Facebook, Inc. v. Power Ventures, Inc.

Filing 83

Brief of Amicus Curiae in Support of Defendant Power Ventures' 62 Motion for Summary Judgment on Cal. Penal Code 502(c) filed by Electronic Frontier Foundation. (Cohn, Cindy) (Filed on 6/21/2010) Modified on 6/22/2010,(counsel failed to properly link to motion.) (cv, COURT STAFF).

Download PDF
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 CINDY A. COHN (California Bar No. 145997) cindy@eff.org JENNIFER STISA GRANICK (California Bar No. 168423) jennifer@eff.org MARCIA HOFMANN (California Bar No. 250087) marcia@eff.org ELECTRONIC FRONTIER FOUNDATION 454 Shotwell Street San Francisco, CA 94110 Telephone: (415) 436-9333 x134 Fax: (415) 436-9993 (fax) Attorneys for Amicus Curiae Electronic Frontier Foundation UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF CALIFORNIA SAN JOSE DIVISION FACEBOOK, Plaintiff, v. POWER VENTURES, Defendant. ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) Case No. 5:08-cv-05780 JW BRIEF OF AMICUS CURIAE ELECTRONIC FRONTIER FOUNDATION IN SUPPORT OF DEFENDANT POWER VENTURES' MOTION FOR SUMMARY JUDGMENT ON CAL. PENAL CODE 502(C) Date: June 7, 2010 Time: 1:30 p.m. Dep't: Hon. Judge James Ware Case No. 5:08-cv-05780 JW BRIEF OF AMICUS CURIAE a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 TABLE OF CONTENTS TABLE OF AUTHORITIES.......................................................................................................... ii STATEMENT OF INTEREST OF AMICUS CURIAE................................................................... 1 I. INTRODUCTION AND FACTS............................................................................................. 2 A. Summary Of The Argument .............................................................................................. 2 B. Facebook's Service ........................................................................................................... 3 C. Power's Service ................................................................................................................ 5 D. Facebook's IP Blocking Effort .......................................................................................... 5 E. Facebook's Section 502(c) Claims .................................................................................... 6 II. FACEBOOK USERS WHO CHOOSE TO USE "AUTOMATED MEANS" TO GAIN ACCESS TO THEIR OWN INFORMATION IN CONTRAVENTION OF THE FACEBOOK TERMS OF SERVICE DO NOT VIOLATE CRIMINAL LAW. ..................... 8 A. Section 502(c) Does Not Criminalize Power's Enabling A User To Gain Otherwise Permitted Access to Her Own Data, Even Through Unapproved Means. ........................... 9 B. Section 502(c)'s Federal Corollary, The Computer Fraud And Abuse Act, Prohibits Trespass And Theft, Not Mere Violations Of Terms Of Use............................................ 12 III. IMPOSING CRIMINAL LIABILITY BASED ON TERMS OF SERVICE OR CEASE AND DESIST LETTERS WOULD BE AN EXTRAORDINARY AND DANGEROUS EXTENSION OF CRIMINAL LAW................................................................................... 16 IV. EVASION OF A TECHNOLOGICAL MEASURE PUT IN PLACE TO ENCOURAGE COMPLIANCE WITH TERMS OF SERVICE OR CEASE AND DESIST LETTERS, WITHOUT MORE, DOES NOT INCUR CRIMINAL LIABILITY .................................... 19 A. IP Address Allocation ..................................................................................................... 20 B. IP Address Blocking ....................................................................................................... 22 C. Avoiding Blocking.......................................................................................................... 22 D. Application to This Case ................................................................................................. 23 V. THE RULE OF LENITY REQUIRES THIS COURT TO INTERPRET CRIMINAL LAWS, INCLUDING SECTION 502(C), NARROWLY.................................................................. 24 VI. IMPOSING CRIMINAL LIABILITY IN THIS CASE WOULD CREATE A RULE THAT HOBBLES USER CHOICE, COMPETITION, AND INNOVATION................................. 28 VII. CONCLUSION ................................................................................................................... 31 Case No. 5:08-cv-05780 JW BRIEF OF AMICUS CURIAE i a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 CASES TABLE OF AUTHORITIES Brett Senior & Assocs., P.C. v. Fitzgerald, 2007 WL 2043377 (E.D. Pa. July 13, 2007)............... 15 Chrisman v. City of Los Angeles, 155 Cal. App. 4th 29 (2007) ............................................... 10, 11 City of Chicago v. Morales, 527 U.S. 41 (1999)..................................................................... 25, 26 Coates v. City of Cincinnati, 402 U.S. 611 (1971) ........................................................................ 27 Diamond Power Int'l, Inc. v. Davidson, 540 F. Supp. 2d 1322 (N.D. Ga. 2007) ..................... 13, 14 eBay, Inc. v. Bidder's Edge, Inc., 100 F. Supp. 2d 1058 (N.D. Cal. 2000) .................................... 11 Educ'al Testing Service v. Stanley H. Kaplan, Educ'al Ctr., Ltd., 965 F. Supp. 731 (D. Md. 1997) ................................................................................................................................................ 13 Facebook, Inc. v. ConnectU LLC, 489 F. Supp. 2d 1087 (N.D. Cal. 2007) ............................. 11, 12 Foti v. City of Menlo Park, 146 F.3d 629 (9th Cir. 1998) ............................................................. 26 Grayned v. Rockford, 408 U.S. 104 (1972)................................................................................... 25 Hanger Prosthetics & Orthotics, Inc. v. Capstone Orthopedic, Inc., 556 F. Supp. 2d 1122 (E.D. Cal. 2008) ................................................................................................................................ 12 In re Apple & AT&T Mobility Antitrust Litigation, 596 F. Supp. 2d 1288 (N.D. Cal. 2008).......... 12 Int'l Ass'n of Machinists and Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479 (D.Md. 2005) ............................................................................................................................ 12, 13, 14 Intel v. Hamidi, 30 Cal. 4th 1342 (2003) ...................................................................................... 11 International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006).................................. 14 Leocal v. Ashcroft, 543 U.S. 1 (2004)........................................................................................... 24 Lockheed Martin Corp. v. Speed, 2006 WL 2683058 (M.D. Fla. Aug. 1, 2006)............................ 15 LVRC Holdings, LCC v. Brekka, 581 F.3d 1127 (9th Cir. 2009)............................................. 14, 15 Mahru v. Superior Court, 191 Cal. App. 3d 545 (1987) ........................................................... 9, 11 Nunez v. City of San Diego, 114 F.3d 935 (9th Cir. 1997) ............................................................ 26 People v. Lawton, 48 Cal. App. 4th Supp. 11 (1996) .................................................................... 10 Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238 (S.D.N.Y. 2000), aff'd in part as modified, 356 F.3d 393 (2d Cir. 2004) ..................................................................................................... 18 Shamrock Foods v. Gast, 535 F. Supp. 2d 962 (D.Ariz. 2008)...................................................... 14 Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. Case No. 5:08-cv-05780 JW BRIEF OF AMICUS CURIAE ii a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 2000) ................................................................................................................................. 15, 16 United States v. Batchelder, 442 U.S. 114 (1979)......................................................................... 25 United States v. Carr, 513 F.3d 1164 (9th Cir. 2008) ................................................................... 15 United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009) .............................................................. 25 United States v. Nosal, 1020 WL 934257 (N.D.Cal. January 6, 2010) .......................................... 15 United States v. Sutcliffe, 505 F.3d 944 (9th Cir. 2007) ................................................................ 26 Zadvydas v. Davis, 533 U.S. 678 (2001) ...................................................................................... 27 STATUTES 18 U.S.C. § 1030....................................................................................................................passim 18 U.S.C. § 1030(a)(2)................................................................................................................. 14 18 U.S.C. § 1030(a)(4)................................................................................................................. 14 18 U.S.C. § 1030(e)(6)................................................................................................................. 15 18 U.S.C. § 2701(a) ..................................................................................................................... 13 California Penal Code § 502(c) ..............................................................................................passim OTHER AUTHORITIES Mark A. Lemley, Terms of Use, 91 Minn. L. Rev. 459 (2006)...................................................... 18 Orin S. Kerr, Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596 (2003)............................................................................ 26, 27 Orin S. Kerr, Vagueness Challenges to the Computer Fraud and Abuse Act, Minnesota Law Review (Forthcoming 2010) available at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=152718727 Restatement (Second) of Agency, §112 (1958) ............................................................................ 15 Case No. 5:08-cv-05780 JW BRIEF OF AMICUS CURIAE iii a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 STATEMENT OF INTEREST OF AMICUS CURIAE Amicus Electronic Frontier Foundation's interest in this case is the sound and principled interpretation and application of the California computer crime statute, California Penal Code § 502(c). Amicus believes that this brief may assist the Court in its consideration of consumer interests in this matter, as well as the proper scope of section 502(c). Electronic Frontier Foundation ("EFF") is a non-profit, member-supported digital civil liberties organization. As part of its mission, EFF has served as counsel or amicus in key cases addressing user rights to free speech, privacy, and innovation as applied to the Internet and other new technologies. With more than 14,000 dues-paying members, EFF represents the interests of technology users in both court cases and in broader policy debates surrounding the application of law in the digital age, and publishes a comprehensive archive of digital civil liberties information at one of the most linked-to web sites in the world, www.eff.org. Case No. 5:08-cv-05780 JW BRIEF OF AMICUS CURIAE 1 a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 I. INTRODUCTION AND FACTS A. Summary Of The Argument Power Ventures sought to provide Facebook users with a tool that could, at the users' direction, aggregate their Facebook inbox messages, friend lists and other data with messages and lists from other social networks the individual patronizes, such as Orkut or LinkedIn. Power's product allowed Facebook users to view all of their different social network data in one place. Facebook users benefited from the choice Power offered them in how to access and use their social network data across several different social networks. Facebook argues that by offering these enhanced services to users, Power violated California's computer crime law. It grounds its claim in the fact that Facebook's terms of service prohibit a user from having automated access to a user's own information and that Power continued to offer the service to Facebook users even after Facebook sent Power a cease and desist letter. Facebook further grounds its claim that Power violated criminal law on Power's decision to continue to provide its service to users even after Facebook implemented a simple measure, Internet Protocol address blocking, to stop Power's tool from working for Facebook users. Amicus believes that merely providing a tool to assist an authorized user in accessing his or her own data in a novel manner cannot and should not form the basis for criminal liability. To hold otherwise, as Facebook urges this Court to do, will create a massive expansion of the scope of California criminal law, hinging liability on arbitrary and often confusing terms chosen by websites in the contracts of adhesion they present to users or in their cease and desist letters, thus giving these private parties immense power to decide when criminal liability attaches. This creates both legal uncertainty and the risk of capricious enforcement. These problems are not mitigated simply by looking to whether the server owner adopted, and the user evaded, some technological barrier. The IP blocking used by Facebook here was a crude attempt to enforce its choice of means by which authorized users could access the website; it was not aimed at distinguishing between authorized and unauthorized users. Power's efforts to ensure that Facebook's authorized users could continue to access their own data on Facebook's Case No. 5:08-cv-05780 JW BRIEF OF AMICUS CURIAE 2 a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 servers despite Facebook's attempts to control the means of access should not trigger criminal liability. Imposing such sanctions here will also hobble user choice and interfere with follow-on innovation, in part by creating a barrier to Facebook users who wish to move their data from Facebook to a competing service. Perhaps the most important fact in this case is that Power's servers only connect with Facebook servers at the behest of a Facebook user, who must provide her own valid username and password to obtain access to Facebook and her own social networking data. Power did not connect to Facebook except as an agent of an authorized user. automation, despite Facebook's terms of service. It is true that the user is choosing While users who choose services such as Power's may breach Facebook's terms of use (if those terms are otherwise enforceable), breaches of these sorts of private contracts should not become criminal conduct, for either the user or for the provider of the automation tool. This is especially the case when Facebook has breach of contract remedies available to it, including termination of a misbehaving user's credentials. Were Facebook's proposed construction of section 502(c) in this case correct, millions of otherwise innocent Internet users are violating criminal law through routine online behavior. Furthermore, allowing a private party to define criminal conduct puts far too much power in the hands of business entities that are not necessarily acting in the public interest. For these reasons, amicus urges the Court to grant summary judgment in favor of Power on Facebook's section 502(c) claims. B. Facebook's Service Social networks are Internet-based services that enable individuals to share their personal information and to communicate with friends, family and acquaintances. Facebook, like other social networks, allows its users to store their own information on Facebook's servers using Facebook's web interface for uploading and viewing the information. The tools allow Facebook users to make lists of friends, publish status updates, post photographs, and create common interest groups.1 1 Facebook Factsheet, http://www.facebook.com/press/info.php?factsheet (last visited Apr. 30, 2010). BRIEF OF AMICUS CURIAE Case No. 5:08-cv-05780 JW 3 a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 9 5 6 7 8 4 Facebook has been wildly successful at acquiring users. The service claimed over 400 million active users2 and 134 million unique visitors in the month of January 2010 alone.3 In February 2010, Facebook had 49.62% of the US market share of visits to social-networking websites and forums.4 In March 2010, Facebook was the single most visited website in the United States.5 Facebook reports that people spend over 500 billion minutes per month on the service.6 By the company's CEO's favored measure of success, if Facebook were a country it would be the third largest in the world.7 Importantly, Facebook users own the information they store with the company. company's terms of service confirm this and it is not subject to dispute here.8 The Moreover, ownership and control are extremely important to Facebook users, as the company learned in February of 2009 when it modified its terms of use to give Facebook the right to continue to use content indefinitely even after a user attempted to delete it or leave the service altogether. After a huge outcry, the company backpedaled, and reinstituted the old terms that allowed users to delete their content from the site.9 2 3 Facebook Statistics, http://www.facebook.com/press/info.php?statistics (last visited Apr. 30, 2010.) Aaron Prebluda, We're Number Two! Facebook Moves Up One Big Spot in the Charts (Feb. 17, 2010), http://blog.compete.com/2010/02/17/we%25e2%2580%2599re-number-two-facebookmoves-up-one-big-spot-in-the-charts/. Marketing Charts, Top 10 Social-Networking Websites & Forums (Feb. 2010), http://www.marketingcharts.com/interactive/top-10-social-networking-websites-forumsfebruary-2010-12248/. Heather Dougherty, Facebook Reaches Top Ranking in US (March 15, 2010), http://weblogs.hitwise.com/heather-dougherty/2010/03/facebook_reaches_top_ranking_i.html. Facebook Statistics, supra, note 2. John D. Sutter, Facebook Gives Itself a Birthday Face-Lift (Feb. 5, 2010), http://www.cnn.com/2010/TECH/02/05/facebook.birthday/index.html. Facebook's Statement of Rights and Responsibilities confirms: "You own all of the content and information you post on Facebook" and "[f]or content that is covered by intellectual property rights, like photos and videos ("IP content"), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sublicensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook ("IP License"). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it." Facebook Statement of Rights and Responsibilities § 2 (Apr. 22, 2010), http://www.facebook.com/facebook?ref=pf#!/terms.php?ref=pf. Bill Meyer, Facebook Data-Retention Changes Spark Protest (Feb. 17, 2010), BRIEF OF AMICUS CURIAE Case No. 5:08-cv-05780 JW 4 a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 10 As part of its business model, Facebook has also steadily increased the amount of information about its users and their activities it offers to third parties. Facebook has an Application Programming Interface, or API, through which third parties can see the information and activities of Facebook's users. Through controversial changes to its terms of service and the functionality of its API, Facebook now offers to certain third parties and advertisers as much information about any particular user and his or her friends as that user personally could have accessed using Power's service.10 Thus, by continuing to press for Power to be liable under criminal law, Facebook's actions appear to be aimed not at protecting users from the sharing of their information with third parties, but at ensuring Facebook's own control (and the corresponding ability to monetize) user information, even against the users themselves. C. Power's Service Power's service allows individuals with valid accounts on social networks to aggregate their information stored with each service, giving them the ability to view their data and friend lists, as well as other information, across multiple services on a single screen. The user can then click through the Power interface to go to any of her social networks and thereafter interact with them through that network's user interface. Power's service is a follow-on innovation to social networking platforms, giving the user more options to view her own information posted to such services. For instance, Power's service allows a user to see all of her friends and contacts in a single list, regardless of which social networks they use. Power also offers the user a tool by which she can easily export her information from social networks into a spreadsheet format, thus aiding users who might want to move their information from one social network to another. Power stopped providing its service to Facebook users at some point during this legal dispute. D. Facebook's IP Blocking Effort In December 2008, Facebook and Power conferred about Power's implementation of user http://www.cleveland.com/nation/index.ssf/2009/02/facebook_dataretention_changes.html. See, e.g., Erick Schonfeld, Microsoft Taps Into Facebook's Open Graph to Launch Docs.com (Apr. 21, 2010), http://www.washingtonpost.com/wpdyn/content/article/2010/04/21/AR2010042103128.html; Matt Rosoff, Pandora and Facebook Get Social Music Right (Apr. 22, 2010), http://news.cnet.com/8301-13526_3-20003210-27.html. BRIEF OF AMICUS CURIAE Case No. 5:08-cv-05780 JW 5 a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 access to Facebook accounts. Apparently Facebook wanted Power to use Facebook's API rather than connect a user directly to her account information so that Facebook would have more control over how stored data was accessed and manipulated, but Power felt that the API did not allow the full functionality Power wanted to bring to its customers.11 During these negotiations, Facebook blocked the Internet Protocol (IP) address of Power's server, "so that users attempting to access their Facebook accounts through Power's browser would be denied access." Declaration of Steve Vachani ISO Power's Opp. to Mot. for J. On The Pleadings or Partial Summ. J. at ¶ 9, Dkt. 65; see also Exhibit A to Declaration of Julio C. Avalos ISO Facebook's Mot. for J. on the Pleadings or In The Alternative Partial Summ. J., Dkt. 57. As described in detail below, IP blocking is simply a method of preventing a computer with one IP address from connecting to another. This technique has no bearing on computers associated with any other IP address or individual users who connect to the Internet using different machines or access points. If the person originally using the blocked IP address changes to a different IP address for any reason, the block will not affect her any longer. Facebook does not claim that Power disabled its IP blocking, or did any damage to Facebook's servers, but merely that the company changed IP addresses so that its servers would not be blocked and Power users could continue to choose to access their Facebook accounts through the Power interface. Compl. ¶ 58-59. E. Facebook's Section 502(c) Claims Facebook's argument that Power has violated California Penal Code section 502(c) is based on three elements: (1) that the network's terms of service prohibit automated access to a user's information, (2) that the network sent Power a cease and desist letter demanding that it stop providing its service to users, and (3) that Power continued to find ways to provide access to users even after Facebook implemented IP blocking to keep Power from accessing its servers.12 11 25 26 27 28 Amicus expresses no preference between the two sides of this debate. Facebook may have valid reasons for wanting application developers to go through its API, and Power and its users may have valid reasons for wanting the ability to exercise more control over users' data. Two businesses can have valid but competing views about which tools will be valuable to their user bases, which is another reason why applying criminal liability is wholly inappropriate in these kinds of disputes. 12 While avoiding IP blocking does not appear from the papers to be a separate basis for Case No. 5:08-cv-05780 JW BRIEF OF AMICUS CURIAE 6 a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 First, Facebook relies on two of its terms of service that provide: 3.2. You will not collect users' content or information, or otherwise access Facebook, using automated means (such as harvesting bots, robots, spiders, or scrapers) without our permission. and 3.5. You will not solicit login information or access an account belonging to someone else.13 Facebook's Complaint asserts that Power: 43. "use[s] other users' accounts to access Facebook's computer systems," ... 49. "use[s] automated scripts to collect information from or otherwise interact with the |Facebook's website or to access Facebook's computers for the purpose of scraping user data from Facebook and displaying it on Power.com. Power's liability theoretically derives from giving a Facebook user the choice of using an automated tool contrary to the terms of service. In other words, Facebook claims that Power commits a crime when Facebook users choose to use Power's tool, or any other tool, to automatically access the information they store with Facebook. See Facebook's Mot. for J. on the Pleadings or In The Alternative Partial Summ. J., Dkt. 56 (hereinafter "Facebook's MJOP") at 6 ("Power's actions were indisputably without permission because they exceeded the terms of use."). Importantly, while individuals were not sued here, under Facebook's theory the users also commit a crime when they use Power's service, or any other automated means, to access their Facebook accounts since that also violates Facebook's the terms of service. Second, Facebook claims that Power independently violated criminal law when it continued to provide its service even after Facebook implemented IP blocking and sent Power a cease and desist letter asking it to stop allowing Facebook users to access their data through Power. See Facebook Reply ISO Mot. For J. On The Pleadings or Partial Summ. J. and Opp. To Mot. for Summ. J., Dkt. 66 (hereinafter "Facebook Reply"), at 5-6 ("[O]n December 1, 2008 Facebook notified Power that `Power.com's access of Facebook's website and servers was unauthorized and Facebook's section 502(c) claim, see Facebook Reply at 5-6, at the June 7, 2010 hearing on these motions, it became clear that this evasion was at least one factor the company offered in support of the claim. 13 Facebook Statement of Rights and Responsibilities, supra, note 8. Case No. 5:08-cv-05780 JW BRIEF OF AMICUS CURIAE 7 a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 violated Facebook's rights.'"). II. FACEBOOK USERS WHO CHOOSE TO USE "AUTOMATED MEANS" TO GAIN ACCESS TO THEIR OWN INFORMATION IN CONTRAVENTION OF THE FACEBOOK TERMS OF SERVICE DO NOT VIOLATE CRIMINAL LAW. When a person is authorized to access certain information, as Facebook users unquestionably are here, mere use of an unapproved technology to access that information cannot constitute a criminal act under California Penal Code section 502(c). The plain language of section 502 prohibits access to computers or information that the user does not have permission to access; it does not prohibit all undesirable uses of computers or information that the user is authorized to obtain. In other words, Section 502 punishes unauthorized access or use of information, but generally not authorized access through unapproved means.14 Moreover, section 502(c)'s federal corollary, the Computer Fraud and Abuse Act (CFAA), has the same limitation. Facebook users have the authority to access and use their own information stored with Facebook, so under either statute they commit no crime when they do exactly that through automated or other disfavored means. Adoption of Facebook's argument here -- that otherwise lawful access is criminal if it is accomplished contrary to any of Facebook's policies or claims in a cease and desist letter -- would create absurd results. For example, as described in more detail in Section III, infra, since Facebook requires users to keep their contact information current and to use accurate information, someone who lies about her age or fails to update her current city after a move would violate criminal law. Even closer to the facts here, Facebook's prohibition on all "automated means" of access could make it criminal for a user to take advantage of the universal web browser feature that stores login information and automatically logs users in to various websites, if she uses that feature to access her Facebook account. Even if the Court agrees that Facebook can contractually prevent users from using automation technology to assist them in accessing their own information, such violations should amount, at most, to breaches of contract. 14 Of course, providing a means of access that disrupts access to Facebook's servers would violate sections 502(c)(5) and (6). BRIEF OF AMICUS CURIAE Case No. 5:08-cv-05780 JW 8 a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 A. Section 502(c) Does Not Criminalize Power's Enabling A User To Gain Otherwise Permitted Access to Her Own Data, Even Through Unapproved Means. Power provides a tool that allows users to access and manipulate their own data stored with Facebook. Facebook users have permission to access their data -- which they undisputedly own -and Power does not allow users access to any additional information, like other users' passwords or Facebook's proprietary data, beyond what each individual Facebook user is entitled to access. Power's service acts solely with the user's permission, at the user's behest and in the user's interest. Section 502(c) penalizes one who, in relevant part: (1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data. (2) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network. (3) Knowingly and without permission uses or causes to be used computer services. (4) Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network. ... (7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network. (Emphasis added). None of the sparse case law arising from section 502(c) supports its extension to authorized userdirected access, such as Power's conduct here. To the contrary, courts have rejected the application of section 502(c) to criminalize the behavior of persons who have permission to access a computer or computer system and the data stored there, but who use that access to do things that violate the rules applicable to the system. Courts have so held even when there is undisputed damage or disruption of services resulting from the access, which is not the situation here. For instance, in Mahru v. Superior Court, 191 Cal. App. 3d 545, 549 (1987), the court rejected the application of section 502(c)(4) to a director of a data processing company who, in a Case No. 5:08-cv-05780 JW BRIEF OF AMICUS CURIAE 9 a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 dispute over the termination of a service contract with a customer, had instructed his employee to alter the names of certain files on a system the company operated on behalf of the customer, a credit union. Despite finding that the director had actually disrupted the operation of the computer system, and that he had done so maliciously, the court held that section 502(c) was not applicable because the data processor had full rights to access the computer. "Section 502(c) cannot be properly construed to make it a public offense for an employee, with his employer's approval, to operate the employer's computer in the course of the employer's business in a way that inconveniences or annoys or inflicts expense on another person." Id. Similarly, in Chrisman v. City of Los Angeles, the court rejected application of section 502 to a police officer who had violated police procedures by accessing the police computer system for purposes unrelated to work, such as searching information about celebrities. 155 Cal. App. 4th 29, 32 (2007). The court found that the officer had engaged in professional misconduct but was not guilty of criminal unauthorized access. Id. at 34-35. The key difference was that the officer was authorized to access the police computer system, even though his particular purpose in doing so was clearly unauthorized. Id. Thus, "appellant's computer queries seeking information that the department's computer system was designed to provide to officers was misconduct if he had no legitimate purpose for that information, but it was not hacking the computer's `logical, arithmetical, or memory function resources,' as appellant was entitled to access those resources." Id. The court in Chrisman distinguished the police officer's behavior from that of the defendant in People v. Lawton, 48 Cal. App. 4th Supp. 11, 15 (1996). In Lawton, the defendant was a member of the public who used computer terminals at the local library to display employee passwords and other information not accessible to patrons. That defendant, the Chrisman court said, had accessed the computer "to `bypass security and penetrate levels of software not open to the public,' and his offense lay in such bypassing and penetration." 155 Cal. App. 4th at 35 (quoting Lawton, 48 Cal. App. 4th Supp. 11, 12 (1996)). By contrast, the police officer in Chrisman merely "used [the police computer system] to get information to which he was entitled when performing his job, but retrieved it for non-work-related reasons." Id. As a result, section Case No. 5:08-cv-05780 JW BRIEF OF AMICUS CURIAE 10 a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 502(c) did not apply. As in Mahru and Chrisman, the access challenged here is by authorized users, who are permitted to access Facebook computers to obtain or manipulate their own data stored there, albeit by directing their queries through the Power browser. Power does not give any user -- or itself -access to information other than what she is already allowed to access as a Facebook user. Facebook may not like the means the users choose to employ, or users' purpose in aggregating their Facebook information with information stored with other social networks. Facebook may even terminate such users' accounts under its terms of use. But so long as Power and its users only access information they are already allowed to access and do not misuse that data, no computer crime is committed. This conclusion is especially true here, where there was no harm to Facebook's servers as a result of Power's provision of service. See, e.g., Intel v. Hamidi, 30 Cal. 4th 1342, 1348 (2003) (former employee who sent mass emails to former colleagues on employer's email system not liable for trespass to chattels because the "tort ... may not, in California, be proved without evidence of an injury to the plaintiff's personal property or legal interest" and the claimed injury was disruption or distraction caused to recipients by the contents of the e-mail message, not impairment to the functioning of the computer system.).15 Unlike the defendant in Facebook, Inc. v. ConnectU LLC, 489 F. Supp. 2d 1087 (N.D. Cal. 2007), Power's service only accesses the user's own information and only makes use of that information as the user herself directs. In contrast, ConnectU accessed Facebook user accounts for the purpose of automated collection of a large number of email addresses of non-ConnectU customers, so that the company could send unsolicited commercial email to those persons and try to get them to sign up for ConnectU's service. Id. at 1089. In other words, ConnectU accessed 15 In eBay, Inc. v. Bidder's Edge, Inc., 100 F. Supp. 2d 1058, 1066 (N.D. Cal. 2000), the Court did allow a preliminary injunction on a trespass claim against an auction aggregator based on concern that denial of preliminary injunctive relief would encourage an increase in the disputed activity, and such an increase would present a strong likelihood of irreparable harm. Unlike the situation here, Bidder's Edge aggregated information from eBay without user consent and the court's analysis turned on the likely future actual harm to eBay's servers, which is not demonstrated here; yet even without those key differences amicus submits that Hamidi is the better reasoned analysis. BRIEF OF AMICUS CURIAE Case No. 5:08-cv-05780 JW 11 a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 email addresses and other information from Facebook users who had not given that company permission to do so, and used that information for their own commercial purposes. In rejecting ConnectU's argument that section 502(c) does not prevent access to Facebook users' email addresses because those customers made them available on Facebook, the court found that Facebook users are "entitled to disclose their email addresses for selective purposes," which presumably did not include receiving commercial solicitations from ConnectU. Id. at 1091 n.5. Here, in contrast, Power's tool is controlled by and serves Facebook's users, not Power. It allows a Facebook user to access her own information and only manipulates that information as the user desires. Facebook's attempts to extend ConnectU to this case, where users are choosing to access their own data through a third party automated service like Power's, should fail. Power's users are authorized Facebook users accessing their own data, which they have full permission to access. When Power's service accesses that data at the user's behest, Power violates no law and commits no crime. B. Section 502(c)'s Federal Corollary, The Computer Fraud And Abuse Act, Prohibits Trespass And Theft, Not Mere Violations Of Terms Of Use. Courts interpreting section 502(c) have looked to the federal corollary, the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 ("CFAA") for guidance. See e.g. Hanger Prosthetics & Orthotics, Inc. v. Capstone Orthopedic, Inc., 556 F. Supp. 2d 1122, 1131-32 (E.D. Cal. 2008) (Because section 502(c) "has similar elements to § 1030" and both parties had "incorporate[d] by reference their arguments regarding § 502 into the arguments regarding § 1030," the court considered the two claims in tandem); In re Apple & AT&T Mobility Antitrust Litigation, 596 F. Supp. 2d 1288, 1309 (N.D. Cal. 2008) (Court's decision on section 502(c) relied on the exact same "reasons discussed in those prior sections" about the plaintiffs' section 1030 claims). The most recent cases interpreting the CFAA have held that if a user is authorized to access a computer and information stored there, doing so is not criminal, even if that access is in violation of a contractual agreement or non-negotiated terms of use. For example, in Int'l Ass'n of Machinists and Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479 (D. Md. 2005), the plaintiff argued that the defendant, a union officer, exceeded her authorization to use the union 12 Case No. 5:08-cv-05780 JW BRIEF OF AMICUS CURIAE a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 computer when she violated the terms of use to access a membership list with the purpose to send it to a rival union, and not for legitimate union business. Id. at 495-96. The defendant had signed an agreement promising that she would not access union computers "contrary to the policies and procedures of the [union] Constitution." Id. The court rejected the application of section 1030, holding that even if the defendant breached a contract, that breach of a promise not to use information stored on union computers in a particular way did not mean her access to that information was unauthorized or criminal: Thus, to the extent that Werner-Masuda may have breached the Registration Agreement by using the information obtained for purposes contrary to the policies established by the [union] Constitution, it does not follow, as a matter of law, that she was not authorized to access the information, or that she did so in excess of her authorization in violation of the [Stored Communications Act] or the CFAA. . . . Although Plaintiff may characterize it as so, the gravamen of its complaint is not so much that Werner-Masuda improperly accessed the information contained in VLodge, but rather what she did with the information once she obtained it. . . . Nor do [the] terms [of the Stored Communications Act and the CFAA] proscribe authorized access for unauthorized or illegitimate purposes. Id. at 499 (citations omitted).16 Subsequent cases have followed the reasoning of Werner-Masuda based on either plain language or legislative history. In Diamond Power Int'l, Inc. v. Davidson, 540 F. Supp. 2d 1322 (N.D. Ga. 2007), the court similarly rejected a CFAA claim against an employee who violated an employment agreement by using his access to his employer's computer system to steal data for a competitor. The defendant had transferred information from password-protected computer drives to his new employer while still employed with the former company, in violation of a confidentiality agreement. Id. at 1327-31. Identifying the narrower interpretation of "exceeding authorized access" as "the more reasoned view," the court held that "a violation for accessing `without authorization' 16 The Werner-Masuda court similarly interpreted the same language in the Stored Communications Act, 18 U.S.C. § 2701(a) ("SCA"). It found that the SCA "prohibit[s] only unauthorized access and not the misappropriation or disclosure of information." It continued: "there is no violation of section 2701 for a person with authorized access to the database no matter how malicious or larcenous his intended use of that access." (quoting Educ'al Testing Service v. Stanley H. Kaplan, Educ'al Ctr., Ltd., 965 F. Supp. 731, 740 (D. Md. 1997) ("[I]t appears evident that the sort of trespasses to which the [SCA] applies are those in which the trespasser gains access to information to which he is not entitled to see, not those in which the trespasser uses the information in an unauthorized way"). Werner-Masuda, 390 F. Supp. 2d at 496. BRIEF OF AMICUS CURIAE Case No. 5:08-cv-05780 JW 13 a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 occurs only where initial access is not permitted. Further, a violation for `exceeding authorized access' occurs where initial access is permitted but the access of certain information is not permitted." Id. at 1343. In Shamrock Foods v. Gast, 535 F. Supp. 2d 962 (D. Ariz. 2008), the court relied on Davidson and Werner-Masuda to hold that the defendant did not access the information at issue "without authorization" or in a manner that "exceed[ed] authorized access." Id. at 968. The defendant had an employee account on the computer he used at his employer, Shamrock, and was permitted to view the specific files he allegedly emailed to himself. The CFAA did not apply, even though the emailing was for the improper purpose of benefiting himself and a rival company in violation of the defendant's Confidentiality Agreement. In LVRC Holdings, LCC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), the defendant was a marketing contractor for a residential treatment center for addicts. While so employed, and during negotiations for Brekka to take an ownership interest in the facility, he emailed several of the facilities' files to himself. Id. at 1130. Subsequently, after the talks had terminated unsuccessfully and Brekka was no longer working for the facility, he used his login information to access the center's website statistics system. Id. The company discovered his access, disabled the account and sued Brekka, alleging that he violated 18 U.S.C. §§ 1030(a)(2) and (a)(4) by emailing files to himself for competitive purposes and for accessing the statistics website. Id. The Ninth Circuit upheld summary judgment in favor of Brekka. "For purposes of the CFAA, when an employer authorizes an employee to use a company computer subject to certain limitations, the employee remains authorized to use the computer even if the employee violates those limitations." Id. at 1133. In other words, "[a] person uses a computer `without authorization' under [section 1030(a)(4) only] when the person has not received the permission to use the computer for any purpose (such as when a hacker accesses someone's computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway." Id. at 1135. The plaintiff in Brekka had pointed to the Seventh Circuit case of International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), arguing that an employee can lose Case No. 5:08-cv-05780 JW BRIEF OF AMICUS CURIAE 14 a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 authorization to use a company computer when the employee resolves to act contrary to the employer's interest. The Ninth Circuit explicitly rejected that interpretation because section 1030 is first and foremost a criminal statute that must have limited reach and clear parameters under the rule of lenity and to comply with the void for vagueness doctrine. Brekka, 581 F. 3d at 1134, citing United States v. Carr, 513 F.3d 1164, 1168 (9th Cir. 2008). As described further in Section IV, infra, section 502(c) is also a criminal statute and must be narrowly drawn for the same reason. Following the decision in Brekka, Judge Patel of this Court reconsidered her earlier ruling applying section 1030 in United States v. Nosal, 2010 WL 934257 (N.D. Cal. Jan. 6, 2010). The court reversed itself, holding that no CFAA violation occurred when co-conspirators employed with an executive search placement firm accessed and downloaded firm trade secrets because those co-conspirators were at the time both employed and permitted to access the firm database "in the form of valid, non-rescinded usernames and passwords." Id. at *6. The Court further held that neither Nosal's employment agreement, nor an express policy Nosal and his co-conspirators signed indicating that the accessed material was proprietary, nor a notice stating that the computer system and information therein were confidential, altered the result. Rather, "[a]n individual only "exceeds authorized access" if he has permission to access a portion of the computer system but uses that access to "obtain or alter information in the computer that [he or she] is not entitled so to obtain or alter." Id. at *7, citing 18 U.S.C. § 1030(e)(6) (emphasis in original).17 The cases discussed above contrast with and reject earlier decisions, most importantly Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000), which Facebook cites in support of its Motion. Facebook MJOP at 8. In Shurgard, the district court denied a motion to dismiss a CFAA claim brought by an employee who took employer information from the computer system with him to his next job. Id. at 1129. The court relied on the Restatement (Second) of Agency, § 112 (1958), to hold that when the plaintiff's former employees accepted new jobs with the defendant, the employees "lost their authorization 17 For additional cases rejecting criminal liability under the CFAA when the defendant had authorization to access the system or data in question, but misused that authority, see also Lockheed Martin Corp. v. Speed, 2006 WL 2683058 (M.D. Fla. Aug. 1, 2006); Brett Senior & Assocs., P.C. v. Fitzgerald, 2007 WL 2043377 (E.D. Pa. July 13, 2007). BRIEF OF AMICUS CURIAE Case No. 5:08-cv-05780 JW 15 a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 and were `without authorization' [under the CFAA] when they allegedly obtained and sent [the plaintiff's] proprietary information to the defendant via e-mail." Shurgard, 119 F. Supp. 2d at 1125. The Shurgard approach has troubling and potentially unconstitutional results, most notably criminalizing employee disloyalty or other transgressions against the mere preferences of a private party. In sum, the better-reasoned and more recent cases in the Ninth Circuit and elsewhere explicitly reject Shurgard and the notion that a terms of service violation could create federal criminal liability. To the extent that the federal cases are influential on this Court's interpretation of California Penal Code § 502(c), they weigh in favor of Power. III. IMPOSING CRIMINAL LIABILITY BASED ON TERMS OF SERVICE OR CEASE AND DESIST LETTERS WOULD BE AN EXTRAORDINARY AND DANGEROUS EXTENSION OF CRIMINAL LAW Many websites or web-based services post their terms behind a "legal notices" or "terms of service" hyperlink that users can only access by scrolling to the bottom of the page and clicking on the link. Nothing about the links indicate that they are exceptionally important, much less that failure to click on them and read the underlying terms could subject the user to criminal penalties. Moreover, many terms of service, including Facebook's, contain clauses which state that the website owner can unilaterally change the terms at any time, and that continued use of the website implies acceptance of the new terms.18 Facebook's own terms of service contain items that are likely routinely violated, thus converting possibly millions of Facebook users into federal criminals. For instance, Facebook's terms of use provide: · 18 You will not provide any false personal information on Facebook. See also, e.g., West Terms of Use, http://west.thomson.com/about/terms-ofuse/default.aspx?promcode=571404 (last visited June 21, 2010) ("By accessing, browsing, or using this website, you acknowledge that you have read, understood, and agree to be bound by these Terms. We may update these Terms at any time, without notice to you. Each time you access this website, you agree to be bound by the Terms then in effect."); AOL Terms of Use, http://about.aol.com/aolnetwork/aolcom_terms (last visited June 21, 2010) ("You are responsible for checking these terms periodically for changes. If you continue to use AOL.COM after we post changes to these Terms of Use, you are signifying your acceptance of the new terms.") BRIEF OF AMICUS CURIAE Case No. 5:08-cv-05780 JW 16 a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 · · · You will not use Facebook if you are under 13. You will keep your contact information accurate and up-to-date. You will not share your password . . . [or] let anyone else access your account[.] Terms, supra, note 8. In Facebook's view, if a user shaves a few years off of her age in her profile information, or asserts that she is single when she is in fact married, or seeks to hide or obfuscate her current physical location, hometown or educational history for any number of legitimate reasons, she commits a computer crime. A user who is twelve years old violates criminal law every time she uses Facebook. And if a user changes jobs or moves to another city, she must immediately inform Facebook or run the risk that her continued use of the site could lead to criminal sanctions.19 Moreover, a politician or other high-profile user who communicates through Facebook with the general public violates the terms of service if he delegates his password to employees or volunteers to maintain the page. See, e.g., Barack Obama's Facebook Page, http://www.facebook.com/ barackobama (last visited June 20, 2010) (prominently noting that the page is "run by Organizing for America, the grassroots organization for President Obama's agenda for change."). These problems are not specific to Facebook because Facebook's terms of service provisions are not unique. Google bars use of its services by minors ­ probably to protect itself against liability and to try to ensure its terms are binding in the event of a litigated dispute. Google Terms of Service, 2.3 ("You may not use the Services and may not accept the Terms if (a) you are not of legal age to form a binding contract with Google, or (b) you are a person barred from receiving the Services under the laws of the United States or other countries including the country in which you are resident or from which you use the Services."). Surely the company does not 19 It is of no import that law enforcement might not choose to bring these cases. The inability of a reader to distinguish in a meaningful and principled way between innocent and criminal computer usage is the constitutional harm. Foti v. City of Menlo Park, 146 F.3d 629, 638 (9th Cir. 1998). See also Orin S. Kerr, Vagueness Challenges to the Computer Fraud and Abuse Act, Minnesota Law Review (Forthcoming 2010) at 17, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1527187 ("Courts must adopt a meaning of unauthorized access that does not let the police arrest whoever they like. This means that courts must reject interpretations of unauthorized access that criminalize routine Internet use or that punish common use of computers."). BRIEF OF AMICUS CURIAE Case No. 5:08-cv-05780 JW 17 a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 mean -- or imagine -- that tens of millions of minors in fact will never use its search engine or other services, or do so only at the risk of criminal liability. In another example, YouTube's Community Guidelines, expressly incorporated into the site's terms of use, prohibit posting videos that show "bad stuff." YouTube Community Guidelines, http://www.youtube.com/t/community_guidelines (last visited June 18, 2010). Uploading "bad stuff" would not only violate YouTube's terms of service, but under Facebook's theory here, also constitute access without permission to the site. Surely YouTube did not draft the "bad stuff" prohibition with criminal liability in mind. Whatever the validity of holding such contracts enforceable for purposes of contract law,20 the terms cannot define the line between lawful conduct and criminal violations. For the same reasons cited above, Power's continued provision of aggregation services to Facebook users even after receipt of Facebook's cease and desist letter does not trigger criminal liability. Facebook users who chose to use Power were still accessing their own data, which they had full rights and permission to access, even if Facebook did not like how or why they did it. No California case supports the claim that a cease and desist letter or other direct notice to a follow-on innovator creates criminal liability when that innovator is merely facilitating otherwise authorized access to user data. Just as with terms of service violations, the computer owner's use preferences do not trigger criminal liability so long as the user has authorized access to the data in question. The relatively early case of Register.com, Inc. v. Verio, Inc., cited by Facebook, is not to the contrary. See Facebook's MJOP at 7, 9. There, the court enjoined automatic searching of the registrant contact information contained in domain registry database after lawyers specifically objected to the defendant's use and sent out a terms of use letter to the defendant. Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238 (S.D.N.Y. 2000), aff'd in part as modified by Register.com, Inc. v. Verio, Inc., 356 F.3d 393 (2d Cir. 2004) (reversing the trial court's CFAA finding on the basis that there was insufficient likelihood of showing the $5,000 damage threshold necessary for 20 See Mark A. Lemley, Terms of Use, 91 Minn. L. Rev. 459, 465, 475-76 (2006) (observing that in civil cases "in today's electronic environment, the requirement of assent has withered to the point where a majority of courts now reject any requirement that a party take any action at all demonstrating agreement to or even awareness of terms in order to be bound by those terms.") (emphasis added). This lax approach simply cannot provide "fair notice" in the criminal context. BRIEF OF AMICUS CURIAE Case No. 5:08-cv-05780 JW 18 a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 private claims, but upholding a trespass to chattels claim). The defendant did not have the registrants' permission to access their contact information. Here, Power has the permission of particular Facebook users to access their own data.21 If Facebook's proposed construction of section 502(c) in this case were correct, millions of otherwise innocent internet users would potentially be committing frequent criminal violations of the law through ordinary, indeed routine, online behavior. Similarly, allowing a private party to define criminal conduct merely by sending a letter complaining about a competitor's computer usage puts far too much power in the hands of private entities that may or may not have consumer rights and the public interest at heart.22 IV. EVASION OF A TECHNOLOGICAL MEASURE PUT IN PLACE TO ENCOURAGE COMPLIANCE WITH TERMS OF SERVICE OR CEASE AND DESIST LETTERS, WITHOUT MORE, DOES NOT INCUR CRIMINAL LIABILITY At oral argument, Facebook added an additional basis for its claim that Power violated section 502: Power's alleged evasion of Facebook's IP address blocking effort. Yet if the failure to abide by contractual limits on means of access is insufficient to create criminal liability, ignoring or bypassing technological limits that attempt to create those same limits must also be insufficient to create criminal liability. To understand why, it is necessary to explain IP address blocking and how users or entities avoid it to demonstrate (1) that there are many legitimate reasons for changing your IP address to avoid blocking, so the practice should not be categorically discouraged, and (2) 21 22 Facebook's assertion that allowing user permission to serve as the basis for authorized access to a user's own data would be akin to allowing a third party to break into a bank in order to retrieve a user's deposits is both unfounded and hyperbolic. See Facebook Reply at 6. More correctly, Facebook's argument would allow a bank to make it a crime for a bank customer to use certain technology to assist her in making an otherwise legitimate deposit or withdrawal from her own account during regular business hours. For these reasons, this Court should view with caution Judge Fogel's decision denying Power's Motion to Dismiss Facebook's copyright circumvention claim, in which the court determined that, for purposes of a claim of copyright circumvention, the Facebook terms of service deny users the right to authorize circumvention of Facebook's technological protection measures. Amicus questions whether this analysis is correct for purposes of a civil copyright circumvention claim. In any event, at this stage of the litigation, it is clear that even if the terms of service are theoretically relevant to a civil copyright circumvention claim, they cannot serve here as a basis for criminal liability for Facebook users, or their agents, who seek to access to information that the users own. BRIEF OF AMICUS CURIAE Case No. 5:08-cv-05780 JW 19 a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 IP blocking does not necessarily provide computer security or data privacy, and did not in this case, so this evasion of IP blocking is outside the scope of the computer crime law. A. IP Address Allocation An "IP address" is a numeric value used to identify a computer or set of computers on the Internet. Internet routers use the IP address to decide where to send communications addressed to a particular computer.23 The address is normally written as four numbers separated by periods.24 For example, one of the web servers operated by amicus uses the address 64.147.188.11, while this Court's web server uses 207.41.19.17.25 IP addresses are allocated to Internet service providers (ISPs) in chunks of consecutive addresses out of a worldwide pool of around four billion possible addresses through geographically-based non-profit organizations known as regional Internet registries.26 ISPs can further delegate these addresses to smaller entities such as a business, an Internet café, or a smaller ISP.27 ISPs can also assign an IP address directly to an individual computer. This assignment process is frequently automated and the assignment can be short- or relatively long-term.28 Because IP addresses are allocated in this way, they can convey approximate and general information about a computer's location, how the computer is connected to the Internet or what individual or entity is using that computer to connect.29 But it is equally true that the IP address used by a particular computer can change over time, that individual users connect through different 23 24 21 22 23 24 25 26 27 28 29 25 26 27 28 See Declaration of Seth Schoen ("Schoen Dec'l") at 2, citing Eric A. Hall, Internet Core Protocols: The Definitive Guide, 37-40 (O'Reilly and Associates, 2000). See Schoen Dec'l at 2, citing Radia Perlman, Interconnections Second Edition, 199 (Addison Wesley Longman, 2000). See Schoen Dec'l at 2. See Schoen Dec'l at 3, citing American Registry for Internet Numbers, "Internet Number Resource Distribution," available at https://www.arin.net/knowledge/distribution.pdf. See Schoen Dec'l at 3, citing Hall, supra, at 40-41. See Schoen Dec'l at 3, citing Wikipedia, "IP Address: Static vs dynamic IP addresses," version of June 17, 2010, available at http://en.wikipedia.org/w/index.php?title=IP_address&oldid=368588938#Static_vs_dynamic_IP _addresses. See Schoen Dec'l at 4, citing Kevin F. King, "Personal Jurisdiction, Internet Commerce, and Privacy: The Pervasive Legal Consequences of Modern Geolocation Technologies," available at http://ssrn.com/abstract=1622411 (cited here for its clear description of the relationship between IP address and geolocation, but not for its legal conclusions). BRIEF OF AMICUS CURIAE Case No. 5:08-cv-05780 JW 20 a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 IP addresses depending on where they are, and that multiple users can connect to the Internet through a single IP address.30 For instance, a laptop will receive a different IP address when it connects to the Internet from different locations.31 If a laptop's owner uses the machine from her workplace in the morning, a café in the afternoon, and her home in the evening, she will present three different IP addresses over the course of a single day. A traveler who brings a laptop to a different city and goes on-line there will receive an IP address unrelated to the IP address he used at home. So will an Internet user who chooses to change residential broadband providers -- for example, by switching from Comcast to AT&T. Even a home Internet user may encounter an IP address that changes over time, since some ISPs vary the address that they assign to a particular computer on different occasions.32 America Online, for instance, provides a different, randomly-selected IP address to every user with each new telephone modem dial-up session.33 Some common Internet technologies such as tunnels, virtual private networks ("VPN"s), and proxy servers will also change the apparent IP address that a user appears to be connecting from. Users have many legitimate reasons to use technologies that will change their apparent IP addresses. 34 30 31 21 22 23 24 25 26 27 28 34 32 33 See Schoen Dec'l at 4, citing Yinglian Xie et al., "How Dynamic Are IP Addresses?," in Proceedings of the 2007 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, available at http://www.sigcomm.org/ccr/drupal/files/fp179-xie.pdf, and Jeff Tyson, "How Network Address Translation Works," available at http://computer.howstuffworks.com/nat.htm/printable. See Schoen Dec'l at 5, citing University of Illinois Campus Information Technologies and Educational Services, "Network Access While Traveling", available at http://www.cites.illinois.edu/network/access/travel.html. See Schoen Dec'l at 5, citing Whatismyipaddress.com, "Dynamic IP Addressing," available at http://whatismyipaddress.com/dynamic-static, and Xie et al., note 7, supra. See Schoen Dec'l at 5, citing Wikimedia Foundation, "Why are AOL users often blocked?," available at https://en.wikipedia.org/wiki/Wikipedia:AOL#Why_are_AOL_users_often_blocked.3F, and AOL, "AOL Outbou