Facebook Privacy Claims May Buckle in the 9th

     (CN) - Facebook and Zynga users trying to revive privacy claims struggled to show the 9th Circuit that either the social networking giant or the game company had violated any laws.
     Forced to appear together before the appeals court in a consolidated hearing, attorneys for the two companies were pressed for time but relieved to find a three-judge panel that seemed reluctant to reinstate the claims.
     Mike Robertson's 2010 class action claimed that, whenever a user clicked third-party posts on a Facebook page, Facebook sent those advertisers a "referrer header" containing the user's personally identifiable information.
     Though Facebook has since stripped the headers of such private data, headers at the time of the lawsuit's filing could include a user's name, gender and age. Robertson said this violated the federal Electronic Communications Privacy and Stored Communications Acts and California consumer and computer fraud statutes, as well as breaching the user agreement with Facebook.
     U.S. District Judge James Ware dismissed part of Robertson's lawsuit in 2011, however, finding that users like Robertson were not consumers for the purposes of California's unfair competition or consumer protection laws because Facebook provided its services for free.
     He also said California's computer fraud statute did not apply since Facebook did not circumvent technical barriers in sending the headers. The breach of contract claim meanwhile failed because Robertson had failed to show "appreciable and actual damage."
     In dismissing the claims under the federal Wiretap Act or the Stored Communications Act, Ware said Robertson did not make the necessary showing that the information Facebook allegedly disclosed "was not part of a communication from plaintiffs to an addressee or intended recipient of that communication."
     Robertson in turn argued in an amended complaint that Facebook was liable under the Stored Communications Act because it was acting as a "remote computing service provider," and thus cannot rely on the "intended recipient" exception to liability.
     Unswayed, Ware dismissed the whole complaint in late 2011. The judge said that Facebook was not acting as a "remote computing service provider" because it was acting as an intermediary for user requests to advertisers, and because it did not provide "processing or storage" of users' "data."
     The action also failed to meet California's definition of computer fraud because the "alleged transmission of personally identifiable information is caused by a 'standard web browser function,' rather than by a 'contaminant' introduced to plaintiffs' computers by defendant to 'usurp' the 'normal operations' of those computers," according to the ruling.
     Ware also found no "actual and appreciable damages" to support a contract claim. Robertson's attorney started his argument on this point before the 9th Circuit on Jan. 17.
     Kassra Nassiri argued that Facebook's privacy policy promised Robertson's identity would not be shared with advertisers. When it broke that promise, "it deprived appellant Robertson of the benefit of that bargain," she said. "That constitutes actual and appreciable harm."
     The Nassiri & Jung lawyer said California law provides "disgorgement and nominal damages" to plaintiffs who suffered harm but not monetary damages.
     Turning to the Stored Communications Act claims, Judge Sandra Ikuta asked how the user ID and URL contained in the disputed headers "constitute the contents of a communication rather than just record information."
     Nassiri said the header becomes a statutorily protected communication when the user ID is sent "together with the URL of the page the user was viewing when he or she clicked on the advertising link," rather than being "disaggregated."
     A skeptical Ikuta noted that the interest expressed in mattresses by a caller to "1-800-MATTRESS" is discernible, but is not content.
     Nassiri said that Internet clicks are the only way users can communicate with Facebook, and that the clicks "have substance, import and meaning."
     Judge Richard Tallman chimed in: "Drawing the line where you want us to draw it seems to me too broad as opposed to too narrow."
     Facebook's attorney, Aaron Panner, noted the triviality of any information disclosed in the header.
     "There is no allegation that the [header information] was worth anything to anyone who received it, or indeed to the plaintiff," said Panner, who is with Kellog, Huber, Hansen, Todd, Evans & Figel in Washington D.C.
     He said Robertson was "in no way worse off as a result of this disclosure."
     All that was supposedly disclosed was a URL, a web page address that had a user ID in it, from which allegedly advertisers could decode and infer the identity of the user and the location."
     Panner likened the URL address to a dialed phone number, which contains information about a phone user, but is still not content as imagined by Congress when enacting the Wiretap Act in 1968 or the Stored Communications Act in 1986.
     Tallman agreed, saying that early email existed in 1986, "but I don't think Congress in its wildest dreams thought about what your clients are doing now."
     Panner told the court how it could rule on the appeal: "The user ID, to the extent that it is communicated to a third-party website, that is a record, it is not contents. It would be a very clean way for this court to resolve this case to say ... a web page address and a user ID are not the contents of a communication, they are a record and therefore there is no claim under the federal statute."
     Facebook also factored into a related case that the panel considered, involving someone who clicked a link on her Facebook page that sent a request to Zynga Game Network to play a game.
     Nancy Graf and several individuals filed a class action in 2010 for alleged violations of the Electronic Communications Privacy Act. They claimed that when a Facebook user clicks on a link that opens a Zynga window within their Facebook page, both companies broke their promises to not share personally identifiable information with third parties.
     U.S. District Judge Ware dismissed the case on the same day in 2011 as he dismissed Robertson's case against Facebook.
     "What's the beef here? I just don't see how that can violate the law," an incredulous Tallman asked Graf's attorney.
     "Who's being misled? I mean I'm the Facebook user, and I have asked Facebook to give me my Zynga game, and Zynga is responding to the request I initiated and giving me my Farmville game," he asked attorney Adam Levitt.
     "Where's the misrepresentation?" Tallman asked.
     Levitt, of Grant & Eisenhofer in Chicago, said both Zynga and Facebook promised not to share the user information, but Zynga "wrongfully reached out and took that communication."
     Zynga's attorney, Richard Seabolt of Duane Morris in San Francisco, said Graf's complaint "arises from the customary operation of the Internet and browsers. The problem has been fixed [in browser software updates]."
     Seabolt said all the data cited in Graf's privacy claims is public information found on users' Facebook pages that can be retrieved using a Google search.
     "Frankly, all of this is public information," Seabolt said, adding that the lower court was right to dismiss Graf's claims. He said no laws were broken since Zynga was the intended recipient of her communication.
     The federal statutes do not apply to companies like Zynga and the sharing of user IDs between Facebook and Zynga is not a disclosure of content, the judge added.