wordpress blog stats
Connect with us

Hi, what are you looking for?

Meta Faces Allegations of Non-Consensual Interception of Browsing Activity in New Class-Action Suit

Social media giant Meta is facing a class-action lawsuit on violating privacy and intercepting communications by two Facebook users

meta facebook shiny solid icons

Two United States residents have challenged Facebook-parent Meta’s allegedly non-consensual and intentional interception of users’ electronic communications while using iOS. In a class-action suit filed at a District Court in California on September 21st, the petitioners argue that Facebook illegally intercepted and recorded users’ data while they used its in-app browser to access third-party websites, harming their privacy rights.

The social media giant did not disclose these practices to users. ‘Had Plaintiffs known that Meta could and would use its in-app browser to overcome Plaintiffs’ default browser settings and override their privacy choices, Plaintiffs would have avoided navigating to third-party websites from within Facebook,’ the petition hypothesises. 

Claiming that Meta’s actions are in violation of state and federal laws on privacy and competition, the petitioners seek various types of relief and that the platform’s actions be brought to a halt.


FREE READ of the day by MediaNama: Click here to sign-up for our free-read of the day newsletter delivered daily before 9 AM in your inbox.


Why it matters: The petitioners contextualise Meta’s interception of user communications against updates to Apple’s iOS—specifically, April 2021’s iOS 14.5 update, which required platforms to obtain a user’s consent to track their activity online. Meta—whose billion-dollar profits are substantially owed to detailed profiling of users for advertising purposes—lost out its main revenue stream as a result of the update, argue the petitioners. Petitions like these hint toward changing tides for prevailing digital advertising models—their privacy-invasive methods are coming under increasing scrutiny from regulators and the public alike.

Advertisement. Scroll to continue reading.

Meta has bypassed Apple’s efforts at enabling consent by inserting a JavaScript code into third-party sites accessed through Facebook’s browser, the petitioners claim. As a result, Meta still manages to collect a wide range of personally identifiable information on users. The petitioners claim that this non-consensual data gathering includes information on ‘every button, keystroke and link a user taps, whether the user has taken any screenshots, text entries (including passwords and credit card information), and how much time a user spent on the website’. 

The petition claims that Meta has acknowledged its tracking of in-app browsing activity on Facebook. However, the platform ambiguously argues that this is done to ‘aggregate events’ before they are used in targeted advertising. That being said, this script is not inserted into the in-app browser for WhatsApp, which ‘confirms that injecting JavaScript [in Facebook’s browser] is not necessary for users’ security or for any other legitimate purpose’ argue the petitioners. Interception benefits Meta’s ad revenues alone at the cost of a user’s reasonable expectation of privacy, allege the petitioners. 

How Is Meta Intercepting Private Communications?

The petitioners’ claims largely target Facebook’s (and Meta’s) intensive profiling of individuals to support its advertising business—which comprised 97% of Meta’s revenue for 2021, according to the petition.

While Facebook offers its services for free, ‘Meta conditions the use of Facebook upon users disclosing sensitive and valuable personal information when they register, including birthdates and email addresses,’ the petitioners argue. This information is consistently gathered and aggregated, and then used to target advertisements at individuals. 

The quest for gathering more information on users to boost profits has led to Facebook summarily violating the privacy rights of its users over the years through various surreptitious data mining strategies. The petitioners claim that the platform has done so again in the context of iOS.

The petition leans heavily on a report by data privacy researcher, Felix Krause, which reveals that Meta injects JavaScript code into third-party websites being accessed through Instagram and Facebook’s in-app browser. ‘When a Meta user, while visiting the Facebook app, clicks on a link to an external website (e.g., from a friend’s wall post on their profile), Meta automatically reroutes the user to its own in-app web browser instead of the users’ built-in web browser (such as Apple’s Safari app that is preloaded onto iPhones). As a result, third-party websites are rendered inside the app—enabling Meta “to monitor everything happening on external websites, without the consent [of] the user” or from the website itself,’ says the petition, summarising the report.

Advertisement. Scroll to continue reading.

How Meta accesses electronic communications via Facebook and Instagram according to the petition.

On the flip side, if a user accessed the website directly through their preferred web browser on iOS, it ‘would actively block and prevent Meta’s ability to intercept and track the user’s activity on the third-party website’. Meta did not disclose that it was tracking users even after they opted out of being tracked. 

Meet the Plaintiffs

The plaintiffs are Gabriele Willis (resident of California) and Kerreisha Davis (resident of Louisiana). Both had active Facebook accounts—and did not consent to Meta’s tracking of their electronic communications. They reasonably held that Meta would not intercept their communications or collect personally identifiable information on them as they accessed third-party sites through Facebook’s in-app browser.

The ‘Class’ the plaintiffs are representing comprises all persons in the US ‘with active Facebook accounts who visited a third-party external website on Facebook’s in-app browser during the Class Period’. The ‘Subclass’ they represent is people in California who were subject to the same violations during the Class Period. 

According to the petition, the Class Period is between when Meta began implementing such practices on Facebook and the final date of judgment. It does not specify what the exact starting point is.

First Claim for Relief: Violation of the Wiretap Act; On Behalf of the Class

Meta non-consensually intercepted the contents of the plaintiffs’ electronic communications as they switched between Facebook to third-party websites. This is in violation of the federal Wiretap Act.

What the law says: Intentional interception of a wire, and an oral or electronic communication is forbidden by the Wiretap Act, amended by the 1986 Electronic Communications and Privacy Act. The Act provides a right of action for those whose communications are intercepted. 

Arguments: Meta knowingly and intentionally injected a specific JavaScript code into third-party websites accessed through Facebook’s in-app browser. This script intercepted the plaintiffs’ electronic communications without their knowledge or consent, even as it allowed Facebook unfettered access to their interactions with third-party platforms.

Advertisement. Scroll to continue reading.

Relief sought: ‘Preliminary, equitable and declaratory relief, in addition to statutory damages of the greater of $10,000 or $100 per day for each day of violation, actual damages, punitive damages, and reasonable attorneys’ fees and costs of suit,’ reads the filing.

Second Claim for Relief: Violation of the California Invasion of Privacy Act; On Behalf of the Class or California Subclass

Meta’s illicit surveillance and interception of users through a JavaScript plug-in also marks a violation of the California Invasion of Privacy Act.

What the law says: The California Penal Code under which the provision falls penalises intentional and non-consensual interception of communications. If found guilty, an entity is to pay a fine of up to $2,500.

Arguments: Meta’s usage of JavaScript to profile users was intentional and non-consensual—the information it collected included the ‘personally identifiable information and other highly specific information and communications, including, without limitation, every button, keystroke and link a user taps, whether the user has taken any screenshots, text entries (including passwords and credit card information), and how much time a user spent on the website‘. Meta did not disclose that it was intercepting or tracking communications generated as users accessed third-party websites based in California within Facebook. The information Meta collected would not be accessible to the company without such non-consensual tracking. 

Relief sought: ‘Meta is liable to the Plaintiffs and Class members for the greater of treble actual damages related to their loss of privacy in an amount to be determined at trial, or statutory damages in the amount of $5,000 per violation,’ reads the filing.

Third Claim for Relief: Invasion of Privacy (Intrusion Upon Seclusion); On Behalf of the Class

The Plaintiffs and Class Members assumed the expectation of privacy while using Facebook and third-party websites within it. Meta’s actions injure their privacy rights, in that ‘Meta intentionally intruded upon their solitude or seclusion’.

Advertisement. Scroll to continue reading.

What the law says: As MediaNama previously reported in a similar case filed against Oracle’s illicit data gathering practices, ‘under U.S. Common Law, the ‘intrusion upon seclusionprivacy tort refers to an intentional invasion of someone’s privacy (or ‘seclusion’) that is offensive to a reasonable person and causes suffering. To assert such a claim, the petitioners must plead that a highly offensive intrusion into a private place or matter took place.’

Arguments: Meta failed to prevent the dissemination or misuse of users’ confidential and sensitive personally identifiable information. Its actions overrode user controls over the information that they allow Meta to track.  Its actions prevented unknowing users from making decisions or doing activities that were not tracked by Meta.

Relief sought: ‘Just compensation, including monetary damages,’ reads the filing.

Fourth Claim for Relief: Violation of the Unfair Competition Law; On Behalf of the Class or California Subclass

Meta’s conduct was and is unfair, predatory, and in violation of larger public policies in California that protect the privacy of confidential information.

What the law says: The petitioners contend that Meta’s actions are in violation of the Unfair Competition Law, an antitrust legislation which outlaws an ‘unlawful, unfair, or fraudulent business act or practice and unfair, deceptive, untrue or misleading advertising’. They add that it also violates the Consumers Legal Remedies Act.

Arguments: Meta’s conduct was solely in the interest of increasing its profits by acquiring users’ personal information. Meta’s conduct is unjust in that it has reaped millions at the expense of misled consumers who believed in the platform’s integrity and privacy-respecting features. The suit argues that had the Plaintiffs and Class Members known they were being tracked through in-app browser, they would have ‘avoided navigating to third-party websites from within Facebook, and instead would have copied and pasted links into their standard browser to avoid being tracked, thereby avoiding this injury’. Interestingly, the petitioners argue that Meta’s non-consensual and intentional tracking also depreciated the value of the data itself—although no arguments are provided to substantiate this.

Advertisement. Scroll to continue reading.

Relief sought: Restitution, injunctive relief, and other relief sanctioned by the Unfair Competition Law. 

Fifth Claim for Relief: Unjust Enrichment (On Behalf of the Class)

Meta has profited off of the unjust tracking of users described above. Or, alternatively in this case, ‘Plaintiffs and Class members conferred benefits on Meta by using Facebook’. Meta’s retention of these profits and benefits is unjust.

Relief sought: The profits should either be disgorged from Meta, or placed in a ‘constructive trust’ for the Plaintiffs and Class Members to obtain restitution.

Questions of Law to Be Answered in this Case

As per the petitioners, these are the main questions before a Judge and Jury:

  • Did Meta intentionally tap the electronic communications of Class members when they visited third-party websites?
  • Does Facebook’s in-app browser record Class members’ personally identifiable information and private communications?
  • Do Class members have a ‘reasonable expectation of privacy’ when it comes to this kind of information?
  • Is Meta’s privacy invasion ‘highly offensive to a reasonable person’?
  • Are Meta’s actions in violation of federal and state laws?
  • Did Meta’s conduct result in a breach of confidentiality?
  • Did Meta’s actions mislead Class members about the control they had over their private communications?
  • Are the Class members entitled to damages, restitution, or relief?

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Read More

Advertisement. Scroll to continue reading.
Written By

I'm interested in stories that explore how countries use the law to govern technology—and what this tells us about how they perceive tech and its impacts on society. To chat, for feedback, or to leave a tip: aarathi@medianama.com

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.

Views

News

Studying the 'community' supporting the late Sushant Singh Rajput (SSR) shows how Twitter was gamed through organized engagement

News

Do we have an enabling system for the National Data Governance Framework Policy (NDGFP) aiming to create a repository of non-personal data?

News

A viewpoint on why the regulation of cryptocurrencies and crypto exchnages under 2019's E-Commerce Rules puts it in a 'grey area'

News

India's IT Rules mandate a GAC to address user 'grievances' , but is re-instatement of content removed by a platform a power it should...

News

There is a need for reconceptualizing personal, non-personal data and the concept of privacy itself for regulators to effectively protect data

You May Also Like

News

Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

Advert

135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...

News

By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

News

Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Name:*
Your email address:*
*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ