Unauthorized Scraping, Porting of Social Network Data Prompt Bushels of Prickly Legal Questions
Automated extraction of Facebook profile information by competing social networks or for integration on personal portals raises a bar exam’s worth of liability issues not only for the outside companies but also even for users who authorize their activity, legal experts said Tuesday. Many of the questions remain wide open, leaving the terrain uncertain for all the businesses involved, they said on an American Bar Association webcast. Companies are “facing very different and irreconcilable theories of what is going to make them liable,” said Sebastian Kaplan of the Fenwick & West law firm. A Senate measure would shift the terrain against Facebook and other sites that restrict data portability, he said.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Porting and scraping of social-network data raises questions of violation of the federal Computer Fraud and Abuse Act (CFAA), similar state computer-crime laws such as California’s Penal Code Section 502, the old common-law tort of trespass to chattels, tortious interference with contractual relations for encouraging violations of terms of service, the CAN-SPAM Act for the use of email addresses taken, copyright, the Digital Millennium Copyright Act’s ban on circumvention of technical protections of content, and the privacy of users’ friends whose information is taken, said Kaplan and Jonathan Blavin of Munger Tolles.
Facebook specifically has been at the center of lawsuits over data extraction at least partly because the company’s terms of service ban unauthorized use of technologies to accomplish it, it disables extraction tools and it has threatened enforcement action against users, Blavin said. Facebook ultimately settled a case it had brought against ConnectU, of the Winkelvoss twins of The Social Network fame, for scraping email addresses to use for solicitations. Facebook won by summary judgments against the operators of Power.com, which integrated social media and email. Google allows much more open access to data and has made this a sales point in trying to compete with Facebook, Blavin said.
A crucial question is whether a company must erect technical barriers to access, rather than just contractual ones like terms of service, to gain the protection of the CFAA or a state computer-crime statute, Kaplan said. In April the full 9th U.S. Circuit Court of Appeals ruled that the federal law was meant as an anti-hacking measure, so only technical barriers qualify, he said. But the 7th and 11th circuits have put out broader interpretations, favorable to plaintiffs, he said.
The Personal Data Privacy and Security Act, S-1151, by Sen. Patrick Leahy, D-Vt., as amended, would clarify that violation of a contractual obligation alone isn’t the kind of unauthorized access punished by the CFAA, Kaplan said. The bill passed the Judiciary Committee but hasn’t gotten a Senate vote. Social networks will be creative in doing whatever they can to frame their information protections as technical, Kaplan predicted.