
"...defendants made false or misleading statements and failed to disclose that Facebook violated its own data privacy policies by allowing third parties access to personal data of millions of Facebook users without their consent..."

The "without their consent" part is BS, as is this lawsuit. When you use Facebook platform apps, you have to consent to the disclosure of your information to the developer, and have to agree to allow whatever special permissions the developer is asking for. As for friend data that apps may have access to, when you sign up for and use Facebook, you agree to the terms and conditions, which allow this behavior.

Investors had the opportunity to view both the developer platform policies and Facebook TOS long before they ever bought shares. If they didn't like the possible implications of them, they should not have invested. My guess is that this case will go nowhere.



> agree to allow whatever special permissions the developer is asking for

You can't just write up an arbitrary contract and assume it will hold up in a court of law. For example, if I tried to rent out a unit by signing a lease that allowed the landlord to turn my water off if I posted a negative review about them, their lease would probably be found in violation of the corresponding state's landlord-tenant laws.

Precedents are established all the time. In the case of Facebook, this is something that common law would not have addressed prior to the early 2000s. Never before have we had such an efficient data-mining machine in the hands of anyone. New technologies warrant new laws.

Edit: One example of such a landlord, by the way, is Anne Kihagi who neglected many such tenants. I'm not sure if she did so through a faulty lease, however. It's late... https://www.modernluxury.com/san-francisco/story/home-invade...


I am a developer of an app that makes use of Facebook friend permissions and have seen the various API changes they have made since 2014.

Applications using Facebook Graph 2.+ (which is the only option since Spring 2015 or so) who access friend data may only access data of friends who have also given consent to your app. So if A and C log into a Facebook app, and A is friends with B and C, the app can only be aware that A and C exist. This is true of legacy and new Facebook applications. It used to be possible to get basically everything about B (name, age, gender, photo, etc), but that all got shut down when Graph API 1.0 was discontinued. If this is somehow not the case for some Facebook apps that got special permission or there is a hack to get at the data, that would be a huge breach of trust.


They haven't got around that, it's just that this data "breach" happened before 2015 when the old API was removed.


Is this correct? Because all this time I was wondering about this scandal: apparently, this all started because someone had some app or website which got downloaded by a few hundred thousand FB users (who gave access to their info), and somehow they turned that into data of 50M users. And I also am well aware the current FB API doesn't allow you to get info about your friends if only you give permissions to an app. That this "breach" happened some time ago, when API permissions were different, would make a lot of sense to me.


TL;DR (which somehow never gets reported):

Before 2015 Facebook apps could access the data of your friends if you gave it permission. Your friends didn't need to give explicit permission (though there were never-used settings to block access).

Some academic dude made a personality test app that harvested the data from all of the friends of people who used it. He paid lots of people (almost all American) on Amazon's Mechanical Turk to use it and harvested their data and the data of their friends.

He sold that data to Cambridge Analytica. This was in 2012 I think. Facebook removed that version of the Friends API in 2015 so this is no longer possible.
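The two access models described in this thread (the pre-2015 friends permission, where one user's consent exposed their friends, versus the Graph API 2.0 rule that an app only sees friends who also authorized it) are easy to confuse, so here is a toy model of both as an added example. It is not Facebook's code and not based on any Facebook API; the social graph, the user names and the per-user "block apps via friends" setting are all constructed for illustration.

```python
# Added example (not Facebook's code): a toy model of which users an app can
# learn about under the pre-2015 friends permission versus the Graph API 2.0
# rule. Graph, names and privacy settings below are constructed.

from typing import Dict, FrozenSet, Set

# Constructed social graph: undirected friendships, stored both ways.
FRIENDS: Dict[str, Set[str]] = {
    "A": {"B", "C"},
    "B": {"A", "D"},
    "C": {"A"},
    "D": {"B"},
}

# Constructed per-user setting: True means the user opted out of being
# exposed to apps that their friends use (the rarely used setting the
# thread mentions, assumed here to be a simple boolean).
BLOCKS_APPS_VIA_FRIENDS: Dict[str, bool] = {
    "A": False, "B": False, "C": False, "D": True,
}


def visible_users_v1(authorized: Set[str]) -> FrozenSet[str]:
    """Pre-2015 model: the app sees every authorizing user plus all of their
    friends, except friends who blocked platform apps."""
    seen = set(authorized)
    for user in authorized:
        for friend in FRIENDS.get(user, set()):
            if not BLOCKS_APPS_VIA_FRIENDS.get(friend, False):
                seen.add(friend)
    return frozenset(seen)


def visible_users_v2(authorized: Set[str]) -> FrozenSet[str]:
    """Graph API 2.0 model: the app sees only the users who authorized it."""
    return frozenset(authorized)


def visible_friendships_v2(authorized: Set[str]) -> Set[FrozenSet[str]]:
    """Friendship edges the app can observe under v2: both endpoints must
    have authorized the app, so B's existence is never revealed by A alone."""
    edges: Set[FrozenSet[str]] = set()
    for user in authorized:
        for friend in FRIENDS.get(user, set()):
            if friend in authorized:
                edges.add(frozenset((user, friend)))
    return edges


def exposed_without_consent(authorized: Set[str]) -> FrozenSet[str]:
    """Users whose data the v1 model hands out although they never
    authorized the app: the blast radius the thread is arguing about."""
    return visible_users_v1(authorized) - set(authorized)


if __name__ == "__main__":
    # The scenario from the thread: A and C log in, A is friends with B and C.
    logged_in = {"A", "C"}
    print("v1 sees:", sorted(visible_users_v1(logged_in)))          # A, B, C
    print("v1 non-consenting:", sorted(exposed_without_consent(logged_in)))  # B
    print("v2 sees:", sorted(visible_users_v2(logged_in)))          # A, C
```

Run it as a script to see the scenario from the thread: under the old model B's data is exposed because A authorized the app; under the 2.0 rule the app learns only that A and C exist and that they are friends with each other.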


That’s actually the point of my post. I have been developing Facebook apps since the very beginning of the developer platform, but stopped because the new rules were so restrictive that they made apps useless. There is no point to developing social network apps that can’t involve the user’s social network.

Since all apps have these restrictions, I don’t believe that any apps at issue here had special permissions. However, it is possible that they scraped public data and were assisted in being pointed to which data to scrape by the direct profile data they obtained through the apps. Enough friends lists etc. are public to make this potentially beneficial.

No specs have been released about CA’s “psychographic profiling”. We don’t know the extent of the data that they had access to, what data went into it (perhaps it was based on name and friends list only, which are mostly public etc.). So until we know more, we can only assume that these apps had the same constraints that all others do.


> When you use Facebook platform apps, you have to consent to the disclosure of your information to the developer, and have to agree to allow whatever special permissions the developer is asking for. As for friend data that apps may have access to, when you sign up for and use Facebook, you agree to the terms and conditions, which allow this behavior.

So it depends on what you mean by consent, and whether you want to specify "informed consent". Lots of EU data protection law talks about "informed consent". If you asked 1,000 facebook users what they had consented to, they probably would not think that they had consented to that. One can make a case that the long legalese with a checkbox at the end isn't (informed) consent.


In fact, I can demonstrate that Facebook has the wherewithal to explicitly determine that I haven't read their TOS, yet chooses not to do so. I would argue that construes some kind of acceptance that the TOS are unenforceable. IANAL, and I'm not aware of that argument being attempted, but I'd quite like it to be.


>If you asked 1,000 facebook users what they had consented to, they probably would not think that they had consented to that.

SomeFacebookApp is requesting permission to do the following:

Access my basic information: Includes my name, profile picture, gender, networks, user ID, list of friends, and any other information I've shared with everyone.

Access my contact information: Current Address and Mobile Phone Number

I can't imagine how much more explicit this could be. I don't think the argument that it's behind legalese would hold. And it seems pretty informative about what information is going to be taken.


> I can't imagine how much more explicit this could be.

Ah yes, and what exactly are they doing with this information? I can't imagine how much less explicit this could be.


>Ah yes, and what exactly are they doing with this information? I can't imagine how much less explicit this could be.

I would have appreciated less smugness, but I get your point. The permissions request should go further and say how the permissions will be used and what can happen if they are used.


The idea of informed consent applied here (which is EU law) gives SomeFacebookApp permission to access the data, like the text you have written says, and nothing beyond that.

Once they had accessed the data, they would not [legally] be able to store it, or use it for any purpose. Text like this worries me because it's clear there is some illegal intent - that doesn't mean I agree to the illegal action.


>be able to store it, or use it for any purpose

I didn't even consider that dimension to this issue. The authorization doesn't say anything about whether it will store the data.


Yes, exactly.

If the authorization doesn't say it, then it's not authorized to do it.

This level of explicit consent has legal basis in the EU.


That 'list of friends' meant 'oh, and all of these for all of your friends as well, and by accepting this, you tell us they know about this and they accepted it as well' - in which case, your friends, of course, are not even aware of this.


Please don’t post blatantly incorrect statements like this.

An app that gets a friend list of a user does not get the same access to each friend as to the authorizing user. This should be obvious; if I agree to allow an app to post on my wall and access my friends list, it doesn’t mean the app can post on my friends’ walls from my friends’ identities.

The only information the FB API returns about the authorizing user’s friends is data those friends have made publicly available. In fact, the friends even have the option to configure their privacy settings to exclude them from any “friend lists” given to apps.

Honestly it’s ridiculous... nothing was breached in the CA scandal. Users authorized access to their data, and any data of other people was publicly available and authorized by TOS or (admittedly opt-out) privacy settings.

If you want to stay private online, maybe don’t use a service with the singular business model of monetizing your data.


You assume an unlimited ability to give consent. Some protected classes (i.e. children) and countless others may not be able to give consent. And I'd assume that in some country somewhere even adults might not be able to divest themselves of all privacy rights forever. There are limits to reasonability.


Well that notification doesn't say what SomeFacebookApp will do with the information, it implies they won't share it with anyone else. "any other information" is too broad, so it's not clear what that covers.


Correct me where I'm wrong but did it not used to be the case that facebook apps could access almost as much info about your friends as they could about you?

So where is the consent? Fred gives consent to run a personality quiz and its associated data gathering - Fred's 180 friends didn't.


This is, of course, true but it's not clear why investors should have any grounds to sue over it. This wasn't actually a PR problem for Facebook until relatively recently - for instance, the 2012 Obama campaign harvested data about the Facebook friends of people who volunteered access to their accounts, those friends obviously didn't consent, and this mostly just led to glowing articles about how clever this was and how commercial companies could copy it.

What it took for this to be a problem for Facebook was Trump running for and winning the presidency, the press needing someone to blame other than themselves, and them being willing to bury minor details like the campaign probably not actually using the data in question in any form. That doesn't seem like something which could reasonably be predicted in advance.


That consent is contained in the TOS that you and all of your friends agreed to when you signed up for Facebook. Further, the access to friend data has always been more limited than you imply here, and more recently, it’s become so limited that using apps for data collection about friends is almost a pointless endeavor.


"Well duh, it says it right there in section 37, paragraph 12, in dense legalese – how could anyone be surprised?"

Perhaps the very best thing that could come out of this is an end to the longstanding legal fig leaf of lengthy, complex legal documents presented as click-through agreements somehow constituting "informed consent."


I fully agree with this, there should be laws that enforce TOS length and legibility for those who didn't take the bar exam or had their personal counsel available before clicking I Agree.

Except that the folks who'd write such laws...


Or create a universal TOS where service creators can just check off various options, in the same way that Creative Commons created a universal copyright licensing agreement.


This is the only reasonable way I can see going forward.

I recall reading once that a person would need a lifetime's worth of time (50 years? 80?) just to read and understand the legal ramifications of the contracts and TOS he or she must agree to in order to use software.

Clicking "I agree" is probably the most obvious and common lie told by humanity today. Something has to change.


I mean terms of service are not that hard to read. Facebook's TOS is only 4k words long. It is not particularly dense or full of legalese. I have written source code comments a tenth that length for a single function. That is not many words to describe the plethora of implications of using their service.

Go ahead and have a glance at it. What would you remove from it that wouldn't cause a significant gap?

Some example clauses:

> For content that is covered by intellectual property rights, like photos and videos (IP content), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.

(They have to put this. If they didn't, they would get sued by someone who shared a video and then was mad that other people could see it.)

> Facebook users provide their real names and information, and we need your help to keep it that way. Here are some commitments you make to us relating to registering and maintaining the security of your account:

>

> You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.

(Not exactly dense legalese. It is good to ban impersonation, and it is right that they should include such a ban in their terms.)

> We’ll notify you before we make changes to these terms and give you the opportunity to review and comment on the revised terms before continuing to use our Services.

(Seems reasonable to me. Many years ago, people used to complain that the terms changed without notice, so FB committed to not doing that any more.)

I don't know. This whole "terms of service are impossible to read except by a lawyer" meme just doesn't hold water for me.


Great. So far so good. Where was the part where I agreed they could harvest my profile information because a friend filled out a quiz/questionnaire/etc.?


From https://www.facebook.com/terms.php, item 2.3

When you use an application, the application may ask for your permission to access your content and information as well as content and information that others have shared with you. We require applications to respect your privacy, and your agreement with that application will control how the application can use, store, and transfer that content and information. (To learn more about Platform, including how you can control what information other people may share with applications, read our Data Policy and Platform Page.)

You gave access to your friends, who then authorised access to the application.


Let's see what the readability of the FB TOS is, using a random Googled analyzer, in this case https://readable.io:

Readability Grade Levels

A grade level (based on the USA education system) is equivalent to the number of years of education a person has had. A score of around 10-12 is roughly the reading level on completion of high school. Text to be read by the general public should aim for a grade level of around 8.

    Flesch-Kincaid Grade Level  12.6
    Gunning Fog Index           13.9
    Coleman-Liau Index          11.8
    SMOG Index                  14.9
    Automated Readability Index 12.4
    Average Grade Level         13.1

Text Quality:

    Sentences > 30 Syllables  80  53%
    Sentences > 20 Syllables 115  77%
    Words > 4 Syllables       37   1%
    Words > 12 Letters         2   0%
    Passive Voice Count       17   1%
    Adverb Count             116   4%
    Cliché Count               0   0%
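The grade levels in that report are computed from simple counts (sentences, words, syllables, letters), so as an added example, not from the readable.io tool or from the original comment, here are the Flesch-Kincaid and Automated Readability formulas run over the TOS clause quoted earlier in the thread. The syllable counter is a vowel-group heuristic and is an assumption of this example; real tools use dictionaries and get slightly different numbers.

```python
# Added example (not readable.io's code): compute two of the grade-level
# scores in the thread's report from raw text counts. The syllable counter
# is an approximate heuristic assumed for this example.

import re
from typing import Dict

# Constructed sample input: the TOS clause (item 2.3) quoted in the thread.
TOS_CLAUSE = (
    "When you use an application, the application may ask for your permission "
    "to access your content and information as well as content and information "
    "that others have shared with you. We require applications to respect your "
    "privacy, and your agreement with that application will control how the "
    "application can use, store, and transfer that content and information. "
    "(To learn more about Platform, including how you can control what "
    "information other people may share with applications, read our Data "
    "Policy and Platform Page.)"
)


def count_syllables(word: str) -> int:
    """Approximate syllables as vowel groups, dropping a silent trailing 'e'
    (but keeping '-le', as in 'people'). Always at least one."""
    w = word.lower()
    groups = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith("le") and groups > 1:
        groups -= 1
    return max(groups, 1)


def text_stats(text: str) -> Dict[str, int]:
    """Sentence, word, syllable and letter/digit counts for a text."""
    # A sentence is a segment between terminal punctuation that has a letter;
    # this drops leftovers such as a closing parenthesis after a full stop.
    sentences = [s for s in re.split(r"[.!?]+", text) if re.search(r"[A-Za-z]", s)]
    words = re.findall(r"[A-Za-z0-9']+", text)
    syllables = sum(count_syllables(w) for w in words)
    chars = sum(len(re.sub(r"[^A-Za-z0-9]", "", w)) for w in words)
    return {"sentences": len(sentences), "words": len(words),
            "syllables": syllables, "chars": chars}


def flesch_kincaid_grade(words: int, sentences: int, syllables: int) -> float:
    """Flesch-Kincaid grade level: 0.39*(words/sentence) + 11.8*(syllables/word) - 15.59."""
    return 0.39 * (words / sentences) + 11.8 * (syllables / words) - 15.59


def automated_readability_index(chars: int, words: int, sentences: int) -> float:
    """ARI: 4.71*(characters/word) + 0.5*(words/sentence) - 21.43."""
    return 4.71 * (chars / words) + 0.5 * (words / sentences) - 21.43


def grade_report(text: str) -> Dict[str, float]:
    """Both scores plus their average, mirroring the report's 'Average Grade Level'."""
    s = text_stats(text)
    fk = flesch_kincaid_grade(s["words"], s["sentences"], s["syllables"])
    ari = automated_readability_index(s["chars"], s["words"], s["sentences"])
    return {"flesch_kincaid": fk, "ari": ari, "average": (fk + ari) / 2}


if __name__ == "__main__":
    print(text_stats(TOS_CLAUSE))
    for name, value in grade_report(TOS_CLAUSE).items():
        print(f"{name:16s} {value:5.1f}")
```

Three sentences averaging over 27 words each, padded with four-syllable words like "application" and "information", push the clause well above the grade 8 that the quoted guidance recommends for general-public text, which is the point the original comment was making with the full report.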


The whole point is that you cannot meaningfully consent to give out information about your friend since they’d have to consent to that. Even acknowledging they exist and are your friends is already information. To make matters worse, the v1 API would happily hand out information about your friends, such as their likes without _their_ consent. Not your privacy is breached - theirs is. And there’s no way user A can meaningfully consent to have user B’s information exposed.


It was yours to share because it was shared with you.


That's just not how it works. Apps could for example request access to all messages. Let's make that a physical world example: I write you a letter that contains private details. Are you free to share this letter with third parties? The established legal precedent is clearly "no, not at all." Another example: I allow you to peek into my diary. I shared my private thoughts with you. Are you now allowed to go out and trumpet those out in the world? No, not by any standard. So the default assumption is that things shared privately are private, not public. There are cases where a higher good allows to breach that assumption, but "financial gain" has never been accepted as a higher good in such cases.

Failing to honor that assumption is Facebook's fault here.


> That's just not how it works

Actually, that is how it works. Unless there is an NDA in place between you and me, I can share anything you choose to share with me, especially in the context of a social network where we both agreed to and are bound by the same TOS where we authorized exactly this kind of sharing.


In what jurisdiction? That's not true in the EU (even pre-GDPR), where Facebook also operates.


My heuristic is that if they don't make it clear what jurisdiction they're talking about, they're talking about the US.


My comment is a bit of a passive-aggressive pushback against that :)


Not in GDPR land.


There is a setting to globally disable and enable all apps. If you disable it, no apps can see you, even if your friends use the app. Facebook actually has tons of settings - discoverability is a big problem.


And they change all the time, often resetting defaults. And without notice. Playing “respect my privacy” whack a mole with a billion dollar company grows old quickly.


“... the planning charts and demolition orders have been on display at your local planning department in Alpha Centauri for 50 of your Earth years, so you’ve had plenty of time to lodge any formal complaint and it’s far too late to start making a fuss about it now. ...”


This will hopefully be a learning experience for everyone - consent doesn't make something right, nor will it prevent legal investigations and implications. In addition, I'd assume less than 0.1% of users read any TOS.


If you were to ask 30 Facebook users whether or not Fred taking a stupid personality quiz leaked all their info, 29 of them would say no.

This is why we need informed consent for data collection.


The point is that Facebook disclosed to you that this might happen. Failing to read the TOS is not the same as not having been informed. If you fail to read your mortgage contract but sign it anyway, you’ll still lose your house if you don’t live up to the terms. And for the record, the friend data that Facebook makes available to apps is far from “all” of it, especially nowadays.


In Australia, people who work for organisations that sell mortgages have a professional duty they're required to perform by explaining to you, to your face, in simple terms, what certain parts of the contract mean and what obligations each party has, and sign off that they are satisfied that you understand.

I don't recall that ever happening when a TOS was displayed on any of my electronic devices.

So I don't think it's a valid comparison.


In EU all sorts of EULAs are invalid almost by definition and have proven time and time again that they don't stand up in court. Terms of any contract have to be reasonable - if your mortgage has a clause that says "the bank can terminate your mortgage for displaying flower pots on the north side of the building" that would 100% not stand up in court. Yes, you agreed to it, but it's not a reasonable clause.


Degree is irrelevant until sentencing, is it not?

Failing to read the TOS is not the same as being informed either. The judiciary seem aware of that too.


Who has deep enough pockets to pay off enough politicians to get something like that passed?


> access to friend data has always been more limited than you imply here, and more recently, it’s become so limited that using apps for data collection about friends is almost a pointless endeavor.

Not sure what was limited, but you were able to get name, age, location, gender, photo, categories set (the profile stuff that I don't think many use any more), and other info. That seems more than enough to start building a profile on someone that you have no relationship with. Particularly if you're able to collect in quantity and join the dots.

> more recently, it’s become so limited that using apps for data collection about friends is almost a pointless endeavor.

I was aware it had changed some, but not when or how much. You seem to agree that it used to be useful for data gathering on friends.

That's less than ideal when most of us have connections to teen and elderly relatives who might be insufficiently suspicious of a fun questionnaire. To over-generalise a little, neither group is renowned for tech awareness.


When I click a button that says I agree to share my data with a third party app, I am also clicking it on behalf of all of my friends. Where in the TOS does it say that?


I'm not sure what the HN rules around reposting your own comment are, but:

From https://www.facebook.com/terms.php, item 2.3

When you use an application, the application may ask for your permission to access your content and information as well as content and information that others have shared with you. We require applications to respect your privacy, and your agreement with that application will control how the application can use, store, and transfer that content and information. (To learn more about Platform, including how you can control what information other people may share with applications, read our Data Policy and Platform Page.)


How can you give consent to share with a third party what I have shared privately with you? Just because the TOS says so doesn’t make you exposing my private Information consentful.

Look at the example of what LinkedIn and WhatsApp and all its ilk does: I don’t want to be on those platforms. But friends upload their address books all the time, so I’m fairly sure they all have a full view of my social connections. How and where did I agree to that? How can my friends meaningfully consent to that on my behalf?


Once again, your friends agreed to the possibility of this happening when they agreed to the TOS. I’m on my mobile phone right now, so I won’t be combing through the TOS looking for the specific clause atm. Maybe in an edit later. But it’s there.


In the US you are unable to enter a legally binding agreement if you are intoxicated... Users who aren't reading anything, just ticking a box with a mouse click and hitting next, defeat the purpose of a legally binding agreement.

If both parties aren't fully committed or informed, this is similar to an intoxicated person entering a legally binding agreement.


(IANAL)

These so-called "clickwrap" or "browse-wrap" agreements have definitely been found to be enforceable. However, the details of exactly how the agreement was presented and what the user had to click can affect their enforceability.

Source: https://www.americanbar.org/publications/communications_lawy...


In practice, clicking “I agree” is legally worthless unless backed up by case law with explicit supporting judgements.

FB and other big data corporates need to be reminded of this.


The modern approach to consent in these things is arguably immoral, and indisputably awful.

Most adults simply don't have the ability to understand the dense legalese that these contracts are written in, so they don't. Asking people to take an hour or two to properly read and digest it just to sign up for a website is ridiculous, and expecting them to actually do so is like something out of a Terry Gilliam movie.


The provision that allows this is ~460 words into the TOS, and is written in pretty easy to understand English. At some point you need to hold yourself accountable for agreeing to this stuff.


From their TOS:

"... you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License)"

I would expect the implications of that provision to be inscrutable to someone who doesn't have at least some familiarity with IP law. Techies tend to have that background, because software licensing is such a big factor in open source software. But I would bet that if you go out and survey people off the street about what that's saying, very few would anticipate that it means, "We can sell your data to anyone we want, including exporting it to places where your local privacy laws may not apply, and they get to do whatever they want with it, including selling it to still other people." Especially in light of the (misleading, if you're interpreting it in terms of vernacular English instead of legalese) statement that, "You own all of the content and information you post on Facebook," that opens the section.

Expecting most people I know to reliably read all of the relevant implications for their privacy out of that saucer full of tea leaves is, to put it bluntly, bullshit.


Perhaps you can point to the clause which makes it explicit that the data you provided in a personality test app can be used to swing elections.

Or was FB expecting users to be “accountable” enough to work out that part for themselves?


I get this argument for users but we're talking about investors, surely they should be taking an interest in the companies they put their money into.


> The "without their consent" part is BS, as is this lawsuit. When you use Facebook platform apps, you have to consent to the disclosure of your information to the developer, and have to agree to allow whatever special permissions the developer is asking for. As for friend data that apps may have access to, when you sign up for and use Facebook, you agree to the terms and conditions, which allow this behavior.

As far as I am aware, across the whole of Europe, pretty much none of those TOS click-through things hold up as informed contractual consent. They aren't really worth the pixels they are written on in many jurisdictions.


For reference, here’s the permission dialog from 2010 (https://soundbid.files.wordpress.com/2012/05/fig_03.jpeg). Sharing data and friends lists is not hidden at all.


Disagree - your argument makes no legal point. This suit is by institutional investors who have access to the best lawyers in the country. They chose to sue fully aware of the TOC; they obviously know more.


> they obviously know more

Or they're just greedy and looking for a quick settlement, like all other class action securities attorneys do when they sue over large stock price drops. These types of suits are filed daily, many of them without merit.

For a fascinating look at Bill Lerach, the lawyer who perfected this tactic, check out [1]. He squeezed so much money out of public companies and caused so many problems with these often ridiculous lawsuits, that Congress passed a bill limiting them that became known as the "Get Lerach Act". He eventually went to federal prison for paying kickbacks to plaintiffs.

[1] https://www.youtube.com/watch?v=wYIC9GU9OeM



