 212, 237–38 (2005).
31. 15 U.S.C. § 7704(a)(1).
32. Id. (emphasis added).
33. Facebook, Inc. v. ConnectU LLC, 489 F. Supp. 2d 1087, 1095 (N.D. Cal. 2007).
34. Facebook, Inc. v. Power Ventures, Inc., No. C 08-05780 JW, 2012 WL 542586, at *8 (N.D. Cal. Feb. 16, 2012).
36. Facebook, Inc. v. Power Ventures, Inc., No. C 08-5780 JF (RS), 2009 WL 1299698, at *4 (N.D. Cal. May 11, 2009).
37. Id. at *4 & n.2.
38. Id. at *4.
40. MDY Indus., LLC v. Blizzard Entm’t, Inc., 629 F.3d 928, 941 (9th Cir. 2010).
42. 17 U.S.C. § 1201(a)(1)(A), (a)(2).
43. Id. § 1201(b)(1).
44. Power Ventures, 2009 WL 1299698, at *5.
45. Power Ventures, 2010 WL 3291750, at *13.
46. Id. (citing Foremost Pro Color, Inc. v. Eastman Kodak Co., 703 F.2d 534 (9th Cir. 1983)).