Facebook faces nationwide class action tracking cookie lawsuit

Facebook is once again being sued for tracking its users even after they logged out of the service. This new nationwide class action lawsuit alleges the company violated federal wiretap laws.
Written by Emil Protalinski, Contributor

Facebook users are suing the social networking giant over allegations that it violates federal wiretap laws. In addition to several lawsuits filed in multiple states, including Kansas, Kentucky, Louisiana, and Mississippi, the company is now facing a nationwide class action lawsuit. Law firms Murphy PA and Girard Gibbs have made their case in the U.S. District Court for the Northern District of California, accusing Facebook of continuing to ignore concerns over its tracking cookies. They argue the company violates its own privacy policy, which states post-log-out activity is not tracked by the social networking giant.

Facebook has been accused multiple times of using cookies to track users even after they log out of the service. Menlo Park has since twice denied the allegations, and has also twice fixed the issue. Nevertheless, the lawsuits just keep coming.

Like the previous lawsuits, Facebook is once again being accused of violating the Federal Wiretap Act. Additionally, this nationwide class action lawsuit says Facebook violates the California Internet Privacy Requirements Act and the California Unfair Competition Law. It's worth noting that similar cases against Facebook and others filed under the wiretap law have been thrown out because browser cookies are simply not considered wiretaps and plaintiffs have difficulty proving any harm.

"The days when online service providers can run roughshod over the privacy rights of their customers are over," William Murphy Jr., founding partner of Murphy PA, said in a statement. "Companies that operate commercial websites, such as Facebook, need to realize the public is increasingly concerned about its privacy rights. Perhaps even more importantly, there is a growing community of security experts and bloggers that is extremely savvy about internet technology and committed to ensuring that people’s privacy rights are respected and protected."

In September 2011, self-proclaimed hacker Nik Cubrilovic accused Facebook of tracking its users even if they log out of the social network. He explained that even after logging out of the service, whenever he visited a website that had a Facebook plugin, information including his account ID was still being sent to Palo Alto.

The company responded by denying the claims and offering an explanation as to why its cookies behave the way they do. Menlo Park explained that it does not track users across the Web and its cookies are used to personalize content. As for the logged-out cookies, Facebook said they are used for safety and protection.

After a long technical discussion, Cubrilovic confirmed Facebook made changes to the logout process, and that the cookies in question behave as they should. They still exist, but they no longer send back personally-identifiable information after you log out. The company also took the time to explain what each cookie is responsible for.

Later that month, 10 privacy groups and US congressmen sent letters asking the Federal Trade Commission (FTC) to investigate Facebook for these and other practices. Note that the FTC settlement from November 2011 was over charges that date back to December 2009, meaning the tracking cookie issue was never discussed.

In October 2011, the issue came back. It was discovered that the datr cookie, which can be used for tracking users, was once again being set on third-party websites with a Facebook social plugin – whether you are logged in or logged out of the service. Facebook confirmed the bug, said only some third-party websites were affected, and fixed it.

Also in September, Ireland's Data Protection Commissioner (DPC) agreed to conduct a privacy audit of Facebook. Since the social network giant's international headquarters is in Dublin, the larger majority of the site's users are affected by any of the DPC's decisions (see Europe versus Facebook). Thankfully for Facebook, when the DPC completed his three-month privacy audit of Facebook's activities in December 2011, he said Facebook makes "innovative use of cookies to identify unusual or suspicious activity" on an account.

All that being said, Facebook still needs to worry about this lawsuit and all the previous ones related to cookie tracking. I have contacted Facebook and will update you if I hear back.

Update 10:00 AM PST: "We believe that these cases are without merit and we will fight them vigorously," a Facebook spokesperson said in a statement.

See also:

Editorial standards