Facebook sued for violating wiretap laws with tracking cookies

Summary: Facebook is being sued in multiple states for tracking its users even after they logged out of the service. All the lawsuits allege the company violated federal wiretap laws.

Brooke Rutledge of Mississippi has joined a growing number of Facebook users who are suing the social networking giant over allegations that it violates federal wiretap laws. Facebook may not be a phone company, but it has been accused multiple times of using cookies to track users even after they log out of the service. Palo Alto has since twice denied the allegations, and has also twice fixed the issue. In addition to this one, several similar lawsuits have been filed in other states, including Kansas, Kentucky, and Louisiana.

The Mississippi lawsuit, which seeks class action status for millions of Facebook users, was filed this week at the US District Court in Mississippi. Brooke asserts claims for breach of contract, unjust enrichment, trespassing, and invasion of privacy.

"Leading up to September 23, 2011, Facebook tracked, collected, and stored its users' wire or electronic communications, including but not limited to portions of their internet browsing history even when the users were not logged-in to Facebook," the complaint states. "Plaintiff did not give consent or otherwise authorize Facebook to intercept, track, collect, and store her wire or electronic communications, including but not limited to her internet browsing history when not logged-in to Facebook."

Also this week, former Louisiana Attorney General Richard Ieyoub filed a federal lawsuit on behalf of Facebook user Janet Seamon. The allegations were almost identical: the social networking giant is accused of collecting and storing users' Internet browsing history without their permission. Ieyoub is asking a judge to certify the lawsuit as a class action. It seeks unspecified punitive damages and statutory damages of $100 for each day that each class member's data was "wrongfully obtained" or $10,000 for each alleged violation.

Last week, John Graham filed a federal lawsuit in US District Court in Kansas against the social networking giant. Graham is asking the federal court to decide whether the interception was intentional, the extent of communications intercepted and stored, and whether the court should prohibit Facebook from intercepting such communications when a user is not logged in. He is also seeking a preliminary and temporary injunction restraining Facebook from intercepting electronic information when users are not logged in and from disclosing any of the information already acquired on its servers. Last but not least, the lawsuit seeks statutory damages of $100 per day for each of the class members or $10,000 per violation, punitive damages along with attorney fees and court costs.

Also last week, Facebook user David Hoffman filed a federal lawsuit in US District Court in Kentucky against the social networking giant. Hoffman is asking a judge to grant the suit class-action status. Hoffman's lawsuit also seeks an injunction restraining Facebook from intercepting electronic information when users aren't logged in and from disclosing any of the information already acquired. Last but not least, it seeks damages of $100 per day for each of the class members or $10,000 per violation, along with an undisclosed amount in punitive damages.

Each of these lawsuits has been filed under a provision of the federal Wiretap Act that prohibits interception of wire, oral, or electronic communications. Facebook is being accused of violating said wiretap laws with tracking cookies that record users' online activity even when they are not logged into the service. Similar cases against Facebook and others filed under the wiretap law have been thrown out because browser cookies are simply not considered wiretaps and plaintiffs have difficulty proving any harm.

I have contacted Facebook for a statement in regards to these lawsuits.

Last month, self-proclaimed hacker Nik Cubrilovic accused Facebook of tracking its users even if they log out of the social network. He explained that even after logging out of the service, whenever he visited a website that had a Facebook plugin, information including his account ID was still being sent to Palo Alto.

The company responded by denying the claims and offering an explanation as to why its cookies behave the way they do. Palo Alto explained that it does not track users across the Web and its cookies are used to personalize content. As for the logged-out cookies, Facebook said they are used for safety and protection.

After a long technical discussion, Cubrilovic confirmed Facebook made changes to the logout process, and that the cookies in question now behave as they should. They still exist, but they no longer send back personally-identifiable information after you log out. The company also took the time to explain what each cookie is responsible for.

Following all this, 10 privacy groups and US congressmen last month sent letters asking the Federal Trade Commission (FTC) to investigate Facebook for these and other practices. Facebook also needs to worry about this lawsuit.

Furthermore, Ireland's Data Protection Commissioner has agreed to conduct a privacy audit of Facebook. Given that the social network's international headquarters is in Dublin, the latter is the more serious one, as the large majority of the site's users could be affected (see Europe versus Facebook).

Even worse, the issue came back last week. It was discovered that the datr cookie, which can be used for tracking users, was once again being set on third-party websites with a Facebook social plugin – whether you are logged in or logged out of the service. Facebook confirmed the bug, said only some third-party websites were affected, and fixed it.

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Talkback

27 comments
  • A little point of clarification...

    Cookies don't "send out" information. They are not applications. They are tiny text files that are read by websites. They are used by almost every website out there, including ZDNet. Some of the accusations made about cookies in the past have been laughable at best. Based on the contents of this story, I'd fully expect this lawsuit to be tossed pretty quickly.
    jasonp@...
    • On clarification .... what they call cookies is actually LSOs

      @jasonp@... In other words "Flash cookies". They can run in the background without any user knowledge.
      wackoae
      • RE: Facebook sued for violating wiretap laws with tracking cookies

        @wackoae

        Why waste your time with him? Obviously he is a troll or just plain ignorant. But it could get tossed out cause we have LOTS of non-technical wanna-be judges out there!
        SpankyFrost
      • RE: Facebook sued for violating wiretap laws with tracking cookies

        @SpankyFrost
        Why waste your time with an inane comment that means nothing? If the author meant LSOs, he should have said that instead of writing an article about cookies. Everyone who has taken any web programming classes at all learns the definition of a cookie. Cookies are not software. They cannot execute anything. They can perform literally no action on their own. You seem like the technical wannabe type who thinks you know more than everyone else out there. I'm just pointing out that cookies are nothing more than a small text file, nothing more, nothing less.
        jasonp@...
    • I would expect it to be tossed out too, since judges are stupid.

      @jasonp@... since a judge has a hard time picking between a chocolate chip and an oatmeal cookie we know they haven't the slightest clue about a computer nor software. They probably never will. Just a bunch of so called "expert" losers telling lies to thick headed legal parasites.
      Reality Bites
  • But Who Really Cares?

    After all, most Facebook users are there for the exposure---with or without clothes.
    nikacat
  • RE: Facebook sued for violating wiretap laws with tracking cookies

    Under United States federal law and most state laws, there is nothing illegal about one of the parties to a telephone call recording the conversation, or giving permission for calls to be recorded or permitting their telephone line to be tapped.
    liezelee1109
    • RE: Facebook sued for violating wiretap laws with tracking cookies

      @liezelee1109
      While correct, it has nothing to do with this article. This isn't about a phone call.
      tiderulz
      • RE: Facebook sued for violating wiretap laws with tracking cookies

        @tiderulz It isn't a phone call, but it is the same statute. Similar principles will apply.
        bkshort@...
      • RE: Facebook sued for violating wiretap laws with tracking cookies

        @bkshort... This is about tracking citizens... not recording their vocals. sheesh!
        SpankyFrost
      • RE: Facebook sued for violating wiretap laws with tracking cookies

        @bkshort
        Actually, it won't. A computer sending information somewhere unbeknownst to its owner isn't the same thing as 1 party in a call allowing it to be recorded.
        tiderulz
    • You need to read up a little more. recording is illegal almost everywhere.

      @liezelee1109 .... try using it in court, you will find yourself behind bars and sued into the poor house.
      Reality Bites
      • Correct indeed

        @Reality Bites - Well said, in the State of Washington where I live to legally record a phone call the recording party must inform all other parties of the call that it is being recorded. If anyone does not want to be recorded they should hang up at that point, as staying on the line could be constituted in some liberal courts as acceptance of recording.

        Recording a call without notification is considered criminal, and is generally prosecuted when evidence of such behavior occurs. Obviously exceptions are out there for law enforcement with appropriate authorization.

        Thankfully answering machines/services are not considered a violation.

        As to the subject at hand... I'm going to have to read all the complaints before I can form a real (valid or otherwise) opinion as to whether tracking cookies really violate the letter or spirit of the law.

        I think possibly if they are on a mobile device and getting GPS/Location data they may be violating some rules or laws too... Can't remember which court it was but one of them just ruled that the police can't use GPS tracking without a warrant. So tracking cookies with a GPS signature? Might be pretty valid.
        l_creech
  • Illegal in Germany...

    The "Like" button (and +1 and Twitter buttons) are not allowed to be displayed on websites in Germany, the website must explicitly get the user's permission to display the "Like", "+1" etc. before the 3rd party (Facebook, Google etc.) JavaScript code and images can be injected into the page.

    The IT publisher "heise", in Germany, has a jQuery extension which will automatically take care of this, providing a "slider" switch for each social network, which the visitor has to slide, before the "Like", "+1" etc. are enabled and start tracking the user.

    The documentation (in German) for the jQuery addon can be found here: http://www.heise.de/extras/socialshareprivacy/
    wright_is
  • RE: Facebook sued for violating wiretap laws with tracking cookies

    I'll guarantee you that all of these people are under the impression that if they exit the app, that they have logged off... Not the case, to LOG OFF you actually have to press the LOGOUT button. And most people have enabled and agreed to push notifications and allowing the app to determine location.
    kfortner51
  • Double-talk

    "Palo Alto explained that it does not track users across the Web and its cookies are used to personalize content. As for the logged-out cookies, Facebook said they are used for safety and protection."

    Uh...if they are being used after log-out (the 2nd part of the statement) then the first part of the statement about cookies not being used for tracking after logging out appears to be blatantly false. After all, how can they use a cookie for "safety and protection" if it is not in some manner tracking the user and linking their activities to their Facebook account? Apparently the FB people figure users are so stupid they won't notice the double-talk.
    LDMartin1959
  • You must click FB "Logout" link

    You must click FB "Logout" link for the cookie tracking to stop. Simply closing the browser tab of your FB page will not log you off of Facebook. A lot of people are not going to realize that subtle difference. I had to test it myself.
    Telexer