New Lawsuit Against Facebook From People Who Just Don't Like Facebook
from the what's-your-cause-of-action? dept
Another day, another bizarre lawsuit. Eric Goldman points us to a lawsuit against Facebook that is best summarized as "we don't like Facebook, and we're sure it's doing something bad." It involves a few different plaintiffs who all have very different complaints, combined with some weird claims about Facebook violating their privacy, and that it's really a data mining company in disguise. But, of course, there's an easy way to avoid any such issue. It's called not using Facebook. The lawsuit also seems to rely on the fact that lots of people don't like the terms of service that Facebook has used, but not liking the terms doesn't necessarily make them against the law. There's also a poorly explained copyright claim -- but it's so unclear that I can't tell if the complaint is that Facebook is violating copyrights by showing the photos that one of the plaintiffs themselves uploaded (which would be flat out ridiculous), or that the issue is other users uploading photos (which would be pre-empted by the DMCA's safe harbors). The whole thing seems like a group of people suing Facebook for the hell of it and hoping to get some cash out of it.
Filed Under: lawsuits, privacy, social networks
Companies: facebook
Reader Comments
ToS Abuse
Did the litigants in this case plead the right claims? I do not know, I will have to read the complaint closer. But the complainants have a very real problem with the ToS, they should not be abused like this.
Here is one example from the complaint of an unreasonable change:
2004
“You may remove your Member Content from the site at any time. If you choose to remove your Member Content, the license granted…will automatically expire.”
2009
On February 4, 2009, Facebook revised its Terms of Service, a document Facebook asserts it is legally permitted to update “AT ANY TIME WITHOUT INFORMING USERS.”
[ link to this | view in thread ]
Complaint about lawsuit from people who just don't like lawsuits
[ link to this | view in thread ]
Apart from that, many of the complainants are minors. They aren't even supposed to be on facebook.
To be fair, when FB changed the TOS unknowingly and members complained, they changed it back and started up a group discussion on new terms. Took some suggestions into account and not others.
They also notified people via account when the new terms were issued.
There are problems on FB but if you don't like it...there's the door.
[ link to this | view in thread ]
Re: ToS Abuse
[ link to this | view in thread ]
Actually, Mike, your "easy way" won't work
Facebook, along with any number of other similar sites, makes it a practice to deceive its new users into surrendering access to their address book (presuming their mail client maintains one). It then (a) spams everyone in it and (b) forges the address of the address book owner as the sender.
This is clearly abusive (since it's spam, and a forgery to boot) and it's invasive of privacy, since of course accumulation of a sufficient number of address books facilitates construction of extensive social graphs.
But to get to the point on the Subject line, this means that Facebook is now in possession of social data about me. Are they mining it, or selling it to people who are? They'd be silly NOT to: it's quite profitable, they probably wouldn't be caught, it probably isn't illegal, and even if so, the worst that will happen to them is a slap on the wrist.
[ link to this | view in thread ]
Re: Actually, Mike, your "easy way" won't work
Also, while they are *technically* forging the headers to make it appear you sent the e-mail I think it may be legally sound and not actually a Bad Thing in this case. The whole premise is that Facebook will magically have *you* send those e-mails, and in fact is what it asks you if you want to do. It isn't malicious, though I can see how it can be annoying.
Luckily the people I associate with aren't typically lazy and I've only ever gotten one "spam" message like that. Everyone else has done the same as me and told Facebook "no thanks" to sending out those e-mails.
[ link to this | view in thread ]
Re: Re: Actually, Mike, your "easy way" won't work
[ link to this | view in thread ]
Re: Re: Actually, Mike, your "easy way" won't work
And forging an address that's not yours (and joe@example.com's address isn't Facebook's) is never a good idea: there are many negative consequences that often ensue from doing so. (For example: it's quite easy to leverage this mechanism into a DoS attack against an individual email address or an entire email server.) And this is before we even get into all the various anti-forgery technologies out there -- oh, not that I'm a fan of those, because I'm not, but they do exist, they are deployed, and this smacks right into them.
[ link to this | view in thread ]
Re: ToS Abuse
[ link to this | view in thread ]
Re: Re: Re: Actually, Mike, your "easy way" won't work
To be sarcastic: "How dare a social website, designed to bring friends together, try to make it easy to notify your friends!"
You cannot blame facebook for an individual's inability to pay attention to what they are doing. If you are unable to read, then you should go back to school. And if that offends you, then how are you reading this post?
[ link to this | view in thread ]
Copyright Claim
[ link to this | view in thread ]
Plaintiff Xavier O. is an 11-year-old minor residing with his parents in Orange County, California. Plaintiff Xavier O. has a Facebook account that was opened without the knowledge or consent of his parent or guardian. Plaintiff Xavier O. has uploaded personal information, videos and photographs, including swimming and/or partially clothed photographs of children ages 5 to 11. On or about August 8, 2009, Plaintiff Xavier O. posted “Xavier O. has swine flu…Please pray for me…God Bless.” Upon learning of the Facebook account and the posting of an uncertain medical condition, Plaintiff Xavier O’s parents removed the medical condition posting from Facebook.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Re: Re: Actually, Mike, your "easy way" won't work
I suggest spending some time on the spam-l, ietf-smtp, irtf-asrg, mailop, spamtools, and spam-research mailing lists in order to get up to speed on this. It would probably also be helpful to read RFCs 5321, 5322, 2142, and 2505, among others.
[ link to this | view in thread ]
Re: Re:
Well, most of you anyway.
So, this tiny human's parents are suing a website because the tiny human used it as it was intended to be used? (And the tiny human had to falsify information just to make an account!)
Oops. Nosebleed. Gotta go.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Actually, Mike, your "easy way" won't work
Any email "sent to you by Facebook" is really being sent to you by a user of Facebook. Email being "automated" does not make it spam. A user is asked by a confirmation dialogue if they want to send that email to you. If your friends are idiots, I'm sorry but that's not Facebook's fault.
It's not "forgery" either since the user is asked if THEY want to send you a message. When they select that they do, Facebook sends THEIR email from THEM to you and appropriately puts THEIR name on it.
Apparently you're the one "not cognizant of the operational definitions of those terms."
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Actually, Mike, your "easy way" won't work
Maybe you should "visit" facebook to fully understand what you are talking about. Those so called "spam" messages that you have gotten were maybe sent by facebook, but with full permission and by the request of your friends. Each reminder was sent with full permission and by the request from your friends.
Now the part that makes it not illegal, counterfeit, or forged, is that your friend has to specifically give permission for that message to be sent out. So if you would like to sue someone, sue your friend as the spam is from him. Facebook is just the tool he used.
[ link to this | view in thread ]
Re: Actually, Mike, your "easy way" won't work
Um, you mean it sets the "from" address field after you agreed to let it mail all your address book members?
That's not forging. Forging, especially email headers, is very different.
Be careful of the terms you toss around, or you may end up looking like a poorly-informed Luddite.
[ link to this | view in thread ]
Re: Re:
Here's a hunch: it was up on his facebook page.
[ link to this | view in thread ]
Re: Re: Re: Actually, Mike, your "easy way" won't work
[ link to this | view in thread ]
Re: Re: Re: Actually, Mike, your "easy way" won't work
What in the world are you blathering about? I assume what you're talking about is mailing out tonnes of emails with from and reply-to on the "target" server, in the hopes that replies will take down the target server?
If so, that's the most ludicrous, circuitous and ineffective DOS attack vector I've ever heard. To generate a number of replies substantial enough to take down the target, you'd need to generate, at a theoretical minimum, the number of emails necessary to take down the target server yourself.
Consider: I wanna take down youDontUnderstandComputers.com. I theorize that two million emails in an hour to that domain will overload it. I calculate that 25% of the emails I send out will generate replies within an hour. Therefore, I must send out eight million emails in an hour.
Your statements are nonsensical. Your grasp of the technical issues is thin bordering on delusional. I strongly urge you to read up on what you're spewing in the hopes that you can prevent further incidents of rattling off nonsense in public.
[ link to this | view in thread ]
My Thoughts
If they assert that the child had his privacy violated or was even somehow endangered because FB allowed him to post personal photos and information, is it a stretch to suggest that the parents' own negligence is the true problem?
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Actually, Mike, your "easy way" won't work
Hmmm. While longevity in the field is not necessarily evidence of clue, I've been working in this one for decades. You?
Some points to enlighten you:
(1) The fact that it's automated doesn't make it spam, and I never said it did. The fact that it's unsolicited bulk email makes it spam, since that's the canonical definition of spam.
(2) One of the rudimentary concepts involved in anti-spam (and more broadly, anti-abuse) work is that if spam/abuse comes from Foo's servers/network, then it's Foo's spam/abuse. It's thus obvious that (a) it's spam and (b) it's Facebook's spam. (Yes, we can also assign some measure of blame to the bonehead who initiated it: there's enough to go around.)
(3) If the message sender was set to joe@facebook.com, where that's Joe's username or a stand-in for it, then it wouldn't be a forgery. But if it's set to joe@example.com, then it is. Keep in mind that it's insufficient for merely Joe to grant permission for Facebook to emit mail traffic with a putative sender @example.com; it's necessary that Facebook have permission from the keepers of example.com. Which they don't. Because they don't ask.
(4) Note as well that such messages will be recognized as forgeries by technologies along the lines of SPF or DKIM (provided those records have been sanely configured by the keepers of example.com).
Something I haven't mentioned is just why these social network spammers do this, and why they don't emit these messages from joe@facebook.com or equivalent. (Which would still be spam but would not be a forgery, since it would use an address assigned to the user in the facebook.com domain.) As has been discussed elsewhere at considerable length, they do this in order to take advantage of weak authentication -- such as that used on most mailing lists, where messages submitted from list members are passed through (and messages from non-members either rejected or held for moderation). This in turn is why spam from Facebook routinely turns up not just in folks' personal mail, but in traffic from mailing lists as well.
[ link to this | view in thread ]
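Added example (not part of any comment in this thread, and not Techdirt's or Facebook's code): a minimal SPF evaluation showing why a message sent from a third party's servers with an envelope sender at example.com fails the check named in point (4) above, while a relay the domain owner has listed passes. The records, the names social.example and _spf.mailhost.example, and all IP addresses are constructed; only the ip4, include and all mechanisms of RFC 7208 are implemented, and SPF is applied to the envelope sender (MAIL FROM), not the visible From: header.

```python
import ipaddress

# Constructed SPF TXT records standing in for DNS lookups. Every name and
# address here is a documentation value, not a real published policy.
SPF_RECORDS = {
    # example.com sends from its own range and from an outsourced relay.
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/25 -all",
    # Hypothetical social network that mails invitations on users' behalf.
    "social.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, records=SPF_RECORDS, depth=0):
    """Evaluate the ip4 / include / all subset of RFC 7208 for one domain."""
    if depth > 10:  # simplified stand-in for the RFC's DNS lookup limit
        return "permerror"
    terms = (records.get(domain) or "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"  # the domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner = check_spf(sender_ip, arg, records, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # a broken include invalidates the policy
            matched = inner == "pass"  # only a pass makes include match
        else:
            continue  # a, mx, exists, ... are not implemented in this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record had no "all"


def classify(mail_from, sender_ip):
    """SPF result for an envelope sender address seen from sender_ip."""
    return check_spf(sender_ip, mail_from.rsplit("@", 1)[1])


if __name__ == "__main__":
    cases = [  # constructed deliveries as a receiving server would see them
        ("joe@example.com", "203.0.113.25"),     # sent by social.example's host
        ("joe@social.example", "203.0.113.25"),  # same host, its own domain
        ("joe@example.com", "198.51.100.10"),    # relay example.com has listed
    ]
    for mail_from, ip in cases:
        print(f"{mail_from:22} from {ip:15} -> {classify(mail_from, ip)}")
```

The third case is the outsourced-relay situation raised elsewhere in the thread: a sending server unrelated to the address still passes when the domain owner lists it, which is the permission the comment above says is missing.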
Re: Re: Re: Re: Re: Re: Actually, Mike, your "easy way" won't work
And let's presume that social network user, furnished with that information, clicks the "yeah, go ahead do it" button or equivalent -- thus giving his/her permission.
It's still spam, because that's not the person whose permission is required for bulk email. The person whose permission is required is the recipient (or recipients). This "Joe gave us permission to spam you" excuse was recognized as nonsense last century -- not that it isn't periodically trotted out again by newbie spammers, but really this is a fundamental principle that's been well-known since the heyday of Spamford.
[ link to this | view in thread ]
Re: Re: Re: Re: Actually, Mike, your "easy way" won't work
First, using your own resources is a bonehead move. Not only does it make the attack relatively easy to isolate, but it makes you much easier to find. So "best practice" in DoS attacks is to use someone else's.
Second, using one external resource doesn't do much good either, as it too can be isolated relatively easily. It's much better to use multiple resources simultaneously. In this case, there are quite a few available, making a DDoS feasible.
Third, using a resource with severely limited capacity isn't that bright -- if the goal is a DoS, then clearly large capacity is preferable. So sites that have it and can be co-opted to participate are good choices.
Fourth (and I'm going to obfuscate this slightly; I'm sure you can work it out), consider that not all email gets delivered. Consider that not all address book entries are individuals. And consider that throwaway domains are quite cheap. Put those together, and work it out: the first two methods should be pretty obvious, others less so.
From a DoS perspective, the fundamental problem here is that this mechanism allows a third party to generate outbound traffic to arbitrary destinations via Facebook (or any other site doing this). That sentence should set off alarm bells in the heads of everyone with a basic background in security, even before they work through the details of the various scenarios and whether or not they're feasible, practical, etc.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Actually, Mike, your "easy way" won't work
The correct scenario would be Joe signs up for Facebook. He gets an option to allow Facebook to look through his contact file or email to find suggestions of who he can add as friends. Joe agrees and either manually uploads his contacts, or puts in his e-mail address and password for facebook to search.
Facebook takes this information and gives Joe a list of who he talks to and may want to invite, compiled from the contact list or e-mail. Joe likes you and would want you to join. He selects you and requests for Facebook to send you an e-mail.
You ignore the e-mail and don't join. Joe is sad. Joe wonders why you would not want to be his friend. Joe finds you in his pending friends list and requests for Facebook to send you a reminder. Joe thinks you might have forgotten.
You get mad, "Facebook is spamming me. I know that word because I read it somewhere and I got two or three e-mails now."
Joe is still sad. Joe doesn't know why you won't be his friend. Joe keeps asking Facebook to remind you. Joe swears that you still talk to him. He is sure you want to be his friend.
That is not spam. That is not forgery. That is just an annoying person that keeps bugging you. Do us all a favor: "Tell Joe that you don't like him"
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Actually, Mike, your "easy way" won't work
The scenario you describe is still impractical in the extreme.
If you think for a second facebook or anyone else will allow unbounded emails, let alone the fact that smtp is a queued, non-realtime protocol, you are still entirely out in left field. Have fun, maybe you'll catch a fly ball or two.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Actually, Mike, your "easy way" won't work
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Actually, Mike, your "easy way" won't work
DoS attacks take control of multiple computers to send denial of service attacks to a small number of destinations in order to interrupt service.
With this, no service is being interrupted. There is no control of multiple machines. There are no destinations being attacked.
But, nice write up. It almost looks valid.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Actually, Mike, your "easy way" won't work
Forging the headers is also debatable but there is a much better case for it. FB asks if you want to send email and is clear that it will appear to be from you. They use your email address but do not send through your smtp server. While the headers are technically forged they are forged in a legitimate manner. Most corporations forge headers to some degree. My from address here at the office isn't even closely related to the server that sends the email but if you respond the email goes through the system and ends up in my inbox. So technically the headers are forged according to the RFC. FB is doing what amounts to the same thing.
While you may not like FB's methods and they may violate an RFC or two the best you get is forged headers. It is not spam due to the means by which it is initiated or FB would be in every spamlist around and they frankly aren't. It could be considered commercial email even, but if last.fm didn't offer a way to invite your friends and I sent you an email asking you to join from my gmail account, it wouldn't be spam. This is the same thing. FB just makes it easy to ask your friends to join.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Actually, Mike, your "easy way" won't work
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Actually, Mike, your "easy way" won't work
More often, it refers to artificial transfer agent headers. Typically this is done in order to hide email origination on the 'net.
By contrast, gmail allows me to specify addresses other than my gmail account as from and reply-to. By your definition, this is header forging, and Mr. Kulawiec asserts this is "wrong".
It's common practice.
[ link to this | view in thread ]
Typo above
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Actually, Mike, your "easy way" won't work
SMTP is entirely unsuited to this, as email can be quite slow in getting to the target, and is subject to routing servers' traffic management as well.
Additionally the premise of using facebook or equiv. as an outbound facilitator is ludicrous, any high traffic site is batching their outbound traffic.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Actually, Mike, your "easy way" won't work
Forging as I understand it would be: modifying the address in order to conceal and deceive the recipient on who the original sender is.
What Facebook does I would consider to be more "ghosting the address" with the intent to reveal the origin of the sender and using the Facebook server as a passthrough. The sender's e-mail is verified when the account is opened, lowering the risk of deception.
As with most items, it is the intent of the action that defines what the action is.
[ link to this | view in thread ]
A point of note: If they're the ones asking, they're initiating. Had the user gone to FB and said, "Hey, would you please send emails to all the people in my address book?" then it would have been initiated by the user. This, however, does not appear to be the case.
Personally, I feel that only a bone head would leave their personal information (Your address book is personal info!) with any entity that explicitly tells you that they reserve the right to change their mind and won't be bothered to tell you. The only information they got out of me was my throw away email account. Once a month I check the select all button, hit delete and get on with my day. I've been using that account for over a decade and all my friends know that anything that comes from that account is unwanted. (It was an actual account back in the days of free dial up services.)
Spam is a tasty meat product that goes good with eggs or mac and cheese!
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
eww
" or mac and cheese!"
I am a Canadian, and we pride ourselves on our mac and cheese (no, not kd, real mac and cheese), and you, sir or madam or various combinations thereof, have just declared war on Canada. When the hockey stick hits you in the back of the head, that was us.
[ link to this | view in thread ]
facebook
[ link to this | view in thread ]
Re: There's the door
It appears that the Facebook exit is a swing door that doesn't lock.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: Actually, Mike, your "easy way" won't work
The nature of the spam may be that it is requested by the new member of facebook, but it is actively solicited by Facebook, with no option to filter (as far as I know) and is more in their interest than that of the requester.
Facebook also rely on the fact that a good percentage of their users will be either:
A: Lazy, or;
B: a bonehead
Seeing as none of the recipients of the mailing had any choice in whether FB got hold of their details or whether they were sent the mailing, FB have acted pretty much in the spirit of self-interest rather than the interest of anyone else involved in the process. I'm afraid there is nothing in your previous comments that really addresses the issues raised here.
[ link to this | view in thread ]
facebook issues
[ link to this | view in thread ]
Re: children with access to facebook
[ link to this | view in thread ]
Re: Re: children with access to facebook
[ link to this | view in thread ]
Re: Re: Re: children with access to facebook
[ link to this | view in thread ]