Facebook users must register with the website and agree to Facebook's Statement of Rights and Responsibilities (SRR). On registration, users are given unique user names and passwords to access their own user profiles as well as the profiles of their "friends." Only registered users can send messages to each other through the Facebook website. The SRR prohibits any activity that would impair the operation of Facebook's website, including the use of data-mining "bots" to gain access to users' login information, the posting of unsolicited advertising on the website, the circulation of such advertising via e-mail, or any commercial use of the Facebook website without Facebook's prior authorization.
Facebook alleges that Philip Porembski is a registered Facebook user who is bound by the SRR. Since October 2008, Porembski and others (the defendants) allegedly have obtained login credentials for at least 116,000 Facebook accounts without authorization, and they have sent more than 7.2 million spam messages to Facebook users. According to Facebook, the messages ask recipients to click on a link to a "phishing" site designed to trick users into divulging their Facebook login information.
Once users divulge the information, the defendants use it to send spam messages to the users' friends, repeating the cycle. In addition, certain spam messages allegedly redirect users to websites that pay the defendants for each user visit. Facebook filed suit asserting that the defendants' phishing and spamming activities are in violation of the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act). Is there a violation? If so, how will the court calculate damages?