Should companies be able to use a federal hacking law to go after those who access their website when they’ve been told to go away? It looks like the answer is yes.
A California appeals court on Tuesday sided with Facebook in a closely-watched case involving a law that lets companies seek civil and criminal penalties against those who access their websites without permission.
The case involves a defunct start-up called Power Ventures that tried to start a social network of its own in 2012, and promised on its website that the “First 100 people who bring 100 new friends to Power.com win $100.”
Those who clicked on the link allowed Power to send a series of email and internal Facebook messages inviting their friends to signup. In response, Facebook attempted to cut off the startup’s access to its website and also sent a cease-and-desist letter telling Power to knock it off.
Despite the warning, Power continued to find ways to continue to wheedle its way onto Facebook’s platform, and send emails that appeared to be from “Facebook.”
Long story short, Facebook sued, and a federal judge awarded the company $3 million on the grounds that Power had violated an anti-spam law and an anti-hacking law called the Computer Fraud and Abuse Act (CFAA). The appeal has drawn attention because CFAA has long been a source of contention in tech circles.
Critics claim the law gives prosecutors too much power, and risks turning activities like sharing passwords or visiting a website without permission into federal crimes. In the Power case appeal, the activist group the Electronic Frontier Foundation intervened on Power’s behalf to warn the lower court had applied the CFAA too broadly.
But, in its ruling on Tuesday, the 9th Circuit Court of Appeals unanimously sided with Facebook. In its decision, a three judge panel concluded Power violated the CFAA because the company continued using Facebook’s website even being explicitly warned to stop.
A Facebook spokesperson praised the ruling in a statement.
“We filed this case almost eight years ago to protect Facebook’s systems and community. Today’s ruling confirms that Power and Vachani will be held liable for violating federal and state law because they intentionally accessed Facebook’s systems without authorization. We will continue to pursue damages and all available relief.”
Get Data Sheet, Fortune’s technology newsletter.
The new ruling comes a week after the same appeals court found that, in some cases, accessing a computer with someone else’s password could be a CFAA violation. The decision drew attention in part because a dissenting judge warned the court’s conclusion about passwords could end up criminalizing the everyday activities of millions of Americans.
In the new Facebook ruling, the appeals court appeared to go out of its way to reassure people that its CFAA finding would not sweep up trivial activities. Specifically, it emphasized that ignoring a website’s terms of service violation was not enough, and that only blowing off a cease-and-desist could trigger CFAA trouble.
Not everyone is convinced, however. George Washington University law professor Orin Kerr, who has written extensively on the topic, has already blasted the court, saying the ruling is too broad.
Finally, in a bit of good news for those worried about the courts overreaching, the 9th Circuit threw out the part of the decision that concluded Power had violated anti-spam laws. The case is now going back before the lower court for a new ruling on damages.
