[HN Gopher] U.S. Supreme Court rebuffs Facebook appeal in user t... ___________________________________________________________________ U.S. Supreme Court rebuffs Facebook appeal in user tracking lawsuit Author : LinuxBender Score : 199 points Date : 2021-03-22 18:12 UTC (4 hours ago) (HTM) web link (www.reuters.com) (TXT) w3m dump (www.reuters.com) | duxup wrote: | >In its appeal to the Supreme Court, Facebook said it is not | liable under the Wiretap Act because it is a party to the | communications at issue by virtue of its plug-ins. | | That would be kinda scary if allowed. I would think / hope that | as an individual that I would need to actually know that someone | is a party to the conversation... the idea that Facebook could | just say "well you logged in this one time so now we're party who | god knows what ..." would be pretty horrible if legally accepted. | | Granted, from a tech standpoint, that's also kinda how it is :( | ocdtrekkie wrote: | This is an incredible opportunity to set the legal precedent to | make the tech standpoint no longer acceptable, and hence, | compel it to change. | CobrastanJorji wrote: | This is a dangerous plan. | | The same logic applies to "Let's make sure that other party | chooses the worst possible candidate, thus compeling everyone | to vote for the candidate we prefer in the general election." | | Or "let's present our boss with two options, the correct one | and also an absolutely awful one, thus ensuring that they | will select the correct option." | alistairSH wrote: | I'm not sure how telling Facebook (or Google) "you can't | spy on people just because a page has a link to your | widget" is even remotely the same as gaming an election? | anticristi wrote: | Would this have implications on Google Analytics? I | didn't agree to them knowing what URLs I visit. | Griffinsauce wrote: | Good, we need some plans that are dangerous to the status | quo. | duxup wrote: | In this case Facebook already is the worst possible | candidate ... and is doing the thing and arguing they're a | party to the conversation. | nicefedora wrote: | This is a textbook false dichotomy. We could change the | laws around digital privacy to reflect an infinite | combination of policies, it is not a choice between two | options. The point is that Facebook's position should not | be the default policy. | | What makes this case particularly exciting to me is that it | feels like a step in the direction of bottoms-up | protections for citizens, as opposed to top-down regulation | of corporations, which I believe is the better path | forward. | IncRnd wrote: | The two situations are entirely separate. What you, | essentially, wrote is that there is no difference between | gaming an election and the privacy afforded by a | wiretapping statute. | nerdponx wrote: | _"Facebook was not an uninvited interloper to a communication | between two separate parties; it was a direct participant," the | company said in a legal filing._ | | There's gotta be some existing legal doctrine on what constitutes | a "direct participant", right? | | Suppose I visit the website of Company A intending to do business | with them (perhaps this is the only way to contact them). Their | website contains the Facebook "like" button somewhere on the | page. Is Facebook really a "direct participant" if I have no way | to know that their widget is even on the site until I visit it, | at which point they have already participated and I have no way | to avoid it? | | Likewise, does the law/precedent on "expectation of privacy" have | anything to say about who specifically I should/shouldn't expect | privacy from? | coldtea wrote: | > _Is Facebook really a "direct participant" if I have no way | to know that their widget is even on the site until I visit it, | at which point they have already participated and I have no way | to avoid it?_ | | If you meet someone at some office for an interview or a | negotiation or something, and a third party is there whose | presense was not announced beforehand, aren't they a "direct | participant"? | | And didn't you also had "no way to know that they would even be | there" until you visited that location? | gwerbret wrote: | In the example you gave, I have the opportunity to interact | with this third party, demand to know why they're there, and | may choose to leave, with my privacy intact, if I don't like | their presence. This is all part of the process of informed | consent. | | Clearly this analogy, particularly with respect to "informed" | and "consent", does not apply to a Facebook widget on a site. | legitster wrote: | The key here for the purpose of the Wiretap act is that the | website was the participant - they wanted the Facebook like | button there. And the argument will likely revolve around | whether the companies were cognizant of the implications of | adding Facebook scripts to their site. | kstrauser wrote: | No one's asking me to, but I'd testify that I absolutely | didn't know the implications back when I had share buttons on | my site. It was a fun thing that almost everyone was doing, | for the sole intention of making it more convenient for | visitors to share my content that they enjoyed. Period. It | absolutely wasn't so that I could make it easy for FB and | friends to track my visitors. | | It all seems so obvious in retrospect, but at the time there | wasn't a lot of pushback from people explaining why it was a | terrible idea. | TheSpiceIsLife wrote: | Imagine Mark Zuckerberg saying something like: | | You were stupid enough to _not_ devine my intentions 10 | years ago, so now I think the US Supreme Court should | decide you are that stupid now too. | oarsinsync wrote: | > whether the companies were cognizant of the implications of | adding Facebook scripts to their site. | | I'm inclined to believe Backblaze were not cognisant of the | implications of adding Facebook scripts to their site, given | the speedy (~12hr) turnaround on resolving once brought to | their attention. | | If tech companies are unaware, what are the odds that the | majority of other companies are? | | Discussion from here earlier today: | https://news.ycombinator.com/item?id=26536019 | legitster wrote: | The lawsuit only applies to 2011, Although in Backblaze's | case it looks like a situation where their web team made a | mistake building a custom Facebook tracking pixel. They are | 100% intending to send tracking information to Facebook. | seanalltogether wrote: | Couldn't you apply this same logic to google analytics which | has been embedded in most sites for over a decade? | fotbr wrote: | Some states allow "one party consent" to recordings of | communications (ie, phone calls). Extending that, as long as | Company A is aware of FB's practices, then your wishes are | irrelevant as far as the law is concerned. | | I have no idea what California's laws are regarding the matter, | or the laws governing any of the other participants. I'm just | speaking in the general case, that some states allow it, and | the argument that could be made. | philip1209 wrote: | Presumably - if states are defining 1-party vs. 2-party | consent laws, then doesn't the 10th amendment imply that this | matter shouldn't be handled federally? | rossdavidh wrote: | ...unless the communications cross state lines, which in | this case they mostly do. | TrinaryWorksToo wrote: | California is a two-party consent state for wiretapping laws. | rsstack wrote: | "California's wiretapping law is a "two-party consent" law. | California makes it a crime to record or eavesdrop on any | confidential communication, including a private conversation | or telephone call, without the consent of all parties to the | conversation." | nerdponx wrote: | Two-party consent is a funny thing. It's empowering to | individuals in their interactions with corporations, but in | this case it's clearly disempowering to individuals. | | Is "asymmetric" one-party consent a thing in any | jurisdiction? | tobylane wrote: | The UK only requires notification from the company in a | commercial call. The recipient can do so without | permission. | cgriswald wrote: | One-party consent seems far more empowering to me. It | lets me record any conversation I'm a party to whether | the other party likes it or not. | | In a two-party consent state, the corporation just has a | message that the call may be monitored or recorded and me | staying on the line qualifies as 'consent'. I'm not | provided with an option to talk without being recorded | and for many functions companies won't deal with you | except through these specific phone numbers. | | However, if I tell the company I want to record them, | they have very little reason to humor me. In practice, | this means I'm almost always being recorded _anyway_ , | but I can't generally record them back. It looks to me | very much like corporations get one-party consent, and I | don't. | | I've heard it argued that "This call may be monitored or | recorded..." can be interpreted as consent, but I'm not | sure how that works out in practice, especially since I'd | be recording the individual employees (who may have | consented to their employer, but haven't to me). | hellbannedguy wrote: | Georgia is the only state where only one person needs | consent to record. | | I just heard that. | whichquestion wrote: | This is false. There are many other one party consent | states. See https://recordinglaw.com/united-states- | recording-laws/one-pa... for more info. | caymanjim wrote: | Not so. Only 12 states require two-party consent to | record conversations. Federal law is one-party. There are | caveats and rules around all of it, but on a board scale, | most of the country only requires single party consent. | LinuxBender wrote: | California is 2-party-consent [1] | | [1] - https://www.dmlp.org/legal-guide/california-recording- | law | ehnto wrote: | Hm, it's challenging because of the new medium but maybe we | could discuss a real world analogue: | | You walk in to a home expecting to meet your friend, when you | enter there is a man from the TV network there. You didn't | expect him, his intention is just to watch you and your friend | talk about television shows. | | Perhaps an example that gets closer to the crux of the problem: | | You're at a restaurant with a friend, and an unrelated stranger | nearby can overhear the conversation. Not a participant, right? | Now imagine they were sent to listen to you, and report back to | the TV networks. I would say that, they have a very clear | intention to participate in the conversation. | TeMPOraL wrote: | How about this analogue: | | You come to a restaurant to eat dinner with your friend, who | arrived early. Unbeknownst to you, your friend arranged for | one of their acquaintances, who you don't know, to sit at the | next table and secretly record the whole conversation. | nerdponx wrote: | And your friend might or might not know that the | acquaintance is recording. | ethbr0 wrote: | I'd go a step farther, because I think it's what should | _really_ be relevant in this case. | | You come to a restaurant to eat dinner with your friend, | who arrived early. Unbeknownst to you, your friend arranged | for one of their acquaintances, _who owns a business, to | observe and document your arrival, from a concealed | location, behind a sign for that business._ | | What's relevant in this case should be that a _reasonable_ | person, upon observing a Facebook "Like" button on a page, | comes to the conclusion that "that button exists for me to | interact with, and interact with Facebook, related to this | business." | | More specifically, a reasonable person would _not_ come to | the conclusion that a Facebook "Like" button allows | Facebook to load arbitrary code into your session with the | business, the purpose of which is to track you and compile | information on you. | | It's unreasonable to expect people to choose to opt out of | what they don't even understand. | taxidump wrote: | This is perfectly legal in most of the US. | | Famous people and their paparazzi followers probably know | all too well that when you are anywhere an eye can see from | a public location you can be recorded. | rossdavidh wrote: | As I understand it (and IANAL) there is a pretty well- | established legal distinction between people whose job or | avocation inevitably involves being famous and noticed, | and just ordinary citizens. If you become a politician, | singer, actor, etc. it is assumed that your expectation | of privacy is different than for most people. Again | IANAL, but my understanding is that just because | photographers are allowed to hound famous actors, doesn't | mean they can do it to someone who isn't newsworthy or | otherwise in a public profession. IANAL. | jacquesm wrote: | Famous people have different expectations of privacy than | ordinary people. | m463 wrote: | and the acquaintance is paying for the free restaurant | food. | | For doing that, he feels entitled to share his notes with | anyone who pays him. | [deleted] | ska wrote: | In this already murdered analogy, they aren't even paying | all of the rent. There is a rumour they paid a server | once but nobody has ever seen them. You have to bring | your own food and wine and cook it, but you're encouraged | to share with other tables. Some of those tables were | paid to be there. There is also a stream of bored looking | people wandering round, occasionally one of them will | drop a snack on your table. | legitster wrote: | Expectations of privacy are already pretty well defined: | https://en.wikipedia.org/wiki/Expectation_of_privacy | | You have an expectation of privacy in your own home - but you | can't take back what you shared to your friend when you | discovered he writes down every conversation on his blog. | Intent isn't super relevant. | | For the purpose of the wiretap act, 'participant' is | unrelated to intent. | nerdponx wrote: | Interesting, I didn't realize "expectation of privacy" was | related to (and dependent on) the 4th Amendment. Seems like | a gap in our laws; expectation of privacy _from people who | aren 't the government_. | legitster wrote: | I mean, society won't function if you have to give | everyone outside of your home consent to look or speak at | you. Unless you plan on blinding and deafening the whole | world, there's going to have to be a line somewhere about | what we are allowed to learn about the people around us. | nerdponx wrote: | _You walk in to a home expecting to meet your friend, when | you enter there is a man from the TV network there. You didn | 't expect him, his intention is just to watch you and your | friend talk about television shows._ | | Maybe the analogy should be: you go to meet a local | contractor, and a representative from the cable company is | there to help advise on the work. Neither of you are aware | that he is recording the whole conversation, and that will | use that information to send you targeted junk mail. | jascination wrote: | A problem with all of the responses here is that they swing | and miss at trying to find an allegory that matches this | situation, and then conflate their allegory as truth, losing | any of the nuances of the Facebook situation. | | You can skew these examples to make your point stronger, too. | (The Radio in the restaurant is listening to me!) | | The only situation that matches is the exact one at hand: | Facebook tracked user information in their share/like | widgets. Is that ok under the law? It wouldn't surprise me if | it was, but I don't I think the laws should be tightened up | on this as well. | rossdavidh wrote: | Really, we can expect this to go all the way to the Supreme | Court, and I would not be at all surprised if one of the | reasons that the Supreme Court did not quash it is that | they know they will have to provide guidance (in the form | of a precedent) for lower courts on expectations of privacy | in internet situations, but they want to let every court | below them kick the tires on this case first so that they | can benefit from all of that investigation and discovery | before they have to issue a ruling on it. | inetknght wrote: | You're moving the goalposts. | | Here, let me refocus the goalpost for you. | | > _I have no way to know that their widget is even on the | site until I visit it_ | | You can ask, and expect an honest answer, from your friend | about any TV news crew. | | And you don't really have an expectation to privacy in many | restaurant settings. | SilasX wrote: | I'd say it's more like, VendorA gives VendorB special buttons | (like they kind you pin to your shirt) that promote VendorA, | analogous to the "like" buttons. | | You visit VendorB for private financial counseling (like an | https web session). VendorB is wearing the button during the | session. | | Unbeknownst to you (and probably VendorB), the button is | recording some metadata of your encounter: when you went | there, for how long, how loud your voices were, and VendorA | periodically scans the button for this data and collects it. | | Just like on the web, you were never aware of the | implications of the VendorB button, and had no chance to opt | out before the recording began. | freeopinion wrote: | What if the "man from the TV network" is really a "man from | Amazon" only it isn't a man. It's a Ring doorbell, clearly | labeled when you came through the front door. Or it's a | little Echo in the corner of the room. | | Does that mean Amazon was invited to the conversation? Should | you as a visitor to the home expect that every logo you see | in the house means that you agree to have that company | present in your conversations during the visit? | | Does a Facebook icon or a Google icon or an Amazon icon on a | webpage give them the right to participate in your | conversation? Does a Windows logo in the corner of your | screen give Microsoft the same right? | | Is it ok if they don't record audio or video, just metadata? | nextlinemail wrote: | The "direct participant" is the key phrase here. This is going | to come up again and again unless we get this legally defined | better. | | "Expectation of privacy" is yet another quagmire. Similar to | obscenity - difficult to define, but I know it when I see it. | 1vuio0pswjnm7 wrote: | "Suppose I visit the website of Company A intending to do | business with them (perhaps this is the only way to contact | them). Their website contains the Facebook "like' button | somewhere on the page. Is Facebook really a "direct | participant" ..." | | The term "direct particpant" is not from the statute. Those are | the words of Facebook's defense lawyers. | | The statute provides an exemption for a "party" to | communication, but it does not define the term "party". | | The 1st and 7th Circuits, when faced with cases similar to this | one involving third party "tech" companies that subsist on | internet advertising, have interpreted the term "party" to | exclude third parties such as Facebook. The 3rd Circuit however | has interpreted it to include them. The 9th Circuit on hearing | Facebook's case followed the 1st and 7th Circuits. Facebook | wants the 3rd Circuit's interpetation to be the law of the | land. The Supreme Court denied Facebook's appeal. | | As such, the hypothetical requires some more facts. Where is | Company A domiciled? Where do they do business? What state do | you live in? | legitster wrote: | > Four individuals filed the proposed nationwide class action | lawsuit in California federal court seeking $15 billion in | damages for Menlo Park, California-based Facebook's actions | between April 2010 and September 2011. The company stopped its | nonconsensual tracking after it was exposed by a researcher in | 2011, court papers said. | | If I understand correctly, for over a year Facebook would track | users to web services that had Facebook integrations installed. | It's not super clear what was different for "consensual | tracking", but I presume this coincided with their privacy | center? | | > "Facebook's user profiles would allegedly reveal an | individual's likes, dislikes, interests and habits over a | significant amount of time, without affording users a meaningful | opportunity to control or prevent the unauthorized exploration of | their private lives," | | The Wiretap act seems like a bad precedent here. The problem | isn't that that data was unwillingly intercepted (otherwise even | things as simple as server logs would count as a wiretap), it's | that people object to the way their information is being | collected and aggregated. And there's no good law to really apply | here without making a new one. | SimeVidas wrote: | > If I understand correctly, for over a year Facebook would | track users to web services that had Facebook integrations | installed. | | Facebook tracks users across websites. This is of course still | happening. I thought this is common knowledge. This is | happening because both Facebook and other websites benefit from | this kind of tracking. | legitster wrote: | The suit only covers between 2010 and 2011. So unless their | tracking opt-in dramatically changed, I believe the issue of | the lawsuit was the lack of consumer privacy options in this | period. | duxup wrote: | Possibly there is some EULA language or option to opt out | now and the folks suing would rather sidestep that whole | question for now. | prepend wrote: | I think these kinds of data lawsuits are going to be the new | tobacco/opioids lawsuits. People seem to be figuring out how to | quantify harm and damages and remediations. Once a few of these | start paying out, I can see some really massive class action | lawsuits and then state lawsuits. | | I think it will be bigger than tobacco and opioid because of the | ability for key insiders to be able to target lawsuits and | highlight things that were illegal or caused some sort of harm. | 1vuio0pswjnm7 wrote: | Here is the 9th Circuit opinion: | | https://cdn.ca9.uscourts.gov/datastore/opinions/2020/04/09/1... | | Nice typo in the 2nd paragraph. | | Here is the orginal publication of Facebook's wiretapping, and | the Facebook response where it denied the tracking was used for | advertising. | | https://web.archive.org/web/20110929182141/http://nikcub.app... | | https://web.archive.org/web/20110927040818/http://venturebea... | | https://web.archive.org/web/20110929182141/http://www.huffin... | | This was first reported in 2011. Note how long it took to get to | the point where Facebook is being legally compelled tell the | truth. | | IMO, this also highlights the difference between tracking as one | issue and what a company may do with collected data as another. | Arguably the second issue is the most important. It is easy | enough to discover the presence of tracking, but discovering what | companies do with collected data is more difficult, and perhaps | requires compelled discovery in the context of legal proceedings. | binarymax wrote: | "The company stopped its nonconsensual tracking after it was | exposed by a researcher in 2011, court papers said." | | Did Facebook stop tracking non-users though? Maybe that | particular method was ceased but Facebook still slurps up all the | data it can on anyone and everone. Case in point: the recent | Facebook login SDK for mobile was tracking non-users. | vmception wrote: | I think we need a new way to force original jurisdiction to the | Supreme Court | | A ruling in 2021 about a 2011 incident is not useful in | software | anticristi wrote: | Why not? Next time someone comes with the idea of tracking | non-users, there will be a clear legal test to prove this is | illegal. | | Also, pursuing a start-up after 10 years sends a clear | message to VCs too: Don't invest in startup that grow via | wiretapping. | ChuckMcM wrote: | Personally, I think the privacy cases that this Supreme court | hears will probably be what it is most remembered for in the | future. I suspect this particular lawsuit will be settled now for | an undisclosed sum to the plaintiffs as it seems that it will be | allowed to proceed in the lower courts and that means discovery | and all sorts of things which Facebook would likely want to | avoid. | 3xasperated wrote: | Interesting read ___________________________________________________________________ (page generated 2021-03-22 23:00 UTC)