New Lawsuit Against Facebook From People Who Just Don't Like Facebook
from the what's-your-cause-of-action? dept
Another day, another bizarre lawsuit. Eric Goldman points us to a lawsuit against Facebook that is best summarized as “we don’t like Facebook, and we’re sure it’s doing something bad.” It involves a few different plaintiffs who all have very different complaints, combined with some weird claims about Facebook violating their privacy, and that it’s really a data mining company in disguise. But, of course, there’s an easy way to avoid any such issue. It’s called not using Facebook. The lawsuit also seems to rely on the fact that lots of people don’t like the terms of service that Facebook has used, but not liking the terms don’t necessarily make them against the law. There’s also a poorly explained copyright claim — but it’s so unclear that I can’t tell if the complaint is that Facebook is violating copyrights by showing the photos that one of the plaintiffs themselves uploaded (which would be flat out ridiculous), or that the issue is other users uploading photos (which would be pre-empted by the DMCA’s safe harbors). The whole thing seems like a group of people suing Facebook for the hell of it and hoping to get some cash out of it.
Filed Under: lawsuits, privacy, social networks
Companies: facebook
Comments on “New Lawsuit Against Facebook From People Who Just Don't Like Facebook”
ToS Abuse
There is more to the claims then you are giving the litigants credit for. In 2004 Facebook had a somewhat reasonable ToS now the ToS is abusive to users that have contributed time and energy to making Facebook a top social network. If this ToS were a standard contract between equal negotiating parties this would never happen. When one party abuses a contract of adhesion like this there should be a cause of action.
Did the litigants in this case plead the right claims? I do not know, I will have to read the complaint closer. But the complainants have a very real problem with the ToS, they should not be abused like this.
Here is one example from the complaint of an unreasonable change:
2004
“You may remove your Member Content from the site at any time. If you choose to remove your Member Content, the license granted…will automatically expire.”
2009
On February 4, 2009, Facebook revised its Terms of Service, a document Facebook asserts it is legally permitted to update “AT ANY TIME WITHOUT INFORMING USERS.”
Re: ToS Abuse
As long as the TOS are not illegal than FaceBook can put up whatever it wants. One cannot sue over bad terms of service. And that update without informing users is common on a lot of contracts, ever read your credit card contract or your internet contract?
Re: ToS Abuse
Then don’t use the service. I don’t like AT&T so I don’t buy AT&T, duh problem solved.
Complaint about lawsuit from people who just don't like lawsuits
You can’t even figure our what the lawsuit is about, eh.
Interesting. This Melkonian person…she is member of at least one group that has no standing for integrity among most professionals I know.
Apart from that, many of the complainants are minors. They aren’t even supposed to be on facebook.
To be fair, when FB changed the TOS unknowingly and members complained, they changed it back and started up a group discussion on new terms. Took some suggestions into account and not others.
They also notified people via account when the new terms were issued.
There are problems on FB but if you don’t like it…there’s the door.
Re: There's the door
I went out through the door and within three months started getting friend requests on an email address that was never associated with that particular account. I have no idea how FB got it, as I never gave it to them in relation to the account, and the only person I had as a friend on the account before I went out the door has absolutely nothing to do with the people that have “accepted me as a friend” and I solicited no friends other than the one that I had. The account was active for only a week, that’s how long it took for me to get my first smatterings of spam, so it appears that they culled friend invites I made some two years earlier on another account and then associated them with this deactivated account (yep, but I was still getting unsolicited friend accepts on it!). Hey, I’m sure this is entirely innocent though!!
It appears that the Facebook exit is a swing door that doesn’t lock.
Re: children with access to facebook
i agree regarding children on facebook. they are not mature enough to be there. they are exposed to all manner and level of mature material. i’m sure if facebook wanted to prevent them from being on the program they could do something about it. money is no object to facebook.
Re: Re: children with access to facebook
why i gotta be a coward
Re: Re: Re: children with access to facebook
If not wanting the government or face book to know who you are is being a coward then I guess I’m a coward too. Its amazing what “THEY” can do to destroy your life for being honest and speaking your mind.
Actually, Mike, your "easy way" won't work
I’ve never visited Facebook’s web site and of course don’t have an account there (and never will). However, they have data on me and have sent me spam.
Facebook, along with any number of other similar sites, makes it a practice to deceive its new users into surrendering access to their address book (presuming their mail client maintains one). It then (a) spams everyone in it and (b) forges the address of the address book owner as the sender.
This is clearly abusive (since it’s spam, and a forgery to boot) and it’s invasive of privacy, since of course accumulation of a sufficient number of address books facilitates construction of extensive social graphs.
But to get to the point on the Subject line, this means that Facebook is now in possession of social data about me. Are they mining it, or selling it to people who are? They’d be silly NOT to: it’s quite profitable, they probably wouldn’t be caught, it probably isn’t illegal, and even if so, the worst that will happen to them is a slap on the wrist.
Re: Actually, Mike, your "easy way" won't work
Actually no, the message (at least on FB) clearly asks the new user if they WANT to spam their address book. Smart people like myself we tell it no, but people who don’t read (and it IS in simple English so there is really no excuse other than laziness) will end up spamming their address book.
Also, while they are *technically* forging the headers to make it appear you sent the e-mail I think it may be legally sound and not actually a Bad Thing in this case. The whole premise is that Facebook will magically have *you* send those e-mails, and in fact is what it asks you if you want to do. It isn’t malicious, though I can see how it can be annoying.
Luckily the people I associate with aren’t typically lazy and I’ve only ever gotten one “spam” message like that. Everyone else has done the same as me and told Facebook “no thanks” to sending out those e-mails.
Re: Re: Actually, Mike, your "easy way" won't work
There is never a time when forging headers on an e-mail is acceptable. Recently, I have gotten a whole spew of facebook spams from friends (including the first of the reminder emails last night). Once started, apparently it isn’t so easy to turn off (I won’t turn it on to find out, I don’t want to bother my friends).
Re: Re: Re: Actually, Mike, your "easy way" won't work
Mr. Kulawiec uses inaccurate/misleading terminology. Facebook isn’t forging headers.
Re: Re: Actually, Mike, your "easy way" won't work
The mail messages come from Facebook’s mail servers: therefore, it’s Facebook’s spam. The charade of asking the Facebook user for permission and forging their name onto it is merely an attempt to evade responsibility. It’s obviously malicious: it’s spam, thus abusive by definition.
And forging an address that’s not yours (and joe@example.com‘s address isn’t Facebook’s) is never a good idea: there are many negative consequences that often ensue from doing so. (For example: it’s quite easy to leverage this mechanism into a DoS attack against an individual email address or an entire email server.) And this is before we even get into all the various anti-forgery technologies out there — oh, not that I’m a fan of those, because I’m not, but they do exist, they are deployed, and this smacks right into them.
Re: Re: Re: Actually, Mike, your "easy way" won't work
There are things that I dont like about Facebook, but the spam is not one of them. It doesn’t “forge” the headders to look like you sent it. It asks you if you want to send, and then sends it for you. That is not illegal or malicious. It did exactly what you told it to do.
To be sarcastic: “How dare a social website, designed to bring friends together, try to make it easy to notify your friends!”
You can not blame facebook for an individuals inability to pay attention to what they are doing. If you are unable to read, then you should go back to school. And if that offends you, then how are you reading this post?
Re: Re: Re:2 Actually, Mike, your "easy way" won't work
If you (a) don’t grasp that it’s spam or (b) don’t grasp that it’s a forgery, when it’s quite obviously both, then I must presume either (1) you’re not fully aware of what they’re doing and/or (2) you’re not cognizant of the operational definitions of those terms. This is not a gray area (many of those certainly exist); this is spam and forgery by definition.
I suggest spending some time on the spam-l, ietf-smtp, irtf-asrg, mailop, spamtools, and spam-research mailing lists in order to get up to speed on this. It would probably also be helpful to read RFCs 5321, 5322, 2142, and 2505, among others.
Re: Re: Re:3 Actually, Mike, your "easy way" won't work
Yeah, I’m about 110% sure you have no idea what you’re talking about.
Any email “sent to you by Facebook” is really being sent to you by a user of Facebook. Email being “automated” does not make it spam. A user is asked by a confirmation dialogue if they want to send that email to you. If your friends are idiots, I’m sorry but that’s not Facebook’s fault.
It’s not “forgery” either since the user is asked if THEY want to send you a message. When they select that they do, Facebook sends THEIR email from THEM to you and appropriately puts THEIR name on it.
Apparently you’re the one “not cognizant of the operational definitions of those terms.”
Re: Re: Re:4 Actually, Mike, your "easy way" won't work
Yeah, I’m about 110% sure you have no idea what you’re talking about.
Hmmm. While longevity in the field is not necessarily evidence of clue, I’ve been working in this one for decades. You?
Some points to enlighten you: (1) The fact that it’s automated doesn’t make it spam, and I never said it did. The fact that it’s unsolicited bulk email makes it spam, since that’s the canonical definition of spam. (2) One of the rudimentary concepts involved in anti-spam (and more broadly, anti-abuse) work is that if spam/abuse comes from Foo’s servers/network, then it’s Foo’s spam/abuse. It’s thus obvious that (a) that it’s spam and (b) it’s Facebook’s spam. (Yes, we can also assign some measure of blame to the bonehead who initiated it: there’s enough to go around.) (3) If the message sender was set to joe@facebook.com, where that’s Joe’s username or a stand-in for it, then it wouldn’t be a forgery. But if it’s set to joe@example.com, then it is. Keep in mind that it’s insufficient for merely Joe to grant permission for Facebook to emit mail traffic with a putative sender @example.com; it’s necessary that Facebook have permission from the keepers of example.com. Which they don’t. Because they don’t ask. (4) Note as well that such messages will be recognized as forgeries by technologies along the lines of SPF or DKIM (provided those records have been sanely configured by the keepers of example.com).
Something I haven’t mentioned is just why these social network spammers do this, and why they don’t emit these messages from joe@facebook.com or equivalent. (Which would still be spam but would not be a forgery, since it would use an address assigned to the user in the facebook.com domain.) As has been discussed elsewhere at considerable length, they do this in order to take advantage of weak authentication — such as that used on most mailing lists, where messages submitted from list members are passed through (and messages from non-members either rejected or held for moderation). This in turn is why spam from Facebook routinely turns up not just in folks’ personal mail, but in traffic from mailing lists as well.
Re: Re: Re:5 Actually, Mike, your "easy way" won't work
Having also worked in the industry for years I can assure you that the messages from Facebook are not spam. Unsolicited email != spam. The fact is the email is initiated by someone you know or who has you in their address book. It is not initiated by FB. FB is very careful about this so their messages are not counted as spam. There are multiple verifications before any email is sent. It is not FB’s spam as they are sending only what their users request. Saying these messages are FB’s spam is like saying that all the damn forwards I get from my mom are hotmail’s spam because hotmail sent them regardless of who pushed the button and it is ridiculous.
Forging the headers is also debatable but there is a much better case for it. FB asks if you want to send email and is clear that it will appear to be from you. They use your email address but do not send through your smtp server. While the headers are technically forged they are forged in a legitimate manner. Most corporation forge headers to some degree. My from address here at the office isn’t even closely related to the server that sends the email but if you respond the email goes through the system and ends up in my inbox. So technically the headers are forged according to the RFC. FB is doing what amounts to the same thing.
While you may not like FBs methods and they may violate an RFC or two the best you get is forged headers. It is not spam due to the means by which it is initiated or FB would be in every spamlist around and they frankly aren’t. It could be considered commercial email even but last.fm didn’t offer a way to invite your friends and I sent you an email asking you to join from my gmail account it wouldn’t be spam. This is the same thing. FB just makes it easy to ask your friends to join.
Re: Re: Re:6 Actually, Mike, your "easy way" won't work
Hey, Sorry, but they are clearly spam. If Facebook asked you to select the names in your address book then your argument may have some weight, otherwise, the postings are indiscriminate mass mailings. And that is a fact both morally and technically that you will never budge from the top of the tree of facts that stands on the very peak of Fact Mountain, which stands in the very heart of Factland, no matter what you say.
The nature of the spam may be that it is requested by the new member of facebook, but it is actively solicited by Facebook, with no option to filter (as far as I know) and is more in their interest that that of the requester.
Facebook also rely on the fact that a good percentage of their users will be either:
A: Lazy, or;
B: a bonehead
Seeing as none of the recipients of the mailing had any choice in whether FB got hold of their details or whether they were sent the mailing, FB have acted pretty much in the spirit self interest rather than the interest of anyone else involved in the process. I’m afraid there is nothing in your previous comments that really addresses the issues raised here.
Re: Re: Re:3 Actually, Mike, your "easy way" won't work
“Forgery: The act of forging, especially the illegal production of something counterfeit.”
Maybe you should “visit” facebook to fully understand what you are talking about. Those so called “spam” messages that you have gotten were maybe sent by facebook, but with full permission and by the request of your friends. Each reminder was sent with full permission and by the request from your friends.
Now the part that makes it not illegal, counterfeit, or forged, is that your friend has to specificly give permission for that message to be sent out. So if you would like to sue someone, sue your friend as the spam is from him. Facebook is just the tool he used.
Re: Re: Re:4 Actually, Mike, your "easy way" won't work
Ah, yes, I see where the misunderstanding is. Let’s presume,
for the moment, that the social network site in question is up-front about what’s going to happen — that is, that it fully informs any user asked to surrender their address book what it’s going to do with it.
And let’s presume that social network user, furnished with that information, clicks the “yeah, go ahead do it” button or equivalent — thus giving his/her permission.
It’s still spam, because that’s not the person whose permission is required for bulk email. The person whose permission is required is the recipient (or recipients). This “Joe gave us permission to spam you” excuse was recognized as nonsense last century — not that it isn’t periodically trotted out again by newbie spammers, but really this is a fundamental principle that’s been well-known since the heyday of Spamford.
Re: Re: Re:5 Actually, Mike, your "easy way" won't work
Presume as you wish, or you could truely look for the facts.
The correct scenario would be Joe signs up for Facebook. He gets an option to allow Facebook to look through his contact file or email to find suggestions of who he can add as friends. Joe agrees and either manually uploads his contacts, or puts in his e-mail address and password for facebook to search.
Facebook takes this information and gives Joe a list of who he talks to and may want to invite, compiled from the contact list or e-mail. Joe, likes you and would want you to join. He selects you and requests for Facebook to send you an e-mail.
You ignore the e-mail and dont join. Joe is sad. Joe wonders why you would not want to be his friend. Joe find you in his pending friends list and requests for Facebook to send you a reminder. Joe thinks you might have forgotten.
You get mad, “Facebook is spamming me. I know that word because I read it somewhere and I got two or three e-mails now.”
Joe is still sad. Joe doesnt know why you won’t be his friend. Joe keeps asking Facebook to remind you. Joe swears that you still talk to him. He is sure you want to be his friend.
That is not spam. That is not forgery. That is just an annoying person that keeps bugging you. Do us all a favor: “Tell Joe that you don’t like him”
Re: Re: Re:5 Actually, Mike, your "easy way" won't work
So just to clarify. Your saying that if I want to send all my friends an email that I have to first call/visit/snail mail/etc to make sure it’s okay that I send the an email?
Re: Re: Re:4 Actually, Mike, your "easy way" won't work
The headers are forged. The dictionary does not reflect the technical use of the word. The headers make the email appear to have come from an account that it did not. While userx may have said “send this in my name” the email still did not originate from the address in the headers so it is forged. Whether this is bad or not is a whole other debate but the headers are forged in the technical use of the word.
Re: Re: Re:5 Actually, Mike, your "easy way" won't work
The term forged headers usually refers to more than the from and the too.
More often, it refers to artificial transfer agent headers. Typically this is done in order to hide email origination on the ‘net.
By contrast, gmail allows me to specify addresses other than my gmail account as from and reply-to. By your definition, this is header forging, and Mr. Kulawiec asserts this is “wrong”.
It’s common practice.
Re: Re: Re:6 Typo above
that should read “The term forged headers usually refers to more than the from and the reply-to.”
Re: Re: Re:5 Actually, Mike, your "easy way" won't work
Ok Romeo, I can see your point on that, although I might look at the action in a different context.
Forging as I understand it would be: modifying the address in order to conceal and decieve the recipient on who the origional sender is.
What Facebook does I would consider to be more “ghosting the address” with the intent to reveal the origion of the sender and using the Facebook server as a passthough. The senders e-mail is verified when the account is opened, lowering the risk of deception.
As with most items, it is the intent of the action that defines what the action is.
Re: Re: Re: Actually, Mike, your "easy way" won't work
“For example: it’s quite easy to leverage this mechanism into a DoS attack against an individual email address or an entire email server.”
What in the world are you blathering about? I assume what you’re talking about is mailing out tonnes of emails with from and reply-to on the “target” server, in the hopes that replies will take down the target server?
If so, that’s the most ludicrous, circuitous and ineffective DOS attack vector I’ve ever heard. To generate a number of replies substantial enough to take down the target, you’d need to generate, at a theoretical minimum, the number of emails necessary to take down the target server yourself.
Consider: I wanna take down youDontUnderstandComputers.com I theorize that two million emails in an hour to that domain will overload it. I calculate that 25% of the emails I send out will generate replies within an hour. Therefore, I must send out eight million emails in an hour.
Your statements are nonsensical. Your grasp of the technical issues is thin bordering on delusional. I strongly urge to read up on what you’re spewing in the hopes that you can prevent further incidents of rattling off nonsense in public.
Re: Re: Re:2 Actually, Mike, your "easy way" won't work
I see that you’re unfamiliar with some of the currently-used DoS attack vectors. Let me try to remedy some of that by explaining a few basic principles to you.
First, using your own resources is a bonehead move. Not only does it make the attack relatively easy to isolate, but it makes you much easier to find. So “best practice” in DoS attacks is to use someone else’s.
Second, using one external resource doesn’t do much good either, as it too can be isolated relatively easily. It’s much better to use multiple resources simultaneously. In this case, there are quite a few available, making a DDoS feasible.
Third, using a resource with severely limited capacity isn’t that bright — if the goal is a DoS, then clearly large capacity is preferable. So sites that have it and can be co-opted to participate are good choices.
Fourth (and I’m going to obfuscate this slightly; I’m sure you can work it out), consider that not all email gets delivered. Consider that not all address book entries are individuals. And consider that throwaway domains are quite cheap. Put those together, and work it out: the first two methods should be pretty obvious, others less so.
From a DoS perspective, the fundamental problem here is that is that this mechanism allows a third party to generate outbound traffic to arbitrary destinations via Facebook (or any other site doing this). That sentence should set off alarm bells in the heads of everyone with a basic background in security, even before they work through the details of the various scenarios and whether or not they’re feasible, practical, etc.
Re: Re: Re:3 Actually, Mike, your "easy way" won't work
Wow really?
The scenario you describe is still impractical in the extreme.
If you think for a second facebook or anyone else will allow unbounded emails, let alone the fact that smtp is a queued, non-realtime protocol, you are still entirely out in left field. Have fun, maybe you’ll catch a fly ball or two.
Re: Re: Re:3 Actually, Mike, your "easy way" won't work
Your information is valid as far as DoS attack are concerned. The issue is that it still doesnt apply.
DoS attacks take control of multiple computers to send denial of service attacks to a small number of destinations in order to interupt service.
With this, no service is being interupted. There is no control of multiple machines. There are no destinations being attacked.
But, nice write up. It almost looks valid.
Re: Re: Re:4 Actually, Mike, your "easy way" won't work
Actually, it’s not. Denial of Service is about creating high concurrency, sustained traffic to the system, typically traffic that requires some processing on the target machine before the machine can move on to subsequent requests.
SMTP is entirely unsuited to this, as email can be quite slow in getting to the target, and is subject to routing servers’ traffic management as well.
Additionally the premise of using facebook or equiv. as an outbound facilitator is ludicrous, any high traffic site is batching their outbound traffic.
Re: Actually, Mike, your "easy way" won't work
“forges the address of the address book owner as the sender”
Um, you mean it sets the “from” address field after you agreed to let it mail all your address book members?
that’s not forging. Forging, especially email headers, is very different.
Be careful of the terms you toss around, or you may end up looking like a poorly-informed Luddite.
Copyright Claim
Not only is the copyright issue poorly explained, but copyright infringement is not even alleged as a cause of action. Eric.
srsly?
Plaintiff Xavier O. is an 11-year-old minor residing with his parents in
Orange County, California. Plaintiff Xavier O. has a Facebook account that was opened without the knowledge or consent of his parent or guardian. Plaintiff Xavier O. has uploaded personal information, videos and photographs, including swimming and/or partially clothed photographs of children ages 5 to11. On or about August 8, 2009, Plaintiff Xavier O. posted “Xavier O. has swine flu…Please pray for me…God Bless.” Upon learning of the Facebook account and the posting of an uncertain medical condition, Plaintiff Xavier O’s parents removed the medical condition posting from Facebook.
Re: Re:
Xavier O. and his parents have been unable to learn where the minor’s medical information may have been stored, disseminated or sold by Facebook.
Re: Re: Re:
I hate humans.
Well, most of you anyway.
So, this tiny human’s parents are suing a website because the tiny human used it as it was intended to be used? (And the tiny human had to falsify information just to make an account!)
Oops. Nosebleed. Gotta go.
Re: Re: Re:
“Xavier O. and his parents have been unable to learn where the minor’s medical information may have been stored, disseminated or sold by Facebook.”
Here’s a hunch: it was up on his facebook page.
My Thoughts
If the underage child created a facebook account without his parents’ permission, then the child most likely falsified information to create the account.
If they assert that the child had his privacy violated or was even somehow endangered because FB allowed him to post personal photos and information, is it a stretch to suggest that the parents’ own negligence is the true problem?
All I know about facebook is that soon after creating an account just to find out what the noise was all about, Facebook sent me an email to the effect that a person with my name “couldn’t possibly exsist.” Their words.
A point of note: If they’re the ones asking, they’re initiating. Had the user gone to FB and said, “Hey, would you please send emails to all the people in my address book?” then it would have been initiated by the user. This, however, does not appear to be the case.
Personally, I feel that only a bone head would leave their personal information (Your address book is personal info!) with any entity that explicitly tells you that they reserve the right to change their mind and won’t be bothered to tell you. The only information they got out of me was my throw away email account. Once a month I check the select all button, hit delete and get on with my day. I’ve been using that account for over decade and all my friends know that anything that comes from that account is unwanted. (It was an actual account back in the days of free dial up services.)
Spam is a tasty meat product that goes good with eggs or mac and cheese!
Re: Re:
Wow! A throw-away e-mail account! Impressive. I bet nobody has thought of that before. Better patent it.
Re: Re:
“Spam is a tasty meat product that goes good with eggs”
eww
” or mac and cheese!”
I am a Canadian, and we pride ourselves on our mac and cheese (no, not kd, real mac and cheese), and you, sir or madam or various combinations thereof, have just declared war on Canada. When the hockey stick hits you in the back of the head, that was us.
facebook
I hope the lawsuit succeeds. I’ve had trouble with facebook too. I can’t even get them to remove my profile from their site. They will not communicate with me in any way.
facebook issues
I use to like facebook, but I tried to login and it wouldn’t let me. For no reason. I don’t know if my profile was stolen or not. I tried to reset my password and it wouldn’t let me do that either. There is no way to contact these people if there is a problem. no tech support no customer support. I’ve been trying and trying to find a way to ask what’s going on and where my profile and information is.
I dont like facebook I think its crap
Does anyone realize that facebook has monopolized the comment section of major news medis so you can”t excersize your writes under the first amendment of freedom of speech without being identified? Every comment you make goes on facebook and logged by the government under the patriot act and your information is tagged and you become under investigation????? Your no longer free my friends. Wake up and smell the coffee. Facebook is an arm of the US Government and is most likely getting paid big bucks to sell you out!