A Facebook user has filed a federal lawsuit against the social networking giant, claiming it violated wiretap laws with a tracking cookie that records web browsing history after logging off of Facebook.
John Graham, a 42-year-old lawyer, is the named plaintiff in the lawsuit filed on Wednesday in U.S. District Court in Kansas. His suit seeks class action status for the 150 million users of Facebook in the United States. Graham referred all comment to his attorneys, who declined to comment on the filing.
Experts say the Kansas litigation faces an uphill battle since courts in the past have tossed out similar cases against Facebook and others filed under wiretap law, finding such computer cookies are not wiretaps. In those cases that do end up being litigated the plaintiffs typically lose because they cannot prove any harm.
Andrew Noyes, a spokesman for Facebook, said the firm was not commenting on the lawsuit at this time.
But when the controversy over the cookies was initially raised, the company issued a statement saying there was no security or privacy breach and Facebook did not store or use any information it should not have. Like every site on the Internet that personalizes content and tries to provide security for its user, Facebook places cookies on the computer of the user, it said.
"Three of these cookies on some users' computers inadvertently included unique identifiers when the user had logged out of Facebook," according to the statement. "However, we did not store these identifiers for logged out users. Therefore, we could not have used this information for tracking or any other purpose."
Graham asks the federal court to decide whether the interception was intentional, the extent of communications intercepted and stored, and whether the court should prohibit Facebook from intercepting such communications when a user is not logged in.
"The case raises important questions that the court should consider," said David Jacobs, a consumer advocacy fellow for the Electronic Privacy Information Center.
The lawsuit filed in Kansas is similar to another case filed last week in California arising out of the revelation that Facebook placed cookies on the browsers of its users that traced their Internet activity even when they were not logged into Facebook, Jacobs said.
Both lawsuits seek to certify as its class the 150 million users of Facebook in the United States. Both were filed under a provision of the federal Wiretap Act which prohibits interception of wire, oral or electronic communications, Jacobs wrote in an email. The Kansas lawsuit differs in that it also alleges several state law claims, including violation of the Kansas Consumer Protection Act.
Nine privacy groups — including the Electronic Privacy Information Center and the American Civil Liberties Union — sent a joint letter last week to the Federal Trade Commission saying it should investigate the ways Facebook collects data about users' online activity after recent changes to its site.
Jules Polonetsky, former privacy officer at AOL and now director of the Future of Privacy Forum think tank, said in a telephone interview that for quite some time companies have settled such lawsuits, but a number have been litigated recently — with the courts generally finding that the wiretapping law is not applicable to online tracking cases.
"The courts have in the past year turned back class actions that focused on wiretapping or some of the other causes raised on the grounds that the wiretapping don't apply and, number two, there was no harm," Polonetsky said.
Graham's lawsuit seeks a preliminary and temporary injunction restraining Facebook from intercepting electronic information when they are not logged in and from disclosing any of the information already acquired on its servers. It also seeks statutory damages of $100 per day for each of the class members or $10,000 per violation, punitive damages along with attorney fees and court costs.