• by Wendy Davis , Staff Writer @wendyndavis, December 9, 2016

A federal appellate court is standing by its ruling that defunct aggregation service Power Ventures violated a federal hacking law by "scraping" Facebook's site.

The 9th Circuit Court of Appeals today rejected a request by digital rights groups, including the ACLU and Electronic Frontier Foundation, for a new hearing in the long-running dispute. Those organizations argued that the decision could have far-reaching consequences -- including the prosecution of users for violating sites' terms of service.

The battle dates to 2008, when Facebook and Power Ventures became embroiled in litigation. Power aggregated data from a variety of social networking services, enabling people with accounts through MySpace, LinkedIn, Twitter and other services to access all of their information from one portal. To accomplish this, Power asked users to provide log-in information for their social networking sites and then imported people's information.

In late 2008, Facebook sent a letter to Power demanding that it cease and desist accessing the site. Power allegedly refused to comply with Facebook's demand. Instead, the company allegedly continued to draw on the passwords that users had provided in order to access their information.

A three-judge panel of the appeals court ruled in July that Power violated the Computer Fraud and Abuse Act by continuing to access Facebook after receiving the cease-and-desist letter. That law, which provides for private lawsuits as well as criminal penalties, prohibits anyone from accessing computers without authorization.

The judges wrote that violating a Web site's terms service wasn't enough in itself to also violate the anti-fraud law. But advocates argued that the opinion still created uncertainty about the law.

Power asked the 9th Circuit to reconsider that ruling; the EFF and ACLU backed the request. The rights groups argued that Power never "broke into" Facebook's computers, because users voluntarily gave their passwords to Power. The groups also warned that the decision was so broad that it could lead to prosecution of people based on a broad range of common activities.

"Suppose a bank website creates a pop-up notice warning that only credentialed users, not family members, are allowed to access the bank’s computer system. Has the person who nonetheless continues to log in with her spouse’s legitimate credentials to pay a bill, at the spouse’s behest, been given 'notice' that her access is 'without authorization' under the CFAA?," the digital rights groups asked. "What about logging into an airline account to print a boarding pass, or paying a bill directly on a utility or credit card website, on behalf of another person?"

It's not yet known whether Power will ask the Supreme Court to review the decision.