The latest lawsuit filed against social networking giant Facebook may ultimately lead to change in how social networks can collect and use our communications, but in the meantime serves to highlight the obsolescence and vagueness of the legislation that protects the personal data we share via social networks and email.
Re/code reports that Facebook will face a class-action lawsuit that accuses it of violating users’ privacy by scanning the messages that they send to other users of the social network. U.S. District Judge Phyllis Hamilton dismissed some state-law claims against the company but denied Facebook’s bid to dismiss the lawsuit, which will now seek to establish how routine the process of scanning messages is to the tech firm’s business.
Facebook has argued that the alleged scanning of users’ messages was covered by an exception under the federal Electronic Communications Privacy Act (ECPA) for interceptions by service providers occurring in the ordinary course of business. But Hamilton says that the social media company has “not offered a sufficient explanation of how the challenged practice falls within the ordinary course of its business.” According to Newsweek, Hamilton ruled that Facebook hadn’t provided enough information to qualify for the exemption:
[The terms of service do] not establish that users consented to the scanning of their messages for advertising purposes, and in fact, makes no mention of ‘messages’ whatsoever. Facebook’s unwillingness to offer any details regarding its targeted advertising practice prevents the court from being able to determine whether the specific practice challenged in this case should be considered ‘ordinary.’
The particulars of Facebook’s message scanning are unclear
As Ars Technica notes, Facebook claims that it must handle the content of users’ messages in order to ensure their delivery, and therefore it can’t “unlawfully” intercept them. The court responded by reading Facebook’s entire terms of service — where the document’s vague language became a liability — and ruled that the document does not establish that users consented to the scanning of their messages for advertising purposes.
The proceedings also focused on whether the scanning of messages is a normal practice of messaging operations. An email service provider, for example, isn’t considered to “intercept” messages when handling them on a server. How the scanning system works will need to be established in court.
The lawsuit was originally filed in 2013 and alleged that Facebook scanned the content of private messages for links to websites and would then count those links in a tally of “likes” of the pages. The “likes” were used to compile user profiles in delivering targeted advertising, and the complaint alleged that the original scanning of the private messages violated both federal and California state law. Facebook reportedly ceased the practice in October 2012, but the company says that it still completes some “analysis” of messages to protect users against viruses and spam.
The suit, filed by Facebook user Matthew Campbell, seeks class-action status on behalf of U.S. users who sent or received private messages that included website addresses. The case is Campbell et al v. Facebook Inc., U.S. District Court, Northern District of California, No. 13-5996, and alleges that “Facebook systematically intercepts users’ messages in order to mine user data for sharing with third parties,” including “advertisers, marketers, and other data aggregators.”
The Next Web writes that the suit seeks damages of up to $10,000 to be paid out per user, and for Facebook to stop scanning messages. Because the majority of Facebook’s revenue is made through advertising, it will likely fight the case not only to avoid payouts but to continue to scan messages for information that will make its profiles for targeted advertising more comprehensive.
The legislation protecting our electronic communications is outdated
As The New York Times reported almost four years ago, in 2011, the privacy law — which was first enacted in 1986, before the use of email or mobile phones was widespread and prior to the birth of the earliest social networks — is outdated and “outrun by the web.”
Just as law enforcement agencies were beginning to target Google, Facebook, and telecommunications companies with requests for user data, the Times noted that Internet companies and consumer advocates were growing concerned that the main law governing communication privacy consisted of “a patchwork of confusing standards that have been interpreted inconsistently by the courts.”
Susan Freiwald, a professor at the University of San Francisco School of Law and an expert in electronic surveillance law, told the newspaper” “Some people think Congress did a pretty good job in 1986 seeing the future, but that was before the World Wide Web. The law can’t be expected to keep up without amendments.” The rules established by the ECPA depend upon what type of information is sought and how old it is, and courts in different jurisdictions have interpreted the rules differently.
According to the website of the American Civil Liberties Union, Internet companies and advocacy organizations have engaged in an ongoing campaign to modernize the Electronic Communications Privacy Act. The ACLU reports that “Since 1986, technology has advanced at breakneck speed while electronic privacy law remained at a standstill. The outdated Electronic Communications Privacy Act (ECPA) allows the government to intercept and access a treasure trove of information about who you are, where you go, and what you do, which is being collected by cell phone providers, search engines, social networking sites, and other websites every day.”
The ACLU believes that the ECPA should be updated to protect all personal electronic information regardless of age or nature, safeguard location information, institute oversight and reporting requirements, require a suppression remedy, and craft reasonable exceptions.
Google noted in its Public Policy Blog in June that a “significant milestone for digital due process” — and for the campaign to update the ECPA — was reached this summer, when a majority of the members of the U.S. House of Representatives went on record to support legislation that would “create a bright-line, warrant-for-content rule for electronic communications. “
Change seems imminent — or at least eminently necessary — for a law that may provide greater or lesser protection for an email based upon how old it is, whether it has been opened, or where it has been stored, factors which Google points out are irrelevant to users.
Because the ECPA was enacted to extend the government’s wiretap restrictions to electronic data transmitted by computers, the law places Internet companies like Google and Facebook, which rose to prominence after the law was enacted in 1986, squarely between governments and consumers. But this lawsuit places Facebook in a different position — one in which the company’s use of the data that users share with it, rather than the government’s requests for that data, could be found in violation of the law.
Google is currently under similar legal scrutiny for its own message-scanning practices. Perhaps the best possible outcome of the lawsuits would be to place a new spotlight on the vagueness of the ECPA when it comes to technologies developed after 1986, and to simultaneously bring into the public consciousness the amount of data that we share with social networks and online services — and the liberties these companies are able to take with it. The results of both lawsuits will have significant and likely far-reaching effects, and they’ll both be significant stories to follow in the new year.