
9th Circuit: It’s a crime to visit a website after being told not to visit it - walterbell
https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/07/12/9th-circuit-its-a-federal-crime-to-visit-a-website-after-being-told-not-to-visit-it/
======
ramblenode
This opinion is based on a fundamental misunderstanding of how the internet
works.

A client which is on the same network as a server can _request_ data from the
server, and the server chooses how to reply. The internet is just a really big
network, so for an internet-facing computer the assumption is that anyone can
_request_ data. The analogy of the request-response process to physical space
isn't--as the judge claimed--someone entering a building, but rather someone
asking permission to enter the building. Asking permission to enter a bank
with a shotgun is very different from actually entering and is not itself a
crime (as far as I'm aware).

 _Every_ interaction between the client and server begins as a _request_ from
the client. If the server replies "yes, have some data" it's nonsensical that
this could be construed as gaining unauthorized access, as Facebook claims.
Ultimately, Facebook still controls access to its servers; it just hasn't
figured out a good policy for denying certain requests. This is a technical
problem which should be solved through technical means (e.g. blocking IP
addresses) or by changing its terms of service with its users.

Unfortunately, rather than solving the problem itself, Facebook has convinced
the federal government to work on its behalf through an especially blunt
weapon known as the CFAA. This risks changing the entire legal framework in
which everyone else is required to operate. Technology moves much faster than
the laws governing it, so we may not appreciate the full impact of this
decision until later. That should give even proponents some pause.

~~~
tptacek
Someone raises this argument in every thread about the concept of unauthorized
access. I have yet to obtain from those threads a satisfactory answer to this
question:

If what you say about "requests" and "responses" is both true and dispositive
of the issue of authorization, then you're saying that virtually every SQL
injection vulnerability on the Internet is also an "authorized" form of access
to people's backend databases. Nobody should be prosecuted for those either.
After all, most of those attacks take the form of simple HTTP requests --- in
fact, many of them are triggerable simply from GET URLs.

How does this definition of "authorization" make sense?

~~~
gioele
> If what you say about "requests" and "responses" is both true and
> dispositive of the issue of authorization, then you're saying that virtually
> every SQL injection vulnerability on the Internet is also an "authorized"
> form of access to people's backend databases.

I would say that the SQL/HTTP equest with the SQL injection is _per se_ legal.
The damage that it has intentionally caused is what the law should punish.

"You are free to tell me whatever you want, but beware: if you catch me
offguard and make a damage, then you will be punished for it."

~~~
dpark
So you think only _success_ is punishable? So if someone takes a swing at you,
it's only assault if they connect? If someone takes a shot, it's only illegal
if the bullet hits you? If someone tries to break into your house, it's legal
until they get inside?

Or are computers special for some reason?

~~~
washadjeffmad
Computers are special for some reason.

I can't punch you in the face over the computer, but I can take a swing at you
in front of my monitor even I don't know where you are afk. Is that alright
under the law?

That was rhetorical; of course it's alright. I'm doing it right now, for all
you know.

And yeah, it's not possible B&E until you('re caught) B&E. You might have to
commit trespass to get that close, but that's a different law.

The perversion is when you get charged with B&E for walking into a building
open to the public just because security didn't stop you from going inside.

~~~
dpark
> _Computers are special for some reason._

And what reason is that?

> _I can 't punch you in the face over the computer, but I can take a swing at
> you in front of my monitor even I don't know where you are afk. Is that
> alright under the law?_

That's not taking a swing at me. That's you swinging wildly in the air in
front of your monitor. Yes, that's legal, if pointless.

> _And yeah, it 's not possible B&E until you('re caught) B&E. You might have
> to commit trespass to get that close, but that's a different law._

As Thomas noted, attempted breaking and entering is a crime as well.

> _The perversion is when you get charged with B &E for walking into a
> building open to the public just because security didn't stop you from going
> inside._

I'm not sure what you're trying to say here. Are you saying that unauthorized
access is like breaking and entering? A better analog for the case here is
trespass. You won't be guilty of breaking and entering if you enter a mall
after being asked to stay out, but you will be guilty of trespass. No one is
required to post guards to keep you out. Simply tell you is enough to legally
obligate you to stay out.

------
Animats
The court seems to have it right, while the article author doesn't see the
court's reasoning. The issue is whether accessing a web site after being sent
a cease and desist letter telling you to stop is an act for which the accessor
can be assessed damages. (Despite the title, this was a civil case, not a
criminal case.)

A previous case established that accessing a web site in violation of its
terms of use is not a offense under the Computer Fraud and Abuse Act. That's
just a contractual issue.

Here, though, the site operator (Facebook) explicitly sent a cease and desist
letter to the accessing service, telling them to stop doing what they were
doing (which apparently involved some kind of message sending on behalf of
Facebook users). That put the accessing service on notice that they were
accessing the site without authorization. After that, access was considered
unauthorized. Seems reasonable enough.

~~~
syshum
This gets into the whole debate over who owns, or should own, your data

IMO I should have the right to access, and authorize 3rd parties to access,
data stored about me even if it is on a 3rd party platform like facebook. If
Facebook does not want to allow Me or my authorized agents to access this data
then facebook;s only recurse should be to prevent me from using their platform
AND delete any and all they have collected about me.

Here Facebook wants to control how my data is used, stored, and disseminated.
they want the ability to Prevent me or my Authorized Agents from access my
data, but they do not want to be forced to delete said data.

I am a strong advocate of strong Data protection, access, and Right to Know
laws.

Authorization is the key question, for me Power Partners was authorized, by
the USER, that should be all the Authorization they need. Facebook should be
sending notices and cancelling the accounts of the USERS that authorized Power
Partners, not be going after power partners directly.

~~~
tutts
I disagree. That is, I agree that you should ultimately own your data and have
the right to decide what Facebook is allowed to do with it, to have them tell
you what data they have, and to have them delete it. I don't agree that you
should have the right to force them to provide data-related services to you or
anyone else simply because they have your data. If you want another third
party to have access to your data, you can provide it to them directly. Don't
have a server set up with a popular API for that? That doesn't mean you get to
force someone who does to do it for you.

~~~
syshum
I do not believe I advocated for anything like that.

In this case The data was either Scraped via downloading the HTML pages, or
used Facebooks API with the users permission. I believe that should be all
that is required is the user permission, if the USER does something that is a
violation facebook policy then the recourse should be banning of the User, and
removal of all data for that user. Facebook does not want that however. So you
see Facebook does not have to provide anything, but they can not pick and
choose what a person does with the data they are storing about them.

That said there is one Data Service I do believe should be required, I should
be able to request my data from any company to be delivered to me in some kind
of Machine Readable format. XML, JSON, some other structured format. This
could be only on Condition of Closing my account, or some other string
attached, but I should be able to get access to this data.

------
donkeyd
With Facebook buttons being on many websites now, wouldn't Power technically
breach the cease-and-desist by visiting any web site that has a Facebook
button? That's what troubles me about this, websites aren't fixed to a single
location like physical locations are. You can 'access a computer' without
really being aware of it.

~~~
nhebb
Playing devil's advocate, shouldn't this work in reverse? Providing their IP
address, shouldn't someone be able to send Facebook a cease and desist order
to stop trespassing on their system by running Facebook javascript in their
browser (via like buttons) when visiting non-Facebook domains?

~~~
TheSpiceIsLife
I'd recommend you put that devil back in it's bag otherwise we're going to end
up with another annoying law like that EU one that gives rise to the cookie
permission notification, which everyone just clicks to make the stupid banner
go away, thereby granting permission.

~~~
forgotpwtomain
> which everyone just clicks to make the stupid banner go away, thereby
> granting permission.

I don't use Facebook and would be happy to have all their like buttons (which
are tracking me across sites) wiped out from all the sites I visit. Mmatrix
mostly catches them but I wouldn't mind having it on a legal basis.

~~~
toyg
Websites would then just set up proxies to do the same thing. Rather than
adding a JS call on a page, you'd get some sort of FB-provided box that makes
it look like all scripts originate from your domain. This would only hit small
operations without the time or inclination to add extra infrastructure to
support social sharing, everyone else would carry on as before. Maybe an
industry-standard proxy format for shared hosts would emerge at some point,
giving the same power to small actors, and you'd be back to square 1.

~~~
forgotpwtomain
Is that a legal way to avoid a cease and desist? If PowerVentures which was
asked to cease and desist and lost, now outsourced their Facebook API use to a
third-party (still performing the same function) - would the court really not
find against them?

~~~
gm-conspiracy
Based on the judge's reasoning, I would say yes.

Until the 3rd party received its own cease-and-desist, then Power would switch
to another 3rd party provider.

------
numlocked
The physical space analogies in the comments seem reasonable:

"If I am given a formal trespass warning by Wal-Mart which covers the property
of Wal-Mart, going back is a criminal offense. Going into the store is an
offense. Driving in the parking lot, if it is owned by them is an offense. The
different norms of public spaces vs private spaces vs semi-public space goes
out the window when you have been formally trespassed from a place. I don't
see why the exact same rules shouldn't be applied in the context of computer
trespass."

It doesn't quite feel right and my intuition says that the same rules should
NOT be applied in the context of a computer trespass, but I haven't yet
thought of a satisfying counterargument.

~~~
duncanawoods
To me, a website feels more like a newspaper than a physical space. Can the
WaPo legally ban me from reading a copy I find whether its in a news-stand or
on the metro?

We don't try to apply trespass laws to my eyeballs, instead we have copyright
to prevent actions like reselling WaPo content.

~~~
erroneousfunk
Let's say you start harassing the newspaper delivery boy and WaPo decides to
cut off service to your house after he reports it. Also, WaPo sends you a
letter saying that you are prohibited from seeking delivery in the future. You
decide to start living at your neighbor's house and set up a new delivery
service there instead. That's not okay.

With your newsstand example, let's say you go to a newsstand and tear up all
the newspapers while laughing maniacally -- banned for life! Now you can't get
WaPo from the newsstand either. You're not banned by WaPo, and, yes, if you
find a copy on the sidewalk, you're still free to read it, but you're further
limited in your legal options for obtaining it.

Facebook isn't the "eyeball police" but it can refuse to deliver content to
you for violating their terms of service, after notifying you. Because they
own the data and the only way to access it is through their servers, they can
ban you from accessing their servers. Theoretically, if someone prints out
their data and sends it to you, yes, you can read it. But if you initiate the
request/delivery, that's not allowed.

------
vertex-four
To intentionally access a computer system after being told not to by its owner
is, by definition, unauthorized access of a computer system - the core of the
Computer Fraud and Abuse Act. That should be pretty clear.

However, the law in question is old and probably doesn't make much sense any
more. Claiming that the courts made the wrong decision is nonsense - the law
needs to be rewritten.

------
ktRolster
The law is not good, but the court's ruling seems correct and following the
law.

The law says, "Unauthorized access to computer systems is a crime." Facebook
sent them a cease-and-desist letter saying not to access their system anymore.
The court agreed that at that point, they were no longer authorized to access
the system, and that they knew they were not authorized.

So unless the law is unconstitutional, them the only way to solve the problem
is by getting congress to change the law. Maybe that sucks but welcome to
America.

------
rabboRubble
Late to the party, but my 2 cents.

If I'm ordered to avoid a certain house or small non-social website, I can do
that easily.

Facebook on the other hand, goes out of it's way to make contact with me. I
have to use special browser add-ons to keep it from tracking my web behavior
across other sites. Is this contact? What happens if 3rd party sends me
something that is Facebook related and I accidentally click on it?

The order to not contact Facebook reminds me a little of an order to stay away
from any physical location where post or shipping activities are conducted or
offered. Potentially so broad an order that would preclude me from visiting
any location in my community (grocery stores with post offices) or any website
online (www.momandpopwebsite.com with integrated FB social media stuff).

~~~
Spivak
The real-life metaphor doesn't seem to follow. This would be like being banned
from a store and then arguing that their marketing flyer constitutes
permission to reenter.

The courts aren't so black and white that they would prosecute someone for
accidental requests.

But the more important point is that is a 'website' property that you get the
legal right of exclusion on? Is the land metaphor even meaningful?

~~~
rabboRubble
My concern with a court ordering non-contact with Facebook is that Facebook's
omnipresence on the internet would make complying with that order quite
difficult in practice. Simply going online, with intent to go online, would be
sufficient to violate a non-contact order.

In my (perhaps bad) example, the grocery store with an in-store post office,
was to try to extend the blurring of lines between two independent parties in
the physical world. Post office may wish to exclude you from all their places
of operations, but you still gotta eat and get food from somewhere.

To function in this world, you need the ability to get online and if you are
online long enough, you will touch Facebook systems.

------
enjo
I assume this is the same Power Ventures Facebook previously won an important
judgement against:
[https://en.wikipedia.org/wiki/Facebook,_Inc._v._Power_Ventur...](https://en.wikipedia.org/wiki/Facebook,_Inc._v._Power_Ventures,_Inc).

In that case Facebook asserted that it was a copyright violation when Power
Ventures copied data to it's servers, parsed out the pieces they cared about
(for contact aggregation), and dropping the rest. The court agreed, ruling
that making even a temporary copy in computer memory was indeed a copy.

This appears to be another part of that same case, this piece dealing with the
promotional campaign Power Ventures ran. These two have a long history of
litigation.

------
__b__
What if Zuckerberg had received a cease and desist letter when he was
accessing computers without authorization at Harvard?

Before any student willingly sent him personal information, he had to
exfiltrate such information i.e. photos of other students so other students
would be compelled to look at websites he created using said photos.

He did eventually receive a cease and desist letter, and he ignored it. But of
course it was not from the people charged with protecting students' personal
information nor the students themselves. You know the story.

As with Google, under today's culture it's acceptable for Facebook to
aggressively collect personal information in bulk and pay little attention to
obtaining permissions, but it is not acceptable for anyone to attempt to
collect information in bulk from Google or Facebook. This make no sense to me,
but I gues I am just obtuse.

Maybe what Kerr is wondering is when the necessity of sending costly snail
mail cease and desist letters will give way to some less expensive digital
form of notice. When that happens, the _threat_ of the CFAA can be used on a
mass scale. Perhaps then we would see it in every Terms of Service. Maybe we
could create a new HTTP response code: HTTP/1.1 606 CFAA Notice.

------
cm3
How would you know that the link was requested deliberately by a user and not
by JavaScript or some other autonomous network client? You cannot, unless
there's a tamper-proof and indisputable (aka we know how to interpret brain
waves) 24/7 audit log of a person's brain activities. Clients prefetching
resources or even looking up DNS is fully automatic and already happens today.
If this becomes law, a random website need only insert URLs on an otherwise
innocuous page, for someone to get into trouble.

~~~
CPLX
This is the kind of logic that programmer types often apply erroneously to the
legal system.

The answer to your question of how one would determine is the same as it
generally is: humans would examine the available admissible information and
draw a conclusion based on the preponderance of the evidence.

A huge difference between the two rules-based systems is that the legal system
contains judges and juries, who routinely can and do just jump into the middle
of a situation such as you describe and declare that's not what the rules
meant.

Which seems like a good context with which to view this case. Many here are
saying "well in this case it was deliberate but what if..." while others point
out that noting the actions of the defendant as deliberate and purposeful is
not an observation that's exogenous to the system.

~~~
teach
In response to common programmer thinking like this I like to make my students
read "What colour are your bits?"[0].

[0] [http://ansuz.sooke.bc.ca/entry/23](http://ansuz.sooke.bc.ca/entry/23)

------
morekozhambu
Does this apply to google bots and other spiders/crawlers?

~~~
Animats
It would if you sent Google a cease and desist notice. But Google seems to
obey "robots.txt", so you usually don't have to.

~~~
steve19
1\. register lots of domains

2\. send Google cryptic cease and desist for each domain

3\. wait for Google to accidently violate cease and desist

4\. profit

What can possibly go wrong?

~~~
argonaut
The judge, _a human who possesses common sense_ , sees you've registered lots
of domains and spammed C&D letters to Google, calls you out on your BS, and
orders you to pay Google's legal fees?

~~~
kuschku
So, find a Judge in east texas?

~~~
argonaut
Wrong issue. That's for patent lawsuits.

~~~
kuschku
Well, it was more in jest, but the argument I wanted to make was that there
will be a judge allowing that.

Remember Scientology's SeaOrg suing thousands of IRS employees and the IRS?
Those weren't thrown out either.

~~~
ceejayoz
> the argument I wanted to make was that there will be a judge allowing that.

This argument only works if the system doesn't have the ability to appeal.

------
chatmasta
I wonder if the ruling would be different if Power had done the scraping
client-side instead of using its servers. For example, if they had distributed
a tweaked Facebook app for jailbroken devices that allowed users to "log into"
Facebook and scrape data using their own device and Internet connection.

Or, more simply, a third party app that users install on their phone and calls
the "private" Facebook API directly.

Would the same arguments hold?

~~~
cs2818
I have the same question. In this case Facebook was able to identify Power
acting on behalf of users because requests came from a common set of IP
addresses.

If Power had instead provided users with software to run from their own
devices would that change anything?

In both situations this is user authorized behavior and the ability of
Facebook to identify an involved service as assisting users should be
irrelevant.

------
ChicagoBoy11
Could this insane logic be applied in reverse? Suppose I just announce that I
don't allow Facebook to "invade" my computer and to track me while I visit
websites (FB now does this even with logged off users). Could I then sue FB
when those scripts appear inside of pages I visit?

------
seesomesense
The article badly misunderstands the court's ruling

------
Zigurd
I'm usually very wary of slippery slopes but this a business-to-business
dispute. Based on the description, it appears that Facebook has a legitimate
beef because Power's monetization depends on using users' accounts for Power's
gain, and not simply to provide a useful tool for Facebook users. Facebook has
a reasonable case that Power was underhanded. Building contact management
tools that spam your contacts is, sadly, a pretty common dark pattern and
Facebook should want to prevent that happening to Facebook users.

------
fapjacks
So then am I able to put an alert() on my page demanding that all law
enforcement personnel _not_ visit my site? And is this now enforceable? What
about if I demand that black people not visit my page?

In my mind, it's a distant cousin of Sony telling people they can't mess with
their Playstations even though they bought them. This puts _so_ much power
into the hands of the site owner. And it's for a _criminal offense_!

~~~
SolarNet
This case is civil, so I believe that Law Enforcement would have some sort of
indemnity. As for discrimination, I believe certain civil rights laws prevent
U.S. businesses from enforcing a suite like that.

------
gm-conspiracy
Can somebody please clarify, Facebook initiated a civil suit base on the CFAA
violation, after the cease-and-desists?

 _Facebook then sued, claiming that Power’s conduct violated the CFAA_

So, was there a government initiated prosecution for this criminal violation?

How can you use CFAA violations in civil court without a criminal conviction
of the violation?

By using preponderance of evidence in lieu of reasonable doubt seems troubling
for a criminal violation, or is this not the situation?

~~~
dragonwriter
> So, was there a government initiated prosecution for this criminal
> violation?

There was no alleged criminal violation. CFAA provides both civil and criminal
causes of action; the interpretation that this sets a standard for criminal
law is not that this was a criminal violation, but that the requirement which
was being applied applies both to civil and criminal CFAA provisions.

> How can you use CFAA violations in civil court without a criminal conviction
> of the violation?

You can do so because the CFAA explicitly creates a civil cause of action not
dependent on a criminal conviction,

> By using preponderance of evidence in lieu of reasonable doubt seems
> troubling for a criminal violation, or is this not the situation?

There is (in general) no "criminal violation" involved in a civil CFAA action.

~~~
gm-conspiracy
Thank you for the clarification.

I was not aware CFAA provided civil causes of action.

 _but that the requirement which was being applied applies both to civil and
criminal CFAA provisions_

Since it applies to both, the burden of proof in a criminal proceeding, would
still be higher, no?

~~~
dragonwriter
> Since it applies to both, the burden of proof in a criminal proceeding,
> would still be higher, no?

Yes, even where the same fact question applies to establish criminal liability
as exists to establish civil liability, in a criminal case the prosecution
will be obliged to prove the fact beyond a reasonable doubt, while in a civil
action it will only need to be proved by a preponderance of the evidence.

------
sriku
If I understood the ruling right, then I send FB a "cease and desist" letter
prohibiting FB from accessing _my_ computers, et voilà, all carte blanche
privacy violations by FB will go poof because they would be committing a
federal crime if they so much as showed their icon in another website I visit?

~~~
dragonwriter
> If I understood the ruling right

You don't understand the ruling right. Or, possibly, you don't understand how
the web works right -- Facebook doesn't actively reach out to your computer to
show an icon, your computer sends a request to Facebook for the icon.

------
OJFord

        > when it continued to access Facebook’s computers
    

Isn't this the crux of the problem? Viewing it as "accessing" a company's
"computer", rather than making use of a service in any truer "analogue world"
manner?

------
tmaly
Regardless of how you feel about the opinion. The one thing that stood out for
me was the walled garden. If you really want more and more of these cases to
happen, keep using these giant walled gardens like Facebook.

------
mankash666
Disappointing! Especially since the data in question is technically the
ownership of the individual (regardless of what Facebook and it's BS lawyer-
speak makes you believe).

------
lisper
Previous submission 11 days ago:

[https://news.ycombinator.com/item?id=12089068](https://news.ycombinator.com/item?id=12089068)

------
ReFruity
I misread the title as "It's a crime NOT to visit a website after being told
not to visit it" at first and it made a lot more sense that way.

------
pasbesoin
So, I suggest a few prominent web presences communicate to the judge and
prosecution that they are no longer welcome at those sites.

------
Aelinsaar
...This is why we have a SCOTUS.

~~~
ceejayoz
SCOTUS are just as capable of bad decisions as other federal judges. They're
not magical, and we get stuff like Citizens United and Dred Scott.

~~~
dragonwriter
> They're not magical, and we get stuff like Citizens United and Dred Scott.

Leaving aside CU right now, I'm less convinced that Dred Scott was a bad
judicial decision than I am that it reflected the fundamentally irreconcilably
bad state of the Constitutional order when you have entities that, depending
on which subordinate jurisdictions law applies to them, may be either chattel
or persons with all the rights and privileges attendant thereto.

As much as the founders tried to make it work to cover up the deep divisions
that existed in the early US, the basic structure of government set up under
the Constitution just doesn't work well when the basic definition of "what is
a person vs. what is property" isn't consistent across the states.

That's not to say that there isn't an argument that Dred Scott was wrongly
decided, just that the usual argument (which focuses on the immorality, from a
modern viewpoint, of the result) sort of ignores the fact that _any_ system in
which slavery is part of the law will _necessarily_ produce results abhorrent
to modern morality.

~~~
jcranmer
The problem with Dred Scott wasn't the ruling that SCOTUS was asked to rule
on, namely, what the status of a slave was when an owner moved from a slave
state to a free state. That aspect of the decision is fairly defensible under
the given law (basically, you can argue that automatically emancipating the
slave equated to an illegal, uncompensated taking of property). Odious, but
defensible.

The problem of Dred Scott was that SCOTUS basically went on to argue that
blacks, even freed slaves, weren't citizens and could never be citizens, and
also argued that slavery could not be banned in any manner whatsoever by any
level of government. It was a pretty naked attempt to tell the abolitionists
"Slavery exists, and there's nothing you can do about it. Deal with it."

------
csydas
I'm not convinced that the article is entirely on point with the reading of
the case. From the summary, Power Ventures, Inc (Powers) wasn't just visiting
Facebook, they were interacting and removing userdata via a method that was
not through the Facebook Connect program at the time:

>"Facebook has tried to limit and control access to its website. A non-
Facebook user generally may not use the website to send messages, post
photographs, or otherwise contact Facebook users through their profiles.
Instead, Facebook requires third-party developers or websites that wish to
contact its users through its site to enroll in a program called Facebook
Connect."

[...]

>"In many instances, Power caused a message to be transmitted to the user’s
friends within the Facebook system. In other instances, depending on a
Facebook user’s settings, Facebook generated an e-mail message. If, for
example, a Power user shared the promotion through an event, Facebook
generated an e-mail message to an external e-mail account from the user to
friends. The e-mail message gave the name and time of the event, listed Power
as the host, and stated that the Power user was inviting the recipient to this
event. The external e-mails were form e-mails, generated each time that a
Facebook user invited others to an event. The “from” line in the e-mail stated
that the message came from Facebook; the body was signed, “The Facebook Team.”

>"On December 1, 2008, Facebook first became aware of Power’s promotional
campaign and, on that same date, Facebook sent a “cease and desist” letter to
Power instructing Power to terminate its activities. Facebook tried to get
Power to sign its Developer Terms of Use Agreement and enroll in Facebook
Connect; Power resisted. " [1]

It's not made clear from the summary exactly what technical means Powers was
using, but it seems like they were using functionality intended to be only
available to developers via the Connect program and through access of the API
through some other means.

That is, the access that is being described by the judge isn't just visiting a
page, it's doing things like sending messages or photos or creating events as
the user.

I don't really use Facebook and most definitely have not read the ToS for
either developers or users, but it seems to me like the contention is that
Powers was performing actions that should have been done through the Facebook
Connect platform, not via the links they made on their page to have users
post, and the users likely are not permitted within the TOS to grant someone
developer access like this.

I'm not able to comment intelligently on how that should be handled, but I
think that this is very different from the author's position of "it is a crime
to visit a website you're not told to". Powers was very clearly not just
visiting, they were interacting with data and exfiltraing data. Facebook said
"as a dev, you need to access this data this way", Facebook blocked their
method, and Powers circumvented these blocks. That is the contention, not that
Powers "visited".

The rest I will leave for more intelligent people to argue.

[1] -
[https://cdn.ca9.uscourts.gov/datastore/opinions/2016/07/12/1...](https://cdn.ca9.uscourts.gov/datastore/opinions/2016/07/12/13-17102.pdf)

~~~
Dylan16807
What about where it says "Facebook explicitly revoked authorization for _any_
access"? Doesn't that imply that the exact actions they made don't matter?

~~~
csydas
That phrase doesn't actually appear in the summary, and not sure what was
actually in the C&D since it was not linked (and I haven't bothered to look
for it).

My point was more that the Author did not really give a clear picture of what
Powers was doing, which grants a bit more insight as to why FB even started
the suit. I'm not sure that the summary or the article are very clear on what
was forbidden and are using some lay person terms. (e.g., while the machines
being accessed when you get at facebook are computers, we'd likely use a more
precise term, like server, page, API, platform, etc.)

The summary misses a few key elements to make sense to us by and large, and
the use of lay person teminology is causing confusion, and the article
exacerbates this.

------
tomohawk
Just stop using Facebook

------
lasermike026
goto supremeCourt;

