District Court Adopts “Technical Barriers” Approach to California Computer Crime Law

The case is Facebook, Inc. v. Power Ventures, Inc., 2010 WL 3291750 (N.D. Cal 2010) (Ware, J.), handed down July 20. It’s largely a replay of the legal issues raised by the Lori Drew case but under the California computer crime statute, Cal. Penal Code Sec. 502. In the case, Facebook sued a company (Power Ventures) for having accessed Facebook in ways that are prohibited by Facebook’s Terms of Use. Facebook argued that the Terms of Use violation violated the state statute, which punishes one who “knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network.” The Electronic Frontier Foundation filed an amicus brief arguing that the court had to construe the state statute narrowly to exclude TOU violations under the void for vagueness doctrine. The District Court agreed, and held that the statute is violated only when some sort of technical barrier is breached. The court’s analysis after the jump:

EFF contends that interpreting Section 502 broadly to allow liability where the absence of permission is based only on the violation of a contractual term of use or failure to fully comply with a cease and desist letter would render the statute unconstitutionally vague, stripping the statute of adequate notice to citizens of what conduct is criminally prohibited. (Amicus Brief at 24-28.) EFF further contends that giving the statute the broad application that Facebook seeks could expose large numbers of average internet users to criminal liability for engaging in routine web-surfing and emailing activity. ( Id.)

“It is a fundamental tenet of due process that ‘[n]o one may be required at peril of life, liberty or property to speculate as to the meaning of penal statutes.” Lanzetta v. New Jersey, 306 U.S. 451, 453 (1993). Thus, a criminal statute is invalid if it “fails to give a person of ordinary intelligence fair notice that his contemplated conduct is forbidden.” United States v. Harriss, 347 U.S. 612 (1954). Where a statute has both criminal and noncriminal applications, courts must interpret the statute consistently in both contexts. Leocal v. Ashcroft, 543 U.S. 1, 11 n. 8 (2004). In the Ninth Circuit, “[t]o survive vagueness review, a statute must ‘(1) define the offense with sufficient definiteness that ordinary people can understand what conduct is prohibited; and (2) establish standards to permit police to enforce the law in a non-arbitrary, non-discriminatory manner.’ “ United States v. Sutcliffe, 505 F.3d 944, 953 (9th Cir.2007).

The Court finds that interpreting the statutory phrase “without permission” in a manner that imposes liability for a violation of a term of use or receipt of a cease and desist letter would create a constitutionally untenable situation in which criminal penalties could be meted out on the basis of violating vague or ambiguous terms of use. In the words of one commentator, “By granting the computer owner essentially unlimited authority to define authorization, the contract standard delegates the scope of criminality to every computer owner.” FN21 Users of computer and internet services cannot have adequate notice of what actions will or will not expose them to criminal liability when a computer network or website administrator can unilaterally change the rules at any time and are under no obligation to make the terms of use specific or understandable to the general public. Thus, in order to avoid rendering the statute constitutionally infirm, the Court finds that a user of internet services does not access or use a computer, computer network, or website without permission simply because that user violated a contractual term of use. FN22

FN21. Orin S. Kerr, Cybercrime’s Scope: Interpreting “Acess” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L.Rev. 1596, 1650-51 (2003).

FN22. This is not to say that such a user would not be subject to a claim for breach of contract. Where a user violates a computer or website’s terms of use, the owner of that computer or website may also take steps to remove the violating user’s access privileges.

If a violation of a term of use is by itself insufficient to support a finding that the user’s access was “without permission” in violation of Section 502, the issue becomes what type of action would be sufficient to support such a finding. The Court finds that a distinction can be made between access that violates a term of use and access that circumvents technical or code-based barriers that a computer network or website administrator erects to restrict the user’s privileges within the system, or to bar the user from the system altogether.FN23 Limiting criminal liability to circumstances in which a user gains access to a computer, computer network, or website to which access was restricted through technological means eliminates any constitutional notice concerns, since a person applying the technical skill necessary to overcome such a barrier will almost always understand that any access gained through such action is unauthorized. Thus, the Court finds that accessing or using a computer, computer network, or website in a manner that overcomes technical or code-based barriers is “without permission,” and may subject a user to liability under Section 502.

FN23. See generally Kerr, supra note 20.

Applying this construction of the statute here, the Court finds that Power did not act “without permission” within the meaning of Section 502 when Facebook account holders utilized the Power website to access and manipulate their user content on the Facebook website, even if such action violated Facebook’s Terms of Use. However, to the extent that Facebook can prove that in doing so, Power circumvented Facebook’s technical barriers, Power may be held liable for violation of Section 502. Here, Facebook relies solely on the pleadings for its Motion. In their Answer, Defendants do not directly admit that the tools Power provided to its users were designed to circumvent the technical barriers that Facebook put in place to block Power’s access to the Facebook website. Thus, the Court finds that there is a genuine issue of material fact as to whether Power’s access or use of the Facebook website was “without permission” within the meaning of Section 502.

EFF contends that even if Power evaded the technical barriers that Facebook implemented to deny it access, Power’s conduct does not fall within the scope of Section 502 liability. (Amicus Brief at 19-28.) More specifically, EFF contends that it would be inconsistent to allow liability for ignoring or bypassing technical barriers whose sole purpose is to enforce contractual limits on access while denying liability for violating those same contractual limits when technological means of restricting access are not employed. ( Id. at 19.) Thus, according to EFF, Power’s efforts to circumvent Facebook’s IP-blocking efforts did not violate Section 502 because Facebook was merely attempting to enforce its Terms of Use by other means.FN24 ( Id. at 23-24.) The Court finds EFF’s contentions unpersuasive in this regard. EFF has not pointed to any meaningful distinction between IP address blocking and any other conceivable technical barrier that would adequately justify not finding Section 502 liability in one instance while finding it in the other. Moreover, the owners’ underlying purpose or motivation for implementing technical barriers, whether to enforce terms of use or otherwise, is not a relevant consideration when determining the appropriate scope of liability for accessing a computer or network without authorization. There can be no ambiguity or mistake as to whether access has been authorized when one encounters a technical block, and thus there is no potential failure of notice to the computer user as to what conduct may be subject to criminal liability, as when a violation of terms of use is the sole basis for liability.

I agree with the Court’s approach as a normative matter, as you might guess (and guess again).