10/8/2012
01:20 PM

Facebook Tries Again On Sponsored Stories Settlement

New proposed settlement terms call for plaintiff payments, increased user control over content. Meanwhile, Facebook urges judge to dismiss proposed $15 billion class action lawsuit over tracking practices.

Cue take two for a proposed Facebook settlement over the social network's Sponsored Stories program, which was the subject of a class action lawsuit filed on behalf of users whose names and images were used for advertising purposes without their permission.

In a surprise turn of events, the first proposed settlement was blocked in August by U.S. District Court Judge Richard Seeborg, who voiced "serious concerns" with a provision in the settlement that guarantees that the plaintiffs' lawyers will receive up to $10 million in attorneys' fees from Facebook.

Given that the settlement amount being offered to consumers affected by Sponsored Stories was also $10 million, Seeborg asked whether the lawyers representing consumers "may 'have bargained away something of value to the class'"--meaning they may not have demanded enough money from Facebook--and asked to know how negotiators had arrived at their total $20 million settlement amount.


Critics of the settlement also questioned why all of the settlement money--beyond attorney fees and related costs--was set to go not to affected consumers, but rather to six organizations that deal with consumers' privacy rights: Consumer Federation of America, Electronic Frontier Foundation, Campaign for a Commercial-Free Childhood, Center for Democracy and Technology, Rose Foundation, and the Stanford Law School Center for Internet and Society.

But that could change, as the amended settlement filed Friday now says that affected consumers will receive "a one-time cash payment equal to $10." If more than one million consumers make a settlement-related claim, the $10 million will be split evenly between them. If the settlement amounts drop to less than $5, however, the settlement administrator can either split the money equally between all claimants, or instead distribute all of the money to the aforementioned privacy organizations.

Other settlement changes include Facebook providing consumers with an easily accessible way to review all of their Sponsored Stories interactions, including any related content of theirs that may have been used. Facebook would also revise its terms of service to make clear that any user agrees to give Facebook "permission to use your name, profile picture, content, and information in connection with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us." In other words, Facebook will tell users that they "permit a business or other entity to pay us to display your name and/or profile picture with your content or information."

Meanwhile, anyone under the age of 18 who uses Facebook would be attesting that their parent or legal guardian has agreed to those terms. That said, when Facebook knows about users' family relationships--for example, when a user designates themselves to be the parent of a minor who's also a Facebook user--it will allow the parent to opt their child out of Sponsored Stories. "Where a minor user indicates that his or her parents are not on Facebook, Facebook will make the minor ineligible to appear in Sponsored Stories until he or she reaches the age of 18, until the minor changes his or her setting to indicate that his or her parents are on Facebook, or until a confirmed parental relationship with the minor user is established," reads the revised settlement.

In other lawsuit-related Facebook news, an attorney for the social network Friday urged a judge to dismiss a separate $15 billion class action lawsuit against the company, which consolidated lawsuits filed in 10 different states. The lawsuit accuses Facebook of tracking users' online behavior even after they'd left the social network's website.

Facebook attorney Matthew Brown told U.S. District Judge Edward Davila that the complaint against Facebook--in what's known as the "In re Facebook Internet Tracking Litigation" case--contained an "utter lack of allegations of any injury to these particular named plaintiffs," reported Bloomberg. Because the plaintiffs hadn't demonstrated that anyone had been harmed, Brown recommended that the lawsuit be dismissed.

But Stephen Grygiel, a lawyer for the users, disputed that no harm had been done, telling the court that "through a trick," Facebook had intercepted communications with other websites, reported Bloomberg. "Nowhere in Facebook's privacy policies does the company say, 'We are involved in your communication with third-party websites after you log out,'" he said.

