In Re FACEBOOK INTERNET TRACKING LITIGATION
Filing 90
*** POSTED IN ERROR *** please see #92 Administrative Motion to File Under Seal filed by Perrin Aikens Davis. (Attachments: #1 Declaration of David Straite, #2 Exhibit 1, #3 Exhibit 2 - FILED UNDER SEAL, #4 Exhibit 3 - FILED UNDER SEAL, #5 Proposed Order)(Kiesel, Paul) (Filed on 11/30/2015) Modified on 6/3/2016 (cv, COURT STAFF).
Exhibit 1 to Declaration of David A. Straite

Stephen G. Grygiel (admitted pro hac vice)
SILVERMAN THOMPSON SLUTKIN WHITE LLC
201 N. Charles Street, 26TH Floor
Baltimore, MD 21201
Tel. (410) 385-2225
Fax (410) 547-2432
sgrygiel@mdattorney.com

Frederic S. Fox (admitted pro hac vice)
David A. Straite (admitted pro hac vice)
KAPLAN FOX & KILSHEIMER LLP
850 Third Avenue, 14th Floor
New York, NY 10022
Telephone: (212) 687-1980
Facsimile: (212) 687-7714
dstraite@kaplanfox.com

Laurence D. King (206423)
Mario Choi (243409)
KAPLAN FOX & KILSHEIMER LLP
350 Sansome Street, 4th Floor
San Francisco, CA 94104
Tel.: (415) 772-4700
Fax: (415) 772-4707
lking@kaplanfox.com

IN THE UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF CALIFORNIA
SAN JOSE DIVISION

IN RE: FACEBOOK, INC. INTERNET TRACKING LITIGATION
No. 5:12-md-02314-EJD

SECOND AMENDED CONSOLIDATED CLASS ACTION COMPLAINT

DEMAND FOR JURY TRIAL

PUBLIC REDACTED VERSION
5:12-MD-02314-EJD
SECOND AMENDED CONSOLIDATED
CLASS ACTION COMPLAINT
TABLE OF CONTENTS

I. INTRODUCTION
II. JURISDICTION AND VENUE
III. THE PARTIES
IV. FACTUAL ALLEGATIONS
    A. The Facebook Terms of Service
    A.
    B. URLs Contain the “Contents” of an Electronic Communication
    C. Internet Tracking Through the Facebook “Like” Button
        1. Tracking Logged-In Subscribers
        2. Tracking Logged-Out Subscribers
    D. Facebook Unlawfully Tracked Logged-Out Subscribers
    E. Facebook Unlawfully Circumvented P3P Privacy Protections on Internet Explorer
V. FACEBOOK’S SURREPTITIOUS TRACKING REVEALED
VI. PLAINTIFF-SPECIFIC FACTUAL ALLEGATIONS
VII. VALUE OF INTERCEPTED REFERRER URLs
VIII. STATUTE OF LIMITATIONS
IX. STATUS OF RELATED LITIGATION
    A. Austria: Schrems v. Facebook Ireland Limited
    B. Belgium: Commission for the Protection of Privacy v. Facebook
    C. California: Ung v. Facebook, Inc.
    D. Ireland: Schrems v. Irish Data Protection Commissioner
X. CLASS ACTION ALLEGATIONS
XI. COUNTS
    COUNT I
        VIOLATION OF THE FEDERAL WIRETAP ACT, 18 U.S.C. § 2510, et. seq.
    COUNT II
        VIOLATION OF THE STORED COMMUNICATIONS ACT, 18 U.S.C. § 2701, et. seq.
    COUNT III
        VIOLATION OF THE CALIFORNIA INVASION OF PRIVACY ACT
        CALIFORNIA CRIMINAL CODE §§ 631 and 632
    COUNT IV
        INVASION OF PRIVACY
    COUNT V
        INTRUSION UPON SECLUSION
    COUNT VI
        BREACH OF CONTRACT
    COUNT VII
        BREACH OF THE DUTY OF GOOD FAITH AND FAIR DEALING
    COUNT VIII
        CIVIL FRAUD
        VIOLATION OF CAL. CIV. CODE §§ 1572 and 1573
    COUNT IX
        Trespass to chattels
    COUNT X
        VIOLATIONS OF CALIFORNIA PENAL CODE § 502
        THE CALIFORNIA COMPUTER CRIME LAW (“CCCL”)
    COUNT XI
        statutory larceny
        California penal code §§ 484 and 496
XII. PRAYER FOR RELIEF
XIII. JURY TRIAL DEMAND
I. INTRODUCTION

1. On April 22, 2010, defendant Facebook, Inc. (“Facebook” or “Defendant”) launched the “Like” button outside of the Facebook domain. Within weeks it became the single most important social plug-in ever created, quickly surpassing Facebook’s “Share” button.

2. Less than five weeks after the Like button launch, 50,000 websites had installed it; less than ten weeks after launch, web site consultants were calling it “ubiquitous.” By November 2013, Facebook claimed on its developer blog that its Like and Share buttons drove more referral traffic than all other social networks combined. Today, Facebook says that web pages containing the Like button are viewed more than 30 billion times each day, and more than 7 million websites now incorporate them. As the Huffington Post summed up, the Like button is now “omnipresent.”

3. As discussed in more detail below, when a Facebook user logs into his Facebook account, a number of session cookies and tracking cookies are written to the user’s browser. When an Internet user visits a webpage with Facebook functionality (including the Like button), Facebook causes the user’s browser to send a real-time copy of the referrer URL of the page being viewed, along with whatever Facebook tracking and session cookies are written to the browser, to Facebook. The browser sends the data to Facebook regardless of whether the user actually clicks on the Like or Share button or even knows of its existence. This means that 30 billion times a day, Facebook causes computers around the world to report the real-time Internet communications of hundreds of millions of people – including the entire file path of URLs containing sensitive content – to Facebook. When Facebook’s session and tracking cookies link the URLs to specific persons, anonymity disappears and Facebook’s internet tracking becomes the single most pervasive and grave threat to data privacy today.

4. When a subscriber logs out of Facebook, however, Facebook promises to delete those cookies that contain subscriber’s identifying information, such as user ID. This promise was made from the very first day Facebook launched the Like button. From the very first day, however, Facebook broke this promise – logging out did not in fact remove cookies with user IDs, and at times during the Class Period new cookies were written even when subscribers were logged out. Discovery has revealed that from the very first day, Facebook knew it was deceiving the public, and chose to keep it quiet despite internal concerns. Not until September 26, 2011 after an independent researcher publicly disclosed the problem and after the story was picked up by the Wall Street Journal, did Facebook choose to fix the problem.
5. The plaintiffs are four Facebook subscribers whose Internet use was tracked by Facebook between April 22, 2010 through September 26, 2011 (the “Class Period”) while logged out of their Facebook accounts. They bring federal and California state law claims on behalf of other similarly-situated Facebook subscribers in the United States (the “Class”) arising from Facebook’s knowing and unauthorized interception and tracking of users’ Internet communications and activity, and knowing and unauthorized access to users’ computing devices and web browsers.

6. Plaintiffs Quinn, Davis and Lentz also bring these claims on behalf of a subclass of Facebook subscribers in the United States who used Microsoft’s Internet Explorer (the “Subclass”) from April 22, 2010 through September 17, 2010. During this period, Internet Explorer protected the privacy of its users by blocking certain tracking cookies of websites that did not adhere to standards set by the “Platform for Privacy Preferences” project, or P3P. Facebook knowingly circumvented P3P’s cookie blocking by misrepresenting its privacy policy to Internet Explorer until September 17, 2010 when Facebook finally admitted it did not have a compliant P3P policy.
II. JURISDICTION AND VENUE

7. This Court has personal jurisdiction over Defendant Facebook because Facebook is headquartered in this District.

8. This Court has subject matter jurisdiction over the federal claims in this action, namely the Federal Wiretap Act, 18 U.S.C. § 2511 (the “Wiretap Act”) and the Stored Communication Act, 18 U.S.C. § 2701 (“SCA”), pursuant to 28 U.S.C. § 1331.

9. This Court has subject matter jurisdiction over this entire action pursuant to the Class Action Fairness Act (“CAFA”), 28 U.S.C. § 1332(d), because this is a class action in which the amount in controversy exceeds $5,000,000, and at least one member of the class is a citizen of a state other than California or Delaware.
10. This Court also has supplemental jurisdiction over the state law claims in this action pursuant to 28 U.S.C. § 1367 because the state law claims form part of the same case or controversy as those that give rise to the federal claims.

11. Venue is proper in this District because Defendant Facebook is headquartered in this District. In addition, the Facebook Statements of Rights and Responsibilities in force during the Class Period, which Facebook claims govern the relationship between Facebook and its users, provides for exclusive venue in state or federal courts located in Santa Clara County, California.
III. THE PARTIES

12. Plaintiff Mrs. Perrin Davis (“Davis”) is an adult domiciled in Illinois. Davis had an active Facebook account during the entire Class Period.

13. Plaintiff Prof. Cynthia Quinn (“Quinn”) is an adult domiciled in Hawaii. Quinn had an active Facebook account during the entire Class Period.

14. Plaintiff Dr. Brian Lentz (“Lentz”) is an adult domiciled in North Carolina. Lentz had an active Facebook account during the entire Class Period.

15. Plaintiff Mr. Matthew Vickery (“Vickery”) is an adult domiciled in Washington State. Vickery had an active Facebook account during the entire Class Period.

16. Defendant Facebook is a Delaware corporation which maintains its headquarters at 1601 Willow Road, Menlo Park, California 94025. Facebook is a “social network” that permits its members to interact with one another through a web site located at www.facebook.com. By the end of the Class Period, Facebook had approximately 800 million members, of whom 150 million were in the United States. Today, Facebook claims approximately 1.4 billion members.
IV. FACTUAL ALLEGATIONS

A. The Facebook Terms of Service

17. Facebook asserts that the agreement governing its relationship with users is the “Statement of Rights and Responsibilities” or “SSR” which incorporates a number of other documents by reference. The SSR at the start of the Class Period is dated April 22, 2010, and is attached to this complaint as Exhibit A.
18. Updated SSRs in the Class Period are dated August 25, 2010 (see Exhibit B), October 4, 2010 (see Exhibit C) and April 26, 2011 (see Exhibit D).

19. Each of these SSRs, regardless of date, provides that “[t]he laws of the State of California will govern this Statement, as well as any claims that might arise between you and us, without regard to conflict of law provisions.” See, e.g., SSR dated April 22, 2010 at ¶ 15, Ex. A.

20. Each of these SSRs incorporated by reference the Privacy Policy (later called the “Data Use Policy” starting April 26, 2011). See Exhibits E through H. For example, Facebook said in the SSR “[w]e encourage you to read the Privacy Policy, and to use it to help make informed decisions.” SSR dated April 22, 1010 at ¶ 1, Ex. A. At the end, the SSR stated, “The Privacy Policy is designed to help you understand how we collect and use information.”

21. The Privacy Policies (and Data Use Policy) are long and difficult to comprehend. A December 8, 2011 inquiry from the United States House of Representatives noted that Facebook’s privacy policy was “longer than that of all other social networks and exceed in length the United States Constitution. . . . . We are concerned . . . that long, complex privacy policy statements make it difficult for consumers to understand how their information is being used.” See Ex. I., p. 8.

22. In its January 6, 2012 response to the Congressional inquiry, Facebook agreed: “We also agree that long and complex privacy policies can make it difficult for consumers to understand how their information is being used . . . . we use a layered approached, summarizing our practices on the front page and then allowing people to click through the Policy for more details.” Id. at 9.
23. The Privacy Policies and the later Data Use Policy linked to Facebook’s Help Page as a part of this “layered approach.” One Help Page entry provided more detail related to Facebook’s use of cookies, which “are small files that store information about your account, web browser, computer, mobile phone or other device.” Facebook also represented in the social plug-in discussion that “when you log out of Facebook, we remove the cookies that identify your particular account.”

24. The Privacy Policies dated April 22, 2010 (Ex. E), October 5, 2010 (Ex. F) and December 22, 2010 (Ex. G) link to these representations, contradict none of them, and never purport to obtain consent for Facebook to use account-identifying cookies after logout. In fact, on September 7, 2011 Facebook moved the social-plugin discussion from the Help Center directly into the Data Use Policy, and continued to represent that Facebook would only use User ID cookies when the user is “logged in to Facebook.” Ex. H, section I (“Other Information We Receive About You.”).
25. The Facebook Privacy Policies as explained by the help pages are consistent with all public representations made by Facebook. For example, four days into the Class Period, on April 26, 2010, Facebook explained social plug-ins on its “Facebook Notes” blog. Facebook was clear that “you only see a personalized experience with your friends if you are logged into your Facebook account.”

26. When privacy rights and civil liberties organizations in 2010 raised a number of privacy concerns associated with social plug-ins and other changes to the Facebook Privacy Policy at the beginning of the Class Period, it was believed that Facebook was only tracking logged in users via the Like button. So, for example, the ACLU, Center for Democracy and Technology, Center for Digital Democracy, Consumer Action, Consumer Watchdog, Electronic Privacy Information Center, Electronic Frontier Foundation and the Privacy Rights Clearinghouse jointly wrote to Facebook CEO Mark Zuckerberg regarding a number of “outstanding privacy problems.” See Open Letter dated June 16, 2010, attached as Ex. J. The authors objected that the Like buttons “provide Facebook with information about every visit to the site by anyone who is logged in to Facebook.” Id. at 2 (emphasis added). Not one of these well-respected and tech-savvy privacy groups understood that Facebook was also tracking logged out as well as logged in users, which would have been a far more serious concern.
27. Throughout the entire Class Period and thereafter, Facebook consistently told the public that it was not tracking users post-logout. In a series of interviews with USA Today in mid-November, 2011, for example, Facebook said it did not log any personal information associated with Internet surfing by logged out users – all logging would be done only by an anonymous browser cookie. When asked if even the anonymous data could somehow be re-associated with the browsing history, Facebook reiterated: “We’ve said that we don’t do it, and we couldn’t do it without some form of consent and disclosure.”1
B. URLs Contain the “Contents” of an Electronic Communication

28. To browse the web via the Internet, users employ a web browser. The most popular web-browsers include Apple Safari, Microsoft Internet Explorer, Google Chrome, and Mozilla Firefox.
29. Web browsers are software applications that allow consumers to send, receive and view electronic communications on the Internet and to view the content of web pages. Web browsers include a Terms of Use or Service, which prohibit users from engaging in unlawful or unauthorized tracking of the communications of others or from using the service to engage in criminal or otherwise unlawful acts. For example, major web-browsers such as Google Chrome, Microsoft Internet Explorer, and Apple Safari all expressly prohibit unlawful acts.2 Plaintiffs are not aware of any major web-browser which consents to the use of its service to engage in criminal or otherwise unlawful acts.

30. Every website is hosted by a server through which it sends and receives communications with Internet users and their web browsers to display web pages on users’ monitors and screens, depending on the user’s chosen computing device.
1 See Acohido, Byron, How Facebook Tracks you across the Web, USA TODAY, Nov. 16, 2011. http://www.usatoday.com/tech/news/story/2011-11-15/facebook-privacy-trackingdata/51225112/1.

2 See https://www.google.com/intl/en_US/chrome/browser/privacy/eula_text.html (last visited July 28, 2014); http://windows.microsoft.com/en-US/internet-explorer/products/ie-9/end-userlicense-agreement (last visited July 28, 2014); and http://www.apple.com/legal/sla/docs/SafariWindows.pdf (last visited Sept. 10, 2014).

31. The basic command to communicate with websites is called the ‘GET’ command. For example, when an Internet user types a URL into the navigation bar of her web browser and hits enter (or more commonly, when an Internet user clicks on a hyper-link), the user sends a ‘GET’ command to the server hosting the website to which the user is sending the communication. The ‘GET’ command instructs the website server to send the content contained within the file the Internet user has requested onto the user’s browser for display.

32. Another basic command is the ‘POST’ command. The ‘POST’ command is used when a user enters data into a form on a website and clicks enter or the submit button. The ‘POST’ command sends the data entered into the form to the website.
33. Each website server has an IP address. For example, the IP address for the website “www.nytimes.com” is “170.149.161.130.” An IP address, however, is not the same thing as a URL. The New York Times website has a single or just a handful of IP addresses for all of the articles, essays, and other content hosted on its webserver. Thus, revealing that an Internet user sent a series of communications to 170.149.161.130 only reveals the parties to the communication – the user and the New York Times. In contrast, a full-string detailed URL reveals both the parties to the communication and the contents of a communication.
34. A URL is composed of several different parts. For example, consider the following URL: http://progressivehealth.hubpages.com/hub/How-Do-I-Reduce-Herpes-Breakouts:

a. http:// – This is the protocol identified by the web browser to the web server which sets the basic language of the interaction between the browser and the server. The forward-slashes indicate that the browser is attempting to make contact with the server.

b. progressivehealth.hubpages.com – This is the name that identifies the website and corresponding website server with which the Internet user has initiated a communication. There is an IP address associated with the “progresivehealth.com” server.

c. /hub/ – This part of the URL indicates a folder on the web-server where the communication is located, a file of which the Internet user has requested.

d. /How-Do-I-Reduce-Herpes/Breakouts/ – This is the name of the precise file requested and it constitutes and/or contains information relating to the substance, purport, and meaning of a communication. The IP address attached to this particular URL would only reveal that the user was in the process of sending and receiving communications from HubPages.com. The full string details URL would reveal the user was interested in, and was seeking and requesting information from HubPages.com about, herpes breakouts and their reduction.

e. /hub/How-Do-I-Reduce-Herpes-Breakouts – This combination of the folder and exact file title is called the “file path.”
35. To further illustrate the distinction between an IP address and a full-string detailed URL, consider an Internet user seeking information on “stress after 9/11.” This user might type that exact search term into Google and the first result they would get is a link to an article on the NYTimes.com website:

The user who clicks on the phrase “Post-Traumatic Stress Disorder from 9/11 Still Haunts” would be sending a communication through the user’s browser to the New York Times seeking that information via a ‘GET’ request and the full-string detailed URL: http://www.nytimes.com/2011/08/10/nyregion/post-traumatic-stress-disorder-from-911still-haunts.html. The IP address for the New York Times would be the same whether the user went to NYTimes.com or sent this detailed request for information via a URL. The user would receive in return a 3,000 word article from the New York Times on the topic of Americans suffering from stress a full ten years after 9/11.

36. Although a single webpage appears on a user’s screen as a complete product, it is more often an assembled collage of independent parts. Some portions often exist on different servers, often operated by third parties, which send the additional information to a window called an iframe. In essence, the iframe is a small portion of the third-party’s website that peeks through the first-party website, usually in the form of an advertisement or social plug-in:
37. To display each part of a single webpage as one complete product, the host server leaves the iframe blank. Upon receiving a ‘GET’ command from a user’s web browser, the website server contemporaneously re-directs the user’s web-browser to send a separate but simultaneous GET command to the third-party responsible for the iframe, thereby allowing the third-parties to gain limited access to the user’s web-browsers.

38. In addition to the GET command received by the third-party, the detailed URL from the first domain is acquired by the third-party. These URLs are called “referrer headers” (technically spelled “referer” due to a quirk of history).

39. The re-direction of the referrer URL and the sending of the re-directed GET command is accomplished through the individual Internet user’s web-browser without any further action or knowledge of the user.

40. The third-party servers to which the GET requests are contemporaneously re-directed, and which thereby gained access to the user’s web-browser, respond by sending information to the user’s web-browser to fill in the blank iframe.

41. The sending of the re-directed GET request and acquisition of the referrer headers by third-parties occurs both contemporaneously with the user’s communications with the first-party website and while the information is in storage by the first-party website and the user’s computing device and web-browser.

42. The entire process happens in milliseconds. The precise length of time from the original ‘GET’ request from the user to the website and the corresponding communication from the website back to the user is determined by the user’s Internet speed and the speed of the website server and server(s) to which the user’s referrer URL and GET request were contemporaneously re-directed.
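
Added example (not part of the complaint and not any party's code): paragraphs 33 through 42 distinguish a request that reveals only the host from one that reveals the full file path in the referrer header. The JavaScript below computes the Referer value a browser would attach to a third-party iframe request under each standard Referrer-Policy value, which is the control a first-party site can set to limit what an embedded third party receives. The embed hostname is constructed, and "trustworthy origin" is simplified to "https scheme".

```javascript
// Added example: which Referer value accompanies a third-party embed request
// under each Referrer-Policy value. Simplified from the W3C Referrer Policy
// algorithm: a "downgrade" here means an https page requesting a non-https URL.

const POLICIES = [
  "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
];

// Browsers never send credentials or the fragment in a referrer; with
// originOnly set, the path and query string are dropped as well.
function stripForReferrer(pageUrl, originOnly) {
  const u = new URL(pageUrl);
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  u.username = "";
  u.password = "";
  u.hash = "";
  if (originOnly) {
    u.pathname = "/";
    u.search = "";
  }
  return u.href;
}

// Returns the Referer header value, or null when no header is sent.
function computeReferer(pageUrl, requestUrl, policy) {
  if (!POLICIES.includes(policy)) throw new Error(`unknown policy: ${policy}`);
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  const full = stripForReferrer(pageUrl, false);
  const origin = stripForReferrer(pageUrl, true);
  if (full === null) return null;
  const sameOrigin = page.origin === req.origin;
  const downgrade = page.protocol === "https:" && req.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return origin;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : origin;
    case "origin-when-cross-origin": return sameOrigin ? full : origin;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
  }
}

// Classifies what the third party learns, using the complaint's distinction:
// the host identifies the parties, the file path carries the content.
function disclosure(referer) {
  if (referer === null) return "nothing";
  const u = new URL(referer);
  return u.pathname === "/" && u.search === "" ? "host only" : "host and file path";
}

function report(pageUrl, embedUrl) {
  return POLICIES.map((policy) => {
    const referer = computeReferer(pageUrl, embedUrl, policy);
    return { policy, referer, thirdPartyLearns: disclosure(referer) };
  });
}

// The first-party URL is the one dissected in paragraph 34.
const PAGE = "http://progressivehealth.hubpages.com/hub/How-Do-I-Reduce-Herpes-Breakouts";
// Constructed third-party iframe source (assumption, not from the complaint).
const EMBED = "https://plugin.thirdparty.example/like-button?layout=standard";

console.table(report(PAGE, EMBED));
```

Under `no-referrer-when-downgrade` and `unsafe-url` the embed receives the full file path; under the `origin` family it receives only the host, and under `no-referrer` or `same-origin` it receives nothing.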
43. Facebook has always understood the sensitivity of content included in referrers, and the privacy concerns associated with referring URLs to another website. One month into the class period, for example, Facebook engineer Matt Jones wrote a blog post called “Protecting Privacy with Referrers.” See Ex. K. He first noted that Facebook does truly want to track its users across the internet:

    Here at Facebook, we’re all about understanding how people interact with our site – including how they end up here from across the vast expanse of the internet. We’re not the only ones, though – most web sites want similar insights about the people who use them.

    Despite its tragic misspelling, the HTTP standard’s “referrer” header sent by browsers gives websites the information they need to see how users found them, and how they explore the sites once there.

44. Then under the heading “Referrers: not always welcome,” Mr. Jones added:

    But sometimes referrers just don’t belong – maybe there is sensitive information in a URL, or maybe a site just doesn’t want its users’ browsers telling others how they use the site. . . . Facebook is one site where referrers don’t really belong . . .

Id. (emphasis added).
45. Similarly, at the beginning of the Class Period, Facebook met with representatives of YouTube on May 12, 1010 regarding YouTube’s possible integration of Like buttons. Facebook employee Matt Kelly recorded that YouTube wanted to use a version of the button that would provide greater privacy to its users; Mr. Kelly noted “they don’t want us to know what their users are viewing.” In response, Facebook employee Ethan Beard noted the challenge of YouTube’s request, and proposed an alternative “to sign a deal with them that restricted our ability to use the data or something (depends on what they are really concerned about – we know a lot about what yt [sic] videos someone is watching).” See Ex. Q at p. 1.
C. Internet Tracking Through the Facebook “Like” Button

1. Tracking Logged-In Subscribers

46. When signing up for a Facebook account, subscribers fill out an electronic form, sending communications to Facebook which personally identified them:
47. Each Facebook subscriber manually enters his or her first and last name, email address, a password, gender and birthdate before signing-up. Upon clicking the green “Sign Up” button, their web-browser sends a ‘POST’ communication to Facebook.

48. Facebook then creates a database entry for the new user in an internal database called “Nectar,” and assigns a unique user ID to the subscriber. Facebook also then writes a number of cookies to the user’s web browser that Facebook correlates with the information in the Nectar database. As each user adds more information to their Facebook account via communications while logged-in to Facebook, Facebook adds the information to the database entry for each user.
49. Facebook describes its social plug-ins as a “little piece of Facebook” embedded on a first-party website, as described above. When an internet user lands on a webpage with this embedded piece of Facebook, the user’s browser is instructed to redirect a copy of the user-to-website communications, along with several Facebook cookies, to Facebook, which can then be added to the Nectar database. The adoption rate and growth of Facebook social plug-ins, most importantly the Like button, has been historic:

a. By the beginning of June 2010, just weeks after launch, more than 50,000 websites incorporated Like buttons.

b. By August 2010, more than 350,000 websites had Like buttons.

c. By the one-year anniversary on April 22, 2011, 2.5 million websites had Like buttons, including 80 of the top 100 websites in the United States ranked by comScore. 250 million people each day were viewing websites with Like buttons.
13
50. The process differs for logged-in users compared to logged-out users and non-subscribers, and is described in detail in the attached Technical Report recently prepared for the Belgian Privacy Commission on June 25, 2015. See Ex. L.
51. When a Facebook subscriber is logged into Facebook, the user’s browser will contain more than 10 Facebook cookies, written to the browser at various times.
52. Cookies are small text files that web-servers can place on a person’s web-browser and computing device when that person’s web-browser interacts with a website server. Cookies can perform different functions. Eventually, some cookies were designed to track and record an individual Internet user’s communications with and activities on websites across the Internet.
53. In general, cookies are categorized by (1) duration and (2) party. There are two types of “duration” cookies, known as session cookies and persistent cookies.
54. “Session cookies” are placed on a person’s computing device only for the period during which the user is directly communicating with the website that placed the cookie. The person’s web-browser normally deletes session cookies when the user closes the browser.
55. “Persistent cookies” are designed to survive beyond a single browsing session. Persistent cookies are not permanent. Instead, the party creating the persistent cookie determines its lifespan – which is longer than a single browsing session. A “persistent cookie” can record a person’s Internet communications for months or years. By virtue of their lifespan, persistent cookies can track a person’s communications with dozens, hundreds, or thousands of websites on the Internet. Persistent cookies are also sometimes called “tracking cookies.”
56. Cookies can also be classified by “Party.” “First-party cookies” are set on a user’s web-browser by the website with which the user is knowingly communicating. For example, NYTimes.com sets a collection of its own first-party cookies on users’ web-browsers when they visit pages at NYTimes.com. First-party cookies can be helpful to the user, server, and website to assist with security, log-in, and functionality.
57. “Third-party cookies” are set and accessed by website servers other than the website with which the user is knowingly communicating. For example, the same user who visits NYTimes.com will also have cookies placed and accessed from their web browser by third-party web-servers, including Facebook. Unlike first-party cookies, third-party cookies are typically not helpful to the Internet user. Instead, third-party cookies typically work in furtherance of data collection, behavioral profiling, and targeted advertising.
58. Facebook writes the following cookies to the browsers of logged-in users; the sample values below relate to an actual test in 2015 using Mozilla’s Firefox browser:
Cookie | Sample Value | Information Contained | Expires
--- | --- | --- | ---
c_user [3] | 10000004223456398 | User’s Facebook ID | Session / 1 month
datr | S3fJVgeTh7_ikK5frtHsHPmE | Browser ID | 2 years
fr | 0glRJJKaszKOLdKz8.AWXGH1RrxSLM3PHeHxfrORv10H8.BCVchV.Sj.FUJ.0.AWWsuv8a | Encrypted Facebook ID plus browser ID | 1 month
lu | wfKm8ItfbXqRKlNoERo10H1H | Encrypted ID of the last user | 2 Years
p | -2 | User’s channel partition | Session
presence | EM426705095EuserFA21B0911298286A2EstateFDutF1426705095426Et2F | Chat state | Session
s | Aa67DZudqH2wPH19 | ? | Session / 1 month
xs | 244%3AjIZKp45fK9ceMA%3A%3A1426705088%3A3455 | Session number and secret | Session / 1 month
csm | 2 | Insecure indicator | Session / 1 month
act | 1426704200575%2F14 | Timestamp and counter of user actions | Session
wd | 1280X653 | Browser window dimensions | Session
[3] During the Class Period, Facebook used several cookies to identify users, including the a_user, c_user, and m_user cookies.
59. Several of these cookies can identify the subscriber. Certainly the c_user cookie, which is the user ID, identifies the subscriber because Facebook assigned that ID to the user upon creating an account. But at least two other cookies can also uniquely identify the user. For example, the fr cookie has the user ID (encrypted) included therein. The lu (“last user”) cookie contains the user ID (encrypted) of the last user to use that browser, which would precisely identify the current user if the computer is not a shared computer. Internal Facebook documents confirm that Facebook used the lu cookie to determine the user. See, e.g., Ex. V, at p. 5 (“we can only do personalization if we know who the user is (which we get from the lu cookie)”). Finally, Facebook assigns each browser a unique identifier (the datr cookie) which can and does identify actual current users when a computer is not a shared computer. This possibility was noted back in February 2011 by Facebook employee Christopher Palow: “LU is the last logged in user ID. We could probably drop it as we now have a server-side store of datr->UIDs [user IDs] who have used that datr.” See Ex. Y, p. 1.
60. When a logged-in subscriber visits a webpage with a Facebook Like button, a copy of the referrer URL is acquired by Facebook along with the cookies above. However, Facebook is not a party to the communication recorded in the referrer URL – instead it acquires the URL from the user. For example, if a logged-in Facebook subscriber visited www.walmart.com, the series of conversations among computers would look like this:
61. Even for an ostensibly innocuous page view – say, perhaps hand towels at Walmart – Facebook acquires an enormous amount of individualized data. Facebook gets the full referral URL (including the exact subpage of precise items being purchased), and through the use of cookies, correlates that URL with the user ID, time stamp, browser settings and even the type of browser used. Facebook not only receives a copy of the user’s communication with Walmart, but can put the communication in the precise context of time of day and other user actions on the same website.
62. No matter how sensitive the website, the referral URL is acquired by Facebook along with the cookies that precisely identify the user. As the researchers noted in the Belgian Technical Report, if a user visited a certain explicit page of the gay website www.gayworld.be, Facebook would receive all of the cookies identified above, including time stamp and user ID, along with this referrer: http://www.gayworld.be/holebi-cultuur/wereldwijd/belgie/. See Ex. L, Fig. 7, Section 5.1.
2. Tracking Logged-Out Subscribers
63. When a subscriber logs out of his or her Facebook account, from the beginning of the Class Period until today Facebook has always represented publicly that it only receives “technical information” about user communications with other websites; when users “log out of Facebook, we remove the cookies that identify your particular account.”
64. Thus, upon logout Facebook deletes the c_user cookie completely, and sets the lu cookie value to zero. Facebook still acquires substantial amounts of data when a logged out user visits a webpage with Facebook functionality – including referrer URLs – and sets a new cookie called “locale,” which is the location of the last user to use that browser.
65. Facebook also records the unique browser ID of the browser used (via the datr cookie), and it appears from the Belgian Technical Report that the fr cookie also remains, despite containing the encrypted user ID. Discovery is still ongoing and it is not yet clear precisely how Facebook uses the datr cookie and/or the fr cookie to associate referrer URLs with actual users.
66. Finally, the “presence” cookie describes the “chat state,” for example, which chat tabs are open. Although not mentioned by the Belgian Technical Report, at least during the Class Period the presence cookies also contained a user ID. Thus, for example, Facebook engineering director Alex Himel assigned the following “high priority” investigation to engineer Adam Wolff on January 27, 2011, during the Class Period:
The presence cookie is sent to social plugins when they’re loaded by
external sites even if the user has logged out. This is problematic from a
privacy perspective because it contains a user id. Ideally, we would just
delete this cookie upon logout, but it would also be acceptable to remove
the user id.
See Ex. M.
67. Discovery is ongoing and it is not yet clear to what extent Facebook acquired user-ID-containing presence cookies from logged-out users during the Class Period.
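The logout behaviour alleged in paragraphs 64 to 66, as an added example (not code from the complaint, the Belgian Technical Report or Facebook): it replays a logout response's Set-Cookie headers against the logged-in cookie jar and lists which identifying cookies survive unchanged and would still accompany the Referer on a later plug-in request. All cookie values, the logout response and the function names are constructed for this example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Cookies the complaint describes as identifying a subscriber or a browser.
IDENTIFYING = ("c_user", "lu", "fr", "datr", "presence")

# Constructed sample data (not captured traffic): the cookie jar while logged in,
# and a logout response shaped like paragraph 64 (c_user deleted, lu set to zero,
# locale added).
JAR_LOGGED_IN = {
    "c_user": "100000000000001",
    "datr": "constructed-browser-id",
    "fr": "constructed-fr-value",
    "lu": "constructed-last-user",
    "presence": "constructed-chat-state",
}
LOGOUT_SET_COOKIE = [
    "c_user=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; domain=.facebook.com",
    "lu=0; Max-Age=63072000; path=/; domain=.facebook.com",
    "locale=en_US; Max-Age=604800; path=/; domain=.facebook.com",
]
SAMPLE_NOW = datetime(2015, 6, 25, tzinfo=timezone.utc)  # constructed audit time


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def is_deletion(attrs, now):
    """A browser drops a cookie on Max-Age <= 0 or an Expires date in the past."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) <= now
        except (TypeError, ValueError):
            return False
    return False


def audit_logout(jar_before, set_cookie_headers, now=None):
    """Apply a logout response to the jar and classify every cookie."""
    now = now or datetime.now(timezone.utc)
    jar_after = dict(jar_before)
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if is_deletion(attrs, now):
            jar_after.pop(name, None)
        else:
            jar_after[name] = value
    report = {"deleted": [], "rewritten": [], "new": [], "unchanged_identifying": []}
    for name in sorted(set(jar_before) | set(jar_after)):
        if name not in jar_after:
            report["deleted"].append(name)
        elif name not in jar_before:
            report["new"].append(name)
        elif jar_after[name] != jar_before[name]:
            report["rewritten"].append(name)
        elif name in IDENTIFYING:
            # Same value as while logged in: still links requests to the account
            # or browser after logout.
            report["unchanged_identifying"].append(name)
    return jar_after, report


def third_party_request_headers(jar, page_url):
    """Headers a browser attaches when a page embeds a resource from the cookie's domain."""
    cookie = "; ".join(f"{name}={value}" for name, value in sorted(jar.items()))
    return {"Referer": page_url, "Cookie": cookie}


if __name__ == "__main__":
    jar_after, report = audit_logout(JAR_LOGGED_IN, LOGOUT_SET_COOKIE, SAMPLE_NOW)
    for label, names in report.items():
        print(f"{label}: {names}")
    print(third_party_request_headers(jar_after, "http://www.example.com/hand-towels"))
```
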
D. Facebook Unlawfully Tracked Logged-Out Subscribers
68. As soon as the Like button was rolled out on April 22, 2010, Facebook found it had a problem - a large number of users were logging out of their accounts prior to surfing the web. Facebook product manager Austin Haugen noted in an internal email dated October 28, 2010, “If I remember right a surprisingly high number of users click ‘Logout’ when they leave Facebook. Also less than 50% of users have a persistent session - so would suggest that most ppl aren’t logged into Facebook until they visit and explicitly log in.” See Ex. N at p. 1. A few months later, after reviewing detailed cookie data, Mr. Haugen determined that only approximately “40% of users arrive logged in.” See Ex. O at p. 4.
69. The genesis for these discussions was pressure coming directly from Facebook CEO Mark Zuckerberg. In an email dated September 21, 2010, Mr. Haugen wrote: “As context zuck is pressing us hard to get users to stay logged in.” See Ex. P at p. 2.
70. Facebook came up with an easy but unlawful interim solution: simply break Facebook’s promise to stop tracking users post-logout. This was done both by failing to delete cookies containing user IDs (such as c_user, lu and fr) and by writing new cookies to the browsers of logged out users.
71. Facebook’s deception was noticed by some investigators who alerted Facebook. The first was Chris Matyszczyk at CNET, who wrote the following in an email to Facebook spokesman Andrew Noyes on June 4, 2010, just 6 weeks after the launch of the Like button outside the Facebook domain:
Here’s the thing. While everyone has (justifiably, it seems to me)
wondered about Facebook forcing people’s data into the public domain, I
have been alerted to perhaps an even bigger privacy question with respect
to the activity feed.
It seems to me that when you visit any page that has a like button, your
browser send[s] a request back to Facebook. This means your Facebook
cookie can connect you, personally, to your web activity. . . .
Essentially, unlike DoubleClick or an ISP, it seems that you have anointed
yourselves with the power to link every Facebook member’s web activity
with their real personas. Which is a first. And, perhaps, rather scary.
Ex. R, bates numbers 7472-73. Evidently a flurry of activity within Facebook ensued, but subsequent emails have been redacted. See id., bates numbers 7469-72. In any event, Facebook continued to track users post-logout.
72. The next day, June 5, 2010, a task was created called “No Tracking Cookie For Plugins When Not Logged In.” Facebook engineering director Alex Himel commented, “Ping? We should really get this into Monday or Tuesday’s push since privacy people are complaining about it.” See Ex. S.
73. On June 7, 2010, Mr. Himel created a task with the tag “hotfix” and assigned it to engineer Chuck Rossi. The task noted:
What broke: setting cookie for logged out users viewing social widgets on
external sites.
When did it break: This has been around for a while but recent privacy
concerns along with the rapid spread of our social plugins have made this
important to address.
Why it can’t wait for the next schedule push: We are getting pinged
constantly about why we are writing a cookie when the user is not even
logged into Facebook. It makes it look like we’re trying to track all users
across the web.
See Ex. T.
74. In the following month in July 2010, Mr. Himel “pushed out a change to stop setting cookies for logged out plugin viewers” but noted in an August 19, 2010 email that changes still had not been made:
The reason for the urgency is that a month ago we pushed out a change to
stop setting cookies for logged out plugin viewers and have since been
telling privacy groups that we don’t. Since then, new cookies have been
added to the site making our statement no longer true and easy for
outsiders to verify to be false. We’d like to feet [sic] this out asap so that
we can truthfully say that we’re complying with privacy promises we’ve
made.
Ex. U.
75. After Mr. Himel’s email above, the only fix Facebook attempted was to stop writing new cookies to the browsers of logged out users. No attempt was made to delete user-identifying cookies post-logout. These include any of the user cookies (for example, a_user, c_user), the fr cookie, and the lu cookie. This distinction was explicitly noted by Mr. Himel on February 7, 2011: “To clarify, we avoid writing new cookies when the user visits a social plugin when logged out, but we do not clear cookies that are already there.” See Ex. V (emphasis added).
76. Occasionally during the class period, new cookies would be created that would be set when the user was logged out, and efforts would be made to un-set them – but never to inform the public. For example, on January 28, 2011 Alex Himel noted that “[w]e started writing cookies again when the user hits a like button while logged out.” See Ex. W. An unknown Facebook employee responded, “[s]top setting cookies in this case. Needs to be pushed out sooner rather than later because we publicly stated via legal that we do not set cookies when user is logged out.”
77. No attempt was made to correct the false statements Facebook made publicly about tracking logged-out users, and communications with partners and customers were equally misleading. The internal emails on this point are revealing. For example, on February 2, 2011, Facebook partner Hewlett Packard emailed Aimee Westbrook at Facebook to report that they might be willing to adopt the Like button. They noted, “Privacy would like the info that your team was going to provide on what information Facebook collects . . . when a Like button is enabled.” See Ex. X, pp. 2-3. Alex Himel internally crafted a response which represented the data collected from logged in users, and then for logged out users he simply said “same as above minus the user ID.” This statement was only five days before Mr. Himel noted the opposite internally: “we do not clear cookies that are already there” upon logout. See Ex. V, discussed above.
78. Two weeks later, on February 19, 2011, Facebook employee Douglas Purdy drafted a table “that attempts to capture all the information that we receive when a user visits a website using our social plugins” which only listed datr, locale and lu cookies for logged out users. See Ex. Y. Facebook engineer Matt Jones made a number of revisions and comments, and said “I think the lu is more complicated than just the encrypted UID. . . . . It would be better if we did not disclose what this cookie is / does.” Id. at 2 (emphasis added). Alex Himel concluded by saying:
I think the big question is how tightly we’re going to be held to this
statement. With the pointed out revisions below, I’d estimate this as being
90-90% [sic] accurate with a good chance of losing accuracy as teams add
new scribe logging and add new cookies.
See Ex. Y at 1.
79. At exactly the same time, three Facebook employees filed a patent application (later assigned to Facebook), facilitating the post-logout tracking of Facebook users on other domains.
80. On February 8, 2011, Kent Matthew Schoen, Gregory Luc Dingle and Timothy Kendall (Facebook’s “Director of Monetization”) filed a patent application entitled “Communicating Information in a Social Network System about Activities from Another Domain.” [4] As the first claim in the Patent Application explains, the applicants were seeking to patent:
1. A method for tracking information about the activities of users
of a social networking system while on another domain, the
method comprising: maintaining a profile for each of one or
more users of the social networking system…; receiving one or
more communications from a third-party website having a
different domain than the social network system, each message
communicating an action taken by a user of the social
networking system on the third-party website; logging the
actions taken on the third-party website in the social networking
system…; and correlating the logged actions with one or more
advertisements presented to one or more users.
Patent Application at 2.
[4] See U.S. Patent Application No. 20110231240, filed February 8, 2011 and published September 22, 2011 (the “Patent Application”) at 1.
81. The detailed description of this tracking method reveals that it enables Facebook to capture and log actions taken by Facebook users on websites other than Facebook, even when the user is not logged in:
[0054] As described above, in particular embodiments, the social
network system 100 also logs actions that a user takes on a third
party website 140. The social network system 100 may learn of the
user’s actions on the third party website via any of a number of
methods. In particular embodiment, in response to certain actions
such as, a user registering with a third-party website140, purchasing
a product from a third-party website 140, downloading a service
from a third-party website 140, or otherwise making a conversion,
the third-party website 140 transmits a conversion page, such as a
confirmation or “thank you” page to the user at the user’s client
device. In particular embodiment, this page includes an embedded
call or code segment (e.g., JavaScript) in the HTML or other
structured document code (e.g., in an HREF(Hypertext REFerence)
that, in particular embodiments, generates a tracking pixel that,
when executed by the client’s browser or other rendering
application, generates a tracking pixel or image tag that is then
transmitted to the social network system (whether the user is
logged into the social network system or not). The tracking pixel or
image tag then communicates various information to the social
network system about the user’s action on the third-party website.
By way of example, the tracking pixel or call may transmit
parameters such as the user’s ID (user ID as registered with the
social network system), a product ID, information about the thirdwebsite, timestamp information about the timing of the purchase or
other action, etc. In one example, if the third party website 140 is a
commercial website on which users may purchase items, the third
party website 140 may inform the social network system 100 in this
manner when a user of the social network system 100 buys an item
on the third party website 140.
Patent Application at 5.
82. Further, in certain circumstances, Facebook has to hack its way past data protection software to do this: Facebook deposits a cookie that deliberately and without a user’s consent bypasses security settings on the user’s browser for the purpose of gathering intelligence as to what the user does on the internet in real time, such as what sites are visited, whether purchases are made, or whether information is downloaded or a link forwarded to a friend. This information is then instantly relayed back to Facebook, substantially enhancing the value of Facebook’s vast repository of personal data. This is all done whether the Facebook user is logged onto Facebook or logged off.
83. Technically, this is how the Patent Application describes the bypass:
[0099] In one embodiment, the third party website 140 and/or the
social network system 100 determine whether the user is a user of
the social network system 100. For example, the third party
website 140 may access a cookie on the user’s computer, where the
cookie is associated with the social network system 100. Since the
social network system 100 and the third party website 140 are on
different domains, the user’s browser program may include security
features that normally prevent a website from one domain from
accessing content on other domains. To avoid this, the third party
website 140 may use nested iframes, where the third party website
140 serves a web page that includes a nested iframe in the social
network website’s domain, thereby allowing the nested iframe to
access the user information and send the information back to the
third party website 140. Repeated nesting of iframes further allows
the social networking site 100 to communicate information back to
the third party website 140. By using this technique, the third party
website 140 and the social network system 100 can communicate
about the user without sharing any of the user’s personal
information and without requiring the user to log into the social
network system 100.
Patent Application 10-11.
84. Although Facebook’s name does not appear in the Patent Application, it is listed in the U.S. Patent & Trademark Office database as assigned to Facebook. Tellingly, Mr. Kendall, Facebook’s “Director of Monetization,” is not an inventor or a computer scientist at all. According to his LinkedIn profile, Mr. Kendall’s job at Facebook is “Product Strategy & Development for Facebook’s revenue generating products.” Essentially, Mr. Kendall is charged with figuring out new and better ways to sell user information to advertisers and third-party websites.
E. Facebook Unlawfully Circumvented P3P Privacy Protections on Internet Explorer
85. During the Subclass Period, Internet Explorer 6, 7 and 8 by default blocked certain cookies from websites that did not honor a privacy system called the Platform for Privacy Preferences Project (P3P). During the Subclass Period, Facebook circumvented this privacy protection by falsely representing its privacy policy to the browser.
86. P3P is a standard format for computer-readable privacy policies, which the World Wide Web Consortium (W3C) published in 2002. The standard includes a P3P full policy format and a P3P “compact policy” (“CP”) format. The compact policy format is designed to be a shorter version of a full P3P policy that encodes in a computer-readable format only the parts of a privacy policy that relate to cookies. Use of a compact policy is optional for websites that use P3P full policies. However, according to the P3P working group, “if a web site makes compact policy statements it MUST make these statements in good faith.” [5]
87. The compact policy is designed to be transmitted in an HTTP header that also contains an HTTP cookie. It takes the form: CP = "POLICY" where POLICY is a series of three- and four-letter tokens associated with P3P policy elements as defined in the P3P 1.0 Specification. [6] Valid compact policies must have at least five of these elements. For example, the following is a valid P3P compact policy:
CP = "NOI NID ADMa OUR IND UNI COM NAV"
88. The P3P specification states “If an unrecognized token appears in a compact policy, the compact policy has the same semantics as if that token was not present.” [7] This means that web browsers should ignore any tokens that appear in a P3P compact policy that are not defined in the P3P specification.
89. Microsoft introduced support for P3P in the Internet Explorer 6 web browser in 2002; and Microsoft included functionally identical implementations of P3P in its subsequent Internet Explorer 7, 8, and 9 web browsers (hereinafter, Internet Explorer versions 6-9 are all called “IE”). By default, without users taking any action to change configuration settings, IE is set to the “Medium” privacy setting. Users can view and change their privacy settings using the IE “Internet Options” panel. The panel describes the Medium setting as follows:
- Blocks third-party cookies that do not have a compact privacy policy
- Blocks third-party cookies that use personally identifiable information without your implicit consent
- Restricts first-party cookies that use personally identifiable information without implicit consent
[5] W3C. The Platform for Privacy Preferences 1.1. http://www.w3.org/TR/P3P11/, November 2006.
[6] W3C. The Platform for Privacy Preference 1.0 (P3P1.0) Specification, W3C Recommendation 16 April 2002, http://www.w3.org/TR/P3P/.
[7] P3P1.0 at Section 4.2.
90. Microsoft documentation states, “For most users, Internet Explorer 6 default privacy settings provides enough privacy protection without disrupting the browsing process.” [8]
91. Behind the scenes, IE checks for a P3P compact policy header whenever a website sends a cookie in an HTTP response. If IE finds a third-party cookie that is not accompanied by a compact policy, IE blocks that cookie. If IE finds a first-party cookie that is not accompanied by a compact policy, it “leashes” that cookie and prevents that cookie from being transmitted in a third-party context. If IE finds an accompanying compact policy, it evaluates that compact policy, and blocks the cookie if the compact policy is found to be “unsatisfactory.” If IE finds a first-party cookie that is accompanied by a compact policy, it evaluates that compact policy and turns the cookie into a session cookie if the compact policy is found to be unsatisfactory. IE considers a cookie to be unsatisfactory if the corresponding compact policy indicates that the cookie is used to collect personally identifiable information and does not allow users a choice in its use.
92. By blocking cookies on the basis of their P3P compact policies, as described above, the IE default privacy settings allow users “to enjoy the benefits of cookies, while protecting themselves from unsatisfactory cookies.”
93. At all relevant times, IE treated the representations made in compact policies as truthful statements. The software makes no attempt to verify the accuracy of the information in a compact policy. If a website with an unsatisfactory privacy policy were to make an untruthful statement and misrepresent its policy as a satisfactory one, it could trick IE into allowing its third-party cookie to be set when it would otherwise be blocked.
94. Websites can also trick IE into allowing their third-party cookies to be set without making affirmatively false statements. Because of the way Microsoft implemented the P3P compact policy feature, websites can trick IE by simply omitting any compact policy tokens that would lead IE to classify the compact policy as unsatisfactory. In fact, an invalid compact policy that contains only a made-up word is classified by IE as satisfactory.
[8] MSDN Library. How to Create a Customized Privacy Import File. http://msdn.microsoft.com/en-us/library/ms537344. 2002.
95. On September 10, 2010, researchers at Carnegie Mellon University published a technical report titled “Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens.” See Ex. Z. This report described a research study in which the authors collected compact policies from 33,139 websites and used automated tools to check them for errors. The authors found errors in 11,176 compact policies on 4,696 domains, including 11 of the 50 most-visited websites.
96. The study reported that the most popular website to have a compact policy error was Facebook. The study reported that the Facebook compact policy at the time included only the tokens DSP and LAW, indicating that the Facebook privacy policy references a law that may determine remedies for breaches of their privacy policy and that there are ways to resolve privacy-related disputes. However, the Facebook compact policy was invalid because it did not include required tokens to disclose the categories of data associated with cookies, how they are used, who will receive the collected data, the data retention policy, and the policy on providing data access.
97. The report also stated, “When doing preliminary work for this study in 2009, the facebook.com compact policy contained only the single invalid token HONK... [T]hese CPs are useless for communicating with user agents and users. It is likely that facebook.com is using their CP to avoid being blocked by IE.”
98. On September 16, 2010, Ryan McGeehan, a Security Incident Response Manager at Facebook, emailed Dr. Lorrie Cranor, one of the authors of the report. He explained that he had seen the report and was trying to determine how to accurately represent Facebook’s privacy policy in a P3P compact policy and “still enable functionality such as the like button.”
99. On September 17, 2010, the New York Times Bits blog reported on the Carnegie Mellon study. The article included a comment from a Facebook spokesman: [9]
A Facebook spokesman said in an e-mailed statement: “We’re committed to providing
clear and transparent policies, as well as comprehensive access to those policies. We’re
looking into the paper’s findings to see what, if any, changes we can make.” Ben Maurer,
a software engineer at Facebook, said that the site used only two codes instead of five
because current compact-policy codes do not “allow a rich enough description to
accurately represent our privacy policy.” Mr. Maurer said he did not know the history of
how “HONK” made it into a compact policy.
[9] http://bits.blogs.nytimes.com/2010/09/17/a-loophole-big-enough-for-a-cookie-to-fit-through/
100.
4
CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
Shortly thereafter, Facebook changed its compact policy to reflect the truth:
101. By tricking IE with an intentionally invalid compact policy, Facebook was able to ensure that IE would improperly transmit a user-identifying Facebook cookie back to Facebook along with sensitive referrer URLs when users visited non-Facebook web sites that had Facebook like buttons or other embedded Facebook features.
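An added example, not part of the complaint or its exhibits: a Python check of a compact policy against the P3P 1.0 token vocabulary and the five required disclosures, run on the single-token policy described in paragraph 97, the replacement text quoted in paragraph 100, and one constructed well-formed policy. The function and variable names are illustrative, and accepting the consent suffix on every purpose and recipient token is a simplification.

```python
import re

# P3P 1.0 compact-policy tokens, grouped by the five disclosures a compact
# policy has to make: access, purpose, recipient, retention, data categories.
REQUIRED_GROUPS = {
    "access": {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "purpose": {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
                "IVA", "IVD", "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "categories": {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT",
                   "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV",
                   "OTC"},
}
# Valid tokens that do not belong to one of the five required groups.
OTHER_TOKENS = {"DSP", "COR", "MON", "LAW", "NID", "TST"}
# Purpose and recipient tokens may carry a consent suffix: a, i or o.
# Simplification (assumption): accepted on every token of those two groups.
SUFFIXED_GROUPS = ("purpose", "recipient")

CP_RE = re.compile(r'\bCP\s*=\s*"([^"]*)"', re.IGNORECASE)


def classify(token):
    """Return the group a token belongs to, 'other', or None if invalid."""
    if token in OTHER_TOKENS:
        return "other"
    for group, vocab in REQUIRED_GROUPS.items():
        if token in vocab:
            return group
        if (group in SUFFIXED_GROUPS and len(token) == 4
                and token[:3] in vocab and token[3] in "aio"):
            return group
    return None


def audit_compact_policy(p3p_header_value):
    """Check the CP="..." part of a P3P response header value."""
    match = CP_RE.search(p3p_header_value)
    tokens = match.group(1).split() if match else []
    invalid, groups_seen = [], set()
    for token in tokens:
        group = classify(token)
        if group is None:
            invalid.append(token)
        elif group != "other":
            groups_seen.add(group)
    missing = sorted(set(REQUIRED_GROUPS) - groups_seen)
    return {
        "tokens": tokens,
        "invalid": invalid,
        "missing_groups": missing,
        # Well-formed: at least one token, none unknown, all five groups present.
        "well_formed": bool(tokens) and not invalid and not missing,
    }


# First value: the single-token policy the study describes, written as a
# header value. Second: the text quoted in paragraph 100. Third: constructed
# for contrast, not taken from any real site.
SAMPLES = {
    "2009": 'CP="HONK"',
    "post-study": 'CP="Facebook does not have a P3P policy. '
                  'Learn why here: http://fb.me/p3p"',
    "constructed": 'CP="CAO DSP CUR ADMa OUR IND PHY ONL NAV"',
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        result = audit_compact_policy(value)
        print(label, result["well_formed"], result["invalid"],
              result["missing_groups"])
```

Neither of the first two values contains a single valid token, so a check like this rejects both.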
V. FACEBOOK’S SURREPTITIOUS TRACKING REVEALED

102. In 2010, Australian researcher and blogger Nik Cubrilovic discovered that Facebook cookies were tracking users’ Internet communications and accessing their computing devices and web browsers even after users had logged out of Facebook without the users’ knowledge or consent. Cubrilovic’s investigation revealed that several cookies that revealed personally identifiable information remained post logout, and some even remained after the browser was closed and restarted. Despite its representations to the contrary, Facebook was in fact secretly tracking its users’ Internet communications and accessing their web-browsers without their knowledge or consent after logout.
103. Mr. Cubrilovic contacted Facebook on November 14, 2010 to report his findings and ask Facebook to fix the problem. He received no response. Again on January 12, 2011, Mr. Cubrilovic wrote to Facebook alerting it to his findings. Again, Facebook refused to respond. Mr. Cubrilovic of course had no way of knowing that Facebook had always known of the problem and had been actively concealing it.
104. On September 25, 2011, Mr. Cubrilovic made his findings public. He wrote, “Even if you are logged out, Facebook still knows and can track every page you visit.” He explained that “[t]his is not what ‘logout’ is supposed to mean – Facebook is only altering the state of the cookies instead of removing all of them when a user logs out.” Mr. Cubrilovic had revealed what Facebook engineering director Alex Himel had admitted internally months earlier: “To clarify, we avoid writing new cookies when the user visits a social plugin when logged out, but we do not clear cookies that are already there.” See Ex. V (emphasis added).
105. Mr. Cubrilovic’s blog post spread globally and was picked up the next day by the Wall Street Journal, in addition to dozens of other news outlets. Facebook engineer Gregg Stefancik contacted Mr. Cubrilovic and admitted he raised “important issues.” However, Mr. Stefancik never disclosed that Facebook knew about the tracking all along. Instead, he falsely told Mr. Cubrilovic that a “bug” caused a particular user-identifying cookie, the a_user cookie, not to clear on logout, advising, “We will be fixing that today.” Facebook further admitted that the Company had not “done as good a job as we could have to explain our cookie practices. Your post presents a great opportunity for us to fix that.”
106. Mr. Stefancik also told Mr. Cubrilovic that “if you log out, [the lu] cookie does not contain your user ID” and is used to protect people using public computers. However, the lu cookie actually contained the encrypted user ID of the last user, so Mr. Stefancik’s comment was deeply misleading. It would only be true if an intervening Facebook user were to use the shared computer and then the original user returned without logging into Facebook. For anyone else, the lu cookie continued to identify logged out users, and continued to do so for some time thereafter.
107. More than a month later, on Dec. 5, 2011, Facebook employee Tom Elliott made the following posting on the internal Developer Relations page:

I’m looking into the various cookies we serve as part of an audit for Nestle and I’m surprised to see that lu (which I believe is the encrypted user ID) is still sent after the user logs out of Facebook.

This means we do (or at least could) “track” a logged out user as they browse the web, as any like button/other social plugin on a site will send the user id back to us.

I thought we removed this after the Austrian student / German politician mix up from a few months ago?

See Ex. AA.
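An added example, not part of the complaint or its exhibits: a Python audit that compares the cookies held before logout with the Set-Cookie headers of the logout response and reports which cookies are cleared, merely rewritten, or left untouched, the distinction paragraphs 104 through 107 turn on. The cookie names a_user, lu and datr come from the complaint; every value, the sess and locale cookies, the headers and the function names are constructed, and cookies are matched by name only, ignoring Domain and Path.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = header_value.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def removes_cookie(attrs, now):
    """True when the attributes tell the browser to discard the cookie.

    Max-Age takes precedence over Expires; an unparsable value is ignored.
    """
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            pass  # malformed Max-Age: fall through to Expires
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires <= now
    return False


def audit_logout(jar_before, logout_set_cookie_headers, now):
    """Classify each cookie as cleared, rewritten, untouched or new.

    jar_before maps cookie name to value as held just before logout.
    """
    status = {name: "untouched" for name in jar_before}
    for header_value in logout_set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header_value)
        if removes_cookie(attrs, now):
            status[name] = "cleared"
        elif name in jar_before:
            status[name] = "rewritten"  # state altered, cookie kept
        else:
            status[name] = "new"
    return status


def surviving_cookies(status):
    """Names the browser still holds, and still sends, after logout."""
    return sorted(n for n, state in status.items() if state != "cleared")


# Constructed sample data: not a capture of any real logout response.
NOW = datetime(2011, 9, 25, tzinfo=timezone.utc)
JAR_BEFORE = {
    "a_user": "CONSTRUCTED-USER-ID",
    "lu": "CONSTRUCTED-OPAQUE-1",
    "datr": "CONSTRUCTED-BROWSER-ID",
    "sess": "CONSTRUCTED-SESSION",
}
LOGOUT_HEADERS = [
    "sess=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/",
    "lu=CONSTRUCTED-OPAQUE-2; Expires=Tue, 24 Sep 2013 00:00:00 GMT; Path=/",
    "locale=en_US; Max-Age=604800; Path=/",
]

if __name__ == "__main__":
    result = audit_logout(JAR_BEFORE, LOGOUT_HEADERS, NOW)
    for name in sorted(result):
        print(f"{name:8} {result[name]}")
    print("still sent after logout:", surviving_cookies(result))
```

A logout that truly ends identification leaves no identifying cookie in the surviving list; in the constructed data only sess is removed.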
108. Two days after the Cubrilovic revelations, on September 28, 2011, U.S. Representatives Edward Markey[10] and Joe Barton, Co-Chairmen of the Congressional Bi-Partisan Privacy Caucus, submitted a joint letter to the Chairman of the Federal Trade Commission urging the FTC to expand its investigation of Facebook. The FTC had already commenced an investigation related to the Like button roll-out and changes to the Facebook Privacy Policy in 2010, prior to discovery of the secret and pervasive post-logout tracking. Digital privacy rights group EPIC, joined by ten other civil liberties and privacy rights groups had also filed a complaint with the FTC on May 5, 2010 seeking to restrain Facebook’s “data collection practices” among other relief, also before knowing about the post-logout tracking. See Ex. BB, Complaint in EPIC vs. Facebook Inc.
109. Congressmen Markey and Barton stated, “[I]n this instance, Facebook has admitted to collecting information about its users even after its users had logged out of Facebook.” They continued, “We believe that tracking users without their knowledge or consent raises serious privacy concerns. When users log-out of Facebook, they are under the impression that Facebook is no longer monitoring their activities. We believe this impression should be the reality.”

110. The FTC sued Facebook under Section 5 of the FTC Act for multiple counts of misrepresenting its privacy policy, alleging that Facebook engaged in deceptive trade practices. In the Matter of Facebook Inc., FTC File No. 0923184.

111. On November 29, 2011, Facebook settled, agreeing to an unprecedented 20 years of independent privacy audits. No fine was levied because a civil fine is not an available remedy absent a violation of a prior Commission order.
112. Marc Rotenberg, Executive Director of the Electronic Privacy Information Center, wrote to the FTC submitting an official comment and asking for clarification of a number of points, including whether the settlement covered Facebook’s post-logout tracking. In response, the FTC confirmed it did. The complaint “does allege that Facebook violated Section 5 of the FTC Act by falsely representing to users the protections provided by their privacy settings, [and] by making other false promises regarding privacy.” See Letter from FTC to EPIC dated July 27, 2012 at p. 3 (Ex. CC). The FTC continued, “the proposed order contains provisions . . . designed to prevent Facebook from engaging in similar practices involving any Facebook product or service. These provisions are broad enough to address misconduct beyond that expressly challenged in the complaint.” Id.

[10] Congressman Markey is now Senator Markey.

VI. PLAINTIFF-SPECIFIC FACTUAL ALLEGATIONS
113. Plaintiff Davis is an adult domiciled in Illinois and has an active Facebook account and had an active account during the entire proposed Class period.

114. She accessed the Internet and sent and received communications on several computing devices, including one that was not a shared computer that used Internet Explorer.

115. Using these same computers on which Facebook installed tracking and session cookies, Mrs. Davis visited websites after logging-out of her Facebook account which Facebook tracked, intercepted, and, in relation to which, Facebook accessed her computing device and web-browser. URLs for many of these websites contain detailed file paths containing the content of GET and POST communications, and are available to show the Court in camera if needed.
116. Plaintiff Quinn is an adult domiciled in Hawaii and has an active Facebook account and had an active account during the entire proposed Class period.

117. She accessed the Internet and sent and received communications on a computer that was not a shared computer that used Internet Explorer.

118. Using this same computer on which Facebook installed tracking and session cookies, Prof. Quinn visited websites after logging-out of her Facebook account which Facebook tracked, intercepted, and, in relation to which, Facebook accessed her computing device and web-browser. URLs for many of these websites contain detailed file paths containing the content of GET and POST communications, and are available to show the Court in camera if needed.
119. Plaintiff Lentz is an adult domiciled in North Carolina and has an active Facebook account and had an active account during the entire proposed Class period.

120. He accessed the Internet and sent and received communications on a computer shared with his wife that used Internet Explorer.

121. Using this same computer on which Facebook installed tracking and session cookies, Dr. Lentz visited websites after logging-out of his Facebook account which Facebook tracked, intercepted, and, in relation to which, Facebook accessed his computing device and web-browser. Dr. Lentz visited these websites immediately after logging out and prior to his wife using his computer. URLs for many of these websites contain detailed file paths containing the content of GET and POST communications, and are available to show the Court in camera if needed.
122. Plaintiff Vickery is an adult domiciled in Washington State and has an active Facebook account and had an active account during the entire proposed Class period.

123. He accessed the Internet and sent and received communications on a computer that was not a shared computer that used Google Chrome.

124. Using these same computers on which Facebook installed tracking and session cookies, Mr. Vickery visited websites after logging-out of his Facebook account which Facebook tracked, intercepted, and, in relation to which, Facebook accessed his computing device and web-browser. URLs for many of these websites contain detailed file paths containing the content of GET and POST communications, and are available to show the Court in camera if needed.
125. None of these four plaintiffs consented to the tracking and interception of their logged-off communications. Nor did they consent to Facebook’s access to their computing devices and web-browsers while logged-off Facebook.

126. None of these four plaintiffs changed the default cookie blocking settings on their browsers during the Class Period.

127. None of these four plaintiffs installed extensions or plug-ins that disable or modify referrer headers sent to Facebook when visiting websites with embedded Facebook functionality.

128. Discovery is still ongoing, and despite Plaintiffs’ document requests, Facebook has not yet produced any documents related to these plaintiffs. The parties have discussed this omission and Plaintiffs will continue to press for production.
VII. VALUE OF INTERCEPTED REFERRER URLS

129. Facebook is the brainchild of the Company’s founder and Chief Executive Officer, Mark Zuckerberg, who wrote the first version of “The Facebook” in his Harvard University dorm room and launched the Company in 2004. The key to Facebook’s success was to convince people to create unique, individualized profiles with such personal information as employment history and political and religious affiliations, which then could be shared among their own network of family and friends.

130. Facebook has become the largest social networking site in the world, approaching 1.5 billion members. At the end of the proposed Class Period, Facebook had over 800 million users world-wide and over 150 million users in the United States.
131. Facebook’s enormous financial success is the result of connecting advertisers with its huge repository of personal data related to users. As Facebook explained in its Registration Statement following the end of the Class Period, “Advertisers can engage with more than 900 million monthly active users (MAUs) on Facebook or subsets of our users based on information they have chosen to share with us such as their age, location, gender, or interests. We offer advertisers a unique combination of reach, relevance, social context, and engagement to enhance the value of their ads.” See Amendment No. 5 to Form S-1 Registration Statement, filed by Facebook, Inc. with the United States Securities and Exchange Commission on May 3, 2012 (the “Registration Statement”) at 1.

132. From 2009 to 2012, over 90% of Facebook’s revenue was attributable to third party advertising (see Registration Statement at 13), and now that Facebook is a public company, it is even more driven to continue to find new and creative ways to leverage its access to users’ data in order to sustain its phenomenal growth (see, e.g., Registration Statement at 88-91, 99-100).
133. Although Facebook does not require its members to pay a monetary subscription fee, membership is not free, despite Facebook’s false guarantee to the contrary. Facebook charges users by acquiring the users’ sensitive and valuable personal information, which includes far more than mere demographic information and volunteering personal information like name, birth date, gender and email address. More importantly, Facebook use entails Facebook’s planting of numerous Facebook small text files, called cookies, on the user’s computer and web-browser, which allows Facebook to track users’ browsing histories and correlate them with user IDs – but – Facebook promised - only when users are logged in to Facebook.

134. The information Facebook tracks has and had massive economic value during the Class Period. This value is well understood in the e-commerce industry, and personal information is now viewed as a form of currency.

135. Professor Paul M. Schwartz noted in the Harvard Law Review:

Personal information is an important currency in the new millennium. The monetary value of personal data is large and still growing, and corporate America is moving quickly to profit from the trend. Companies view this information as a corporate asset and have invested heavily in software that facilitates the collection of consumer information.

Paul M. Schwartz, Property, Privacy and Personal Data, 117 HARV. L. REV. 2055, 2056-57 (2004). Professor Schwartz wrote those words in the same year Facebook was launched.
136. Likewise, in the Wall Street Journal, former fellow at the Open Society Institute (and current principal technologist at the ACLU) Christopher Soghoian noted:

The dirty secret of the Web is that the “free” content and services that consumers enjoy come with a hidden price: their own private data. Many of the major online advertising companies are not interested in the data that we knowingly and willingly share. Instead, these parasitic firms covertly track our web-browsing activities, search behavior and geolocation information. Once collected, this mountain of data is analyzed to build digital dossiers on millions of consumers, in some cases identifying us by name, gender, age as well as the medical conditions and political issues we have researched online.

Although we now regularly trade our most private information for access to social-networking sites and free content, the terms of this exchange were never clearly communicated to consumers.

Julia Angwin, How Much Should People Worry About the Loss of Online Privacy?, THE WALL STREET JOURNAL (Nov. 15, 2011).
137. The cash value of users’ personal information provided during the Class Period to Facebook as a condition of membership can be quantified. For example, in a study authored by Tim Morey researchers studied the value that 180 internet users placed on keeping personal data secure.[11] Contact information of the sort that Facebook requires was valued by the study participants at approximately $4.20 per year. Demographic information was valued at approximately $3.00 per year. But web browsing histories were valued at a much higher rate: $52.00 per year. The chart below summarizes the findings:

Across Facebook’s approximately 800 million users at the end of the Class Period, these figures imply aggregate annual membership fees of $3.36 billion, $2.4 billion, and $41.6 billion, respectively, for each category of information.
138. Similarly, the value of user-correlated internet browsing history can be quantified, because companies were willing during the Class Period to pay users for the exact type of data that Facebook illegally intercepted from Plaintiffs and other members of the Class.

[11] (“What’s Your Personal Data Worth?” http://designmind.frogdesign.com/blog/what039s-yourpersonal-data-worth.html, Jan. 18, 2011).
139. For example, Google Inc. had a panel during the Class Period (and still has one today) called “Google Screenwise Trends” which, according to the Internet giant, is designed “to learn more about how everyday people use the Internet.”

140. Upon becoming a panelist, Internet users would add a browser extension that shares with Google the sites that users visit and how the panelist uses them. The panelists consented to Google tracking this information for three months in exchange for one of a number of “gifts,” including gift cards to retailers such as Barnes & Noble, Walmart and Overstock.com.

141. After three months, Google also agreed to pay panelists additional gift cards “for staying with” the panel. These gift cards, mostly valued at exactly $5, demonstrated conclusively that internet industry participants understood the enormous value in internet users’ browsing habits. Indeed, Facebook’s advertising revenues for 2011 roughly approximate $5 per user over its international user base of 800 million members, demonstrating the value of the information harvested by Facebook. Today, Google now pays Screenwise panelists up to $3 per week to be tracked.
142. In addition to the monetary value of user-correlated URLs, they have non-monetary privacy value. For example, in a recent study by the Pew Research Center, 93 percent of Americans said it was important for them to be “in control of who can get information” about them. Seventy-four percent said it was “very important.” 87 percent of Americans said it was important for them not to have someone watch or listen to them without their permission. Sixty-seven percent said it was “very important.” And 90 percent of Americans said it was important that they be able to “control[] what information is collected about [them].” Sixty-five percent said it was very important.

143. Likewise, in a 2011 Harris Poll study, 76 percent of Americans agreed that “online companies, such as Google or Facebook, control too much of our personal information and know too much about our browsing habits.” 65 percent of American Facebook users said they were very or somewhat concerned about invasions of privacy “when using Facebook.”
VIII. STATUTE OF LIMITATIONS

144. The following claims were brought on a class basis within days of the public reports of post-logout tracking, and the statutes of limitations are thus tolled: Violation of Federal Wiretap Act; Violation of the Stored Communications Act; Violation of CIPA § 631; Invasion of Privacy; Intrusion Upon Seclusion; Trespass to Chattels; and the California Computer Crime Law.

145. The following claims are new in this Second Amended Complaint but relate to the identical “conduct, transaction or occurrence” set out in the First Amended Complaint and thus relate back to the date of filing of the First Amended Complaint: CIPA § 632; Breach of Contract; Breach of the Duty of Good Faith and Fair Dealing; Civil Fraud; and California Statutory Larceny. All relevant statutes of limitations have therefore also been tolled.
IX. STATUS OF RELATED LITIGATION

A. Austria: Schrems v. Facebook Ireland Limited

146. On August 1, 2014, Austrian Facebook user Maximilian Schrems filed a class action against Facebook’s European subsidiary alleging a number of privacy violations. An English-language version of the original complaint as provided by Mr. Schrems is attached as Ex. DD.

147. Section II.F (paragraphs 100 through 112) relates to the claims in this Action regarding data collection via Facebook social plug-ins including Like-buttons.

148. Section IV.A (paragraphs 180 through 194) sets forth claims for damages under California law.

149. The Austrian action asserts 22 counts (numbered 1 through 21 plus claim 4.1) in the prayer for relief. Claims 7, 8 and 9 relate to consent generally, and claim 10 relates to social plug-ins (including the Like button) specifically.

150. The Austrian action, were it to proceed as a class action, is limited to Facebook users in Europe. Facebook users in the United States are specifically excluded from the proposed class definition.
151. On June 30, 2015, the Austrian regional court in Vienna (the “Landesgericht”) dismissed the case for lack of jurisdiction, without addressing the merits.

152. On October 19, 2015, the Court of Appeals (the “Oberlandesgericht”) reversed as to 20 of the 22 counts – agreeing with Facebook only as to the question of whether the case could proceed as a class action under Austrian law.

153. Mr. Schrems and Facebook both appealed to the Austrian Supreme Court (the “Oberster Gerichtshof”) and on November 23, 2015, it was announced that the Supreme Court would hear the case.
B. Belgium: Commission for the Protection of Privacy v. Facebook

154. In January 2015, the Belgian Commission for the Protection of Privacy (“Privacy Commission”), following queries from Facebook users, media, and Parliament, launched an investigation of Facebook’s privacy practices including the gathering of personal data and internet browsing history via the Like button.

155. On April 29, 2015, the Privacy Commission held a hearing and invited Facebook representatives as well as academic technical experts. At the hearing, the technical expert presented a draft report of their findings regarding Facebook social plug-ins. An updated English-language copy of the technical report dated June 24, 2015 is attached as Ex. L.

156. On May 13, 2015, the Privacy Commission issued Recommendation no. 04/2015, and found that Facebook tracks non-users’ Internet browsing (or users’ browsing post-logout) in violation of Belgian privacy law via the Like button, and recommended remedial action. The Privacy Commission sought an order from the Court of First Instance in Brussels via a writ of summons on June 10, 2015.

157. On November 9, 2015, the Court of First Instance granted the requested order, finding that non-consensual tracking of Internet browsing violates Belgian privacy law irrespective of how or whether Facebook uses the tracked data. The Court has not yet made an English-language version available, but the Privacy Commission summarized the order in English in an official summary on November 10, 2015, attached as Ex. EE.
158. The court ordered Facebook to stop tracking Internet users via the datr cookie and other means, and imposed a €250,000 fine for each day that Facebook fails to comply. The Court found that even anonymous tracking of users can violate European privacy laws, and also found the matter to be “urgent”:

because claims that relate to fundamental rights and freedoms (such as the protection of privacy) are always urgent, and because this claim does not relate to the fundamental right of one single individual but of an enormous group of people. Because of the millions of websites with Facebook social plug-ins, it is almost unavoidable to escape from these. In addition, it may relate to very sensitive data revealing, for instance, health or religious, sexual or political preference.

Summary of Court Order by the Privacy Commission, Ex. EE, section 2.
159. Facebook took issue with the Privacy Commission’s use of the word “tracking,” arguing instead to use the phrase “standard web impressions,” and Facebook also argued that the tracking cookies (in particular the datr cookie) were necessary for security. The court rejected these arguments:

With respect to the security argument invoked by Facebook, the Court finds it not credible that collecting the datr cookie each time a social plugin is loaded on a website, would be necessary for the security of Facebook’s services. According to the Court, “even an ‘internet illiterate’ understands that systematically collecting the datr cookie as such is insufficient to counter the attacks referred to by Facebook because criminals can very easily circumvent this cookie from being installed by means of software which blocks cookies being installed.

Id., section 4.
160. Facebook has stated that it “will appeal this decision” and is negotiating a resolution with the Belgian government while it awaits the official English translation of the order.
C. California: Ung v. Facebook, Inc.

161. In 2012, three California Facebook users filed a state-court class action in Superior Court in Santa Clara County. Ung v. Facebook, Inc., Case No. 1-12-cv-217244. Plaintiffs asserted various claims for invasion of privacy under California law related to Facebook’s tracking of internet browsing via the Like button.

162. On July 2, 2012, the Superior Court denied in part and granted in part Facebook’s demurrer. See Order of July 2, 2012 (“Ung Order”), attached as Ex. HH. Specifically, the court rejected Facebook’s arguments regarding standing, and also found a fundamental privacy interest in users’ internet browsing histories:

Even tracking a portion of a person’s browsing history, which would include visits to a large number of sites given that Facebook’s cookies exist on millions of websites, can paint a comprehensive picture of a person’s life. For example, repeated visits to certain websites could show a person has a particular disease, or religious affiliation, or is contemplating having an abortion.

Ung Order at 2-3.
163. The Superior Court also rejected Facebook’s arguments regarding consent, and rejected Facebook’s arguments regarding ordinary business practice. As to the latter argument, the Court noted that Facebook might be correct “as to the use of cookies on a single website,” but:

Facebook’s alleged conduct goes far beyond that. Facebook is alleged to have used cookies to track large portions of people’s browsing histories across numerous other websites so that a profile of each person can be put together . . . the Court finds that Facebook’s alleged conduct constitutes a serious invasion of a privacy interest.

Id. at 4.

164. The Ung class action asserts claims only on behalf of California residents and thus only overlaps with the current Action for those class members who reside in California. Following the Ung Order, the court stayed the case pending a resolution of this Action.
D. Ireland: Schrems v. Irish Data Protection Commissioner

165. In 2013, following Edward Snowden’s revelations of the NSA’s bulk data collection programs, five complaints were filed in Europe to prevent the transfer of personal data from the European Economic Area (plus Switzerland, or “EEA/CH” for short). Complaints against Apple and Facebook were filed in Ireland, against Microsoft and Skype in Luxembourg, and against Yahoo in Germany.

166. The complaint against Facebook was made with the Irish Data Protection Commissioner (the “DPC”) on June 25, 2013. The complaint alleged that Facebook’s European subsidiary transferred protected “personal data” of EEA/CH citizens to Facebook, Inc. (“Facebook-US”) in violation of data protection laws because Facebook-US could not guarantee the data would be protected from bulk surveillance by the NSA. The data includes but is not limited to Internet browsing history transferred to Facebook via Like-button functionality.

167. The DPC refused to investigate. Under an agreement with the United States in 2000 (the “Safe Harbor”), if a US company self-certifies that it complies with EU data protection laws, the transfer of personal data to the US would be lawful. Facebook self-certifies compliance with EU data protection laws, see, e.g., Privacy Policy dated April 22, 2010, section 1, attached as Ex. E, and thus the DPC found the complaint “frivolous.” The DPC also found no evidence that the plaintiff’s personal data specifically had been compromised.
168. The DPC’s refusal to act was appealed to the Irish High Court, which ruled on June 18, 2014 that the data in question is “personal data” and the transfer would only be lawful if the Safe Harbor program was still valid. In light of the 2013 Snowden revelations, the Irish Court referred the matter to the European Court of Justice (the “ECJ”), the highest court in Europe. See Ex. FF, attached.

169. In the referral order of June 18, 2014, the High Court explicitly found that the plaintiff had standing to bring his complaint. The court noted:

It is irrelevant that Mr. Schrems cannot show that his own personal data was accessed in this fashion by the NSA, since what matters is the essential inviolability of the personal data itself. The essence of that right would be compromised if the data subject had reason to believe that it could be routinely accessed by security authorities on a mass and undifferentiated basis.

Id., ¶ 75.
170. On October 6, 2015, in a landmark opinion, the ECJ invalidated the Safe Harbor. See Ex. GG. The ECJ noted that the processing of personal data is “liable to infringe fundamental freedoms.” Id. ¶ 38. The court also held:

To establish the existence of an interference with the fundamental right to respect for private life, it does not matter whether the information in question relating to public life is sensitive or whether the persons concerned have suffered any adverse consequences on account of that interference.

Id. ¶ 87.

171. Following the ECJ’s ruling invalidating the Safe Harbor, the Irish High Court held further hearings on October 20, 2015, and immediately ordered that the DPC “is obligated now to investigate the complaint” against Facebook.
X. CLASS ACTION ALLEGATIONS

172. This is a class action pursuant to Rules 23(a) and (b)(3) of the Federal Rules of Civil Procedure on behalf of a Class of all persons who had active Facebook accounts and used Facebook between April 22, 2010 and September 26, 2011, both dates inclusive, and whose Internet use was tracked at times not logged into their Facebook accounts. Plaintiffs Quinn, Davis and Lentz also bring claims on behalf of a Subclass of Facebook subscribers who used Internet Explorer between April 22, 2010 and September 17, 2010, and whose Internet use was tracked while not logged into their Facebook accounts.

173. Excluded from the Class and the Subclass are the Court, Facebook, and its officers, directors, employees, affiliates, legal representatives, predecessors, successors and assigns, and any entity in which any of them have a controlling interest.

174. The members of the Class and Subclass are so numerous that joinder of all members is impracticable.
175.
Common questions of law and fact exist as to all members of the Class and
Subclass and predominate over any questions affecting solely individual members of the Class.
40
5:12-MD-02314-EJD
SECOND AMENDED CONSOLIDATED
CLASS ACTION COMPLAINT
1
The questions of law and fact common to the Class and Subclass include whether Facebook
2
violated state and federal laws by tracking Internet use and intercepting the communication of its
3
users after the users had logged off of Facebook. Additional questions of fact and law are
4
common to the Subclass related to Facebook’s circumvention of default privacy protections on
5
Internet Explorer during the Subclass Period.
176. Plaintiffs’ claims are typical of the claims of other Class and Subclass members, as
all members of the Class and Subclass were similarly affected by Facebook’s wrongful conduct in
violation of federal law as complained of herein.
177. Plaintiffs will fairly and adequately protect the interests of the members of the
Class and Subclass and have retained counsel that is competent and experienced in class action
litigation. Plaintiffs have no interest that is in conflict with, or otherwise antagonistic to the
interests of the other Class or Subclass members.
178. A class action is superior to all other available methods for the fair and efficient
adjudication of this controversy since joinder of all members is impracticable. Furthermore, as
the damages individual Class and Subclass members have suffered may be relatively small, the
expense and burden of individual litigation make it impossible for members of the Class and
Subclass to individually redress the wrongs done to them. There will be no difficulty in
management of this action as a class action.
XI. COUNTS
COUNT I
VIOLATION OF THE FEDERAL WIRETAP ACT, 18 U.S.C. § 2510, ET. SEQ.
179. Plaintiffs hereby incorporate all other paragraphs as if fully stated herein.
180. The Federal Wiretap Act, as amended by the Electronic Communications Privacy
Act of 1986, prohibits the intentional interception of the contents of any wire, oral, or electronic
communication through the use of a device. 18 U.S.C. § 2511.
181. The Wiretap Act protects both the sending and receipt of communications.
182. 18 U.S.C. § 2520(a) provides a private right of action to any person whose wire,
oral or electronic communication is intercepted.
183. Facebook’s actions in intercepting and tracking user communications while they
were logged-off of Facebook were intentional as shown by the internal company emails detailed
above.
184. Facebook’s interception of Internet communications that the Plaintiffs were
sending and receiving while logged-off Facebook (i.e., the referrer URLs) was done
contemporaneously with the Plaintiffs’ sending and receipt of those communications. In fact,
Facebook received the communications before the communication between the plaintiffs and the
various websites were completed.
185. The referrer URLs intercepted by Facebook included “contents” of electronic
communications made from the plaintiffs to websites other than Facebook in the form of detailed
URL requests and search queries which plaintiffs sent to those websites and for which plaintiffs
received communications in return from those websites.
186. The transmission of data between plaintiffs and the websites on which Facebook
tracked and intercepted their communications without authorization while they were logged-off
were “transfer[s] of signs, signals, writing, … data, [and] intelligence of [some] nature
transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic, or photooptical
system that affects interstate commerce[,]” and were therefore “electronic communications”
within the meaning of 18 U.S.C. § 2510(12).
187. The following constitute “devices” within the meaning of 18 U.S.C. § 2510(5):
a. The cookies Facebook used to track the Plaintiffs’ communications while
they were logged-off of Facebook;
b. The Plaintiffs’ browsers;
c. The Plaintiffs’ computing devices;
d. Facebook’s web servers;
e. The web-servers of websites from which Facebook tracked and intercepted
the Plaintiffs’ communications while they were logged-off of Facebook;
and
f. The computer code deployed by Facebook to effectuate its tracking and
interception of the Plaintiffs’ communications while logged-off of
Facebook;
g. The plan Facebook carried out to effectuate its tracking and interception of
the Plaintiffs’ communications while logged-off of Facebook
188. Facebook was not an authorized party to the communication because the Plaintiffs
were unaware of Facebook’s redirecting of the referrer URLs to Facebook itself, did not
knowingly send any communication to Facebook, and were logged-off of Facebook when
Facebook intercepted the communications between the Plaintiffs and websites other than
Facebook. Facebook could not manufacture its own status as a party to the Plaintiffs’
communications with others by surreptitiously redirecting or intercepting those communications.
189. As illustrated herein, “the” communications between the Plaintiffs and websites
were simultaneous to, but separate from, the channel through which Facebook acquired the
contents of those communications.
190. The Plaintiffs did not consent to Facebook’s continued gathering of user IDs post-logout,
and thus never consented to Facebook’s interception of the referrer URLs to track or
intercept their communications while they were logged-off of Facebook. Facebook explicitly
promised Plaintiffs and the public that it would not track and intercept their communications to
and from other websites while they were logged-off of Facebook except on an anonymous basis.
Because the referrer URLs were intercepted with user-specific and user-identifying cookies
included, no valid consent can exist.
191. After intercepting the communications, Facebook then used the contents of the
communications knowing or having reason to know that such information was obtained through
the interception of electronic communications in violation of 18 U.S.C. § 2511(1)(a).
192. As a result of the above actions and pursuant to 18 U.S.C. § 2520, the Court may
assess statutory damages to Plaintiffs; injunctive and declaratory relief; punitive damages in an
amount to be determined by a jury, but sufficient to prevent the same or similar conduct by
Defendant in the future, and a reasonable attorney’s fee and other litigation costs reasonably
incurred.
COUNT II
VIOLATION OF THE STORED COMMUNICATIONS ACT, 18 U.S.C. § 2701, ET. SEQ.
193. Plaintiffs hereby incorporate all other paragraphs as if fully stated herein.
194. The Stored Communications Act (“SCA”) provides a cause of action against a
person who “intentionally accesses without authorization a facility through which an electronic
communication service is provided” or “who intentionally exceeds an authorization to access that
facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic
communication while it is in electronic storage in such a system.” 18 U.S.C. § 2701(a).
195. The SCA defines an “electronic communication service” as “any services which
provides to users thereof the ability to send or receive wire or electronic communications.” 18
U.S.C. § 2510(15).
196. Internet Service Providers provide a service – to allow users to send and receive
electronic communications on the Internet. Accordingly, ISPs qualify as ECSs under the SCA.
Each of the four plaintiffs used an ISP to communicate with first-party websites.
197. The web browsers used by the plaintiffs also qualify as ECSs because they allow
users to send and receive electronic communications over the Internet. Each web browser
provider requires users to agree to a Terms of Service or licensing agreement. Google has
explained that a web browser is where Internet users “search, chat, email, and collaborate,” and,
“in our spare time, we shop, bank, read news, and keep in touch with friends – all using a
browser.”
198. The SCA does not provide a separate definition for “facility” but instead it is
defined within the context of the sentence in which it is used. A “facility” under the SCA is,
under the plain language of the statute, that “through which an electronic communication service
is provided.” 18 U.S.C. § 2701(a).
199. The items through which the electronic communication services of the Plaintiffs’
ISPs and web-browsers include:
a. The Plaintiffs’ personal computing devices;
b. The Plaintiffs’ web-browsers; and
c. The browser-managed files which, together, constitute all of the programs
contained within the Plaintiffs’ web-browsers.
200. Facebook intentionally accessed the Plaintiffs’ personal computing devices,
web-browsers, and browser-managed files while the Plaintiffs were logged-off of Facebook.
201. The Plaintiffs did not authorize Facebook to track their communications and
access their personal computers, web-browsers, and browser-managed files while they were
logged-off of Facebook if such communications (the referrer URLs) were coupled with
user-identifying cookies.
202. The detailed URLs obtained by Facebook contain contents.
203. The SCA defines “electronic storage” as “any temporary, intermediate storage of a
wire or electronic communication incidental to the electronic transmission thereof;” and “any
storage of such communication by an electronic communication service for purposes of backup
protection of such communication.” 18 U.S.C. § 2510(17).
204. Web browsers store cookie information and referrer URLs in browser-managed
files that are temporary, intermediate and incidental to the electronic transmission of electronic
communications.
205. Web-browsers store cookie information and referrer URLs for purposes of back-up
protection.
206. Web-browsers store a copy of the Plaintiffs’ URL requests in the toolbar while the
user remains present at a particular webpage. When the user leaves the webpage, the copy of the
detailed URL request is no longer present on the toolbar. Storage in the toolbar after the user hits
the Enter button or clicks on a link is “incidental to the electronic communication thereof”
because once a user hits Enter or clicks on a link, the communication is in the process of being
sent and received between the user and the first-party website.
207. Web-browsers also immediately store a copy of users’ detailed URL requests in
their browsing history. The precise length of time that each web-browser keeps copies of users’
URL requests varies. For example, Google Chrome stores browsing history for approximately 90
days while Microsoft Internet Explorer only stores the browsing history for three weeks. Storage
via browsing history qualifies as “temporary storage” because it exists in browsing history for
“purposes of backup protection” to benefit the users of the web-browsing service.
208. Plaintiffs and Class Members were harmed by Facebook’s actions, and pursuant to
18 U.S.C. § 2707(c), are entitled to actual damages including profits earned by Facebook
attributable to the violations or statutory minimum damages of $1,000 per plaintiff, punitive
damages, costs, and reasonable attorney’s fees.
COUNT III
VIOLATION OF THE CALIFORNIA INVASION OF PRIVACY ACT
CALIFORNIA CRIMINAL CODE §§ 631 AND 632
209. Plaintiffs hereby incorporate all other paragraphs as if fully stated herein.
210. The California Invasion of Privacy Act is codified at Cal. Penal Code §§ 630 to
638. The Act begins with its statement of purpose:

The Legislature hereby declares that advances in science and
technology have led to the development of new devices and
techniques for the purpose of eavesdropping upon private
communications and that the invasion of privacy resulting from the
continual and increasing use of such devices and techniques has
created a serious threat to the free exercise of personal liberties and
cannot be tolerated in a free and civilized society.

Cal. Penal Code § 630.
211. Cal. Penal Code § 631(a) provides, in pertinent part:

Any person who, by means of any machine, instrument, or
contrivance, or in any other manner ….willfully and without the
consent of all parties to the communication, or in any unauthorized
manner, reads, or attempts to read, or to learn the contents or
meaning of any message, report, or communication while the same
is in transit or passing over any wire, line, or cable, or is being sent
from, or received at any place within this state; or who uses, or
attempts to use, in any manner, or for any purpose, or to
communicate in any way, any information so obtained, or who
aids, agrees with, employs, or conspires with any person or persons
to lawfully do, or permit, or cause to be done any of the acts or
things mentioned above in this section, is punishable by a fine not
exceeding two thousand five hundred dollars …

212. California Penal Code § 632 provides, in pertinent part:

Every person who, intentionally and without the consent of all
parties to a confidential communication, by means of any
electronic amplifying or recording device, eavesdrops upon or
records the confidential communication, whether the
communication is carried on among the parties in the presence of
one another or by means of a telegraph, telephone, or other device,
except a radio, shall be punished by a fine not exceeding two
thousand five hundred dollars.
213. Under either section of the CIPA, a defendant must show it had the consent of all
parties to a communication.
214. Facebook is headquartered in California; designed and contrived and effectuated
its scheme to track its users while logged-off from California; and has adopted California
substantive law to govern its relationship with its users.
215. At all relevant times, Facebook’s tracking and interceptions of the Plaintiffs’
Internet communications while logged-off of Facebook was without authorization and consent
from the Plaintiffs.
216. Facebook’s non-consensual tracking of logged-out users’ Internet browsing was
designed to attempt to learn at least some meaning of the content in the URLs.
217. The following items constitute “machine[s], instrument[s], or contrivance[s]”
under the CIPA, and even if they do not, Facebook’s deliberate and admittedly purposeful scheme
that facilitated its interceptions falls under the broad statutory catch-all category of “any other
manner”:
a. The cookies Facebook used to track the Plaintiffs’ communications while
they were logged-off of Facebook;
b. The Plaintiffs’ browsers;
c. The Plaintiffs’ computing devices;
d. Facebook’s web servers;
e. The web-servers of websites from which Facebook tracked and intercepted
the Plaintiffs’ communications while they were logged-off of Facebook;
and
f. The computer code Facebook deployed to effect its tracking and
interception of the Plaintiffs’ communications while Plaintiffs were
logged-off of Facebook;
g. The plan Facebook carried out to achieve its tracking and interception of the
Plaintiffs’ communications while they were logged-off of Facebook
218. Plaintiffs and Class Members have suffered loss by reason of these violations,
including, but not limited to, violation of their rights to privacy and loss of value in their
personally-identifiable information.
219. Pursuant to Cal. Pen. Code § 637.2, Plaintiffs and the Class have been injured by
the violations of Cal. Pen. Code §§ 631 and 632, and each seek damages for the greater of $5,000
or three times the amount of actual damages, as well as injunctive relief.
COUNT IV
INVASION OF PRIVACY
220. Plaintiffs hereby incorporate all other paragraphs as if fully stated herein.
221. Article I, section 1 of the California Constitution provides: “All people are by
nature free and independent and have inalienable rights. Among these are enjoying and defending
life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety,
happiness, and privacy.” The phrase “and privacy” was added by the “Privacy Initiative” adopted
by California voters in 1972.
222. The right to privacy in California’s constitution creates a right of action against
private as well as government entities.
223. The principal purpose of this constitutional right was to protect against
unnecessary information gathering, use and dissemination by public and private entities,
[including] computer stored and generated dossiers and cradle-to-grave profiles on every
American.
224. To plead a California constitutional privacy claim, a plaintiff must show an
invasion of (1) a legally protected privacy interest; (2) where the plaintiff had a reasonable
expectation of privacy in the circumstances; and (3) conduct by the defendant constituting a
serious invasion of privacy.
225. As described herein, Facebook has intruded upon the following legally protected
privacy interests:
a. A Fourth Amendment right to privacy contained on personal computing
devices, including web-browsing history, as explained by the United States
Supreme Court in the unanimous decision of Riley v. California;
b. The federal and California Wiretap Acts as alleged herein;
c. The Stored Communications Act as alleged herein;
d. The California Computer Crime Law, Cal Pen. Code § 502, which applies
to all plaintiffs in this case by virtue of Facebook’s choice of California law
to govern its relationship with Facebook users;
e. Cal. Penal Code § 484(a) which prohibits the knowing theft or
defrauding of property “by any false or fraudulent representation or
pretense[.]”
f. The Facebook Statement of Rights and Responsibilities; Data Use Policy,
Privacy Policy, and other public promises Facebook made not to track or
intercept the Plaintiffs’ communications or access their computing devices
and web-browsers while logged-off of Facebook.
g. The Pen Register Act, codified in 18 U.S.C. § 3121, which prohibits the
non-consensual installation or use of a “pen register” or “trap and trace”
device. Under the statute, a “pen register” is “a device or process which
records or decodes dialing, routing, addressing, or signaling (DRAS)
information transmitted by an instrument or facility from which a wire or
electronic communication is transmitted, provided, however, that such
information shall not include the contents of any communication.” The
cookies and URLs at issue in this case contain both “content” and DRAS
information and therefore fall under both the Wiretap and Pen Register
Acts. Similarly, a “trap and trace device” is a “device or process which
captures the incoming electronic or other impulses which identify the
originating number or other DRAS information reasonably likely to
identify the source of a wire or electronic communication.” The cookies at
issue in this case also work as “trap and trace” devices because, in addition
to capturing content, they also capture impulses identifying the originating
number of other DRAS information of communications. The Pen Register
Act creates a statutorily protected privacy interest in an Internet user’s IP
address.
226. Plaintiffs had a reasonable expectation of privacy in the circumstances in that:
a. Plaintiffs could not reasonably expect Facebook would commit acts in
violation of federal and state civil and criminal laws;
b. Facebook affirmatively promised users it would not track their
communications or access their computing devices or web-browsers while
they were logged-off of Facebook.
227. Facebook’s actions constituted a serious invasion of privacy in that they:
a. Invaded a zone of privacy protected by the Fourth Amendment, namely the
right to privacy in data contained on personal computing devices, including
web search and browsing histories;
b. Violated several federal criminal laws, including the Wiretap Act, Stored
Communications Act, and Pen Register Act;
c. Violated dozens of state criminal laws;
d. Invaded the privacy rights of hundreds of millions of Americans without
their consent;
e. Constituted the unauthorized taking of valuable information from hundreds
of millions of Americans through deceit;
f. Took actions constituting exactly what the drafters of the Privacy Initiative
sought to stop, namely the collection and stockpiling by a business of
unnecessary information without consent, and the misuse of information
gathered for one purpose in order to serve other purposes.
228. Committing criminal acts against hundreds of millions of Americans constitutes an
egregious breach of social norms.
229. The surreptitious and unauthorized tracking of the internet communications of
millions of Americans constitutes an egregious breach of social norms.
230. Facebook lacked a legitimate business interest in tracking users while they were
logged-off of Facebook without their consent.
231. Plaintiffs have been damaged by Facebook’s invasion of their privacy and are
entitled to just compensation.
COUNT V
INTRUSION UPON SECLUSION
232. Plaintiffs hereby incorporate all other paragraphs as if fully stated herein.
233. Plaintiffs asserting claims for intrusion upon seclusion must plead (1) intrusion
into a private place, conversation, or matter; (2) in a manner highly offensive to a reasonable
person.
234. In carrying out its scheme to track and intercept Plaintiffs’ communications and
access their computing devices and web-browsers while they were logged-off of Facebook in
violation of its own privacy promises, Facebook intentionally intruded upon the Plaintiffs’
solitude or seclusion in that it effectively placed itself in the middle of conversations to which it
was not an authorized party.
235. Facebook’s tracking and access was not authorized by the Plaintiffs, the websites
with which they were communicating, the Plaintiffs’ Internet Service Providers, or the Plaintiffs’
web-browsers.
236. Defendant’s intentional intrusion into their Internet communications and their
computing devices and web-browsers was highly offensive to a reasonable person in that they
violated federal and state criminal and civil laws designed to protect individual privacy and
against theft.
237. The taking of personally-identifiable information from hundreds of millions of
Americans through deceit is highly offensive behavior.
238. Secret monitoring of web browsing is highly offensive behavior.
239. Wiretapping and surreptitious recording of communications is highly offensive
behavior.
240. Public polling on Internet tracking has consistently revealed that the overwhelming
majority of Americans believe it is important or very important to be “in control of who can get
information” about them; to not be tracked without their consent; and to be in “control[] of what
information is collected about [them].”
241. Plaintiffs have been damaged by Facebook’s invasion of their privacy and are
entitled to reasonable compensation including but not limited to disgorgement of profits related to
the unlawful internet tracking.
COUNT VI
BREACH OF CONTRACT
242. Plaintiffs hereby incorporate all other paragraphs as if fully stated herein.
243. Facebook’s relationship with its users is governed by the Statement of Rights and
Responsibilities and several other documents and policies, including a Data Use Policy and a
Privacy Policy.
244. The governing documents contain enforceable promises that Facebook made to the
Plaintiffs and the Class.
245. In the governing documents, Facebook promised that it would not track users’ web
browsing after log-out except on an anonymous basis. Facebook unambiguously emphasized,
“When you log out of Facebook, we remove the cookies that identify your particular account.”
246. Despite this promise, Facebook received more than mere “technical information”
about its users’ IP addresses, browsers, and operating systems, but instead received
personally-identifiable information about the same that were akin to and directly connect in Facebook’s
databases to the very User ID which Facebook promised only to track for logged-in users.
247. The governing documents constitute Facebook’s offer to potential users of its
products, by which Facebook promises to respect those users’ privacy in specified ways,
including by not tracking or intercepting users’ Internet communications or accessing their
computing devices or web-browsers while users were logged-off of Facebook. Plaintiffs and other
Class members accepted Facebook’s offer by using Facebook.
248. The promises contained in Facebook’s governing documents and the Plaintiffs’
and other Class members’ use of Facebook are each sufficient consideration to support
Facebook’s contractual obligations to Plaintiffs.
249. Under the agreement, Plaintiffs and Class members transmitted personally
identifiable information to Facebook in exchange for use of Facebook and Facebook’s promise
that it would not track users’ communications or access their computing devices or web-browsers
while the users were logged-off of Facebook.
250. By reason of the conduct described herein, Facebook materially and uniformly
breached its contract with Plaintiffs and each of the Class members by tracking and intercepting
the Internet communications and accessing the computing devices and web-browsers of Facebook
users while they were logged-off of Facebook.
251. Facebook collects revenues in large part because the personal information
submitted by its users and the tracking of their Internet communications across a wide variety of
websites increases the value of Facebook’s advertising services. As a result of Facebook’s breach
of the contract, it was unjustly enriched.
252. As a further result of Facebook’s breach, Plaintiffs and the class sustained
non-monetary privacy damages. Plaintiffs and Class Members also did not receive the benefit of the
bargain for which they contracted and for which they paid valuable consideration in the form of
their personally-identifiable information, which, as alleged above, has ascertainable value to be
proven at trial.
COUNT VII
BREACH OF THE DUTY OF GOOD FAITH AND FAIR DEALING
253. Plaintiffs hereby incorporate all other paragraphs as if fully stated herein.
254. Every contract imposes upon each party a duty of good faith and fair dealing in its
performance and enforcement.
255. In dealing between Facebook and its users, Facebook is invested with
discretionary power affecting the rights of its users.
256. Facebook purports to respect and protect its users’ privacy.
257. Despite its contractual privacy promises not to track users while they were
logged-off of Facebook, in fact, Facebook took actions outside those contractual promises to track users
while they were logged-off and to deprive Plaintiffs and the class of the benefits of their contract
with Facebook – that Facebook would not track logged-off users and use the information to
increase revenues.
258. Facebook’s tracking and interception of the Internet communications and access to
the computing devices and web-browsers of logged-off users was objectively unreasonable given
Facebook’s privacy promises.
259. Facebook’s conduct in tracking and intercepting the Internet communications and
accessing the computing devices and web-browsers of logged-off users evaded the spirit of the
bargain made between Facebook and the plaintiffs.
260. Facebook’s conduct in this case abused its power to specify terms – in particular,
Facebook failed to accurately disclose its tracking of users while they were logged-off of
Facebook.
261. As a result of Facebook’s misconduct and breach of its duty of good faith and fair
dealing, Plaintiffs and the Class suffered damages. Plaintiffs and the Class members did not
receive the benefit of the bargain for which they contracted and for which they paid valuable
consideration in the form of their personal information, which, as alleged above, has ascertainable
value to be proven at trial.
COUNT VIII
CIVIL FRAUD
VIOLATION OF CAL. CIV. CODE §§ 1572 AND 1573
262. Plaintiffs hereby incorporate all other paragraphs as if fully stated herein.
263. Cal. Civ. Code § 1572 provides in relevant part that actual fraud exists when a
party to a contract suppresses “that which is true, by one having knowledge or belief of the fact”
“with intent to deceive another party thereto, or to induce him to enter into the contract.”
264. Cal. Civ. Code § 1573 provides in relevant part that constructive fraud exists “[i]n
any such act or omission as the law specially declares to be fraudulent, with respect to actual
fraud.”
265. Facebook violated § 1572 through its repeated and false assertions that it did not
track or intercept users’ communications or access their computing devices or web-browsers
while they were logged-off of Facebook.
266. Facebook further violated § 1572 by suppressing knowledge of its tracking,
intercepting, and accessing Plaintiffs’ Internet communications, computers, and web-browsers
while they were logged-off of Facebook.
267. Plaintiffs relied on Facebook’s false assertions in contracting with and using
Facebook.
268. Additionally and/or alternatively, Facebook violated § 1573 by breaching its duty
not to track, intercept, or access its users’ Internet communications, computers, or web-browsers
while they were logged-off of Facebook and gaining an advantage by doing so, by misleading
users to their prejudice, as described herein.
269. Plaintiffs, on behalf of themselves and the Class, seek damages from Facebook,
including but not limited to disgorgement of all proceeds Facebook obtains from its unlawful
business practices.
COUNT IX
TRESPASS TO CHATTELS
270. Plaintiffs incorporate all preceding paragraphs as though set forth herein.
55
5:12-MD-02314-EJD
SECOND AMENDED CONSOLIDATED
CLASS ACTION COMPLAINT
1
271.
Defendant, intentionally and without consent or other legal justification, failed to
delete cookies on Plaintiffs’ browsers after logout, enabling Facebook to connect Plaintiffs’
personally identifiable information to specific communications.
272.
Defendant, intentionally and without consent or other legal justification, also
placed cookies on Plaintiffs’ computers post-logout without consent which allowed Facebook to
track their activity while logged-off of Facebook.
273.
Defendant’s intentional and unjustified placing of a cookie designed to track
Plaintiffs’ internet activities while logged-off of Facebook and actual tracking of Plaintiffs’
activities interfered with Plaintiffs’ use of the following personal property owned by Plaintiffs:
(a) Plaintiffs’ computers; and (b) Plaintiffs’ personally identifiable information.
COUNT X
VIOLATIONS OF CALIFORNIA PENAL CODE § 502
THE CALIFORNIA COMPUTER CRIME LAW (“CCCL”)
274.
Plaintiffs incorporate all preceding paragraphs as though set forth herein.
275.
Defendant violated Cal. Penal Code § 502(c)(2) by knowingly and without
permission accessing, taking and using Plaintiffs’ and the Class Members’ personally identifiable
information.
276.
Defendant accessed, copied, used, made use of, interfered with, and/or altered data
belonging to Plaintiffs and Class Members: (1) in and from the State of California; (2) in the
states in which the Plaintiffs and the Class Members are domiciled; and (3) in the states in which
the servers that provided services and communication links between Plaintiffs and the Class
Members and Facebook.com and other websites with which they interacted were located.
277.
Cal. Penal Code § 502 provides: “For purposes of bringing a civil or a criminal
action under this section, a person who causes, by any means, the access of a computer, computer
system, or computer network in one jurisdiction from another jurisdiction is deemed to have
personally accessed the computer, computer system, or computer network in each jurisdiction.”
278.
Defendants have violated California Penal Code § 502(c)(1) by knowingly and
without permission altering, accessing, and making use of Plaintiffs and Class Members’
personally identifiable data in order to execute a scheme to defraud consumers by utilizing and
profiting from the sale of their personally identifiable data, thereby depriving them of the value of
their personally identifiable data.
279.
Defendants have violated California Penal Code § 502(c)(6) by knowingly and
without permission providing, or assisting in providing, a means of accessing Plaintiffs’ and
Class Members' computer systems and/or computer networks.
280.
Defendants have violated California Penal Code § 502(c)(7) by knowingly and
without permission accessing, or causing to be accessed, Plaintiffs’ and Class Members' computer
systems and/or computer networks.
281.
Pursuant to California Penal Code § 502(b)(10) a "Computer contaminant" is
defined as "any set of computer instructions that are designed to ... record, or transmit information
within computer, computer system, or computer network without the intent or permission of the
owner of the information."
282.
Defendants have violated California Penal Code § 502(b)(8) by knowingly and
without permission introducing a computer contaminant into the transactions between Plaintiffs
and the Class Members and websites; specifically, a “cookie” that intercepts and gathers
information concerning Plaintiffs’ and the Class Members’ interactions with certain websites,
which information is then transmitted back to Facebook.
283.
As a direct and proximate result of Defendant’s unlawful conduct within the
meaning of California Penal Code § 502, Defendant has caused loss to Plaintiffs and the Class
Members in an amount to be proven at trial. Plaintiffs and the Class Members are also entitled to
recover their reasonable attorneys' fees pursuant to California Penal Code § 502(e).
284.
Plaintiffs and the Class Members seek compensatory damages, in an amount to be
proven at trial, and declarative or other equitable relief.
285.
Plaintiffs and the Class Members are entitled to punitive or exemplary damages
pursuant to Cal. Penal Code § 502(e)(4) because Defendant’s violations were willful and, upon
information and belief, Defendant is guilty of oppression, fraud, or malice as defined in Cal. Civil
Code § 3294.
COUNT XI
STATUTORY LARCENY
CALIFORNIA PENAL CODE §§ 484 AND 496
286.
Plaintiffs incorporate all preceding paragraphs as though set forth herein.
287.
Section 496(a) prohibits the obtaining of property “in any manner constituting
theft.”
288.
Section 484 defines theft, and provides:
Every person who shall feloniously steal, take, carry, lead, or drive
away the personal property of another, or who shall fraudulently
appropriate property which has been entrusted to him or her, or
who shall knowingly and designedly, by any false or fraudulent
representation or pretense, defraud any other person of money,
labor or real or personal property, or who causes or procures others
to report falsely of his or her wealth or mercantile character and by
thus imposing upon any person, obtains credit and thereby
fraudulently gets or obtains possession of money, or property or
obtains the labor or service of another, is guilty of theft.
289.
Section 484 thus defines “theft” to include obtaining property by false pretense.
290.
Defendant intentionally designed a program that would operate in a manner
unbeknownst to Plaintiffs whose computers were thus deceived into providing personally
identifiable information to Defendant.
291.
Defendant acted in a manner constituting theft and/or false pretense.
292.
Defendant stole, took, and/or fraudulently appropriated Plaintiffs' PII without
Plaintiffs’ consent.
293.
Defendant concealed, aided in the concealing, sold, and/or utilized Plaintiffs’ PII
that was obtained by Defendant for Defendant’s commercial purposes and the financial benefit of
Defendant.
294.
Defendant knew that Plaintiffs’ PII was stolen and/or obtained because
Defendant intentionally failed to delete user-identifying cookies which enabled Defendant to
steal and/or obtain Plaintiffs’ PII in a manner that was concealed and/or withheld from Plaintiffs.
295.
The reasonable and fair market value of the unlawfully obtained personal data can be
determined in the marketplace.
XII. PRAYER FOR RELIEF
WHEREFORE, Plaintiffs respectfully request that this Court:
A.
Certify this action is a class action pursuant to Rule 23 of the Federal Rules of
Civil Procedure;
B.
Award compensatory damages, including statutory damages where available, to
Plaintiffs and the Class against Defendant for all damages sustained as a result of Defendant’s
wrongdoing, in an amount to be proven at trial, including interest thereon;
C.
Permanently restrain Defendant, and its officers, agents, servants, employees and
attorneys, from installing cookies on its users’ computers that could track the users’ computer
usage after logging out of Facebook or otherwise violating its policies with users;
D.
Award Plaintiffs and the Class their reasonable costs and expenses incurred in this
action, including counsel fees and expert fees; and
E.
Grant Plaintiffs such further relief as the Court deems appropriate.
XIII. JURY TRIAL DEMAND
The Plaintiffs demand a trial by jury of all issues so triable.
Dated: November 30, 2015
KIESEL LAW LLP
By: /s/ Paul R. Kiesel
Paul R. Kiesel (SBN 119854)
8648 Wilshire Blvd.
Beverly Hills, CA 90211-2910
Telephone: (310) 854-4444
Facsimile: (310) 854-0812
kiesel@kiesel-law.com
Interim Liaison Counsel
SILVERMAN, THOMPSON, SLUTKIN & WHITE LLC
By: /s/ Stephen G. Grygiel
Stephen G. Grygiel (admitted pro hac vice)
201 N. Charles St., #2600
Baltimore, MD 21201
Telephone: (410) 385-2225
Facsimile: (410) 547-2432
sgrygiel@mdattorney.com
Interim Co-Lead Counsel
KAPLAN, FOX & KILSHEIMER LLP
By: /s/ David A. Straite
Frederic S. Fox (admitted pro hac vice)
David A. Straite (admitted pro hac vice)
850 Third Avenue
New York, NY 10022
Telephone: (212) 687-1980
Facsimile: (212) 687-7714
dstraite@kaplanfox.com
Laurence D. King (206423)
Mario Choi (243409)
350 Sansome Street, 4th Floor
San Francisco, CA 94104
Tel.: (415) 772-4700
Fax: (415) 772-4707
lking@kaplanfox.com
Interim Co-Lead Counsel
CERTIFICATE OF SERVICE
I hereby certify that on November 30, 2015, I caused the foregoing to be electronically
filed with the Clerk of the Court using the CM/ECF system which will send notification of such
filing to the e-mail addresses denoted on the Electronic Mail Notice List.
I certify under penalty of perjury under the laws of the United States of America that the
foregoing is true and correct. Executed on November 30, 2015.
KIESEL LAW LLP
/s/ Paul R. Kiesel
Paul R. Kiesel
kiesel@kbla.com
8648 Wilshire Boulevard
Beverly Hills, California 90211
Tel.: (310) 854-4444
Fax: (310) 854-0812
Interim Liaison Counsel