23 March 2014


Is Facebook continuing to rely on the idea that it is easier (and more lucrative) to ask for forgiveness than permission, albeit claiming that it truly respects people who use its services?

The Electronic Privacy Information Center (EPIC) and the Center for Digital Democracy (CDD) in In re: WhatsApp, Inc are challenging Facebook's potential misuse of data about WhatsApp users, gained by Facebook as part of the SNS operator's acquisition of WhatsApp for US$16bn.

WhatsApp allows users to send messages without the cost associated with SMS. WhatsApp claims that it “processes over 10 billion messages per day from approximately 450 million users.”

 The two civil society advocates have filed a complaint with the Federal Trade Commission(FTC) - which as noted elsewhere is the dominant privacy regulator in the US - over the acquisition.

The claim, under 15 U.S.C. §§ 45(a) and (n), is that WhatsApp is engaging in deceptive and unfair practices. WhatsApp has consistently represented that it will not collect or use personal information. After acquisition by Facebook, however,  that policy would be abandoned: WhatsApp's new parent would have access to WhatsApp’s phone numbers. The advocates refer to express representations  in WhatsApp’s privacy policy and blog (including its founder) about not using mobile numbers (and other personal information) without the user’s consent. They claim that such representations are relied upon by consumers.

They argue that WhatsApp’s
failure to disclose that this commitment to privacy was subject to reversal constitutes a deceptive act” and “fail[ure] to make special provisions to protect user data in the event of an acquisition . . . unreasonably creates . . . an obstacle to the free exercise of consumer decision-making [and thus, constitute unfair acts].
They state that
This complaint concerns the impact on consumer privacy of the proposed acquisition of WhatsApp, Inc. by Facebook, Inc. ... WhatsApp built a user base based on its commitment not to collect user data for advertising revenue. Acting in reliance on WhatsApp representations, Internet users provided detailed personal information to the company including private text to close friends. Facebook routinely makes use of user information for advertising purposes and has made clear that it intends to incorporate the data of Whats App users into the user profiling business model. The proposed acquisition will therefore violate WhatsApp users’ understanding of their exposure to online advertising and constitutes an unfair and deceptive trade practice, subject to investigation by the Federal Trade Commission.
Trade practices law to the rescue? The advocates aim to halt the acquisition and have the FTC open an investigation. If the acquisition proceeds, they request an order insulating "WhatsApp user’s information from access by Facebook’s data collection practices".

EPIC comments that
EPIC’s 2010 complaint concerning Google Buzz provided the basis for the Commission’s investigation and October 24, 2011 subsequent settlement concerning the social networking service. In that case, the Commission found that Google “used deceptive tactics and violated its own privacy promises to consumers when it launched [Buzz].” The Commission’s settlement with Facebook also followed from a Complaint filed by EPIC and a coalition of privacy and civil liberties organization in December 2009 and a Supplemental Complaint filed by EPIC in February 2010.
The FTC has meanwhile filed an amicus brief in Jo Batman v. Facebook, Inc (9th U.S. Circuit Court of Appeals), arguing that a federal district court was incorrect in ruling that the Children’s Online Privacy Protection Act (COPPA) preempts state privacy laws regarding minors between 13 and 18 years of age.  

Batman involves a class action suit against Facebook regarding use of teenagers' likenesses in 'Sponsored Stories' posts. The district court, in approving a settlement of the class action suit, ruled that objections raised by some potential class members on points of California state law were invalid. The court ruled that COPPA’s provisions related to children under 13 preempted state laws regarding the privacy of children older than 13. The FTC brief argues that COPPA’s preemption provisions do not apply to state privacy protections for teenagers, who are not covered by COPPA (which applies to people under the age of 13).

The FTC may be wondering about Microsoft, which is meanwhile sheltering behind its Terms & Conditions for Hotmail after criticism over is scrutiny of email to a Hotmail service inbox. Microsoft indicates that it took "extraordinary actions in this case", ie reading an anonymous blogger's email in the course of investigating a software leak. The blogger allegedly received "some stolen lines of code from the not-yet-released Windows 8 operating system investigation", which then appeared as screenshots on his blog. Microsoft began its "investigation" - including reading his mail - to determine the identity of its disloyal employee.

Although MS indicates that it would "consult outside counsel in the future", the scrutiny appears to be permitted under US law because it comes under provisions in Microsoft's terms indicating that MS can access information in accounts that are part of its "Communication Services", ie including free email, chat, fora and similar services. MS "reserves the right to review materials posted to the Communication Services and to remove any materials in its sole discretion".

It is unclear whether such searching includes scrutiny of academic and student email services that several Australian universities (including UC) have outsourced to Microsoft.

No need to beg forgiveness there.