Facebook, Inc. v. Power Ventures, Inc. , 828 F.3d 1068 ( 2016 )


Menu:
  •                 FOR PUBLICATION
    UNITED STATES COURT OF APPEALS
    FOR THE NINTH CIRCUIT
    FACEBOOK, INC., a Delaware           No. 13-17102
    corporation,
    Plaintiff-Appellee,        D.C. No.
    5:08-cv-05780-LHK
    v.
    POWER VENTURES, INC., DBA
    Power.com, a California
    corporation; POWER VENTURES,
    INC., a Cayman Island
    corporation,
    Defendants,
    and
    STEVEN SURAJ VACHANI, an
    individual,
    Defendant-Appellant.
    2               FACEBOOK V. VACHANI
    FACEBOOK, INC., a Delaware                No. 13-17154
    corporation,
    Plaintiff-Appellee,          D.C. No.
    5:08-cv-05780-LHK
    v.
    POWER VENTURES, INC., DBA                  OPINION
    Power.com, a California
    corporation,
    Defendant,
    and
    POWER VENTURES, INC., a
    Cayman Island corporation; and
    Steven Suraj Vachani, an
    individual,
    Defendants Appellants.
    Appeals from the United States District Court
    for the Northern District of California
    Lucy H. Koh, District Judge, Presiding
    Argued and Submitted December 9, 2015
    San Francisco, California
    Filed July 12, 2016
    Before: Susan P. Graber, Kim McLane Wardlaw,
    and Mary H. Murguia, Circuit Judges.
    Opinion by Judge Graber
    FACEBOOK V. VACHANI                              3
    SUMMARY*
    CAN-SPAM Act / Computer Fraud
    The panel affirmed in part and reversed and vacated in
    part the district court’s summary judgment in favor of
    Facebook, Inc., on its claims against Power Ventures, Inc., a
    social networking company that accessed Facebook users’
    data and initiated form e-mails and other electronic messages
    promoting its website.
    Reversing in part, the panel held that Power’s actions did
    not violate the Controlling the Assault of Non-Solicited
    Pornography and Marketing Act of 2003, or CAN-SPAM
    Act, which grants a private right of action for a provider of
    Internet access service adversely affected by the transmission,
    to a protected computer, of a message that contains, or is
    accompanied by, header information that is materially false
    or materially misleading. The panel held that here, the
    transmitted messages were not materially misleading.
    Reversing in part and affirming in part, the panel held that
    Power violated the Computer Fraud and Abuse Act of 1986,
    or CFAA, which prohibits acts of computer trespass by those
    who are not authorized users or who exceed authorized use,
    and California Penal Code § 502, but only after it received a
    cease and desist letter from Facebook and nonetheless
    continued to access Facebook’s computers without
    permission. With regard to authorization, the panel stated that
    a defendant can run afoul of the CFAA when he or she has no
    *
    This summary constitutes no part of the opinion of the court. It has
    been prepared by court staff for the convenience of the reader.
    4                  FACEBOOK V. VACHANI
    permission to access a computer or when such permission has
    been revoked explicitly. Once permission has been revoked,
    technological gamesmanship or the enlisting of a third party
    to aid in access will not excuse liability. The panel also
    stated that a violation of the terms of use of a website,
    without more, cannot be the basis for liability under the
    CFAA.
    The panel vacated the district court’s awards of injunctive
    relief and damages and remanded for consideration of
    appropriate remedies under the CFAA and § 502.
    COUNSEL
    Amy Sommer Anderson (argued), Aroplex Law, San
    Francisco, California; Steven Vachani (argued pro se),
    Berkeley, California, for Defendants-Appellants.
    Eric A. Shumsky (argued), Orrick, Herrington & Sutcliffe
    LLP, Washington, D.C.; I. Neel Chatterjee, Monte Cooper,
    Brian P. Goldman, and Robert L. Uriarte, Orrick, Herrington
    & Sutcliffe LLP, Menlo Park, California, for Plaintiff-
    Appellee.
    Jamie L. Williams (argued), Hanni M. Fakhoury, and Cindy
    A. Cohn, Electronic Frontier Foundation, San Francisco,
    California, as and for Amicus Curiae.
    FACEBOOK V. VACHANI                     5
    OPINION
    GRABER, Circuit Judge:
    One social networking company, Facebook, Inc., has sued
    another, Power Ventures, Inc., over a promotional campaign.
    Power accessed Facebook users’ data and initiated form e-
    mails and other electronic messages promoting its website.
    Initially, Power had implied permission from Facebook. But
    Facebook sent Power a cease and desist letter and blocked
    Power’s IP address; nevertheless Power continued its
    campaign. Facebook alleges that Power’s actions violated the
    Controlling the Assault of Non-Solicited Pornography and
    Marketing Act of 2003 (“CAN-SPAM”), the Computer Fraud
    and Abuse Act of 1986 (“CFAA”), and California Penal Code
    section 502. We hold that Power did not violate the CAN-
    SPAM Act because the transmitted messages were not
    materially misleading. We also hold that Power violated the
    CFAA and California Penal Code section 502 only after it
    received Facebook’s cease and desist letter and nonetheless
    continued to access Facebook’s computers without
    permission. Accordingly, we affirm in part, reverse in part,
    and remand to the district court.
    BACKGROUND
    Defendant Power Ventures, a corporation founded and
    directed by CEO Steven Vachani, who also is a defendant
    here, operated a social networking website, Power.com. The
    concept was simple. Individuals who already used other
    social networking websites could log on to Power.com and
    create an account. Power.com would then aggregate the
    user’s social networking information. The individual, a
    “Power user,” could see all contacts from many social
    6                  FACEBOOK V. VACHANI
    networking sites on a single page. The Power user thus could
    keep track of a variety of social networking friends through
    a single program and could click through the central Power
    website to individual social networking sites. By 2008, the
    website had attracted a growing following.
    Plaintiff Facebook also operates a social networking
    website, Facebook.com. Facebook users, who numbered
    more than 130 million during Power’s promotional campaign,
    can create a personal profile—a web page within the
    site—and can connect with other users. Facebook requires
    each user to register before accessing the website and requires
    that each user assent to its terms of use. Once registered, a
    Facebook user can create and customize her profile by adding
    personal information, photographs, or other content. A user
    can establish connections with other Facebook users by
    “friending” them; the connected users are thus called
    “friends.”
    Facebook has tried to limit and control access to its
    website. A non-Facebook user generally may not use the
    website to send messages, post photographs, or otherwise
    contact Facebook users through their profiles. Instead,
    Facebook requires third-party developers or websites that
    wish to contact its users through its site to enroll in a program
    called Facebook Connect. It requires these third parties to
    register with Facebook and to agree to an additional
    Developer Terms of Use Agreement.
    In December 2008, Power began a promotional campaign
    to attract more traffic to its website; it hoped that Facebook
    users would join its site. Power placed an icon on its website
    with a promotional message that read: “First 100 people who
    bring 100 new friends to Power.com win $100.” The icon
    FACEBOOK V. VACHANI                        7
    included various options for how a user could share Power
    with others. The user could “Share with friends through my
    photos,” “Share with friends through events,” or “Share with
    friends through status.” A button on the icon included the
    words “Yes, I do!” If a user clicked the “Yes, I do!” button,
    Power would create an event, photo, or status on the user’s
    Facebook profile.
    In many instances, Power caused a message to be
    transmitted to the user’s friends within the Facebook system.
    In other instances, depending on a Facebook user’s settings,
    Facebook generated an e-mail message. If, for example, a
    Power user shared the promotion through an event, Facebook
    generated an e-mail message to an external e-mail account
    from the user to friends. The e-mail message gave the name
    and time of the event, listed Power as the host, and stated that
    the Power user was inviting the recipient to this event. The
    external e-mails were form e-mails, generated each time that
    a Facebook user invited others to an event. The “from” line
    in the e-mail stated that the message came from Facebook;
    the body was signed, “The Facebook Team.”
    On December 1, 2008, Facebook first became aware of
    Power’s promotional campaign and, on that same date,
    Facebook sent a “cease and desist” letter to Power instructing
    Power to terminate its activities. Facebook tried to get Power
    to sign its Developer Terms of Use Agreement and enroll in
    Facebook Connect; Power resisted. Facebook instituted an
    Internet Protocol (“IP”) block in an effort to prevent Power
    from accessing the Facebook website from Power’s IP
    address. Power responded by switching IP addresses to
    circumvent the Facebook block. Through this period, Power
    continued its promotion even though it acknowledged that it
    8                  FACEBOOK V. VACHANI
    took, copied, or made use of data from Facebook.com without
    Facebook’s permission.
    Power’s campaign lasted less than two months. On
    December 20, 2008, Facebook filed this action. Toward the
    end of January 2009, Power ended its campaign. In April
    2011, Power ceased doing business altogether. In total, more
    than 60,000 external e-mails promoting Power were sent
    through the Facebook system. An unknown number of
    internal Facebook messages were also transmitted.
    In this action, Facebook alleged violations of the CFAA,
    the CAN-SPAM Act, and California Penal Code section 502
    and moved for summary judgment. The district court granted
    summary judgment to Facebook on all three claims. The
    district court awarded statutory damages of $3,031,350,
    compensatory damages, and permanent injunctive relief, and
    it held that Vachani was personally liable for Power’s actions.
    Discovery disputes persisted after the judgment; a magistrate
    judge ordered Power to pay $39,796.73 in costs and fees for
    a renewed Federal Civil Procedure Rule 30(b)(6) deposition.
    Power filed a motion for reconsideration, which the district
    court denied. Defendants timely appeal both the judgment
    and the discovery sanctions.
    STANDARD OF REVIEW
    We review de novo a grant of summary judgment.
    Johnson v. Poway Unified Sch. Dist., 
    658 F.3d 954
    , 960 (9th
    Cir. 2011). We may affirm the judgment on any ground
    supported by the record and presented to the district court.
    Venetian Casino Resort L.L.C. v. Local Joint Exec. Bd.,
    
    257 F.3d 937
    , 941 (9th Cir. 2001).
    FACEBOOK V. VACHANI                       9
    DISCUSSION
    A. CAN-SPAM Act
    The CAN-SPAM Act grants a private right of action for
    a “provider of Internet access service adversely affected by a
    violation of section 7704(a)(1) of this title.” 15 U.S.C.
    § 7706(g)(1). In relevant part, § 7704(a)(1) makes it unlawful
    for “any person to initiate the transmission, to a protected
    computer, of a commercial electronic mail message, or a
    transactional or relationship message, that contains, or is
    accompanied by, header information that is materially false
    or materially misleading.”
    The CAN-SPAM Act “does not ban spam outright, but
    rather provides a code of conduct to regulate commercial e-
    mail messaging practices.” Gordon v. Virtumundo, Inc.,
    
    575 F.3d 1040
    , 1047–48 (9th Cir. 2009). To prove a violation
    of the statute, Facebook cannot simply identify excessive
    electronic messages. Rather, assuming all facts in favor of
    the non-moving party, the offending messages must be
    “materially false” or “materially misleading.” 15 U.S.C.
    § 7704(a)(1).
    The statute provides that
    the term “materially,” when used with respect
    to false or misleading header information,
    includes the alteration or concealment of
    header information in a manner that would
    impair the ability of an Internet access service
    processing the message on behalf of a
    recipient, a person alleging a violation of this
    section, or a law enforcement agency to
    10                 FACEBOOK V. VACHANI
    identify, locate, or respond to a person who
    initiated the electronic mail message or to
    investigate the alleged violation, or the ability
    of a recipient of the message to respond to a
    person who initiated the electronic message.
    
    Id. § 7704(a)(6).
    A “from” line “that accurately identifies any
    person who initiated the message shall not be considered
    materially false or materially misleading.”                  
    Id. § 7704(a)(1)(B).
    And, further, “header information that is
    technically accurate but includes an originating electronic
    mail address, domain name, or Internet Protocol address the
    access to which for purposes of initiating the message was
    obtained by means of false or fraudulent pretenses or
    representations shall be considered materially misleading.”
    
    Id. § 7704(a)(1)(A).
    Here, two types of messages might rise to the level of
    “materially misleading” under the CAN-SPAM Act: external
    e-mails sent when Power caused a Facebook event to be
    created and internal Facebook messages authored by Power
    that Power users transmitted to their Facebook friends.
    We first consider the external e-mails. Facebook
    generated these e-mails whenever a Power user created a
    Facebook event, promoting Power. The “from” line of the e-
    mails identified “Facebook” as the sender. The body was
    signed “Thanks, The Facebook Team.” The header stated
    that a friend of the recipient invited her to an event entitled
    “Bring 100 friends and win 100 bucks!”
    Because the statute provides that a “from” line that
    accurately identifies a person who initiated the message is not
    misleading, it is relevant whether Facebook, identified in the
    FACEBOOK V. VACHANI                       11
    from line, initiated the messages. The statute defines
    “initiate” as “to originate or transmit such message or to
    procure the origination or transmission of such message, but
    shall not include actions that constitute routine conveyance of
    such message.” 
    Id. § 7702(9).
    It provides that “more than
    one person may be considered to have initiated a message.”
    
    Id. A Power
    user gave Power permission to share a
    promotion, Power then accessed that user’s Facebook data,
    and Facebook crafted and caused form e-mails to be sent to
    recipients. These actions all go beyond the routine
    conveyance of a message. All the actions require some
    affirmative consent (clicking the “Yes, I do!” button) or some
    creative license (designing the form e-mails). Because more
    than one person may be considered to have initiated the
    message, we hold that, within the meaning of the statute,
    Power’s users, Power, and Facebook all initiated the
    messages at issue.
    Because Facebook (among others) initiated the messages,
    the “from” line accurately identified a person who initiated
    the messages. Accordingly, the “from” line is not misleading
    within the meaning of the statute. Similar reasoning also
    leads us to conclude that the header is technically accurate.
    Because a Power user consented to share Power’s promotion
    through an event invitation, a header line that stated that a
    recipient’s friend “invited” the recipient to the event does not
    conceal or misstate a creator of the e-mail.
    It is true that the CAN-SPAM Act includes as materially
    misleading a technically accurate header that includes
    information accessed through false or fraudulent pretenses or
    representations. 
    Id. § 7704(a)(1)(A).
    But Power users
    consented to Power’s access to their Facebook data. In
    clicking “Yes, I do!,” users gave Power permission to share
    12                 FACEBOOK V. VACHANI
    its promotion through event invitations. On this record,
    Power did not use false pretenses or fraudulent
    representations to obtain users’ consent. Therefore, the
    external messages were not materially misleading within the
    meaning of the CAN-SPAM Act.
    We next consider internal messages sent within the
    Facebook system. We can find these messages misleading
    only if they impaired the ability of the recipient to “respond
    to a person who initiated the electronic mail message” or the
    ability of Facebook to locate the initiator of the messages. 
    Id. § 7704(a)(6).
    Two factors convince us that the messages are
    not misleading under this standard. First, the body of the
    messages included both Power’s name and a link to the
    Power website. A reasonable recipient could understand that
    Power had drafted the message or had some part in its
    construction. Second, Facebook users who were identified as
    the senders did authorize the sending of these messages. It
    was not misleading for such users to be identified in internal
    messages sent through the Facebook system.
    Because neither e-mails nor internal messages sent
    through Power’s promotional campaign were materially
    misleading, Power did not violate the CAN-SPAM Act. We
    reverse the district court on this claim and remand for entry
    of judgment in favor of Defendants.
    B. CFAA
    The CFAA prohibits acts of computer trespass by those
    who are not authorized users or who exceed authorized use.
    It creates criminal and civil liability for whoever
    “intentionally accesses a computer without authorization or
    exceeds authorized access, and thereby obtains . . .
    FACEBOOK V. VACHANI                     13
    information from any protected computer.” 18 U.S.C.
    § 1030(a)(2)(C). “The statute thus provides two ways of
    committing the crime of improperly accessing a protected
    computer: (1) obtaining access without authorization; and
    (2) obtaining access with authorization but then using that
    access improperly.” Musacchio v. United States, 
    136 S. Ct. 709
    , 713 (2016). The CFAA provides a private right of
    action for “[a]ny person who suffers damage or loss by reason
    of a violation of this section.” 18 U.S.C. § 1030(g).
    First, we hold that Facebook suffered a loss within the
    meaning of the CFAA. The statute permits a private right of
    action when a party has suffered a loss of at least $5,000
    during a one-year period. 
    Id. § 1030(c)(4)(A)(i)(I).
    The
    statute defines “loss” to mean “any reasonable cost to any
    victim, including the cost of responding to an offense,
    conducting a damage assessment, and restoring the data,
    program, system, or information to its condition prior to the
    offense, and any revenue lost, cost incurred, or other
    consequential damages incurred because of interruption of
    service.” 
    Id. § 1030(e)(11).
    It is undisputed that Facebook
    employees spent many hours, totaling more than $5,000 in
    costs, analyzing, investigating, and responding to Power’s
    actions. Accordingly, Facebook suffered a loss under the
    CFAA.
    We next consider whether Power accessed Facebook’s
    computers knowing that it was not authorized to do so. We
    have previously considered whether a defendant has accessed
    a computer “without authorization” or in a manner that
    “exceeds authorized access” under the CFAA in three
    separate opinions.
    14                 FACEBOOK V. VACHANI
    Most recently, in United States v. Nosal, No. 14-10037,
    slip op. at 1 (9th Cir. July 5, 2016) (“Nosal II”), we
    considered the definition of “without authorization.” In that
    case, an employee, David Nosal, had worked at an executive
    search firm, Korn/Ferry, until he decided to leave and start his
    own competing business. 
    Id. at 8.
    Though Korn/Ferry
    explicitly revoked Nosal’s computer access credentials, Nosal
    enlisted the support of his former executive assistant, who
    remained authorized to access the company computers. He
    used her password to continue accessing company computers
    and privileged information. 
    Id. at 9–10.
    After Nosal was
    prosecuted and convicted under the CFAA, on appeal, we
    were “asked to decide whether the ‘without authorization’
    prohibition of the CFAA extends to a former employee whose
    computer access credentials have been rescinded but who,
    disregarding the revocation, accesses the computer by other
    means.” 
    Id. at 6.
    We concluded that it did. We held that
    “without authorization” is an unambiguous,
    non-technical term that, given its plain and
    ordinary meaning, means accessing a
    protected computer without permission. This
    definition has a simple corollary: once
    authorization to access a computer has been
    affirmatively revoked, the user cannot
    sidestep the statute by going through the back
    door and accessing the computer through a
    third party.
    
    Id. at 4.
    The holding in Nosal II clarified our two earlier cases on
    the CFAA. In LVRC Holdings LCC v. Brekka, 
    581 F.3d 1127
    (9th Cir. 2009), an employee logged onto his employer’s
    FACEBOOK V. VACHANI                      15
    computer, accessed confidential information, and sent e-mails
    from the computer to himself and his wife with the intention
    of starting a competing business. We held that a person is
    “without authorization” under the CFAA “when the person
    has not received permission to use the computer for any
    purpose (such as when a hacker accesses someone’s computer
    without any permission), or when the employer has rescinded
    permission to access the computer and the defendant uses the
    computer anyway.” 
    Id. at 1135.
    Because the employee had
    sent e-mails while he still had authorized access to the
    company’s computers, his actions did not constitute
    unauthorized use and did not run afoul of the CFAA. 
    Id. That fact
    was key; had the employee accessed company
    computers without express permission, he would have
    violated the CFAA. “[I]f [the employee had] accessed
    LVRC’s information on the LOAD website after he left the
    company in September 2003, [the employee] would have
    accessed a protected computer ‘without authorization’ for
    purposes of the CFAA.” 
    Id. at 1136.
    In United States v. Nosal, 
    676 F.3d 854
    (9th Cir. 2012)
    (en banc) (“Nosal I”), an earlier case stemming from the same
    events that led to Nosal II, we considered whether a group of
    employees who logged on to a work computer, downloaded
    information from a confidential database, and transferred it to
    a competing business “exceed[ed] authorized access.” 
    Id. at 856.
    Wary of creating a sweeping Internet-policy mandate,
    we applied the rule of lenity to the CFAA and reversed
    liability for the defendant. 
    Id. at 863.
    The decision broadly
    described the application of the CFAA to websites’ terms of
    service. “Not only are the terms of service vague and
    generally unknown . . . but website owners retain the right to
    change the terms at any time and without notice.” 
    Id. at 862.
    As a result, imposing criminal liability for violations of the
    16                    FACEBOOK V. VACHANI
    terms of use of a website could criminalize many daily
    activities. Accordingly, “the phrase ‘exceeds authorized
    access’ in the CFAA does not extend to violations of use
    restrictions.      If Congress wants to incorporate
    misappropriation liability into the CFAA, it must speak more
    clearly.” 
    Id. at 863.
    From those cases, we distill two general rules in analyzing
    authorization under the CFAA. First, a defendant can run
    afoul of the CFAA when he or she has no permission to
    access a computer or when such permission has been revoked
    explicitly. Once permission has been revoked, technological
    gamesmanship or the enlisting of a third party to aid in access
    will not excuse liability. Second, a violation of the terms of
    use of a website—without more—cannot be the basis for
    liability under the CFAA.
    Here, initially, Power users arguably gave Power
    permission to use Facebook’s computers to disseminate
    messages. Power reasonably could have thought that consent
    from Facebook users to share the promotion was permission
    for Power to access Facebook’s computers.1 In clicking the
    “Yes, I do!” button, Power users took action akin to allowing
    a friend to use a computer or to log on to an e-mail account.
    Because Power had at least arguable permission to access
    Facebook’s computers, it did not initially access Facebook’s
    1
    Because, initially, Power users gave Power permission to use
    Facebook’s computers to disseminate messages, we need not decide
    whether websites such as Facebook are presumptively open to all comers,
    unless and until permission is revoked expressly. See Orin S. Kerr, Norms
    of Computer Trespass, 116 Colum. L. Rev. 1143, 1163 (2016) (asserting
    that “websites are the cyber-equivalent of an open public square in the
    physical world”).
    FACEBOOK V. VACHANI                              17
    computers “without authorization” within the meaning of the
    CFAA.
    But Facebook expressly rescinded that permission when
    Facebook issued its written cease and desist letter to Power
    on December 1, 2008. Facebook’s cease and desist letter
    informed Power that it had violated Facebook’s terms of use
    and demanded that Power stop soliciting Facebook users’
    information, using Facebook content, or otherwise interacting
    with Facebook through automated scripts.2 Facebook then
    imposed IP blocks in an effort to prevent Power’s continued
    access.
    The record shows unequivocally that Power knew that it
    no longer had authorization to access Facebook’s computers,
    but continued to do so anyway. In requests for admission
    propounded during the course of this litigation, Power
    admitted that, after receiving notice that its use of or access
    to Facebook was forbidden by Facebook, it “took, copied, or
    made use of data from the Facebook website without
    Facebook’s permission to do so.” (Emphasis added;
    capitalization omitted.) Contemporaneously, too, soon after
    receiving the cease and desist letter, Power’s CEO sent an e-
    mail stating: “[W]e need to be prepared for Facebook to try
    to block us and the [sic] turn this into a national battle that
    gets us huge attention.” On December 4, 2008, a Power
    executive sent an e-mail agreeing that Power engaged in four
    2
    The mention of the terms of use in the cease and desist letter is not
    dispositive. Violation of Facebook’s terms of use, without more, would
    not be sufficient to impose liability. Nosal 
    I, 676 F.3d at 862
    –63. But, in
    addition to asserting a violation of Facebook’s terms of use, the cease and
    desist letter warned Power that it may have violated federal and state law
    and plainly put Power on notice that it was no longer authorized to access
    Facebook’s computers.
    18                     FACEBOOK V. VACHANI
    “prohibited activities”3; acknowledging that Power may have
    “intentionally and without authorization interfered with
    [Facebook’s] possessory interest in the computer system,”
    while arguing that the “unauthorized use” did not cause
    damage to Facebook; and noting additional federal and state
    statutes that Power “may also be accused of violating,”
    beyond those listed in Facebook’s cease and desist letter. E-
    mails sent later in December 2008 discussed the IP blocks
    that Facebook had imposed and the measures that Power took
    to evade them. Nevertheless, Power continued to access
    Facebook’s data and computers without Facebook’s
    permission.
    The consent that Power had received from Facebook users
    was not sufficient to grant continuing authorization to access
    Facebook’s computers after Facebook’s express revocation of
    permission. An analogy from the physical world may help to
    illustrate why this is so. Suppose that a person wants to
    borrow a friend’s jewelry that is held in a safe deposit box at
    a bank. The friend gives permission for the person to access
    the safe deposit box and lends him a key. Upon receiving the
    key, though, the person decides to visit the bank while
    carrying a shotgun. The bank ejects the person from its
    premises and bans his reentry. The gun-toting jewelry
    borrower could not then reenter the bank, claiming that access
    to the safe deposit box gave him authority to stride about the
    bank’s property while armed. In other words, to access the
    safe deposit box, the person needs permission both from his
    friend (who controls access to the safe) and from the bank
    3
    The activities were: “- Using a person’s Facebook account without
    Facebook’s authorization; - Using automated scripts to collect information
    from their site; - Incorporating Facebook’s site in another database[; and] -
    Using Facebook’s site for commercial purposes[.]”
    FACEBOOK V. VACHANI                             19
    (which controls access to its premises). Similarly, for Power
    to continue its campaign using Facebook’s computers, it
    needed authorization both from individual Facebook users
    (who controlled their data and personal pages) and from
    Facebook (which stored this data on its physical servers).
    Permission from the users alone was not sufficient to
    constitute authorization after Facebook issued the cease and
    desist letter.
    In sum, as it admitted, Power deliberately disregarded the
    cease and desist letter and accessed Facebook’s computers
    without authorization to do so. It circumvented IP barriers
    that further demonstrated that Facebook had rescinded
    permission for Power to access Facebook’s computers.4 We
    therefore hold that, after receiving written notification from
    Facebook on December 1, 2008, Power accessed Facebook’s
    computers “without authorization” within the meaning of the
    CFAA and is liable under that statute.
    Nosal I is materially distinguishable. First, Nosal I
    involved employees of a company who arguably exceeded the
    limits of their 
    authorization. 676 F.3d at 856
    . Here, by
    contrast, Facebook explicitly revoked authorization for any
    access, and this case does not present the more nuanced
    question of exceeding authorization. Nosal I involved a
    defendant who “exceeded authorization,” while this case
    involves a defendant who accessed a computer “without
    4
    Simply bypassing an IP address, without more, would not constitute
    unauthorized use. Because a blocked user does not receive notice that he
    has been blocked, he may never realize that the block was imposed and
    that authorization was revoked. Or, even if he does discover the block, he
    could conclude that it was triggered by misconduct by someone else who
    shares the same IP address, such as the user’s roommate or co-worker.
    20                 FACEBOOK V. VACHANI
    authorization.” Second, although Nosal I makes clear that
    violation of the terms of use of a website cannot itself
    constitute access without authorization, this case does not
    involve non-compliance with terms and conditions of service.
    Facebook and Power had no direct relationship, and it does
    not appear that Power was subject to any contractual terms
    that it could have breached. Finally, Nosal I was most
    concerned with transforming “otherwise innocuous behavior
    into federal crimes simply because a computer is involved.”
    
    Id. at 860.
    It aimed to prevent criminal liability for computer
    users who might be unaware that they were committing a
    crime. But, in this case, Facebook clearly notified Power of
    the revocation of access, and Power intentionally refused to
    comply. Nosal I’s concerns about overreaching or an absence
    of culpable intent simply do not apply here. This case is
    closer to Nosal II, wherein liability attached after permission
    to access computers was expressly revoked, but then the
    defendant deliberately circumvented the rescission of
    authorization.
    Accordingly, we hold that, after receiving the cease and
    desist letter from Facebook, Power intentionally accessed
    Facebook’s computers knowing that it was not authorized to
    do so, making Power liable under the CFAA. We therefore
    affirm in part the holding of the district court with respect to
    the CFAA.
    C. Section 502
    California Penal Code section 502 imposes liability on a
    person who “[k]nowingly accesses and without permission
    takes, copies, or makes use of any data from a computer,
    computer system, or computer network, or takes or copies
    any supporting documentation, whether existing or residing
    FACEBOOK V. VACHANI                        21
    internal or external to a computer, computer system, or
    computer network.” 
    Id. § 502(c)(2).
    This statute, we have
    held, is “different” than the CFAA. United States v.
    Christensen, 
    801 F.3d 970
    , 994 (2015). “[T]he California
    statute does not require unauthorized access. It merely
    requires knowing access.” 
    Id. But despite
    differences in wording, the analysis under
    both statutes is similar in the present case. Because Power
    had implied authorization to access Facebook’s computers, it
    did not, at first, violate the statute. But when Facebook sent
    the cease and desist letter, Power, as it conceded, knew that
    it no longer had permission to access Facebook’s computers
    at all. Power, therefore, knowingly accessed and without
    permission took, copied, and made use of Facebook’s data.
    Accordingly, we affirm in part the district court’s holding that
    Power violated section 502.
    D. Personal Liability
    We affirm the district court’s holding that Vachani is
    personally liable for Power’s actions. A “corporate officer or
    director is, in general, personally liable for all torts which he
    authorizes or directs or in which he participates,
    notwithstanding that he acted as an agent of the corporation
    and not on his own behalf.” Comm. for Idaho’s High Desert,
    Inc. v. Yost, 
    92 F.3d 814
    , 823 (9th Cir. 1996) (internal
    quotation marks omitted). Cases finding “personal liability
    on the part of corporate officers have typically involved
    instances where the defendant was the ‘guiding spirit’ behind
    the wrongful conduct, or the ‘central figure’ in the challenged
    corporate activity.” Davis v. Metro Prods., Inc., 
    885 F.2d 515
    , 523 n.10 (9th Cir. 1989) (internal quotation marks and
    ellipsis omitted).
    22                 FACEBOOK V. VACHANI
    Vachani was the central figure in Power’s promotional
    scheme. First, Vachani admitted that, during the promotion,
    he controlled and directed Power’s actions. Second, Vachani
    admitted that the promotion was his idea. It is undisputed,
    therefore, that Vachani was the guiding spirit and central
    figure in Power’s challenged actions. Accordingly, we affirm
    the district court’s holding on Vachani’s personal liability for
    Power’s actions.
    E. Discovery Sanctions
    We affirm the discovery sanctions imposed against Power
    for non-compliance during a Rule 30(b)(6) deposition.
    Defendants failed to object to discovery sanctions in the
    district court. Failure to object forfeits Defendants’ right to
    raise the issue on appeal. Simpson v. Lear Astronics Corp.,
    
    77 F.3d 1170
    , 1174 (9th Cir. 1996).
    Even assuming the issue was not waived, we “review the
    district court’s rulings concerning discovery, including the
    imposition of discovery sanctions, for abuse of discretion.”
    Goodman v. Staples Office Superstore, LLC, 
    644 F.3d 817
    ,
    822 (9th Cir. 2011). The magistrate judge’s findings that
    Vachani was unprepared, unresponsive, and argumentative
    and that Power Ventures had failed to produce many e-mails
    responsive to Facebook’s requests prior to discovery are
    supported by the record. Accordingly, we hold that the
    discovery sanctions imposed were not an abuse of discretion.
    F. Remedies
    Because we reverse in significant part, we also vacate the
    injunction and the award of damages. We remand the case to
    the district court to reconsider appropriate remedies under the
    FACEBOOK V. VACHANI                      23
    CFAA and section 502, including any injunctive relief. With
    respect to damages, the district court shall calculate damages
    only for the period after Power received the cease and desist
    letter, when Power continued to access data contained in
    Facebook’s servers and memory banks.
    REVERSED in part, VACATED in part, AFFIRMED
    in part, and REMANDED. The parties shall bear their own
    costs on appeal.