In Facebook v. Power Ventures, 9th Circuit finds defendant not liable under anti-spam law.
A federal appeals court ruled Tuesday largely in favor of a defunct social networking company—finding that the forgotten startup did not violate an anti-spam statute. However, the court affirmed that Power Ventures did violate an anti-hacking law when it tried to circumvent Facebook’s IP block several years ago as part of a promotional campaign.
A lower court had previously ruled in favor of Facebook, which brought the original case against Power Ventures and its Power.com website and issued an award of $3 million to the social network giant. Power Ventures then appealed that up to the 9th Circuit Court of Appeals. On Tuesday, the appellate court sent the case back down to the District Court for further consideration and a likely reduction of damages.

As Ars reported last year, the case, Facebook v. Power Ventures, revolves around a site known as Power.com, which had tried to be a one-stop shop for social networking—its users could post to Facebook and other sites all in one place.

As part of a promo campaign, Power Ventures offered its customers the chance to win $100 for inviting 100 friends to join. To promote this offer, Power Ventures sent messages through Facebook that came from @ facebookmail.com and appeared to come from "The Facebook Team," giving the impression that the messages had come from Facebook itself. Facebook attempted to block this activity through an IP block, which Power Ventures circumvented. When Power Ventures ignored Facebook’s requests to cease and desist, Facebook then filed a lawsuit in 2008.

In 2011, computer experts testified that "the Defendants developed the PowerScript system and PowerProxy system to scrape information from Facebook, proxy the Facebook website and avoid detection when engaged in such activities. In addition, our analysis shows how Defendants’ programmed access initiated actions that resulted in unwanted commercial ‘spam’ messages being sent to Facebook users soliciting them to join Power.com."

In its 23-page decision, the 9th Circuit found that because Power users affirmatively clicked a button (“Yes I do!”) that Power had the power to share its promotion through event invitations.

“On this record, Power did not use false pretenses or fraudulent representations to obtain users’ consent,” the court ruled. “Therefore, the external messages were not materially misleading within the meaning of the CAN-SPAM Act.”

However, once Facebook had told Power to stop its sketchy behavior, Power was liable under the Computer Fraud and Abuse Act, an anti-hacking law that dates back to the 1980s.

The court explained it this way:

The consent that Power had received from Facebook users was not sufficient to grant continuing authorization to access Facebook’s computers after Facebook’s express revocation of permission. An analogy from the physical world may help to illustrate why this is so. Suppose that a person wants to borrow a friend’s jewelry that is held in a safe deposit box at a bank. The friend gives permission for the person to access the safe deposit box and lends him a key. Upon receiving the key, though, the person decides to visit the bank while carrying a shotgun. The bank ejects the person from its premises and bans his reentry. The gun-toting jewelry borrower could not then reenter the bank, claiming that access to the safe deposit box gave him authority to stride about the bank’s property while armed. In other words, to access the safe deposit box, the person needs permission both from his friend (who controls access to the safe) and from the bank (which controls access to its premises). Similarly, for Power to continue its campaign using Facebook’s computers, it needed authorization both from individual Facebook users (who controlled their data and personal pages) and from Facebook (which stored this data on its physical servers). Permission from the users alone was not sufficient to constitute authorization after Facebook issued the cease and desist letter.

The court also affirmed the personal liability of former Power Ventures CEO Steve Vachani, as he "was the guiding spirit and central figure in Power’s challenged actions." The case will now be sent back to the lower court to adjudicate new damages.