Facebook Privacy Tracking Lawsuit Can Continue, Court Says

Everyone knows that when you use a social media site such as Facebook, the site collects information about you. I’m not sure whether, even with privacy settings configured, people know who is getting access to this information, for what purposes, and exactly what information they are getting. Reading the Facebook privacy policy and privacy settings isn’t much help; they really don’t tell me what personal information Facebook collects or how the company uses it. Also little understood is that Facebook collects information about you even after you log off the service.

On April 9, 2020, the 9th U.S. Circuit Court of Appeals ruled that a class action lawsuit against Facebook could proceed on claims that the company collected “tracking” information about its users while they were not on the social networking site.

The mechanism was Facebook’s third-party plug-ins. If you were on a non-Facebook website that embedded a “Like” button, your browser fetched that button from Facebook, and the request told Facebook which page you were on; Facebook added that information to the profile of you that it used to target advertising for its advertising clients. Because, after all, you are not the customer; you are the product, right?

When a user creates a Facebook account, Facebook sets more than 10 different tracking cookies in the user’s browser. These collect things such as the login ID and the websites visited, whether the user is on a Facebook page or has logged out of Facebook entirely. When Facebook’s data collection practices were revealed by an Australian hacker’s blog post, a class action lawsuit was filed alleging that these undisclosed data collections violated the Wiretap Act, the Stored Communications Act, the California Invasion of Privacy Act, the tort of intrusion upon seclusion, breach of contract, breach of the duty of good faith and fair dealing, civil fraud, trespass to chattels, the California Comprehensive Computer Data Access and Fraud Act, and larceny. It’s the linguini theory of litigation: Throw everything against the wall and see what sticks.

Each of these allegations, whether a crime that carries a “private right of action” (the ability of individuals to sue), a tort, a contract claim, or a theft or fraud claim, requires proof of different elements.

The 9th Circuit first found that the Facebook users had adequately alleged that they suffered an actual injury resulting from Facebook’s data collection practices. The court noted:

“Plaintiffs have adequately alleged harm to these privacy interests. [Facebook’s] tracking occurred ‘no matter how sensitive’ or personal users’ browsing histories were [and] by correlating users’ browsing history with users’ personal Facebook profiles—profiles that could include a user’s employment history and political and religious affiliations—Facebook gained a cradle-to-grave profile without users’ consent.”

The appellate court reversed the lower court’s finding that there was no genuine injury to the Facebook users and no genuine benefit to Facebook (unjust enrichment) resulting from the tracking. The court also found, at least for the purpose of letting the case go forward, that the Facebook users had adequately asserted that the social media company had “intruded” into their private lives without consent in a way that was “highly offensive,” noting that, “In light of the privacy interests and Facebook’s allegedly surreptitious and unseen data collection, Plaintiffs have adequately alleged a reasonable expectation of privacy [in the data Facebook collected].”

The court next turned to whether Facebook, by collecting information about users’ activity off the Facebook site, violated the federal and California wiretapping laws. Both prohibit the unauthorized “acquisition of the contents” of a communication, but both also exempt acquisition by the provider of the communications service or by a party to the communication (under federal law the consent of one party suffices; California requires the consent of all parties). Federal courts have been split on who counts as a “party” when a third party’s embedded code causes the browser to silently send that third party a copy of the user’s request to the site being visited. The 9th Circuit held that the exemption does not reach such copying, finding that “simultaneous, unknown duplication and communication of GET requests do not exempt a defendant from liability under the party exception.”

However, in a victory for Facebook, the court ruled that Facebook’s cookie tracking did not violate the Stored Communications Act (SCA), a federal privacy law protecting the contents of communications held in electronic storage by an electronic communication service. The court noted that the SCA requires plaintiffs to plead that Facebook (1) gained unauthorized access to a “facility” where it (2) accessed an electronic communication in “electronic storage.” The plaintiffs argued that the browser was such a facility and that the URL shown in the browser’s address bar was a stored copy of the GET request. The ruling focused on the technical path the GET request takes from the user’s browser on a non-Facebook website, noting that “the GET requests are sent directly between the user and the third-party website. The text displayed in the toolbar serves only as a visual indication—a means of informing the user—of the location of their browser. Thus, the URL’s appearance in the toolbar is not ‘incidental’ to the transmission of the URL or GET request.” A copy of the URL that exists only to inform the user is not a communication in “electronic storage,” so the SCA claim failed.
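The mechanism the cookie paragraph and the GET-request discussion above describe (a page embeds a Facebook plug-in; the browser’s request for that plug-in carries the page’s URL in the Referer header plus whatever cookies Facebook has set) is easy to model. The following is an added example written for this article, not code from Facebook, the plaintiffs or the court. The hosts, cookie names, values and page URL are constructed, and the browser is reduced to two rules that a practitioner actually controls or should know about: the embedding site’s Referrer-Policy decides how much of the page URL is sent, and the cookie’s SameSite attribute (set by the third party, defaulted by the browser) decides whether the cookie rides along on a cross-site load.

```javascript
// Added example for this article (not Facebook's, the plaintiffs' or the court's code).
// A simplified model of what a browser attaches to the request for an embedded
// third-party plug-in, and how Referrer-Policy and SameSite change it.
// Hosts, cookie names, values and the page URL are all constructed.

// A cookie as the third party set it; sameSite is "none", "lax", "strict" or null (unset).
function makeCookie(name, value, sameSite = null) {
  return { name, value, sameSite };
}

// Registrable site of a host, approximated as its last two labels (enough here;
// a real browser consults the Public Suffix List).
function siteOf(host) {
  return host.split(".").slice(-2).join(".");
}

// Cookies the browser attaches to a request from a page on pageHost to targetHost.
// Same-site: everything. Cross-site subresource (an <iframe> or <script> load):
// only SameSite=None cookies. A cookie with no attribute is treated as Lax when
// defaultLax is true (Chromium's behaviour since 2020) and as None otherwise
// (every browser before then, i.e. the situation the lawsuit describes).
function cookiesForRequest(jar, pageHost, targetHost, defaultLax) {
  const sameSite = siteOf(pageHost) === siteOf(targetHost);
  return jar
    .filter(c => sameSite || (c.sameSite ?? (defaultLax ? "lax" : "none")) === "none")
    .map(c => `${c.name}=${c.value}`);
}

// Referer value for a request from pageUrl to targetUrl under the given Referrer-Policy.
// The fragment is never sent; a downgrade is an https page requesting an http target.
function refererFor(pageUrl, targetUrl, policy) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const crossOrigin = page.origin !== target.origin;
  const downgrade = page.protocol === "https:" && target.protocol === "http:";
  const full = page.origin + page.pathname + page.search;
  const originOnly = page.origin + "/";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return crossOrigin ? null : full;
    case "strict-origin": return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin-when-cross-origin":
      return downgrade ? null : (crossOrigin ? originOnly : full);
    default: throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// The headers the browser sends when a page at pageUrl loads the plug-in at pluginUrl.
function pluginRequest({ pageUrl, pluginUrl, jar, referrerPolicy, defaultLax }) {
  const pageHost = new URL(pageUrl).hostname;
  const targetHost = new URL(pluginUrl).hostname;
  const headers = { Host: targetHost };
  const referer = refererFor(pageUrl, pluginUrl, referrerPolicy);
  if (referer !== null) headers.Referer = referer;
  const cookies = cookiesForRequest(jar, pageHost, targetHost, defaultLax);
  if (cookies.length > 0) headers.Cookie = cookies.join("; ");
  return headers;
}

// Constructed sample: cookies the social network set in the browser at account creation.
// Neither carries a SameSite attribute, as was universal before 2020.
function sampleJar() {
  return [
    makeCookie("uid", "12345"),         // the account's login ID
    makeCookie("browser_id", "b-91ac"), // persists after logout, ties the browser to the account
  ];
}

// Three situations for the same sensitive page embedding the same plug-in.
function scenarios() {
  const pageUrl = "https://clinic.example/conditions/depression?appt=1";
  const pluginUrl = "https://plugins.social.example/like";
  return {
    // 2011-era browser defaults: full URL in Referer, every cookie attached.
    legacy: pluginRequest({ pageUrl, pluginUrl, jar: sampleJar(),
      referrerPolicy: "no-referrer-when-downgrade", defaultLax: false }),
    // Current defaults: origin only in Referer, attribute-less cookies withheld.
    modern: pluginRequest({ pageUrl, pluginUrl, jar: sampleJar(),
      referrerPolicy: "strict-origin-when-cross-origin", defaultLax: true }),
    // Same browser, but the third party now sets SameSite=None (which requires
    // Secure) on a cookie: that cookie travels again and the loads are linkable.
    modernExplicitNone: pluginRequest({ pageUrl, pluginUrl,
      jar: [...sampleJar(), makeCookie("tracker", "t-7f3a", "none")],
      referrerPolicy: "strict-origin-when-cross-origin", defaultLax: true }),
  };
}

console.log(JSON.stringify(scenarios(), null, 2));
```

The `legacy` result is the 2011 picture the court describes: the request to the plug-in host carries the full page URL (here a condition-specific medical page) together with the cookie holding the login ID, so the third party can join the two without any click. Two things keep this relevant today. Referrer-Policy is the only one of the two knobs the embedding site owns; SameSite belongs to the cookie’s issuer, and a tracker that wants its cookie back simply sets `SameSite=None; Secure`, as the third scenario shows. Separately, the real Like-button embed passes the page URL to Facebook as an `href` query parameter in the plug-in URL itself, which no referrer policy scrubs, so the only page-side control over that disclosure is not loading the plug-in until the user acts. Either way, the check is the same: open the browser’s network inspector on your own pages and read what each third-party request actually carries.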

The case also stands for the proposition that, at least as a matter of contract law, companies are not required to abide by the terms of their privacy policies, even where, as here, the privacy policy is expressly referenced in the terms of use, which are, in fact, a binding contract. The 9th Circuit found that “the Privacy and Data Use Policies do not outline shared commitments to which users must abide. For a contract to exist, there must be an exchange for a promise. The 2011 Data Use Policy does not contain any exchange.” In other words, the privacy policy is just a promise, not a contract. Now, if you could argue that you read the privacy policy and provided Facebook with data and information in (detrimental) reliance not only on what the policy said (“we will collect X information”) but also on what it did NOT say (“we will also collect Y information”), then you might have a contract claim.

So it’s a mixed bag. Facebook wins on the SCA, breach of contract and “fair dealing” claims, whose dismissal the appellate court affirmed, but the suit continues on the other claims. Whether the class action succeeds is something we will know after the case is tried or settles. In a few weeks. Or months. Or years.

Until then, the best lesson is to be as clear as possible when describing your data collection, use and sharing practices and, I can’t emphasize this enough, actually do what you say and test your systems to confirm it. You may be tempted to use people’s personal information for something else, something really cool, right? Resist that temptation. It’s not that you can’t do the thing that’s really cool; sometimes you can, sometimes you can’t. But you can’t do it secretly, especially when you have promised that you won’t. When you tell your customers, “Your privacy is important to us …” try to actually mean it.


Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
