Computers, Privacy & the Constitution

Privacy on Facebook: Beacon and Beyond

INTRODUCTION

On February 26th, the 9th Circuit denied petitions for rehearing of the $9.5 million class-action settlement approved by the district court in Lane v. Facebook, Inc. The settlement pertained to Beacon, a controversial part of Facebook’s advertisement system that gathered and published information about Facebook users’ online transactions. The settlement included a cy pres award to a charity that Facebook is ordered to found.

Facebook doesn’t appear to be humbled by the settlement; it has recently partnered with several data-mining companies to further target ads for users. It is uncertain as of yet how efficiently Facebook will target consumers, and how users will react to the amount of knowledge Facebook has of their non-Facebook activity.

SUMMARY OF BEACON ISSUE

“Beacon,” launched November 2007, was meant to allow Facebook users to share what they did elsewhere on the Internet with their friends. The program sent records of transactions from external partner websites, such as Overstock.com or Blockbuster, to Facebook, which then published these transactions on personal profiles; Facebook also used the data to target advertising to users. Facebook members participated in the program by default. While users could opt-out of having the transaction appear on their profile, a researcher discovered there was no way to turn off the program altogether (i.e. Facebook would continue to gather data on user transactions). Further, the partner websites were sending Facebook information on customers who were not Facebook users.

The Beacon program remained on by default until December 2007, until negative press and user response forced Facebook to change privacy settings. Ultimately Beacon was taken down in 2009, as a condition of the class-action settlement.

POST-BEACON

Despite the settlement, Facebook continues to gather information about its users’ activities outside Facebook. FIRST, in late February, Facebook announced partnerships with several companies, including Acxiom, Datalogix, and Epsilon. These companies collect information on consumer spending habits based on data from financial-services companies, court records, and federal government documents; in short, even MORE personal information than collected through Beacon (because the information isn’t limited to participating websites). This allows advertisers to target specific segments of the population. SECOND, companies can provide Facebook with customer email addresses, which Facebook would, in encrypted form, match with profiles. This allows companies to advertise to their existing customer base. Users can opt-out of receiving these advertisements through Facebook and each third party partner, which is an arduous process. In reality, consumers can only escape this targeted advertising through blocking Web trackers and being mindful of sharing email addresses.

As the NY Times notes, “whether Facebook users will enjoy seeing ‘relevant’ ads or be alienated by more intensive tracking remains to be seen.” It is important to note that Facebook users generally like Facebook Connect, which allows the user to choose to connect their Facebook identity to external sites.

Facebook users’ comfort level may depend on how heavy-handed the targeted advertising appears, not unlike the controversy Target faced when it narrowly advertised toward women that it figured out, through its accumulated data, were pregnant. As long as the company’s aggregation of private information merely lead to increased convenience, consumers appear largely unconcerned; concerns increase when the company shares that information with the public, or in some other heavy-handed way reveals how much it knows about its users.

CY PRES

Of the Beacon settlement, after paying plaintiffs’ counsel and awarding the named plaintiffs, $6.5 million remained. That amount, instead of being disbursed to the class, was granted cy pres (a rule of construction to save a charitable gift that would otherwise fail, by allowing the next best use of the funds) to found a charity called the Digital Trust Foundation. The Foundation’s [[ http://www.mediapost.com/publications/article/183468/divided-court-oks-facebooks-privacy-foundation.html#axzz2MW8jkAbZ][three-person board]] will include Facebook’s director of public-policy, Tim Sparapani. The Foundation made a commitment to “fund and sponsor programs designed to educate users, regulators[,] and enterprises regarding critical issues relating to protection of identity and personal information online through user control, and the protection of users from online threats.” Lane v. Facebook, Inc., 696 F.3d 811, 822 (9th Cir. 2012). In short, the Foundation would not work to remedy Internet companies’ unauthorized disclosure of private information, but to put the onus of responsibility for invasion of privacy onto individuals. The settlement drew criticism and challenges. Upon the 9th Circuit’s denial of rehearing en banc, Judge Smith, joined by five other judges, dissented on grounds that the cy pres award (1) was neither reasonably certain to benefit the class, (2) nor advanced the objectives of the statutes relied upon in bringing suit. FIRST, it is not “reasonably certain” that the settlement would benefit the class, as the mission statement of the Foundation is to sponsor “programs” to “educate users” on “critical issues” relating to Internet privacy. Such an “open-ended, one-sentence mission statement . . . completely eviscerate[s] the meaning of [the 9th Circuit’s] previously controlling case law” on cy pres. SECOND, the statutes under which class-action plaintiffs brought their case are meant to prevent unauthorized access or disclosure of private information. Given that Facebook already possesses all member information, it seems pointless to have a charity to teach users how to protect themselves “through user control” from “online threats.” While cy pres means “as near as possible,” this falls far short of the mark. As Judge Smith notes, the only way the Foundation could teach Facebook users to protect themselves from Facebook is if it “teaches Facebook users not to use Facebook. That seems unlikely.”

CONCLUSION

As noted above, Facebook has continued to aggregate data on users’ outside-Facebook activities. New developments suggest this will only continue, possibly on an even larger scale. Facebook has developed a feature called Lookalike, which targets users based on demographic similarity. Additionally, there is the looming menace of CISPA, which may allow the government to access user information (which for now is subject to Facebook’s sieve-like privacy-policy). The Beacon settlement should have created a more dynamic organization as part of the settlement. The Digital Trust Foundation has not popped up yet, but we should keep an eye out for when it does, and examine what it actually achieves in terms of digital privacy.

Why not be brief about it, and say that Facebook was permitted to spend $6m on a tax-free lobbying operation run by their own chief lobbyist? Why not say that this means nothing whatever; Facebook spent more money on PR over Beacon, going in and coming out, than all of this money many times over? Given that there's no here here, why are you writing about it? In other words, you need to explain to the reader why the meaninglessness of this nonevent has some larger significance than its nothingness.

Navigation

Webs Webs

r5 - 14 Jan 2015 - 22:44:39 - IanSullivan
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM