Lane vs. Facebook | |
---|---|
Court | United States District Court for the Northern District of California |
Full case name | Sean Lane, et al. vs. Facebook, Inc., Blockbuster Inc., Fandango Inc., Hotwire, Inc., STA Travel Inc., Overstock.com, Inc., Zappos.com, GameFly, Inc. |
Decided | March 17, 2010 |
Holding | |
Settled under court order; Facebook shut down its Beacon Service and created a $9.5M privacy fund. | |
Court membership | |
Judge(s) sitting | Richard G. Seeborg |
Keywords | |
internet privacy |
Lane vs. Facebook was a class-action lawsuit in the United States District Court for the Northern District of California regarding internet privacy and social media. [1] In December 2007, Facebook launched Beacon, which resulted in users' private information being posted on Facebook without the users' consent. Facebook ended up terminating the Beacon program and created a $9.5 million fund for privacy and security. There was no monetary compensation awarded to Facebook users affected negatively by the Beacon program.
Plaintiff Sean Lane represented the class of Facebook users who had visited Beacon sites. In 2007, he purchased a diamond ring from Overstock.com with the intention of surprising his wife. Without his knowledge, this purchase was broadcast to hundreds of people in his network on Facebook – including his wife. The Beacon feature was an opt-out: in order to disable the feature, one had to understand the privacy controls on Facebook, as well as all of its 40+ affiliate sites. [2] There was also no option to turn off the service permanently. [3] For Facebook, this feature was intended to be a "completely new way of advertising online." [3]
The Beacon feature remained turned on by default, until December 2007, when Facebook instituted new privacy controls. The lawsuit concerns the window of time before those easier-to-understand controls were implemented. [4]
The feature was heavily criticized by security experts and privacy advocates. [5] Security researchers found that Beacon transmitted data even if the user was logged out of Facebook. [6] MoveOn.org, a civic action political group, posted a petition objecting to the new program which gathered the signatures of over 50,000 Facebook members in 10 days. [7]
This section contains content that is written like an advertisement .(November 2019) |
As early as 2003, Attorney Joseph H. Malley, (Law Offices of Joseph H. Malley, PC, Dallas Texas), began investigating the emergence of videos used in online ads to conduct ubiquitous tracking of consumers, developing a litigation plan. The difficulty in developing a strategy concerned little if any legal precedent related to modern technology, and a lack of scientific proof evidencing hidden tracking mechanisms. By 2007, it was determined that sufficient computing device testing had been completed using various software programs, and a new litigation strategy developed to "test" the courthouse. This research culminated in Attorney Malley filing a Federal Class Action against Facebook, and thirty-three companies, including Blockbuster, Zappos, and Overstock, due to privacy violations caused by the Facebook Beacon program. This program resulted in users' private information, obtained from third-party affiliate marketing websites, being posted on Facebook without users' consent. This act was referenced in the Lane v. Facebook, Inc. class action suit. Based on this act, it is generalized to other forms of rental records such as DVDs and video games etc.
With the emergence of new-age computing technology and devices in the early 2000s came websites, 3rd party advertising, and tracking firms using mechanisms that violated a user's privacy. While computer technology was progressing rapidly, federal and state laws had failed to be proactive, a risk to society of ungoverned technology. As such, litigation for violations was relatively non-existent. A new method to litigate Federal privacy cases was needed to protect the hundreds of millions of people violated by unauthorized tracking user's activities online. This was a formidable task since no law firms had litigated cases involving the computer technology inherent within the exchange of user data between third-party affiliated entities; thus there was no case precedent, no "blueprint" to follow. Earlier cases, such as the double-click "cookie" case in 2001, had relied on using a wiretap statute, the Electronic Communication Privacy Act ("ECPA"). While a plausible allegation, it was a weak allegation since the website user had granted such permissible use within the website's term of service ("TOS").
Attorney Malley, who had developed a litigation strategy in the early 2000s involving another federal privacy law, the Driver Privacy Protection Act ("DPPA"), a law related to the unauthorized access to DMV records and permitted statutory damages for privacy violations. IE., $2500.00 damage award "per person-per violation, (per company)", successfully filing numerous federal class actions against 3-400+ companies, sought a similar strategy, but needed to develop a new theory of liability for added assurance to survive a motion to dismiss.
The online advertising industry, in association with analytic companies, had begun using video ads to conduct its ubiquitous tracking, consumer's attention shown to be drawn to such as opposed to written content, In later years, these tracking methods would expand to photos and audio, IE., In 2008, cell phones were re-designed to include a new method of tracking, the use of social apps to collect photos, a process which now permitted a one step "click" process to upload a photo as opposed to the previous six steps, thus consumers were now more inclined to upload photos in mass. This allowed content to be provided for free and which formed the basis for the tracking, IE., EXIF data. Such acts were captured when Attorney Malley used software applications to log HTTP/HTTPS traffic between a computer's web browser and the Internet, analytic tests using two computers interfaced, producing indisputable evidence of such activities: moreover, detailed reports of any and all parties involved in such nefarious activities, IE., "tracking the trackers". In the continuing research of the Industry's business practices in order to determine its monetization interests, such revealed the incorporation of complex graphics within online ads, and the exchange of data derived from video ads not confined to an internal network, used via a TCP/IP protocol. This unauthorized activity would become the core allegation.
Extensive research and case analysis of Federal and State laws, regulations, and Court Opinions yielded limited assistance. An adaptation of the law was needed to litigate this new computer technology involving the unauthorized access to online consumer's data. Attorney Malley seized on an archaic law written concerning the technology of the 1980s involving video cassettes, VHS, and Betamax, the Video Privacy Protection Act ("VPPA"), 18 U.S. Code § 2710 - Wrongful disclosure of video tape rental or sale records, (1988), envisioning that the websites, and any affiliated third-parties, which used the audio and/or video within its marketing ads were "video-providers"; moreover, this content, ads and online games, merely a video; moreover, the essential functionality of the illegal transfer, a "wrongful disclosure", (core elements needed to prove-up a VPPA violation). The use of the VPPA law in regard to this new-age computer technology would set precedent, and become the new "blueprint" used in Federal privacy litigation.
The class that the plaintiffs represented were all Facebook users who visited Beacon affiliate sites, a class of about 3.6 million users. [8] One of the law firms involved was also behind the lawsuits involving digital rights management on the Amazon Kindle, Spore, and the Sony rootkit. [9]
The Beacon affiliated companies were Blockbuster Inc., Fandango.com Inc, Hotwire Inc, STA Travel Inc, Overstock.com Inc, Zappos.com Inc, and GameFly Inc.
The action was brought individually and on behalf of all Facebook users that had been affected by this service, and used it without their knowledge between November and December 2007. [10] The Plaintiffs claimed that Beacon had breached several federal and state privacy laws.
Plaintiffs alleged that Electronic Communications Privacy Act was violated, since the browsing information sent between a Facebook user's computer and the websites of Beacon affiliates was intercepted, and this communication was disclosed for an unlawful purpose. Furthermore, the plaintiffs alleged that this intercepted communication was used to enhance profitability through advertising. By the ECPA, plaintiffs and the Class were entitled to statutory damages of the greater of $10,000 or $100 a day for each day of violation, as well as profits and legal fees. [2]
Plaintiffs alleged that the Video Privacy Protection Act was violated by Fandango, Blockbuster, Overstock, and Gamefly, since those companies are "video tape service providers" within the meaning of the Act, and they knowingly disclosed personally identifiable information to Facebook without informed consent. They also alleged Facebook aided in this violation. [2]
Plaintiffs alleged that Facebook and its Beacon affiliates violated the California Consumer Legal Remedies Act since the terms of the Beacon Affiliates did not state that personally identifiable information was being transmitted to Facebook. The CLRA applies to transactions that are intended to result in the sale of goods to customers. Plaintiffs alleged that this information in conjunction with the disclosure of their identity inflicted irreparable harm. [2]
The plaintiffs alleged that Facebook and its Beacon affiliates violated the California Computer Crime Law and the Computer Fraud and Abuse Act by collecting the information. [2]
Throughout this entire process, Facebook denied any wrongdoing whatsoever on their part or on the part of any of the companies affiliated with them.
The settlement phase posed a difficult problem. Facebook by now was nearing 400-500 million users, individuals that qualified as prospective class members. In the history of Federal Class Actions, Courts had not envisioned, nor encountered, such a large class: moreover, a method and means to provide a remedy. There could not be a "coupon", return of a product, or statutory violation of $2500.00 per person-per use, such would amount to "Annihilation of damages", a potential monetary award, if imposed, that would annihilate Facebook, thus bankrupt Facebook. Attorney Malley, determined not only to have Facebook cease its tracking activities, also wanted a residual purpose to filing privacy class actions. A concept he envisioned to remedy these issues involved setting up a trust within Privacy Class Action Settlements to fund educational programs for parents and children about the uses and dangers of the Internet that would provide such a purpose, a concept used in settling Facebook and Nebuad. Funding for these types of programs had in excess of $10,000,000.00 by 2013. This concept was then adopted by many subsequent settlements.
Fordham Law School's Center for Law and Information Policy will announce and release a first-ever curriculum for privacy education geared to middle school students. [11]
"The program was financed by a court-approved settlement in the class action lawsuit against NebuAd....Participating schools: Berkeley Law, UC-Irvine, Georgetown, Harvard's Berkman Center, Idaho, Princeton's Center for Information Technology Policy,..and Yale." [12]
Facebook established a cash settlement fund of $9.5 MM. [13] The money was used to establish and operate a privacy foundation which was devoted to funding and sponsoring programs designed to educate users. The privacy foundation has sole responsibility over the management and distribution of its funds. Facebook also had to provide the following relief:
The decision to let Facebook have one seat on the newly established privacy funds' three-person board was controversial. [4] Several nonprofit organizations, including the Electronic Privacy Information Center and Center for Digital Democracy wrote an objection to the settlement, on the grounds that the proposed foundation would not satisfactorily represent the interests of Facebook users. [15]
Spyware is any software with malicious behavior that aims to gather information about a person or organization and send it to another entity in a way that harms the user by violating their privacy, endangering their device's security, or other means. This behavior may be present in malware and in legitimate software. Websites may engage in spyware behaviors like web tracking. Hardware devices may also be affected.
The Telephone Consumer Protection Act of 1991 (TCPA) was passed by the United States Congress in 1991 and signed into law by President George H. W. Bush as Public Law 102-243. It amended the Communications Act of 1934. The TCPA is codified as 47 U.S.C. § 227. The TCPA restricts telephone solicitations and the use of automated telephone equipment. The TCPA limits companies or debt collectors from calling clients or prospective customers using automatic dialing systems, artificial or prerecorded voice messages, SMS text messages, and fax machines. It also specifies several technical requirements for fax machines, autodialers, and voice messaging systems—principally with provisions requiring identification and contact information of the entity using the device to be contained in the message.
The Video Privacy Protection Act (VPPA) is a bill that was passed by the United States Congress in 1988 as Pub. L.Tooltip Public Law (United States) 100–618 and signed into law by President Ronald Reagan. It was created to prevent what it refers to as "wrongful disclosure of video tape rental or sale records" or similar audio visual materials, to cover items such as video games and the future DVD format. Congress passed the VPPA after Robert Bork's video rental history was published during his Supreme Court nomination and it became known as the "Bork bill". It makes any "video tape service provider" that discloses rental information outside the ordinary course of business liable for up to $2500 in actual damages.
Zango,, formerly ePIPO, 180solutions and Hotbar, was a software company that provided users access to its partners' videos, games, tools and utilities in exchange for viewing targeted advertising placed on their computers. Zango software is listed as adware by Symantec, and is also labeled as a potentially unwanted program by McAfee. Zango was co-founded by two brothers: Keith Smith, who served as the CEO; and Ken Smith, who served as the CTO.
The multinational technology corporation Apple Inc. has been a participant in various legal proceedings and claims since it began operation and, like its competitors and peers, engages in litigation in its normal course of business for a variety of reasons. In particular, Apple is known for and promotes itself as actively and aggressively enforcing its intellectual property interests. From the 1980s to the present, Apple has been plaintiff or defendant in civil actions in the United States and other countries. Some of these actions have determined significant case law for the information technology industry and many have captured the attention of the public and media. Apple's litigation generally involves intellectual property disputes, but the company has also been a party in lawsuits that include antitrust claims, consumer actions, commercial unfair trade practice suits, defamation claims, and corporate espionage, among other matters.
Intelius, Inc. is a public records business headquartered in Seattle, Washington, United States. It provides information services, including people and property search, background checks and reverse phone lookup. Users also have the ability to perform reverse address lookups to find people using Intelius’ services and an address. Intelius, founded by former InfoSpace executives, was started in 2003. It is owned and operated by PeopleConnect, Inc.
Beacon formed part of Facebook's advertisement system that sent data from external websites to Facebook, for the purpose of allowing targeted advertisements and allowing users to share their activities with their friends. Beacon reported to Facebook on Facebook's members' activities on third-party sites that also participated with Beacon. These activities were published in users' News Feed. This occurred even when users were not connected to Facebook, and happened without the knowledge of the Facebook user. The service was controversial and became the target of a class-action lawsuit, resulting in it shutting down in September 2009. One of the main concerns was that Beacon did not give the user the option to block the information from being sent to Facebook. Beacon was launched on November 6, 2007, with 44 partner websites. Mark Zuckerberg, CEO of Facebook, characterized Beacon on the Facebook Blog in November 2011 as a "mistake." Although Beacon was unsuccessful, it did pave the way for Facebook Connect, which has become widely popular.
The Digital Millennium Copyright Act (DMCA) is a 1998 United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization (WIPO). It criminalizes production and dissemination of technology, devices, or services intended to circumvent measures that control access to copyrighted works. It also criminalizes the act of circumventing an access control, whether or not there is actual infringement of copyright itself. In addition, the DMCA heightens the penalties for copyright infringement on the Internet. Passed on October 12, 1998, by a unanimous vote in the United States Senate and signed into law by President Bill Clinton on October 28, 1998, the DMCA amended Title 17 of the United States Code to extend the reach of copyright, while limiting the liability of the providers of online services for copyright infringement by their users.
In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 ("DoubleClick"), had Internet users initiate proceedings against DoubleClick, alleging that DoubleClick's placement of web cookies on computer hard drives of Internet users who accessed DoubleClick-affiliated web sites constituted violations of three federal laws: The Stored Communications Act, the Wiretap Statute and the Computer Fraud and Abuse Act.
The Driver's Privacy Protection Act of 1994, Title XXX of the Violent Crime Control and Law Enforcement Act, is a United States federal statute governing the privacy and disclosure of personal information gathered by state Departments of Motor Vehicles.
Facebook, Inc. v. Power Ventures, Inc. is a lawsuit brought by Facebook in the United States District Court for the Northern District of California alleging that Power Ventures Inc., a third-party platform, collected user information from Facebook and displayed it on their own website. Facebook claimed violations of the CAN-SPAM Act, the Computer Fraud and Abuse Act ("CFAA"), and the California Comprehensive Computer Data Access and Fraud Act. According to Facebook, Power Ventures Inc. made copies of Facebook's website during the process of extracting user information. Facebook argued that this process causes both direct and indirect copyright infringement. In addition, Facebook alleged this process constitutes a violation of the Digital Millennium Copyright Act ("DMCA"). Finally, Facebook also asserted claims of both state and federal trademark infringement, as well as a claim under California's Unfair Competition Law ("UCL").
In the middle of 2009 the Federal Trade Commission filed a complaint against Sears Holdings Management Corporation (SHMC) for unfair or deceptive acts or practices affecting commerce. SHMC operates the sears.com and kmart.com retail websites for Sears Holdings Corporation. As part of a marketing effort, some users of sears.com and kmart.com were invited to download an application developed for SHMC that ran in the background on users' computers collecting information on nearly all internet activity. The tracking aspects of the program were only disclosed in legalese in the middle of the End User License Agreement. The FTC found this was insufficient disclosure given consumers expectations and the detailed information being collected. On September 9, 2009 the FTC approved a consent decree with SHMC requiring full disclosure of its activities and destruction of previously obtained information.
Edelson PC is an American plaintiffs' law firm that focuses on public client investigations, class actions, mass tort, and consumer protection laws. Edelson’s cases include class action settlements against Facebook for $650 million (2021), social casino apps for nearly $200 million (2021), and a $925 million verdict against ViSalus (2020.)
A zombie cookie is a piece of data usually used for tracking users, which is created by a web server while a user is browsing a website, and placed on the user's computer or other device by the user's web browser, similar to regular HTTP cookies, but with mechanisms in place to prevent the deletion of the data by the user. Zombie cookies could be stored in multiple locations—since failure to remove all copies of the zombie cookie will make the removal reversible, zombie cookies can be difficult to remove. Since they do not entirely rely on normal cookie protocols, the visitor's web browser may continue to recreate deleted cookies even though the user has opted not to receive cookies.
Google has been involved in multiple lawsuits over issues such as privacy, advertising, intellectual property and various Google services such as Google Books and YouTube. The company's legal department expanded from one to nearly 100 lawyers in the first five years of business, and by 2014 had grown to around 400 lawyers. Google's Chief Legal Officer is Senior Vice President of Corporate Development David Drummond.
Google's changes to its privacy policy on March 16, 2012, enabled the company to share data across a wide variety of services. These embedded services include millions of third-party websites that use AdSense and Analytics. The policy was widely criticized for creating an environment that discourages Internet-innovation by making Internet users more fearful and wary of what they do online.
Cross-device tracking is technology that enables the tracking of users across multiple devices such as smartphones, television sets, smart TVs, and personal computers.
The Biometric Information Privacy Act is a law set forth on October 3, 2008 in the U.S. state of Illinois, in an effort to regulate the collection, use, and handling of biometric identifiers and information by private entities. Notably, the Act does not apply to government entities. While Texas and Washington are the only other states that implemented similar biometric protections, BIPA is the most stringent. The Act prescribes $1,000 per violation, and $5,000 per violation if the violation is intentional or reckless. Because of this damages provision, the BIPA has spawned several class action lawsuits.
Meta Platforms, formerly Facebook, Inc., has been involved in many lawsuits since its founding in 2004.
Meta Platforms Inc., or Meta for short, has faced a number of privacy concerns. These stem partly from the company's revenue model that involves selling information collected about its users for many things including advertisement targeting. Meta Platforms Inc. has also been a part of many data breaches that have occurred within the company. These issues and others are further described including user data concerns, vulnerabilities in the company's platform, investigations by pressure groups and government agencies, and even issues with students. In addition, employers and other organizations/individuals have been known to use Meta Platforms Inc. for their own purposes. As a result, individuals’ identities and private information have sometimes been compromised without their permission. In response to these growing privacy concerns, some pressure groups and government agencies have increasingly asserted the users’ right to privacy and to be able to control their personal data.