Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 1 of 50
UNITED STATES OF AMERICA, Plaintiff
Case No. 19-cv-2184
UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA
COMPLAINT FOR CIVIL
v. PENALTIES, INJUNCTION, AND
Plaintiff, the United States of America, acting by and through the Consumer Protection Branch of the U.S. Department of Justice, alleges that:
1. Plaintiff brings this action against Defendant Facebook, Inc. (“Facebook”) under Sections 5(a) and (l) and 16(a)(1) of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §§ 45(a) and (l) and 56(a)(1), to obtain civil penalties, an injunction, and other equitable relief for violations of a 2012 order previously issued by the Federal Trade Commission (“FTC” or “Commission”) for violations of Section 5(a) of the FTC Act. See Exhibit A, In re Facebook, Inc., C-4365, 2012 FTC LEXIS 135 (F.T.C. July 27, 2012) (Decision and Order) (“Commission Order” or “2012 Order”). This action seeks to hold Facebook accountable for its failure to protect consumers’ privacy as required by the 2012 Order and the FTC Act.
FACEBOOK, Inc., a corporation,
Page 1 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 2 of 50
NATURE OF THE CASE
2. Facebook operates a social-networking service through its website— www.facebook.com—and mobile applications. Those applications connect consumer users of Facebook’s service, who each create a Facebook “profile” showing personal information, with “Friends” who also have Facebook accounts and profiles (“Friends” or “Facebook Friends”). Through its service, Facebook collects and maintains vast amounts of consumer information. As of 2018, Facebook had more than 2.2 billion monthly active users worldwide. Over one hundred million Americans use Facebook every day to share personal information, such as their real name, date of birth, hometown, current city, employer, relationship status, and spouse’s name, as well as sensitive personal information, such as political views, sexual orientation, photos of minor children, and membership in health-related and other support groups. Users can also provide information about themselves by indicating that they “like” public Facebook pages. Research suggests that a user’s “likes” of public Facebook pages can be used to accurately predict that user’s personality traits, sometimes better than the user’s own friends and family. In addition, Facebook users may install and use applications (“apps”) developed by third-parties (“third-party developers”) that allow the users to share information with their Facebook Friends.
3. Facebook’s core business model monetizes user information by using it for advertising. Substantially all of Facebook’s $55.8 billion in 2018 revenues came from advertising.
4. To encourage users to share information, Facebook promises users that they can control the privacy of their information through Facebook’s privacy settings. However, through at least June 2018, Facebook subverted users’ privacy choices to serve its own business interests.
Page 2 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 3 of 50
5. Beginning at least as early as 2010, every Facebook user who installed an app (“App User”) agreed to Facebook sharing with the third-party developer of the installed app both information about the App User and the App User’s Facebook Friends. Facebook’s default settings were set so that Facebook would share with the third-party developer of an App User’s app not only the App User’s data, but also data of the App User’s Facebook Friends (“Affected Friends”), even if those Affected Friends had not themselves installed the app. Affected Friends could only avoid this sharing by finding and opting out of it via settings on Facebook’s Applications page, which was located on Facebook’s website and mobile applications, separate and apart from Facebook’s Privacy Settings page. Third-party developers that received user and Affected Friend information could use that information to enhance the in-app experience or target advertising to App Users and their Affected Friends. In the wrong hands, user and Affected Friend data could be used for identity theft, phishing, fraud, and other harmful purposes.
6. In 2012, after an FTC investigation, Facebook settled allegations that its practice of sharing Affected Friends’ data with third-party developers of apps was deceptive. The resulting Commission Order, among other things, prohibits Facebook from misrepresenting the extent to which consumers can control the privacy of their information, the steps that consumers must take to implement such controls, and the extent to which Facebook makes user information accessible to third parties. See Commission Order, Parts I.B. & C.
7. In the wake of the FTC’s initial investigation, Facebook retained the separate opt- out sharing setting on its Applications page, but it added a disclaimer to its Privacy Settings page, warning users that information shared with Facebook Friends could also be shared with the
Page 3 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 4 of 50
apps those Friends used. However, four months after the 2012 Order was finalized, Facebook removed this disclaimer—even though it was still sharing Affected Friends data with third-party developers and still using the same separate opt-out setting that undermined users’ privacy choices before entry of the Commission Order.
8. At its F8 conference in April 2014—one theme of which was user trust— Facebook announced that it would stop allowing third-party developers to collect data about Affected Friends. Facebook also told third-party developers that existing apps could only continue to collect Affected Friend data for one year, or until April 2015. But, after April 2015, Facebook had private arrangements with dozens of developers, referred to as “Whitelisted Developers,” that allowed those developers to continue to collect the data of Affected Friends, with some of those arrangements lasting until June 2018.
9. At least tens of millions of American users relied on Facebook’s deceptive privacy settings and statements to restrict the sharing of their information to their Facebook Friends, when, in fact, third-party developers could access and collect their data through their Friends’ use of third-party developers’ apps. Facebook knew or should have known that its conduct violated the 2012 Order because it was engaging in the very same conduct that the Commission alleged was deceptive in Count One of the original Complaint that led to the 2012 Order. See Exhibit B, In re Facebook, Inc., C-4365, 2012 FTC LEXIS 136 (F.T.C. July 27, 2012) (“Original Complaint”).
10. Facebook also failed to maintain a reasonable privacy program that safeguarded the privacy, confidentiality, and integrity of user information, as required by Part IV of the 2012 Order. The requirement in the 2012 Order that Facebook maintain a reasonable privacy program
Page 4 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 5 of 50
was vitally important because Facebook had allowed millions of third-party developers to access and collect massive troves of consumer data about both App Users and their Facebook Friends, and Facebook failed to track that data in an organized, systematic way.
11. As a general practice, Facebook did not vet third-party developers before granting them access to consumer data; instead, developers simply had to check a box agreeing to comply with Facebook’s policies and terms and conditions, including those designed to protect consumer information. This made Facebook’s enforcement of its policies, terms, and conditions acutely important.
12. Facebook’s enforcement of its policies, terms, and conditions, however, was inadequate and was influenced by the financial benefit that violator third-party app developers provided to Facebook. This conduct was unreasonable. Facebook never disclosed this disparate enforcement practice to the third-party assessor charged by the 2012 Order with assessing the implementation and effectiveness of Facebook’s privacy program, nor did Facebook disclose its enforcement practices to the Commission in its biennial assessment reports mandated by the 2012 Order. See Commission Order, Part V.
13. In addition to its violations of the 2012 Order, Facebook also engaged in deceptive practices in violation of Section 5(a) of the FTC Act. Between November 2015 and March 2018, Facebook asked its users to provide personal information to take advantage of security measures on the Facebook website or mobile application, including a two-factor authentication measure that encouraged provision of users’ phone numbers. Facebook did not effectively disclose that such information would also be used for advertising.
Page 5 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 6 of 50
14. Finally, in April 2018, Facebook updated its data policy to explain that Facebook would use an updated facial-recognition technology to identify people in user-uploaded pictures and videos “[i]f it is turned on,” implying that users must opt in to use facial recognition. Contrary to the implication of this updated data policy, however, tens of millions of users who still had an older version of Facebook’s facial-recognition technology had to opt out to disable facial recognition. This violated the 2012 Order by misrepresenting the extent to which consumers could control the privacy of their information used for facial recognition.
JURISDICTION AND VENUE
15. This Court has subject matter jurisdiction pursuant to 28 U.S.C. §§ 1331, 1337(a), 1345, and 1355; and 15 U.S.C. §§ 45(a) and (l), and 56(a)(1).
16. Venue in this District is proper under 28 U.S.C. §§ 1391(b)(2), (c)(2), and 1395(a); and 15 U.S.C. § 53(b).
17. Facebook, Inc. is a Delaware corporation with its principal office or place of business at 1601 Willow Road, Menlo Park, California 94025. At all times relevant to this Complaint, Facebook has operated its social-networking service through its website, www.facebook.com, and mobile applications that connect users with Friends on Facebook.
18. At all times material to this Complaint, Facebook maintained a substantial course of trade in or affecting commerce, as “commerce” is defined in Section 4 of the FTC Act, 15 U.S.C. § 44.
Page 6 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 7 of 50
THE COMMISSION ORDER
19. As part of Facebook’s operation of its social-networking service, it has for years offered the Facebook Platform (“Platform”), a set of tools and application programming interfaces (“APIs”) that enable third-party developers to access user data and develop software applications, such as games, with which Facebook users can interact; it also allows users to use apps or log into websites using their Facebook credentials.
20. In April 2010, Facebook launched an initial version of the Graph API (“Graph API V1”), which allowed third-party developers to access and collect data about Facebook App Users. Graph API V1 also allowed third-party developers to access and collect data about Affected Friends.
21. At that time, Facebook’s settings presented an App User with a screen whereby the app requested permission from the App User before initial installation to permit it to access certain fields of data, as shown in the example below:1
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 8 of 50
22. Facebook did not require third-party developers to request permission directly from Affected Friends of App Users to access those Affected Friends’ data from Facebook. Instead, Facebook automatically sent Affected Friend data based solely on App Users’ granted permission.
23. Using this process, third-party developers could collect dozens of pieces of data from Facebook about Affected Friends, including information related to each Affected Friend’s:
• news article activity • books activity
• current city
• education history
• fitness activity
• games activity
• music activity
• online presence
• Open Graph activity
• relationship details
• religion/political views • status
• video-watch activity
• website URL
• work history
Page 8 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 9 of 50
24. In its 2012 Original Complaint in the proceeding bearing Docket No. C-4365, the Commission charged Facebook with engaging in unfair and deceptive acts or practices in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), for, among other things, its practices associated with giving third-party developers access to Affected Friends’ data.
25. Specifically, Count One of the Original Complaint alleged that Facebook was engaging in deceptive acts and practices by representing to users that Facebook’s privacy settings allowed them to restrict to limited audiences (e.g., “Only Friends”) the sharing of non- public personal information that they added to their Facebook profiles and their non-public Facebook posts (collectively, “Profile Information”), when, in fact, those settings did not prevent Facebook from sharing that information with third-party developers of apps installed by the users’ Friends. See Exhibit B at ¶¶ 10-18.
26. The Original Complaint also asserted that Facebook misled users by placing the option to block third-party developers from accessing their information through Friends not prominently on Facebook’s Privacy Settings page, but rather, on a page called, at various times, “Applications,” “Apps,” or “Applications and Websites.” This Applications page allowed users, among other things, to restrict the information that third-party developers of Friends’ apps could access. But no Facebook page other than the Applications page disclosed to users that, unless they adjusted the setting on the Applications page, their other privacy choices were ineffective to prevent the sharing of their data with third-party developers of their Friends’ apps.
27. The Original Complaint also noted that users who did not themselves use apps would have no reason to click on the Applications page, and thus would have concluded that
Page 9 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 10 of 50
their choices to restrict Facebook’s sharing of their Profile Information through the Privacy Settings page were complete and effective.
28. Facebook settled the Commission’s Original Complaint with the Commission Order. The Commission Order became final in August 2012 and remains in effect.
29. Part I of the Commission Order, in relevant part, states:
IT IS ORDERED that Respondent and its representatives, in connection with any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which it maintains the privacy or security of covered information, including, but not limited to:
B. the extent to which a consumer can control the privacy of any covered information maintained by Respondent and the steps a consumer must take to implement such controls;
C. the extent to which Respondent makes or has made covered information accessible to third parties;
See Commission Order, Part I.
30. The Commission Order defines “Covered Information” as:
information from or about an individual consumer including, but not limited to: (a) a first or last name; (b) a home or other physical address, including street name and name of city or town; (c) an email address or other online contact information, such as an instant messaging user identifier or a screen name; (d) a mobile or other telephone number; (e) photos and videos; (f) Internet Protocol (“IP”) address, User ID or other persistent identifier; (g) physical location; or (h) any information combined with any of (a) through (g) above.
See Commission Order, Definition 4.
31. Part IV of the Commission Order, in relevant part, states that Facebook shall:
establish and implement, and thereafter maintain, a comprehensive privacy program that is reasonably designed to (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of covered information.
Page 10 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 11 of 50
Such program, the content and implementation of which must be documented in writing, shall contain controls and procedures appropriate to [Facebook]’s size and complexity, the nature and scope of [Facebook]’s activities, and the sensitivity of covered information, including:
B. the identification of reasonably foreseeable, material risks, both internal and external, that could result in [Facebook]’s unauthorized collection, use, or disclosure of covered information and an assessment of the sufficiency of any safeguards in place to control these risks. . . .
C. the design and implementation of reasonable controls and procedures to address the risks identified through the privacy risk assessment, and regular testing or monitoring of the effectiveness of those controls and procedures.
E. the evaluation and adjustment of [Facebook]’s privacy program in light of the results of the testing and monitoring required by subpart C, any material changes to [Facebook]’s operations or business arrangements, or any other circumstances that [Facebook] knows or has reason to know may have a material impact on the effectiveness of its privacy program.
See Commission Order, Part IV.
32. Part V of the Commission Order states that Facebook shall “obtain initial and
biennial assessments and reports (‘Assessments’) from a qualified, objective, independent third- party professional, who uses procedures and standards generally accepted in the profession.”
33. The Commission Order requires, among other things, that each such Assessment shall:
A. set forth the specific privacy controls that [Facebook] has implemented and maintained during the reporting period;
B. explain how such privacy controls are appropriate to [Facebook]’s size and complexity, the nature and scope of [Facebook]’s activities, and the sensitivity of the covered information;
C. explain how the privacy controls that have been implemented meet or exceed the protections required by Part IV of [the Commission] Order; and
Page 11 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 12 of 50
D. certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the operating period.
See Commission Order, Part V.
DEFENDANT’S NOTICE OF THE COMMISSION ORDER
34. Facebook’s General Counsel signed the Commission Order on behalf of Facebook. The Commission served the Commission Order in August 2012.
Facebook’s Desktop Privacy Settings Failed to Disclose That Users’ Privacy Choices Would Be Undermined by Default Settings That Allowed Facebook to Share Users’ Data with Third-Party Developers of Their Friends’ Apps
35. Around the time that it resolved the Original Complaint through the Commission Order in 2012, Facebook added a disclaimer to the top of its desktop Privacy Settings page stating, “You can manage the privacy of your status updates, photos, and information using the inline audience selector—when you share or afterwards. Remember: the people you share with can always share your information with others, including apps.” (emphasis added), as shown in the figure below:
Page 12 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 13 of 50
36. Approximately four months after the Commission Order became effective, however, Facebook removed the disclaimer from the Privacy Settings page, as shown in the below example:
Page 13 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 14 of 50
37. Facebook’s new “Privacy Settings” page purported to allow users to restrict who could see their past and future posts.
38. Posts could include, among other things, status updates, photos, videos, check-ins,
“edit” and select from non-public categories, such as “Friends,” “Only me,” and “Custom.”
39. A user wishing to restrict future posts on the Privacy Settings page would click
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 15 of 50
40. Facebook did not disclose anywhere on this page, or anywhere along the path that users would have had to take to reach the Privacy Settings page, that users who shared their posts with “Friends” or a “Custom” audience3 could still have those posts shared with any of the millions of third-party developers whose apps were used by their Friends.
41. As was the case before the Commission Order, Affected Friends who sought to opt out of such sharing—and to have their privacy choices honored—needed to locate and adjust settings located under the separate “Apps” tab.
42. The Apps tab did not alert users that it linked to a page containing settings that users had to disable in order to have their privacy choices fully honored.
43. In December 2012, Facebook introduced “Privacy Shortcuts,” which it touted as a privacy tool that helps users navigate “key settings.” See Exhibit C (Dec. 21, 2012 Press Release); see also Exhibit D (May 22, 2014 Press Release) (describing Privacy Shortcuts as a “tool designed to help people make sure they are sharing with just the audience they want”).
44. The Privacy Shortcuts tool also had privacy settings for posts that purported to allow users to restrict their posts to Friends, as shown in the example below:4
3 “Custom” audiences are typically a subset of Friends and are thus a more restrictive privacy setting than “Friends.” For simplicity, this Complaint refers to both “Friends” and “Custom” audience selections as “Friends.”
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 16 of 50
45. However, Facebook did not disclose on the Privacy Shortcuts tool, or anywhere along the path that users took to reach this tool, that their non-public posts could be shared with third-party developers of Friends’ apps.
46. At all times relevant to this Complaint, Facebook also provided users with inline controls that purported to allow users to restrict who could see their posts.
47. Specifically, when users posted a status update, photo, or video, Facebook gave users a drop-down menu that allowed them to restrict the audience for that post to, for example, “Friends,” as shown below:5
5 https://www.facebook.com/notes/facebook/making-it-easier-to-share-with-who-you- want/10150251867797131/
Page 16 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 17 of 50
48. However, Facebook did not disclose to users that sharing their non-public posts with Friends would allow Facebook to share those posts with third-party developers of Friends’ apps.
49. In addition, Facebook’s settings conveyed that users could restrict on their Facebook “About” page who could see personal information that users added to their profile, such as hometown, birthday, relationship, current city, education history, and work history.
50. But Facebook did not disclose to users on their About page that sharing their personal information with Friends would allow Facebook to share that information with third- party developers of Friends’ apps.
Facebook’s Desktop “Apps others use” and “Platform” Settings Also Undermined Users’ Privacy Choices
51. Facebook also misled users by having default settings that shared Affected Friends’ Profile Information with third-party developers of Friends’ apps unless the Affected Friend found and opted out of settings found on the Apps Settings page.
52. The Apps Settings page contained two opt-out settings—the “Apps others use” setting and the “Platform” setting.
Page 17 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 18 of 50
53. To access the “Apps others use” setting, Affected Friends first had to realize that Facebook shared their Profile Information with third-party developers of Friends’ apps, and then successfully had to navigate a series of steps to find and opt-out of that setting.
54. A user first had to click on the “Apps” tab in the settings menu. This tab did not include any disclosure that the “Apps” tab linked to any privacy settings for apps not installed by the user.
55. After clicking the “Apps” tab, users were directed to the Apps Settings page, where they had to locate the “Apps others use” setting.
56. The format of the Apps Settings page varied over time. However, at all times relevant to this Complaint, the “Apps others use” setting at the bottom of the page, separate and apart from the privacy settings for the apps the user installed, as shown in the below example:
Page 18 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 19 of 50
57. On the “Apps others use” setting, Facebook stated, “People who can see your info can bring it with them when they use apps. Use this setting to control the categories of information people can bring with them.”
58. This was Facebook’s only representation on any of the settings pages informing users that third-party developers of Friends’ apps could access and collect their Profile Information.
59. Facebook presented users who clicked on “edit” within the “Apps others use” setting with options that allowed them to opt out of Facebook sharing their data, as shown in the below example:
Page 19 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 20 of 50
60. By default, all categories of Affected Friend data, except “Religious and political views” and “Interested in,” were set to be shared with third-party developers who requested them.
61. During all times relevant to this Complaint, only a very low percentage of users opted out of this default setting.
62. Alternatively, users could prevent Facebook from sharing their Profile Information with third-party developers of Friends’ apps by opting out of Facebook’s “Platform” setting within the Apps Setting page. But, in so doing, users could not use any Facebook apps themselves. By default, this setting was turned “on” and allowed Facebook to share users’ data with third-party developers of Friends’ apps.
63. To access the Platform setting, a user had to: (1) click on the “Apps” tab in the settings menu; (2) find the Platform opt-out setting, which was located in a section of the page devoted to the user’s apps and labeled at various times “Apps you use” or “Apps, Websites, and Plugins”; and (3) click on the “edit” button to disable the default setting that shared the user’s data with third-party developers of Friends’ apps.
64. Although the precise language varied over time, disclaimers on the Platform setting warned that turning it off would prevent users from using any Facebook apps themselves and prevent their Friends from being able to “interact and share with you using apps and websites” (emphasis added).
Page 20 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 21 of 50
65. This language—which focused on information that would be shared with the user, rather than information Facebook would share about the user—did not inform users that: (a) by default, Facebook shared their Profile Information with third-party developers of Friends’ apps; or (b) this setting allowed them to opt out of such sharing.
66. A very low percentage of Facebook users disabled the Platform setting between August 2012 and April 2015.
Facebook’s Mobile Privacy Settings Also Deceived Users
67. As early as March 2012, and until March 2013, as shown in the example below, Facebook’s mobile interface contained a disclaimer near the top of the Privacy Settings page stating, “You can manage the privacy of your status updates, photos and information using the
Page 21 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 22 of 50
inline audience selector—when you share or afterwards. Remember: the people you share with can always share your information with others, including apps. . .” (emphasis added).
68. The mobile Privacy Settings page purported to allow users to restrict who could see their past and future posts, as well as, for approximately six months, users’ birthday and contact information.
69. During this time, Facebook’s Privacy Settings page further featured a link to the Apps Settings page.
70. In or around March 2013, Facebook removed the disclaimer about the sharing of data with apps, as shown in the below figure:
Page 22 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 23 of 50
71. Facebook also removed from the mobile Privacy Settings page the link to the Apps Settings page.
72. After Facebook made these changes, to find the Apps Setting page, a user on the mobile interface had to go to the main settings menu and click on the heading labeled “Apps” or “Apps and Websites,” as shown in the below example:
Page 23 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 24 of 50
73. The headings did not disclose that the “Apps” or “Apps and Websites” tabs included privacy settings for apps that the user did not install.
Page 24 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 25 of 50
74. Once on the Apps Settings page, users had to locate the “Apps others use” setting and click on “edit” before gaining access to options that allowed them to opt out of Facebook sharing their data with third-party developers of Friends’ apps.
75. The “Apps others use” setting was located separate and apart from the privacy settings for the apps the user installed.
76. Users’ bios, birthdays, family and relationships, websites, status updates, photos, videos, links, notes, hometowns, current cities, education histories, work histories, activities, interests, “likes,” app activity, and status of being online, were set to be shared with third-party developers by default.
77. Similarly, to access the Platform setting in the mobile interface, users had to click on the “Apps” heading in the settings menu and then click on the “Platform” opt-out setting link.
78. The Platform setting link referenced apps the user authorized rather than apps authorized by the user’s Friends.
79. Moreover, although the precise language varied over time, disclaimers on the Platform setting explained that turning off the Platform setting would prevent users from using any Facebook apps themselves and prevent their Friends from being able to “interact and share with you using apps and websites” (emphasis added).
Page 25 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 26 of 50
80. This language—which focused on information that would be shared with the user rather than information Facebook would share about the user—did not alert users to the fact that: (a) Facebook shared their Profile Information with third-party developers of Friends’ apps by default; or (b) the Platform setting allowed them to opt out of such sharing.
Facebook Was Aware That Giving Millions of Third-Party Developers Access to Affected Friend Data Posed Privacy Risks
81. Facebook was aware of the privacy risks posed by allowing millions of third-party developers to access and collect Affected Friend data for nearly two years before it changed the Graph API to remove third-party developers’ access to that data. By August 2013, Facebook had decided to remove third-party developers’ access to Affected Friend data. As an internal document explained:
Page 26 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 27 of 50
We are removing the ability for users to share data that belongs to their friends who have not installed the app. Users should not be able to act as a proxy to access personal information about friends that have not expressed any intent in using the app.
82. In September 2013, Facebook audited a set of apps to determine whether to revoke their data permissions. That audit revealed that over a 30-day period, the audited apps were making hundreds of millions of requests to the Graph API for a variety of data, including Affected Friends’ work histories, photos, videos, statuses, “likes,” interests, events, education histories, hometowns, locations, relationships, and birthdays.
83. In some instances, the apps called for data about Affected Friends in numbers that greatly exceeded the number of the apps’ monthly active users. For example, one app highlighted in the audit made more than 450 million requests for data—roughly 33 times its monthly active users.
84. Indeed, the volume of data acquired by the audited apps led one Facebook employee to comment, “I must admit, I was surprised to find out that we are giving out a lot here for no obvious reason.”
85. This was not the only instance in which an examination of apps showed massive amounts of Affected Friends’ data being accessed. A mere month after the September 2013 audit, while discussing upcoming Platform changes, senior Facebook management employees observed that third-party developers were making more than 800 billion calls to the API per month and noted that permissions for Affected Friends’ data were being widely misused.
86. Likewise, in 2014, when discussing changes that would be made to the Platform, Facebook senior management employees considered reports showing that, every day, more than 13,000 apps were requesting Affected Friends’ data.
Page 27 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 28 of 50
87. Facebook made several changes to the Privacy Settings and Apps Settings pages throughout 2013 and 2014. However, none of the changes sought to inform users that sharing data with their Friends also allowed Facebook to share that data with any of the more than one million third-party developers whose apps could be used by their Friends.
Financial Considerations Influenced Facebook’s Decisions Regarding Whether to Restrict Third-Party Developers’ Access to User Data
88. Even though Facebook acknowledged the data-privacy risks associated with the data access it gave to third-party developers, on numerous occasions, while determining whether to continue granting a particular developer access to user data, it considered how large a financial benefit the developer would provide to Facebook, such as through spending money on advertisements or offering reciprocal data-sharing arrangements.
89. At one point in 2013, for instance, Facebook considered whether to maintain or remove data permissions for third-party developers based on whether the developer spent at least $250,000 in mobile advertising with Facebook.
90. As internal Facebook documents explained, Facebook would contact apps spending more than $250,000 on advertising and ask them to confirm the need for the data they were accessing, while Facebook would terminate access for apps spending less than $250,000.
91. Similarly, during the transition to the second version of Graph API (“Graph API V2”), when preparing to implement changes to the Platform to remove third-party developers’ access to Affected Friend data, Facebook explicitly evaluated whether apps affected by the changes spent money on advertising with Facebook, generated revenue for the company, or otherwise offered something of value such as reciprocal access to user data.
Page 28 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 29 of 50
Facebook Falsely Announced That Third-Party Developers Would No Longer Be Able to Access Affected Friend Data
92. In 2013, Facebook conducted a survey that showed that its users were concerned about sharing their data with apps, believed apps asked for unnecessary information or permissions, and were concerned about the information apps used for marketing.
93. Similarly, based on research Facebook conducted, Facebook employees discussed that certain categories of data requests—the user’s activities, birthday, education history, list of interests, religious and political affiliation, page “likes,” photos, videos, hometown, relationship preferences, work history, current city, status messages, and check-ins—were sensitive and, accordingly, should require review after Graph API V2 was introduced.
94. As one employee explained, “Perm[ission]s like user relationships, work history, and relationship details (which indicates the user’s gender preferences) can be perceived as really sensitive. It’s really bad for user trust whenever these perm[ission]s are asked for. . . .”
95. Facebook communicates with its users through various means, including keynote addresses during F8 conferences, videos on Facebook’s YouTube channel, and Facebook Newsroom.
96. In April 2014, Facebook announced that it was deprecating (i.e., discontinuing) Graph API V1 and replacing it with Graph API V2.
97. At Facebook’s April 30, 2014 F8 Conference, Facebook announced that it would no longer allow third-party developers to collect Affected Friend data. In the keynote address, Facebook explained:
[W]e’ve also heard that sometimes you can be surprised when one of your friends shares some of your data with an app. . . . So now we’re going to change this, and we’re going to make it so that now, everyone has to choose to share their own data with an app
Page 29 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 30 of 50
themselves. . . . [W]e think this is a really important step for giving people power and control over how they share their data with apps.
(emphasis added). Facebook posted a video of this keynote address on its YouTube channel in May 2014.
98. On April 30, 2014, Facebook also issued a press release in which it stated:
Putting people first: We’ve heard from people that they are worried about sharing information with apps, and they want more control over their data. We are giving people more control over these experiences so they can be confident pressing the blue button.
99. These communications with users addressed, among other things, the privacy controls that Facebook made available on its Platform.
100. Despite these clear statements, Facebook gave third-party developers with a pre- existing, approved app at least one year of continued access to Affected Friends’ data. In other words, third-party developers that had a preexisting app on the Facebook Platform as of April 2014 could still access and collect Affected Friend data until April 2015. Facebook did not disclose this fact to its users.
Facebook’s Privacy Checkup Did Not Tell Users That Sharing with Their Friends Allowed Third-Party Developers to Access Their Profile Information
101. In September 2014, Facebook launched “Privacy Checkup.” Facebook publicized Privacy Checkup as a means to help users “be in control” of what they shared and with whom they shared it. See Exhibit E (Press release).
Page 30 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 31 of 50
102. Privacy Checkup purported to allow users to restrict who could see their posts and “review and edit the privacy of key pieces of information,” Exhibit E, on the user’s profile, as shown in the below figures:
Page 31 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 32 of 50
103. The Privacy Checkup tool highlighted the apps that users installed, but it did not list the apps that had access to users’ Profile Information based on their Friends’ consent.
104. The Privacy Checkup tool also included a link to the Facebook user’s About page, where Profile Information such as birthdate, hometown, religious views, political views, interests (e.g., sports teams, music, movies), public page “likes,” relationships, and relationship details were displayed. These settings also purported to allow users to restrict who could see their data.
105. Facebook did not disclose anywhere on these pages that, when users shared their Profile Information with Friends, Facebook could continue to share that information with millions of third-party developers of their Friends’ installed apps.
Page 32 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 33 of 50
Facebook Finally Removed General Access to Affected Friend Data but Granted Special Access to Affected Friend Data to Certain Developers Without Telling Users
106. On April 30, 2015, Facebook deprecated Graph API V1. As a result, this generally required third-party developers that had not already migrated to Graph API V2 to do so. Graph API V2 did not allow third-party developers to access or collect Affected Friend data.
107. In or around April 2015, Facebook gathered journalists in San Francisco and discussed the deprecation of Graph API V1 and the removal of access to Affected Friend data.
108. However, going forward, Facebook privately granted continued access to Graph API V1 to more than two dozen developers—the Whitelisted Developers—which included gaming, retail, and technology companies, as well as third-party developers of dating apps and other social-media services. Those Whitelisted Developers thus still had access to the same Affected Friend data that Facebook had publicly announced was no longer available.
109. Some of the Whitelisted Developers retained access for months, while others retained access for years.
110. Facebook granted access to Affected Friend data to a few Whitelisted Developers as a beta test, with that access left active until June 2018.
111. Facebook granted other Whitelisted Developers specific permissions to Affected Friend data, including data on public page “likes,” location, education, work status, relationship status, notes, groups, events, photos, religion, “looking for,” significant other, websites, activities, and interests—much of which Facebook knew consumers might be sensitive to sharing.
112. Facebook did not tell its users that it was still granting these Whitelisted Developers access to their data.
Page 33 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 34 of 50
113. When users chose to share their data with Friends, they had no way of knowing that Facebook would still share it with these Whitelisted Developers.
Facebook Failed to Implement and Maintain Appropriate Safeguards and Controls Over Third-Party Developers’ Access to User Data
114. To address concerns associated with Facebook’s sharing of user and Affected Friend data with the more than 36 million third-party apps on the Facebook Platform in 2012, Part IV of the Commission Order required Facebook to implement and maintain a comprehensive privacy program reasonably designed to address privacy risks and protect the privacy and confidentiality of covered information.
115. Part V of the Commission Order required Facebook to obtain initial and biennial assessments from an independent third-party professional that, among other things, set forth Facebook’s specific privacy controls and explained how those controls met or exceeded
Part IV’s requirements.
116. In the initial and biennial assessment reports required by the Commission Order, Facebook claimed that it had implemented certain controls and procedures to address the privacy risks created by the extensive access to user data it provided to third-party developers.
117. Facebook’s assessment reports also claimed that it had monitoring controls in place to detect material misuse of the Platform by third-party developers.
118. Other than requiring third-party developers to agree to Facebook’s policies and terms when they registered their app with the Platform (“Platform Policies”), however, Facebook generally did not screen the third-party developers or their apps before granting them access to vast amounts of user data through Graph API V1.
Page 34 of 50
Case 1:19-cv-02184 Document 1 Filed 07/24/19 Page 35 of 50
120. Similarly, Facebook routinely granted third-party developers broad permissions to access user and Affected Friend data without first performing any checks on whether such permissions were consistent with a Facebook Platform policy requiring that apps request only data necessary to run the app or to enhance the user’s app experience.
121. The Platform Policies outlined a number of privacy obligations and restrictions, such as limits on an app’s use of data received through Facebook, requirements that an app obtain consent for certain data uses, and restrictions on selling or transferring user data. For example, third-party developers were specifically prohibited from transferring, directly or indirectly, any data—including aggregate, anonymous, or derivative data—to any ad network or data broker.
122. According to Facebook, these policies ensured that users’ personal information was disclosed only to third-party developers who agreed to protect the information in a manner consistent with Facebook’s privacy program.
123. To enforce its Platform Policies, Facebook relied on administering consequences for policy violations th