After a five-year on-and-off court battle, Facebook has won $3 million in damages from social networking integration firm Power Ventures, and its CEO Steve Vachani.
Power Ventures lured Facebook users into handing over access to their contact lists, then spammed everyone they knew with emails urging them to join their site, the now-defunct power.com, which aimed to merge content from users’ various social networks in one central system.
The mails they spammed out to over 60,000 targets had spoofed header details so they appeared to come from facebookmail.com, and claimed to come from “The Facebook Team”, in clear violation of openness requirements in the US CAN-SPAM act.
The case was initially brought in December of 2008, and has dragged on for some time. Some additional charges including copyright infringement claims brought by Facebook were dismissed in early 2011, but the spammers were found to have violated both the CAN-SPAM act and part of California’s Computer Fraud and Abuse Act (CFAA) at another stage of the case in February 2012.
Later the same year Vachani tried to dodge a fine by filing for bankruptcy, which put the case on hold. This claim fell through earlier this year; the case came live again and has finally been put to rest with Facebook the victor to the tune of $50 per spammed email.
The cash will be unlikely to make a significant difference to Facebook’s coffers, but the CFAA violation makes an interesting precedent. The defence lawyers argued that the California statute covers accessing computers without the proper authorization and causing “damage or loss”, terms which are defined specifically for the context. They claimed the defendant’s actions hadn’t caused damage or any significant loss.
Another section of the act, however, includes prohibition of merely obtaining information, with no requirement that the information is of value. Although lawyers will doubtless go on arguing the point, this could perhaps be used to cover just about any hacking case, as “obtaining information” could include simply catching sight of something you shouldn’t have access to, let alone copying or downloading any “tangible” data.
Of course, this is only a California law, but as so many internet firms are based or do business there the local laws have some serious weight. Full details of the case can be found in the court documents covering all the proceedings.
The case highlights the problem of the huge amounts of data that social networking sites hold on their members and the complexity of who can do what with that information. Facebook itself is frequently criticised for iffy privacy rules and making inappropriate use of user data.
A study released a few weeks ago found that social networks are rife with spamming and general nastiness, with Facebook one of the most badly hit.
The report from social media brand protection firm Nexgate claims that 5% of all social media apps are “spammy”, that Facebook and YouTube see 100 times as much spam as other social systems, and that Facebook is hit by 4 times the number of phishing attacks seen elsewhere.
Overall, 1 in every 200 messages sent over social networks contains spam, and, of those, 15% contain URLs linking to other spammy content, porn or malware, according to the study.
With all this spamming going on, there’s clearly a burden of effort on everyone involved to minimise the harm it does.
Users need to make sure they’re cautious with their accounts, not deliberately granting access to their details and contact lists to third-party firms like Power Ventures.
They also need to be wary of the messages being spammed out, ignoring too-good-to-be-true offers and avoiding handing over the cash or personal details that makes spamming worthwhile.
Social networking firms need to ensure their rules are well-designed and firmly policed, covering their own use of information as well as how other firms may try to abuse it. They also need to make sure devious apps and scams can’t trick users into granting access to their information unintentionally.