Lane vs. Facebook | |
Court: | United States District Court for the Northern District of California |
Full Name: | Sean Lane, et al. vs. Facebook, Inc., Blockbuster Inc., Fandango Inc., Hotwire, Inc., STA Travel Inc., Overstock.com, Inc., Zappos.com, GameFly, Inc. |
Date Decided: | March 17, 2010 |
Judge: | Richard G. Seeborg |
Holding: | Settled under court order; Facebook shut down its Beacon Service and created a $9.5M privacy fund. |
Keywords: | internet privacy |
Lane vs. Facebook was a class-action lawsuit in the United States District Court for the Northern District of California regarding internet privacy and social media.[1] In December 2007, Facebook launched Beacon, which resulted in users' private information being posted on Facebook without the users' consent. Facebook ended up terminating the Beacon program and created a $9.5 million fund for privacy and security. There was no monetary compensation awarded to Facebook users affected negatively by the Beacon program.
Plaintiff Sean Lane represented the class of Facebook users who had visited Beacon sites. In 2007, he purchased a diamond ring from Overstock.com with the intention of surprising his wife. Without his knowledge, this purchase was broadcast to hundreds of people in his network on Facebook – including his wife. The Beacon feature was an opt-out: in order to disable the feature, one had to understand the privacy controls on Facebook, as well as all of its 40+ affiliate sites.[2] There was also no option to turn off the service permanently.[3] For Facebook, this feature was intended to be a "completely new way of advertising online."[3]
The Beacon feature remained turned on by default, until December 2007, when Facebook instituted new privacy controls. The lawsuit concerns the window of time before those easier-to-understand controls were implemented.[4]
The feature was heavily criticized by security experts and privacy advocates.[5] Security researchers found that Beacon transmitted data even if the user was logged out of Facebook.[6] MoveOn.org, a civic action political group, posted a petition objecting to the new program which gathered the signatures of over 50,000 Facebook members in 10 days.[7]
As early as 2003, Attorney Joseph H. Malley, (Law Offices of Joseph H. Malley, PC, Dallas Texas), began investigating the emergence of videos used in online ads to conduct ubiquitous tracking of consumers, developing a litigation plan. The difficulty in developing a strategy concerned little if any legal precedent related to modern technology, and a lack of scientific proof evidencing hidden tracking mechanisms. By 2007, it was determined that sufficient computing device testing had been completed using various software programs, and a new litigation strategy developed to "test" the courthouse. This research culminated in Attorney Malley filing a Federal Class Action against Facebook, and thirty-three companies, including Blockbuster, Zappos, and Overstock, due to privacy violations caused by the Facebook Beacon program. This program resulted in users' private information, obtained from third-party affiliate marketing websites, being posted on Facebook without users' consent. This act was referenced in the Lane v. Facebook, Inc. class action suit. Based on this act, it is generalized to other forms of rental records such as DVDs and video games etc.
With the emergence of new-age computing technology and devices in the early 2000s came websites, 3rd party advertising, and tracking firms using mechanisms that violated a user's privacy. While computer technology was progressing rapidly, federal and state laws had failed to be proactive, a risk to society of ungoverned technology. As such, litigation for violations was relatively non-existent. A new method to litigate Federal privacy cases was needed to protect the hundreds of millions of people violated by unauthorized tracking user's activities online. This was a formidable task since no law firms had litigated cases involving the computer technology inherent within the exchange of user data between third-party affiliated entities; thus there was no case precedent, no "blueprint" to follow. Earlier cases, such as the double-click "cookie" case in 2001, had relied on using a wiretap statute, the Electronic Communication Privacy Act ("ECPA"). While a plausible allegation, it was a weak allegation since the website user had granted such permissible use within the website's term of service ("TOS").
Attorney Malley, who had developed a litigation strategy in the early 2000s involving another federal privacy law, the Driver Privacy Protection Act ("DPPA"), a law related to the unauthorized access to DMV records and permitted statutory damages for privacy violations. IE., $2500.00 damage award "per person-per violation, (per company)", successfully filing numerous federal class actions against 3-400+ companies, sought a similar strategy, but needed to develop a new theory of liability for added assurance to survive a motion to dismiss.
The online advertising industry, in association with analytic companies, had begun using video ads to conduct its ubiquitous tracking, consumer's attention shown to be drawn to such as opposed to written content, In later years, these tracking methods would expand to photos and audio, IE., In 2008, cell phones were re-designed to include a new method of tracking, the use of social apps to collect photos, a process which now permitted a one step "click" process to upload a photo as opposed to the previous six steps, thus consumers were now more inclined to upload photos in mass. This allowed content to be provided for free and which formed the basis for the tracking, IE., EXIF data. Such acts were captured when Attorney Malley used software applications to log HTTP/HTTPS traffic between a computer's web browser and the Internet, analytic tests using two computers interfaced, producing indisputable evidence of such activities: moreover, detailed reports of any and all parties involved in such nefarious activities, IE., "tracking the trackers". In the continuing research of the Industry's business practices in order to determine its monetization interests, such revealed the incorporation of complex graphics within online ads, and the exchange of data derived from video ads not confined to an internal network, used via a TCP/IP protocol. This unauthorized activity would become the core allegation.
Extensive research and case analysis of Federal and State laws, regulations, and Court Opinions yielded limited assistance. An adaptation of the law was needed to litigate this new computer technology involving the unauthorized access to online consumer's data. Attorney Malley seized on an archaic law written concerning the technology of the 1980s involving video cassettes, VHS, and Betamax, the Video Privacy Protection Act ("VPPA"), 18 U.S. Code § 2710 - Wrongful disclosure of video tape rental or sale records, (1988), envisioning that the websites, and any affiliated third-parties, which used the audio and/or video within its marketing ads were "video-providers"; moreover, this content, ads and online games, merely a video; moreover, the essential functionality of the illegal transfer, a "wrongful disclosure", (core elements needed to prove-up a VPPA violation). The use of the VPPA law in regard to this new-age computer technology would set precedent, and become the new "blueprint" used in Federal privacy litigation.
The class that the plaintiffs represented were all Facebook users who visited Beacon affiliate sites, a class of about 3.6 million users.[8] One of the law firms involved was also behind the lawsuits involving digital rights management on the Amazon Kindle, Spore, and the Sony rootkit.[9]
The Beacon affiliated companies were Blockbuster Inc., Fandango.com Inc, Hotwire Inc, STA Travel Inc, Overstock.com Inc, Zappos.com Inc, and GameFly Inc.
The action was brought individually and on behalf of all Facebook users that had been affected by this service, and used it without their knowledge between November and December 2007.[10] The Plaintiffs claimed that Beacon had breached several federal and state privacy laws.
Plaintiffs alleged that Electronic Communications Privacy Act was violated, since the browsing information sent between a Facebook user's computer and the websites of Beacon affiliates was intercepted, and this communication was disclosed for an unlawful purpose. Furthermore, the plaintiffs alleged that this intercepted communication was used to enhance profitability through advertising. By the ECPA, plaintiffs and the Class were entitled to statutory damages of the greater of $10,000 or $100 a day for each day of violation, as well as profits and legal fees.[2]
Plaintiffs alleged that the Video Privacy Protection Act was violated by Fandango, Blockbuster, Overstock, and Gamefly, since those companies are "video tape service providers" within the meaning of the Act, and they knowingly disclosed personally identifiable information to Facebook without informed consent. They also alleged Facebook aided in this violation.[2]
Plaintiffs alleged that Facebook and its Beacon affiliates violated the California Consumer Legal Remedies Act since the terms of the Beacon Affiliates did not state that personally identifiable information was being transmitted to Facebook. The CLRA applies to transactions that are intended to result in the sale of goods to customers. Plaintiffs alleged that this information in conjunction with the disclosure of their identity inflicted irreparable harm.[2]
The plaintiffs alleged that Facebook and its Beacon affiliates violated the California Computer Crime Law and the Computer Fraud and Abuse Act by collecting the information.[2]
Throughout this entire process, Facebook denied any wrongdoing whatsoever on their part or on the part of any of the companies affiliated with them.
The settlement phase posed a difficult problem. Facebook by now was nearing 400-500 million users, individuals that qualified as prospective class members. In the history of Federal Class Actions, Courts had not envisioned, nor encountered, such a large class: moreover, a method and means to provide a remedy. There could not be a "coupon", return of a product, or statutory violation of $2500.00 per person-per use, such would amount to "Annihilation of damages", a potential monetary award, if imposed, that would annihilate Facebook, thus bankrupt Facebook. Attorney Malley, determined not only to have Facebook cease its tracking activities, also wanted a residual purpose to filing privacy class actions. A concept he envisioned to remedy these issues involved setting up a trust within Privacy Class Action Settlements to fund educational programs for parents and children about the uses and dangers of the Internet that would provide such a purpose, a concept used in settling Facebook and Nebuad. Funding for these types of programs had in excess of $10,000,000.00 by 2013. This concept was then adopted by many subsequent settlements.
Fordham Law School's Center for Law and Information Policy will announce and release a first-ever curriculum for privacy education geared to middle school students.[11]
"The program was financed by a court-approved settlement in the class action lawsuit against NebuAd....Participating schools: Berkeley Law, UC-Irvine, Georgetown, Harvard's Berkman Center, Idaho, Princeton's Center for Information Technology Policy,..and Yale."[12]
Facebook established a cash settlement fund of $9.5 MM.[13] The money was used to establish and operate a privacy foundation which was devoted to funding and sponsoring programs designed to educate users. The privacy foundation has sole responsibility over the management and distribution of its funds. Facebook also had to provide the following relief:
The decision to let Facebook have one seat on the newly established privacy funds' three-person board was controversial.[4] Several nonprofit organizations, including the Electronic Privacy Information Center and Center for Digital Democracy wrote an objection to the settlement, on the grounds that the proposed foundation would not satisfactorily represent the interests of Facebook users.[15]