UIC John Marshall Journal of Information Technology & Privacy UIC John Marshall Journal of Information Technology & Privacy
Law Law
Volume 31 Issue 3 Article 5
2014
Facebook Messenger: Eroding User Privacy in Order to Collect, Facebook Messenger: Eroding User Privacy in Order to Collect,
Analyze, and Sell Your Personal Information, 31 J. Marshall J. Analyze, and Sell Your Personal Information, 31 J. Marshall J.
Info. Tech. & Privacy L. 393 (2014) Info. Tech. & Privacy L. 393 (2014)
Erica Jaeger
Follow this and additional works at: https://repository.law.uic.edu/jitpl
Part of the Computer Law Commons, Consumer Protection Law Commons, Internet Law Commons,
Privacy Law Commons, and the Science and Technology Law Commons
Recommended Citation Recommended Citation
Erica Jaeger, Facebook Messenger: Eroding User Privacy in Order to Collect, Analyze, and Sell Your
Personal Information, 31 J. Marshall J. Info. Tech. & Privacy L. 393 (2014)
https://repository.law.uic.edu/jitpl/vol31/iss3/5
This Comments is brought to you for free and open access by UIC Law Open Access Repository. It has been
accepted for inclusion in UIC John Marshall Journal of Information Technology & Privacy Law by an authorized
administrator of UIC Law Open Access Repository. For more information, please contact [email protected].
393
COMMENTS
FACEBOOK MESSENGER: ERODING
USER PRIVACY IN ORDER TO
COLLECT, ANALYZE, AND SELL YOUR
PERSONAL INFORMATION
ERICA JAEGER*
I. INTRODUCTION
Facebook collects your personal data as well as website usage his-
tory.
1
The more personal information Facebook collects from its users;
the more Facebook can profit.
2
Facebook has partnered with a number
of data brokers in order to collect even larger quantities of personal in-
formation about Facebook users.
3
The collected data allows advertisers
to target certain users with specific ads and sales opportunities.
4
Face-
book is thus able to monetize users‘ personal information.
5
Social networking sites have become information-gathering devices,
* Erica Jaeger graduated from South Dakota State University in 2013 with a
Bachelor of Science in Political Science and Speech Communication. Currently, Erica is
pursuing her Juris Doctor at The John Marshall Law School, expected May 2016.
1
. What Facebook Collects and Shares, MY SECURE CYBERSPACE,
http://www.mysecurecyberspace.com/articles/features/what-facebook-collects-and-
shares.html (last visited Jan. 24, 2015). (Website usage data is defined as the type of web
browser an individual uses, the user‘s IP address, how long a user spends on a particular
webpage, and other statistics)
2
. Kim Komando, 5 Facebook details you shouldn't share, USA TODAY (Jan. 13,
2015), http://www.usatoday.com/story/tech/columnist/komando/2015/01/23/facebook-
details-sharing/22155437/. Facebook partnered with the Axciom, Epsilon, Datalogix, and
Blue Kai to expand data collection capabilities. Id.
3
. Kashmir Hill, Facebook Joins Forces With Data Brokers To Gather More Intel
About Users For Ads, FORBES (Feb. 27, 2013),
http://www.forbes.com/sites/kashmirhill/2013/02/27/facebook-joins-forces-with-data-
brokers-to-gather-more-intel-about-users-for-ads/.
4
. Id.
5
. Komando, supra note 2.
394 J. INFORMATION TECHNOLOGY & PRIVACY LAW [Vol. XXXI
harboring millions of peoples‘ personal information. Today‘s society
strives for technological advances; however, these advances diminish an
individual‘s online privacy. ―We‘ve been starting this trend of sacrificing
privacy for features.‖
6
―They'll get over it. Just like anything else that's
happened they'll get over it.‖
7
An individual‘s privacy online is becoming
a thing of the past. Today‘s online technology advances at a much faster
rate than society‘s privacy laws,
8
and little has been done to control it.
Society has begun to accept and get over the loss of online privacy in or-
der to advance technology. Succumbing to social networking sites‘ tech-
nological advances diminish the consumers‘ right to privacy.
Social networking sites have been exploiting consumers‘ personal
information in order to make a profit. Facebook is one of the social net-
working sites, offering ―a free social media platform to use and in turn
sell advertising and insights based on what they learn about you.‖
9
Cur-
rently, Facebook can ―collect, store and analyze data‖ in massive quan-
tities.
10
Therefore, who protects consumers from these companies that
store and sell individuals‘ online personal information? Is it the gov-
ernment‘s responsibility to protect consumer rights? Or is it the con-
sumer‘s responsibility to limit the amount of personal information he or
she offers to these companies?
Today‘s society focuses on what‘s new and convenient. However,
with convenience comes sacrifice. The more convenient technology be-
comes; the more rights consumers lose, especially in regards to privacy.
In 2013, Facebook updated its Data Use Policy, stating ―We only pro-
vide data to our advertising partners or customers after we have re-
moved your name or any other personally identifying information from
it, or have combined it with other people‘s data in a way that it no long-
er personally identifies you.‖
11
Facebook gathers, collects, and analyzes
an individual‘s data every time a user logs into Facebook, Facebook mo-
bile, or Facebook Messenger.
12
So what does this mean? It means Face-
6
. Christine VanTimmeren, Social media outrage over Facebook Messenger App,
FOX 25 (Aug. 29, 2014), http://www.okcfox.com/story/26237312/social-media-outrage-over-
facebook-messenger-app.
7
. Id.
8
. Vivek Wadhwa, Law and Ethics Can’t Keep Pace with Technology, MIT TECH.
REV. (Apr. 15, 2014), http://www.technologyreview.com/view/526401/laws-and-ethics-cant-
keep-pace-with-technology/.
9
. Bernard Marr, How Facebook Exploits Your Private Information, LINKEDIN
(May 2, 2013), https://www.linkedin.com/pulse/article/20130502052254-64875646-how-
facebook-exploits-your-private-information.
10
. Id.
11
. Anthony W. Kosner, New Facebook Policies Sell Your Face And Whatever It In-
fers, FORBES (Aug. 31, 2013), http://www.forbes.com/sites/anthonykosner/2013/08/31/new-
facebook-policies-sell-your-face-and-whatever-it-infers/.
12
. Data Policy, FACEBOOK, https://www.facebook.com/about/privacy/your-info (last
visited Jan. 24, 2015).
2015] FACEBOOK MESSENGER AND USER PRIVACY 395
book provides advertisers with users‘ data without any personal identi-
fication like the user‘s name or phone number; however, the infor-
mation can still be linked to the user by providing companies with what
area the user lives in and the user‘s likes or dislikes.
13
Facebook‘s new
terms of service allow companies ―carte blanche to guess at the details
of our identities that we have not specifically disclosed and target mar-
keting to us based on their guesses.‖
14
Today, vast amounts of consumer
data can be accessed through the Internet; one can easily make ‗an edu-
cated guess‘ and determine the true identity of those individuals. Even
though, technology is advancing society, it is also crippling consumers‘
right to privacy.
This comment will examine Facebook‘s new standalone Facebook
Messenger app, and review how the Privacy Policy, Data Use Policy,
and the list of permissions violate Section 5 of the Federal Trade Com-
mission Act. The comment will focus on Facebook Messenger‘s deceptive
methods of accessing users‘ personal information and how Facebook us-
es that personal information. Section II will explain social networking
sites and the configuration of Facebook, Facebook Messenger, and Fa-
cebook‘s evolving policies. Section II will also discuss the Federal Trade
Commission and the Federal Trade Commission Act that was created to
protect consumers against unfair, deceptive, or fraudulent practices.
15
Section III will identify Facebook‘s prior commitments and obligations
it had to users and demonstrate how the site failed to protect users in
the past. The comment will then address latent issues that arise out of
Facebook Messenger‘s list of permissions, policies, and how it violates
Section 5 of the Federal Trade Commission Act. Finally, this Comment
will present a consumer-based proposal outlining the necessary changes
to avoid violating Section 5 of the Federal Trade Commission Act. The
proposal will address privacy and data use concerns while continuing to
uphold the Federal Trade Commission Act in Facebook‘s day-to-day ac-
tivity.
II. BACKGROUND
A. SOCIAL NETWORKING, THE NEXT BIG THING?
The definition of social networking is ―the practice of expanding the
number of one‘s business and/or social contacts by making connections
13
. Kosner, supra note 11. ―If Facebook sells a profile for ‗Mr. X‘ to an advertiser,
does it matter that my name or street address is not included if everything else about me
is? They don‘t have to know where I live in the physical world to know where I live
online.‖ Id.
14
. Id.
15
. 15 U.S.C. § 45 (2010).
396 J. INFORMATION TECHNOLOGY & PRIVACY LAW [Vol. XXXI
through individuals.‖
16
Social networking can be an ―online service,
platform, or site that focuses on facilitating the building of social net-
works or social relations among people.‖
17
The service enables individu-
al users to create a profile that represents the user‘s social links as well
as offering a variety of additional services.
18
Users on social networking
sites can ―share ideas, activities, events, and interests within their indi-
vidual networks.‖
19
Users can interact over the Internet because a ma-
jority of ―social network services are web-based.‖
20
The sum of users on
these social networking sites results in Interconnected Internet com-
munities.
21
B. FACEBOOK
―Facebook is a social networking website that makes it easy for you
to connect and share with your family and friends online.‖
22
Users can
post photos, comments, share links, and keep in touch with other Face-
book users.
23
On February 4, 2004 ―Harvard classmates Mark Zucker-
berg, Eduardo Saverin, Dustin Moskovitz, and Chris Hughes‖ created
Facebook.
24
Approximately 24 hours after Facebook‘s creation, 1,200
Harvard students had created profiles on the site.
25
Within the first
month of operation, half of Harvard‘s undergraduate population had a
Facebook user profile.
26
It was only a matter of months before Face-
book‘s network extended to all United States universities.
27
By Septem-
ber 2005, United States high school students were given access to create
a Facebook profile.
28
Soon individuals all over the world were granted
access to Facebook.
29
In September 2006, ―the network extended beyond
16
. Margaret Rouse, Social Networking, WHATIS.COM,
http://whatis.techtarget.com/definition/social-networking (last visited Sept. 26, 2014).
17
. Social Networking, MASHABLE, http://mashable.com/category/social-networking/
(last visited Sept. 26, 2014).
18
. Id.
19
. Id.
20
. Id.
21
. Rouse, supra note 16.
22
. Facebook 101, GCF LEARN FREE, http://www.gcflearnfree.org/facebook101/2 (last
visited Nov. 25, 2014).
23
. Vangie Beal, Facebook, WEBOPEDIA,
http://www.webopedia.com/TERM/F/Facebook.html (last visited Nov. 25, 2014).
24
. Howard Koplowitz, A Timeline Of Facebook History: From Fledgling Startup To
$114 Billion Giant, INT‘L BUS. TIMES (May 12, 2012), http://www.ibtimes.com/timeline-
facebook-history-fledgling-startup-114-billion-giant-699093.
25
. Sarah Phillips, A brief history of Facebook, GUARDIAN (July 24, 2007),
http://www.theguardian.com/technology/2007/jul/25/media.newmedia.
26
. Id.
27
. Id.
28
. Id.
29
. Id.
2015] FACEBOOK MESSENGER AND USER PRIVACY 397
educational institutions to anyone with a registered e[-]mail address.‖
30
Facebook reached 100 million active users by August 2008.
31
Recently,
as of December 31, 2014 there are 1.39 billion monthly active Facebook
users.
32
―Facebook‘s mission is to give people the power to share and make
the world more open and connected.‖
33
Facebook users use the social
networking site in order to stay connected with family and friends, as
well as discovering what is happening all over the world.
34
Facebook al-
lows connected users to share and express what interests them.
35
In
April 2006, Facebook gave users the ability to access the site via mobile
telephone by launching Facebook for Mobile.
36
―Facebook Mobile is a
feature that allows a user to access Facebook from their cellphone
through text messages, e[-]mails, download applications, or a web
browser.‖
37
Facebook on m.facebook.com has many features including,
―posting, messaging, adding friends, uploading photos and editing your
privacy settings.‖
38
In 2011, ―Facebook launched the standalone Messenger app and
rolled out some big updates in the last quarter of 2013.‖
39
Through Fa-
cebook Messenger, users can instantly exchange chat messages with
other Facebook users.
40
Within the Facebook Messenger app, users are
capable of making voice calls, sharing photos and videos, and sending
SMS text messages to other Facebook Messenger users.
41
Users can
send and receive these messages directly from their mobile devices.
42
―Facebook Messenger also enables users to send chat messages to peo-
30
. Id.
31
. Koplowitz, supra note 24.
32
. Company Info, FACEBOOK, http://newsroom.fb.com/company-info/ (last visited
Apr. 14, 2014).
33
. About, FACEBOOK, https://www.facebook.com/facebook/info (last visited Sept. 26,
2014).
34
. Id.
35
. Id.
36
. Company Info, supra note 32.
37
. Facebook Mobile, WHATIS.COM,
http://whatis.techtarget.com/definition/Facebook-Mobile (last visited Sept. 26, 2014).
38
. Facebook Mobile, FACEBOOK, https://www.facebook.com/help/121049727976363
(last visited Sept. 26, 2014).
39
. Seth Fiegerman, Facebook Plans to Launch More Standalone Appls Like Mes-
senger, MASHABLE (Jan. 29, 2014), http://mashable.com/2014/01/29/facebook-standalone-
apps/.
40
. Facebook Messenger, TECHOPEDIA,
http://www.techopedia.com/definition/28490/facebook-messenger (last visited Sept. 26,
2014).
41
. Leslie Walker, Facebook Messenger Mobile App: Why Anyone Needs It, ABOUT
TECH., http://personalweb.about.com/od/facebookmobile/a/Facebook-Messenger.htm (last
visited Nov. 25, 2014).
42
. Facebook Messenger, supra note 40.
398 J. INFORMATION TECHNOLOGY & PRIVACY LAW [Vol. XXXI
ple who are logged onto their Facebook accounts‖ via computer.
43
Face-
book Messenger can be downloaded on the following mobile devices:
Android phones, iPhones, iPads, and BlackBerry devices.
44
Today, iPh-
one and Android users are unable to send messages to other users via
the Facebook application itself.
45
In order for Android and iPhone users
to send a Facebook message, Facebook now requires users to install the
standalone Facebook Messenger app.
46
C. FACEBOOK, ERODING PRIVACY ONE DAY AT A TIME.
Since Facebook‘s incorporation in 2004, ―Facebook has undergone a
remarkable transformation.‖
47
When it first launched, Facebook ―was a
private space for communication with a group of your choice.‖
48
It was
only a matter of time before Facebook ―transformed into a platform
where much of your information is public by default.‖
49
Today, Facebook
has become a platform that requires certain information to be made
public.
50
Facebook can use this public information by sharing it with its
partner websites in order to target specific ads at individual users.
51
Now, Facebook limits the amount of information users can keep private,
thus shifting away from full user privacy.
52
By examining Facebook‘s privacy policies over the years, users can
see just how Facebook transformed from a private space for communica-
tion into a more public space—shifting away from an individual‘s priva-
cy.
53
A privacy policy is a website‘s statement regarding how specific in-
formation is collected and used.
54
In 2005, Facebook‘s Privacy Policy
stated, ―No personal information that you submit to Thefacebook will be
43
. Id.
44
. Id.
45
. Josh Smith, Facebook Messenger Forced Update: What to Know, GOTTA BE
MOBILE (July 29, 2014), http://www.gottabemobile.com/2014/07/29/facebook-messenger-
forced-update-what-to-know/.
46
. Id.
47
. Kurt Opsahl, Facebook’s Eroding Privacy Policy: A Timeline, ELECTRONIC
FRONTIER FOUNDATION (Apr. 28, 2010), https://www.eff.org/deeplinks/2010/04/facebook-
timeline.
48
. Id.
49
. Id.
50
. Id.
51
. Id.
52
. Id.
53
. Opsahl, supra note 47.
54
. Privacy Policy, BUS. DICTIONARY,
http://www.businessdictionary.com/definition/privacy-policy.html (last visited Oct. 19,
2014) (Defining a privacy policy as a ―Statement that declares a firm's or website's policy
on collecting and releasing information about a visitor. It usually declares what specific
information is collected and whether it is kept confidential or shared with or sold to other
firms, researchers or sellers‖).
2015] FACEBOOK MESSENGER AND USER PRIVACY 399
available to any user of the Web Site who does not belong to at least one
of the groups specified by you in your privacy settings.‖
55
In 2007, Face-
book‘s Privacy Policy stated:
Profile information you submit to Facebook will be available to users
of Facebook who belong to at least one of the networks you allow to ac-
cess the information through your privacy settings (e.g., school, geog-
raphy, friends of friends). Your name, school name, and profile picture
thumbnail will be available in search results across the Facebook
network unless you alter your privacy settings.
56
Facebook‘s Privacy Policy as of April 2010 states:
When you connect with an application or website it will have access to
General Information about you. The term General Information in-
cludes your and your friends‘ names, profile pictures, gender, user
IDs, connections, and any content shared using the Everyone privacy
setting. ... The default privacy setting for certain types of information
you post on Facebook is set to ‗everyone.‘ ...Because it takes two to
connect, your privacy settings only control who can see the connection
on your profile page. If you are uncomfortable with the connection be-
ing publicly available, you should consider removing (or not making)
the connection.
57
Facebook‘s current Privacy Policy as of January 2015 states, ―We
use the information we receive about you in connection with the ser-
vices and features we provide to you and other users like your friends,
our partners, the advertisers that purchase ads on the site, and the de-
velopers that build the games, applications, and websites you use.‖
58
As
the years have passed, Facebook has shifted away from complete, user
driven privacy controls to limiting user privacy controls in regards to
who can access users‘ personal information.
59
In the beginning, Facebook‘s core base of users signed up because
the site offered users complete control over their personal information.
60
However, as Facebook‘s popularity grew, and the number of users dras-
tically increased, Facebook no longer allowed users complete control of
their personal information.
61
Instead, Facebook limited a user‘s control
regarding his or her personal information.
62
With over 200,000 million
monthly users, Facebook Messenger ―requires you to allow access to an
alarming amount of personal data and, even more startling, direct con-
55
. Opsahl, supra note 47.
56
. Id.
57
. Id.
58
. Data Policy, supra note 12.
59
. Opsahl, supra note 47.
60
. Id.
61
. Id.
62
. Id.
400 J. INFORMATION TECHNOLOGY & PRIVACY LAW [Vol. XXXI
trol over your mobile device.‖
63
Upon downloading and using the
standalone Facebook Messenger app, users are required to agree to the
application‘s list of permissions, which allows the app to access a varie-
ty of information on one‘s mobile device.
64
Facebook‘s Privacy Policy also describes how third parties use us-
ers‘ personal information.
65
Facebook is set up in a manner consistent
with one‘s privacy settings, but the site does not guarantee that third
parties will follow Facebook‘s rules.
66
When users share information
that is set to ‗everyone‘ this information is publically available.
67
Once
the information is publically accessible, anyone with access to the In-
ternet is capable of seeing that information.
68
Even individuals not
logged onto Facebook can access this public information.
69
Publically ac-
cessible information ―is subject to indexing by third party search en-
gines and may be imported… and exported by Facebook and others
without privacy limitations.‖
70
Facebook is only responsible for its site;
Facebook does not own or operate enhanced applications or websites.
71
So when users visit Facebook-enhanced applications and websites they
are giving someone other than Facebook access to their personal infor-
mation within Facebook.
72
In order for Facebook-enhanced applications
and websites to operate at their highest capacity, ―they receive publicly
available information automatically when you visit them and additional
63
. Sam Fiorella, The Insidiousness of Facebook Messenger's Android Mobile App
Permissions (Updated), HUFF. POST (Aug. 11, 2014), http://www.huffingtonpost.com/sam-
fiorella/the-insidiousness-of-face_b_4365645.html.
64
. Permissions, FACEBOOK MESSENGER,
https://play.google.com/store/apps/details?id=com.facebook.orca (last visited Sept. 27,
2014). The Facebook Messenger application is capable of: finding accounts on the device,
reading your contact card, reading your contacts, finding your approximate and precise
location, editing your text messages, receiving text messages, reading your text messages,
sending SMS messages, directly calling phone numbers, reading call log, testing access to
protected storage, modifying or deleting the contents of your USB storage, taking pictures
and videos, recording audio, viewing Wi-Fi connections, reading phone status and identi-
ty, receiving data from the Internet, downloading files without notification, running at
startup, preventing the device from sleeping, viewing network connections, installing
shortcuts, reading battery statistics, changing your audio settings, reading Google service
configuration, drawing over other apps, full network access, reading sync settings, con-
trolling vibrations, and changing network connectivity. Id.
65
. Data Policy, FACEBOOK, https://www.facebook.com/policy.php (last visited May
18, 2015).
66
. Terms of Service, FACEBOOK (Jan. 31, 2015),
https://www.facebook.com/legal/terms.
67
. Id.
68
. Id.
69
. Id.
70
. Opsahl, supra note 47.
71
. Terms of Service, FACEBOOK (Jan. 31, 2015),
https://www.facebook.com/legal/terms.
72
. Data Policy, FACEBOOK, supra note 65.
2015] FACEBOOK MESSENGER AND USER PRIVACY 401
information when you formally authorize or connect your Facebook ac-
count with them.‖
73
In 2011, ―Facebook reached a settlement agreement
with the Federal Trade Commission regarding the social network‘s poli-
cy on changing privacy controls and informing users of those changes.‖
74
The settlement requires Facebook to obtain user approval prior to
―making changes to the way their personal data is shared on the net-
work.‖
75
―The Federal Trade Commission‘s release lists seven com-
plaints against Facebook‘s allegedly deceptive privacy practices, specifi-
cally that it told users some of their personal information would be kept
private, but that the site later allowed that information to become ac-
cessible.‖
76
This type of business practice, of accessing personal infor-
mation without consent, is a deceptive trade practice which is subject to
examination by the Federal Trade Commission under Section 5 of the
Federal Trade Commission Act.
77
D. THE FEDERAL TRADE COMMISSION
On September 26, 1914 President Woodrow Wilson created the
Federal Trade Commission (FTC), when he signed the Federal Trade
Commission Act into law.
78
The FTC‘s primary mission is to ―prevent
business practices that are anticompetitive or deceptive or unfair to
consumers; to enhance informed consumer choice and public under-
73
. In Re Facebook, EPIC.ORG, https://epic.org/privacy/inrefacebook/ (last visitied
May 18, 2015).
74
. Catherine Smith, Facebook, FTC Reach Settlement Over Alleged Privacy Viola-
tions, HUFF. POST (Nov. 29, 2011), http://www.huffingtonpost.com/2011/11/29/facebook-ftc-
reach-settle_n_1118996.html.
75
. Id.
76
. Id. The FTC‘s seven allegations are:
In December 2009, Facebook changed its website so certain information that us-
ers may have designated as private – such as their Friends List – was made pub-
lic. They didn't warn users that this change was coming, or get their approval in
advance. (2) Facebook represented that third-party apps that users' installed
would have access only to user information that they needed to operate. In fact,
the apps could access nearly all of users' personal data – data the apps didn't
need. (3) Facebook told users they could restrict sharing of data to limited audi-
ences – for example with "Friends Only." In fact, selecting "Friends Only" did not
prevent their information from being shared with third-party applications their
friends used. (4) Facebook had a "Verified Apps" program & claimed it certified
the security of participating apps. It didn't. (5) Facebook promised users that it
would not share their personal information with advertisers. It did. (6) Facebook
claimed that when users deactivated or deleted their accounts, their photos and
videos would be inaccessible. But Facebook allowed access to the content, even
after users had deactivated or deleted their accounts. (7) Facebook claimed that it
complied with the U.S.- EU Safe Harbor Framework that governs data transfer
between the U.S. and the European Union. It didn't.
Id.
77
. 15 U.S.C. § 45 (2010).
78
. Our History, FED. TRADE COMM., http://www.ftc.gov/about-ftc/our-history (last
visited Sept. 25, 2014).
402 J. INFORMATION TECHNOLOGY & PRIVACY LAW [Vol. XXXI
standing of the competitive process; and to accomplish this without un-
duly burdening legitimate business activity.‖
79
Currently, five Commis-
sioners govern the FTC.
80
The President nominates each Commissioner,
and the Senate confirms the nominations.
81
Commissioners serve a sev-
en-year term and ―no more than three Commissioners can be of the
same political party.‖
82
One Commissioner, chosen by the president,
serves as the Chairman.
83
Within the FTC is the Bureau of Consumer Protection whose offi-
cial order ―is to protect consumers against unfair, deceptive, or fraudu-
lent practices.‖
84
The Bureau ―enforces a variety of consumer laws en-
acted by Congress‖ as well as informing ―Congress and other
government entities of the impact that proposed actions could have on
consumers.‖
85
The Bureau of Consumer Protection protects consumers
from ―unfair, deceptive, and fraudulent business practices by collecting
complaints and conducting investigations, suing companies and people
that break the law, developing rules to maintain a fair market place,
and educating consumers and businesses about their rights and respon-
sibilities.‖
86
The FTC will sue companies that make deceptive claims
about their company‘s products or services.
87
The FTC enforces federal consumer protection laws because the
Federal Trade Commission Act (FTCA) authorizes them to do so.
88
The
FTC‘s primary statute is the FTCA.
89
The FTC‘s enforcement power
originates from the FTCA.
90
The Federal Trade Commission Act prohib-
its unfair and deceptive acts and practices.
91
Once the FTC Board dis-
covers unfair or deceptive acts or practices, the FTC has the authority
79
. About the FTC, FED. TRADE COMM., http://www.ftc.gov/about-ftc (last visited
Sept. 25, 2014).
80
. Commissioners, FED. TRADE COMM., http://www.ftc.gov/about-ftc/commissioners
(last visited Oct. 14, 2014).
81
. Id.
82
. Id.
83
. Id.
84
. Bureaus & Offices, FED. TRADE COMM., http://www.ftc.gov/about-ftc/bureaus-
offices (last visited Sept. 25, 2014).
85
. Id.
86
. About the Bureau of Consumer Protection, FED. TRADE COMM.,
http://www.ftc.gov/about-ftc/bureaus-offices/bureau-consumer-protection/about-bureau-
consumer-protection (last visited Sept. 25, 2014).
87
. Id.
88
. Enforcement, FED. TRADE COMM., http://www.ftc.gov/enforcement (last visited
Sept. 26, 2014).
89
. Statutes Enforced or Administered by the Commission, FED. TRADE COMM.,
http://www.ftc.gov/enforcement/statutes (last visited Sept. 26, 2014).
90
. 15 U.S.C. § 45 (2010).
91
. Id.
2015] FACEBOOK MESSENGER AND USER PRIVACY 403
to take action.
92
―The legal standards for unfairness and deception are
independent of each other; depending on the facts, an act or practice
may be unfair, deceptive, or both.‖
93
An unfair practice is when the act:
―(1) causes or is likely to cause substantial injury to consumers, (2) can-
not be reasonably avoided by consumers, and (3) is not outweighed by
countervailing benefits to consumers or to competition.‖
94
Depending on
the circumstance ―public policy, as established by statute, regulation, or
judicial decisions, may be considered with all other evidence in deter-
mining whether an act or practice is unfair.‖
95
A practice is deceptive
when an act is:
(1) A representation, omission, or practice misleads or is likely to mis-
lead the consumer, (2) a consumer‘s interpretation of the representa-
tion, omission, or practice is considered reasonable under the circum-
stances, and (3) the misleading representation, omission, or practice is
material.
96
The FTC will analyze the facts and circumstances surrounding an act or
practice; its finding will determine whether a particular act or practice
is deceptive.
97
The following section will analyze how Facebook Messenger‘s poli-
cies and permissions violate Section 5 of the Federal Trade Commission
Act due to the site's deceptive business practices, in turn, leaving users‘
personal information vulnerable to third party access.
III. ANALYSIS
A. IN THE PAST, FACEBOOK HAS MANIPULATED AND LIED TO ITS USERS.
Facebook proclaims, ―We're committed to protecting your infor-
mation. We have industry standard and proprietary network monitor-
ing tools constantly running in our system in order to prevent security
breaches and protect the security of your data.‖
98
However, in 2011 the
FTC settled charges with Facebook, stating that Facebook ―deceived
consumers by telling them they could keep their information on Face-
book private, and then repeatedly allowing it to be shared and made
92
. Id.
93
. Section 5: Unfair or Deceptive Acts or Practices, FED. TRADE COMM. ACT,
http://www.federalreserve.gov/boarddocs/supmanual/cch/ftca.pdf , 1 (last visited Sept. 27,
2014).
94
. Id. at 1.
95
. Id. at 1.
96
. Id. at 1.
97
. Id. at 1.
98
. What Does Facebook Do To Protect My Information, FACEBOOK,
https://www.facebook.com/help/212183815469410 (last visited Oct. 16, 2014).
404 J. INFORMATION TECHNOLOGY & PRIVACY LAW [Vol. XXXI
public.‖
99
Facebook promised to keep users‘ personal information pri-
vate, yet broke this promise by allowing the public access to users‘ pri-
vate, personal information.
100
The FTC and Facebook reached a settle-
ment that
Bars Facebook from making any further deceptive privacy claims, re-
quires that the company get consumers' approval before it changes the
way it shares their data, and requires that it obtain periodic assess-
ments of its privacy practices by independent, third-party auditors for
the next 20 years.
101
It would seem that as a result of the settlement, Facebook would be
obligated to inform users about the sites privacy changes and how cer-
tain data is collected. Even though, Facebook notifies users of privacy
changes, it does so in a deceptive manner consisting of vague and un-
reasonable terms, making it difficult for a reasonable Facebook user to
comprehend.
In the FTC‘s settlement with Facebook, Facebook agreed to a 20-
year consent order in which Facebook is required to protect users‘ per-
sonal information in a more explicit manner.
102
Facebook was ordered
to comply with a multitude of provisions in order to protect users‘ priva-
cy.
103
The FTC‘s consent order with Facebook was an administrative
complaint, meaning that the FTC had ―reason to believe that the law
has been violated or is being violated.‖
104
The FTC proceeded with the
public‘s interest at heart rather than ruling that Facebook had violated
Section 5 of the Federal Trade Commission Act.
105
Facebook did not
admit to violating the law by agreeing to the consent order; the purpose
of the consent order was for a settlement resolution that would carry
the force of the law in any future violations.
106
99
. Press Release, Fed. Trade Comm., Facebook Settles FTC Charges That It De-
ceived Consumers By Failing To Keep Privacy Promises (Nov. 29, 2011), available at
http://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-ftc-charges-it-
deceived-consumers-failing-keep.
100
. Id.
101
. Id.
102
. In the Matter of Facebook, Inc. (F.T.C. Jul. 27, 2012), available at
http://www.ftc.gov/sites/default/files/documents/cases/2012/08/120810facebookdo.pdf.
103
. Id. Some of the FTC orders for Facebook are as follows: Facebook was ordered
not to misrepresent in any manner the extent to which it maintains the privacy or securi-
ty of covered information, for Facebook to share any personal information with third-
parties Facebook must clearly and prominently disclose to the user and obtain the user‘s
affirmative consent, Facebook must implement procedures so that third-parties cannot
access user information from Facebook‘s servers, Facebook shall establish a comprehen-
sive privacy program, Facebook shall allow the FTC the ability to inspection certain doc-
uments regarding user privacy, and etc. Id.
104
. Press Release, Fed. Trade Comm., supra note 99.
105
. Id.
106
. Id.
2015] FACEBOOK MESSENGER AND USER PRIVACY 405
On the outside, it seems as if the consent order would protect Face-
book users‘ right to privacy in regards to users‘ personal information.
However, Commissioner Rosch‘s dissent in the Agreement Containing
Consent Order addresses the problems of the consent order. First, the
order allowed Facebook to deny all allegations set forth in the com-
plaint.
107
In order for the FTC to accept the consent agreement, there
needed to have been reason to believe that Facebook did in fact engage
in an unfair or deceptive practice and that the consent agreement was
in the interest of the public.
108
However, by allowing Facebook to deny
all the allegations of the complaint, the requirement of ―reason to be-
lieve‖ was not satisfied.
109
Rosch‘s second concern is that the consent
order does not ―unequivocally cover all representations made in the Fa-
cebook environment [while a user is on Facebook] relating to the decep-
tive information sharing practices of apps about which Facebook knows
or should know.‖
110
Rosch gives an example of an application that a user
downloaded while on Facebook.
111
The application within Facebook in-
formed the user that ―only me‖ would be allowed to see the information
that the user posted and that no other users on Facebook could access
the information.
112
Unbeknown to the consenting user, other users of
the application within Facebook were capable of seeing the information
that the user shared as ―only me.‖
113
The FTC has not addressed con-
cerns about these outside applications that run through Facebook‘s
platform.
114
Thus, users are likely injured because Facebook does not
offer users adequate disclosure when it comes to data collection.
In 2012, a study revealed that Facebook manipulated thousands of
users‘ timelines in order to trigger an emotional response from users.
115
In regards to this experiment, Facebook users did not explicitly consent
to take part in a study based on experimental manipulation.
116
Throughout the study, Facebook would ―manipulate people‘s moods by
107
. Dissenting Statement of Comm‘r Rosch, In the Matter of Facebook, Inc., No.
0923184, 1 (F.T.C. Aug. 10, 2012), available at
https://www.ftc.gov/sites/default/files/documents/public_statements/dissenting-statement-
commissioner-j.thomas-rosch-matter-facebook-inc./120810facebookstatement.pdf.
108
. Id. at 1.
109
. Id. at 1.
110
. Id. at 2.
111
. Id. at 2.
112
. Id. at 2.
113
. Dissenting Statement of Comm‘r Rosch, In the Matter of Facebook, Inc., supra
note 107.
114
. Id. at 2.
115
. Adam D.I. Kramer, Jamie E. Guillory, & Jeffery T. Hancock, Experimental evi-
dence of massive-scale emotional contagion through social networks, 111 PNAS 8788-8790
(2014).
116
. Id.
406 J. INFORMATION TECHNOLOGY & PRIVACY LAW [Vol. XXXI
tweaking their news feeds to favor negative or positive content.‖
117
In
return, it triggered an emotional response where users wrote posts that
resonated with what they had just seen or read.
118
Moreover, users were
unaware that Facebook was going to publish users‘ responses.
119
Even
though, users did not explicitly consent to this particular study, Face-
book indicated that users gave informed consent prior to creating a Fa-
cebook account when the users consented to Facebook‘s Data Use Poli-
cy.
120
When a user agrees to Facebook‘s terms and conditions the user al-
so agrees to Facebook‘s Data Use Policy.
121
The Data Use Policy states
that any data collected from a Facebook user‘s profile is used ―for inter-
nal operations, including troubleshooting, data analysis, testing, re-
search[,] and service improvement.‖
122
Facebook‘s vague Data Use Poli-
cy and Privacy Policy allow the site to manipulate, data mine, and sell
users‘ personal information to third parties.
123
Based on Facebook‘s pri-
or actions the site has left users‘ personal information vulnerable and
unprotected. On multiple occasions, Facebook has proclaimed one thing,
then upon further examination, and sometime later the truth is re-
vealed,
124
showing that Facebook is doing the exact opposite of what it
117
. David Talbot, Facebook’s Emotional Manipulation Study Is Just the Latest Ef-
fort to Prod Users, MIT TECH. REV. (July 1, 2014),
http://www.technologyreview.com/news/528706/facebooks-emotional-manipulation-study-
is-just-the-latest-effort-to-prod-users/.
118
. Id. ―Facebook ran an experiment on 689,003 users to see if it could manipulate
their emotions by varying the selection of posts in their news feeds. One group had stories
with positive words filtered out; another experimental group had stories with negative
words filtered out. Taken as a group, the people subjected to these changes tended to
write posts that echoed those moods, though the effect was small.‖ Id.
119
. Id.
120
. Id.
121
. Sign Up, FACEBOOK, https://www.facebook.com/r.php?locale=en_US (last visited
Jan. 24, 2015).
122
. Data Policy, supra note 12.
123
. Complaint at 3, Campbell v. Facebook Inc., No. C 13-5996 PJH, 2014 U.S. Dist.
LEXIS 177331 (N.D. Cal. Dec. 23, 2014).
124
. Press Release, Fed. Trade Comm., supra note 99. The FTC‘s complaint stated:
Facebook allegedly made promises that it did not keep: (1) In December 2009, Fa-
cebook changed its website so certain information that users may have designated
as private – such as their Friends List – was made public. They didn't warn users
that this change was coming, or get their approval in advance. (2) Facebook rep-
resented that third-party apps that users' installed would have access only to user
information that they needed to operate. In fact, the apps could access nearly all
of users' personal data – data the apps didn't need. (3) Facebook told users they
could restrict sharing of data to limited audiences – for example with "Friends
Only." In fact, selecting "Friends Only" did not prevent their information from be-
ing shared with third-party applications their friends used. (4) Facebook had a
"Verified Apps" program & claimed it certified the security of participating apps.
It didn't. (5) Facebook promised users that it would not share their personal in-
formation with advertisers. It did. (6) Facebook claimed that when users deac-
tivated or deleted their accounts, their photos and videos would be inaccessible.
2015] FACEBOOK MESSENGER AND USER PRIVACY 407
first indicated. On multiple occasions, Facebook has overstepped
boundaries and violated users‘ privacy. Facebook has exploited users‘
personal information in the past with minor repercussions; so now what
is stopping Facebook from continuing to exploit users‘ personal infor-
mation it collects from Facebook Messenger‘s list of permissions and
Data Use Policy? Nothing.
B. VAGUE POLICIES ALLOW FACEBOOK TO DATA MINE USERS‘ PERSONAL
INFORMATION.
In order for Facebook to protect itself from litigation, Facebook has
implemented a lengthy Privacy and Data Use Policies, which are com-
bined in multiple documents.
125
In regards to a user‘s privacy, Facebook
stated that,
Your privacy is very important to us. We designed our Data Use Policy
to make important disclosures about how you can use Facebook to
share with others and how we collect and can use your content and in-
formation. We encourage you to read the Data Use Policy, and to use
it to help you make informed decisions.
126
Facebook‘s Privacy Policy and Data Use Policy can be found on Fa-
cebook‘s webpage, however, the policies span throughout a multitude of
documents. This requires users to shift between several webpages in
order to understand how their information is collected and what the in-
formation can be used for.
Facebook‘s Data Use Policy outlines the type of information the site
collects and how Facebook uses that personal information.
127
Facebook
states,
We use the information we receive about you ‗in connection’ with the
services and features we provide to you and other users like your
friends, our partners, the advertisers that purchase ads on the site,
and the developers that build the games, applications, and websites
you use.
128
The policy lists several examples and ways in which Facebook may
use users‘ information, but Facebook does not provide a detailed list of
But Facebook allowed access to the content, even after users had deactivated or
deleted their accounts. (7) Facebook claimed that it complied with the U.S.- EU
Safe Harbor Framework that governs data transfer between the U.S. and the Eu-
ropean Union. It didn't.
Id.
125
. Statement of Rights and Responsibilities, FACEBOOK,
https://www.facebook.com/legal/terms (last visited Jan. 24, 2015).
126
. Id.
127
. Data Use Policy, FACEBOOK, https://www.facebook.com/policy.php (last visited
Jan. 24, 2015).
128
. Id.
408 J. INFORMATION TECHNOLOGY & PRIVACY LAW [Vol. XXXI
all the possible ways in which Facebook can access users‘ personal in-
formation.
129
Facebook‘s Data Use Policy is vague and does not repre-
sent the whole truth behind data collection. Essentially, anything Face-
book deems as ‗in connection with the services and features we provide‘
Facebook is capable of tracking, collecting, and using that user‘s per-
sonal information in any manner available to Facebook.
130
Facebook
wants users to make informed decisions about using its services; how-
ever, the site reveals little information about the specifics of users‘ pri-
vacy rights. Since, Facebook does not offer a fully detailed list of how
personal information is collected; users are left helpless and unaware of
what Facebook can access.
Specifically, Facebook Messenger contains a list of permissions that
allow Facebook access to a wide variety of information on a user‘s mo-
bile device. ―Permissions are how you ask someone if you can access
that data.‖
131
Facebook Messenger has a list of thirty-two permissions
which allows Facebook the ability to edit users‘ text messages, modify
or delete the contents of users‘ USB storage, record audio, full network
access, and etc.
132
The list of permissions identifies what Facebook can
access, yet it fails to state the timeframe of when Facebook has access
to this information and how that information is being used. The lan-
guage of the list of permissions is vague and misleading, and favors Fa-
cebook rather than its users‘ privacy.
In Commissioner Rosch‘s dissent, he raised concerns that the FTC
had not addressed applications that run on the Facebook platform.
133
Facebook Messenger‘s vague list of permissions is the perfect example
of how the 2011 FTC settlement did not cover all of the Facebook‘s de-
ceptive practices. Under Facebook‘s Help Center, the company address-
es a few reasons behind the list of permissions.
134
Facebook states that
allowing permissions for the application to use the user‘s camera and
record audio are to allow ―the Messenger app to easily send pictures to
your friends and other contacts‖ or to ―confirm your phone number by
finding the confirmation code‖ within the user‘s text messages log.
135
In
reality the actual list of permissions reads differently. The actual list
129
. Id.
130
. Id.
131
. Permission with Facebook Login, FACEBOOK,
https://developers.facebook.com/docs/facebook-login/permissions/v2.1 (last visited Oct. 19,
2014).
132
. Id.
133
. Dissenting Statement of Comm‘r Rosch, In the Matter of Facebook, Inc., supra
note 107.
134
. Why is the Messenger app requesting permission to access features on my An-
droid phone or tablet?, FACEBOOK, https://www.facebook.com/help/347452185405260 (last
visited Oct. 19, 2014).
135
. Id.
2015] FACEBOOK MESSENGER AND USER PRIVACY 409
reads ―the app has access to read your contacts...read your messag-
es…record audio‖ etc.
136
In reality, if Facebook wanted to record audio it
is authorized to do so whenever it wants, even when Facebook Messen-
ger is not in use. Facebook also has the authority to send a text message
from the user‘s mobile device.
137
Facebook does not provide users with
adequate details nor examples regarding a majority of the permissions
Facebook Messenger requires.
138
Within Facebook‘s Help Center, Facebook explains five of the thir-
ty-two permissions that Facebook Messenger requires.
139
So how does a
user gain understanding of how Facebook uses the other twenty-seven
permissions? This information is not available online for users. Thus,
users are left vulnerable because they are unaware of how much per-
sonal information Facebook can access. Facebook has the ability to ma-
nipulate a user‘s mobile device because of the vague list of permissions.
Facebook also states that it wants individual users to read through
multiple documents regarding data use and privacy in order to make
informed decisions about using Facebook.
140
The multitude of docu-
ments that Facebook requires users to shift between can confuse a us-
er‘s understanding of the site‘s policies.
141
Confusing a user‘s under-
standing of policies is another example of how Facebook deceives its
users in order to profit off their personal information.
Facebook makes it the user‘s responsibility to set individual privacy
settings, because when a user fails to do so, Facebook is able to mone-
tize accounts by selling personal information to third parties. Facebook
is in the business of monetizing personal information, rather than pro-
tecting user privacy.
142
Overall, Facebook‘s vague and minimal policies
do not address the flaws regarding users‘ privacy rights. The list of
permissions, Data Use Policy, and Privacy Policy are deceptive to the
reasonable Facebook user. When a company like Facebook says one
136
. Permissions, FACEBOOK MESSENGER, supra note 64.
137
. Id.
138
. Why is the Messenger app requesting permission to access features on my An-
droid phone or tablet?, FACEBOOK, supra note 134. Of the thirty-two permissions Face-
book Messenger requires, Facebook only gives users examples for five of the permissions.
The five examples Facebook gives give users some understanding on how Facebook uses
the permissions to access user information. However, only five of the thirty-two permis-
sions are explained to users. Id.
139
. Id.
140
. Statements of Rights and Responsibilities, FACEBOOK,
https://www.facebook.com/terms.php (last visited Nov. 30, 2014).
141
. Campbell v. Facebook Inc., No. C 13-5996 PJH, 2014 U.S. Dist. LEXIS 177331
(N.D. Cal. Dec. 23, 2014) (Determining that despite the slight modifications of the lan-
guage within all three policies the general principles remained the same).
142
. Howard Steven Friedman, You Are Responsible for Your Own (Facebook) Priva-
cy, HUFF. POST (Mar. 3, 2011), http://www.huffingtonpost.com/howard-steven-
friedman/you-are-responsible-for-y_b_830652.html.
410 J. INFORMATION TECHNOLOGY & PRIVACY LAW [Vol. XXXI
thing but does the opposite, an injury is likely to occur. And who bears
the burden of being injured? Consumers. Facebook portrays itself as
caring about user privacy and will say whatever it takes in order for us-
ers to feel at ease when using its services, like Facebook Messenger. Fa-
cebook has shifted from a social networking site that supported com-
plete user privacy controls to limiting user privacy controls in order to
data mine and monetize user‘s personal information by collecting, ana-
lyzing, and selling information to third parties. Facebook is deceiving
users in order to make a profit at the expense of users.
The 2011 settlement between Facebook and the FTC did not cover
all applications on the Facebook platform.
143
By allowing Facebook to
deny all the allegations of the complaint, the FTC indicated that Face-
book had not violated any laws.
144
In order for users to challenge Face-
book Messenger‘s list of permissions and Data Use Policy, users must
either wait for the FTC to step in or challenge Facebook Messenger‘s
policies and list of permissions in court.
C. CAMPBELL V. FACEBOOK CHANGES THE WAY COURT‘S EXAMINE
CONSENT IN TERMS OF PRIVACY AND DATA USE POLICIES.
In a recent case involving the interception of Facebook users‘ mes-
sages, the court ruled that the plaintiffs did not impliedly consent to
Facebook scanning their messages.
145
―Plaintiffs allege that Facebook
scans the content of these private messages for use in connection with
its "social plugin" functionality.‖
146
Plaintiffs further allege that Face-
book scans the contents of users‘ messages in order to deliver users with
targeted ads.
147
The Plaintiffs argued that Facebook violated the Feder-
al Electronic Communications Privacy Act.
148
Facebook argued that un-
der the site‘s Statement of Rights and Responsibilities and Data Use
Policy, users expressly consented to have Facebook scan private user
messages for advertising purposes.
149
The court noted that Facebook‘s
Statement of Rights and Responsibilities makes no mention of scanning
messages but only ―encourage[s]" the reader to "read the Data Use Poli-
cy, and to use it to help you make informed decisions.‖
150
Facebook also
argued that users previously consented to message scanning when the
143
. Dissenting Statement of Comm‘r Rosch, In the Matter of Facebook, Inc., supra
note 107.
144
. Id. at 1.
145
. Campbell, 2014 U.S. Dist. LEXIS 177331, at *31.
146
. Id. at *4.
147
. Id. at *4.
148
. Id. at *4.
149
. Id. at *26.
150
. Campbell, 2014 U.S. Dist. LEXIS 177331, at *26.
2015] FACEBOOK MESSENGER AND USER PRIVACY 411
user agreed to the Data Use Policy.
151
Facebook‘s Data Use Policy states
that Facebook ―may use the information we received about you" for "da-
ta analysis.‖
152
However, the court ruled that these particular disclo-
sures are ―not specific enough to establish that users expressly consent-
ed to the scanning of the content of their messages.‖
153
Additionally, Facebook claimed users impliedly consented to the al-
leged interceptions.
154
In determining implied consent, the court exam-
ined the overall circumstances and determined whether the parties had
adequate notice of the interception of messages.
155
The court ruled that
due to the lack of evidentiary record, the plaintiffs had not impliedly
consented to the alleged interceptions of messages
.
156
Campbell is significant because the court determined that Face-
book‘s Statement of Rights and Responsibilities and Data Use Policy
were not specific enough to show that the Plaintiffs expressly or im-
pliedly consented to the interception of personal messages without noti-
fication.
157
In addition, the court concluded that Facebook‘s disclosure
statement that it ―may use the information we received about you for
data analysis‖ does not encompass the specific practice of intercepting a
user‘s private messages.
158
This ruling will allow users to challenge Fa-
cebook Messenger‘s vague list of permissions in court, even if the FTC
does not determine that Facebook violated Section 5 of the Federal
Trade Commission Act.
Under Section 5 of the Federal Trade Commission Act, an act or
practice is deceptive when a ―representation, omission, or practice is de-
ceptive if it is likely to mislead a consumer acting reasonably under the
circumstances and is likely to affect a consumer‘s conduct or decision
regarding a product or service.‖
159
The court‘s decision in Campbell and
subsequent user challenges following this decision, may force the FTC
to investigate Facebook Messenger‘s list of permissions and Data Use
Policy as a possible violation of Section 5 of the Federal Trade Commis-
sion Act.
D. FACEBOOK MESSENGER‘S LIST OF PERMISSIONS AND DATA USE POLICY
IS A DECEPTIVE PRACTICE UNDER SECTION 5 OF THE FEDERAL TRADE
151
. Id. at *29.
152
. Id. at *28.
153
. Id. at *29.
154
. Id. at *30.
155
. Id. at *30.
156
. Campbell, 2014 U.S. Dist. LEXIS 177331, at *31.
157
. Id. at *26.
158
. Id. at *28.
159
. Unfair or Deceptive Acts or Practices by State-Chartered Banks, FEDERAL
DEPOSIT INSURANCE CORPORATION (Mar. 11, 2004),
https://www.fdic.gov/news/news/financial/2004/fil2604a.html.
412 J. INFORMATION TECHNOLOGY & PRIVACY LAW [Vol. XXXI
COMMISSION ACT.
Three elements must be established to conclude that Facebook
Messenger‘s list of permissions and Data Use Policy is a deceptive act or
practice under Section 5 of the FTCA. To determine whether a repre-
sentation, omission, or practice is deceptive a three-part test must be
applied.
160
First, ―the representation, omission, or practice must mis-
lead or be likely to mislead the consumer.‖
161
Second, ―the consumer‘s
interpretation of the representation, omission, or practice must be rea-
sonable under the circumstances.‖
162
Finally, ―the misleading represen-
tation, omission, or practice must be material.‖
163
1. Facebook Messenger‘s List of Permissions and Data Use Policy is a
Representation, Omission, or Practice that is Likely to Mislead
Consumers.
A written representation by a company can be classified as a mis-
leading or deceptive practice.
164
Facebook Messenger‘s list of permis-
sions and Data Use Policy is categorized as a practice. The FTC will de-
termine if ―the act or practice is likely to mislead, rather than whether
it causes actual deceptions.‖
165
The FTC will evaluate a practice by de-
termining how a reasonable consumer is likely to respond.
166
Prior to
downloading Facebook Messenger, a user can find the list of permis-
sions under Google Play‘s website.
167
The list of permissions is a written
representation made by Facebook, and therefore qualifies as a practice
under the FTCA. Thus, the first element has satisfied in determining
whether an act or practice is deceptive.
160
. Federal Trade Commission Act Section 5: Unfair or Deceptive Acts or Practices,
FED. TRADE COMM. ACT, supra note 93.
161
. Id. at 8.
162
. Id. at 8.
163
. Id. at 8.
164
. Letter from James C. Miller III, Chairman, Fed. Trade Comm., FTC Policy
Statement on Deception (Oct. 14, 1983), available at http://www.ftc.gov/public-
statements/1983/10/ftc-policy-statement-deception (appended to Cliffdale Associates, Inc.,
103 F.T.C. 110, 174 (1984)).
165
. Id.
166
. Id.
167
. Permissions, FACEBOOK MESSENGER, supra note 64.
2015] FACEBOOK MESSENGER AND USER PRIVACY 413
2. The Consumer‘s Interpretation of Facebook Messenger‘s List of
Permissions and Data Use Policy is Reasonable Under the
Circumstances.
Facebook‘s list of permissions and Data Use Policy is a practice
that is very likely to mislead consumers. To evaluate whether a practice
is likely to mislead consumers the Commission will evaluate the con-
sumer‘s interpretation or reaction toward that practice.
168
Under this
evaluation, the Commission examines how a reasonable Facebook user
will interpret or react toward the permissions. If the practice misleads
even a significant minority of consumers the practice will be deemed as
deceptive.
169
In some instances, when a representation conveys more
than one meaning which is likely to mislead a reasonable consumer the
representation may be deceptive.
170
The list of permissions grant Face-
book access to a wide variety of items such as access to the user‘s con-
tacts within the user‘s mobile device all the way to the ability to change
a user‘s network connectivity.
171
Facebook‘s list of permissions is misleading for consumers because
Facebook does not clarify when Facebook has access to the list of per-
missions. The list of permissions does not state when Facebook has ac-
cess to the user‘s personal information stored on the user‘s mobile de-
vice. For instance, a user may believe that Facebook only has access to
the list of permissions when Facebook Messenger is in use; however,
Facebook‘s list of permission does not specify when Facebook can access
a user‘s personal information. This is deceiving because the user may
think that Facebook does not have access to his or her personal infor-
mation when Facebook Messenger is not in use, but in reality Facebook
may have access to the user‘s personal information even when the app
is not in use. This is an area where Facebook‘s representation has two
possible meanings, thus potentially placing the user in harm‘s way.
Facebook states that ―privacy is core to our approach with Messen-
ger, and like any developer, we analyze usage trends to make our apps
better, faster, and more efficient.‖
172
However, Jonathan Zaziarski, a
security researcher, revealed, ―Messenger appears to have more spy-
ware type code in it than I've seen in products intended specifically for
168
. Federal Trade Commission Act Section 5: Unfair or Deceptive Acts or Practices,
FED. TRADE COMM. ACT, supra note 93.
169
. Letter from Hon. John D. Dingell, Fed. Trade Comm., FTC Policy Statement on
Deception (Oct. 14, 1983), available at http://www.ftc.gov/public-statements/1983/10/ftc-
policy-statement-deception.
170
. Federal Trade Commission Act Section 5: Unfair or Deceptive Acts or Practices,
FED. TRADE COMM. ACT, supra note 93.
171
. Permissions, FACEBOOK MESSENGER, supra note 64.
172
. Dianne Depra, Report claims Facebook Messenger app packed with spyware,
TECH TIMES (Sept. 21, 2014), http://www.techtimes.com/articles/15981/20140921/report-
claims-facebook-messenger-app-packed-with-spyware.html.
414 J. INFORMATION TECHNOLOGY & PRIVACY LAW [Vol. XXXI
enterprise surveillance.‖
173
Even though Facebook claims the company
is not collecting data with a deceptive intention, realistically the list of
permissions allows Facebook to gather sensitive personal information
from users who download Facebook Messenger.
174
Facebook‘s under-
standing of the list of permissions is not the same as the reasonable Fa-
cebook user‘s understanding. The reasonable person standard is an ob-
jective standard that examines a particular circumstance as a
reasonable person would, ―it is what is fit and appropriate to the end in
view.‖
175
Essentially it is ―a hypothetical person in society who exercises
average care, skill, and judgment in conduct and who serves as a com-
parative standard for determining liability.‖
176
This is the type of
standard Facebook would look to when insuring its users understand its
policies. However, Facebook has not clarified all possible understand-
ings of the list of permissions. With multiple interpretations users are
left vulnerable with regard to their personal information. Numerous in-
terpretations can mislead users‘ understanding of Facebook‘s policies.
Thus, the second element of the deception test has been met.
3. Facebook Messenger‘s List of Permissions and Data Use Policy Are
Material.
For a representation, omission, or practice to be considered materi-
al it must be shown that ―it is likely to affect a consumer‘s decision re-
garding a product or service.‖
177
The FTC will examine if the infor-
mation is important to the consumer.
178
―A finding of materiality is also
a finding that injury is likely to exist because of the representation,
omission, sales practice, or marketing technique.‖
179
Injury can occur in
a variety of ways such as if the consumer would have chosen differently
if it weren‘t for the deception aspect.
180
Injury is likely when certain in-
formation is either inaccurate or omitted.
181
The FTC will find this type
173
. Id.
174
. Nilofar Neemuchwala, Facebook Messenger’s Privacy Concerns Have Users Out-
raged, GUARDIAN (Sept. 3, 2014) http://guardianlv.com/2014/09/facebook-messengers-
privacy-concerns-have-users-outraged/#6uokwW78Xgag8UYh.99.
175
. Madison v. Baumann, 162 Wis. 2d 660, 678 (1991)(citing Black's Law Dictionary
(rev. 4th ed.), p. 1431.).
176
. Reasonable Person, LEGAL DICTIONARY, http://legal-
dictionary.thefreedictionary.com/Reasonable+person+standard (last visited Apr. 15,
2105).
177
. Federal Trade Commission Act Section 5: Unfair or Deceptive Acts or Practices,
FED. TRADE COMM. ACT, supra note 93
178
. Letter from Hon. John D. Dingell, Fed. Trade Comm., supra note 169.
179
. Id.
180
. Id.
181
. Id.
2015] FACEBOOK MESSENGER AND USER PRIVACY 415
of injury material.
182
Facebook Messenger‘s list of permissions is material because in or-
der for users to access Facebook Messenger users must agree to the list
of permissions and Data Use Policy. If the Facebook user has an An-
droid mobile device, the user must agree to all the permissions at once,
whereas users with an iPhone can agree to individual permissions with-
in the app.
183
Injury occurs when users are forced into accepting all the terms of
Facebook Messenger, even when the user does not understand all the
terms and conditions within the Data Use Policy and list of permis-
sions. Facebook Messenger‘s list of permissions and Data Use Policy
does not include all of the potential examples in which Facebook can ac-
cess users‘ personal information. Facebook omits certain crucial details
regarding Facebook Messenger‘s list of permissions. Those omissions
put the users in harm‘s way because the user is not fully aware of what
personal information Facebook has access to. It is likely that if users
knew exactly what personal information Facebook is capable of access-
ing through the Facebook Messenger app, the user may have chosen not
to download the standalone application. Subsequently, the claim is ma-
terial because the user may have come to an alternative conclusion
were they fully aware of Facebook‘s data collection capabilities.
Under Section 5 of the Federal Trade Commission Act, Facebook
Messenger‘s list of permissions and Data Use Policy would be consid-
ered deceptive if challenged. The FTC will be able to determine that Fa-
cebook Messenger‘s list of permissions and Data Use Policy qualifies as
a practice. Additionally, the FTC will likely find this practice is mis-
leading to users and is also material to the Facebook Messenger app. In
return, it is likely that the FTC will determine that Facebook is in-
volved in deceptive practices, thus violating Section 5 of the Federal
Trade Commission Act.
E. REVAMPING FACEBOOK‘S POLICIES TO CHANGE FOR THE BETTER.
The new proposal will require Facebook to explicitly identify the
specifics behind Facebook Messenger‘s Data Use Policy, Privacy Policy,
and list of permissions. The new proposal is broken down into three cat-
egories. The first category deals with terms of the Facebook‘s policies
and list of permissions. The second category deals with notification, and
the final category creates a communication system.
182
. Id.
183
. Reed Albergotti, Facebook Messenger Privacy Fears? Here’s What to Know,
DIGITS (Aug. 8, 2014), http://blogs.wsj.com/digits/2014/08/08/facebook-messenger-privacy-
fears-heres-what-you-need-to-know/.
416 J. INFORMATION TECHNOLOGY & PRIVACY LAW [Vol. XXXI
1. Reasonable Terms
When it comes to Facebook‘s privacy policies, the policies must be
rewritten so that a reasonable user can understand the terms and pos-
sible consequences. With Facebook having 1.39 billion monthly active
users, Facebook must rewrite the policies in plain language so that a
majority of Facebook users are able to understand and comprehend the
terms that are being agreed to.
184
As previously discussed, Facebook
policies must be understood by the reasonable Facebook user. Current-
ly, users aged 25 to 34 are the most common age demographic, account-
ing for 29.7% of all Facebook users.
185
The target demographic falls into
this category, however, Facebook has an increasing number of minor
children and mature users.
186
Thus, the changed policy terms must be
rewritten so that the average, reasonable Facebook user can compre-
hend and understand the term‘s meanings. Today, Facebook‘s vague
policies leave users vulnerable in regards to the protection of their per-
sonal information. The new proposed policy must identify the specific
information Facebook Messenger can access on the user‘s phone. The
current list of permissions are extremely vague and do not give users a
fair disclosure of what types of information Facebook can access. Face-
book will be required to have a well-defined and evident disclosure
statement. This can be accomplished by simply requiring Facebook to
state what information they can access, why access is needed, and how
any collected data may be used. Users must have specifics rather than a
vague and misleading list of permissions. Facebook must specify exam-
ples of all thirty-two permissions that Facebook Messenger requires, ra-
ther than defining only five. By defining all thirty-two permissions, us-
ers will have a clear understanding of what information Facebook has
access to through the standalone messenger app.
After determining the exact information to be collected, Facebook
creators must address when and how this information is being collected.
First, the policy needs to divulge whether or not Facebook can access
ones camera, text log, contacts, etc. even when the application is not in
use. The application must make users aware of when Facebook has ac-
cess to the information within the user‘s mobile device. A simple modi-
fication to the application‘s policies can assuage the privacy concerns
that many users feel upon downloading Facebook Messenger. There
must be specific examples of when Facebook is collecting data and ex-
actly how this data is used.
184
. Company Info, FACEBOOK, http://newsroom.fb.com/company-info/ (last visited
Nov. 30, 2014).
185
. Dan Noyes, The Top 20 Valuable Facebook Statistics – Updated October 2014,
ZEPHORIA (Oct.29, 2914), https://zephoria.com/social-media/top-15-valuable-facebook-
statistics/.
186
. Id.
2015] FACEBOOK MESSENGER AND USER PRIVACY 417
2. Notification
Not only must Facebook rewrite the policy terms, Facebook must
be required to notify users of all policy changes in a reasonable manner.
Recently, Facebook sent out a lengthy e-mail informing users that as of
January 2015 the privacy policy will be changing.
187
Within the e-mail,
Facebook states ―we're also updating our terms, data policy and cookies
policy to reflect new features we've been working on and to make them
easy to understand.‖
188
Facebook offers links for users to click on in order to navigate
around the updated policies, however, Facebook does not point out the
differences between the old and new policies. Users would have to read
through the prior policies and then compare the old policies to the new
in order to see how user controls have being affected. Shifting through
multiple documents to understand user privacy controls is ineffective
and burdensome. Facebook must be required to inform users on how the
new policies differ from the prior policies in one document. This can be
accomplished with a side-by-side comparison between the old and new
policies. The comparison will allow users to immediately see what areas
within the policies have changed and which areas have not changed.
Users will find this more effective to immediately see the changes ra-
ther than having to shift through multiple documents in trying to de-
termine where Facebook has changed its policies. With a comparison of
policies, Facebook can be assured that a reasonable Facebook user is
aware and understands the modifications. Due to the complexity of
some changes not all users will realize and understand what each modi-
fication entails. Thus, the final revision for the proposal will require Fa-
cebook to implement a communication system.
3. Communication System
The final element of the new proposal is a communication system
where users can acquire more details about the policies and have any
questions answered in a timely fashion. Currently, Facebook directs us-
ers to a webpage called ―Desktop Help‖ when a question arises.
189
Upon
accessing the Desktop Help webpage, users must shift through multiple
categories on a multitude of webpages to determine whether there is an
answer to their question and/or problem. Solutions for all problems or
questions, except data use policy questions, can only be retrieved online.
187
. Steve Kovach, Facebook's Privacy Policy Is Changing And You're Going To Get
A Long Email About It, BUS. INSIDER (Nov. 27, 2014),
http://www.businessinsider.com/facebook-privacy-policy-change-2014-11.
188
. Id.
189
. Desktop Help, FACEBOOK, https://www.facebook.com/help/ (last visited Nov. 29,
2014).
418 J. INFORMATION TECHNOLOGY & PRIVACY LAW [Vol. XXXI
So when Facebook‘s list of pre-automated solutions does not solve or an-
swer the user‘s question, the user is left with no other option than to ac-
cept Facebook the way it is or to deactivate his or her account.
When a user has a question regarding the data use policy, the user
has two options for contacting Facebook. The first is through Facebook‘s
online form where a user can type in his or her name and any addition-
al information describing his or her data use question or concern.
190
The
second option is to contact Facebook by mail.
191
When a user has a
question or complaint regarding Facebook‘s Data Use Policy the user
can write a letter to Facebook‘s California office or Ireland office.
192
However, neither of these options say if or when Facebook will answer
or address the question or complaint. Requiring users to send com-
plaints and questions via mail and online form is ineffective because it
prolongs assistance. Users are left waiting for an extended period of
time for Facebook to respond. This additional waiting period may cause
more harm for the user if his or her privacy concern is not resolved in a
timely manner. Facebook must offer users an efficient and direct line of
communication.
In order to operate an efficient and direct line of communication be-
tween Facebook and users, Facebook should be required to operate a
call center. Facebook‘s call center should operate Monday through Fri-
day from the hours of 9am to 6pm EST. When a user calls an automated
voice system would answer directing the user to push 1 for data use pol-
icy questions, push 2 for privacy policy questions, push 3 for technical
questions, push 4 for general Facebook questions, and push 5 for any
other Facebook orientated questions. Upon making a selection, the user
would be directed to a Facebook representative that can answer any
questions the user may have and explain any policies in further details
so that a reasonable Facebook user can understand. The call center
would provide users an immediate response to any questions or com-
plaints that may arise upon using Facebook.
The second option within Facebook‘s communication system will al-
low users to e-mail Facebook directly. A user could communicate direct-
ly with a Facebook representative via e-mail 24/7, if the user‘s question
190
. Data Use Policy Questions, FACEBOOK,
https://www.facebook.com/help/contact/173545232710000 (last visited Nov. 29, 2014).
191
. Data Use Policy, FACEBOOK, https://www.facebook.com/about/privacy (last visit-
ed Nov. 29, 2014).
192
. Id.
If you have questions or complaints regarding our Data Use Policy or practices,
please contact us by mail. If you are located in the U.S. or Canada, our mailing ad-
dress is Facebook Inc., 1601 Willow Road, Menlo Park, CA 94025. If you are located
outside the U.S. or Canada, our mailing address is Facebook Ireland Ltd., 4 Grand
Canal Square, Grand Canal Harbour Dublin 2, Ireland. Registered in Ireland
(Companies Registration Office) Company No. 462932.
Id.
2015] FACEBOOK MESSENGER AND USER PRIVACY 419
or complaint does not require an immediate response. There are two
ways in which a user could e-mail a Facebook representative. The first
option would require a user to log into his or her Facebook account and
open the chat window. Within the chat window, the user could select
the ‗Facebook Representative‘ button where the user would be prompt-
ed to select a specific category depending on the user‘s type of question,
complaint, or concern. Upon selecting a category, a text box would ap-
pear where the user can describe in detail the problem that has oc-
curred. Once the user hits the ‗Send‘ button an automated response
would appear notifying the user that his or her message has been re-
ceived and that a representative will be in contact via Facebook Chat
within 48-72 hours.
The second option in e-mailing Facebook would be through the us-
er‘s personal e-mail address. This option is available in case the user is
not capable of accessing his or her Facebook Chat due to technical is-
sues. On Facebook‘s main web page, under the ‗Help‘ tab, Facebook
would provide users with an e-mail address where concerns, questions,
and problems could be directed. Within the user‘s personal e-mail ac-
count, the user will describe his or her problem in detail and send the e-
mail to the e-mail address that Facebook has provided. Upon sending
the e-mail, an automated response would be sent verifying that the pre-
vious e-mail has been received and that a Facebook representative will
be in contact via personal e-mail within 48-72 hours. Between the call
center and e-mail options Facebook users will now have the option to
communicate with Facebook directly in a more efficient manner.
The new proposal would be implemented in order to safeguard Fa-
cebook users from the fraud, deception, and unfair business practices
that Facebook implements. Facebook has the obligation to uphold users‘
privacy rights, and if Facebook disregards consumer‘s rights the Feder-
al Trade Commission has the authority to act. The Federal Trade
Commission has authority under Section 5 of the FTCA in order to ―pro-
tect consumers by stopping unfair, deceptive, or fraudulent practices in
the marketplace.‖
193
Throughout this Comment it has been established that Facebook
Messenger‘s lists of permissions and policies have violated Section 5 of
the Federal Trade Commission Act. This Comment has discussed a pos-
sible legal solution, which would better safeguard users‘ privacy rights
and gives adequate notice for when Facebook modifies data use and pri-
vacy policies. As stated earlier, for years consumers‘ rights have been
placed on the back burner and sacrificed in order to advance technology.
Privacy laws must advance with today‘s changing technology; otherwise
consumers will constantly be the ones paying the price, until eventually
193
. What We Do, FED. TRADE COMM., http://www.ftc.gov/about-ftc/what-we-do (last
visited Oct. 19, 2014).
420 J. INFORMATION TECHNOLOGY & PRIVACY LAW [Vol. XXXI
consumer privacy is completely eradicated due to a company‘s wordy
privacy policy.
IV. CONCLUSION
In today‘s society where a majority of individual‘s post inmate de-
tails about his or her life on social network sites, one would think that
individuals would have control over who has access to their personal
data, however, that is not the case. Today, privacy is becoming a thing
of the past. Facebook Messenger‘s list of permissions, Data Use Policy,
and Privacy Policy mislead consumers into thinking their privacy is be-
ing protected. Facebook‘s Data Use Policy and Privacy Policy are multi-
ple pages filled with vague and misleading terms. Anything Facebook
deems ―in connection with the services and features we provide‖ they
are able to track, collect, and use in any manner available to Face-
book.
194
So when does a user know Facebook has deemed something ‗in
connection with its services and features?‘ Facebook does not offer this
information publically, the only way to find what is in connection with
Facebook is through an internal information leak, at which point the
information will have been collected and the injury sustained. Face-
book‘s policies are vague and misleading, which leads to one thing—
consumers being left vulnerable and unprotected.
Facebook‘s Data Use Policy and Privacy Policy must be condensed
and rewritten to facilitate a reasonable user‘s understanding. Current-
ly, Facebook has a 14,000-word term of service and data use policy.
195
Facebook‘s policies, in comparison to Snapchat, Twitter, and Instagram
contain significantly more text. Twitter‘s privacy policy has 2,151
words,
196
Instagram‘s about 2,000 words and Snapchat‘s approximately
1,800 words.
197
Facebook‘s policies and terms of service tower over other
social networking sites. In order to better inform users, Facebook must
restructure its policies.
This Comment discussed Section 5 of the Federal Trade Commis-
sion Act and how Facebook violated the Act due to the company‘s decep-
tive practices. This Comment addressed a solution where consumer
rights are being advanced rather than corporate data collection, and the
194
. Data Use Policy, FACEBOOK, https://www.facebook.com/full_data_use_policy
(last visited Oct. 19, 2104).
195
. Oliver Smith, Facebook terms and conditions: why you don't own your online
life, TELEGRAPH (Jan. 4, 2013), http://www.telegraph.co.uk/technology/social-
media/9780565/Facebook-terms-and-conditions-why-you-dont-own-your-online-life.html.
196
. Number of words in the privacy policies of selected social networks as of 2012,
STATISTIC, http://www.statista.com/statistics/268079/privacy-policy-word-count-of-
selected-social-networks/ (last visited Nov. 4, 2014).
197
. Ashley T. Powell, Shorter privacy policies win-win for all, THE DAILY WILDCAT
(Oct. 28, 2013), http://www.wildcat.arizona.edu/article/2013/10/shorter-privacy-policies-
win-win-for-both-users-companies.
2015] FACEBOOK MESSENGER AND USER PRIVACY 421
proposal was designed to place Facebook users on notice and give them
the opportunity to understand all policy modifications in layman terms
rather than advanced legalese. Technology is advancing at a much fast-
er rate than consumer privacy laws. If the FTC does not hold compa-
nies, like Facebook, accountable for their breaches of privacy rights,
they continue to quash user privacy controls until privacy no longer ex-
ists, leaving privacy rights a thing of the past.
