Hot Docs: Facebook sued (again) for privacy violations

November 17, 2011

FB wiretapFacebook is getting sued again, and, unsurprisingly, over alleged privacy violations.

Since this song and dance is nothing new, I’m just going to skip to the punch line.

The suit alleges that Facebook maintains individual personal information and “monitors the individual online habits of their users [sic] keeping track of websites they visit,” in violation of the Wiretap Act.

Anyone familiar with the Wiretap Act may be wondering how, exactly, this behavior constitutes a violation, since the Act prohibits the “intentional interception” of “electronic communications.”

The complaint claims that Facebook is “intercepting” “cookies.”

“Cookies,” a term thrown around a lot in online privacy discussions, are packets of information that are communicated back and forth between a user’s web browser and the website the user is accessing.

Originally used online as a solution for remembering the contents of a user’s shopping cart, cookies are widely and heavily employed today.

For example, every time you visit a website, or a particular page within a website, cookies are exchanged back and forth.

Every time you click on an ad, cookies are exchanged.

Whenever you search for something on Google…

Whenever you send an email…

Whenever you log in to a website…

Cookies are exchanged.

Hot Doc: Vickery v. Facebook Inc.

Source: Thomson Reuters News & Insight – National Litigation

Though there are certainly privacy issues at play, to anyone who understands on even a superficial level how cookies and the Wiretap Act operate, the lawsuit doesn’t seem to make any sense.

First, the complaint states that the transmission of data was between the plaintiff’s computer and the Internet.

Um…what?

The Internet is not a single place or point; it is a series of interconnected computer networks that use the same protocol (i.e. speak the same language).

Therefore, it is impossible to just send a message to “the Internet;” you must have a specific recipient on the Internet.

Of course, in order to invoke a Wiretap Act violation, you’d have to allege that Facebook was not the intended recipient, which the complaint attempts to do here.

Unfortunately, the allegations do not comport with reality: Facebook was the intended recipient of all cookies sent from the plaintiff’s computer.

The lawsuit also alleges that information – a lot of it – from other websites is “intercepted” by Facebook, but, again, this isn’t interception within the meaning of the Wiretap Act.

The complaint is referring to times when you visit websites other than Facebook, but Facebook still somehow collects information about your being there (and what you looked at, what you searched for, what you bought, etc).

Facebook is able to legally do this under the Wiretap Act because these websites have an integrated Facebook feature that allows the website and Facebook to connect via the user (i.e. you can Facebook “Like” content on, say, Amazon.com).

Thus, cookies are intentionally sent to Facebook by the user accessing these outside websites, and Facebook can track and collect data on a particular user’s shopping list, medical inquiries, and legal concerns.

True, logging out of Facebook makes the information contained within these cookies anonymous, but as soon as you log back in (or sign up for Facebook), all of that information still retained by Facebook is matched up with your profile.

Are there privacy concerns here?

Definitely.

Is it a violation of the Wiretap Act?

Almost certainly not.

This lawsuit and the many others like it illustrate an important point, though.

They keep manifesting because there are such massive privacy implications here, and there is virtually no legal framework for dealing with it (thus, the slew of lawsuits).

As I’ve said many times before and will probably say again, Congress needs to take action, and quickly.