SAN FRANCISCO (CN) – To advance a privacy class action against Facebook, Android users must explain precisely what permissions they granted before the tech giant started harvesting their phone call and text data, a federal judge said in court Thursday.
“If you’re making claims of misrepresentation and omission, you need specific language,” U.S. District Judge Richard Seeborg said during a motion to dismiss hearing Thursday.
Facebook is fighting a consolidated class action alleging that prior to October 2017, it exploited a vulnerability in Android’s permission settings to not only obtain users’ contact lists but also years’ worth of phone call and text log history.
The hearing on Thursday occurred one day after the British government released a trove of internal Facebook documents, including a February 2015 email in which a Facebook employee called the collection of Android users’ call and text data a “high-risk” move “from a PR perspective.”
In court, the social media giant insisted that it never uploaded Android users’ text and call data without consent, and that even if it had, those users would still lack standing to sue because they suffered no “concrete and particularized injury.”
“It must be something beyond the boiler plate invasion of privacy,” Facebook attorney Elizabeth Deeley, of Latham & Watkins in San Francisco, argued. “It must be coupled with some promise not to do something, or particularly sensitive information that could create some kind of risk.”
A similar standing debate is now playing out in the Ninth Circuit, where Facebook is challenging U.S. District Judge James Donato’s decisions from earlier this year finding the “intangible harm” of losing control over one’s private data is a concrete injury suitable to establish standing.
According to Android users’ complaint, Facebook collected years of phone call data, including contact names and numbers for each call, the date and time of each call, call durations and whether the call was outgoing, incoming or missed. It also collected the dates, times and other details for text messages, which it allegedly used to monetize the information for advertising purposes.
Facebook denies that it collected the data without permission. In a Wednesday blog post, the company said each Android user must “opt in” to give Facebook access to their call and text data, which it uses to “do things like make better suggestions for people to call in Messenger.”
But the plaintiffs say Facebook misled Android users by only requesting permission to access their contacts list, not their phone call and text history.
“A cell phone has a reasonable expectation of privacy that if police want to search it, they need to get a warrant,” plaintiffs’ lawyer Neal Deckant, of Bursor & Fisher in New York, insisted. “The court should consider the highly sensitive nature of the information.”
But Seeborg repeatedly pushed Deckant to identify the specific words displayed in permission prompts that gave Facebook access to Android phone data, along with details on when the named plaintiffs saw those requests for permission.
“We all agree that is your obligation,” Seeborg told the plaintiffs’ lawyer. “You can’t just generally say there was a prompt during all this period of time.”
Deckant urged the judge to let the plaintiffs amend their complaint if he decides to dismiss it. The plaintiffs’ lawyer said recently released documents could provide new details about Facebook’s alleged misconduct.
“Just yesterday additional documents were released discussing the prompts at issue from Facebook engineers,” Deckant said, likely referring to records released by the British government Wednesday.
Deckant refused to confirm which documents he was citing when approached after the hearing.
Seeborg said at the start of Thursday’s hearing that he was leaning toward dismissing the suit with leave to amend, but he issued no official ruling.
Documents released by British Parliament on Wednesday also revealed that Facebook used its massive trove of user data to favor certain business partners and punish rivals by granting or restricting access to the valuable information.
The lawsuit over Android users’ call and text data is one of several privacy-related class actions Facebook is now fighting in federal court.
The Menlo Park-based social media giant is also defending itself against lawsuits over its sharing of 87 million users’ private data with Cambridge Analytica, a September security breach that compromised 50 million user accounts and its data-sharing partnerships with device makers like Apple and Samsung.