A raft of class action lawsuits filed in Federal court charge the globe’s biggest social networking
firms with violating federal communications privacy laws, allowing advertisers to profit from personal information harvested from users.
Weeks after the Wall Street Journal blew the whistle on lax data privacy standards on Facebook, a string of class action suits attempt to hold the social networking giant, as well as game company Zynga and Google liable for what the suits contend are lax practices that allow advertisers to harvest personal information on Web users.
The suits are seeking monetary damages on behalf of potentially millions of users of Facebook, Google and game company Zynga. The suits allege that the users’ personal information has been leaked to advertisers and other unauthorized individuals, in violation of the companies’ privacy policies and a number of state and federal statues protecting the confidentiality of electronic communications.
Two suits were filed on October 18 and 19 in U.S. District Court for the Northern District of California in the name of individual users in Connecticut, Minnesota and California, but on behalf of a broad class of users who have established accounts and shared private data with Facebook, Google, and game giant Zynga. In each case, the defendants are accused of improperly sharing personal data with third parties – including advertisers and seek monetary damages and relief to stop what the cases allege is illegal data sharing practices.
The suits follow a Wall Street Journal expose, published on October 18 that revealed lax data security practices by many popular applications on the massive social network. Among other things, that article revealed that the top 10 Facebook applications, including mega hits such as Zynga Game Network Inc.’s Farmville and Texas HoldEm Poker transmit players’ unique Facebook ID to outside firms. The Facebook ID is an identifier that, depending on a user’s account settings, might also provide access to information such as the user’s age, residence, occupation and even personal photos.
Facebook acknowledged that IDs may be ‘inadvertently shared’ at the time, but denied that knowing that ID provided access to a Facebook user’s private information. Still, the company said it would introduce new technology to contain the problem.
Two cases filed in U.S. District Court for the Northern District of California refer directly to that kind of activity. Nancy Walther Graf v. Zynga Game Network, Inc. was filed on October 18, the same day the Journal article appeared, and Shelley Albini v. Zynga Game Network Inc. and Facebook, Inc., which was filed the next day. Graf v. Zynga explicitly mentions the Journal article as evidence against Zynga, while Albini vs. Zynga and Facebook seems narrowly tailored around the very problem described in the Journal article: the unauthorized transmission of users Facebook ID to advertising and data aggregation firms.
A third class action suit, Paloma Gaos v. Google Inc., was filed in U.S. District Court for the Northern District of California on October 25 and charges the search giant with violating users privacy with its implementation of HTTP referrers, or “Referrer Headers.” Those are the ubiquitous, modified URLs that are created as users click from one ‘referring’ Web page or search results list to another. Those URLs transmit reams of data about a user and their search preferences, the suit alleges, in violation of its own promises to protect the privacy of its users. That data can then be reassembled by third party firms, like RapLeaf, which can then sell it to advertisers.
This kind of inadvertent data leak via search data and HTTP referrers is also mentioned in the Graf vs. Zynga case, and both Graf and Gaos are being represented by the same firm: Nassiri & Jung LLP of San Francisco and Edelson McGuire LLC. It was also the subject of a complaint filed with the U.S. Federal Trade Commission (FTC) earlier in October by privacy advocate and former FTC technologist Chris Soghoian. That complain alleged that referrer header data could disclose sensitive information including Social Security and credit card account numbers, if a user was searching for that kind of data.
In addition to violating the terms of their own user agreements and privacy statements, the suits allege, the practices of Google, Facebook and Zynga run afoul of both federal and California state law. The suits charge the companies with breach of contract and “unjust enrichment” under California’s Civil Code and allege violations of California’s Unfair Competition Law and Computer Crime Law. They also claim violations of the Federal Stored Communications Act of 1986 and Electronic Communications Privacy Act.
While no specific demands for damages are made, the amounts in question could be quite large, given the number of users identified in the “classes”- “all Facebook users in the United States who, at any time after October 18, 2006, used a Facebook application” in the case of the Albini case — and the provisions of the laws cited. The Electronic Communications Privacy Act, for example, entitles the Plaintiff and Class to statutory damages of $10,000 or $100 per day for each day of violation.”
Neither Zynga nor Facebook responded to e-mail requests for comment. Aaron Zamost, a Google spokesman, said the company wasn’t commenting on the suit filed against it at this time.
It is unclear whether the claims made in the suit will hold water in federal court, however. Among other things, the firms may argue that their efforts to anonymize data are adequate and that the ability of third parties to combine that anonymous data with other information feed available online to make it less anonymous and recreate user identities is beyond their control. In the last week, the U.S. Federal Trade Commission decided not to penalize Google for inadvertently collecting information on U.S. residents as part of its Street View sweeps of local neighborhoods after the firm promised to tighten up its practices.
The security and privacy of social networks is a growing concern among consumers and businesses alike. Third party applications that run on Facebook and other social networks have been shown to be vulnerable to manipulation or to use deceptive practices. Recently, Facebook has taken steps to make it harder to publish applications anonymously.