In a novel — some would say wacky — interpretation of the federal Computer Fraud and Abuse Act, an appellate court panel ruled last Tuesday (July 12) that sites can legally ban people, with a subsequent visit to the site punishable by federal criminal law. Envision using this against a spammer, someone whose comments you don't like (the panel said a site can ban anyone it wants for any reason) or a bargain-hunter that is cutting into your margins.
The case delves into the meaning of "authorized visitor," which is tricky to do with a public website. If someone creates an ungated (no password required) site, isn't anyone authorized to visit? Apparently, the panel believes that permission is now needed under federal law.
As always, these cases are decided on the specifics of a case, and lawyers relentlessly argue that it's a narrow or broad ruling, depending on which side of a case they are on. But the decision here, by a panel of the U.S. Court of Appeals for the Ninth Circuit, was explicit that a site can ban anyone for any (or no) reason, and the bans are enforceable.
This case involved Facebook and a now-defunct social media company called Power Ventures. The particulars made the issue of permission even more slippery, since all agreed that Power Ventures did indeed have the permission of Facebook users to send emails and perform other functions on their behalf. The ruling said such a third party needs permission from both users and the site owner.
Here's a key example from the panel's ruling: "The consent that Power had received from Facebook users was not sufficient to grant continuing authorization to access Facebook’s computers after Facebook’s express revocation of permission. An analogy from the physical world may help to illustrate why this is so. Suppose that a person wants to borrow a friend’s jewelry that is held in a safe deposit box at a bank. The friend gives permission for the person to access the safe deposit box and lends him a key. Upon receiving the key, though, the person decides to visit the bank while carrying a shotgun. The bank ejects the person from its premises and bans his reentry. The gun-toting jewelry borrower could not then reenter the bank, claiming that access to the safe deposit box gave him authority to stride about the bank’s property while armed. In other words, to access the safe deposit box, the person needs permission both from his friend, who controls access to the safe, and from the bank, which controls access to its premises. Similarly, for Power to continue its campaign using Facebook’s computers, it needed authorization both from individual Facebook users, who controlled their data and personal pages, and from Facebook, which stored this data on its physical servers. Permission from the users alone was not sufficient to constitute authorization after Facebook issued the cease and desist letter."
To be fair, Power's conduct didn't make it look exactly like a law-abiding company. After Power started its campaign, Facebook sent it a cease-and-desist letter, which was ignored. Facebook then blocked Power's IP addresses. Power simply acquired additional IP addresses and used those. Said the panel decision: "Once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability."
When Power sent those messages on behalf of Facebook customers, it didn't sign them with the names of those users (who had given permission). No, it pretended to be Facebook itself, even after Facebook made clear it was opposed to that. Let's call this the chutzpa maneuver.
"The external e-mails were form e-mails, generated each time that a Facebook user invited others to an event. The 'from' line in the e-mail stated that the message came from Facebook. The body was signed, 'The Facebook Team,'" the decision said.
The permission issue here gets yet more complicated. Facebook is a public site, but the parts accessed were restricted to registered users. Those users gave their permission for this third-party company to do its thing. Given that those users clearly had the right to send emails and interact with their friends, can't they grant that permission to someone else?
It's as though an executive gives an executive assistant all of her passwords so that the assistant can handle social media posting duties for the executive. And Facebook said "Nope. Only the actual user may use the site. Otherwise, it's a violation of federal law, if we say so."
The implications here are interesting. A site can ban anyone it wants from visiting. And if it does it properly — to be safe, mimic what Facebook did by sending a cease-and-desist letter (presumably sent certified, requiring a signature) and then block all known IP addresses from the offender — it can send the feds after them.
You want to run a political site but don't want anyone who has a differing viewpoint to visit? Identify the bad thinkers, send them a note and prepare to call the feds if they resurface. What if a media site wants to ban those who block ads? Or a retail site wants to dump bargain-hunters? This can get even better. What if HomeDepot.com wants to ban any and all employees of Lowes.com?
How about a healthcare insurance site that bans people who it thinks have had cancer? Perhaps this could be a great tool for drug-dealing sites wanting to ban anyone the site suspects of working in law enforcement.
The panel's bank example misses the point. A bank is private property. I used to chuckle when someone sent me a note granting me permission to visit their site, as though I needed it. Unless this appellate panel is reversed, those permission-granters may have been right.
This article is published as part of the IDG Contributor Network.