Facebook privacy lawsuit 'a jumbled mess'

A lawsuit against Facebook appears to be all over the place and not based on an real understanding of how the site works.

Larry Magid
Larry Magid
Larry Magid is a technology journalist and an Internet safety advocate. He's been writing and speaking about Internet safety since he wrote Internet safety guide "Child Safety on the Information Highway" in 1994. He is co-director of ConnectSafely.org, founder of SafeKids.com and SafeTeens.com, and a board member of the National Center for Missing & Exploited Children. Larry's technology analysis and commentary can be heard on CBS News and CBS affiliates, and read on CBSNews.com. He also writes a personal-tech column for the San Jose Mercury News. You can e-mail Larry.
3 min read

While I can't comment on the entire suit, it's clear to me that parts of the just-filed privacy lawsuit against Facebook represent a lack of understanding of how social networks like Facebook work as well as how best to protect children and adults on the Internet. I'm especially baffled by the allegation that Facebook violated the rights of an 11-year-old child because he disclosed that he had swine flu.

The suit, brought by five plaintiffs in Southern California, alleges that Facebook violates California privacy laws.

The child who said he had swine flu is identified as "Xavier O." The complaint says he "has a Facebook account that was opened without the knowledge or consent of his parents." He allegedly "uploaded personal information, videos and photographs, including swimming and/or partially clothed photographs of children ages 5 to 11." It further says that he posted information that he had swine flu and asked people to "Please pray for me...God Bless." The complaint says that "upon learning of the Facebook account and the posting of an uncertain medical condition," the child's parents "removed the medical condition postings from Facebook" and that "Xavier O. and his parents have been unable to learn where the minor's medical information may have been stored, disseminated or sold by Facebook."

(Disclosure: I'm co-director of ConnectSafely.org, a nonprofit organization that receives financial support from Facebook as well as other companies.)

I don't know where to begin parsing young Xavier's case. First, by simply having a Facebook account he was violating Facebook's terms of service. And why did his parents only remove "the minor's medical information?" They should have deleted his entire account.

Like all reputable social networking sites, Facebook complies with the Children's Online Privacy Protection Act (COPPA) by not allowing children under 13 to have accounts (COPPA does make provisions for accounts for children under 13 but imposes certain conditions including parental consent). The only way for this young man to obtain a Facebook account would be to lie about his date of birth.

Facebook makes reasonable efforts to remove accounts of children where there is evidence they are under 13, but it's not possible to catch every violator of these terms and its attempts to validate the ages of members are consistent with industry practices. While it could be argued that they should be using some type of age-verification technology, an exhaustive investigation of those technologies by the Harvard Berkman Center led Internet Safety Technology Task Force (of which I was a member) determined that such technologies, at the current time, are neither effective nor necessarily desirable.

Once on Facebook, anything a person posts can, by default, be seen only by his friends or people in his network. If Xavier's profile was available to additional people, it was because he changed his default privacy settings. But, even if he hadn't, there is always the possibility that a friend or anyone with access to his profile could copy any text or images posted and disseminate them. So of course it's possible that such information could have been stored, or disseminated. In an e-mail interview, Facebook spokesman Barry Schnitt said, "There are no circumstances under which we would have sold that information." He further points out that the plaintiffs in the suit "make many assertions about mining data and selling it, but never say who is buying."

What I find very strange is the statement that the 11-year-old had posted "swimming and/or partially clothed photographs of children ages 5 to 11." Could they be implying he was posting child pornography images? If so (and I doubt it), this kid could find himself in juvenile court.

Another strange allegation comes from a college student who joined Facebook in 2005 back when it was for college students only. Somehow she is shocked that Facebook is now open to anyone--a change that Facebook made with great fanfare in 2006. If she's so unhappy about the change, why doesn't she just close her account?

Santa Clara University Law Professor Eric Goldman told me that he considers the complaint to be "a jumbled mess." "There is a style of complaint that lists every single possible gripe you have with a company," he said. "This one listed all sorts of random gripes about Facebook including insignificant items like their acquisition of FriendFeed." He added, "lawyers sometimes do that, hoping that if you throw those against the wall, the judge will find something that sticks."

This post is adopted from a post that first appeared on my site, SafeKids.com.