This is actually fascinating, legally. What are they suing them for? Under what law or legal principle?
A maker of extensions never agrees to Facebook's ToS in the first place, so there's no breach of contract.
It would seem that only individual users could in theory be sued, though obviously Facebook would never do that because of the PR nightmare.
IANAL, so I'm really curious if anyone thinks Facebook could win this in court? (Regardless of whether it works by threatening to drown the extension maker in legal costs.)
> What are they suing them for? Under what law or legal principle?
The Computer Fraud and Abuse Act (CFAA) allows for civil cases. The law prohibits accessing a computer without authorization, or in excess of authorization. This isn't a case of users knowingly using a tool to scrape data for their own use, the users installing the extension are, at most, mules, for the extension makers.
Alternately, maybe copyright infringement. Some of the data are considered facts, that are not copyrightable (even in aggregate, in the U.S.) but at minimum, the actual content of ads scraped is copyrightable. There might be a question of whether Facebook has standing to sue over infringement of ads for other businesses but their ToS may cover some non-exclusive copyright to shared
> This isn't a case of users knowingly using a tool to scrape data for their own use, the users installing the extension are, at most, mules, for the extension makers.
I feel it's reasonable for the average person to figure that a plugin that pays them for using Facebook and Twitter is paying for the data generated from those sessions. There is already a case with LinkedIn where courts are allowing data scraping even though LinkedIn disallows it and forced LinkedIn to stop blocking it.
I feel like this is a case Facebook should lose. Facebook wants complete ownership of the data from Facebook for marketing purposes because obviously if they're the only ones that have the data they have a monopoly. But preventing others from gathering competing data seems to be a breach of Antitrust. And Facebook execs will openly admit this is what they're doing. They've shut down multiple influencer related companies who completely backed down from a cease and desist from Facebook. And they're refusing to allow anyone to grant influencer agencies access to their data. This is Facebook telling people who they can give their data to. As well as Facebook saying companies can't scrape public information and then sell the statistics. And statistics can't be copyrighted.
> courts are allowing data scraping even though LinkedIn disallows it and forced LinkedIn to stop blocking it
Courts only said "If your server responds to an unauthenticated GET request, that's on you". LinkedIn is free to stop providing that data or move it behind a login wall, they just don't want to because it helps them with SEO. Contrast that with these plugins that are absolutely accessing data behind the user's login.
Also with regards to the antitrust assertions you make, Facebook is absolutely not required to share their data with anyone. People give their data to FB, FB can do what they want with it (as long as it's within the ToS). Facebook can't stop me from also giving my data to someone else outside the platform, but they do not have to facilitate that process in any way.
> Courts only said "If your server responds to an unauthenticated GET request, that's on you". LinkedIn is free to stop providing that data or move it behind a login wall, they just don't want to because it helps them with SEO. Contrast that with these plugins that are absolutely accessing data behind the user's login.
Yes, exactly. Basically saying if LinkedIn was providing the data they couldn't block the data for specific people. In contrast, these plugins are collecting data that someone has chosen to make available to them. This is Facebook attempting to stop people from giving data to their competitors. This is anti-competitive. Overall the LinkedIn case said that if the user made that data available then that is on them. Not that it was an unauthenticated request, but that the data was made public and there was no attempt to bypass any privacy filters.
> Also with regards to the antitrust assertions you make, Facebook is absolutely not required to share their data with anyone. People give their data to FB, FB can do what they want with it (as long as it's within the ToS). Facebook can't stop me from also giving my data to someone else outside the platform, but they do not have to facilitate that process in any way.
One of Facebook's services is to provide that data to other services so you can use those services with that data. Saying no you can't share that data and not provide you that data in export is well, anti-competitive. This is saying "No, we don't want you to give those people that data." This is anti-competitiveness. Suing companies and preventing them from competing is predatory. You make claims that Facebook doesn't have to do these things, I feel like Facebook should be forced to allow these things. Just like we force Facebook to do other things like delete user data or make user data available (which it actually isn't doing completely last time I checked because you can't export your data and then have the exact same data on your own system.)
> I feel it's reasonable for the average person to figure that a plugin that pays them for using Facebook and Twitter is paying for the data generated from those sessions.
I suspect that, to date, you've mostly met above-average people.
The average person, in my experience, has no such expectation or understanding. All they know is "free money!"
> Alternately, maybe copyright infringement. Some of the data are considered facts, that are not copyrightable (even in aggregate, in the U.S.).
Facts aren't copyrightable, but a collection of facts might be if there was sufficient creativity involved in the selection and arrangement of the facts.
The big case on this was Feist Publications, Inc., v. Rural Telephone Service Co., 499 U.S. 340 (1991), where a company copying a telephone book was found not to be infringing because the phone book could not be copyrighted.
The Court ruled that there is a constitutional requirement for at least some minimal degree of creativity in a work for it to be copyrighted. In the case of a phone book, neither the selection criteria (everyone in this region who has a phone) nor the arrangement (alphabetical order by name).
The Court also noted that if there is sufficient creativity in the selection or arrangement to support copyright, the copyright would be on that selection and arrangement. The underlying facts would still be uncopyrightable. In the case of the phone book, for example, that would mean that even if Rural had used a creative arrangement and could copyright that, Feist could still take all the names and phone numbers and produce its alphabetical phone book from them.
Applying this to Facebook, it may be that they do have copyright in the selection and arrangement of facts that were scraped. Whether or not the scraper is infringing would hinge on what they did with those facts.
The case you mention is one-half of the picture, and I feel it's important to mention the other half.
The White Pages are not copyright-able, which is what your case describes. But the Yellow Pages are copyright-able (somewhat). This is because grouping the businesses into categories clears the bar of "minimal degree of creativity" that you mention. However, the individual listings are still not subject to copyright so there's no problem with taking them and re-arranging them.
> Whether or not the scraper is infringing would hinge on what they did with those facts.
I don't think the scraping companies could mount a successful fair use defense so they'd definitely be found to be infringing and could be ordered by a court to stop. What damages they might pay would depend on what they did with the data.
How does the idea that while the user of the extension might agree, the friend group that is sharing the information that is being scraped has not consented?
Yes, there's harm to Facebook, the other users whose data is scraped, and probably to organizations advertising on Facebook. The masses of users and organizations are unlikely to be aware this is going on or to be able to organize and sue the extension makers.
These extensions are made by shitty companies using shitty practices to make money. If current legal frameworks aren't well suited to deal with it, that doesn't make them any less shitty.
These extensions are made by shitty companies using shitty practices to make money by "stealing" data from a shitty company with shitty practices to make money.
You're just a pawn sitting in the middle while the parties to this fight over who gets to exploit you most effectively. The only positive outcome here would be if the courts hugely overstepped their mandate and told everyone involved that this data shouldn't be available at all, you have to destroy it now.
Sure, but doesn't the TOS harm the user by restricting their access to their own data? Facebook might have a case but you can't possibly paint them as a victim here.
The issue is not so much the extensions scraping the individual user's own data (or data about them) but scraping data about advertisers and about other users.
Facebook is harmed through resource consumption by the scraping, the infringement of any copyrights they hold on what's scraped, and potentially harmed in their relationship with their advertising customers and their users.
How bad Facebook's own practices are is irrelevant to the issue of what these extension makers have done. Dirtbags have rights too.
With as little respect I have for Facebook, and how reluctant I'd even be to defend them, your last sentence, "Dirtbags have rights too." is an attitude I think we all should stand to live up to these days.
I agree with your last statement that dirtbags deserve rights too; however, companies should not have rights on par with civilian rights at all. Hell, I'd like to write up a TOS they implicitly sign by taking on my business. ...while we're on the subject of normativity, anyway! :)
The users of the extension have access granted to those friend groups by the owners of those groups. Through that access things get saved. Consent was given...
I feel like users should be having automated tools to scrape for their own use. Once these kind of sophisticated browser automation tools come out eventually Google and ilk will be putting out all stops to prevent browser automation and verify who is using the browser, their real identity and what they are allowed to see (and not see)
I bet they do. Even if most of what is scraped is more properly considered as belonging to their users and customers, I'm sure at least some of what's scraped truly belongs to Facebook.
Even if the specific act of letting the extension run is the fault of each user and presumably means they each violated Facebook's ToS, they can probably sue the extension makers for bribing the users to violate the ToS.
> sue the extension makers for bribing the users to violate the ToS
That's an interesting thought. A ToS is just a (rather questionable, in many cases) contract. Can party A sue party C for bribing party B to violate a contract between A and B? Genuine question - I honestly don't know, but my guess is no.
Looks like they are suing under breach of contract, because employees of the companies had FB accounts and therefore broke the ToS, as well as unjust enrichment. The actual complaint is here:
Hold up- so if Facebook puts any clause in their ToS, I could be sued by them for breaching it? I agreed to create an account there, but I didn’t read or understand the TOS.
Does deleting my account help? Or can they say in their ToS that it’s perpetual? (And oops I already agreed to that)
If people are going to be mad at Facebook for allowing Cambridge Analytica to get access to user data by tricking users into providing access to their data on Facebook by installing apps, they really ought to support Facebook in the effort to block these entities who are pulling the same scheme with chrome extensions.
> tricking users into providing access to their data on Facebook by installing apps
> same scheme with chrome extensions
These are very different things. One took place via Facebook's own platform while the other did not.
If their own platform officially allowed for third parties to collect user data, it is reasonable to complain about that being the case.
If their own platform explicitly forbid collecting user data in such a manner but they stood by and let it happen anyway, it seems reasonable to object to that.
I don't see how it's any of their business what a legitimate user does with their own data after it's been sent to them (ie the page loads). I suppose they could add a provision to their ToS disallowing such use; if a violation were discovered they could ban the user in question. But a third party almost certainly never agreed to such a ToS. It's not the existence of the program that violates the contract but rather a specific instance of its usage.
I think the dichotomy you’re pointing out will affect Facebook’s legal tactics, but has no bearing on the privacy risk they need to defend against. In both cases, Facebook has an API that served data for some authorized client for a specific purpose (users browsing Facebook, users taking a quiz), but really there’s some entity pulling the strings and misusing the client to amass user data (collecting data associated with users who took the quiz, collecting data associated with users browsing on Facebook).
Not only that, but recognize that any location where people share information about themselves is susceptible to attacks like this. Even personal blogs. If you make it so that your friends can see things about you, and your friends are wont to install extensions, then you are vulnerable to this kind of attack. Decentralized open source solutions will not help with this problem. Quite the opposite: who will fund the lawsuit?
Facebook had to dedicate some resources to even go looking for extensions like this. They only have 5000-10000 installs. IMO it demonstrates a change in the company’s attitude toward protecting user data from the old days of letting people download the entire social graph of the US.
And there is a real trade-off here. 10 years ago everyone would be hating them for cracking down on the open web if they did this, and calling it anti-competitive to silo user data.
Interesting if you can get a bug bounty for reporting this. I think if an enterprising bounty hunter heard about that, a bunch of anonymously authored extensions might start mysteriously appearing. It might pay better than building web apps for people on upwork.
I'm not sure what level of KYC the Chrome web store does, but said enterprising bounty hunter might find that it's not that hard to detect a pattern of "Guy reports a lot of suspiciously similar unpopular extensions. Let's get a warrant to find out who he is from his bank and see if Google knows anything about it."
They view themselves as an agent of their users. The users willingly give them data, with the intention of sharing it with a select audience. As the user's agent, one should generally abide by their wishes, and especially prevent the data from being shared further abroad than the user intended.
Unless Facebook stopped creating shadow profiles of non-users (have they? I'm not a user and don't keep up with it) I don't think they have a leg to stand on.
This comment really put into perspective what kind of malware these extensions are to me.
When I think about decentralized open source solutions, the major example that comes to mind is email, with how Gmail can communicate with Hotmail can communicate with AOL Mail.
And this made me realize that these Chrome extensions are not too different from an extension that saves and archives your email history. Pure malware.
Yeah it's interesting to me that people are disregarding the parallels. Is Facebook responsible for keeping your (and your friends) data out of 3rd party hands or not? Maybe if the makers of these extensions were affiliated with GOP PACs...
EDIT: Also to be clear, I do think it is Facebook's job/responsibility/obligation
> Is Facebook responsible for keeping your (and your friends) data out of 3rd party hands or not?
They are responsible for the activity that they directly facilitate on their own platform. They have legal authority over the interactions they directly engage in (ie with users). They have no say (legally or otherwise) over what goes on outside the bounds of their own platform and thus no responsibility for it.
Regulators, not individual actors, are the ones with authority over the broader ecosystem. GDPR and CCPA are examples of such.
What's next, should Google be permitted to publish a ToS forbidding access to their services with non-Chrome browsers and then legally pursue other browser makers for facilitating the violation of their ToS?
My understanding is that CA got the data by building a free quiz app on Facebook’s platform (I don’t think FB was getting paid for that, correct me if I’m wrong). The difference is that the quiz app used Facebook’s developer-facing APIs to access the data, whereas these Chrome extensions are hijacking the user agent to access the data via Facebook’s browser-facing APIs. I don’t think it makes a difference as to whether Facebook ought to try to stop the data collection to prevent another CA-type scandal, and to protect itself from the resulting uproar. The fact that the extension developers haven’t made any agreement with FB means that FB needs different legal tools to try to shut it down, and perhaps they won’t succeed.
A quick search indicates they have free plans up to a certain number of active users and then you need to call them. So apparently they keep their pricing secret.
Given their tracking pixels are installed on at least 8 million websites(1), they are effectively watching everything you do on a large proportion of popular/commercial websites.
They were also caught a few years ago asking users to "verify their emails" by providing Facebook their email account password(2), after which FB's servers logged into the user's email account and scraped their contacts out without warning.
They also acquired a popular VPN app explicitly so they could comb through the users' traffic data and identify competing apps for acquisition.(3)
In my opinion it's core to how the company has always been. Facebook's predecessor, or perhaps first iteration, FaceMash, was a hot-or-not game based on student photos scraped from Harvard's internal websites(4).
> They were also caught a few years ago asking users to "verify their emails" by providing Facebook their email account password(2), after which FB's servers logged into the user's email account and scraped their contacts out without warning.
Why aren't developers in jail for this? Breaking into someone's email account and exfiltrating their data - disgusting. Clicking "OK" on a 500 page ToS doesn't get you out of this.
I'm so sick of this criminal behavior being brushed off as "growth hacking", "move fast and break things", or some other bullshit. The people creating this garbage should feel some shame and face real consequences.
Which makes it even worse. At least with the extension the user is deciding to install it.
In the webpage case, the web developer is choosing to provide the user's data to Facebook or Google (without the user's consent). The vast majority of people don't even understand how this works and think that Facebook can only see activity performed on Facebook itself.
Yes, but thinking that it's a specific issue is misguided. This is how the web works and it is extremely hard to change it. By default you do send your IP, and other metadata, to a server who can do whatever they want with it. You can either refuse this reality and try to invent a new set of internet protocols, or try to fix them on the client-side with VPNs and browsers that randomize metadata, etc. Not super practical though.
FB asks you explicitly if you want to upload your contacts as part of helping you find your friends. That's a far cry from "scraping your data everywhere on the internet" from your grandparent post.
Off-hand I suspect your contact book is more valuable than virtually anything publicly available on you. It's also entirely unnecessary to building a lookup-by-email or lookup-by-phone. I'm going to go ahead and say it's a much more evil practice than scraping.
This is interesting - instead of suing under the idea that scraping itself is wrong (courts have ruled that public information that you can get on websites can be scraped... I think it is something like 50%+ of web traffic in the U.S. is bot traffic), they are suggesting that scraping through a logged-in account is somehow different.
If the user of the account consents to have the plugin installed on their computer and is made aware that the plugin will scrape this data, you could argue that there is nothing wrong here.
However, people post on Facebook under the idea that the information they share will only be viewable by their friend group (or as dictated by their privacy settings).
That's where this gets interesting... does the friend group of the person with the plugin have any rights to privacy that dictate what the person with the plugin can do with their data?
If I take a picture of a newsfeed, for example, that has information my friends have posted, and share that somehow - am I violating their privacy legally?
Pretty sure that either the user is not aware at all of the scraping, or anyway the scraping is not done in the user's interest and the user is not in a position to fully understand the implications, so it is a clearly malicious operation.
In other words, they are abusing the user's trust to access the user's private data for their own profit, hence defrauding the user, and engaging in unauthorized access to the data shared between the user and Facebook without either party's full informed consent.
I don't think Facebook is serving ads in the user's interest and the user doesn't understand the implications either. The user has to understand that there's no free lunch.
This is also interesting, because people (mostly my friends) also use Facebook as a tool to share pictures and other PII about me without my consent. In that regard, I don't know if there's a clear difference between Facebook and these extensions.
I wonder if the court would rule differently if the extensions were designed to enable interoperability with other social networks. Admittedly it would be a rather awkward UX if you had to browse pages in FB before returning to your preferred social network to view the scraped data there.
I've wondered if something like this was coming for honey/joinhoney extension..
Sure pulling info from PortalX that is public is one thing - but what if Amazon starts adding coupon codes for logged in users only? or even if not logged in, but recognized user - adds special promo price for doing thing Y.. at that point they are scraping non-public data.
They would also be using that data for other purposes than just the single user who is accessing it - most likely..
I find the lack of privacy discussion in the joinhoney ads I've heard to be a bit distressing personally.
Just looked at their privacy policy, and I wonder if "Honey does not track your search engine history, emails, or your browsing on any site that is not a retail website (a site where you can shop and make a purchase)"
Is purposefully trying to put into users' minds, retail, you know like home depot, bed bath, etc.. but the way it's written can include online retail portals.. but with "(a site where you can shop and make a purchase)" added as a qualifier - wouldn't this include pornhub and similar places?
Fingers crossed the browser makers will include on-off toggles for extensions soon - similar to how uBlock origin has - would be great to have a whitelist list of sites that I could have my browser remind me that I can turn on SpyShoppingExtensionToCheck - then auto turn off when leaving set list..
I avoided so many Chrome extensions that said 'perms to view / change all web pages' - even though I may have really wanted to use them on blankTube and yaddaTube - I didn't want them reading all web pages, and the current UI for turning off and on is not optimal imho.
> (i) we will collect and store data which includes a randomly generated device ID and user ID as well as data about sponsored campaigns, sponsored posts or advertisements that target you directly or that have been shared with you on specific mobile applications, social media and/or other websites, as applicable; and (ii) we will complement these data with general demographic and profile information, which we collect from you as part of your registration/qualification to the Panel App and/or from your Facebook profile, like your age, your gender, where you live (by region), your relationship status and your general interests. You may also provide us with, and we may collect, additional information when you answer certain survey questions.
It states clear what it does. If not it is problem of usability. Chrome Store should provide badge "Collects Data". People sell their data for discount both online and in real world. How can service provider sell my data and I can't? It may be interesting experience - create clean profile, watch guitar lessons on youtube, I can share it.
I guess to take this one step further, if these extensions become ad platforms by themselves and replace ads that facebook puts in your feed w/ their own ads, what would happen?
uBlock origin (basic) - blocks facebook tracking, does not track you, inserts non personalized ads.
uBlock origin (premium) - 1$ / mo. Blocks all ads.
Facebook should lose this one. Secret shopping isn't illegal, and using tools to secret shop isn't illegal either. Going after camera manufacturers because they are tools used to secret shop certainly isn't illegal, even if the camera was called the "SecretShopper 3000" and paid you to do it.
The users on the other hand, if they were unaware of what the extensions were doing in exchange for that money, might have a case against the extension manufacturers. But how could Facebook possibly have standing?
> the scrapers are acting as agents of individual users.
According to the article, it's the reverse, the individual users are acting as paid agents of the scrapers, a proxy giving scrapers access to data through the users' access to Facebook.
The extension is still impersonating or watching the user, with full permission from the user (acting as its agent, its UserAgent even) - if anyone broke FB's ToS, it's the user, not the maker of the extension.
I wonder what legal principle gives Facebook standing to sue the makers of the extension.
Even if the specific act of letting the extension run is the fault of each user and presumably means they each violated Facebook's ToS, they can probably sue the extension makers for bribing the users to violate the ToS.
Each user only chooses to install the extension, the extension makers choose what data to scrape and I'm sure at least some of what's scraped truly belongs to Facebook, not their users or customers.
If a Facebook account can be considered a technological barrier protecting intellectual property, they could sue under DMCA anti-circumvention provisions. The users installing the extension could be accomplices but they're not really the ones scraping and collecting the data.
> If a Facebook account can be considered a technological barrier protecting intellectual property, they could sue under DMCA anti-circumvention provisions.
It would also likely make screen readers, screenshots, and many other things illegal. I don't think it can be considered a "technological barrier", but who knows what courts will decide.
That said, I'd be surprised if that's the angle Facebook is taking - because they did (and still do) the same thing with their phone apps collecting ("scraping") address book records and uploading them to facebook servers -- and that would be an estopple-able admission of guilt if they do (even if the courts decide against them in THIS particular case).
IANAL, but if I make a tool whose purpose is to violate the FB ToS, I could be liable under torturious interference (I think that's what it's called). Basically, I can't make money off of things that violate other people's contracts.
I think tortious interference (https://en.wikipedia.org/wiki/Tortious_interference) requires having the specific intention of causing the violation to occur. Not just that one party happened to be motivated to break contract because of something you did but rather that your actions were motivated by specifically trying to get them to break the contract in and of itself.
Do you know which jurisdictions have a precedent of ToS being considered a contract?
Being a one-sided, no negotiation and with no "meeting of minds", most European jurisdictions won't consider this a contract -- facebook can kick any user out, but it is unlikely they could recover damages from anyone (or have standing). At least that's my impression -- though US courts, especially in states that have UCITA or similar, are more likely to consider this a contract.
edit: I've found two jurisdictions, and both of them require proof of actual economic harm for standing (among many other things). I'll wait for more specific details about Facebook's approach...
What? the Atlas thing is recording what a set of people do, passively. These extensions are actively scraping extra data from web sites beyond what the user is doing.
As long as users know what the extension is doing, hope the extension owners win. Facebook has a choice to boot the users if they don't like them giving credentials to the extension.
What Facebook considers is not what matters though. They've shown time and time again that they are terrible stewards of people's private data. They should not be a trusted party, and Google isn't far behind. Being sympathetic to their point of view when it comes to privacy is entirely the wrong angle to take.