[HN Gopher] U.S. Supreme Court rebuffs Facebook appeal in user t...
___________________________________________________________________
U.S. Supreme Court rebuffs Facebook appeal in user tracking lawsuit
Author : LinuxBender
Score : 199 points
Date : 2021-03-22 18:12 UTC (4 hours ago)
(HTM) web link (www.reuters.com)
(TXT) w3m dump (www.reuters.com)
| duxup wrote:
| >In its appeal to the Supreme Court, Facebook said it is not
| liable under the Wiretap Act because it is a party to the
| communications at issue by virtue of its plug-ins.
|
| That would be kinda scary if allowed. I would think / hope that
| as an individual that I would need to actually know that someone
| is a party to the conversation... the idea that Facebook could
| just say "well you logged in this one time so now we're party who
| god knows what ..." would be pretty horrible if legally accepted.
|
| Granted, from a tech standpoint, that's also kinda how it is :(
| ocdtrekkie wrote:
| This is an incredible opportunity to set the legal precedent to
| make the tech standpoint no longer acceptable, and hence,
| compel it to change.
| CobrastanJorji wrote:
| This is a dangerous plan.
|
| The same logic applies to "Let's make sure that other party
| chooses the worst possible candidate, thus compelling everyone
| to vote for the candidate we prefer in the general election."
|
| Or "let's present our boss with two options, the correct one
| and also an absolutely awful one, thus ensuring that they
| will select the correct option."
| alistairSH wrote:
| I'm not sure how telling Facebook (or Google) "you can't
| spy on people just because a page has a link to your
| widget" is even remotely the same as gaming an election?
| anticristi wrote:
| Would this have implications on Google Analytics? I
| didn't agree to them knowing what URLs I visit.
| Griffinsauce wrote:
| Good, we need some plans that are dangerous to the status
| quo.
| duxup wrote:
| In this case Facebook already is the worst possible
| candidate ... and is doing the thing and arguing they're a
| party to the conversation.
| nicefedora wrote:
| This is a textbook false dichotomy. We could change the
| laws around digital privacy to reflect an infinite
| combination of policies, it is not a choice between two
| options. The point is that Facebook's position should not
| be the default policy.
|
| What makes this case particularly exciting to me is that it
| feels like a step in the direction of bottoms-up
| protections for citizens, as opposed to top-down regulation
| of corporations, which I believe is the better path
| forward.
| IncRnd wrote:
| The two situations are entirely separate. What you,
| essentially, wrote is that there is no difference between
| gaming an election and the privacy afforded by a
| wiretapping statute.
| nerdponx wrote:
| _"Facebook was not an uninvited interloper to a communication
| between two separate parties; it was a direct participant," the
| company said in a legal filing._
|
| There's gotta be some existing legal doctrine on what constitutes
| a "direct participant", right?
|
| Suppose I visit the website of Company A intending to do business
| with them (perhaps this is the only way to contact them). Their
| website contains the Facebook "like" button somewhere on the
| page. Is Facebook really a "direct participant" if I have no way
| to know that their widget is even on the site until I visit it,
| at which point they have already participated and I have no way
| to avoid it?
|
| Likewise, does the law/precedent on "expectation of privacy" have
| anything to say about who specifically I should/shouldn't expect
| privacy from?
| coldtea wrote:
| > _Is Facebook really a "direct participant" if I have no way
| to know that their widget is even on the site until I visit it,
| at which point they have already participated and I have no way
| to avoid it?_
|
| If you meet someone at some office for an interview or a
| negotiation or something, and a third party is there whose
| presence was not announced beforehand, aren't they a "direct
| participant"?
|
| And didn't you also have "no way to know that they would even be
| there" until you visited that location?
| gwerbret wrote:
| In the example you gave, I have the opportunity to interact
| with this third party, demand to know why they're there, and
| may choose to leave, with my privacy intact, if I don't like
| their presence. This is all part of the process of informed
| consent.
|
| Clearly this analogy, particularly with respect to "informed"
| and "consent", does not apply to a Facebook widget on a site.
| legitster wrote:
| The key here for the purpose of the Wiretap act is that the
| website was the participant - they wanted the Facebook like
| button there. And the argument will likely revolve around
| whether the companies were cognizant of the implications of
| adding Facebook scripts to their site.
| kstrauser wrote:
| No one's asking me to, but I'd testify that I absolutely
| didn't know the implications back when I had share buttons on
| my site. It was a fun thing that almost everyone was doing,
| for the sole intention of making it more convenient for
| visitors to share my content that they enjoyed. Period. It
| absolutely wasn't so that I could make it easy for FB and
| friends to track my visitors.
|
| It all seems so obvious in retrospect, but at the time there
| wasn't a lot of pushback from people explaining why it was a
| terrible idea.
| TheSpiceIsLife wrote:
| Imagine Mark Zuckerberg saying something like:
|
| You were stupid enough to _not_ divine my intentions 10
| years ago, so now I think the US Supreme Court should
| decide you are that stupid now too.
| oarsinsync wrote:
| > whether the companies were cognizant of the implications of
| adding Facebook scripts to their site.
|
| I'm inclined to believe Backblaze were not cognisant of the
| implications of adding Facebook scripts to their site, given
| the speedy (~12hr) turnaround on resolving once brought to
| their attention.
|
| If tech companies are unaware, what are the odds that the
| majority of other companies are?
|
| Discussion from here earlier today:
| https://news.ycombinator.com/item?id=26536019
| legitster wrote:
| The lawsuit only applies to 2011, although in Backblaze's
| case it looks like a situation where their web team made a
| mistake building a custom Facebook tracking pixel. They are
| 100% intending to send tracking information to Facebook.
| seanalltogether wrote:
| Couldn't you apply this same logic to google analytics which
| has been embedded in most sites for over a decade?
| fotbr wrote:
| Some states allow "one party consent" to recordings of
| communications (ie, phone calls). Extending that, as long as
| Company A is aware of FB's practices, then your wishes are
| irrelevant as far as the law is concerned.
|
| I have no idea what California's laws are regarding the matter,
| or the laws governing any of the other participants. I'm just
| speaking in the general case, that some states allow it, and
| the argument that could be made.
| philip1209 wrote:
| Presumably - if states are defining 1-party vs. 2-party
| consent laws, then doesn't the 10th amendment imply that this
| matter shouldn't be handled federally?
| rossdavidh wrote:
| ...unless the communications cross state lines, which in
| this case they mostly do.
| TrinaryWorksToo wrote:
| California is a two-party consent state for wiretapping laws.
| rsstack wrote:
| "California's wiretapping law is a "two-party consent" law.
| California makes it a crime to record or eavesdrop on any
| confidential communication, including a private conversation
| or telephone call, without the consent of all parties to the
| conversation."
| nerdponx wrote:
| Two-party consent is a funny thing. It's empowering to
| individuals in their interactions with corporations, but in
| this case it's clearly disempowering to individuals.
|
| Is "asymmetric" one-party consent a thing in any
| jurisdiction?
| tobylane wrote:
| The UK only requires notification from the company in a
| commercial call. The recipient can do so without
| permission.
| cgriswald wrote:
| One-party consent seems far more empowering to me. It
| lets me record any conversation I'm a party to whether
| the other party likes it or not.
|
| In a two-party consent state, the corporation just has a
| message that the call may be monitored or recorded and me
| staying on the line qualifies as 'consent'. I'm not
| provided with an option to talk without being recorded
| and for many functions companies won't deal with you
| except through these specific phone numbers.
|
| However, if I tell the company I want to record them,
| they have very little reason to humor me. In practice,
| this means I'm almost always being recorded _anyway_,
| but I can't generally record them back. It looks to me
| very much like corporations get one-party consent, and I
| don't.
|
| I've heard it argued that "This call may be monitored or
| recorded..." can be interpreted as consent, but I'm not
| sure how that works out in practice, especially since I'd
| be recording the individual employees (who may have
| consented to their employer, but haven't to me).
| hellbannedguy wrote:
| Georgia is the only state where only one person needs
| consent to record.
|
| I just heard that.
| whichquestion wrote:
| This is false. There are many other one party consent
| states. See
| https://recordinglaw.com/united-states-recording-laws/one-pa...
| for more info.
| caymanjim wrote:
| Not so. Only 12 states require two-party consent to
| record conversations. Federal law is one-party. There are
| caveats and rules around all of it, but on a broad scale,
| most of the country only requires single party consent.
| LinuxBender wrote:
| California is 2-party-consent [1]
|
| [1] - https://www.dmlp.org/legal-guide/california-recording-law
| ehnto wrote:
| Hm, it's challenging because of the new medium but maybe we
| could discuss a real world analogue:
|
| You walk in to a home expecting to meet your friend, when you
| enter there is a man from the TV network there. You didn't
| expect him, his intention is just to watch you and your friend
| talk about television shows.
|
| Perhaps an example that gets closer to the crux of the problem:
|
| You're at a restaurant with a friend, and an unrelated stranger
| nearby can overhear the conversation. Not a participant, right?
| Now imagine they were sent to listen to you, and report back to
| the TV networks. I would say that, they have a very clear
| intention to participate in the conversation.
| TeMPOraL wrote:
| How about this analogue:
|
| You come to a restaurant to eat dinner with your friend, who
| arrived early. Unbeknownst to you, your friend arranged for
| one of their acquaintances, who you don't know, to sit at the
| next table and secretly record the whole conversation.
| nerdponx wrote:
| And your friend might or might not know that the
| acquaintance is recording.
| ethbr0 wrote:
| I'd go a step farther, because I think it's what should
| _really_ be relevant in this case.
|
| You come to a restaurant to eat dinner with your friend,
| who arrived early. Unbeknownst to you, your friend arranged
| for one of their acquaintances, _who owns a business, to
| observe and document your arrival, from a concealed
| location, behind a sign for that business._
|
| What's relevant in this case should be that a _reasonable_
| person, upon observing a Facebook "Like" button on a page,
| comes to the conclusion that "that button exists for me to
| interact with, and interact with Facebook, related to this
| business."
|
| More specifically, a reasonable person would _not_ come to
| the conclusion that a Facebook "Like" button allows
| Facebook to load arbitrary code into your session with the
| business, the purpose of which is to track you and compile
| information on you.
|
| It's unreasonable to expect people to choose to opt out of
| what they don't even understand.
| taxidump wrote:
| This is perfectly legal in most of the US.
|
| Famous people and their paparazzi followers probably know
| all too well that when you are anywhere an eye can see from
| a public location you can be recorded.
| rossdavidh wrote:
| As I understand it (and IANAL) there is a pretty well-
| established legal distinction between people whose job or
| avocation inevitably involves being famous and noticed,
| and just ordinary citizens. If you become a politician,
| singer, actor, etc. it is assumed that your expectation
| of privacy is different than for most people. Again
| IANAL, but my understanding is that just because
| photographers are allowed to hound famous actors, doesn't
| mean they can do it to someone who isn't newsworthy or
| otherwise in a public profession. IANAL.
| jacquesm wrote:
| Famous people have different expectations of privacy than
| ordinary people.
| m463 wrote:
| and the acquaintance is paying for the free restaurant
| food.
|
| For doing that, he feels entitled to share his notes with
| anyone who pays him.
| [deleted]
| ska wrote:
| In this already murdered analogy, they aren't even paying
| all of the rent. There is a rumour they paid a server
| once but nobody has ever seen them. You have to bring
| your own food and wine and cook it, but you're encouraged
| to share with other tables. Some of those tables were
| paid to be there. There is also a stream of bored looking
| people wandering round, occasionally one of them will
| drop a snack on your table.
| legitster wrote:
| Expectations of privacy are already pretty well defined:
| https://en.wikipedia.org/wiki/Expectation_of_privacy
|
| You have an expectation of privacy in your own home - but you
| can't take back what you shared to your friend when you
| discovered he writes down every conversation on his blog.
| Intent isn't super relevant.
|
| For the purpose of the wiretap act, 'participant' is
| unrelated to intent.
| nerdponx wrote:
| Interesting, I didn't realize "expectation of privacy" was
| related to (and dependent on) the 4th Amendment. Seems like
| a gap in our laws; expectation of privacy _from people who
| aren't the government_.
| legitster wrote:
| I mean, society won't function if you have to give
| everyone outside of your home consent to look or speak at
| you. Unless you plan on blinding and deafening the whole
| world, there's going to have to be a line somewhere about
| what we are allowed to learn about the people around us.
| nerdponx wrote:
| _You walk in to a home expecting to meet your friend, when
| you enter there is a man from the TV network there. You didn't
| expect him, his intention is just to watch you and your
| friend talk about television shows._
|
| Maybe the analogy should be: you go to meet a local
| contractor, and a representative from the cable company is
| there to help advise on the work. Neither of you are aware
| that he is recording the whole conversation, and that will
| use that information to send you targeted junk mail.
| jascination wrote:
| A problem with all of the responses here is that they swing
| and miss at trying to find an allegory that matches this
| situation, and then conflate their allegory as truth, losing
| any of the nuances of the Facebook situation.
|
| You can skew these examples to make your point stronger, too.
| (The Radio in the restaurant is listening to me!)
|
| The only situation that matches is the exact one at hand:
| Facebook tracked user information in their share/like
| widgets. Is that ok under the law? It wouldn't surprise me if
| it was, but I don't I think the laws should be tightened up
| on this as well.
| rossdavidh wrote:
| Really, we can expect this to go all the way to the Supreme
| Court, and I would not be at all surprised if one of the
| reasons that the Supreme Court did not quash it is that
| they know they will have to provide guidance (in the form
| of a precedent) for lower courts on expectations of privacy
| in internet situations, but they want to let every court
| below them kick the tires on this case first so that they
| can benefit from all of that investigation and discovery
| before they have to issue a ruling on it.
| inetknght wrote:
| You're moving the goalposts.
|
| Here, let me refocus the goalpost for you.
|
| > _I have no way to know that their widget is even on the
| site until I visit it_
|
| You can ask, and expect an honest answer, from your friend
| about any TV news crew.
|
| And you don't really have an expectation to privacy in many
| restaurant settings.
| SilasX wrote:
| I'd say it's more like, VendorA gives VendorB special buttons
| (like the kind you pin to your shirt) that promote VendorA,
| analogous to the "like" buttons.
|
| You visit VendorB for private financial counseling (like an
| https web session). VendorB is wearing the button during the
| session.
|
| Unbeknownst to you (and probably VendorB), the button is
| recording some metadata of your encounter: when you went
| there, for how long, how loud your voices were, and VendorA
| periodically scans the button for this data and collects it.
|
| Just like on the web, you were never aware of the
| implications of the VendorB button, and had no chance to opt
| out before the recording began.
| freeopinion wrote:
| What if the "man from the TV network" is really a "man from
| Amazon" only it isn't a man. It's a Ring doorbell, clearly
| labeled when you came through the front door. Or it's a
| little Echo in the corner of the room.
|
| Does that mean Amazon was invited to the conversation? Should
| you as a visitor to the home expect that every logo you see
| in the house means that you agree to have that company
| present in your conversations during the visit?
|
| Does a Facebook icon or a Google icon or an Amazon icon on a
| webpage give them the right to participate in your
| conversation? Does a Windows logo in the corner of your
| screen give Microsoft the same right?
|
| Is it ok if they don't record audio or video, just metadata?
| nextlinemail wrote:
| The "direct participant" is the key phrase here. This is going
| to come up again and again unless we get this legally defined
| better.
|
| "Expectation of privacy" is yet another quagmire. Similar to
| obscenity - difficult to define, but I know it when I see it.
| 1vuio0pswjnm7 wrote:
| "Suppose I visit the website of Company A intending to do
| business with them (perhaps this is the only way to contact
| them). Their website contains the Facebook "like" button
| somewhere on the page. Is Facebook really a "direct
| participant" ..."
|
| The term "direct participant" is not from the statute. Those are
| the words of Facebook's defense lawyers.
|
| The statute provides an exemption for a "party" to
| communication, but it does not define the term "party".
|
| The 1st and 7th Circuits, when faced with cases similar to this
| one involving third party "tech" companies that subsist on
| internet advertising, have interpreted the term "party" to
| exclude third parties such as Facebook. The 3rd Circuit however
| has interpreted it to include them. The 9th Circuit on hearing
| Facebook's case followed the 1st and 7th Circuits. Facebook
| wants the 3rd Circuit's interpretation to be the law of the
| land. The Supreme Court denied Facebook's appeal.
|
| As such, the hypothetical requires some more facts. Where is
| Company A domiciled? Where do they do business? What state do
| you live in?
| legitster wrote:
| > Four individuals filed the proposed nationwide class action
| lawsuit in California federal court seeking $15 billion in
| damages for Menlo Park, California-based Facebook's actions
| between April 2010 and September 2011. The company stopped its
| nonconsensual tracking after it was exposed by a researcher in
| 2011, court papers said.
|
| If I understand correctly, for over a year Facebook would track
| users to web services that had Facebook integrations installed.
| It's not super clear what was different for "consensual
| tracking", but I presume this coincided with their privacy
| center?
|
| > "Facebook's user profiles would allegedly reveal an
| individual's likes, dislikes, interests and habits over a
| significant amount of time, without affording users a meaningful
| opportunity to control or prevent the unauthorized exploration of
| their private lives,"
|
| The Wiretap act seems like a bad precedent here. The problem
| isn't that that data was unwillingly intercepted (otherwise even
| things as simple as server logs would count as a wiretap), it's
| that people object to the way their information is being
| collected and aggregated. And there's no good law to really apply
| here without making a new one.
| SimeVidas wrote:
| > If I understand correctly, for over a year Facebook would
| track users to web services that had Facebook integrations
| installed.
|
| Facebook tracks users across websites. This is of course still
| happening. I thought this is common knowledge. This is
| happening because both Facebook and other websites benefit from
| this kind of tracking.
| legitster wrote:
| The suit only covers between 2010 and 2011. So unless their
| tracking opt-in dramatically changed, I believe the issue of
| the lawsuit was the lack of consumer privacy options in this
| period.
| duxup wrote:
| Possibly there is some EULA language or option to opt out
| now and the folks suing would rather sidestep that whole
| question for now.
| prepend wrote:
| I think these kinds of data lawsuits are going to be the new
| tobacco/opioids lawsuits. People seem to be figuring out how to
| quantify harm and damages and remediations. Once a few of these
| start paying out, I can see some really massive class action
| lawsuits and then state lawsuits.
|
| I think it will be bigger than tobacco and opioid because of the
| ability for key insiders to be able to target lawsuits and
| highlight things that were illegal or caused some sort of harm.
| 1vuio0pswjnm7 wrote:
| Here is the 9th Circuit opinion:
|
| https://cdn.ca9.uscourts.gov/datastore/opinions/2020/04/09/1...
|
| Nice typo in the 2nd paragraph.
|
| Here is the original publication of Facebook's wiretapping, and
| the Facebook response where it denied the tracking was used for
| advertising.
|
| https://web.archive.org/web/20110929182141/http://nikcub.app...
|
| https://web.archive.org/web/20110927040818/http://venturebea...
|
| https://web.archive.org/web/20110929182141/http://www.huffin...
|
| This was first reported in 2011. Note how long it took to get to
| the point where Facebook is being legally compelled to tell the
| truth.
|
| IMO, this also highlights the difference between tracking as one
| issue and what a company may do with collected data as another.
| Arguably the second issue is the most important. It is easy
| enough to discover the presence of tracking, but discovering what
| companies do with collected data is more difficult, and perhaps
| requires compelled discovery in the context of legal proceedings.
| binarymax wrote:
| "The company stopped its nonconsensual tracking after it was
| exposed by a researcher in 2011, court papers said."
|
| Did Facebook stop tracking non-users though? Maybe that
| particular method was ceased but Facebook still slurps up all the
| data it can on anyone and everyone. Case in point: the recent
| Facebook login SDK for mobile was tracking non-users.
| vmception wrote:
| I think we need a new way to force original jurisdiction to the
| Supreme Court
|
| A ruling in 2021 about a 2011 incident is not useful in
| software
| anticristi wrote:
| Why not? Next time someone comes with the idea of tracking
| non-users, there will be a clear legal test to prove this is
| illegal.
|
| Also, pursuing a start-up after 10 years sends a clear
| message to VCs too: Don't invest in startups that grow via
| wiretapping.
| ChuckMcM wrote:
| Personally, I think the privacy cases that this Supreme court
| hears will probably be what it is most remembered for in the
| future. I suspect this particular lawsuit will be settled now for
| an undisclosed sum to the plaintiffs as it seems that it will be
| allowed to proceed in the lower courts and that means discovery
| and all sorts of things which Facebook would likely want to
| avoid.
| 3xasperated wrote:
| Interesting read
___________________________________________________________________
(page generated 2021-03-22 23:00 UTC)