11:52 AM

Facebook Settles Lawsuit Over Sponsored Stories

Proposes paying $10 million to settle class action lawsuit over using Facebook users' names and images in advertising without their permission.

Facebook's History: From Dorm To IPO Darling
Facebook's History: From Dorm To IPO Darling
(click image for larger view and for slideshow)
Facebook has proposed paying $10 million to settle a class action lawsuit over its use of Facebook users' images and names in its Sponsored Stories advertising campaigns.

Before becoming final, however, the proposed settlement must first be approved by a federal judge.

The settlement relates to a class action lawsuit first filed in U.S. District Court in California in March 2011 by Angel Fraley, Paul Wang, and Susan Mainzer, as well as two minors named only by their initials (J.H.D. and W.T.). It alleged that Facebook's use of its users' images for advertising purposes--without compensation--had caused them economic harm.

[ For more on Facebook and privacy concerns, see Facebook Buys Face.com: At What Privacy Cost? ]

"At issue here is one of Facebook's advertising practices in particular, 'Sponsored Stories,' which appear on a member's Facebook page, and which typically consist of another member's name, profile picture, and an assertion that the person 'likes' the advertiser, coupled with the advertiser's logo," read court documents filed in support of the lawsuit. "Sponsored Stories are generated when a member interacts with the Facebook website or affiliated sites in certain ways, such as by clicking on the 'Like' button on a company's Facebook page."

After the lawsuit was first filed, Facebook issued the following statement: "We are reviewing the decision and continue to believe that the case is without merit." Facebook also sought to distinguish its Sponsored Stories from advertising. For example, last year in an interview with the BBC, Facebook public policy VP Elliot Schrage explained to BBC reporter Emily Maitlis the process by which clicking the "Like" button could lead to users' names or images being used in Sponsored Stories. "When I press a 'Like' button on an ad, I'm trying on the Facebook system, I am affirmatively communicating that I am associating myself with whatever I'm liking. And what that does is create a story," he said.

"Well, you can call it a story--many people would call it an advertisement--and Facebook is getting paid for those by the companies," responded Maitlis.

Interestingly, the presiding judge in the "Fraley versus Facebook" case appeared to agree. "California has long recognized a right to protect one's name and likeness against appropriation by others for their advantage," U.S. District Judge Lucy Koh wrote in a December 2011 ruling that granted and denied parts of a motion filed by Facebook to dismiss the lawsuit.

Koh ruled that Facebook's interpretation that its "Like" button constituted a consumer endorsement of any product or service, allowing their name or likeness to be used for free in advertising, potentially violated California's Right of Privacy Law.

The plaintiffs argued--under the state's Right of Privacy Law--that they were economically injured by having their names and likenesses used without compensation. But Facebook, in its motion to dismiss the case, argued that because the Facebook users weren't celebrities, they should first have to demonstrate that had "some preexisting commercial value to their names and likenesses," according to court documents. Koh dismissed that argument, noting that under California law, residents didn't have to be celebrities to suffer economic injury when their name, voice, signature, photograph, or likeness was used without their consent.

The plaintiffs also argued that Facebook's privacy policy "led them to believe they have control over Facebook's use of their likeness in advertising such as Sponsored Stories," according to court documents.

But actually opting out of Sponsored Stories isn't a straightforward process. "Members are unable to opt out of the Sponsored Stories service, which was introduced after Plaintiffs became Facebook members, and instructions on how to disable an individual post from appearing on Friends' News Feeds or as a Sponsored Story are only available on a 'buried Help Center page, not connected by any link within the Privacy Policy or Statement of Rights and Responsibilities pages,'" wrote Koh in her ruling.

Facebook didn't immediately respond to a request for comment about what changes the company might make in the wake of the proposed settlement, such as altering its data use policy or discontinuing its practice of using members' names and images as part of Sponsored Stories should they click the "Like" button for a company, brand, or product.

Facebook's proposed settlement would distribute $10 million not to users, but rather "to groups whose charters set out actions and programs relevant to advocacy related to the purposes for which the case was brought." The settlement focused on that type of a payout after finding that any type of compensation for affected members would be "not practicable," wrote Edward A. Infante, the retired Chief Magistrate Judge of the U.S. District Court who mediated the settlement agreement. For example, any damages awarded under the California Right of Publicity Law could involve a minimum of $750 per person affected, which, if applied to all Facebook users, would result in a fine of $75 billion.

New apps promise to inject social features across entire workflows, raising new problems for IT. In the new, all-digital Social Networking issue of InformationWeek, find out how companies are making social networking part of the way their employees work. Also in this issue: How to better manage your video data. (Free with registration.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
The Role of KPIs in Incident Response
John Moran, Senior Product Manager, DFLabs,  4/18/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.