Facebook May be On the Hook for Scanning Private Messages for Links

This is a privacy lawsuit against Facebook:

Plaintiffs allege that Facebook scans the content of their private messages, and if there is a link to a web page contained in that message, Facebook treats it as a “like” of the page, and increases the page’s “like” counter by one. Plaintiffs further allege that Facebook uses this data regarding “likes” to compile user profiles, which it then uses to deliver targeted advertising to its users. Plaintiffs allege that the messaging function is designed to allow users to communicate privately with other users, and that Facebook’s practice of scanning the content of these messages violates [the Wiretap Act, as well as two California privacy statutes].

Facebook moved to dismiss, but the court denies the motion.

No prima facie violation: The Wiretap Act is focused on interception, and Facebook argued that it doesn’t apply, because the focus of plaintiffs’ complaint is that Facebook engaged in improper use, rather than interception, of the contents of the messages.

The court rejects this argument, saying that the acquisition of the contents of a communication occurs when it is “captured or redirected in any way,” and it’s unclear as a factual matter whether Facebook redirects the communications in the process of scanning them for links. Facebook also argued that to implicate the Wiretap Act, an interception must occur while a message is “in transmission,” rather than when it is in storage. The court says this similarly raises a factual question that can’t be resolved at the motion to dismiss stage.

Ordinary Course of Business Exception: Facebook then argued that Facebook’s scanning fell within the “ordinary course of business” exception to the Wiretap Act. The court finds the Gmail scanning case, which took a narrow view of this exception, and Google’s unified privacy policy case, which took a broader view, instructive. (In the Gmail scanning case, the court found that the exception “offers protection from liability only where an electronic communication service provider’s interception facilitates the transmission of the communication at issue or is incidental to the transmission of such communication.”) As with Facebook’s other arguments, the court finds that whether Facebook’s practice is within the ordinary course of its business raises a factual question. The court is also not persuaded by Facebook trying to argue both sides of the point—that as a factual matter it didn’t scan for advertising purposes, but that advertising is nevertheless a part of the ordinary course of its business:

The court rejects the suggestion that any activity that generates revenue for a company should be considered within the “ordinary course of its business.” At the hearing, Facebook’s counsel suggested that, because the practice is in the service of making money, it must necessarily fall within the ordinary course of business. However . . . the statute’s inclusion of the word “ordinary” implies some limits on a company’s ability to self-define the scope of the exception. An electronic communications service provider cannot simply adopt any revenue-generating practice and deem it “ordinary” by its own subjective standard. The court instead finds that any interception falling within the exception must be related or connected to an electronic communication provider’s service, even if it does not actually facilitate the service. While the court agrees with the Google court’s holding that the exception must cover more than just “necessary” activities, it also agrees with the Gmail court’s finding that there must be “some nexus between the need to engage in the alleged interception and the subscriber’s ultimate business, that is, the ability to provide the underlying service or good.” Based on the current record, the court cannot find any facts alleged in the complaint or facts presented by Facebook that indicate a nexus between Facebook’s alleged scanning of users’ private messages for advertising purposes and its ability to provide its service. [emphasis added]

Facebook also argued that even if its use of the messages was not within the ordinary course of its business, its interception, as distinguished from the scanning for links within the messages, was. The court also rejects this argument. Another of Facebook’s arguments was that the Gmail scanning case concluded Google could not take advantage of the ordinary course of business exception on the basis that the scanning in question violated Google’s own policies. But the court said this read the Gmail scanning case too narrowly.

Consent: Facebook also raised a consent argument but the court rejects it as well. While Facebook’s terms contain numerous waivers and disclosures, nothing specifically said that Facebook would scan messages for advertising purposes:

Facebook’s counsel pointed to the disclosure that Facebook “may use the information we received about you” for “data analysis.” However, this disclosure is not specific enough to establish that users expressly consented to the scanning of the content of their messages – which are described as “private messages” – for alleged use in targeted advertising . . .

Facebook also tried to rely on implied consent on the basis of the context of the communication and the URL preview feature it offered. Again, while this may tip off a user that Facebook is scanning messages—perhaps for viruses and other types of bad content—this does not mean that a user knows Facebook is scanning messages for advertising purposes.

CA Privacy Causes of Action: As to the state law causes of action, plaintiffs achieve a mixed result.

The court rejects Facebook’s request to dismiss plaintiffs’ claim under section 631 of the California Invasion of Privacy Act. Facebook’s consent argument failed. While the statute did require that the interception occur while the message was in transit, and this requirement could not be satisfied as to messages between Facebook members, Facebook allowed messaging functionality to non-Facebook users. As to these messages, the messages would be in transit when scanned by Facebook.

Plaintiffs also asserted a claim under Section 632, which is the California statute prohibiting recording of private communications. Relying on precedent finding that internet communications are not confidential (see People v. Nakai) the court holds that plaintiffs do not satisfy this prong. Accordingly, there can be no violation of CIPA section 632.

__

Along with the Google and Yahoo email scanning cases and the Google wi-fi sniffing case, this case is one of the more interesting privacy lawsuits on the docket. The order highlights a central point of contention involving service providers who provide free messaging services: is scanning for advertising purposes within the “ordinary course of business”? Some would say that service providers should be able to scan and advertise in order to defray the costs of free services and any reasonable customer would realize and expect this. The court leaves the precise scope of this exception for another day, and does not offer any specifics regarding what standards the court will utilize in resolving this question. It’s worth flagging that while Facebook has ceased this practice, the court rejects Facebook’s request to dismiss plaintiffs’ request for injunctive relief on the basis that there is no assurance that the conduct will not restart.

Although it’s unclear whether consent and waiver of someone’s Wiretap Act rights can be effected via a terms of service, Facebook’s failure to include clear waiver/consent language is surprising. Facebook has a sprawling and much-hashed-out set of terms, and it would have been trivially easy for Facebook to flag in its policies that it scans private messages for tracking and advertising purposes.

This case is vaguely reminiscent of the Hulu Facebook ID implementation case where Facebook’s technical implementation (perhaps unwittingly) causes a possible privacy problem.

I’m not sure we’ve seen service providers argue in such stark terms that since service providers are in the business of making money, scanning for advertising purposes should be considered within the ordinary course of their business. We did not need another reason to not trust Facebook’s privacy practices, but the argument Facebook raises here, as driven by the necessities of litigation as it likely is, may be one to add to the list.

Eric’s Comments: I’m with Venkat on the consent question: how hard is it to bury a description of this practice in the privacy policy?

Overall, I see these email scanning cases as anachronistic. Online services are automatically scanning incoming content all of the time for a wide range of reasons; but the law attempts to distinguish “private” content like email as a special class of content that should be automatically processed differently. As the modality of email keeps “dying” its decades-long death, this type of email “exceptionalism” probably doesn’t make sense any more (if it ever did).

Case citation: Campbell v. Facebook, No. C 13-5996 PJH (N.D. Cal. Dec. 23, 2014)

Related posts:

Judge Koh Dismisses the Bulk of the Yahoo Email Scanning Class Action

AOL’s Disclosure of Search Data May Support Claims Under California Law

Court: Husband’s Access of Wife’s Email to Obtain Information for Divorce Proceeding is not Outrageous

Minors’ Privacy Claims Against Viacom and Google Over Disclosure of Video Viewing Habits Dismissed

Lawsuit Over Google’s Unified Privacy Policy Pared Down, But Two Claims Survive

Privacy Claims Based on LinkedIn’s Security Promises Survive Motion to Dismiss

Google Gets Dismissal of Lawsuit Over Privacy Policy Integration–In re Google Privacy Policy

Privacy Plaintiffs Lose Because They Didn’t Rely on Apple’s Privacy Representations — In re iPhone App Litigation

Google Wins Cookie Privacy Lawsuit

Wiretap Claims Against Gmail Scanning Survive Motion to Dismiss — In re: Google Inc. Gmail Litigation

Supervisor’s Post-Termination Access of Employee’s Gmail Account May Violate ECPA – Lazette v. Kulmatycki

Court: Prosecutors Can’t Rummage Around in a Defendant’s Gmail Account — U.S. v. Cioffi

Search Engines and Privacy…AGAIN?!

Search Engines and Privacy

Email Harvesting: Repeated Emails From LinkedIn May Violate Publicity Rights