X
Business

Facebook sued for violating wiretap laws with tracking cookies

Facebook is being sued in multiple states for tracking its users even after they logged out of the service. All the lawsuits allege the company violated federal wiretap laws.
Written by Emil Protalinski, Contributor

Brooke Rutledge of Mississippi has joined a growing number of Facebook users who are suing the social networking giant over allegations that it violates federal wiretap laws. Facebook may not be a phone company, but it has been accused multiple times of using cookies to track users even after they log out of the service. Palo Alto has since twice denied the allegations, and has also twice fixed the issue. In addition to this one, several similar lawsuits have been filed in other states, including Kansas, Kentucky, and Louisiana.

The Mississippi lawsuit, which seeks class action status for millions of Facebook users, was filed this week at the US District Court in Mississippi. Brooke asserts claims for breach of contract, unjust enrichment, trespassing, and invasion of privacy.

"Leading up to September 23, 2011, Facebook tracked, collected, and stored its users' wire or electronic communications, including but not limited to portions of their internet browsing history even when the users were not logged-in to Facebook," the complaint states. "Plaintiff did not give consent or otherwise authorize Facebook to intercept, track, collect, and store her wire or electronic communications, including but not limited to her internet browsing history when not logged-in to Facebook."

Also this week, former Louisiana Attorney General Richard Ieyoub filed a federal lawsuit on behalf of Facebook user Janet Seamon. The allegations were almost identical: the social networking giant is accused of collecting and storing users' Internet browsing history without their permission. Ieyoub is asking a judge to certify the lawsuit as a class action. It seeks unspecified punitive damages and statutory damages of $100 for each day that each class members' data was "wrongfully obtained" or $10,000 for each alleged violation.

Last week, John Graham filed a federal lawsuit in US District Court in Kansas against the social networking giant. Graham is asking the federal court to decide whether the interception was intentional, the extent of communications intercepted and stored, and whether the court should prohibit Facebook from intercepting such communications when a user is not logged in. He is also seeking a preliminary and temporary injunction restraining Facebook from intercepting electronic information when users are not logged in and from disclosing any of the information already acquired on its servers. Last but not least, the lawsuit seeks statutory damages of $100 per day for each of the class members or $10,000 per violation, punitive damages along with attorney fees and court costs.

Also last week, Facebook user David Hoffman filed a federal lawsuit in US District Court in Kentucky against the social networking giant. Hoffman is asking a judge to grant the suit class-action status. Hoffman's lawsuit also seeks an injunction restraining Facebook from intercepting electronic information when users aren't logged in and from disclosing any of the information already acquired. Last but not least, it seeks damages of $100 per day for each of the class members or $10,000 per violation, along with an undisclosed amount in punitive damages.

Each of these lawsuits has been filed under a provision of the federal Wiretap Act that prohibits interception of wire, oral, or electronic communications. Facebook is being accused of violating said wiretap laws with tracking cookies that records users' online activity even when they are not logged into the service. Similar cases against Facebook and others filed under the wiretap law have been thrown out because browser cookies are simply not considered wiretaps and plaintiffs have difficulty proving any harm.

I have contacted Facebook for a statement in regards to these lawsuits.

Last month, self-proclaimed hacker Nik Cubrilovic accused Facebook of tracking its users even if they log out of the social network. He explained that even after logging out of the service, whenever he visited a website that had a Facebook plugin, information including his account ID was still being sent to Palo Alto.

The company responded by denying the claims and offering an explanation as to why its cookies behave the way they do. Palo Alto explained that it does not track users across the Web and its cookies are used to personalize content. As for the logged-out cookies, Facebook said they are used for safety and protection.

After a long technical discussion, Cubrilovic confirmed Facebook made changes to the logout process, and that the cookies in question now behave as they should. They still exist, but they no longer send back personally-identifiable information after you log out. The company also took the time to explain what each cookie is responsible for.

Following all this, 10 privacy groups and US congressmen last month sent letters asking the Federal Trade Commission (FTC) to investigate Facebook for these and other practices. Facebook also needs to worry about this lawsuit.

Furthermore, Ireland's Data Protection Commissioner has agreed to conduct a privacy audit of Facebook. Given that the social network's international headquarters is in Dublin, the latter is the more serious one as the larger majority of the site's users could be affected (see Europe versus Facebook).

Even worse, the issue came back last week. It was discovered that the datr cookie, which can be used for tracking users, was once again being set on third-party websites with a Facebook social plugin – whether you are logged in or logged out of the service. Facebook confirmed the bug, said only some third-party websites were affected, and fixed it.

See also:

Editorial standards