Facebook Tries Again On Sponsored Stories Settlement

New proposed settlement terms call for plaintiff payments, increased user control over content. Meanwhile, Facebook urges judge to dismiss proposed $15 billion class action lawsuit over tracking practices.

Cue take two for a proposed Facebook settlement over the social network's Sponsored Stories program, which was the subject of a class action lawsuit filed on behalf of users whose names and images were used for advertising purposes without their permission.

In a surprise turn of events, the first proposed settlement was blocked in August by U.S. District Court Judge Richard Seeborg, who voiced "serious concerns" with a provision in the settlement that guarantees that the plaintiffs' lawyers will receive up to $10 million in attorneys' fees from Facebook.

Given that the settlement amount being offered to consumers affected by Sponsored Stories was also $10 million, Seeborg asked whether the lawyers representing consumers "may 'have bargained away something of value to the class'"--meaning they may not have demanded enough money from Facebook--and asked to know how negotiators had arrived at their total $20 million settlement amount.

Critics of the settlement also questioned why all of the settlement money--beyond attorney fees and related costs--was set to go not to affected consumers, but rather to six organizations that deal with consumers' privacy rights: Consumer Federation of America, Electronic Frontier Foundation, Campaign for a Commercial-Free Childhood, Center for Democracy and Technology, Rose Foundation, and the Stanford Law School Center for Internet and Society.

But that could change, as the amended settlement filed Friday now says that affected consumers will receive "a one-time cash payment equal to $10." If more than one million consumers make a settlement-related claim, the $10 million will be split evenly between them. If the settlement amounts drop to less than $5, however, the settlement administrator can either split the money equally between all claimants, or instead distribute all of the money to the aforementioned privacy organizations.

Other settlement changes include Facebook providing consumers with an easily accessible way to review all of their Sponsored Stories interactions, including any related content of theirs that may have been used. Facebook would also revise its terms of service to make clear that any user agrees to give Facebook "permission to use your name, profile picture, content, and information in connection with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us." In other words, Facebook will tell users that they "permit a business or other entity to pay us to display your name and/or profile picture with your content or information."

Meanwhile, anyone under the age of 18 who uses Facebook would be attesting that their parent or legal guardian has agreed to those terms. That said, when Facebook knows about users' family relationships--for example, when a user designates themselves to be the parent of a minor who's also a Facebook user--it will allow the parent to opt their child out of Sponsored Stories. "Where a minor user indicates that his or her parents are not on Facebook, Facebook will make the minor ineligible to appear in Sponsored Stories until he or she reaches the age of 18, until the minor changes his or her setting to indicate that his or her parents are on Facebook, or until a confirmed parental relationship with the minor user is established," reads the revised settlement.

In other lawsuit-related Facebook news, an attorney for the social network Friday urged a judge to dismiss a separate $15 billion class action lawsuit against the company, which consolidated lawsuits filed in 10 different states. The lawsuit accuses Facebook of tracking users' online behavior even after they'd left the social network's website.

Facebook attorney Matthew Brown told U.S. District Judge Edward Davila that the complaint against Facebook--in what's known as the "In re Facebook Internet Tracking Litigation" case--contained an "utter lack of allegations of any injury to these particular named plaintiffs," reported Bloomberg. Because the plaintiffs hadn't demonstrated that anyone had been harmed, Brown recommended that the lawsuit be dismissed.

But Stephen Grygiel, a lawyer for the users, disputed that no harm had been done, telling the court that "through a trick," Facebook had intercepted communications with other websites, reported Bloomberg. "Nowhere in Facebook's privacy policies does the company say, 'We are involved in your communication with third-party websites after you log out,'" he said.
