Facebook Sued Over Default Privacy Settings in Late-Year Revisions
Facebook is unintentionally aiding organized crime groups that “scour the Internet for personal information,” according to near-identical lawsuits seeking class-action status in the U.S. District Court in San Jose, Calif. The social networking site’s changes to default privacy settings late last year -- opening more personal information to public view and the subject of a complaint to the FTC (WID Dec 18 p2) -- made it easier for those groups to “dupe” Internet users into handing over more information and then stealing from or impersonating users, said the suits. We couldn’t reach attorney David Lake, who filed both two weeks ago but used different sets of lead plaintiffs, nine in all, as well as different co-counsels.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
An early goal of the suits -- consolidation with the $9.5 million settlement over Facebook’s defunct Beacon advertising program (WID Sept 22 p6) -- hasn’t been achieved. U.S. District Judge Richard Seeborg in San Jose ruled Thursday that the two new cases under consideration by his colleague Judge Jeremy Fogel, Silverstri v. Facebook and Markowitz v. Facebook, weren’t related to the Beacon settlement in Lane v. Facebook. Seeborg gave the settlement preliminary approval last fall but its provisions have come in for criticism because it would give the class no financial compensation. He will consider final approval at a Feb. 26 hearing. Fogel hasn’t yet ruled on another motion by the two sets of privacy-setting plaintiffs to merge their cases.
The new default privacy settings, if left intact by users after a quick review, could open them up to “identity theft, harassment and embarrassment,” the suits said. The defaults have been criticized far and wide as deceptive, confusing even to savvy users and primarily intended to drive more traffic to Facebook through search indexing, they said. The changes go beyond Facebook’s “expected commercial use” of users’ data, selling targeted advertising across its site. Contrary to how they were pitched to users in pop-up messages, the changes in November and December made far more information publicly available by default, including profile photos, friend lists, pages that users are fans of “including controversial political causes,” geographic region and gender, the suits said. In a nod to FTC concern over the practice (WID Feb 10/09 p3), the suits call attention to the “negative option” method that Facebook uses, pre-clicking certain options in privacy settings. Those 29 settings are spread across several pages and are “all set at the minimum level of protection."
Though Facebook told users in November they could control access by third-party applications to their data, the “one-click option” to block information from being shared through the Facebook API was deleted, the suits said. Users now can only control a few fields, whereas publicly-available information will “always” be open to applications, giving users no “realistic option” for privacy. They would have to visit each application’s “about” page and “click a small link” to block access, the suits said. Less than a month ago Facebook made e-mail addresses more available to developers, “contrary to the ideals” in its privacy policy.
Through the defaults, Facebook violates the Electronic Data Privacy Act, a statutory right of publicity, California’s deceptive business practices law and the state penal code concerning access to personal information, the suits said. It also commits wrongful appropriation and unjust enrichment. The suits ask the court to enter an injunction against Facebook and require it to make several changes: (1) Change defaults to more protective settings such as “friends” and “not allowed.” (2) Provide an 800 number and live-chat system to answer privacy and security question, plus an “on-site video” and presentation explaining settings. (3) Do a “complete redraft” of its privacy policy. (4) Require developers to show a privacy page right after a user logs into to an application for the first time.
A Facebook spokesman provided largely the same statement the company issued when the Canadian privacy commissioner announced a new investigation over Facebook’s default settings (WID Jan 29 p10). The transition process to the new settings was “transparent, consistent with people’s expectations, and well within the law,” with an “unprecedented” campaign to inform users and no changes implemented until users affirmatively accepted them, he said.