How to deal with receiving a cease-and-desist letter from Big Tech

Although this article isn’t related to any of the 12 Challenges so far, it’s on a subject I’m developing for a potential future challenge.

---

In July 2021 Facebook sent me a cease-and-desist letter because I made a browser extension, Unfollow Everything, which helped people use Facebook less.

Over the years, a number of developers who have also received cease-and-desist letters from Facebook have got in touch with me — so here’s a round-up of my advice.

Disclaimer: I’m not a lawyer, and nothing in here should be taken as legal advice. I’ll try to add caveats throughout where my experience may not be relevant.

0) Anticipate the risk

If you’ve already received a cease-and-desist letter, skip to the next section.

But if you are making software or doing research that’s adversarial to Big Tech and haven’t thought at all about the possibility of receiving a cease-and-desist letter, this message is for you:

Be aware that it could happen any day!

I didn’t understand that making software that interoperated with Facebook opened me up to the risk of a cease-and-desist letter and a lifetime ban.

Being more aware of that could have set my expectations better so that I wouldn’t have been so shocked.

A handy rule of thumb:

If you are doing almost anything, including but not limited to software, that interacts with Big Tech platforms, inside or outside of official APIs or services, you are at risk of receiving a cease-and-desist letter — even if you don’t see what you’re doing as adversarial to the platform.

Sending out cease-and-desist letters is very easy, and these platforms have a lot of money, so it makes sense for them to cast the net wide.

Things that can lower your risk are:

1. Working within a large organization with a legal and PR team ready to defend you, which will make Big Tech platforms think twice before hitting send

2. Working on something that is clearly in the public interest, and that will blow up in Big Tech’s face if they try to ban it, e.g. research

(Note that neither of these stopped Facebook sending NYU researchers a cease-and-desist in 2021, so there are no guarantees.)

Now that you’re anticipating the risk of a cease-and-desist, here are a few preparatory steps:

1. Download a copy of all of your data from the platform you are working on (as well as any related platforms, e.g. owned by the same Big Tech company), and do this regularly — especially if you’re not based in a jurisdiction like the UK or EU where you are legally entitled to demand your data even after being banned.

2. Make sure nothing critical in your life relies on using the platform. It shouldn’t be your primary means of contacting any important people in your life, you shouldn’t rely on it as a primary means of entertainment or to keep up-to-date. Ideally you should have no reliance at all on the platform, in case you get banned for life.

3. Read the platform’s terms of service to understand which things they might accuse you of doing that breach the agreement. Yeah, I know — you’ll have to become one of approximately three people in the world who ever actually read this document.

4. Consult a lawyer in your jurisdiction to get their opinion on what you are doing vs. the terms of service (and vs. IP legislation, CFAA etc.), so that you aren’t blindsided. Make sure you have the lawyer a phone call away for when you need them.

Great. Let’s move on to when you receive a letter.

1) Know that you’re probably going to be OK

On the actual day that things went down, the first thing I noticed was that I couldn’t log into my Facebook or Instagram accounts. Then, 5 hours later — Thursday evening at midnight — I received the cease-and-desist letter. I didn’t really understand what it was. I would have wanted to know that:

1. There was virtually zero chance of going to jail, or indeed court (in retrospect, it seems crazy that I was worried about this — but it shows just how scary the experience was, and how ill-equipped I was to deal with it).

2. A cease-and-desist letter doesn’t mean any kind of formal legal action has started against you. It’s notionally a first step towards that kind of thing, but in practice it’s used to scare you into doing what the company wants — and if you do it, they are unlikely to go further.

3. Companies can put all sorts of outrageous claims and demands in a cease-and-desist letter, even if they aren’t true or legally enforceable. It’s essentially a bullying tactic. They can reference parts of their terms of service that you signed up to, which will make things sound scarier, but those terms may themselves be completely unfair.

   • Companies have unfair terms of service because they are a wishlist of how they’d like the world to work — which will stand until it gets challenged in court or chastised by a regulator (and that will take years!).

   • So even if the company is quoting their terms of service at you, bear in mind that some of these may be completely unenforceable if the matter were to reach court.

4. The point of cease-and-desist letters is to get you to stop. If you stop, and if you didn’t do anything very bad at all, likely that’ll be the end of the matter. I get the sense that the key metric the law firm representing the Big Tech company is trying to hit is quite simply ‘did they stop?’. Although the company may still keep following up with other demands, as we’ll see later.

5. The letter may try to gaslight you. There may be claims in there that are false, defamatory, insulting, etc. This doesn’t mean that you can take their threats any less seriously, unfortunately. But it does make the whole situation even more messed up. Do not rush to react to these false claims — go to the next section first.

2) Figure out your first actions

So. You’re staring at your cease-and-desist letter. What should you do next?

1. I’m depressed to be writing this, but if it’s relatively costless to you to pause providing the software or service they’re targeting, and if you don’t have access to $$$ of legal funds, I would go ahead and pause immediately. The reality is that you’re being bullied by a firm with virtually infinite resources and at this point, while you’re still in shock and scared, it’s probably best to simply take a pause. You can always change your mind later, once you’ve had a chance to get more comfortable with the situation.

2. There may be an aggressive deadline to respond on the cease-and-desist letter. For me, it was 48 hours — and I received it on a Thursday night at midnight! I would strongly advise that you don’t rush to respond to the letter, and find a lawyer to advise you first. The last thing you want to do is reply with an email where you make a bunch of statements that the company can use against you, because you don’t understand the law. A 48 hour deadline is plainly ridiculous — that’s not enough time to get legal advice and decide how to respond. It’s all part of the bullying tactics. But you should still respond within a week or so.

3. There also may be a laundry list of demands in the letter: explain how your software works, give a list of the domains you own and apps you operate, tell us the revenue you made from the software, agree to never again do X, Y, Z. I would roundly ignore all of their demands for now, and simply stick to pausing the software or service, and not responding yet to their letter.

4. Bringing those points together looks like:

   1. Find a lawyer

   2. Pause the software or service, if there’s minimal downside to doing so

   3. Don’t reply until you find a lawyer

5. Another thing to note: at this point, you’ll likely have been banned from the platform. But if you haven’t been (yet), immediately download all your data from all accounts. They might not yet have spotted an account or two.

3) Realize that your options are limited

Receiving a cease-and-desist letter is a great lifehack to realizing this fundamentally depressing fact about most legal systems*:

It doesn’t matter if you’re right. It matters if you have money, time, and willpower to go to court.

Let’s say you find a lawyer, as advised in the previous section. You consult them about the cease-and-desist letter, and they are bowled over by how weak the legal arguments are. They say there’s no way a judge or jury would allow their demands and their ban to stand. Great!

Nope. Because now you’d need to risk your finances, mental health and years of your life to litigate against the Big Tech company. In other words, it’s completely irrelevant that you’re right and they’re wrong.

So:

Even if you are sure you are in the right, and that you would almost certainly win in court, you can’t realistically do anything about it. The sooner you accept that, the better.

The exception: if you are working at a university or some other big organization (or if you’re extremely rich). In that case, you’ll have lawyers aplenty — although the mental toll, and the time you’ll have to spend, may still not be worth it. And you’re still unlikely to get your accounts back, since platforms are at liberty to deny you access to them for a whole variety of reasons.

Still determined to take the matter to court, but don’t have the money? You can do two things:

1. Crowdfund. And it will be difficult, since there are more worthwhile things people can donate to than a legal case against an enormous company which you’re unlikely to win.

2. Ask a foundation for money. Try to get funding for your legal fees from foundations like OSF, Luminate, Reset and Ford Foundation (some of the biggest players in funding tech activism). That’ll also be difficult, unless you already know them or can get a very warm intro. These foundations prefer working with people they know and trust, especially on legal issues — and even then, they might not see it as strategically valuable to fund your particular case. An added complication might be that they won’t even know how much money to set aside, since legal fees can balloon over time.

*Apparently there are some legal systems, particularly in Europe, where the costs of taking Big Tech to court are lower. You’d have to ask your lawyer about that. The time and willpower aspects may be similar though.

4) Decide how to respond

With that in mind, how to respond? You have three options, as laid out by this handy article:

1. Ignore

2. Comply

3. Defend

Ignoring completely, and choosing to keep offering your software or service, is incredibly risky. The Big Tech company may very likely take you to court, and that would really suck. So it’s hard to recommend this approach.

Complying is the best way to make this whole issue disappear and get your life back to normal, but you can always do so selectively: stop doing whatever you’re doing (take down the app, stop the service), but then ignore other demands that you see as unfair or onerous. Based on my experience, it’s likely the Big Tech company will not pursue you any further, although they may follow up for a while (see below).

There is an important exception: if you desperately need your accounts back, for instance your entire livelihood depends on it. If that’s the case, you probably want to comply fully with every single thing they ask — be a completely open book. Don’t be remotely adversarial in any of your dealings. There will still be no guarantee of getting any accounts back, but it’s your only chance.

Finally, you can defend yourself, if you have the time, money and willpower. But as dealt with in the previous section, that could end up being seriously, seriously painful, even if you are completely in the right.

There is, however, a way for you to fight back through non-legal means:

5) Go to the court of public opinion

If you want to get catharsis and cause Big Tech grief, the most viable option is to take the fight to the court of public opinion. Tell the world about what happened.

1. Post about the letter everywhere you can. Keep up a drumbeat! One post won’t get you anywhere

2. Try to enlist sympathetic journalists to write about the situation. A lot of journalists are open to cold outreach through social media

3. Reach out to superusers of your app and other sympathisers, and ask them to share your posts widely

4. Contact politicians who represent you, for instance your local senator or representative, or your MP. At the very least, they may be able to link you to journalists or offer their sympathy

Worth noting that this strategy is most likely to go well if your software or research was in the public interest.

Side note: if your situation attracts a lot of interest, you may find yourself completely overwhelmed by messages from journalists, tweets from sympathetic followers, emails of support etc.

I don’t know how I could have managed this better, but I’d just say — be aware that it could happen, and that even well-meaning support and valuable media interest can cause a huge amount of stress.

If you agree to do an interview, consider doing some online training around how to talk to the media so that you get the points across that you want to, and so you don’t say anything on record that you don’t want to.

6) Be prepared for follow-ups

One deeply unpleasant part of the whole situation was how often, and for how long, Facebook followed up. For an entire year, from July 2021 to June 2022, they kept sending me emails, like the world’s most efficient stalker. They then finally went quiet, and I haven’t heard from them since. (Miss you guys!)

At the beginning, they sent numerous follow-ups asking for me to agree to all of the demands in the original letter.

Then there was a period of radio silence, until 7 months later they sent through a new document, which they called a ‘Proposed Agreement’. I’m publishing this document here for the first ever time, in case it’s useful to anyone.

The document dangled the possibility of my Facebook and Instagram accounts being reinstated if I agreed to similar demands to those in the initial cease-and-desist letter (like agreeing to never make any software again that interacts with Facebook), but with a fun twist:

In other words, if I agreed to the letter and then went onto breach the terms, Facebook would automatically be entitled to at least $30k. (I guess you have to get creative to bring home the bacon when Apple destroys a chunk of your revenue model.)

It would’ve been a terrible idea to sign this letter to get my accounts back, given that Facebook made it clear that they would have no actual obligation whatsoever to do this:

The wording doesn’t even say I can request my accounts back — just my ‘licence’ to use Facebook and Instagram again!

So a couple of things to bear in mind:

1. You will receive follow-ups. That much is basically certain, and based on my experience with Facebook, it could be for a while

2. You might be given some ray of hope about being able to get your account back. But you’d be sensible to ignore this if the language is anything like what I received. If you really, really need your account back, you might want to get a lawyer to draft a response saying you’ll consider signing if the wording is tweaked to guarantee that your accounts will be restored. (Or in the case where it’s critical to get your accounts back, you may simply want to do whatever they say, to keep seeming as cooperative to them as possible)

7) Move on...

The final stage of grief is acceptance. From what I can tell, in most cease-and-desist cases:

• You’re not going to get your accounts back

• You’re not going to be able to keep making the software or doing the research that led to the cease-and-desist

• You’re not going to have money, time or willpower to take it to court

So you should cause as much of a stink in the court of public opinion as you can — which really can have impact, because it will add to the nice long list of Big Tech legal horror stories which politicians read and eventually create regulation in response to (in the EU, for instance).

And then you should probably just accept the situation, and move on to working on something else.

8) Or don’t

But if you’re stubborn and, like me, don’t want to ever accept the situation, then:

• Keep writing about it

• Keep the pressure up on politicians. Send your senator, or representative, or MP regular updates on what’s happened since you first reached out. Stories of Big Tech bullying can eventually add up to regulation

• Build bridges with organizations in the tech community, like Knight First Amendment Institute, who can and do take legal action to defend developers and researchers

• Band together with others who have been unfairly targeted, so you can advocate for change together

Whatever you decide to do, remember that you’ll get through this, even though it is frankly a horrible, horrible experience.

Good luck!

---

If you’ve received a cease-and-desist letter from Big Tech, I’d love to hear from you — 1) for strength in numbers and 2) to add your experiences to this article. You can email: hi [at] louis [dot] work.

---

Comments

[Me]

Do you know if "accidentally" leaking the source code (if it wasn't open-source already) after a while could make the situation any worse?