Last September, Australian developer Nic Cubrilovic reported on his blog that Facebook was able to identify users when they visited sites with the "like" button or other social widgets -- even when those users were logged out of the social networking service.
The news proved embarrassing for the social networking site, which quickly rolled out a fix while downplaying Cubrilovic's findings as a coding bug. But that didn't stop consumers from suing. Within days, the company was hit with five separate potential class-action lawsuits alleging that it violated various laws by receiving information about users as they surfed the Web. Other lawsuits soon followed; the cases ultimately were consolidated in U.S. District Court for the Northern District of California, where they are pending before Judge Edward Davila. Yesterday, on the eve of Facebook's initial public offering, users filed an amended complaint in the matter.
The new papers allege that Facebook violated federal privacy laws and federal computer fraud laws as well as California state laws. "Even though Facebook assures its users that it does not track their internet browsing post log out, Facebook has been doing exactly that," the lawsuit says.
For Facebook, these types of lawsuits are nothing new. On the contrary, the company has been hit with dozens of potential class-actions in the last four years. So far, none of the cases have gone to trial.
The first major privacy lawsuit against Facebook came in 2008, when users sued the company for its now-infamous Beacon program. With Beacon, Facebook told users about their friends' purchases at retail sites like Blockbuster.com and Overstock.
Facebook agreed to a $9 million settlement, two-thirds of which was supposed to go toward the launch of a new privacy foundation. A trial judge approved the deal, but a legal challenge by Ginger McCall -- a Facebook user and a privacy advocate -- is still pending in the 9th Circuit Court of Appeals. McCall argues that the settlement gives Facebook too much control over the new foundation.
That's not the only privacy lawsuit still dogging Facebook. The company also is embroiled in litigation with users who say that the "sponsored stories" program violates a California law that gives people the right to control how their names and images are used in endorsements. Last December, U.S. District Court Judge Lucy Koh in the Northern District of California rejected Facebook's arguments that the case should be dismissed because the users weren't harmed economically. Koh ruled that users could proceed because California's misappropriation statute provides for at least $750 in damages per violation.
But in other cases, Facebook also succeeded in convincing judges to throw out the lawsuits at an early stage. Last October, U.S. District Court Judge Richard Seeborg in the Northern District of California came to the opposite conclusion as Koh in a case alleging violations of California's misappropriation law. Seeborg threw out a lawsuit against Facebook by users who said their identities were misappropriated in Friend Finder ads. Those ads displayed users' names and photos in ads to their friends; Seeborg decided the users couldn't proceed because they lacked proof of economic injury.
In yet another pro-Facebook ruling, U.S. District Court Judge James Ware in the Northern District of California dismissed a potential class-action lawsuit accusing Facebook of "leaking” users' personal information to advertisers via referrer headers. Ware ruled that the consumers couldn't proceed with their claims because they couldn't show that they had been harmed by any disclosures. "Nominal damages and speculative harm do not suffice to show legally cognizable damage," Ware wrote in that matter.
Consumers in both of those cases filed appeals to the 9th Circuit Court of Appeals.