Many people routinely click on the Agree button without reading the terms of service. Doing so can be perilous for many reasons. A pending case highlights another potential reason to read and abide by the terms of service – potential criminal liability. Granted, there are some unique facts here as discussed below, but it is to everyone’s benefits to read and understand terms of service. For example, for users of a social media site, it is crazy to not understand what personal data is being collected and how it is being used and make an informed decision whether to use that site. For businesses (and investors in businesses) that interact with social media sites, it is critical that you understand and abide by the terms of service to assess whether your business model is “legal” and in compliance with the relevant terms of service. If not, your business (or investment) may be in peril, and in a worst case scenario you may face personal liability. Such was the case for the CEO of MDY when it created a tool that engaged in unauthorized access to Blizzard’s World of Warcraft client software in violation of the relevant terms of service and EULA. In addition to the company being found to infringe, the CEO was held personally liable for $6 million in damages.
Facebook alleges that Power.com induces visitors to surrender their Facebook user names and passwords in order to “integrate” their Facebook account into the Power.com website, in violation of the Facebook’s terms of service.
After notification from Facebook. Power.com allegedly initially agreed to cease the activity and purge the “ill-gotten data,” but apparently later changed its mind and continued its practices. In response, Facebook claims to have implemented technical measures to block access to the site by Power.com but Power.com then allegedly circumvented the technological security measures without authorization in violation of the Computer Fraud and Abuse Act. Facebook also alleged violation of CALIFORNIA PENAL CODE 502(c), the “COMPREHENSIVE COMPUTER DATA ACCESS AND FRAUD ACT” (including Sections 1-4 and 7) and the anti-circumvention provisions of the DMCA, among other claims.
Additionally, Facebook alleges that Power.com used the names to send unsolicited email messages to Facebook users that contained false header information in violation of the CAN-SPAM (CONTROLLING THE ASSAULT OF NON-SOLICITED PORNOGRAPHY AND MARKETING) Act.
Even though this is a civil action the penalties that can flow from a finding of violation of the Computer Fraud and Abuse Act include: (A) a fine or imprisonment for not more than ten years, or both (for a first conviction) and (B) a fine under or imprisonment for not more than twenty years, or both, in the case of a repeat offender. Violation of the relevant sections of the California Penal Code can result in fines and imprisonment up to three years.
The Electronic Frontier Foundation filed an amicus brief in support of Power Ventures; arguing:
Facebook argues that by offering these enhanced services to users, Power violated California’s computer crime law. It grounds its claim in the fact that Facebook’s terms of service prohibit a user from having automated access to a user’s own information and that Power continued to offer the service to Facebook users even after Facebook sent Power a cease and desist letter demanding that it stop. Yet merely providing a technology to assist a user in accessing his or her own data in a novel manner cannot and should not form the basis for criminal liability.
Many commenters have pointed out that taken to an extreme, any online service provider can create ridiculous terms of service and allege that there is a violation. While this may theoretically be true, in reality a court could strike down a frivolous clause if that were the case. However, when a company has a legitimate business interest to protect, and the terms of service relate to that business interest, an argument can be made that such terms should be upheld. Here Facebook appears to be alleging that it has a legitimate right to prevent third party application developers from requesting, soliciting, or otherwise obtaining access to user names, passwords or other authentication credentials. Perhaps this case will shed some light on this issue. Check back as we will provide updates on this case as it progresses.