http://blogs.wsj.com/digits/2010/10/17/facebook-faces-suit-over-earlier-breach/

October 17, 2010

Facebook Faces Suit Over Earlier Breach

By Jennifer Valentino-DeVries

A lawsuit moving through a California court alleges Facebook Inc. violated federal and California law and breached a contract with users when, without their knowledge, it sent advertisers data that could identify them.

The suit references a Wall Street Journal article in May [1] that exposed Facebook's practice of sending Facebook ID codes under some circumstances when users clicked on an ad. The codes can be used to look up individual profiles, which could include a person's real name, age, hometown, or other details. Facebook has since discontinued the practice. More recently, the Journal's Emily Steel and Geoffrey Fowler found [2] that applications on Facebook also were sending such data to ad networks.

Soon after the Journal's first story, David Gould and Mike Robertson filed separate suits alleging that Facebook violated a federal law that protects the privacy of electronic communications and California computer-crime law by using the data without users' permission. On Oct. 11, the suits were consolidated into one case in U.S. District Court in the Northern District of California.

"We believe there is no merit to these suits and we will fight them vigorously," a Facebook spokesman said in an emailed statement.

The codes were being sent as part of a common Web practice of transmitting the address of the last page viewed when a user follows a link. In Facebook's case, that address could include the user's name or identification number. Facebook also sometimes sent the ID code of the user who clicked on the ad. After being contacted by the Journal, Facebook changed its system so that the ID codes are no longer sent to other websites.

Messrs. Gould and Robertson also alleged Facebook's actions constitute breach of contract because they violated the site's privacy policy, which says it does not share information with advertisers without user consent.

"Facebook talks a lot about how they take privacy seriously and won't do anything without the user's permission. We've alleged that that is a binding agreement," said Kassra Nassiri, one of the lead attorneys in the case, in an interview.

Previous court decisions have been divided on whether privacy policies are contracts or general statements that can't be enforced. Courts also generally require plaintiffs to prove monetary harm in breach-of-contract cases, which has proved another stumbling block for privacy suits.

But Michael Aschenbrener, the other lead attorney on the case, said he believes the fact that consumer data are now bought and sold by advertising companies means a value can be placed on the information. "There's a market for what access to a Facebook profile is worth," he said in an interview.

The suit seeks unspecified damages and asks that the court force Facebook to turn over revenue earned from outside advertisers while it was disclosing the data. Messrs. Gould and Robertson also are seeking class-action status, claiming that "millions" of Facebook users were affected by the problem.

[1] http://online.wsj.com/article/SB10001424052748704513104575256701215465596.html

[2] http://online.wsj.com/article/SB10001424052702304772804575558484075236968.html