<i><b>Online Extra:</i></b>Facebook Fights to Snuff Out Privacy Suit

Plaintiffs lawyers lined up to bring suits targeting Facebook and Yahoo Inc. after U.S. District Judge Lucy Koh gave a green light last September to a similar case against Google over the company's scanning of Gmail messages. But in the wake of Koh's ruling the spate of litigation seems to have sputtered: Koh denied class certification in the Gmail suit in March and tossed federal wiretap claims from a suit against Yahoo in August.

Hamilton's take on the Facebook case could help resolve just how far Internet companies can go in screening users' personal messages before running afoul of privacy laws that carry statutory damages as high as $10,000 per violation.

The complaint against Facebook cited an'October 2012 Wall Street Journal report'showing that when users included links to websites in private Facebook messages, those links registered as a “Like” on other sites that displayed Facebook's “Like” button. “By scanning users' private messages, and inferring 'Likes' from the content of those messages, Facebook has been able to glean from its users data that they otherwise would not have shared, allowing Facebook to generate even more robust, and accordingly more valuable, user profiles,” the plaintiffs lawyers wrote in'the consolidated amended complaint, filed in April.

The complaint alleged Facebook violated the federal Electronic Communications Privacy Act (ECPA) ' the 1986 update to the Federal Wiretap Act of 1968 ' and California privacy and unfair-competition laws. Plaintiffs lawyers have asked for an injunction, actual damages and statutory damages, which can go as high as $10,000 per violation under the ECPA.

Facebook's lawyers at Gibson Dunn argued in'their motion to dismiss'that the only basis for the plaintiffs' claims was the display of “an aggregate'and anonymous'count” of Likes and shares of links to particular websites on Facebook. “Plaintiffs do not contend'nor could they'that anyone other than the recipient of the message learned that a particular user had shared a URL,” they wrote.

Since the Like count appeared as an anonymous tally on other sites, Facebook's lawyers argued, the plaintiffs hadn't suffered any harm. “Plaintiffs' real complaint is not that Facebook receives and processes their messages (obviously it does, and it must), but that Facebook used those messages in a manner that they challenge (i.e., by increasing the “Like” count),” they wrote.

Ordinary Course of Business

Facebook's lawyers argued that the company's actions fall under an exemption in the ECPA for things done “in the ordinary course of its business” by electronic communications services. Facebook, they argued, must receive and process messages in the normal course of offering a messaging service. The plaintiffs maintain that scanning messages for URLs doesn't fall within the exemption.

Koh and U.S. Magistrate Judge Paul Grewal have already weighed in on what sorts of activity they find fits into the “ordinary course of business” in two separate cases involving Google. Koh found that Google's scanning of Gmail to help sell targeted ads wasn't exempt activity for a company providing email services. Grewal, however, dismissed a lawsuit targeting Google's tracking of users' personal data across its various services. Grewal found there's “broad immunity” for electronic communication services under the exemption.

Koh's ruling, seemingly a huge win for plaintiffs, came in multidistrict litigation consolidated before her in 2013. Plaintiffs lawyers quickly brought similar claims against Yahoo and Facebook. But Koh stopped the Gmail case cold earlier this year, denying motion to certify a class of Gmail users.

In August, Koh allowed plaintiffs to move forward with some claims against Yahoo, but knocked out allegations under the federal Wiretap Act. She sidestepped the question of whether Yahoo's message scanning fell under the “ordinary course of business” exemption. Yahoo is represented by Morrison & Foerster.

Facebook, which brought on Gibson Dunn's Ashlie Beringer as deputy general counsel for litigation, regulation and product issues late last year, turned to her former partners Joshua Jessen and Christopher Chorba as defense counsel.

They argued in Facebook's motion that plaintiffs consented to any alleged interception as part of the company's data use policy. The state privacy act claims also fail, they argued, since users gave their consent. The unfair-competition claim should be dismissed, they claimed, since Facebook is a free service and the plaintiffs have not lost any money or property.

Plaintiffs' counsel pushed back against the “copycat” label in'their reply brief'filed in July. They argued that the complaint focused on practices unique to Facebook. Facebook, they wrote, “added code to its messaging process that was unnecessary for any purpose other than to enable it to analyze the substance of its users' messages and determine their meaning, as well as to tie that meaning back to the users.” Plaintiffs noted that Facebook changed its practice without amending its consent disclosures after the Wall Street Journal report.

“These acts are the twenty-first-century equivalent of AT&T eavesdropping on each of its customers' phone conversations, or of a common carrier taking information from private correspondence; acts which would uniformly be condemned as egregious and illegal invasions of privacy under any circumstance,” the plaintiffs' lawyers wrote.

Cotchett, Pitre & McCarthy's Ara Jabagchourian says that these lawsuits attempt to apply decades-old laws to technology that wasn't contemplated at the time they were enacted. “The right answer is going to have to be new legislation,” said Jabagchourian, who brought a similar lawsuit against Yahoo Inc. over its email scanning practices but dropped it before the pleading stage. “Why are we treating email different from phone calls?” he said. “Why are we treating email different from faxes?”

Ross Todd writes for The Recorder, the San Francisco-based ALM sibling of Internet Law & Strategy. He can be reached at [email protected].

'

U.S. District Judge Phyllis Hamilton was set last month to be the latest jurist in the Northern District of California to grapple with how decades-old federal wiretapping laws apply to today's technology. On Sept. 24, Hamilton was scheduled to hear oral arguments on Facebook Inc.'s motion to dismiss a lawsuit claiming the company scanned users' messages illegally.

Plaintiffs lawyers, headed up by Michael Sobol at Lieff Cabraser Heimann & Bernstein,'sued Facebook in December 2013'on behalf of a proposed class of the social network's users. They claimed the company illegally intercepted private messages sent via Facebook whenever users included a link to an outside website.

Facebook's lawyers at Gibson, Dunn & Crutcher have pooh-poohed the allegations, calling the case a “copycat suit” that echoes accusations of email snooping that have been advanced against other tech companies, but largely floundered in court.

Plaintiffs lawyers lined up to bring suits targeting Facebook and Yahoo Inc. after U.S. District Judge Lucy Koh gave a green light last September to a similar case against Google over the company's scanning of Gmail messages. But in the wake of Koh's ruling the spate of litigation seems to have sputtered: Koh denied class certification in the Gmail suit in March and tossed federal wiretap claims from a suit against Yahoo in August.

Hamilton's take on the Facebook case could help resolve just how far Internet companies can go in screening users' personal messages before running afoul of privacy laws that carry statutory damages as high as $10,000 per violation.

The complaint against Facebook cited an'October 2012 Wall Street Journal report'showing that when users included links to websites in private Facebook messages, those links registered as a “Like” on other sites that displayed Facebook's “Like” button. “By scanning users' private messages, and inferring 'Likes' from the content of those messages, Facebook has been able to glean from its users data that they otherwise would not have shared, allowing Facebook to generate even more robust, and accordingly more valuable, user profiles,” the plaintiffs lawyers wrote in'the consolidated amended complaint, filed in April.

The complaint alleged Facebook violated the federal Electronic Communications Privacy Act (ECPA) ' the 1986 update to the Federal Wiretap Act of 1968 ' and California privacy and unfair-competition laws. Plaintiffs lawyers have asked for an injunction, actual damages and statutory damages, which can go as high as $10,000 per violation under the ECPA.

Facebook's lawyers at Gibson Dunn argued in'their motion to dismiss'that the only basis for the plaintiffs' claims was the display of “an aggregate'and anonymous'count” of Likes and shares of links to particular websites on Facebook. “Plaintiffs do not contend'nor could they'that anyone other than the recipient of the message learned that a particular user had shared a URL,” they wrote.

Since the Like count appeared as an anonymous tally on other sites, Facebook's lawyers argued, the plaintiffs hadn't suffered any harm. “Plaintiffs' real complaint is not that Facebook receives and processes their messages (obviously it does, and it must), but that Facebook used those messages in a manner that they challenge (i.e., by increasing the “Like” count),” they wrote.

Ordinary Course of Business

Facebook's lawyers argued that the company's actions fall under an exemption in the ECPA for things done “in the ordinary course of its business” by electronic communications services. Facebook, they argued, must receive and process messages in the normal course of offering a messaging service. The plaintiffs maintain that scanning messages for URLs doesn't fall within the exemption.

Koh and U.S. Magistrate Judge Paul Grewal have already weighed in on what sorts of activity they find fits into the “ordinary course of business” in two separate cases involving Google. Koh found that Google's scanning of Gmail to help sell targeted ads wasn't exempt activity for a company providing email services. Grewal, however, dismissed a lawsuit targeting Google's tracking of users' personal data across its various services. Grewal found there's “broad immunity” for electronic communication services under the exemption.

Koh's ruling, seemingly a huge win for plaintiffs, came in multidistrict litigation consolidated before her in 2013. Plaintiffs lawyers quickly brought similar claims against Yahoo and Facebook. But Koh stopped the Gmail case cold earlier this year, denying motion to certify a class of Gmail users.

In August, Koh allowed plaintiffs to move forward with some claims against Yahoo, but knocked out allegations under the federal Wiretap Act. She sidestepped the question of whether Yahoo's message scanning fell under the “ordinary course of business” exemption. Yahoo is represented by Morrison & Foerster.

Facebook, which brought on Gibson Dunn's Ashlie Beringer as deputy general counsel for litigation, regulation and product issues late last year, turned to her former partners Joshua Jessen and Christopher Chorba as defense counsel.

They argued in Facebook's motion that plaintiffs consented to any alleged interception as part of the company's data use policy. The state privacy act claims also fail, they argued, since users gave their consent. The unfair-competition claim should be dismissed, they claimed, since Facebook is a free service and the plaintiffs have not lost any money or property.

Plaintiffs' counsel pushed back against the “copycat” label in'their reply brief'filed in July. They argued that the complaint focused on practices unique to Facebook. Facebook, they wrote, “added code to its messaging process that was unnecessary for any purpose other than to enable it to analyze the substance of its users' messages and determine their meaning, as well as to tie that meaning back to the users.” Plaintiffs noted that Facebook changed its practice without amending its consent disclosures after the Wall Street Journal report.

“These acts are the twenty-first-century equivalent of AT&T eavesdropping on each of its customers' phone conversations, or of a common carrier taking information from private correspondence; acts which would uniformly be condemned as egregious and illegal invasions of privacy under any circumstance,” the plaintiffs' lawyers wrote.

Cotchett, Pitre & McCarthy's Ara Jabagchourian says that these lawsuits attempt to apply decades-old laws to technology that wasn't contemplated at the time they were enacted. “The right answer is going to have to be new legislation,” said Jabagchourian, who brought a similar lawsuit against Yahoo Inc. over its email scanning practices but dropped it before the pleading stage. “Why are we treating email different from phone calls?” he said. “Why are we treating email different from faxes?”

Ross Todd writes for The Recorder, the San Francisco-based ALM sibling of Internet Law & Strategy. He can be reached at [email protected].

'