In Re FACEBOOK INTERNET TRACKING LITIGATION

Filing 157

THIRD AMENDED COMPLAINT (Public Version) against All Defendants. Filed by Brian K. Lentz, Perrin Aikens Davis, Matthew J. Vickery, Cynthia D. Quinn. (Attachments: #1 Exhibit A, #2 Exhibit B, #3 Exhibit C, #4 Exhibit D, #5 Exhibit E, #6 Exhibit F, #7 Exhibit G, #8 Exhibit H, #9 Exhibit I, #10 Exhibit J, #11 Exhibit K, #12 Exhibit L, #13 Exhibit M, #14 Exhibit N, #15 Exhibit O, #16 Exhibit P, #17 Exhibit Q, #18 Exhibit R, #19 Exhibit S, #20 Exhibit T, #21 Exhibit U (redacted), #22 Exhibit V (redacted), #23 Exhibit W (redacted), #24 Exhibit X (redacted), #25 Exhibit Y (redacted), #26 Exhibit Z (redacted), #27 Exhibit AA (redacted), #28 Exhibit BB (redacted), #29 Exhibit CC (redacted), #30 Exhibit DD (redacted), #31 Exhibit EE, #32 Exhibit FF (redacted), #33 Exhibit GG (redacted), #34 Exhibit HH (redacted), #35 Exhibit II (redacted), #36 Exhibit JJ, #37 Exhibit KK, #38 Exhibit LL (redacted), #39 Exhibit MM, #40 Exhibit NN, #41 Exhibit OO, #42 Exhibit PP)(Straite, David) (Filed on 8/25/2017) Modified on 8/25/2017 (cv, COURT STAFF).

Exhibit T

January 6, 2012

The Honorable Cliff Stearns
U.S. House of Representatives
2306 Rayburn House Office Building
Washington, DC 20515-0906

The Honorable Diana DeGette
U.S. House of Representatives
2335 Rayburn House Office Building
Washington, DC 20515-0601

The Honorable Joe Barton
U.S. House of Representatives
2125 Rayburn House Office Building
Washington, DC 20515-6155

The Honorable Edward J. Markey
U.S. House of Representatives
2108 Rayburn House Office Building
Washington, DC 20515-6155

Dear Representatives Stearns, DeGette, Barton, and Markey:

This letter responds to your December 8, 2011 inquiry about Facebook's practices. We appreciate the opportunity to respond to your questions.

Facebook develops innovative products and services that facilitate sharing, self-expression, and connectivity. We work hard to give people control over the information they share and the connections they make. When people use Facebook, they do so because they trust that we will use the information they provide to us fairly and responsibly, and we are committed to working every day to sustain and deepen that trust.

That commitment is reflected in our agreement last month with the Federal Trade Commission to formalize and enhance our privacy program. The comprehensive program that we are developing will address the privacy risks related to new and existing services and ensure that appropriate privacy and security protections are integrated into those services. It also will be evaluated by an independent outside auditor, who will be responsible for assessing whether we are meeting our obligations over the next twenty years.

Our commitment to building people's trust also is reflected in the results of an audit of the privacy practices of our international affiliate, Facebook Ireland, Ltd., which the Office of the Data Protection Commissioner of Ireland released in December.[1] Among other conclusions, the report issued by the Commissioner's Office determined that Facebook has "a positive approach and commitment ... to respecting the privacy rights of its users."[2] In an effort to improve the way that we provide our services, we agreed as part of the Irish audit to implement or consider a range of best practices recommended by the audit team, the vast majority of which also will apply to our practices in the United States.

[1] Facebook Ireland, Ltd., Report of Audit of Irish Data Protection Commissioner (available at ). Although the Irish Data Protection Commission does not have jurisdiction over Facebook's activities in the United States, the practices and policies that it audited are the same as those in effect at Facebook in the United States.

FB_MDL_00000240

Our agreement with the Federal Trade Commission and commitments to the Irish Data Protection Commissioner demonstrate that Facebook is serious about working with regulators, policymakers, advocates and experts to inform our data practices and policies. They also reflect emerging industry standards and, in that sense, help to establish rules that all Internet-based companies can and should live by.

With this background in mind, we address each of your questions in turn.

1. Please explain Facebook's browsing or tracking information collection practices.
a. What browsing or tracking information does Facebook collect for both users and non-users? Does this information collection include any information that can be used to identify an individual?
b. How does Facebook inform users and non-users of any data collection?
c. Can users or non-users opt-out of this information collection? If so, how?
d. Does Facebook collect any information about a user's activity after a user or non-user opts-out?

As your letter notes, Facebook allows third-party websites to display certain Facebook functionality on their sites through social plugins, such as the "Like" button.
Facebook has not designed its advertising system to "track" people through social plugins on third-party websites for the purpose of profiling their activities and serving them targeted advertisements based on that activity. As the Office of the Irish Data Protection Commissioner found in its report:

"[T]his Office conducted a thorough analysis of the use of information gathered from external websites via the social plug-in. This Office is satisfied (for the reasons stated elsewhere) that such information is not associated with the user or used in any way to build a profile of that user. Neither is there any profile formed of non-users which could be attributed to a person on becoming a user."[3]

"We found no evidence, from a very extensive examination of code, logging and queries served to the logged data that the information gathered was used for any advertising, predictive or user profiling purposes."[4]

The Office of the Irish Data Protection Commissioner rendered these findings only after testing our use of the data collected through social plugins.[5]

[2] See Report of Audit of Irish Data Protection Commissioner, p. 3.
[3] See id., p. 65.

FB_MDL_00000241

As background, social plugins allow a third-party website to present relevant information to a logged in Facebook user and to enable Facebook users to share content from that third-party site with their friends. This extends the experience of Facebook to other websites by enabling people to connect with friends and to recommend, comment on, and share content across the Internet.

When a third-party website chooses to use Facebook features on their sites, Facebook records certain browser-related data when people visit those sites. The amount of data that a person's browser sends to Facebook depends on whether the person has visited Facebook in the past and whether the person is logged into Facebook when he or she visits the site.
• When a person who has never visited Facebook.com before visits a website with a social plugin, Facebook will receive a limited list of standard browser information, including: (i) the website being visited, (ii) the date and time, (iii) the IP address of the computer, and (iv) information about the browser type and operating system. The transmission of this information is part of the normal operation of the Internet: the information is sent to Facebook so that its servers can communicate with the person's browser and load the Facebook functionality onto the webpage.

• In addition to this technical information, if the person has visited Facebook.com in the past, Facebook will record information that has been stored in a "cookie" that was previously set when the person visited our site. For people who have visited Facebook.com, we place a cookie on their browser that identifies the individual browser but does not include personally identifying information, such as name or contact information. This browser-identifying cookie helps us keep Facebook and the people who use it safe. For example, we want to know if the same browser is attempting to visit Facebook thousands of times in just a few seconds as part of a coordinated denial of service attack.

• When a person is logged into Facebook and then visits a third-party site with a social plugin, we receive additional information that we need to provide the personalized, social experience that people request when they log into Facebook. Specifically, when a person is logged into Facebook, we would use a cookie to confirm that the person is logged into a specific Facebook account so that we can customize the content presented through the social plugin. For example, this allows us to ensure that when someone clicks the "Like" button, the "Liked" information is associated with the correct account or if someone visits a site with news articles, a social plugin may show them articles that their friends have liked or have shared on Facebook.

[4] See id., p. 74.
[5] See Report of Audit of Irish Data Protection Commissioner, p. 82 ("Tests were also performed to attempt to establish whether or not the act of a logged-in Facebook user simply browsing to pages that have social plug-ins (as opposed to clicking the 'Like' button) would influence the advertising that the user is presented with. An affirmative result would strongly indicate that Facebook were using browsing activity to target advertising, which it is claimed is not the case. No correlation with browsing activity was identified.").

FB_MDL_00000242

Importantly, Facebook specifically designed its social plugins so as not to share information that people provide on Facebook with third-party sites. To do this, the social plugin pulls content directly from Facebook's website and sends it to the person's browser, allowing, in effect, a part of Facebook to appear on a non-Facebook site. As the Office of the Irish Data Protection Commissioner found in its report:

"We have confirmed that the content of the social plugin iframe is delivered directly to the web browser from Facebook and the website on which the social plugin is hosted has no visibility of the content of the social plugin delivered."[6]

In short, Facebook's social plugin technology brings socially relevant content to users as they interact with other sites around the Internet without sharing any of that information with the hosting site.

The information that we log through social plugins is used to deliver our services and analyze internally how our services are being used across the Internet. We also may use the information we collect for internal operations, including data analysis, research, development, and service improvement.
We describe in our Data Use Policy, which is available from a link that appears on virtually every page of our website, how we collect and use information when people use third-party sites that include Facebook plugins. Specifically, we explain:

"We receive data whenever you visit a game, application, or website that uses Facebook Platform or visit a site with a Facebook feature (such as a social plugin). This may include the date and time you visit the site; the web address, or URL, you're on; technical information about the IP address, browser and the operating system you use; and, if you are logged in to Facebook, your User ID."[7]

Our Data Use Policy also provides a link to our Help Center, where we answer frequently asked questions about a variety of topics, including questions around social plugins.[8] There, we answer questions such as, "Does Facebook receive cookie information when I visit a site with a Like button or other social plugin" and "What information does Facebook receive when I visit a site with the Like button or another social plugin."

[6] See Report of Irish Data Protection Commissioner, p. 80.
[7] Our Data Use Policy can be found here:

FB_MDL_00000243

People can control the extent to which we receive and record information about them when they use sites with social plugins by logging out of Facebook. When a person logs out of Facebook, we do not record through social plugins any information that identifies his or her particular account. Due to the limitations in browsers today, there are some categories of information about a browser - such as its Internet Protocol address, the referring page, and the operating system - that browsers send automatically whenever a user views content on the web.
Just like other web-based companies, we accordingly receive this information automatically from web browsers as a part of the normal operation of the Internet regardless of the browser status of the person visiting a third-party site (i.e., logged in, logged out, or non-Facebook user).

2. Does Facebook offer its users a way to opt-out of all information collection (other than information the user specifically provides to Facebook)? If so, how is Facebook making it easier for users to understand their ability to opt-out? If not, please explain why Facebook does not offer such an opt-out.

We provide information on our website about the circumstances under which we collect information when people use Facebook, the purposes for which we use such information, and the choices people have regarding that information.[9] We do not offer Facebook users a way to opt out of all information collection. As the Office of the Irish Data Protection Commissioner concluded in its report:

"[I]t is important to make clear at the outset that this Office does not consider that it is possible using data protection requirements as a basis to require [Facebook] to deliver a free service from which members can have the right to opt-out completely from the means of funding it."[10]

With respect to information provided by individuals, we offer granular privacy controls that allow people to choose who will be able to see each piece of information they post and alter the privacy setting of something they have previously posted. And we provide interactive privacy tools that, for example, enable people to review the permissions they have granted to the Facebook applications they use and download the information they have submitted to Facebook all at once.

We also respect people's ability to request removal of information they have posted on Facebook and to request removal of their account in its entirety.
This is reflected in the obligation that we undertook in our agreement with the Federal Trade Commission to "implement procedures reasonably designed to ensure that [this] information cannot be accessed by any third party from servers under [our] control after a reasonable period of time, not to exceed thirty (30) days, from the time that the user has deleted such information or deleted or terminated his or her account, except as required by law or where necessary to protect the Facebook website or its users from fraud or illegal activity."

[9] See e.g., https://www.facebook.com/full_data_use_policy (describing "information received and how it used").
[10] See Report of Irish Data Protection Commissioner, p. 44.

FB_MDL_00000244

In agreeing to this obligation, the Federal Trade Commission and we focused on our commitment that, when people ask us to remove information that they have posted, we act quickly to make that information inaccessible on Facebook. This commitment reflects the recognition that the fundamental goal of a removal request is to prevent further distribution of that information. The Federal Trade Commission recognized that the essential commitment to promptly make removed information inaccessible creates real value for consumers by giving them control over its further distribution.

Recognizing that each person will have different preferences when it comes to privacy and that a person's preferences may differ depending on the information itself - we believe that offering a menu of privacy settings and the various tools described above provides people with meaningful control over their privacy without stifling the social communication that is the reason they use Facebook in the first place.

3. Please explain Facebook's practices regarding the archiving of user information. How does Facebook treat a deceased user's account and personal information?
Many people use Facebook as the primary place where they store personal photos, videos, and other information that is important to them, so it is important that we ensure their information is available for them, anytime. We archive this material in our active databases and also maintain emergency backup records of stored information. Because securing information against unauthorized access is critical to Facebook, we invest heavily in technology, people and processes as part of our commitment to keeping the data that we archive safe and secure.

It is our position that people own the information they post on Facebook and they can modify or delete such information. We have a comprehensive process for responding to requests that we remove individual pieces of data and we will follow the obligations regarding the retention of data that are included in our agreement with the FTC, which are described in response to question 2.

When a Facebook account-holder passes away, our policy is to place the account into a special memorialized status to help protect the privacy of the person and his or her family and friends. Memorializing an account sets the account privacy so that only confirmed friends can see the person's profile or timeline or locate it on Facebook search. Friends and family can leave posts in remembrance. Memorializing an account also prevents anyone from logging into the account and makes other changes, such as preventing the person from appearing in the Suggestions portion of our homepage.

FB_MDL_00000245

If we receive a request from a verified immediate family member of the person who passed away, we will delete or deactivate the person's account from Facebook rather than memorializing it. This will prevent any information associated with the person's account - including the person's profile or timeline - from appearing on Facebook.

4.
News reports indicate that when Facebook launches the "Timeline" site-wide, users will have 5 days to emphasize or hide aspects of their profiles.
a. How did you arrive at the time frame of 5 days?
b. How did you respond to concerns that it will be onerous for users to carefully review each prior post and photo in just 5 days, particularly for long-time or highly active users?
c. Do you have any analysis indicating how many users will dedicate the time to do this?

Although the implementation of timeline on Facebook changes the template that we use to display information on people's profiles, no privacy setting is changing. As a result, all of the choices that people made regarding the privacy of their information on Facebook will continue to be effective. For example, if a person uploaded a photo and made it available only to specific friends, then only those friends will be able to see the photo through timeline. Similarly, if someone removed herself from a photo in which she was tagged or chose not to allow photos in which other people tag her to appear on her profile, those preferences will continue to be respected.

We recognize, of course, that any time we change our interface, people will want to understand how we will display the information that is already on Facebook. That is why we decided to roll out timeline with a seven-day preview,[11] which will allow people to see how their timeline will look to others before it launches publicly and to make any changes to their privacy settings before that launch. During the preview period, a person's traditional profile is still visible to the audiences they have selected. Again, existing privacy settings will continue to be respected, so the only preexisting information that will appear in a user's timeline is information that was already visible under the privacy settings that existed before the user upgraded to timeline.
During the roll-out period, each person can choose when his or her preview starts so that it can happen at a time convenient to him or her. And, while we believe it is important for people to see their Timelines before they become public, we also understand that it can be confusing for people to see a different view of their own profile than others see. We chose seven days in an effort to give people a sufficient amount of time to review their Timeline before it is made available to others without causing confusion as to what information is visible to others. That is why, after the seven-day preview period, we think it is most important to ensure that there is consistency between the way a person's profile looks when he or she views it and the way it looks for others.

[11] Some news outlets erroneously reported that the Timeline preview period is five, rather than seven, days.

FB_MDL_00000246

Although we do not have statistics as to how long it takes people to curate their Timelines or how many users are likely to do so, we are offering a number of tools and settings to help make curating Timelines fast and easy. These include Activity Log, which is the most comprehensive information control tool that we have ever developed. Using Activity Log, people can review their posts and activity, from today back to when they first started using Facebook. They can sort and review content by type - for example, photos or status updates and quickly adjust the privacy settings of the content, including featuring or hiding it in their Timelines or deleting it entirely.[12]

We also have added a tool to make it easy for people to see how their Timelines look to others. To do this, a person can simply go to their Timeline, click "View As ..." and type the name of a friend (or non-friend) on Facebook. We will then show how the Timeline would look to the specified individual.
In addition to offering tools to help people manage their privacy settings, we are taking a number of steps to help people learn about Timeline. When people get Timeline, they will participate in a multi-step transitional tour that walks them through the features of Timeline, including how to feature, hide, or delete stories. We also will begin featuring educational announcements on Facebook profiles and the home page, linking to informative pages, FAQs, tutorials and videos. In total, we will be serving more than 3 billion educational messages to help people learn more about Timeline and how they can control what information it displays.

5. The New York Times recently reported that Facebook's privacy policy has grown in length by a factor of nearly six in as many years. The current privacy policy is 5,830 words in length, up from 1,004 in 2005. Facebook's 2010 privacy policy was longer than that of all other social networks and exceeded in length the United States Constitution, without Amendments. As you may know, we strongly support greater transparency to empower consumers with the information they need to make informed choices. We are concerned, however, that long, complex privacy policy statements make it difficult for consumers to understand how their information is being used. Do you believe the average Facebook user would read such a lengthy document in order to understand what personal information Facebook collects, uses, or shares? Please provide any data indicating the percentage of Facebook users who read the full policy.

We strongly agree that consumers should be provided with the information they need to make informed choices about the use of their data online.
The FTC emphasized this point in its December 2010 preliminary staff report when it urged companies to provide this information (and, if appropriate, offer the person a choice about the use of his or her data) "at a time and in a context in which the consumer is making a decision about his or her data."[13] Over the past year, we have implemented this principle across Facebook. For example, through our inline audience selector controls, users can easily exercise control over the audience with whom a post or profile update will be shared at the moment they create the post or update.[14] Also, when we launch new features, we often include "What's this?" question marks in the context that the feature is implemented. By hovering over the question mark, the user can learn more information about the new feature, including how it may use the person's data.

[12] More information about Activity Log is available at http://www.facebook.com/help/activitylog.
[13] Fed. Trade Comm'n, Preliminary Staff Report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers 57-58 (Dec. 2010).

FB_MDL_00000247

We also agree that long and complex privacy policies can make it difficult for consumers to understand how their information is being used. For this reason, when we rolled out our new Data Use Policy last year, we included a number of innovative features that were designed to make the Policy more accessible and useful for the people who use Facebook. The Policy, available from almost every page on our site, describes in plain English our data use practices and includes a comprehensive, easy-to-understand guide to privacy on Facebook. In it, we use a layered approach, summarizing our practices on the front page and then allowing people to click through the Policy for more details. Of course, people who want to read the entire Data Use Policy on one page can do that as well.
By adopting this layered approach to privacy, our goal was to make comprehensive and detailed information available to people who wanted it, while making shorter summaries about how we use the data we receive easily available. We believe that this layered and graphical approach is the best way to provide people with clear information about our data use practices.

We also sought to provide the information in a more accessible layout, using graphics and offering a format similar to the way content is presented to users online. The content is organized by topic, similar to our Help Center, which lets users find exactly what they are looking for quickly and easily.

We believe that the Data Use Policy provides the information that our users need because we developed it with their feedback. It has long been Facebook's policy - unmatched in the industry - to announce proposed changes to our Data Use Policy and offer users the ability to comment on the changes before they take effect. Numerous users commented on our latest updates, and we incorporated many of those comments into the current Data Use Policy.

Although we do not have the ability to determine the percentage of Facebook users who have read the full Data Use Policy, we believe that the resources we offer to users about how to control their information reaches a large cross-section of our user base. We give our users a wide array of choices in how they can obtain information about the uses of their data. While some users prefer to read full privacy policies to learn about how their data is being used online, we recognize that others would rather be given that information in different formats. That's why, in addition to our Data Use Policy, we provide information throughout our site to educate users about our practices.
For example:

• We have created a number of interactive privacy tools that, for example, let people preview how their profile looks to any other specific person, see what permissions they have granted to the Facebook applications they use, and download the information they have submitted to Facebook all at once.[15]

• We provide links to our Help Center in the dropdown menu at the top of every page of our site. People can use the Help Center to learn information about topics ranging from their Account Settings to online bullying, as well as to search for answers to privacy-related questions.[16]

• We display Facebook public service announcements to educate people about privacy and related topics. Most recently, we displayed a notice on the pages of Facebook users entitled About Ads: Ever wonder how Facebook makes money? Get the Details, which linked to a video describing advertising on Facebook.[17]

• We enable users to preview and comment on changes to our Data Use Policy on our Site Governance page, which has over two million fans.[18] In addition, Facebook users obtain privacy-related updates, information, and other resources in their News Feed by "liking" the Facebook & Privacy Page, which has almost 600 thousand fans.[19]

• We offer videos and other tutorials about how our products, tools, and features work, including through our Facebook Page, which has over 57 million fans.[20]

[14]

FB_MDL_00000248

We believe the compendium of resources that we offer, including our Data Use Policy and the tools highlighted above, demonstrates our commitment to ensuring Facebook users understand the collection and use of their information and how they can control this collection and use.
We recognize that we can always improve upon the information that we provide about our practices and, as part of our commitments to the Office of the Irish Data Protection Commissioner, we have agreed to implement a number of modifications to our Data Use Policy, including additional explanations of our data protection practices. Our goal is to ensure that Facebook users have the information they need to make the privacy decisions that are right for them.

* * *

FB_MDL_00000249

Thank you for your letter. If we can provide any additional information, please do not hesitate to contact us.

Erin M. Egan
Chief Privacy Officer, Policy
Facebook

FB_MDL_00000250

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.

