Facebook v. Power Ventures

Facebook filed eight legal complaints in United States federal court against Power Ventures, operators of the social aggregator Power.com (story via NYT Bits blog). Facebook claims Power collected Facebook usernames and passwords, stored Facebook data on its own servers, used the Facebook trademark without a license, sent e-mails posing as Facebook, and knowingly circumvented Facebook’s attempts to block access. The lawsuit, filed on December 30th in San Jose, comes one month after Facebook first contacted Power.com about the violation and attempted to transition Power to an acceptable method of access: Facebook Connect.

Power.com is headquartered in Rio de Janeiro, Brazil with additional offices in San Francisco and Hyderabad, India. Power raised $8 million from Draper Fisher Jurvetson, DFJ affiliate FIR Capital, Esther Dyson, and other investors. Facebook is seeking triple damages for willful violation including all revenue generated by Power.com in the month of December. Facebook may be able to claim $10,000 for each Facebook account accessed by Power under California Penal Code section 502 due to repeat violations.

  1. The password anti-pattern
  2. Social data distribution
  3. Dispute timeline
  4. Tips for business partnerships
  5. Summary

The password anti-pattern

Collecting Facebook usernames and passwords is at the heart of the dispute. Power.com impersonates a Facebook user after collecting their username and password. The site imports friends lists from Facebook and other social providers to create a meta profile for its over-networked members trying to keep their many personas in sync. Facebook Connect, announced in May and available for beta testing shortly after, provides account linking between Facebook and other sites, SSL transport, and friend imports. Facebook Connect limits the flow of Facebook user data in ways a direct login does not. Power.com took on the full powers of a Facebook user, acting as a remote agent armed with the member’s credentials rather than as an authorized proxy with delegated, limited access, in order to accomplish its own goals, and violated Facebook’s terms of service in the process.
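To make the distinction concrete, here is an added example (not code from the original post, nor from Facebook or Power.com) of a toy social site that offers both access models side by side: a password login that hands whoever holds the credentials an unrestricted session, and a delegated grant in which the member consents to a list of scopes and the third party receives a token it can use only within those scopes. The site, the member, the scope names and the data are all constructed for the illustration.

```python
"""Added illustration, not code from the original post, Facebook or Power.com:
a toy social site contrasting the password anti-pattern (a third party holding
a member's raw password acts with every right the member has) with a delegated,
scope-limited grant of the kind Facebook Connect and OAuth provide. The site,
member, scope names and data are all constructed."""
import hashlib
import hmac
import secrets


def _hash_password(password, salt):
    # PBKDF2 stands in for whatever a real site uses; a low count keeps the demo fast
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class Session:
    """scopes=None is the password anti-pattern: nothing is checked.
    A frozenset of scopes is a delegated grant: every call must be covered."""
    def __init__(self, site, name, app="member", scopes=None):
        self.site, self.name, self.app, self.scopes = site, name, app, scopes
    def _require(self, scope):
        if self.scopes is not None and scope not in self.scopes:
            raise PermissionError(f"{self.app} was not granted {scope}")
    def friends(self):
        self._require("friends:read")
        return list(self.site.members[self.name]["friends"])
    def messages(self):
        self._require("messages:read")
        return list(self.site.members[self.name]["messages"])
    def send_invite(self, to):
        self._require("invites:send")
        return f"invite from {self.name} to {to}"


class SocialSite:
    """Toy resource server offering both access models side by side."""
    def __init__(self):
        self.members = {}  # name -> {salt, hash, friends, messages}
        self.grants = {}   # token -> (member, app, frozenset of scopes)
    def register(self, name, password, friends, messages):
        salt = secrets.token_bytes(16)
        self.members[name] = {"salt": salt, "hash": _hash_password(password, salt),
                              "friends": list(friends), "messages": list(messages)}
    def login(self, name, password):
        """Whoever presents the password gets an unrestricted session."""
        m = self.members[name]
        if not hmac.compare_digest(_hash_password(password, m["salt"]), m["hash"]):
            raise PermissionError("bad credentials")
        return Session(self, name)
    def authorize(self, name, password, app, scopes):
        """The member authenticates to the site itself and consents to a scope
        list; the app receives a token and never sees the password."""
        self.login(name, password)
        token = secrets.token_urlsafe(24)
        self.grants[token] = (name, app, frozenset(scopes))
        return token
    def revoke_app(self, name, app):
        """The member withdraws one app's access without changing the password."""
        for token, (n, a, _) in list(self.grants.items()):
            if (n, a) == (name, app):
                del self.grants[token]
    def delegated(self, token):
        if token not in self.grants:
            raise PermissionError("token unknown or revoked")
        name, app, scopes = self.grants[token]
        return Session(self, name, app, scopes)


def _attempt(fn):
    try:
        fn()
        return "allowed"
    except PermissionError:
        return "denied"


def demo():
    """Put an aggregator through both models; returns the outcome of each attempt."""
    site = SocialSite()
    site.register("alice", "correct horse", ["bob", "carol"], ["hi from bob"])
    by_password = site.login("alice", "correct horse")
    token = site.authorize("alice", "correct horse", "aggregator", ["friends:read"])
    by_token = site.delegated(token)
    result = {
        "password:messages": _attempt(by_password.messages),
        "password:invite": _attempt(lambda: by_password.send_invite("dave")),
        "token:friends": _attempt(by_token.friends),
        "token:messages": _attempt(by_token.messages),
        "token:invite": _attempt(lambda: by_token.send_invite("dave")),
    }
    site.revoke_app("alice", "aggregator")
    result["token:after_revoke"] = _attempt(lambda: site.delegated(token))
    # a party that still holds the raw password is untouched by the revocation
    result["password:after_revoke"] = _attempt(lambda: site.login("alice", "correct horse"))
    return result
```

Running `demo()` shows the asymmetry the post is pointing at: the password session reads private messages and sends invites without any check, while the token session can read friends and nothing else, and the member can cut the aggregator off by revoking the grant. The last line of the demo is the caveat: revocation does nothing against a party that still holds the raw password, which is why the only real remedy once a password has been handed out is to change it.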

I covered some of these data portability issues and best practices in my Data Portability, Authentication, and Authorization post last year.

Social data distribution

[T]he sole end for which mankind are warranted, individually or collectively, in interfering with the liberty of action of any of their number, is self-protection. That the only purpose for which power can be rightfully exercised over any member of a civilized community, against his will, is to prevent harm to others. His own good, either physical or moral, is not a sufficient warrant…In the part which merely concerns himself, his independence is, of right, absolute. Over himself, over his own body and mind, the individual is sovereign.

John Stuart Mill, On Liberty

Modern society mostly allows people to harm themselves as long as that action does not also harm others. Facebook restricts access to another person’s member data beyond the original intent of that person’s sharing. A new use of the data must explicitly receive permission before shared data travels beyond the walls of Facebook.com (you may invite me into this new context, but I am not automatically imported). Data is shared within a friend context on Facebook with the understanding that such information is protected and may be limited to a group of approved friends. Once that friend data starts propagating outside its initial use (whether by a Facebook member or by Facebook itself) the trust associated with sharing it is violated. If you have ever thought twice about posting an e-mail address on a web page out of fear of automated data harvesters, you have experienced the difference between communicating with a known community of site visitors and other uses of the same data. Facebook wants to be an identity hub of real data about real people and takes certain steps to protect that data exchange.

Power.com knowingly violated the Facebook Terms of Service and encouraged Facebook members to do the same.

Dispute timeline

Power.com launched to a United States audience on December 1, 2008. The site previously focused on the Brazilian market with support for Flogão and Google-owned Orkut since launching in August. Facebook contacted Power.com on December 1, according to the lawsuit, notifying the team of their terms of service violation.

Power Ventures CEO Steven Vachani responded to the Facebook inquiry on December 12 (11 days later) promising to delete all existing Facebook data stored on Power.com servers and implement Facebook Connect as a replacement by December 26. The next business day Facebook acknowledged the e-mail and waited for confirmation of data deletion and Connect switch-over. Vachani confirmed the transition progress on December 22 (4 days before the supposed switch).

Vachani e-mailed Facebook legal counsel after the close of business on December 26 and communicated a “business decision” not to comply with Facebook’s request to stop collecting and storing Facebook logins on Power.com. Vachani claimed the site would implement Facebook Connect, but that such integration would take over 5 weeks to complete. Power.com kicked off a “launch promotion” that same day with a $100 reward for the Facebook user who invited the most friends to join Power using their Facebook credentials. Facebook implemented an IP-address block against Power.com servers on the evening of December 26 to prevent further abuse.

Power.com circumvented Facebook’s IP block and continued its marketing campaigns. Power set up a Facebook event page to promote its $100 signup give-away and used the existing Facebook accounts in its system to send event invites to friends lists.
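An address block of the kind described above is only as durable as the blocked party’s supply of addresses. As an added example (not from the original post, and using a login log constructed for the purpose), the following scans authentication records for the behaviour that distinguishes an aggregator from a member: one source authenticating as many distinct accounts inside a short window. The same detector is run twice, grouped by client IP and then by the client software identifier, to show how a block keyed on address alone sees two unrelated sources where a behavioural key sees one actor.

```python
"""Added example, not from the original post: an IP-address block like the one
Facebook placed on Power.com's servers is circumvented by moving to new
addresses, so a defender wants a signal that keys on behaviour as well as
address. Below, a login log (constructed for this example) is scanned for any
single source that authenticates as many distinct members in a short window,
first grouped by client IP and then by the client software identifier."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) login user=(?P<user>\S+) ua=(?P<ua>.+)$")


def _constructed_log():
    """Three ordinary member logins plus an aggregator that signs in as twelve
    members from two addresses; all addresses, names and agents are made up."""
    lines = [
        "2008-12-26T17:50:00Z 192.0.2.5 login user=alice ua=Mozilla/5.0 (Windows)",
        "2008-12-26T17:55:00Z 192.0.2.6 login user=bob ua=Mozilla/5.0 (Macintosh)",
        "2008-12-26T18:20:00Z 192.0.2.5 login user=alice ua=Mozilla/5.0 (Windows)",
    ]
    # one host authenticating as six different members within a minute
    for i in range(6):
        lines.append(f"2008-12-26T18:01:{i:02d}Z 203.0.113.10 login user=m{i:02d} ua=AggregatorBot/1.0")
    # same client software, new address once the first one is blocked
    for i in range(6, 12):
        lines.append(f"2008-12-26T18:06:{i:02d}Z 198.51.100.7 login user=m{i:02d} ua=AggregatorBot/1.0")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse(log):
    """Return (timestamp, ip, user, user_agent) tuples, skipping unparseable lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["ip"], m["user"], m["ua"]))
    return events


def flag_sources(events, key, window=timedelta(minutes=10), threshold=5):
    """Group events by key(ip, ua) and report every group that authenticated as
    at least `threshold` distinct members inside any sliding `window`.
    Returns {group: peak distinct members seen in one window}."""
    by_key = defaultdict(list)
    for ts, ip, user, ua in sorted(events):
        by_key[key(ip, ua)].append((ts, user))
    flagged = {}
    for group, evs in by_key.items():
        recent = deque()            # events inside the current window
        live = defaultdict(int)     # member -> logins inside the window
        for ts, user in evs:
            recent.append((ts, user))
            live[user] += 1
            while ts - recent[0][0] > window:
                old_ts, old_user = recent.popleft()
                live[old_user] -= 1
                if live[old_user] == 0:
                    del live[old_user]
            if len(live) >= threshold:
                flagged[group] = max(flagged.get(group, 0), len(live))
    return flagged


def by_ip(events):
    return flag_sources(events, key=lambda ip, ua: ip)


def by_agent(events):
    return flag_sources(events, key=lambda ip, ua: ua)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("by address:", by_ip(ev))     # two separate sources, six members each
    print("by agent:  ", by_agent(ev))  # one actor, twelve members
```

The agent string is itself a weak key, since a client controls what it sends, so in practice the grouping key is whatever the operator can observe that the client cannot cheaply vary, and the durable signal is the account side: the same set of member accounts being driven from a small and shifting set of sources. The sliding window and threshold are the tuning knobs; both are deliberately low here so the constructed log trips them.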

Facebook took legal action against Power Ventures on December 30, one business day after the Christmas holiday weekend, to prevent further abuse after civil discussions had obviously broken down. Facebook accused Power of trespassing on Facebook servers in San Jose (a modern form of ToS violation), spamming Facebook members (a CAN-SPAM violation), knowingly circumventing data protections (DMCA), and unlicensed use of the Facebook trademark.

Tips for business partnerships

Power Ventures could take proactive steps to look like a legitimate, responsible business in the eyes of potential business partners such as Facebook.

Create a meaningful WHOIS record

Power.com domain data currently lists “DiscountDomainRegistry” as a technical contact. “Power Assist Inc” is listed as a registrant and “Leigh Power” is listed as an administrative contact. Not good identity management.

Add SSL

If you are going to collect member login credentials from other sites you should at least use an SSL certificate so the credentials travel encrypted. Self-sign if you must, but $30 will buy you a certificate recognized by major browsers. If you can afford an extended validation certificate and the verification process that entails, even better.

Register your company with the partner website

Facebook allows its members to join one or more corporate networks. Register your company on Facebook and at least associate executive and developer accounts. This additional verification step helps Facebook identify your employees. Other social networks have similar verification and associations.

Power Ventures is not listed in the Facebook corporate network directory.

Summary

Power.com violated Facebook terms of service by accessing and storing Facebook member data on its servers. Facebook immediately contacted Power regarding this violation and attempted to work with the site as they transitioned to the official data API, Facebook Connect. Power reneged on their agreement hours before promised delivery and immediately launched a marketing campaign to financially reward further violations. Facebook decided enough is enough and blocked Power through technical measures followed by legal measures when the site did not comply.

I have little sympathy for Power and its actions. I hope other sites violated by Power.com such as Google, Microsoft, MySpace, and Hi5 put a stop to websites like Power harvesting user data instead of using permitted access methods such as OAuth. Locating your business in Brazil with servers in Canada and development in India does not shield companies from the consequences of abusive practices.

6 comments

Commentary on "Facebook v. Power Ventures":

  1. Jason Lefkowitz wrote:

    OK, dumb question.

    How is Power asking users for their Facebook credentials and then using them to extract user data from Facebook any different from Facebook asking users for, say, their GMail credentials and then using them to extract user data from GMail?

    That’s how Facebook’s “friend finder” works (which has probably done more to normalize the “password anti-pattern” than any other app), so I’m wondering what the distinction is, other than that Google, Yahoo et al never sued Facebook over it.

    • Avner Kashtan wrote:

      Jason: No real distinction, except that in this case Facebook have a feature that might violate GMail / Hotmail / Yahoo! Mail’s terms of use (and might not, I haven’t checked). Power.com’s entire operation depends on that violation. As Niall said, I’m all for Google / Yahoo! / Microsoft enforcing their ToS in regards to the Facebook Friend Finder in order to minimize this promiscuous password sharing.

  2. Niall Kennedy wrote:

    The Facebook Friend Finder asks for an e-mail address and password, imports the sender of every e-mail message you have ever received, and compares it against a list of known e-mail addresses in the Facebook database. Facebook also prompts users for AIM login credentials.

    They should be using the Google Contacts API for GMail users, Yahoo! Contacts API for Yahoo! Mail users, and the same Windows Live Contacts API for Windows Live Mail they use to import Windows Live Messenger accounts. They might have a POP fallback if the top mail providers and their exports are not available (e.g. schools, companies).

    Data exchange from one person to another (name @ machine) is opt-in every time and travels between multiple systems. Facebook is a single system for privacy and data sharing between defined relationships and is therefore a bit different on the self-harm vs. social harm front (in my opinion).

    Part of the problem is a lack of enforcement. If Google, Yahoo!, and Microsoft never enforce violations and violating is a shortcut to feature implementation then expect many more harvesters.

  3. Dave Alvino wrote:

    Nice post. I can see social networking — and even blogs, to a certain extent — becoming, very soon, a much bigger battleground for the types of private info concerns that have usually dominated the e-commerce sphere, due to many of the issues you bring up. The allure of synchronicity between networks across the web, however, has made this type of sharing — authorized or not — far more common (as other comments have pointed out, gmail log-ins are accepted at many a website) so it’s going to be difficult to tell what sites are authorized to extract such info and which are not. In fact, one of the few encryption technologies with any built-in indicators is Extended Validation SSL (which you mention) — in addition to the robust vetting, the site also gets the “green url bar” in most browsers (though not all — hopefully that will change soon, though). I could easily see someone using power.com, totally unaware of its harvesting nature.

    • Mario wrote:

      I could easily see someone using power.com, totally unaware of its harvesting nature. @Dave

      Exactly.
      Although it’s also beneficial to Facebook to protect its users’ data like that, it’s undoubtedly beneficial to Facebook users themselves.
      It’s no use to claim that it’s users’ data and not Facebook’s when there is still so much user education to be done in this area.
      In the end, it won’t matter the “id provider” I choose to use (Facebook or others), but, in order to enforce privacy settings across different domains, the kind of ToS Facebook applies (and that Power maliciously violates) are inevitable.

  4. Chris Messina wrote:

    More interesting is that Facebook bans its users from sharing their credentials (yeah, like anyone obeys that):

    Registration Data; Account Security
    In consideration of your use of the Site, you agree to (a) provide accurate, current and complete information about you as may be prompted by any registration forms on the Site (“Registration Data”); (b) maintain the security of your password and identification; (c) maintain and promptly update the Registration Data, and any other information you provide to Company, to keep it accurate, current and complete; and (d) be fully responsible for all use of your account and for any actions that take place using your account.