In Re FACEBOOK INTERNET TRACKING LITIGATION
Filing
35
CORRECTED FIRST AMENDED CONSOLIDATED CLASS ACTION COMPLAINT against Facebook Inc.. correction to # 33 First Amended Consolidation Class Action Complaint Filed by Brian K. Lentz, Perrin Aikens Davis, Matthew J. Vickery, Cynthia D. Quinn. (Kiesel, Paul) (Filed on 5/23/2012) Modified on 5/23/2012 (cv, COURT STAFF).
1 KIESEL BOUCHER LARSON LLP
Paul R. Kiesel (SBN 119854)
2 kiesel@kbla.com
8648 Wilshire Boulevard
3
Beverly Hills, CA 90211-2910
4 Telephone: (310) 854-4444
Facsimile:
(310) 854-0812
5 Interim Liaison Counsel
6 BARTIMUS, FRICKLETON,
ROBERTSON & GORNY, P.C.
7 Edward D. Robertson, Jr.
Stephen M. Gorny
8 James P. Frickleton
Mary D. Winter
9 Edward D. Robertson III
11150 Overbrook Road, Suite 200
10 Leawood, KS 66211
chiprob@earthlink.net
11 Telephone:
(913) 266-2300
Facsimile:
(913) 266-2366
12 Interim Co-Lead Counsel
13
14
STEWARTS LAW US LLP
David A. Straite. (admitted pro hac vice)
Ralph N. Sianni
Michele S. Carino
Lydia E. York
1201 North Orange Street, Suite 740
Wilmington, DE 19801
dstraite@stewartslaw.com
Telephone:
(302) 298-1200
Facsimile:
(302) 298-1222
Interim Co-Lead Counsel
IN THE UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF CALIFORNIA
SAN JOSE DIVISION
15 IN RE: FACEBOOK, INC. INTERNET
TRACKING LITIGATION
16
No. 5:12-md-02314-EJD
17
CORRECTED FIRST AMENDED
CONSOLIDATED CLASS ACTION
COMPLAINT
18
DEMAND FOR JURY TRIAL
19
20
21
22
23
24
25
26
27
28
1
CORRECTED FIRST AMENDED
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1
2
NATURE OF THE ACTION
1.
This class action lawsuit, seeking in excess of $15 billion in damages and
3 injunctive relief brought by, and on behalf of, similarly situated individuals domiciled in the
4 United States who had active Facebook, Inc. (“Facebook” or the “Defendant”) accounts from May
5 27, 2010 through September 26, 2011 (the “Class Period”), arises from Facebook’s knowing
6 interception of users’ internet communications and activity after logging out of their Facebook
7 accounts in violation of state and federal laws.
8
9
JURISDICTION AND VENUE
2.
This Court has personal jurisdiction over Defendant Facebook because Facebook is
10 headquartered in this District.
11
3.
This Court has subject matter jurisdiction over this action and Defendant Facebook
12 pursuant to 28 U.S.C. § 1331 because this action arises in part under federal statutes, namely the
13 Federal Wiretap Act, 18 U.S.C. § 2511 (the “Wiretap Act”), the Stored Communications Act, 18
14 U.S.C. § 2701 (“SCA”) and the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”)
15 and pursuant to 28 U.S.C. § 1332(d) because the amount in controversy exceeds $5,000,000.
16
4.
Venue is proper in this District because Defendant Facebook is headquartered in
17 this District. In addition, The Facebook Statements of Rights and Responsibilities in force during
18 the Class Period, which governs the relationship between Facebook and its users, provides for
19 exclusive venue in state or federal courts located in Santa Clara County, California.
20
21
THE PARTIES
5.
Plaintiff Mrs. Perrin Davis (“Davis”) is an adult domiciled in Illinois. Davis had an
22 active Facebook account during the entire Class Period, which Facebook utilized to track and
23 intercept her specific electronic activity and communications.
24
6.
Plaintiff Prof. Cynthia Quinn (“Quinn”) is an adult domiciled in Hawaii. Quinn
25 had an active Facebook account during the entire Class Period, which Facebook utilized to track
26 and intercept her specific electronic activity and communications.
27
7.
Plaintiff Dr. Brian Lentz (“Lentz”) is an adult domiciled in Virginia. Lentz had an
28 active Facebook account during the entire Class Period, which Facebook utilized to track and
CORRECTED FIRST AMENDED
2
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1 intercept his specific electronic activity and communications.
2
8.
Plaintiff Mr. Matthew Vickery (“Vickery”) is an adult domiciled in Washington
3 State. Vickery had an active Facebook account during the entire Class Period, which Facebook
4 utilized to track and intercept his specific electronic activity and communications.
5
9.
Defendant Facebook is a Delaware corporation which maintains its headquarters at
6 156 University Avenue, Palo Alto, California 94301. Facebook is a “social network” that permits
7 its members to interact with one another through a web site located at www.facebook.com. By the
8 end of the Class Period, Facebook had approximately 800 million members, of whom 150 million
9 were in the United States.
10
11 I.
FACTUAL ALLEGATIONS
FACTUAL BACKGROUND
12
Zuckerberg: Yeah so if you ever need info about anyone at Harvard
13
Zuckerberg: Just ask.
14
Zuckerberg: I have over 4,000 emails, pictures, addresses, SNS
15
[Redacted Friend’s Name]: What? How’d you manage that one?
16
Zuckerberg: People just submitted it.
17
Zuckerberg: I don’t know why.
18
Zuckerberg: They “trust me”
19
Zuckerberg: Dumb fucks.
20
-
21
22
10.
Facebook Founder Mark Zuckerberg’s Instant Messages,
circa 2004, as made public by New York Magazine
on September 20, 2010
Facebook is the brainchild of the Company’s founder and Chief Executive Officer,
23 Mark Zuckerberg, who wrote the first version of “The Facebook” in his Harvard University dorm
24 room and launched the Company in 2004. The key to Facebook’s success was to convince people
25 to create unique, individualized profiles with such personal information as employment history
26 and political and religious affiliations, which then could be shared among their own network of
27 family and friends.
28 / / /
3
CORRECTED FIRST AMENDED
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1
11.
Facebook has become the largest social networking site in the world with over 800
2 million users world-wide and over 150 million users in the United States.
3
12.
Facebook’s enormous financial success is the result of connecting advertisers with
4 its huge repository of personal data provided by users. As Facebook explained in its recent
5 Registration Statement, “Advertisers can engage with more than 900 million monthly active users
6 (MAUs) on Facebook or subsets of our users based on information they have chosen to share with
7 us such as their age, location, gender, or interests. We offer advertisers a unique combination of
8 reach, relevance, social context, and engagement to enhance the value of their ads.”
See
9 Amendment No. 5 to Form S-1 Registration Statement, filed by Facebook, Inc. with the United
10 States Securities and Exchange Commission on May 3, 2012 (the “Registration Statement”) at 1.
11
13.
Indeed, in the past three years, over 90% of Facebook’s revenue was attributable to
12 third party advertising (see Registration Statement at 13), and Facebook is driven to continue to
13 find new and creative ways to leverage its access to users’ data in order to sustain its phenomenal
14 growth (see, e.g., Registration Statement at 88-91, 99-100).
15
14.
Although Facebook does not require its members to pay a monetary subscription
16 fee, membership is not free. Instead, Facebook conditions its membership upon users providing
17 sensitive and valuable personal information to Facebook upon registration, including name, birth
18 date, gender and email address. More importantly, Facebook conditions membership upon the
19 user accepting numerous Facebook small text files, called cookies, on the user’s computer, which
20 allows Facebook to intercept its users’ electronic communications and track browsing history.
21
15.
According to a recent report by Rainey Reitman at the Electronic Frontier
22 Foundation (“EFF”), titled “Facebook’s Hotel California” (Oct. 10, 2011), Facebook installs two
23 types of cookies on members’ computers:
24
25
Session cookies are set when you log into Facebook and they include data like
your unique Facebook user ID. They are directly associated with your Facebook
account. When you log out of Facebook, the session cookies are supposed to be
deleted.
26
27
28
Tracking cookies - also known as persistent cookies - don’t expire when you leave
your Facebook account. Facebook sets one tracking cookie known as ‘datr’ when
you visit Facebook.com, regardless of whether or not you actually have an account.
This cookie sends data back to Facebook every time you make a request of
CORRECTED FIRST AMENDED
4
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1
2
Facebook.com, such as when you load a page with an embedded Facebook ‘like’
button. This tracking takes place regardless of whether you ever interact with a
Facebook ‘like’ button. In effect, Facebook is getting details of where you go on the
Internet.
3
6
When you leave Facebook without logging out and then browse the web, you have
both tracking cookies and session cookies. Under those circumstances, Facebook
knows whenever you load a page with embedded content from Facebook (like a
Facebook ‘like’ button) and also can easily connect that data back to your
individual Facebook profile.
7
As the EFF noted, Facebook promised to delete session cookies upon logout. This is not
4
5
8 just vague industry expectation: it is the limit of the user’s consent under the governing
9 contracts, and therefore under federal law.
10
16.
Use of Facebook is governed by the Statement of Rights and Responsibilities and
11 several other documents and policies, including a Data Use Policy and a Privacy Policy (hereafter
12 referred to collectively as “governing documents”). Although the governing documents reflect
13 that users consent to Facebook installing cookies on each user’s computer, and although users
14 consent to these cookies tracking and transmitting data to Facebook regarding each user’s web
15 browsing, such consent was limited to internet usage while users are logged on to Facebook.
16 Users do not consent to Facebook tracking their web browsing activity after logging out of
17 Facebook. In fact, Facebook represented it would delete the session cookies at the time of logout.
18 On Facebook’s online help center, Facebook clearly and unambiguously emphasized, “When you
19 log out of Facebook, we remove the cookies that identify your particular account.”
20
17.
Even though Facebook assures its users that it does not track their internet
21 browsing post log out, Facebook has been doing exactly that.
22
18.
On September 25, 2011, Australian blogger Nik Cubrilovic reported that: “Even if
23 you are logged out, Facebook still knows and can track every page you visit.” He explained that
24 “[t]his is not what ‘logout’ is supposed to mean – Facebook is only altering the state of the cookies
25 instead of removing all of them when a user logs out.”
26
19.
In response, on September 26, 2011, Facebook engineer Gregg Stefancik thanked
27 Cubrilovic “for raising these important issues” and acknowledged that a particular cookie, the
28 a_user cookie, was not cleared on logout, advising that “We will be fixing that today.” Facebook
CORRECTED FIRST AMENDED
5
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1 further admitted that the Company had not “done as good a job as we could have to explain our
2 cookie practices. Your post presents a great opportunity for us to fix that.”
3
20.
While its response was seemingly forthcoming, Facebook failed to tell users that it
4 had known for nearly a year that its systems were surreptitiously capturing users’ internet
5 browsing habits after logout – and moreover, it had been developing better post-logout tracking
6 devices that were designed exactly for that purpose.
7
21.
In fact, Cubrilovic first discovered that Facebook cookies were tracking user’s
8 internet usage even after logging out of Facebook without the knowledge or consent of the user in
9 2010. Cubrilovic’s investigation revealed that several cookies that revealed personally identifiable
10 information remained post logout, and some even remained after the browser was closed and
11 restarted. In short, Cubrilovic established that Facebook was in fact secretly tracking its users’
12 web browsing without their knowledge or consent even after logout.
13
22.
Cubrilovic repeatedly contacted Facebook to report his findings and ask them to fix
14 the problem. For example, Cubrilovic emailed Facebook on November 14, 2010, and then again
15 on January 12, 2011. Facebook refused to respond.
16
23.
Following the findings of Nik Cubrilovic, Facebook admitted that it has been
17 tracking, collecting, storing and using its users’ wire and/or electronic communications while
18 users have been logged-out of Facebook.
19
24.
On September 28, 2011, U.S. Representative Edward Markey and U.S.
20 Representative Joe Barton, Co-Chairmen of the Congressional Bi-Partisan Privacy Caucus,
21 submitted a joint letter to the Chairman of the Federal Trade Commission stating, “[I]n this
22 instance, Facebook has admitted to collecting information about its users even after its users had
23 logged out of Facebook.”
24
25.
Neither Facebook users nor the third-party websites have given consent or
25 otherwise authorized Facebook to intercept, acquire, store and track users’ electronic
26 communications while not logged-in to Facebook.
27 / / /
28 / / /
6
CORRECTED FIRST AMENDED
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1
26.
Facebook has made inconsistent public statements regarding the reason for its post
2 log-out tracking, despite its admission that such tracking occurred. For instance:
1.
Facebook first claimed that the post log out tracking of its users’ personally
identifiable information was “inadvertent” and was a “bug.” On October 4,
2011 Facebook Spokesperson Greg Stefancik commented on an online post
stating, “as we discussed last week, we are examining our cookie setting
behavior to make sure we do not inadvertently receive data that could be
associated with a specific person not logged into Facebook.” Further, in
response to Nik Cubrilovic’s blog post, Facebook responded by saying,
“What you see in your browser is largely typical, except a_user which is
less common and should be cleared upon logout (it is set on some photo
upload pages). There is a bug where a_user was not cleared on log out. We
will be fixing that today.”
2.
3
Facebook then publicly stated that it uses post log-out tracking of specific
personally identifiable information for safety purposes only. In a USA
Today article, Facebook engineering director Arturo Bejar claimed that
Facebook uses such data only to boost security and improve how ‘Like’
buttons and similar Facebook plug-ins perform.1
4
5
6
7
8
9
10
11
12
13
27.
14
The German Hamburg Commissioner for Data Protection and Freedom of
15 Information conducted a full investigation into Facebook’s tracking of users post log-out.
16 Facebook told the Hamburg Commissioner that it “needs” users to be identifiable after log-out for
17 security purposes, but the Hamburg Commissioner was unconvinced.
The Hamburg
18 Commissioner issued a press release regarding their investigation, which stated:
19
Facebook’s argument that all users need to be identifiable even once
they have logged out of Facebook in order to guarantee the security
of the service is untenable within this context. The fact that the
installation of cookies in reality only permits the collection of the
user’s personal data required to use the service seems extremely
questionable. The results of the investigation raised the suspicion
that
Facebook
is
creating
user
tracking
profiles.
20
21
22
23
28.
24
Additionally, a patent application assigned to Facebook, which the U.S. Patent &
25 Trademark Office recently published, indicates that Facebook is not only aware that its cookies
26 persist after logout, but that it deliberately designed them to function in that manner.
27
1
See Byron Acohido, "How Facebook tracks you across the Web," USA Today, November 16,
28 2011.
CORRECTED FIRST AMENDED
7
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1
29.
Specifically, on February 8, 2011, three individuals, Kent Matthew Schoen,
2 Gregory Luc Dingle and Timothy Kendall, filed a patent application entitled, “Communicating
3 Information in a Social Network System about Activities from Another Domain.”2 As the first
4 claim in the Patent Application explains, the applicants were seeking to patent:
5
1. A method for tracking information about the activities of users
of a social networking system while on another domain, the
method comprising: maintaining a profile for each of one or
more users of the social networking system…; receiving one or
more communications from a third-party website having a
different domain than the social network system, each message
communicating an action taken by a user of the social
networking system on the third-party website; logging the
actions taken on the third-party website in the social networking
system…; and correlating the logged actions with one or more
advertisements presented to one or more users.
6
7
8
9
10
11
12
13 Patent Application at 2.
30.
14
The detailed description of this tracking method reveals that it enables Facebook to
15 capture and log actions taken by Facebook users on websites other than Facebook, even when the
16 user is not logged in:
17
[0054] As described above, in particular embodiments, the social
network system 100 also logs actions that a user takes on a third
party website 140. The social network system 100 may learn of the
user’s actions on the third party website via any of a number of
methods. In particular embodiment, in response to certain actions
such as, a user registering with a third-party website 140, purchasing
a product from a third-party website 140, downloading a service
from a third-party website 140, or otherwise making a conversion,
the third-party website 140 transmits a conversion page, such as a
confirmation or “thank you” page to the user at the user’s client
device. In particular embodiment, this page includes an embedded
call or code segment (e.g., JavaScript) in the HTML or other
structured document code (e.g., in an HREF(Hypertext REFerence)
that, in particular embodiments, generates a tracking pixel that,
when executed by the client’s browser or other rendering
application, generates a tracking pixel or image tag that is then
18
19
20
21
22
23
24
25
26
27
2
See U.S. Patent Application No. 20110231240, filed February 8, 2011 and published September
28 22, 2011 (the “Patent Application”) at 1.
CORRECTED FIRST AMENDED
8
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
transmitted to the social network system (whether the user is logged
into the social network system or not). The tracking pixel or image
tag then communicates various information to the social network
system about the user’s action on the third-party website. By way of
example, the tracking pixel or call may transmit parameters such as
the user’s ID (user ID as registered with the social network system),
a product ID, information about the third-website, timestamp
information about the timing of the purchase or other action, etc. In
one example, if the third party website 140 is a commercial website
on which users may purchase items, the third party website 140 may
inform the social network system 100 in this manner when a user of
the social network system 100 buys an item on the third party
website140.
1
2
3
4
5
6
7
8
9 Patent Application at 5.
10
11
31.
Further, in certain circumstances, Facebook has to actively bypass data protection
12 software to do this: Facebook deposits a cookie that deliberately and without a user’s consent
13 bypasses security settings on the user’s browser for the purpose of gathering intelligence as to
14 what the user does on the internet in real time, such as what sites are visited, whether purchases
15 are made, or whether information is downloaded or a link forwarded to a friend. This information
16 is then instantly relayed back to Facebook, substantially enhancing the value of Facebook’s vast
17 repository of personal data to third parties, namely advertisers. This is all done whether the
18 Facebook user is logged onto the social networking site or logged off.
19
20
21
22
23
24
25
26
27
28
32.
Technically, this is how the Patent Application describes the bypass:
[0099] In one embodiment, the third party website 140 and/or the
social network system 100 determine whether the user is a user of
the social network system 100. For example, the third party website
140 may access a cookie on the user’s computer, where the cookie is
associated with the social network system 100. Since the social
network system 100 and the third party website 140 are on different
domains, the user’s browser program may include security features
that normally prevent a website from one domain from accessing
content on other domains. To avoid this, the third party website 140
may use nested iframes, where the third party website 140 serves a
web page that includes a nested iframe in the social network
website’s domain, thereby allowing the nested iframe to access the
user information and send the information back to the third party
website 140. Repeated nesting of iframes further allows the social
CORRECTED FIRST AMENDED
9
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
networking site 100 to communicate information back to the third
party website 140. By using this technique, the third party website
140 and the social network system 100 can communicate about the
user without sharing any of the user’s personal information and
without requiring the user to log into the social network system 100.
1
2
3
4
5 Patent Application 10-11.
6
33.
Although Facebook’s name does not appear in the Patent Application, it is listed in
7 the U.S. Patent & Trademark Office database as assigned to Facebook. Tellingly, one of the three
8 individual applicants, Timothy Kendall, is not an inventor or a computer scientist at all. Rather,
9 Mr. Kendall is the Director of Monetization at Facebook. According to his LinkedIn profile, Mr.
10 Kendall’s job at Facebook is “Product Strategy & Development for Facebook’s revenue
11 generating products.” Essentially, he figures out new and better ways to sell user information to
12 advertisers.
13
34.
In a November 10, 2011 letter, U.S. Representatives Markey and Barton stated,
14 “This patent application raises a number of questions about whether Facebook tracks its
15 subscribers on websites other than Facebook, regardless of login status, or has plans to do
16 so…Experts who have reviewed Publication #20110231240 agree that the patent contemplates
17 tracking users on other websites. The patent also includes sending targeted advertisements to users
18 based on information gleaned from such tracking.”
19
35.
On December 21, 2011, Facebook responded to U.S. Representatives Markey and
20 Barton’s letter with their own 6-page letter. This letter talked extensively about how their current
21 business operation did not track users while the user was logged-off, but did not discuss their
22 previous tracking systems.
23
36.
In a press release by U.S. Representative Markey’s office dated January 9, 2012,
24 the Congressman stated, “Lawmakers are unsatisfied with responses of social networking site to
25 queries about recent patent application that suggests tracking of users on other websites, using
26 information to target advertisements…the main questions of whether Facebook has considered
27 using third-party tracking data to build user profiles or employs user-provided data to target
28 advertising remain unanswered from the company’s response to our letter.”
CORRECTED FIRST AMENDED
10
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1
37.
The press release also states, “Additionally in its response to us, Facebook states
2 that it uses consumer-provided data for ‘internal operations, including data analysis, research,
3 development, and service improvement’ yet provides no description of what these activities entail
4 or how they affect consumer privacy… Facebook seems to be saying one thing and doing
5 another…In the company’s response, it talks a lot about how they don’t currently ‘track’ users
6 online, but they just asked for a patent that would allow them to do just that. Why ask for
7 something you don’t ever plan on using?”
8 II.
HOW FACEBOOK TRACKS ITS MEMBERS’ INTERNET USE
9
A.
How Cookies Are Installed On Users’ Computers
10
38.
On the Web, servers store information on users’ computers via cookies. A cookie
11 is a small text file that the server creates and sends to the browser, which stores it in a particular
12 directory on the user’s computer. Some cookies relate to the browser and others relate to specific
13 users.
14
39.
When a user contacts a web server, such as Facebook, the browser software checks
15 to see if that server has set any cookies on that client machine. If there are valid (unexpired)
16 cookies that were set by that server, then the client sends the cookies to the server.
17 Thus, cookies allow servers to store information on a browser.
18
40.
Because cookies are small text files, there is a limited amount of information that
19 can be stored in them. Typically, servers create database records on the server that correspond to
20 users, sessions, and browsers. These records are indexed by numbers, typically random, and the
21 numbers are the actual values stored in the cookies.
22
41.
Every time that a server, such as Facebook, receives a cookie, the server knows that
23 it is interacting with a client with whom it has interacted before. The server examines the cookie to
24 identify the value of a database index and uses the index value from the cookie to locate the
25 database record that corresponds to that user, session or browser, depending on the type of cookie
26 that is received. For example, a c_user cookie contains an index into a database of information
27 about a particular user who is logged into Facebook.
28 / / /
11
CORRECTED FIRST AMENDED
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1
42.
When an in
nternet user signs up for Facebook a Facebook.com, the Fa
s
r
at
acebook.com
m
2 we server imp
eb
plants a num
mber of cook onto the internet use compute The proce by which
kies
er’s
er.
ess
h
3 tha occurs is as follows:
at
a
4
43.
The user typ the URL facebook.co in the ad
pes
L
om
ddress bar of his browser
f
r.
5
44.
The browser initiates a GET reques to the Face
st
ebook server to display t webpage
r
the
e.
6 Fac
cebook creat a log file of the reque which is indexed by a number, e 12345:
tes
e
est,
s
y
e.g.
7
8
9
10
11
12
13
14
15
45.
Facebook responds by sending the content of the webpa (an HT
r
e
age
TTP response
e
ntaining an HTML page) which is th displaye on the use browser screen.
H
),
hen
ed
er’s
r
16 con
17
46.
Facebook’s response in
ncludes a “ Set-cookie” header that causes the browser to
t
e
o
ore
okie
u
ne
value 12345
5.
18 sto a datr coo on the user’s machin with the v
19
47.
The Facebook.com hom
mepage is dis
splayed with the possibility to log on or to create
h
n
e
20 an account.
21
48.
Thus, at the end of the response fro Facebook the brows has a datr cookie file
e
r
om
k,
ser
e,
d
ook
e
y
sponds to tha cookie.
at
22 and the Facebo database has an entry that corres
23 / / /
24 / / /
25 / / /
26 / / /
27 / / /
28 / / /
1
12
CORREC
CTED FIRST AMENDE
T
ED
CONSOLID
DATED CLA ACTIO
ASS
ON
COMPLAINT - No. 5:12-m
md-02314-EJ
JD
1
2
3
4
5
6
7
8
49.
ering some private infor
The user cre
eates an acc
count by ente
rmation and clicking the
d
e
ignup’ button
n.
9 ‘Si
10
50.
Clicking th button im
his
mplies that the user a
agrees to th Terms of Service of
he
f
cebook.
11 Fac
12
51.
The click initiates an HTTP requ
i
uest from th user’s br
he
rowser to th Facebook
he
k
rver. The br
rowser check the cook directory on the clie machine to see if th
ks
kie
y
ent
e
here are any
y
13 ser
okies for the Facebook.c
e
com domain and finds t datr cook that was recently se there. The
n
the
kie
s
et
e
14 coo
okie
s
g
GET request, to store the data in a log
g
15 coo with value 12345 is sent to Facebook, along with the G
e
t
e.
16 file and show the next page
17
18
19
20
21
22
23
24
52.
When Faceb
book receive this reque it uses th index 123 to link th request to
es
est,
he
345
he
o
25 the previous re
e
equest sent by the brow
b
wser, and in t
this manner Facebook can track al subsequen
r,
ll
nt
26 req
quests from the browser whenever it receives th datr cook with valu 12345. I a differen
r
i
he
kie
ue
If
nt
27 bro
owser on a different mac
d
chine used by a differen user inter
b
nt
racts with Fa
acebook, the datr cookie
e
e
28 val sent will be different As more people conn to Faceb
lue
t.
p
nect
book, the siz of the data
ze
abase grows
s,
CORREC
CTED FIRST AMENDE
T
ED
1
13
CONSOLID
DATED CLA ACTIO
ASS
ON
COMPLAINT - No. 5:12-m
md-02314-EJ
JD
1 to keep track of all of the different brow
k
d
wsers.
2
53.
The Facebo server then respond by displa
ook
t
ds
aying a new webpage: the persona
w
al
3 pro
ofile page of the new me
f
ember.
4
54.
After the user has ente
u
ered their us
sername and password a logged i the server
d
and
in,
5 cre
eates a new database entry. This new database e
d
w
entry corresp
ponds to the actual user who logs in
e
n.
6 Fac
cebook uses a different large, rand
s
t
dom numbe to index i
er
into this da
atabase entry e.g., 7890
y,
0
7 (Sm number are used here for illust
mall
rs
h
tration purpo
oses. An actual index on Facebook is around 15
5
8 dig
gits). The value 7890 is then sent in a new Set
s
i
t-Cookie hea
ader in the r
response to the browser
r.
9 The browser st
tores this in a c_user coo on the c
okie
client machin in the coo directory
ne
okie
y.
10
55.
The datr coo persists in the brow as well.
okie
s
wser
11
56.
At the end of this inte
eraction, the browser has the c_user cookie stored on the
e
e
er’s
e,
acebook ser
rver has an e
entry for tha user, inde
at
exed by the v
value of tha
at
12 use machine and the Fa
okie.
13 coo
14
15
16
17
18
19
20
21
B.
Facebook’s Tracking Of Logged-I Member
s
O
In
rs
22
57.
When a user visits another site o the intern that has any type o Facebook
on
net
s
of
k
23 con
ntent integrated into th website, the Facebo
he
ook.com se
erver is not
tified of tha electronic
at
c
24 com
mmunication That proce occurs as follows:
n.
ess
s
25
58.
The user visits anoth website by typing in a new URL (fo example
v
her
e
g
w
for
e,
26 ww
ww.cnn.com) in the brow address bar (CNN h Facebook content int
)
wser
has
k
tegrated into the site).
o
27 / / /
28 / / /
1
14
CORREC
CTED FIRST AMENDE
T
ED
CONSOLID
DATED CLA ACTIO
ASS
ON
COMPLAINT - No. 5:12-m
md-02314-EJ
JD
1
59.
The browse sends a GET request to the CNN server to display the webpage. If
er
G
t
N
2 CN had prev
NN
viously set an cookies on the brows and they were not e
ny
o
ser,
y
expired, then the browser
n
3 wo
ould send tho as well.
ose
4
5
6
7
8
9
10
11
12
13
60.
When the CNN server receives this request, it r
C
r
s
responds wit the HTML file for the
th
L
e
n.com home page. This HTML file contains in
e
e
nformation f
from third p
parties, who partner with
h
14 cnn
NN
y
n
For
e,
ees
hat
e,
15 CN to display content on the CNN home page. F example if a user se a story th they like
ey
book “Like” button, wh
”
hich is Faceb
book content embedded on the CNN
t
N
16 the can click on the Faceb
ebsite, and th story will show up in their Faceb
he
l
n
book news fe
feed. To ach
hieve this, C
CNN includes
17 we
me
H
i
L
eb
18 som special HTML code in the HTML for the we site.
19
61.
Part of the contents of the response concern Facebook L
f
Like buttons. The CNN
N
rver does not send these button imag but inst
ges,
tead sends a piece of co to the br
ode
rowser of the
e
20 ser
er:
21 use
22
23
24
25
26
27
28
1
15
CORREC
CTED FIRST AMENDE
T
ED
CONSOLID
DATED CLA ACTIO
ASS
ON
COMPLAINT - No. 5:12-m
md-02314-EJ
JD
1
62.
The browse triggered by the cod sends a request to the Facebook server to
er,
d
de,
o
2 dis
splay the Like button. The HTML code on the CNN site looks lik this: Facebook
k.
5
63.
This is a tag that cause an automa request to Facebook from the b
g
es
atic
k
browser. The
e
6 req
quest include the specifi details of web page (o story) that the user has requested.
es
fic
or
t
s
7
64.
So, as a res of the user who is logged into Facebook requesting a story from
sult
u
o
m
8 CN the user’s cookies, as well as th identity o the Web p
NN,
a
he
of
page that the user visite are sent to
e
ed
o
9 Fac
cebook.
10
65.
The request includes the information contained in the datr c
t
e
cookie.
11
66.
The request includes the information contained in the c_use cookie.
t
e
er
12
67.
When Faceb
book receive this inform
es
mation, it us the 12345 and the 7890 indices to
ses
5
o
date
base records for the brow and the user, respectively, to ad the inform
s
wser
e
dd
mation abou
ut
13 upd its datab
hich
u
,
14 wh site the user visited, in this case, CNN.
15
68.
Further, Fac
cebook actua receives this inform
ally
s
mation before the content of the user’s
e
quest shows up on the us
u
ser’s screen. It is simulta
aneous with the request.
16 req
17
69.
In a similar fashion, Fa
r
acebook can keep track of all of the partner sit that users
n
e
tes
sit.
18 vis
19
20
21
22
23
24
25
/
26
27 / / /
28 / / /
1
16
CORREC
CTED FIRST AMENDE
T
ED
CONSOLID
DATED CLA ACTIO
ASS
ON
COMPLAINT - No. 5:12-m
md-02314-EJ
JD
1
70.
The Facebo server responds by sending th content w
ook
r
y
he
which displa the Like
ays
e
2 but
tton on the browser scree of the use (in the CN website):
b
en
er
NN
:
3
4
5
6
7
8
9
10
11
C.
Facebook’s Tracking Of Logged-O Users
s
O
Out
12
71.
When a use logs out of Facebook, the Facebo
er
o
,
ook.com serv is still notified every
ver
y
13 tim that user visits a website that has Facebook c
me
v
content integ
grated into th website. That process
he
14 occ as follow
curs
ws:
15
72.
The user vi
isits another website by typing in a new URL (www.cnn
r
y
L
n.com) in the
e
16 bro
owser addres bar.
ss
17
73.
The browser sends a req
quest to the C
CNN server to display th webpage:
he
:
74.
The CNN server respo
onds by sen
nding the contents of t webpag which are
the
ge
e
18
19
20
21
22
23
24
25
splayed on th browser screen of the user.
he
26 dis
27 / / /
28 / / /
1
17
CORREC
CTED FIRST AMENDE
T
ED
CONSOLID
DATED CLA ACTIO
ASS
ON
COMPLAINT - No. 5:12-m
md-02314-EJ
JD
1
75.
Part of the contents of the CNN w page co
f
web
oncern Face
ebook Like b
buttons. The
e
2 CN server do not send these butto images, b sends a piece of cod to the br
NN
oes
d
on
but
de
rowser of the
e
3 use
er:
4
76.
5
6
7
8
9
10
11
77.
er,
d
de,
o
The browse triggered by the cod sends a request to the Facebook server to
12 dis
splay the Lik button.
ke
13
78.
The request includes information contained in cookies that contain personally
i
n
y
14 ide
entifiable inf
formation. By accessin this cook informat
ng
kie
tion stored on the user’s computer
r,
15 Fac
cebook has exceeded au
uthorized ac
ccess to the user’s comp
puter and in
ntercepted a electronic
an
c
16 com
mmunication because that cookie inf
n
formation w supposed to have bee deleted up log out.
was
d
en
pon
17
79.
Facebook creates a log entry of t request including th informati from the
c
g
the
he
ion
e
18 coo
okies that co
ontain person
nally identifi
iable inform
mation.
19
80.
Facebook ac
ctually recei
ives this info
ormation bef
fore the cont
tent of the u
user’s reques
st
20 sho up on th user’s scre It is sim
ows
he
een.
multaneous w the requ
with
uest.
21
81.
The Facebo server responds by sending th content w
ook
r
y
he
which displa the Like
ays
e
22 but
tton on the browser scree of the use
b
en
er.
23 / / /
24 / / /
25 / / /
26 / / /
27 / / /
28 / / /
1
18
CORREC
CTED FIRST AMENDE
T
ED
CONSOLID
DATED CLA ACTIO
ASS
ON
COMPLAINT - No. 5:12-m
md-02314-EJ
JD
1
2
3
4
5
6
7
82.
Facebook’s receipt of a copy of th user’s req
he
quest to the CNN server along with
r,
h
8 the cookie info
e
ormation, is an intercep
s
ption of the contents of an electron commun
f
nic
nication. By
y
9 obt
taining a du
uplicate copy of the use commun
y
er’s
nication with the websit Facebook obtains, in
h
te,
k
n
10 rea time, the content of th datr track
al
c
he
king cookie and other p
persistent cookies, the d
details of tha
at
11 com
mmunication (which dis
n
scloses what content ex
t
xactly the us requested and consti
ser
d
itutes a URL
L
12 req
quest), along with the da time and web addres of the webpages click on, the i
g
ate,
d
ss
ked
identification
n
13 of the content accessed on each page, and the cha
n
aracteristics of the user’ PC, mobi computer
’s
ile
r,
14 cel phone and browser, su as the IP address, u
ll
d
uch
I
universal de
evice identifi (“UDID” on mobile
fier
”)
e
15 dev
vices , scree resolution operating system and browser ve
en
n,
d
ersion. All of this occu while the
urs
e
16 use is logged off of Facebook, contrar to Facebo ok’s govern
er
o
ry
ning policies.
.
17
83.
Moreover, Facebook ea
F
asily tracked logged out users with its datr trac
d
t
h
cking cookie
e
18 alo without the need for an addition Faceboo cookie co
one,
r
nal
ok
ontaining a F
Facebook user ID. From
m
19 the first time a Facebook user logs into Facebo and the datr tracking cookie i set on his
e
k
ook
is
20 ma
achine, all of that user’s browsing to Facebook partner si
o
k
ites using th browser is linked by
hat
y
21 Fac
cebook back to that use because th datr track
k
er
he
king cookie contains a u
unique numb which is
ber,
22 also unique to that particu user’s browser and his specif computer or mobile device, tha
o
ular
b
d
fic
r
at
23 ind
dexes into th Facebook database which tracks users and b
he
k
w
browser sess
sions both o computers
on
24 and mobile dev
d
vices such as Android ce phones, iP
s
ell
Phones, iPad and the iP Touch.
ds
Pod
25
84.
Every time a user visits such a part
s
tner site, the datr trackin cookie wi its unique
ng
ith
e
26 num
mber is sent to Faceboo along wit a duplica of the sam informat
t
ok
th
ate
me
tion as desc
cribed above
e.
27 Thu in violat
us,
tion of the federal and California sta laws enu
fe
C
ate
umerated be
elow, Facebo used this
ook
28 inf
formation to track users after they log
a
gged out of F
Facebook.
1
19
CORREC
CTED FIRST AMENDE
T
ED
CONSOLID
DATED CLA ACTIO
ASS
ON
COMPLAINT - No. 5:12-m
md-02314-EJ
JD
1 III.
FACEBOOK’S HISTORY AND PATTERN OF DISREGARD FOR THE PRIVACY
RIGHTS OF ITS MEMBERS
2
3
85.
Facebook has had a long history of disregard for the privacy rights of its members,
4 including, but not limited to, the following:
5
1.
May 2004: Zuckerberg hacked the personal email accounts of editors of the
Harvard newspaper, utilizing private login information entered by users on
Facebook’s site;
2.
Summer 2004: Zuckerberg hacked into a rival company’s (ConnectU)
networking site, purportedly for the purpose of disrupting the functionality
of the program;
3.
September 8, 2006: Zuckerberg acknwledges in a blog entry that “We really
messed this one up. When we launched News Feed and Mini-Feed we were
trying to provide you with a stream of information about your social world.
Instead we did a bad job of explaining what the new features were and an
even worse job of giving you control of them. I’d like to correct those errors
now;”
4.
August 2007: Configuration problem on Facebook’s server allowed code to
be displayed which put in doubt the privacy of Facebook users’ personal
information. Facebook responded, “A small fraction of the code that
displays Facebook web pages was exposed to a small number of users due
to a single misconfigured web server that was fixed immediately;”
5.
November 2007: Blog post by Security Engineer at CA, Inc. claimed that
Facebook Beacon was collecting data from affiliate sites even when users
opted out and even when not logged into the site. There were concerns over
Facebook utilizing this data and Facebook responded, “Facebook does not
associate the information with any individual user account, and deletes the
data as well;”
6.
February 2008: Concerns arose that even when users close an account,
Facebook could retain the information indefinitely. Facebook did not fix
this problem until 2010;
7.
May 2008: 35 page complaint by Canadian Internet Policy and Public
Interest Clinic (CIPPIC) citing 22 breaches of Canadian law;
8.
September 2009: Settlement of lawsuit over Beacon (shutting down the
program);
9.
December 2009: EPIC files lawsuit against Facebook regarding terms of
service;
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
20
CORRECTED FIRST AMENDED
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
10.
December 2009: FTC complaint against Facebook regarding the change to
its privacy policies;
11.
May 2010: “Quit Facebook Day” was a day set up where users would quit
Facebook due to privacy concerns. 33,000 users quit that day;
12.
December 2010: As of this date, 1,136 complaints had been filed with the
Better Business Bureau;
13.
August 2011: As of this date, 16 complaints had been filed against
Facebook by the privacy rights advocacy group, Europe v. Facebook;
14.
September 2011: Nik Cubrilovic discovers Facebook’s post log-out
tracking;
15.
November 2011: FTC settles complaint over Facebook Privacy issues by
requiring extensive oversight. Zuckerberg responded, “I’m the first to admit
that we’ve made a bunch of mistakes;” and
16.
1
February 2012: Facebook was caught with the ability to read any text
message sent over mobile phones and tablets which had downloaded its
mobile app. Facebook responded that it uses this data for research and had
only taken the texting inboxes of a handful of users.
2
3
4
5
6
7
8
9
10
11
12
13
14
15 IV.
16
17
FACEBOOK INTENTIONALLY CIRCUMVENTED WEB BROWSING PRIVACY
P3P CODE IN ORDER TO TRACK USERS
86.
The Platform for Privacy Preferences (P3P) is a standard format for computer-
18 readable privacy policies, which the World Wide Web Consortium (W3C) published in 2002. The
19 standard includes a P3P full policy format and a P3P “compact policy” (“CP”) format. The
20 compact policy format is designed to be a shorter version of a full P3P policy that encodes in a
21 computer-readable format only the parts of a privacy policy that relate to cookies. Use of a
22 compact policy is optional for websites that use P3P full policies. However, according to the P3P
23 working group, “if a web site makes compact policy statements it MUST make these statements in
24 good faith.”3
25
87.
The compact policy is designed to be transmitted in an HTTP header that also
26 contains an HTTP cookie. It takes the form: CP = “POLICY” where POLICY is a series of three27
3
W3C. The Platform for Privacy Preferences 1.1. http://www.w3.org/TR/P3P11/, November
28 2006.
CORRECTED FIRST AMENDED
21
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1 and four-letter tokens associated with P3P policy elements as defined in the P3P 1.0
2 Specification.4 Valid compact policies must have at least five of these elements. For example,
3 the following is a valid P3P compact policy:
4
CP = “NOI NID ADMa OUR IND UNI COM NAV”
5
88.
The P3P specification states “If an unrecognized token appears in a compact policy,
6 the compact policy has the same semantics as if that token was not present.”5 This means that
7 web browsers should ignore any tokens that appear in a P3P compact policy that are not defined in
8 the P3P specification.
9
89.
Microsoft introduced support for P3P in the Internet Explorer 6 web browser in
10 2002; and Microsoft included functionally identical implementations of P3P in its subsequent
11 Internet Explorer 7, 8, and 9 web browsers (hereinafter, Internet Explorer versions 6-9 are all
12 called “IE”). By default, without users taking any action to change configuration settings, IE is set
13 to the “Medium” privacy setting. Users can view and change their privacy settings using the IE
14 “Internet Options” panel. The panel describes the Medium setting as follows:
15
-
Blocks third-party cookies that do not have a compact privacy policy
16
-
Blocks third-party cookies that use personally identifiable information without your
17
implicit consent
18
-
Restricts first-party cookies that use personally identifiable information without
19
implicit consent
20
90.
21
Microsoft documentation states, “For most users, Internet Explorer 6 default
6
22 privacy settings provides enough privacy protection without disrupting the browsing process.”
23
91.
Behind the scenes, IE checks for a P3P compact policy header whenever a website
24 sends a cookie in an HTTP response. If IE finds a third-party cookie that is not accompanied by a
25
26
27
4
W3C. The Platform for Privacy Preference 1.0 (P3P1.0) Specification, W3C Recommendation
16 April 2002, http://www.w3.org/TR/P3P/.
5
6
P3P1.0 at Section 4.2.
MSDN Library. How to Create a Customized Privacy Import File. 2002.
28 http://msdn.microsoft.com/en-us/library/ms537344.
CORRECTED FIRST AMENDED
22
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1 compact policy, IE blocks that cookie. If IE finds a first-party cookie that is not accompanied by a
2 compact policy, it “leashes” that cookie and prevents that cookie from being transmitted in a third3 party context. If IE finds an accompanying compact policy, it evaluates that compact policy, and
4 blocks the cookie if the compact policy is found to be “unsatisfactory.” If IE finds a first-party
5 cookie that is accompanied by a compact policy, it evaluates that compact policy and turns the
6 cookie into a session cookie if the compact policy is found to be unsatisfactory. IE considers a
7 cookie to be unsatisfactory if the corresponding compact policy indicates that the cookie is used to
8 collect personally identifiable information and does not allow users a choice in its use.7
9
92.
By blocking cookies on the basis of their P3P compact policies, as described above,
10 the IE default privacy settings allow users “to enjoy the benefits of cookies, while protecting
11 themselves from unsatisfactory cookies.”8
12
93.
IE treats the representations made in compact policies as truthful statements. The
13 software makes no attempt to verify the accuracy of the information in a compact policy. If a
14 website with an unsatisfactory privacy policy were to make an untruthful statement and
15 misrepresent its policy as a satisfactory one, it could trick IE into allowing its third-party cookie to
16 be set when it would otherwise be blocked.
17
94.
Websites can also trick IE into allowing their third-party cookies to be set without
18 making untruthful statements. Because of the way Microsoft implemented the P3P compact
19 policy feature, websites can trick IE by simply leaving out any compact policy tokens that would
20 lead IE6 to classify the compact policy as unsatisfactory. In fact, an invalid compact policy that
21 contains only a made-up word is classified by IE as satisfactory.
22
95.
On September 10, 2010, researchers at Carnegie Mellon University published a
23 technical report titled “Token Attempt: The Misrepresentation of Website Privacy Policies through
24 the Misuse of P3P Compact Policy Tokens.”9 This report described a research study in which the
25
7
26
Privacy in Microsoft Internet Explorer 6. October 2001. http://msdn.microsoft.com/enus/library/ms537343
27
8
Privacy in Microsoft Internet Explorer 6.
28
9
http://www.cylab.cmu.edu/research/techreports/2010/tr_cylab10014.html.
CORRECTED FIRST AMENDED
23
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1 authors collected compact policies from 33,139 websites and used automated tools to check them
2 for errors. The authors found errors in 11,176 compact policies on 4,696 domains, including 11 of
3 the 50 most-visited websites.
4
96.
The study reported that the most popular website to have a compact policy error
5 was Facebook. The study reported that the Facebook compact policy at the time included only the
6 tokens DSP and LAW, indicating that the Facebook privacy policy references a law that may
7 determine remedies for breaches of their privacy policy and that there are ways to resolve privacy8 related disputes. However, the Facebook compact policy was invalid because it did not include
9 required tokens to disclose the categories of data associated with cookies, how they are used, who
10 will receive the collected data, the data retention policy, and the policy on providing data access.
11
97.
The report also stated, “When doing preliminary work for this study in 2009, the
12 facebook.com compact policy contained only the single invalid token HONK... [T]hese CPs are
13 useless for communicating with user agents and users. It is likely that facebook.com is using their
14 CP to avoid being blocked by IE.”
15
98.
On September 16, 2010, Ryan McGeehan, a Security Incident Response Manager
16 at Facebook emailed Dr. Lorrie Cranor, one of the authors of the report. He explained that he had
17 seen the report and was trying to determine how to accurately represent Facebook’s privacy policy
18 in a P3P compact policy and “still enable functionality such as the like button.”
19
99.
On September 17, 2010, the New York Times Bits blog reported on the Carnegie
20 Mellon study. The article included a comment from a Facebook spokesman:10
A Facebook spokesman said in an e-mailed statement: “We’re committed to providing
clear and transparent policies, as well as comprehensive access to those policies. We’re
looking into the paper’s findings to see what, if any, changes we can make.” Ben Maurer, a
software engineer at Facebook, said that the site used only two codes instead of five
because current compact-policy codes do not “allow a rich enough description to
accurately represent our privacy policy.” Mr. Maurer said he did not know the history of
how “HONK” made it into a compact policy.
21
22
23
24
25
100.
26
CP=“Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p”
27
28
Shortly thereafter, Facebook changed its compact policy to:
10
http://bits.blogs.nytimes.com/2010/09/17/a-loophole-big-enough-for-a-cookie-to-fit-through/
CORRECTED FIRST AMENDED
24
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1
101.
Facebook’s new compact policy still tricks IE into allowing Facebook’s cookies.
2 Although the body of Facebook’s compact policy is an English-language statement, readable to
3 humans, that indicates that Facebook does not actually have a P3P policy; compact policies are
4 designed to be read by computers, not humans. The IE web browser does not have the ability to
5 glean meaning from this English-language statement. All IE does is scan the words within this
6 statement to see whether any of them are on its list of unsatisfactory P3P tokens. Since none of
7 these words are unsatisfactory P3P tokens, IE is tricked into classifying the policy as satisfactory
8 and allows the Facebook cookie.
9
102.
By tricking IE with an intentionally invalid compact policy, Facebook was able to
10 ensure that IE would improperly transmit a Facebook cookie back to Facebook when users visited
11 non-Facebook web sites that had Facebook like buttons or other embedded Facebook features.
12 V.
PLAINTIFFS’ SPECIFIC FACTUAL ALLEGATIONS
13
103.
Plaintiff Davis is a Facebook user and during the Class Period had an active
14 Facebook account. Plaintiff Davis, using the same computer on which Facebook installed tracking
15 and session cookies, visited websites with Facebook-integrated content after logging out of her
16 Facebook account. Contrary to its policies, Facebook intercepted Plaintiff Davis’ electronic
17 communications and tracked her internet use post-logout. Plaintiff did not consent to post-logout
18 tracking.
19
104.
Plaintiff Quinn is a Facebook user and during the Class Period had an active
20 Facebook account.
Plaintiff Quinn, using the same computer on which Facebook installed
21 tracking and session cookies, visited websites with Facebook integrated content after logging out
22 of her Facebook account.
Contrary to its policies, Facebook intercepted Plaintiff Quinn’s
23 electronic communications and tracked her internet use post-logout. Plaintiff did not consent to
24 post-logout tracking.
25
105.
Plaintiff Lentz is a Facebook user and during the Class Period had an active
26 Facebook account. Plaintiff Lentz, using the same computer on which Facebook installed tracking
27 and session cookies, visited websites with Facebook integrated content after logging out of his
28 Facebook account. Contrary to its policies, Facebook intercepted Plaintiff Lentz’s electronic
CORRECTED FIRST AMENDED
25
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1 communications and tracked his internet use post-logout. Plaintiff did not consent to post-logout
2 tracking.
3
106.
Plaintiff Vickery is a Facebook user and during the Class Period had an active
4 Facebook account. Plaintiff Vickery, using the same computer on which Facebook installed
5 tracking and session cookies, visited websites with Facebook integrated content after logging out
6 of his Facebook account.
Contrary to its policies, Facebook intercepted Plaintiff Vickery’s
7 electronic communications and tracked his internet use post-logout. Plaintiff did not consent to
8 post-logout tracking.
9
107.
The Wiretap Act, as discussed in more detail below, provides statutory damages of
10 the greater of $100 per violation per day, up to $10,000, per Facebook user.
11
108.
Plaintiffs are thus each entitled to the greater of $100 of statutory damages per day
12 (corresponding to $15 billion for the Class), or $10,000 each for the ongoing violations during the
13 class period (corresponding to $1.5 trillion for the Class).
14
15
109.
Plaintiff Davis, through counsel, also retained a computer and computer law expert
16 to advise her and counsel on the nature of Facebook’s violations, the technologies and remedies.
17 The expert was paid a retainer of $7,500.
18
110.
The Computer Fraud and Abuse Act, as discussed in more detail below, statutorily
19 provides for reimbursement of out-of-pocket costs incurred as a result of Defendant’s violations of
20 the Act if such costs exceed $5,000. Plaintiff Davis is thus entitled to reimbursement of these
21 damages as are any other Class Members who incurred out-of-pocket costs as a result of
22 Defendant’s violations.
23 VI.
THEFT OF PERSONALLY IDENTIFIABLE INFORMATION
24
111.
Facebook admits that users must “provide their name, age, gender, and a valid
25 email address, and agree to Facebook’s terms of service.”
26
112.
Although Facebook members are not required to transmit cash to Facebook, the
27 personal information Facebook requires has massive economic value. More importantly, Facebook
28 conditioned membership upon the user accepting numerous Facebook cookies, which track
CORRECTED FIRST AMENDED
26
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1 browsing history, on the user’s computer. This browsing history has even greater economic value.
2
113.
The value of the information that users are required to provide to Facebook is well
3 understood in the e-commerce industry, and personal information is now viewed as a form of
4 currency.
5
114.
6
Professor Paul M. Schwartz noted in the Harvard Law Review:
Personal information is an important currency in the new
millennium. The monetary value of personal data is large and still
growing, and corporate America is moving quickly to profit from
the trend. Companies view this information as a corporate asset and
have invested heavily in software that facilitates the collection of
consumer information.
7
8
9
10 Paul M. Schwartz, Property, Privacy and Personal Data, 117 HARV. L. REV. 2055, 2056-57
11 (2004). Professor Schwartz wrote those words in the same year Facebook was launched.
12
115.
Likewise, in the Wall Street Journal, privacy expert and fellow at the Open Society
13 Institute Christopher Soghoian noted:
14
The dirty secret of the Web is that the “free” content and services
that consumers enjoy come with a hidden price: their own private
data. Many of the major online advertising companies are not
interested in the data that we knowingly and willingly share. Instead,
these parasitic firms covertly track our web-browsing activities,
search behavior and geolocation information. Once collected, this
mountain of data is analyzed to build digital dossiers on millions of
consumers, in some cases identifying us by name, gender, age as
well as the medical conditions and political issues we have
researched online.
15
16
17
18
19
20
Although we now regularly trade our most private information for
access to social-networking sites and free content, the terms of this
exchange were never clearly communicated to consumers.
21
22
23 Julia Angwin, How Much Should People Worry About the Loss of Online Privacy?, THE WALL
24 STREET JOURNAL (Nov. 15, 2011).
25
116.
The cash value of users’ personal information provided to Facebook as a condition
26 of membership can be quantified. For example, in a recent study authored by Tim Morey
27 (“What’s Your Personal Data Worth? http://designmind.frogdesign.com/blog/what039s-your28 personal-data-worth.html, Jan. 18, 2011), researchers studied the value that 180 internet users
CORRECTED FIRST AMENDED
27
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1 placed on keeping personal data secure. The results were striking. Contact information of the sort
2 that that Facebook requires was valued by the study participants at approximately $4.20 per year.
3 Demographic information was valued at approximately $3.00 per year. Web browsing histories
4 were valued at a much higher rate: $52.00 per year. The chart below summarizes the findings:
5
6
7
8
9
10
11
12
13
14
15
16
17 Across Facebook’s approximately 800 million users, these figures imply aggregate annual
18 membership fees of $3.36 billion, $2.4 billion, and $41.6 billion, respectively, for each category of
19 information.
20
117.
Similarly, the value of personal data and internet browsing history can be
21 quantified, because at least two internet giants are willing to pay users for the exact type of data
22 that Facebook illegally intercepted from Plaintiffs and other members of the Class.
23
118.
For example, Google Inc. now has a panel called “Google Screenwise Trends”
24 which, according to the internet giant, is designed “to learn more about how everyday people use
25 the Intenet.”
26
119.
Upon becoming a panelist, internet users add a browser extension that will share
27 with Google the sites that users visit and how the panelist uses them. The panelist consents to
28 Google tracking this information for three months in exchange for one of a number of “gifts,”
CORRECTED FIRST AMENDED
28
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1 including gift cards to retailers such as Barnes & Noble, Walmart and Overstock.com.
2
120.
After three months, Google also agrees to pay panelists additional unspecified gifts
3 “for staying with” the panel.
4
121.
These gift cards, mostly valued at exactly $5, demonstrate conclusively that
5 internet industry participants now generally understand the enormous value in internet users’
6 browsing habits. Indeed, Facebook’s advertising revenues for 2011 roughly approximate $5 per
7 user over its international user base of 800 million members, demonstrating that the industry is
8 starting to settle on a rough consensus as to the value of the information harvested by Facebook.
9
122.
Moreover, active markets exist all over the world for this type of data.
For
10 instance, a company in the United Kingdom, Allow Ltd., has created a business model based on
11 the value of personally identifiable information. When a customer signs up for Allow ltd., the
12 company sends a letter on behalf of their new client to the top companies in the United Kingdom
13 that harvest personal data demanding that those companies immediately stop using the client’s
14 personally identifiable data.
15
123.
Because that data is not readily available, it becomes highly coveted by advertisers,
16 and thus, applying basic economic principles, its value as a commodity increases in the market. In
17 contrast, the more accessible the user’s data, the less valuable it becomes on the open market.
18
124.
United States data markets work the same way. The more a person’s personally
19 identifiable data is used, the less money someone will pay for it. Consequently, an individual’s
20 personally identifiable data diminishes in value each time that data is intercepted and then sold to
21 advertisers, data aggregators and other third parties without the individual’s consent.
22
125.
In the instant case, Facebook intentionally intercepted Plaintiffs’ personally
23 identifiable data without consent. Thus, in addition to the concrete and quantifiable damages
24 described above, Plaintiffs have also suffered damages as a result of the decreased value of their
25 data in the marketplace.
26 VII.
ADDITIONAL CONSEQUENTIAL DAMAGES
27
126.
Plaintiff Davis signed up for a service called “Privacy Watch” from Abine, an
28 online privacy company.
29
CORRECTED FIRST AMENDED
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1
127.
Privacy Watch is an email alert service specifically targeted at Facebook.
2 Subcribers receive alerts when Facebook changes its Data Use Policy or makes changes to privacy
3 controls and provides expert assistance for Facebook users looking to protect their privacy.
4
128.
The Privacy Watch service costs $1.99 per month, or approximately $24 per year.
5
129.
Plaintiff Davis subscribed to the service and incurred this expense as a direct result
6 of Facebook’s failure during the Class Period to abide by its privacy policies.
7 VIII. FACEBOOK TRACKED ITS MEMBERS’ POST-LOGOUT INTERNET USE
INTENTIONALLY
8
9
130.
As set forth in detail herein, Facebook’s intentional interception of members’
10 electronic communications, including their internet browsing activity, coupled with their
11 personally identifiable data, without consent, even after logging out of Facebook, is evidenced by
12 the following:
13
(1)
14
15
Facebook’s Patent Application, which demonstrates that Facebook
employed technology specifically designed to track users while logged out;
(2)
16
Facebook’s contradictory responses to regulators, including claims that the
persistence of certain cookies post-log-out was both a “bug” and that
17
Facebook “needs” personally identifiable information after log-out in order
18
to guarantee security;
19
20
(3)
The report issued by German authorities, explaining that Facebook’s
21
alleged reasons for “needing” personal information after log-out were
22
“untenable”;
23
24
(4)
Facebook’s pervasive violations of individual privacy;
(5)
The use of different cookies to track users prior to and post log-out, in
25
addition to cookies that track non-Facebook members;
26
27
28
(6)
Facebook’s knowledge of the tracking issue at least a year prior to its
admission that it needed to correct this “bug” based on the findings of Nic
CORRECTED FIRST AMENDED
30
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1
Cubrilovic, who repeatedly contacted the Company, but received no
2
response until he posted the information on his blog; and
3
(7)
Facebook’s use of the P3P tracking cookie.
4
CLASS ACTION ALLEGATIONS
5
6
131.
This is a class action pursuant to Rules 23(a) and (b)(3) of the Federal Rules of
7 Civil Procedure on behalf of a Class of all persons who had active Facebook accounts and used
8 Facebook between May 27, 2010 and September 26, 2011, both dates inclusive, and whose
9 privacy Facebook violated. Excluded from the Class are Facebook, and its officers, directors,
10 employees, affiliates, legal representatives, predecessors, successors and assigns, and any entity in
11 which any of them have a controlling interest.
12
132.
The members of the Class are so numerous that joinder of all members is
13 impracticable.
14
133.
Common questions of law and fact exist as to all members of the Class and
15 predominate over any questions affecting solely individual members of the Class. The questions
16 of law and fact common to the Class include whether Facebook violated state and federal laws by
17 tracking Internet use and intercepting the communication of its users after the users had logged off
18 of Facebook.
19
134.
Plaintiffs’ claims are typical of the claims of other Class members, as all members
20 of the Class were similarly affected by Facebook’s wrongful conduct in violation of federal law as
21 complained of herein.
22
135.
Plaintiffs will fairly and adequately protect the interests of the members of the
23 Class and have retained counsel that is competent and experienced in class action litigation.
24 Plaintiffs have no interest that is in conflict with, or otherwise antagonistic to the interests of the
25 other Class members.
26
136.
A class action is superior to all other available methods for the fair and efficient
27 adjudication of this controversy since joinder of all members is impracticable. Furthermore, as the
28 damages individual Class members have suffered may be relatively small, the expense and burden
CORRECTED FIRST AMENDED
31
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1 of individual litigation make it impossible for members of the Class to individually redress the
2 wrongs done to them. There will be no difficulty in management of this action as a class action.
3
COUNT I
4
VIOLATION OF THE FEDERAL WIRETAP ACT, 18 U.S.C. § 2510, et. seq.
5
137.
Plaintiffs incorporate the above allegations by reference as if set forth more fully
138.
The Federal Wiretap Act, as amended by the Electronic Communications Privacy
6 herein.
7
8 Act of 1986, prohibits the intentional interception of any wire, oral, or electronic communication.
9
139.
18 U.S.C. § 2520(a) provides a private right of action to any person whose wire,
10 oral or electronic communication is intercepted.
11
140.
Facebook intercepted the contents of Plaintiffs’ and Class Members’ electronic
12 communications even after such users had logged out of Facebook, contrary to its governing
13 policies and without the consent of its users.
14
141.
Neither the Plaintiffs nor members of the Class were aware that Facebook was
15 violating its own privacy policy, intercepting its users’ electronic communications and tracking
16 their detailed web browsing habits after users logged out of Facebook.
17
142.
By duplicating its users’ communications with websites that use Facebook content
18 (the users’ URL requests for information) and associating it with cookies and other data, Facebook
19 used technology to acquire the contents of those electronic communications within the meaning of
20 the Wiretap Act.
21
143.
Facebook intentionally made copies of such detailed website requests and
22 personally identifiable information using a device on users’ computers, its web servers and
23 technology, and thus intentionally intercepted the electronic communications of its users.
24
144.
Plaintiffs and Class Members are persons whose electronic communications were
25 intercepted within the meaning of Section 2520.
26
145.
Section 2520 provides for preliminary, equitable and declaratory relief, in addition
27 to statutory damages of the greater of $10,000 or $100 a day for each day of violation or actual
28 damages, punitive damages in appropriate cases, reasonable attorneys’ fees, and other litigation
CORRECTED FIRST AMENDED
32
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1 costs reasonably incurred.
2
COUNT II
3
VIOLATION OF THE STORED
COMMUNICATIONS ACT, 18 U.S.C. § 2701, et. seq.
4
5
146.
Plaintiffs incorporate the above allegations by reference as if set forth more fully
147.
The Stored Communications Act (“SCA”) provides a cause of action against a
6 herein.
7
8 person who intentionally accesses without authorization a facility through which an electronic
9 communication service is provided, or who intentionally exceeds an authorization to access that
10 facility, and thereby obtains, alters or prevents authorized access to a wire or electronic
11 communication while it is in electronic storage in such a system.
12
148.
The statute defines “Electronic Storage” as “any temporary, intermediate storage of
13 a wire or electronic communication incidental to the electronic transmission thereof; and any
14 storage of such communication by an electronic communication service for purposes of backup
15 protection of such communication.”
16
149.
Facebook’s access of persistent cookies on Plaintiffs’ and Class Members’
17 computers without their consent and in violation it privacy policies after logout from Facebook
18 exceeded authorized access to those computers, which are facilities through which an electronic
19 communication service is provided. By using technology that caused cookie data to be sent to
20 Facebook without Plaintiffs’ or Class Members’ consent or knowledge, Facebook obtained
21 electronic communication data in electronic storage in violation of the SCA.
22
150.
Plaintiffs and other member of the Class were harmed by Defendant’s violations,
23 and pursuant to 18 U.S.C. § 2707(c), are entitled to actual damages including profits earned by
24 Defendant attributable to the violations or statutory minimum damages of $1,000 per person,
25 punitive damages, costs and reasonable attorneys’ fees.
26 / / /
27 / / /
28 / / /
33
CORRECTED FIRST AMENDED
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1
COUNT III
2
VIOLATION OF THE COMPUTER FRAUD AND ABUSE ACT,
18 U.S.C. § 1030
3
4
151.
Plaintiffs incorporate the above allegations by reference as if set forth more fully
152.
Plaintiffs’ and Class Members’ computers were used in interstate commerce or
5 herein.
6
7 communication.
8
153.
Defendant intentionally accessed Plaintiffs’ and Class Members computers without
9 authorization or by exceeding authorized access to such computers, and by obtaining information
10 from such a protected computers.
11
154.
Defendant knowingly caused the transmission of a program, information, code or
12 command to said computers and as a result caused a loss to Plaintiffs and Class Members during
13 any one-year period of at least $5,000 in the aggregate.
14
155.
Plaintiffs and Class Members have also suffered a violation of the right of privacy
15 as a result of Defendant’s knowing actions.
16
156.
Defendant has thus violated the Computer Fraud and Abuse Act, 18 U.S.C. § 1030.
17
157.
Defendant’s unlawful access to Plaintiffs’ and Class Members’ computers and
18 communications have caused irreparable injury. Unless restrained and enjoined, Defendant will
19 continue to commit such acts. Plaintiffs’ and Class Members’ remedies at law are not adequate to
20 compensate for these inflicted and threatened injuries, entitling Plaintiffs and the Class to remedies
21 including injunctive relief as provided by 18 U.S.C. § 1030(g).
22
COUNT IV
23
INVASION OF PRIVACY
24
158.
Plaintiffs incorporate all preceding paragraphs as though fully set forth herein.
25
159.
Plaintiffs had an interest in: (1) precluding the dissemination and/or misuse of their
26 sensitive, confidential personally identifiable information; and (2) making personal decisions
27 and/or conducting personal activities without observation, intrusion or interference, including, but
28 not limited to, the right to visit and interact with various internet sites without having that
CORRECTED FIRST AMENDED
34
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1 information intercepted and transmitted to Defendant without their knowledge or consent.
2
160.
Based on, among other things, Facebook’s Terms of Use and Privacy Policy,
3 Plaintiffs had a reasonable expectation that their personally identifiable information and other data
4
5
would remain confidential and that Defendant would not install cookies on their browsers that
would enable Facebook to track their activities on the internet after logging out of their Facebook
6
7
accounts.
8
161.
This invasion of privacy is sufficiently serious in nature, scope and impact.
9
162.
This invasion of privacy constitutes an egregious breach of the social norms
10 underlying the privacy right.
11
COUNT V
12
INTRUSION UPON SECLUSION
13
163.
Plaintiffs incorporate all preceding paragraphs as though fully set forth herein.
14
164.
By intercepting Plaintiffs’ wire and electronic communications on the internet,
15 Defendants intentionally intruded upon their solitude or seclusion.
16
165.
Plaintiffs did not consent to Defendants’ intrusion.
17
166.
Defendants’ intentional intrusion on Plaintiffs’ solitude or seclusion without
18 consent would be highly offensive to a reasonable person.
19
COUNT VI
20
CONVERSION
21
167.
Plaintiffs incorporate all preceding paragraphs as though set forth herein.
22
168.
Plaintiffs and the Class Members own and/or have a right to possess their
23 personally identifiable information and other data, including, but not limited to, their names,
24 account information, browsing histories, and purchasing habits.
Such property, owned by
25 Plaintiffs and the Class Members, is valuable to Plaintiffs and the Class Members.
26
169.
Defendant unlawfully exercised dominion over said property and thereby converted
27 Plaintiffs’ and the Class Members’ property, by, inter alia, installing cookies on Plaintiffs’ and the
28 Class Members’ computers, which continued to intercept their communications after they were
CORRECTED FIRST AMENDED
35
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1 logged out of their Facebook accounts.
2
170.
Plaintiffs and the Class Members have suffered damages as a result of Defendant’s
3 actions, including, but not limited to, the loss in value of their personally identifiable information
4 in the marketplace.
5
COUNT VII
6
TRESPASS TO CHATTELS
7
171.
Plaintiffs incorporate all preceding paragraphs as though set forth herein.
8
172.
Defendant, intentionally and without consent or other legal justification, tracked
9 Plaintiffs’ activity while Plaintiffs were logged-off of the website Facebook.com, and, in the
10 process, connected Plaintiffs’ personally identifiable information to their specific actions on the
11 Internet.
12
173.
Defendant, intentionally and without consent or other legal justification, placed
13 cookies on Plaintiffs’ computers which tracked their activity while logged-off of Facebook.
14
174.
Defendant’s intentional and unjustified placing of a cookie designed to track
15 Plaintiffs’ internet activities while logged-off of Facebook and actual tracking of Plaintiffs
16 activities interfered with Plaintiffs’ use of the following personal property owned by Plaintiffs: (a)
17 Plaintiffs’ computers; and (b) Plaintiffs’ personally identifiable information.
18
COUNT VIII
19
VIOLATION OF CALIFORNIA BUSINESS AND PROFESSIONAL CODE
§ 17200, ET SEQ., THE UNFAIR COMPETITION LAW (“UCL”)
20
21
175.
Plaintiffs incorporate all preceding paragraphs a though set forth herein.
22
176.
In violation of California Business and Professional Code § 17200, et seq.,
23 Defendant’s conduct in this regard is ongoing and includes, but is not limited to, statements made
24 by Defendant in its information privacy and confidentiality practices.
25
177.
By engaging in the acts and practices described herein, Defendant has committed
26 one or more acts of unfair competition within the meaning of the UCL, and as a result, Plaintiffs
27 and the Class Members have suffered injury-in-fact and have lost money and/or property, namely,
28 as described herein, the insertion of cookies on their computers and the invasion and lost value of
CORRECTED FIRST AMENDED
36
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1 their personally identifiable information and other data.
2
178.
In reasonable reliance on Defendant’s misrepresentations and omissions, Plaintiffs
3 interacted with various websites while logged out of their Facebook accounts believing that this
4 information was secure and confidential. In actuality, without Plaintiffs’ knowledge or consent,
5 Defendant caused certain cookies to be placed on Plaintiffs’ computers, which actively intercepted
6 and collected Plaintiffs’ personally identifiable information so that it could be utilized for
7 advertising and other purposes for Defendant’s benefit.
8
179.
Defendant’s business acts and practices are unlawful, in part, because they violate
9 California Business and Professions Code§ 17500, et seq., which prohibits false advertising, in
10 that they were untrue and misleading statements relating to Defendant’s performance of services,
11 made with the intent to induce consumers to enter into obligations relating to such services, and
12 regarding which statements Defendant knew, or which by the exercise of reasonable care
13 Defendant should have known, to be untrue and misleading. Defendant’s business acts and
14 practices are also unlawful in that they violate the California Consumers Legal Remedies Act,
15 California Civil Code § 1750, et seq., California Penal Code § 502, California Penal Code §630,
16 18 U.S.C. § 2511, et seq., and 18 U.S.C. § 1030. Defendant is therefore in violation of the
17 “unlawful” prong of the UCL.
18
180.
Defendant’s business acts and practices are unfair, because they cause harm and
19 injury in fact to Plaintiffs and Class Members, and for which Defendant has no justification other
20 than to increase, beyond what Defendant would have otherwise realized, its profit in fees from
21 advertisers, software developers and other third parties and the value of its information assets
22 through the acquisition of consumers’ personal information.
Defendant’s conduct lacks
23 reasonable and legitimate justification in that Defendant has benefited from such conduct and
24 practices while Plaintiffs and the Class Members have been misled as to the nature and integrity of
25 Defendant’s services and have, in fact, suffered material disadvantage regarding their interests in
26 the privacy and confidentiality of their personal information. Defendant’s conduct offends public
27 policy in California as embodied in the Consumers Legal Remedies Act, the state constitutional
28 right of privacy, and California statutes recognizing the need for consumers to obtain material
CORRECTED FIRST AMENDED
37
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1 information that enables them safeguard their own privacy interests, including Cal. Civ. Code §
2 1798.80.
3
181.
Moreover, Defendant knew, or should have known, that consumers care about the
4 status of personal information and internet privacy, but are unlikely to be aware of the manner in
5 which Defendant was engaged in practices that expressly violated its stated Privacy Policy and the
6 Terms of Use. Defendant therefore is in violation of the “unfair” prong of the UCL.
7
182.
Defendant’s acts and practices were fraudulent within the meaning of the UCL,
8 because they were likely to, and did, in fact, mislead the members of the public to whom they
9 were directed.
10
183.
Plaintiffs, on behalf of themselves and each Class Member, seek restitution,
11 injunctive relief, and other relief as provided under the UCL.
12
COUNT IX
13
VIOLATIONS OF CALIFORNIA PENAL CODE § 502
THE CALIFORNIA COMPUTER CRIME LAW (“CCCL”)
14
15
184.
Plaintiffs incorporate all preceding paragraphs as though set forth herein.
16
185.
Defendant violated Cal. Penal Code § 502(c)(2) by knowingly and without
17 permission accessing, taking and using Plaintiffs’ and the Class Members’ personally identifiable
18 information.
19
186.
Defendant accessed, copied, used, made use of, interfered with, and/or altered data
20 belonging to Plaintiffs and Class Members: (1) in and from the State of California; (2) in the states
21 in which the Plaintiffs and the Class Members are domiciled; and (3) in the states in which the
22 servers that provided services and communication links between Plaintiffs and the Class Members
23 and Facebook.com and other websites with which they interacted were located.
24
187.
Cal. Penal Code § 502 provides: “For purposes of bringing a civil or a criminal
25 action under this section, a person who causes, by any means, the access of a computer, computer
26 system, or computer network in one jurisdiction from another jurisdiction is deemed to have
27 personally accessed the computer, computer system, or computer network in each jurisdiction.”
28 / / /
38
CORRECTED FIRST AMENDED
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1
188.
Defendants have violated California Penal Code § 502(c)(1) by knowingly and
2 without permission altering, accessing, and making use of Plaintiffs and Class Members’
3 personally identifiable data in order to execute a scheme to defraud consumers by utilizing and
4 profiting from the sale of their personally identifiable data, thereby depriving them of the value of
5 their personally identifiable data.
6
189.
Defendants have violated California Penal Code § 502(c)(6) by knowingly and
7 without permission providing, or assisting in providing, a means of accessing Plaintiffs’ and Class
8 Members’ computer systems and/or computer networks.
9
190.
Defendants have violated California Penal Code § 502(c)(7) by knowingly and
10 without permission accessing, or causing to be accessed, Plaintiffs’ and Class Members’ computer
11 systems and/or computer networks.
12
191.
Pursuant to California Penal Code § 502(b)(10) a “Computer contaminant” is
13 defined as “any set of computer instructions that are designed to ... record, or transmit information
14 within computer, computer system, or computer network without the intent or permission of the
15 owner of the information.”
16
192.
Defendants have violated California Penal Code § 502(6)(8) by knowingly and
17 without permission introducing a computer contaminant into the transactions between Plaintiffs
18 and the Class Members and websites; specifically, a “cookie” that intercepts and gathers
19 information concerning Plaintiffs’ and the Class Members’ interactions with certain websites,
20 which information is then transmitted back to Facebook.
21
193.
As a direct and proximate result of Defendant’s unlawful conduct within the
22 meaning of California Penal Code § 502, Defendant has caused loss to Plaintiffs and the Class
23 Members in an amount to be proven at trial. Plaintiffs and the Class Members are also entitled to
24 recover their reasonable attorneys’ fees pursuant to California Penal Code § 502(e).
25
194.
Plaintiffs and the Class Members seek compensatory damages, in an amount to be
26 proven at trial, and injunctive or other equitable relief.
27
195.
Plaintiff and Class Members have suffered irreparable and incalculable harm and
28 injuries from Defendant’s violations. The harm will continue unless Defendant is enjoined from
CORRECTED FIRST AMENDED
39
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1 further violations of this section. Plaintiffs and Class Members have no adequate remedy at law.
2
196.
Plaintiffs and the Class Members are entitled to punitive or exemplary damages
3 pursuant to Cal. Penal Code § 502(e)(4) because Defendant’s violations were willful and, upon
4 information and belief, Defendant is guilty of oppression, fraud, or malice as defined in Cal. Civil
5 Code § 3294.
6
197.
Plaintiffs and the Class Members have also suffered irreparable injury from these
7 unauthorized acts of disclosure, to wit: all of their personal, private, and sensitive web
8 communications have been harvested, viewed, accessed, stored, and used by Defendant, and have
9 not been destroyed, and due to the continuing threat of such injury, have no adequate remedy at
10 law, entitling Plaintiffs to injunctive relief.
11
COUNT X
12
VIOLATIONS OF CALIFORNIA PENAL CODE § 630
THE INVASION OF PRIVACY ACT
13
14
15
198.
Plaintiffs incorporate all preceding paragraphs as though set forth herein.
199.
California Penal Code § 631(a) provides, in pertinent part:
16
Any person who … willfully and without the consent of all parties
to the communication, or in any unauthorized manner, reads, or
attempts to read, or to learn the contents or meaning of any message,
report, or communication while the same is in transit or passing over
any wire, line, or cable, or is being sent from, or received at any
place within this state; or who uses, or attempts to use, in any
manner, or for any purpose, or to communicate in any way, any
information so obtained, or who aids, agrees with, employs, or
conspires with any person or persons to lawfully do, or permit, or
cause to be done any of the acts or things mentioned above in this
section, is punishable by a fine not exceeding two thousand five
hundred dollars…
17
18
19
20
21
22
23
200.
At all relevant times, Defendant’s business practice of depositing a cookie that
24 continued to access, intercept and collect Plaintiffs’ and Class Members’ personally identifiable
25 information and other data, including information concerning their interactions with certain
26 websites, after log-out from Facebook.com was without authorization and consent, including, but
27 not limited to, obtaining any and all communications.
28 / / /
40
CORRECTED FIRST AMENDED
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1
201.
Upon information and belief, Plaintiffs, and each Class Member, during one or
2 more of their interactions on the internet during the Class Period, communicated with one or more
3 entities based in California, or with one or more entities whose servers were located in California.
4
202.
Communications from the California web-based entities to Plaintiffs and Class
5 Members were sent from California. Communications to the California web-based entities from
6 Plaintiffs and Class Members were sent to California.
7
203.
Plaintiffs and Class Members did not consent to any of Defendant’s actions in
8 intercepting, reading, and/or learning the contents of their communications with such
9 California-based entities.
10
204.
Plaintiff and Class Members did not consent to any of the Defendant’s actions in
11 using the contents of their communications with such California-based entities.
12
205.
Defendant is not a “public utility engaged in the business of providing
13 communications services and facilities...”
14
206.
The actions alleged herein by Defendant was not undertaken “for the purpose of
15 construction, maintenance, conduct or operation of the services and facilities of the public utility.”
16
207.
The actions alleged herein by Defendant was not undertaken with respect to any
17 telephonic communication system used for communication exclusively within a state, county, city
18 and county, or city correctional facility.
19
208.
Defendant directly participated in the interception, reading, and/or learning of the
20 contents of the communications between Plaintiffs, Class Members and California-based web
21 entities.
22
209.
Plaintiffs and Class Members have additionally suffered loss by reason of these
23 violations, including, without limitation, violation of the right of privacy and deprivation of the
24 loss of value in their personally identifiable information.
25
210.
Unless restrained and enjoined, Defendants will continue to commit such acts.
26
211.
Pursuant to Section 637.2 of the California Penal Code, Plaintiff and the Class have
27 been injured by the violations of California Penal Code § 631. Wherefore, Plaintiffs, on behalf of
28 themselves and on behalf of a similarly situated Class of consumers, seeks damages and injunctive
CORRECTED FIRST AMENDED
41
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1 relief.
2
COUNT XI
3
VIOLATIONS OF CALIFORNIA CIVIL CODE § 1750
THE CONSUMER LEGAL REMEDIES ACT
4
5
212.
Plaintiffs incorporate all preceding paragraphs as though set forth herein.
6
213.
In violation of California Civil Code § 1750, et seq. (the “CLRA”), Defendant has
7 engaged and is engaged in unfair and deceptive acts and practices in the course of its interactions
8 with Plaintiffs and Class Members.
9
214.
At all relevant times, Plaintiffs and each proposed Class Member was a
10 “consumer,” as that term is defined in Civ. Code § 1761(d).
11
215.
At all relevant times, Defendant’s online services constituted “services,” as that
12 term is defined in Civ. Code § 1761(b).
13
216.
At all relevant times, Defendant was a “person,” as that term is defined in Civ.
14 Code § 1761(c).
15
217.
At all relevant times, Plaintiffs’ and each proposed Class Member’s use of
16 Defendant’s website and the implementation of cookies constituted a “transaction,” as that term is
17 defined in Civ. Code § 1761(e).
18
218.
Defendant’s practices, acts, policies, and course of conduct violated the CLRA in
19 that Defendant represented that its website and online services have characteristics, uses and
20 benefits which they do not have, in violation of § 1770(a)(5) of the CLRA.
21
219.
Defendant’s practices, acts, policies, and course of conduct violated the CLRA in
22 that Defendant represented that a transaction confers or involves rights, remedies, or obligations
23 which it does not have, in violation of § 1770(a)(14) of the CLRA.
24
220.
As previously described in detail, Defendant represented that it would supply its
25 service to Plaintiffs and Class Members in accordance with the governing documents and then did
26 not, in violation of § 1770(a)(16).
27
221.
Plaintiffs and the Class relied on Defendant’s representations that it would supply
28 its service in accordance with the governing documents.
42
CORRECTED FIRST AMENDED
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1
222.
Plaintiffs and the Class suffered the aforementioned damages as a result of the
2 Defendant’s conduct.
3
223.
4
Plaintiffs seek only injunctive relief for the CLRA claims alleged in this Complaint.
PRAYER FOR RELIEF
5
WHEREFORE, Plaintiffs respectfully request that this Court:
6
A.
Certify this action is a class action pursuant to Rule 23 of the Federal Rules of Civil
7 Procedure;
8
B.
Award compensatory damages, including statutory damages where available, to
9 Plaintiffs and the Class against Defendant for all damages sustained as a result of Defendant’s
10 wrongdoing, in an amount to be proven at trial, including interest thereon;
11
C.
Permanently restrain Defendant, and its officers, agents, servants, employees and
12 attorneys, from installing cookies on its users’ computers that could track the users’ computer
13 usage after logging out of Facebook or otherwise violating its policies with users;
14
D.
Award Plaintiffs and the Class their reasonable costs and expenses incurred in this
15 action, including counsel fees and expert fees; and
16
E.
Grant Plaintiffs such further relief as the Court deems appropriate.
17 / / /
18 / / /
19 / / /
20 / / /
21 / / /
22 / / /
23 / / /
24 / / /
25 / / /
26 / / /
27 / / /
28 / / /
43
CORRECTED FIRST AMENDED
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1
2
JURY TRIAL DEMAND
The Plaintiffs demand a trial by jury of all issues so triable.
3 DATED this 23rd day of May, 2012.
4
Respectfully submitted,
BARTIMUS, FRICKLETON,
5 ROBERTSON & GORNY, P.C.
STEWARTS LAW US LLP
6
/s/ David A. Straite
David A. Straite (admitted pro hac vice)
Ralph N. Sianni
Michele S. Carino
Lydia E. York
1201 North Orange Street, Suite 740
Wilmington, DE 19801
dstraite@stewartslaw.com
Telephone:
(302) 298-1200
Facsimile:
(302) 298-1222
Interim Co-Lead Counsel
7
8
9
10
11
/s/ Edward D. Robertson Jr.
Edward D. Robertson, Jr.
James P. Frickleton
Mary D. Winter
Edward D. Robertson III
11150 Overbrook Road, Suite 200
Leawood, KS 66211
chiprob@earthlink.net
Telephone:
(913) 266-2300
Facsimile:
(913) 266-2366
Interim Co-Lead Counsel
12 KIESEL BOUCHER LARSON LLP
13 Paul R. Kiesel, Esq. (SBN 119854)
8648 Wilshire Boulevard
14 Beverly Hills, CA 90211
kiesel@kbla.com
15 Telephone: (310) 854-4444
Facsimile: (310) 854-0812
16
Interim Liaison Counsel
17
Stephen G. Grygiel
18 John E. Keefe, Jr.
Jennifer Harwood
19 KEEFE BARTELS LLC
170 Monmouth Street
20
Red Bank, NJ 07701
(732) 224-9400
21 Telephone:
Facsimile:
(732) 224-9494
22 sgrygiel@keefebartels.com
Plaintiffs’ Steering Committee Member
23
Barry R. Eichen
24
Daryl L. Zaslow
25 Tom Paciorkowski
EICHEN CRUTCHLOW ZASLOW &
26 MCELROY LLP
40 Ethel Road
27 Edison, New Jersey 08817
(732) 777-0100
28 Telephone:
Michael S. Schwartz
Mark S. Mandell
Zachary Mandell
MANDELL, SCHWARTZ & BOISCLAIR,
LTD.
1 Park Row
Providence, RI 02903
msmandell@msb-atty.com
Telephone:
(401) 273-8330
Facsimile:
(401) 751-7830
Plaintiffs’ Steering Committee Member
Stephen M. Gorny
BARTIMUS, FRICKLETON,
ROBERTSON & GORNY, P.C.
11150 Overbrook Road, Suite 200
Leawood, KS 66211
steve@bflawfirm.com
Telephone: (913) 266-2300
Facsimile: (913) 266-2366
44
CORRECTED FIRST AMENDED
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
(732) 248-8273
1 Facsimile:
beichen@njadvocates.com
2 Plaintiffs’ Steering Committee Member
Plaintiffs’ Steering Committee Member
3
William M. Cunningham, Jr.
Peter S. Mackey
Peter F. Burns
BURNS CUNNINGHAM & MACKEY PC
P.O. Box 1583
Mobile, AL 36633
wmcunningham@bcmlawyers.com
Telephone:
(251) 432-0612
Facsimile:
(251) 432-0625
Plaintiffs’ Steering Committee Member
4
5
6
7
8
Andrew J. Lyskowski
Erik A. Bergmanis
BERGMANIS LAW FIRM, L.L.C.
380 W. Hwy. 54, Suite 201
P.O. Box 229
Camdenton, MO 65020
alyskowski@ozarklawcenter.com
Telephone:
(573) 346-2111
Facsimile:
(573) 346-5885
Plaintiffs’ Steering Committee Member
9
William H. Murphy, Jr.
10 William H. Murphy, III
Tonya Osborne Baña
11 MURPHY, FALCON & MURPHY, P.A.
One South Street, 23rd Floor
12 Baltimore, MD 21202
billy.murphy@murphypa.com
13 Telephone:
(410) 539-6500
Facsimile:
(410) 539-6599
14 Plaintiffs’ Steering Committee Member
15 Margery S. Bronster
Robert Hatch
16 BRONSTER HOSHIBATA
1003 Bishop Street, Suite 2300
17 Honolulu, Hawaii 96813
mbronster@bhhawaii.net
18 Telephone:
(808) 524-5644
Facsimile:
(808) 599-1881
19 Special State AG Advisory Committee Member
21
Richard P. Ieyoub
Michael Reese Davis
L. J. Hymel
Tim P. Hartdegen
HYMEL, DAVIS & PETERSEN, LLC
10602 Coursey Blvd.
Baton Rouge, LA 70816
rieyoub@hymeldavis.com
Telephone:
(225) 298-8188
Facsimile:
(225) 298-8119
Special State AG Advisory Committee Member
22 Grant Woods
GRANT WOODS PC
23 Two Renaissance Square
40 N. Central Ave., Suite 2250
24 Phoenix, AZ 85004
gw@grantwoodspc.net
25 Telephone:
(602) 258-2599
Facsimile:
(602) 258-5070
26 Special State AG Advisory Committee Member
Mike Moore
MIKE MOORE LAW FIRM, LLC
10 Canebrake Blvd.
Suite 150 Flowood, MS 39232
mm@mikemoorelawfirm.com
Telephone:
(601) 933-0070
Facsimile:
(601) 933-0071
Special State AG Advisory Committee Member
20
27
28
45
CORRECTED FIRST AMENDED
CONSOLIDATED CLASS ACTION
COMPLAINT - No. 5:12-md-02314-EJD
1
2
3
4
CERTIFICATE OF SERVICE
I hereby certify that on May 23, 2012, I caused the foregoing to be electronically filed
with the Clerk of the Court using the CM/ECF system which will send notification of such filing
to the e-mail addresses denoted on the Electronic Mail Notice List.
5
6
7
I certify under penalty of perjury under the laws of the United States of America that the
foregoing is true and correct. Executed on May 23, 2012.
8
Respectfully Submitted,
9
KIESEL BOUCHER LARSON LLP
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
/s/ Paul R. Kiesel
Paul R. Kiesel
kiesel@kbla.com
8648 Wilshire Boulevard
Beverly Hills, California 90211
Tel.: (310) 854-4444
Fax: (310) 854-0812
Interim Liaison Counsel
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?