That's not Facebook's argument. Their argument is that a contract exists with their user. In that contract, the user agreed not to use 'automated' means of access.
Then, when the user has Power perform automated access, Facebook claims that a criminal law violation has occurred, because that's unauthorized access under their terms. They want that to be treated just like other California Penal Code unauthorized access -- access like exploiting a bug or stealing someone's password to view or change info never intended for you.
EFF says only a contractual violation has occurred; violating some arbitrary company-chosen 'terms of use' shouldn't be enough to trigger criminal enforcement.
It's an interesting and difficult distinction. So many of these systems and terms are defined by the arbitrary choices of coders and lawyers. At one level of abstraction, it's against the will of the system provider -- Facebook -- so it could be seen like a break-in.
But at another level, it's just a contract, and Facebook has other contract-enforcement options short of criminal prosecution: cancel the account, sue for actual damages, and so forth. If Facebook can define what's a 'crime' via arbitrary clickthrough terms, suddenly users and Power staff could wind up in jail for a terms-of-use violation that had no other economic damages.
"They want that to be treated just like other California Penal Code unauthorized access -- access like exploiting a bug or stealing someone's password to view or change info never intended for you."
Things have been stark raving mad since the Digital Millenium craziness act. Just like the software patent scene has been starkers since Amazon One-Click.
In most jurisdictions, I think in even when a sign like that's posted, you do at least have to ask the offender to leave before you can call the cops. If they walk into your restaurant without a shirt, you ask them to leave, and they refuse, then they're guilty of trespassing. But if they do leave when asked, you can't go ahead and press charges.
I believe an exception is if you've posted "NO TRESPASSING" signs, making it clear that it's private property to which all entry is prohibited. But if you've invited the general public in subject to conditions, and someone violates a condition, they haven't yet committed a crime, unless they also refuse to leave when you try to eject them.
In Facebook's case, I'd say they've invited the general public to use their service, subject to some conditions, and so no law should be involved unless they've specifically asked the person involved to stop using their service and the person continues anyway.
You will not collect users' content or information, or otherwise access Facebook, using automated means (such as harvesting bots, robots, spiders, or scrapers) without our permission.
So Facebook can give permission, and clearly have given permission via some interfaces.
If Power could have done everything they wanted to do via the official developer APIs, no doubt the case would be different.
Power continued even after Facebook asked them to stop (and further tried to block Power's IPs) -- so at least some of the access occurred when permission, if any, was clearly not given.
But is that a crime? Or a contractual violation or tort?
The idea is that there is "unauthorized access" to Facebook's computers, that is, the user accessed Facebook's systems in some way that Facebook didn't like. Facebook wants absolute jurisdiction over who and what can see information stored on their servers and they want the civil justice system to enforce this will on their behalf after-the-fact.
Under Facebook's claims, people could get arrested for something as small as using a browser or operating system that Facebook didn't like. If this idea is accepted, then Facebook can pretty much say anything and if you violate that thing and then access Facebook, Facebook would seek criminal penalties for your violation. For instance, if Facebook says "no person that doesn't own a pair of Nikes can access Facebook, under our new Nike sponsorship deal", and someone who doesn't own Nikes still accesses Facebook, Facebook would consider this "unauthorized access" and get mad. Or, if Facebook decides it doesn't like born in Florida, and they write "No one born in Florida may access Facebook", and you still access Facebook after being born in Florida, Facebook will try to get the police to come and arrest you.
Open Graph API is not unauthorized access because Facebook allows people to use it.
Under Facebook's claims, people could get arrested for something as small as using a browser or operating system that Facebook didn't like.
Under Facebook's terms, you could retrieve some Facebook pages from your cache, write a parser to parse your data and use it to harvest your data to a CSV file, and even this would be a violation.
Then, when the user has Power perform automated access, Facebook claims that a criminal law violation has occurred, because that's unauthorized access under their terms. They want that to be treated just like other California Penal Code unauthorized access -- access like exploiting a bug or stealing someone's password to view or change info never intended for you.
EFF says only a contractual violation has occurred; violating some arbitrary company-chosen 'terms of use' shouldn't be enough to trigger criminal enforcement.
It's an interesting and difficult distinction. So many of these systems and terms are defined by the arbitrary choices of coders and lawyers. At one level of abstraction, it's against the will of the system provider -- Facebook -- so it could be seen like a break-in.
But at another level, it's just a contract, and Facebook has other contract-enforcement options short of criminal prosecution: cancel the account, sue for actual damages, and so forth. If Facebook can define what's a 'crime' via arbitrary clickthrough terms, suddenly users and Power staff could wind up in jail for a terms-of-use violation that had no other economic damages.
So the issues are tricky, but important.