FB Class Action
FB Class Action
FB Class Action
15
UNITED STATES DISTRICT COURT
16
NORTHERN DISTRICT OF CALIFORNIA
17
SAN FRANCISCO DIVISION
18
19
TAYLOR PICHA and ASHLEY CASHON, Case No.: 3:18-CV-02090-WHO
20 individually and on behalf of all others similarly
situated,
21 AMENDED
22 Plaintiffs, CLASS ACTION COMPLAINT
v.
23 JURY TRIAL DEMANDED
FACEBOOK, INC., and CAMBRIDGE
24 ANALYTICA,
25 Defendants.
26
27
28
AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 2 of 57
TABLE OF CONTENTS
1
2 I. INTRODUCTION...........................................................................................................2
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
1 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 3 of 57
I. INTRODUCTION1
1
3 vowed, “In every single thing we do, we always put people first;” promising that Facebook
4 would give people control over how they share their information.2 Zuckerberg continued:
5 “And in the past, when one of your friend blogged into an app [sic]...
the app could ask him not only to share his data but also data that
6 his friends had shared with him—like photos and friend list here. So
now we’re going to change this and we’re going to make it so that
7
now everyone has to choose to share their own data with an
8 app themselves. So we think that this is a really important step for
giving people power and control over how they share their data with
9 the apps. And as developers, this is going to allow you to keep
building apps with all the same great social features while also
10 giving people power and control first.”3
11
2. Just four years later, on March 21, 2018, Zuckerberg addressed fresh reports of the
12
misappropriation of personal data of 50 million Facebook users by an app made by Global
13
Science Research Ltd. and Cambridge Analytica, admitting: “This was clearly a mistake. We
14
have a basic responsibility to protect people’s data, and if we can’t do that then we don’t deserve
15
to have the opportunity to serve people.”4 Then, on April 4, 2018, Facebook publicly stated that
16
up to 87 million users’ data may have been improperly shared with Cambridge Analytica.5
17
18 1
Unless otherwise indicated, all emphases are added and all internal citations, quotation marks,
19 and footnotes are omitted.
2
Facebook’s CEO Mark Zuckerberg F8 2014 Keynote (Full Transcript), Apr. 30, 2014,
20 https://singjupost.com/facebooks-ceo-mark-zuckerberg-f8-2014-keynote-full-
transcript/3/?print=print.
21
3
Id.
22 4
Danielle Wiener-Bronner, Mark Zuckerberg Has Regrets: ‘I’m Really Sorry That This
23 Happened’, CNN Tech, Mar. 21, 2018, http://money.cnn.com/2018/03/21/technology/mark-
zuckerberg-apology/index.html; Mark Zuckerberg in his own words: The CNN interview, CNN
24 Tech, Mar. 21, 2018, http://money.cnn.com/2018/03/21/technology/mark-zuckerberg-cnn-
interview-transcript/index.html?iid=EL.
25
5
David Ingram, Facebook says data leak hits 87 million users, widening privacy scandal,
26 Reuters, Apr. 4, 2018, https://www.reuters.com/article/us-facebook-privacy/facebook-says-
data-leak-hits-87-million-users-widening-privacy-scandal-idUSKCN1HB2CM.
27
28
2 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 4 of 57
1 Zuckerberg added that he regrets the company waited so long to inform its users of what
2 happened: “I think we got that wrong.”6
3 3. This class action lawsuit is about the “wrong” Zuckerberg and Facebook have
4 admitted by disregarding the very privacy safeguards they promised users.
5 4. On March 17, 2018 The Guardian and The New York Times revealed that data
6 analytics firm Cambridge Analytica harvested private information from Facebook users “on an
7 unprecedented scale.”7 At the time, Facebook’s “platform policy” allowed third party
8 applications to accumulate data from “friends” of Facebook users for the purpose of improved
9 user experience, but prohibited it from being sold or used for advertising.8
10 5. Although Facebook knew about the misuse of its users’ data in 2015, it chose to
11 hide this information from its users until forced to confront the issue on March 17, 2018.9
12 6. Just one month earlier, in February 2018, both Facebook and the CEO of
13 Cambridge Analytica, Alexander Nix, told a U.K. parliamentary inquiry on fake news that the
14 company did not possess or employ private Facebook data. When asked if Cambridge Analytica
15 had Facebook user data, Simon Milner, Facebook’s U.K. policy director, told U.K. officials:
16 “They may have lots of data but it will not be Facebook user data. It may be data about people
17 who are on Facebook that they have gathered themselves, but it is not data that we have
18 provided.”10 Cambridge Analytica’s Nix told officials: “We do not work with Facebook data
19
6
20 Id.
7
Carole Cadwalladr and Emma Graham-Harrison, Revealed: 50 million Facebook profiles
21
harvested for Cambridge Analytica in major data breach, The Guardian, Mar. 17, 2018,
22 https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-
election (hereinafter “The Guardian, Revealed”).
23 8
Id.
24 9
Deepa Seetharaman and Katherine Bindley, Facebook Controversy: What to Know About
Cambridge Analytica and Your Data, The Wall Street Journal, Mar. 23, 2018,
25 https://www.wsj.com/articles/facebook-scandal-what-to-know-about-cambridge-analytica-and-
26 your-data-1521806400.
10
The Guardian, Revealed.
27
28
3 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 5 of 57
1 and we do not have Facebook data.”11 Nix was later caught on tape touting campaign tactics such
2 as entrapping political opponents using bribes and sex workers and was terminated on March 20,
3 2018.12
4 7. In direct contradiction to the actual events stemming from Cambridge Analytica’s
5 improper use of Facebook user data, Facebook’s applicable Data Use Policy at the time of the
6 activity stated: “Facebook does not share your information with third parties for the third parties’
7 own and independent direct marketing purposes unless we receive your permission.”13
8 Facebook’s current Data Use Policy states: “We do not share information that personally
9 identifies you (personally identifiable information is information like name or email address that
10 can by itself be used to contact you or identifies who you are) with advertising, measurement or
11 analytics partners unless you give us permission.”14
12 8. Plaintiffs and potential class representatives Taylor Picha and Ashley Cashon,
13 individually and on behalf of all others similarly situated (“Plaintiffs”), by and through
14 undersigned counsel, allege the following upon personal knowledge as to her own acts and upon
15 information and belief as to all other matters.
16 9. Plaintiffs bring this class action against defendants Facebook, Inc. (“Facebook”)
17 and Cambridge Analytica (“CA”) (collectively, “Defendants”) on behalf of all persons who
18 registered for Facebook accounts and whose Personally Identifiable Information, as defined
19 below, was obtained from Facebook by CA or other entities without authorization.
20 10. Cambridge Analytica is a privately held company that combines data mining and
21 data analysis with strategic communication for use in marketing and other strategies.
22
11
Id.
23 12
See n. 8; see also, Revealed: Trump’s election consultants filmed saying they use bribes and
24 sex workers to entrap politicians, Channel 4 News, Mar. 19, 2018,
https://www.channel4.com/news/cambridge-analytica-revealed-trumps-election-consultants-
25 filmed-saying-they-use-bribes-and-sex-workers-to-entrap-politicians-investigation.
13
26 Data Use Policy, Facebook, Nov. 15, 2013,
http://web.archive.org/web/20140103201918/https://www.facebook.com/full_data_use_policy.
27 14
Data Use Policy, Facebook, Sept. 29, 2016, https://www.facebook.com/full_data_use_policy.
28
4 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 6 of 57
1 16. This case concerns the absolute disregard with which Facebook has treated
2 Plaintiffs’ PII. While this information was supposed to be protected and used for only expressly
3 disclosed and limited purposes, Cambridge Analytica was permitted to improperly collect the
4 PII of nearly 87 million Facebook users without authorization, or by exceeding whatever limited
5 authorization it or its agents had.18
6 17. Facebook knew improper data aggregation was occurring and failed to stop it.
7 Plaintiffs bring this suit to protect their privacy interests and those of the class.
8 II. THE PARTIES
9
18. Plaintiff Taylor Picha (or “Plaintiff Picha”) is a resident of Charleston County,
10
South Carolina. Plaintiff Picha has held a Facebook account since 2007. Plaintiff Picha is an
11
active Facebook user and has been at all relevant times. Plaintiff Picha recalls that during the
12
2016 Presidential election, she frequently saw political advertising for the Trump campaign
13
while using Facebook.
14
19. Plaintiff Ashley Cashon (or “Plaintiff Cashon”) is a resident of Charleston County,
15
South Carolina. Plaintiff Cashon has held a Facebook account since . Plaintiff Cashon is an
16
active Facebook user and has been at all relevant times. Plaintiff Cashon recalls that during the
17
2016 Presidential election, she frequently saw political advertising for the Trump Campaign
18
while using Facebook.
19
20. Plaintiff Cashon recently received notice that her personal user data was “shared”
20
with Cambridge Analytica as a result of a “friend” logging into the app “ThisIsYourDigitalLife.”
21
21. Defendant Facebook, Inc. is incorporated in Delaware, and the company’s principal
22
place of business is in Menlo Park, California. Facebook’s securities trade on the NASDAQ
23
under the ticker symbol “FB.”
24
22. Defendant Cambridge Analytica is a privately held company that combines data
25
26 18
Parmy Olson, Face-To-Face With Cambridge Analytica’s Elusive Alexander Nix, Forbes, Mar.
20, 2018, https://www.forbes.com/sites/parmyolson/2018/03/20/face-to-face-with-cambridge-
27 analytica-alexander-nix-facebook-trump/#674008da535f.
28
6 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 8 of 57
1 mining and data analysis with strategic communication for the electoral process.
2 23. When referenced herein, any acts of Defendants shall include (1) the acts of the
3 directors, officers, employees, affiliates, or agents of Defendants who authorized such acts while
4 actively engaged in the management, direction, or control of the affairs of Defendants, or at the
5 direction of Defendants, and/or (2) any persons who are the parents or alter egos of Defendants,
6 while acting within the scope of their agency, affiliation, or employment.
7 24. A contract between Cambridge Analytica and Global Science Research Ltd.
8 describes the objective of the data harvesting as follows: “The ultimate product of the training
9 set is creating a ‘gold standard’ of understanding personality from Facebook profile
10 information.”19 The contract promises to create a database of 2 million “matched” profiles,
11 identifiable and tied to electoral registers, across 11 states,20 but with room to expand much
12 further.
13 III. JURISDICTION AND VENUE
14
25. This Court has jurisdiction pursuant to 28 U.S.C. § 1332(d), the Class Action
15
Fairness Act, because this suit is a class action, the parties are diverse, and the amount in
16
controversy exceeds $5 million, excluding interest and costs. The Court has supplemental
17
jurisdiction over the related state law claims pursuant to 28 U.S.C. § 1367.
18
26. Venue is proper under 28 U.S.C. §1391(c) because Defendants are corporations
19
that do business in and are subject to personal jurisdiction in the Northern District of California.
20
Venue is also proper because a substantial part of the events or omissions giving rise to the claims
21
in this action occurred in or emanated from this district, including decisions made by Facebook
22
23
19
The Guardian, Revealed.
24 20
The states are Arkansas, Colorado, Florida, Iowa, Louisiana, Nevada, New Hampshire, North
25 Carolina, Oregon, South Carolina, and West Virginia (See, Carole Cadwalladr and Emma
Graham-Harrison, How Cambridge Analytica turned Facebook ‘likes’ into a lucrative political
26 tool, The Guardian, Mar. 17, 2018,
https://www.theguardian.com/technology/2018/mar/17/facebook-cambridge-analytica-kogan-
27 data-algorithm).
28
7 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 9 of 57
1 to permit the information aggregation and CA’s collection of the data of personally identifiable
2 information of the class.
3 IV. FACTUAL ALLEGATIONS
4
27. On March 17, 2018, both the New York Times and The Guardian reported on
5
Cambridge Analytica’s use of PII obtained from Facebook without permission under the pretext
6
of collecting and using such data for academic purposes. The reports revealed that Cambridge
7
Analytica, a firm hired by the Trump campaign to target voters online, used the data of millions
8
of people obtained from Facebook without proper disclosures or permission. The reporting also
9
found:
10 [T]he firm harvested private information from the Facebook profiles
of more than 50 million21 users without their permission, according
11 to former Cambridge employees, associates and documents, making
it one of the largest data leaks in the social network’s history. The
12
breach allowed the company to exploit the private social media
13 activity of a huge swath of the American electorate, developing
techniques that underpinned its work on President Trump’s
14 campaign in 2016.
15 ***
But the full scale of the data leak involving Americans has not been
16 previously disclosed—and Facebook, until now, has not
17 acknowledged it. Interviews with a half-dozen former employees
and contractors, and a review of the firm’s emails and documents,
18 have revealed that Cambridge not only relied on the private
Facebook data but still possesses most or all of the trove.22
19
28. In 2014, Cambridge Analytica, through its parent company, Strategic
20
Communications Laboratories (or “SCL”), hired Global Science Research Ltd. to collect
21
22
21
23 Later updated to 87 million users; see, Cecilia Kang and Sheera Frenkel, Facebook Says
Cambridge Analytica Harvested data of Up to 87 Million Users, The New York Times, Apr. 4,
24 2018, https://www.nytimes.com/2018/04/04/technology/mark-zuckerberg-testify-
congress.html.
25
22
Matthew Rosenberg, Nicholas Confessore, and Carole Cadwalldr, How Trump Consultants
26 Exploited the Facebook Data of Millions, The New York Times, Mar. 17, 2018,
https://www.nytimes.com/2018/03/17/us/politics/cambridge-analytica-trump-campaign.html.
27
28
8 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 10 of 57
1 Facebook user data for research purposes.23 SCL agreed to pay Global Science Research
2 Ltd.’s data collection costs “in order to improve ‘match rates’ against SCL’s existing datasets
3 or to enhance Global Science Research Ltd.’s algorithm’s ‘national capacity to profile
4 American citizens.’”24
5 29. Global Science Research Limited (“GSR”) is a privately held company that
6 “optimizes marketing strategies with the power of big data and psychological sciences.”25
7 GSR uses “innovative methods [to] produce insight on a revolutionary scale, empowering
8 clients to understand consumers, markets, and competitors more deeply and accurately than
9 ever before.”26 GSR was founded in 2014 by Dr. Aleksandr Kogan (“Kogan”), a lecturer at
10 the University of Cambridge Psychometrics Center.
11 30. Global Science Research Ltd. collected this data by “us[ing] Amazon’s
12 crowdsourcing marketplace Mechanical Turk (MTurk) to access a large pool of Facebook
13 profiles.”27 GSR offered users one to two dollars to download a survey app on Facebook
14 called “ThisIsYourDigitalLife.”28 Billed as a “research app used by psychologists,” GSR
15 assured Facebook users that their Personally Identifiable Information would “only be used
16 for research purposes” and remain “anonymous and safe.”29
17
18
19 23
Harry Davies, Ted Cruz using firm that harvested data on millions of unwitting Facebook
20 users, The Guardian, Dec. 11, 2015, https://www.theguardian.com/us-
news/2015/dec/11/senator-ted-cruz-president-campaign-facebook-user-data.
21 24
Id.
22 25
Global Science Research, LinkedIn, last accessed Apr. 26, 2018,
23 https://www.linkedin.com/company/global-science-research/.
26
Id.
24 27
Id.
25 28
April Glaser, One of the Data Scientists Involved in the Cambridge Analytica Mess Now
26 Works at Facebook, Slate, Mar. 17, 2018, https://slate.com/technology/2018/03/one-of-the-
data-scientists-involved-in-the-cambridge-analytica-mess-now-works-at-facebook.html.
27 29
See n. 22.
28
9 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 11 of 57
10
11
31. During Zuckerberg’s congressional testimony, he intimated the Cambridge
12
University might also be to blame for this scandal, stating “We do need to understand whether
13
there is something bad going on at Cambridge University overall that will require a stronger
14
action from us.”30 Zuckerberg’s attempt to deflect blame to the University of Cambridge
15
Psychometrics Center was unsuccessful—it is true that the psychometrics program conducts
16
research on what a user’s Facebook profile could mean about their personality; however, those
17
studies were truly academic and consent was obtained to conduct them. Indeed, Zuckerberg
18
should have already known that information considering that the program has been publishing
19
research based on Facebook user data in major peer-reviewed scientific journals since 2013.31
20
These studies have been widely reported in international media, including the study led by
21
Kogan and co-authored by two Facebook employees.32
22
23
24 30
Rachel Kraus, Cambridge University responds to Zuckerberg’s shade, Mashable, Apr. 12,
2018, https://mashable.com/2018/04/12/cambridge-university-responds-to-
25 zuckerberg/#Nvfv8obyBgqV.
31
26 Id.
32
Id.
27
28
10 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 12 of 57
28
11 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 13 of 57
28
12 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 14 of 57
1 American elections. Mr. Wylie stated that “[] Facebook data . . . was ‘the saving grace’ that
2 let his team deliver the models it had promised . . . .”43
3 41. The personal information and data harvested from Facebook was used to
4 “generate sophisticated models of each of [the Facebook users’] personalities…”44 Yet, none
5 of the millions of people whose data was harvested consented to having their data used in
6 such a fashion.
7 42. In response to the instant, growing scandal, Facebook initially claimed that
8 users consented to third-party apps being able to collect their data via their friends’ act of
9 downloading the app and nothing more;45 describing Kogan’s and GSR’s acquisition of data
10 as having been done “in a legitimate way and through the proper channels that governed all
11 developers on Facebook at that time.”46 However, this is factually incorrect. Nothing in
12 Facebook’s Statement of Rights and Responsibilities (“SRR”) or its Privacy Policy (the
13 documents that form the agreement between Facebook and its users) can be read to have
14 permitted CA and Kogan’s practices. The applicable portions of the SRR are as follows:
15 2. Sharing Your Content and Information
16 You own all of the content and information you post on Facebook,
17 and you can control how it is shared through your privacy and
application settings. In addition:
18
***
19
20
21 43
Id.
44
22 See n. 22.
45
23 See Kevin Granville, Facebook and Cambridge Analytica: What You Need to Know as
Fallout Widens, The New York Times, Mar. 19, 2018,
24 https://www.nytimes.com/2018/03/19/technology/facebook-cambridge-analytica-
explained.html.
25 46
See Paul Grewal, Suspending Cambridge Analytica and SCL Group from Facebook, Facebook
26 Newsroom, Mar. 16, 2018, https://newsroom.fb.com/news/2018/03/suspending-cambridge-
analytica/.
27
28
13 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 15 of 57
When you use an application, the application may ask for your
1
permission to access your content and information as well as
2 content and information that others have shared with you. We
require applications to respect your privacy, and your agreement
3 with that application will control how the application can use,
store, and transfer that content and information. (To learn more
4 about Platform, including how you can control what information
other people may share with applications, read our Data Use
5
Policy and Platform Page.)
6 43. Indeed, the SRR affirmatively obligates parties using the platform to respect
7 the privacy rights of users:
8 5. Protecting Other People’s Rights
9 We respect other people’s rights, and expect you to do the same.
10 ***
11
If you collect information from users, you will: obtain their
12 consent, make it clear you (and not Facebook) are the one
collecting their information, and post a privacy policy explaining
13 what information you collect and how you will use it.
14 44. While Facebook’s controlling Privacy Policy does address the phenomenon
15 of permitting third-party apps to acquire user information via that user’s friends, Facebook’s
16 statement on the matter was patently misleading and described a scenario entirely different
18 Controlling what is shared when the people you share with use
19 applications
23 For example, some apps use information such as your friends list,
to personalize your experience or show you which of your friends
24 use that particular app.47
25 45. These examples are far afield of the full extent of the “friends’ permission”
27 47
Data Use Policy, Facebook, Sept. 29, 2016, https://www.facebook.com/full_data_use_policy.
28
14 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 16 of 57
1 Accordingly, Facebook is clearly wrong when it suggests that users consented or otherwise
2 authorized any of the conduct at issue.
3 46. The resulting trove of data about a user’s friends to developers was
4 exceedingly detailed. The exfiltrated information relates to virtually every aspect of a
5 person’s life as embodied on Facebook: their birthday, their hometown, their religious and
6 political affiliations, their work history, and even highly personal data, such as location
7 check-ins and friends’ photos and videos.48
8
Facebook’s History of Privacy Failures
9
47. For a company that was only found little more than a decade ago, Facebook
10
has an extensive history of privacy failures.
11
48. In 2007, Facebook initiated a tracking program called Beacon, which took
12
information from users’ purchases and activities on other websites and posted it to their News
13
Feed without expressly asking for the user’s approval.
14
49. Weeks after Beacon’s introduction, Facebook users responded by signing a
15
petition to drop the feature, citing concerns over privacy. In response, Facebook created an
16
“opt-out” from the service. Zuckerberg commented, “[w]e simply did a bad job with this
17
release, and I apologize.”49
18
50. Nineteen users, unsatisfied with Facebook’s response to their complaints,
19
sued Facebook for violations of various state and federal privacy statutes, and sought
20
damages and a variety of equitable remedies. Facebook reached a $9.5 million settlement
21
agreement at the end of 2009, the terms of which included terminating the Beacon program
22
23
48
See, Avery Hartmans, It’s impossible to know exactly what data Cambridge Analytica scraped
24 from Facebook—but here’s the kind of information apps could access in 2014, Business
Insider, Mar. 22, 2018, http://www.businessinsider.com/what-data-did-cambridge-analytica-
25 have-access-to-from-facebook-2018-3.
26 49
Irina Ivanova, Facebook’s past failures, MSN Money, Mar. 22, 2018, https://www.msn.com/en-
us/money/companies/facebooks-past-failures/ar-BBKyhST?li=BBnb7Kz.
27
28
15 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 17 of 57
1 and funding a new charity organization called the Digital Trust Foundation to “fund and
2 sponsor programs designed to educate users, regulators and enterprises on critical issues
3 relating to protection of identity and personal information online through user control, and
4 the protection of users from online threats.”50 Despite agreeing to terminate the Beacon
5 program, plaintiffs’ counsel admitted that nothing in the settlement agreement precluded
6 Facebook from reinstituting the same program with a new name.51
7 51. In 2008, Facebook introduced “Open ID,” which allowed users to log in to
8 other websites with their Facebook credentials. Facebook also made its “like” button
9 available on other websites, further blurring the lines of privacy and allowing for widespread
10 tracking of a person’s web browsing history—even for non-Facebook users.52
11 52. One year after the initial launch of “Open ID,” Facebook changed its default
12 settings to make users’ profiles public by default. Users objected to this move, but it took
13 Facebook five years to change the default to make profiles visible to users’ friends only.53
14 53. In December 2009, Facebook changed its website so that certain information
15 that users may have designated as private was made public. Facebook neither warned users
16 of this change nor obtained their prior approval. Facebook represented that third-party apps
17 installed by users would have access only to user information needed to operate, when in fact,
18 the apps (and their developers) could access nearly all of users’ Personal Identifiable
19 Information—data the apps did not need. Facebook users were told they could limit the
20 sharing of their personal data to “Friends Only;” however, selecting “Friends Only” did not
21 prevent users’ Personal Identifiable Information from being shared with third-party
22
50
23 See generally, Lane v. Facebook Inc., 696 F.3d 811 (9th Cir. 2012).
51
24 See Transcript of Fairness Hearing dated February 26, 2010, Lane v. Facebook, Inc., Civ. No.
C 08-3845 (ND Cal.) (“At the end of the day, we could not reach agreement with defendants
25 regarding limiting their future actions as a corporation.”); see also
https://www.supremecourt.gov/orders/courtorders/110413zor_bj37.pdf.
26 52
See n. 44.
27 53
Id.
28
16 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 18 of 57
1 applications their friends used. Facebook also promised it would not share users’ personal
2 data with advertisers; yet, it did.
3 54. Upon receiving a number of complaints, the Federal Trade Commission
4 (“FTC”) investigated Facebook’s privacy practices in 2011 which resulted in a consent
5 decree barring Facebook from making any further deceptive privacy claims, required
6 Facebook to obtain consumers’ approval before it changed the way it shared users’ personal
7 data and forced Facebook to undergo periodic assessments of its privacy practices by
8 independent, third-party auditors for 20 years.54 In response to the consent decree,
9 Zuckerberg stated, “I’m the first to admit that we’ve made a bunch of mistakes . . . [w]e can
10 also always do better. I’m committed to making Facebook the leader in transparency and
11 control around privacy.”55
12 55. On March 11, 2011, Facebook users again sued the company for
13 “appropriating the names, photographs, likenesses and identities of [users] to advertise
14 products, services or brands for a commercial purpose without [] consent.”56 This case
15 centered on a Facebook featured called “Sponsored Stories” which essentially turned a users’
16 actions into an endorsed advertisement on their “Friends’” pages, a feature of which users
17 were unable to opt-out.57 A $20 million settlement was reached in this matter on May 10,
18 2012, in which Facebook agreed to revise its Terms of Use and parental controls, establish a
19
20 54
Facebook, Inc., Docket No. C-4365 (FTC July 27, 2012) available at
https://www.ftc.gov/sites/default/files/documents/cases/2012/08/120810facebookdo.pdf;
21
Facebook, Inc., Analysis of Proposed Consent Order to aid Public Comment, FTC, Dec. 5,
22 2011, available at
https://www.ftc.gov/sites/default/files/documents/cases/2011/12/111205facebookfrn.pdf.
23 55
Irina Ivanova, Facebook’s past failures, MSN Money, Mar. 22, 2018,
24 https://www.msn.com/en-us/money/companies/facebooks-past-failures/ar-
BBKyhST?li=BBnb7Kz.
25 56
Complaint at 2, Fraley v. Facebook, Inc., Case No. 11-CV-196193 (Cal. Super. Ct. Mar. 11,
26 2011).
57
Id.
27
28
17 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 19 of 57
1 settlement fund for authorized claimants to receive $10 in restitution, and allocate additional
2 funds to various technology charities as a Cy Pres distribution.58
3 56. Facebook was also forewarned of the possible consequences of its privacy
4 practices through its international subsidiary.
5 57. In August 2011, Facebook user Max Schrems, a German privacy rights
6 lawyer, filed a complaint against Facebook Ireland (Defendant Facebook’s Irish subsidiary
7 and the location of its European headquarters) with the Irish-based Office of the Data
8 Protection Commissioner (or “ODPC”) concerning the access and use of Facebook users’
9 personal data by developers of third-party applications which “constitute[d] a tremendous
10 threat to data privacy on facebook.com.”59 Schrems went on to state that Facebook Ireland
11 had no way “to ensure compliance with the[] limited contractual measures” it imposed on
12 developers.60 Furthermore, while Facebook purportedly requires third-party applications to
13 have a privacy policy, not all apps have one: “[w]hen the user connects to an application that
14 does not have a privacy policy, facebook.com simply hides the link that would usually bring
15 you to the privacy policy, instead of warning the user that there is not even a privacy policy.”61
16 58. As a result of Schrems’ complaint, the ODPC investigated and issued a
17 “Report of Re-Audit” (“Report”) on September 21, 2012, which noted that Facebook Ireland
18
19
20
21 58
Amended Settlement Agreement and Release, Fraley v. Facebook, Inc., (Oct. 5, 2012)
22 available at https://www.scribd.com/document/120980082/Fraley-v-Facebook-Amended-
Settlement-Agreement-2012-10-05.
23 59
Media Update, Max Schrems: Facebook knew about later “Cambridge Analytica” problem
24 since 2011—but said data sharing with questionable apps is perfectly legal, Noyb, last
accessed on Apr. 26, 2018, https://noyb.eu/wp-content/uploads/2018/03/Media-Update-
25 Cambridge-Analytica-en.pdf.
60
26 Id.
61
Id.
27
28
18 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 20 of 57
1 had failed to adopt complete protection of “sensitive personal data.”62 Specifically, the
2 ODPC recommended to Facebook Ireland that:
3 Users must be sufficiently empowered via appropriate
information and told to make a fully informed decision when
4 granting access to third party applications;
5 It must be easier for users to understand that their activation
and use of an app will be visible to their friends as a default
6 setting;
7 It should be easier for users to make informed choices about
what apps installed by friends can access personal data about
8 them.63
9
59. In June 2013, Facebook notified six million users of a data breach involving
10
their contact information, including phone numbers and emails. This data breach also
11
revealed that Facebook had been merging users’ information with data submitted by their
12
contacts in order to create fuller profiles of its users. Essentially, personal data of non-
13
Facebook users whose information may have been uploaded by friends that are Facebook
14
users was being collected by Facebook and may have been inadvertently exposed in the
15
breach.64
16
60. On December 30, 2013, users filed a lawsuit against Facebook for scanning
17
the content of their messages without consent for use in honing its advertisements in violation
18
of the Electronic Communications Privacy Act and California’s Invasion of Privacy Act.65
19
A non-monetary settlement agreement was reached in April 2017 in which Facebook enacted
20
21
62
22 Facebook Ireland Ltd., Report of Re-Audit, Data Protection Commissioner, Sept. 21, 2012,
https://dataprotection.ie/documents/press/Facebook_Ireland_Audit_Review_Report_21_Sept_2
23 012.pdf
63
24 Id.
64
Irina Ivanova, Facebook’s past failures, MSN Money, Mar. 22, 2018,
25 https://www.msn.com/en-us/money/companies/facebooks-past-failures/ar-
26 BBKyhST?li=BBnb7Kz.
65
Campbell v. Facebook Inc., 2017 U.S. Dist. LEXIS 132624 (N.D. Cal. Aug. 18, 2017).
27
28
19 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 21 of 57
1 a number of changes to its ability to monitor and use its users’ communications for
2 advertisement purposes as well as changes to its Help Center and overarching Data Policies.66
3 61. In its latest failure to protect user privacy, Facebook allowed the personal
4 information of over 87 million users to be purchased by Cambridge Analytica, which CA
5 then used to target specific political advertisements to unwitting users.
6 62. Cambridge Analytica was created in 2013 by its British parent company,
7 Strategy Communications Laboratories Group Limited and Robert Mercer, reported to be a
8 “secretive hedge fund billionaire” active in American politics. Christopher Wylie stated the
9 company’s mission as: “[they] want to fight a culture war in America.”67 The Cambridge
10 Analytica website discloses that it has offices in Washington, D.C. and in New York City,68
11 but upon information and belief, it is neither registered to do business nor licensed to conduct
12 business in either jurisdiction.
13 63. In 2015, Cambridge Analytica gained recognition when it was retained by Ted
14 Cruz’s presidential campaign, but after his campaign faltered in 2016, Cambridge Analytica
15 began working with Donald Trump’s presidential campaign.69 An interview with CA’s CEO,
16 Alexander Nix, confirms that the Trump campaign paid for Cambridge Analytica’s services.70
17 64. During the Ted Cruz presidential campaign of 2015, Global Science Research
18 Ltd. and Cambridge Analytica faced similar allegations of unauthorized use of PII from tens
19
20
21 66
Id.
67
22 Matthew Rosenberg, Nicholas Confessore, and Carole Cadwalladr, How Trump Consultants
Exploited the Facebook Data of Millions, The New York Times, Mar. 17, 2018,
23 https://www.nytimes.com/2018/03/17/us/politics/cambridge-analytica-trump-campaign.html.
68
24 Cambridge Analytica, webpage, available at https://cambridgeanalytica.org/.
69
Cambridge Analytica, Wikipedia, https://en.wikipedia.org/wiki/Cambridge_Analytica.
25
70
Parmy Olson, Face-To-Face With Cambridge Analytica’s Elusive Alexander Nix, Forbes, Mar.
26 20, 2018, https://www.forbes.com/sites/parmyolson/2018/03/20/face-to-face-with-cambridge-
analytica-alexander-nix-facebook-trump/#674008da535f.
27
28
20 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 22 of 57
1 of millions of Facebook users for targeted marketing.71 At the time, Facebook stated,
2 “misleading people or misusing [users’] information is a direct violation of our policies and
3 we will take swift action against companies that do, including banning those companies from
4 Facebook and requiring them to destroy all improperly collected data.”72 However, Facebook
5 failed to ban Cambridge Analytica from using its service at that time.73
6 65. On September 11, 2017, the Spanish Agency for Data Protection (or “AEPD”)
7 announced that it had fined Facebook €1.2 million for violating data protection regulations
8 following its investigation to determine whether the data processing carried out by Facebook
9 complied with the data protection regulations. The AEPD stated that its investigation verified
10 that Facebook fails to inform users in a comprehensive and clear way about the data that it
11 collects or about how such data is subsequently treated. In particular, the AEPD found that
12 Facebook collects data derived from its users’ interactions with third-party sites without
13 informing them that Facebook collects such data or for what purposes it will later be used or
14 disseminated. The AEPD also found that Facebook’s privacy policy contains generic and
15 ambiguous language and requires clicking through a multitude of different links to view it in
16 full. Further, the AEPD concluded that Facebook makes an inaccurate reference to the way it
17 uses the data it collects, so even Facebook users with an average knowledge of new
18 technologies would not become aware of Facebook’s data collection, storage, or use policies.74
19 66. In May 2017, the French data protection authority fined Facebook its maximum
20 allowable fine of €150,000 for violations similar to those claimed by the Spanish authorities.
21 The Commission Nationale de ‘Informatique et des Libertés complained that “Facebook
22
71
Id.
23
72
Id.
24 73
Transcript of Mark Zuckerberg’s Senate hearing, The Washington Post, Apr. 10, 2018,
25 https://www.washingtonpost.com/news/the-switch/wp/2018/04/10/transcript-of-mark-
zuckerbergs-senate-hearing/?utm_term=.ef2488691bfb.
26 74
David Meyer, Here’s Why Facebook Got a $1.4 Million Privacy Fine in Spain, Fortune, Sept.
11, 2017, http://fortune.com/2017/09/11/facebook-privacy-fine-spain/.
27
28
21 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 23 of 57
23
24 75
Mar Scott, Facebook Gets Slap on the Wrist From 2 European Privacy Regulators, The New
York Times, May 16, 2017, https://www.nytimes.com/2017/05/16/technology/facebook-
25 privacy-france-netherlands.html.
26 76
Peter Blumberg, Facebook Is Trying to Protect Bikini Photos, But It’s Not Easy, Bloomberg
Technology, Mar. 21, 2018, https://www.bloomberg.com/news/articles/2018-03-21/facebook-
27 is-trying-to-protect-bikini-photos-but-it-s-not-easy.
28
22 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 24 of 57
1 response to Facebook’s infiltration by Russian hackers, though Facebook never mentioned that
2 country by name. Under this mantle, the White Paper began with the admission that:
3 it is important that [Facebook] acknowledge and take steps to guard
4 against the risks that can arise in online communities like ours. The
reality is that not everyone shares our vision, and some will seek to
5 undermine it — but we are in a position to help constructively shape
the emerging information ecosystem by ensuring our platform
6 remains a safe and secure environment for authentic civic
engagement.”77
7
This unquestionably means that Defendant was alerted to hacking, scams, and efforts to deceive
8
Facebook users. However, Facebook took no steps to curb this behavior with respect to its own
9
third party application developers. The White Paper also confirmed that Facebook’s public
10
statements were false and misleading. Among other things, the White Paper affirmatively
11
misrepresented that Facebook had “no evidence of any Facebook accounts being compromised”
12
in connection with the 2016 election as of the date it was published on April 27, 2017.78
13
69. Stamos stated that he had initially provided a written report to Facebook
14
executives concerning the circumstances which led to the harvest of Facebook users’ Personal
15
Identifiable Information by Cambridge Analytica, but instead of taking appropriate action and
16
disclosing the incident, the report was rewritten and presented as a hypothetical scenario; which
17
appeared in the aforementioned, whitewashed “White Paper” that Facebook published to
18
further suppress and conceal its wrongdoing.
19
Facebook Represented User Privacy and Data Security as Vital to Its Business Model,
20
but Failed to Uphold Its Own Policies
21
70. Maintaining user privacy and data security has long been considered
22
important in Facebook’s business and growth prospects. A June 21, 2013 blog post entitled,
23
24
77
Jen Weedon, William Nuland and Alex Stamos, Information Operations and Facebook,
25 Facebook News Room, Apr. 27, 2017,
26 https://fbnewsroomus.files.wordpress.com/2017/04/facebook-and-information-operations-
v1.pdf
27 78
Id.
28
23 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 25 of 57
1 “Important Message from Facebook’s White Hat Program” states: “At Facebook, we take
2 people’s privacy seriously, and we strive to protect people’s information to the very best of
3 our ability. We implement many safeguards, hire the brightest engineers and train them to
4 ensure we have only high-quality code behind the scenes or your Facebook experiences . . . .
5 Your trust is the most important asset we have, and we are committed to improving our
6 safety procedures and keeping your information safe and secure.”79
7 71. However, prior to this blog post, Facebook had experienced at least one major
8 attack to its security systems and represented that it was “working continuously” to prevent
9 similar security threats in the future. A February 15, 2013 post entitled, “Protecting People
10 On Facebook” states:
11 Facebook, like every significant internet service, is frequently
targeted by those who want to disrupt or access our data and
12 infrastructure. As such, we invest heavily in preventing, detecting,
and responding to threats that target our infrastructure, and we
13 never stop working to protect the people who use our service. The
14 vast majority of the time, we are successful in preventing harm
before it happens, and our security team works to quickly and
15 effectively investigate and stop abuse.
25
79
Important Message from Facebook’s White Hat Program, Facebook, June 21, 2013,
26 https://www.facebook.com/notes/facebook-security/important-message-from-facebooks-white-
hat-program/10151437074840766/.
27
28
24 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 26 of 57
22
23
80
Protecting People on Facebook, Facebook, Feb. 15, 2013, https://es-
24 la.facebook.com/notes/facebook-security/protecting-people-on-
facebook/10151249208250766/.
25
81
Notifications for targeted attacks, Facebook, Oct. 16, 2015,
26 https://www.facebook.com/notes/facebook-security/notifications-for-targeted-
attacks/10153092994615766/.
27
28
25 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 27 of 57
1 73. Stamos once told his security team that he explained to upper management that
2 Facebook has “the threat profile of a Northrop Grumman or a Raytheon or another defense
3 contractor, but we run our corporate network, for example, like a college campus, almost.”82
4 Stamos repeatedly butted heads with Facebook executives over the lack of security with their
5 platform. He once had 120 people dedicated to cyber-security under his direction at Facebook,
6 but as of earlier in March 2018, there were only three individuals in Facebook’s entire security
7 group.83
8 74. At all relevant times, Facebook has maintained a Data Use Policy on its
9 website advising users, in part:
10
Granting us permission to use your information not only allows us
11 to provide Facebook as it exists today, but it also allows us to
provide you with innovative features and services we develop in the
12 future that use the information we receive about you in new ways.
While you are allowing us to use the information we receive about
13 you, you always own all of your information. Your trust is
14 important to us, which is why we don’t share information we
receive about you with others unless we have:
15
received your permission
16 given you notice, such as by telling you about it in this
policy; or
17
removed your name and any other personally identifying
18 information from it.84
20 allowed developers to collect information on friends of those who chose to use third-party
21 apps if their privacy settings allowed it. In an email to university colleagues, Kogan said that
22 in 2014, after he founded GSR, he transferred the app to his company and used an official
23 82
Nicole Perlroth and Sheera Frenkel, The End for Facebook’s Security Evangelist, The New
24 York Times, Mar. 20, 2018, https://www.nytimes.com/2018/03/20/technology/alex-stamos-
facebook-security.html.
25 83
Nicole Perlroth, Sheera Frenkel, and Scott Shane, Facebook Exit Hints at Dissent on Handling
26 of Russian Trolls, The New York Times, Mar. 19, 2018,
https://www.nytimes.com/2018/03/19/technology/facebook-alex-stamos.html.
27 84
Data Use Policy, Facebook, Sept. 29, 2016, https://www.facebook.com/full_data_use_policy
28
26 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 28 of 57
1 Facebook platform for developers to change the terms and conditions of his app from
2 “research” to “commercial use,” and that at no point did the social media company later
3 object. Kogan’s email further stated:
4 Through the app, we collected public demographic details about
5 each user (name, location, age, gender), and their page likes (e.g.,
the Lady Gaga page). We collected the same data about their friends
6 whose security settings allowed for their friends to share their data
through apps. Each user who authorized the app was presented with
7 both a list of the exact data we would be collecting, and also a Terms
of Service detailing the commercial nature of the project and the
8 rights they gave us as far as the data. Facebook themselves have
9 been on the record saying that the collection was through legitimate
means.85
10
76. Kogan’s position contradicts Facebook’s stance that Kogan violated the
11
company’s terms and services and then lied about it. In an email obtained by Bloomberg,
12
Kogan wrote on March 18, 2018: “We clearly stated that the users were granting us the right
13
to use the data in broad scope, including selling and licensing the data.” Kogan went on to
14
state that “These changes were all made on the Facebook app platform and thus they had full
15
ability to review the nature of the app and raise issues.” In fact, Zuckerberg admitted in his
16
testimony before the Senate Commerce and Judiciary Committees on April 10, 2018 that
17
Facebook “should have been aware that this app developer submitted a term that was in
18
conflict with the rules of the platform,” but did nothing to remedy it.86 Facebook’s position
19
is also suspect given revelations regarding its relationship with Cambridge Analytica and the
20
fact that Facebook researchers co-authored a study with Kogan in 2015 that also used data
21
harvested by a Facebook app.87
22
85
Lauren Etter and Sarah Frier, Facebook App Developer Kogan Defends His Actions With User
23
Data, Bloomberg Technology, Mar. 21, 2018, https://www.bloomberg.com/news/articles/2018-
24 03-21/facebook-app-developer-kogan-defends-his-actions-with-user-data.
86
Transcript of Mark Zuckerberg’s Senate hearing, The Washington Post, Apr. 10, 2018,
25 https://www.washingtonpost.com/news/the-switch/wp/2018/04/10/transcript-of-mark-
26 zuckerbergs-senate-hearing/?utm_term=.ef2488691bfb.
87
See n. 79.
27
28
27 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 29 of 57
1 77. Further, Kogan maintains that he did not violate Facebook’s policy, because
2 “For you to break a policy it has to exist and really be their policy.”88 In making this
3 statement, Kogan acknowledged that he may have broken the actual “black and white” rules
4 of Facebook’s privacy policy, but that clarified that “[] Facebook clearly has never cared. I
5 mean, it never enforced this agreement. They’ll let you know if you do anything wrong. I
6 had a terms of service that was up there for a year and a half that said I could transfer and
7 sell the data. Never heard a word.”89
8 78. Although Facebook claims it did not receive notice that Cambridge Analytica
9 was harvesting users’ personal data until 2015, its response to an inquiry from the tech
10 publication WIRED regarding the incident confirms that Facebook personnel were aware of
11 similar user privacy issues by at least 2014, and knew that updates to Facebook’s policies
12 and data security practices were necessary to alleviate concerns that had already been
13 expressed by Facebook users. In 2014, Facebook responded by stating that “after hearing
14 feedback from the Facebook community, we made an update to ensure that each person
15 decides what information they want to share about themselves, including their friend list.”
16 The Company went on to further assure users that “Before you decide to use an app, you can
17 review the permissions the developer is requesting and choose which information to share.
18 You can manage or revoke those permissions at any time.”90
19 79. Even after Facebook changed its policy in 2014, supposedly to protect user
20 information from being exploited by “bad actors,” Facebook gave developers a full year
21
88
Alex Hern and Jim Waterson, Facebook in ‘PR crisis mode’ over Cambridge Analytica
22 scandal, The Guardian, Apr. 24, 2018 https://www.theguardian.com/uk-
news/2018/apr/24/facebook-in-pr-crisis-mode-over-cambridge-analytica-scandal-outrage-
23 hallow-aleksandr-kogan.
89
24 Willa Frej, Professor Who Sold Facebook Data To Cambridge Analytica ‘Sincerely Sorry’,
Huffpost, Apr. 23, 2018, https://www.theguardian.com/uk-news/2018/apr/24/facebook-in-pr-
25 crisis-mode-over-cambridge-analytica-scandal-outrage-hallow-aleksandr-kogan.
90
See Paul Grewal, Suspending Cambridge Analytica and SCL Group from Facebook, Facebook
26 Newsroom, Mar. 16, 2018, https://newsroom.fb.com/news/2018/03/suspending-cambridge-
analytica/.
27
28
28 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 30 of 57
1 before it ended their access to friends’ newsfeeds and photos. Worse, Facebook failed to
2 follow up on suspicious activity when security protocols were triggered, as noted by Wylie.91
3 80. Facebook’s failure to detect and prevent the harvesting of Personal
4 Identifiable Information by Cambridge Analytica, or to adequately respond with proper
5 notification and disclosures to Facebook users in accordance with best practices and
6 applicable laws, belies any claim that Facebook’s actual “monitoring” practices and internal
7 data security and privacy policies were sufficient. Facebook’s user privacy data security
8 practices were woefully inadequate.
9 81. The incident has violated the privacy of millions of people in every state. The
10 privacy and personal, sensitive information of 87 million people is now at high risk for
11 identity theft and compromise, and will continue to be at risk as a direct result of the acts of
12 Defendants.
13 Government Investigations and Lawsuits
14 82. In the days after the breach was publicly revealed, the Attorneys General of
15 New York and Massachusetts announced an investigation into Facebook and Cambridge
16 Analytica.92 On March 19, 2018, Senator Ron Wyden followed up with a detailed series of
17 questions for Facebook to answer.93
18 83. Senators Amy Klobuchar, Democrat of Minnesota, and John Kennedy,
19 Republican of Louisiana, requested a hearing to look into the misappropriation of user
20
91
21 Carole Cadwalladr, ‘I made Steve Bannon’s psychological warfare tool’: meet the data war
whistleblower, The Guardian, Mar. 18, 2018,
22 https://www.theguardian.com/news/2018/mar/17/data-war-whistleblower-christopher-wylie-
faceook-nix-bannon-trump.
23
92
Press Release, New York State Office of the Attorney General, Statement “From A.G.
24 Schneiderman on Facebook/Cambridge Analytica”, Mar. 20, 2018, available at
https://ag.ny.gov/press-release/statement-ag-schneiderman-facebookcambridge-analytica.
25
93
See Letter from U.S. Senator Ron Wyden, to Mark Zuckerberg, C.E.O. of Facebook, Inc.,
26 (Mar. 19, 2018), available at https://www.wyden.senate.gov/imo/media/doc/wyden-cambridge-
analytica-to-facebook.pdf.
27
28
29 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 31 of 57
28
30 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 32 of 57
1 breached. Parakilas explained, “My concerns were that all of the data that left Facebook
2 servers to developers could not be monitored by Facebook.”98 He also said that Facebook
3 could have prevented the collection of Personal Identifiable Information by Cambridge
4 Analytica.
5 85. Parakilas was initially told that any decision to ban an app required the
6 personal approval of the chief executive, Mark Zuckerberg.
7 86. Parakilas believes that “a majority of Facebook users” have had their data
8 exfiltrated—without their consent— by unknown third parties. The misuse of the
9 compromised data continues to this day, with no oversight and in direct violation of the most
10 basic autonomy and privacy rights of the individuals who have been— and continue to be—
11 profiled.99
12 87. Parakilas stated that as many as “[h]undreds of millions of Facebook users are
13 likely to have had their private information harvested by companies that exploited the same
14 terms as the firm that collected data and passed it on to Cambridge Analytica.”100
15 88. Facebook’s “trust model” was rife with security vulnerabilities and a near total
16 abnegation of its responsibility to audit its own rules limiting use of Facebook data by third
17 parties. Or in Parakilas’ own words, “[Facebook] felt that it was better not to know.”101
18 89. That company philosophy and practice has continued since Parakilas’s
19 departure from Facebook, as evidenced by the improper harvesting and hijacking of more than
20 87 million of the company’s user profiles by Cambridge Analytica. Facebook’s stated
21
22
98
Paul Lewis, ‘Utterly horrifying’: ex-Facebook insider says convert data harvesting was
23 routine, The Guardian, Mar. 20, 2018,
https://www.theguardian.com/news/2018/mar/20/facebook-data-cambridge-analytica-sandy-
24 parakilas.
99
25 Id.
100
26 Id.
101
Id.
27
28
31 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 33 of 57
16
102
Matthew Rosenberg, Nicholas Confessore, and Carole Cadwalladr, How Trump Consultants
17 Exploited the Facebook Data of Millions, The New York Times, Mar. 17, 2018,
https://www.nytimes.com/2018/03/17/us/politics/cambridge-analytica-trump-campaign.html.
18 103
Id.; n. 90.
19 104
Shona Ghosh, Everything happening to Facebook stems from its radical thesis of ‘Move fast
20 and break things’, Business Insider, Mar. 22, 2018,
http://www.businessinsider.com/everything-happening-to-facebook-stems-from-its-radical-
21 thesis-of-move-fast-and-break-things-2018-3
105
22 David McLaughlin, Ben Brody, and Billy House, Facebook Draws Scrutiny From FTC,
Congressional Committees, Bloomberg Politics, Mar. 20, 2018,
23 https://www.bloomberg.com/news/articles/2018-03-20/ftc-said-to-be-probing-facebook-for-
use-of-personal-data
24 106
Facebook, Inc., Docket No. C-4365 (FTC July 27, 2012) available at
25 https://www.ftc.gov/sites/default/files/documents/cases/2012/08/120810facebookdo.pdf;
Facebook, Inc., Analysis of Proposed Consent Order to aid Public Comment, FTC, Dec. 5,
26 2011, available at
https://www.ftc.gov/sites/default/files/documents/cases/2011/12/111205facebookfrn.pdf.
27
28
32 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 34 of 57
1 92. The current FTC investigation involves similar concerns about Facebook’s
2 user privacy practices. In an interview with The New York Times, David Vladeck, former
3 director of the FTC’s Bureau of Consumer Protection, said the Cambridge Analytica incident
4 may have violated Facebook’s 2011 consent decree. Vladeck further explained that “There
5 are all sorts of obligations under the consent decree that may not have been honored here.”107
6 In another interview, with The Washington Post, Vladeck stated, “I will not be surprised if
7 at some point the FTC looks at this. I would expect them to[.]”108 Jessica Rich, who also
8 served as director of the bureau and was deputy director under Vladeck, said, “Depending
9 on how all the facts shake out, Facebook’s actions could violate any of all of these provision,
10 to the tune of many millions of dollars in penalties. They could also constitute violations of
11 both U.S. and EU laws,” adding, “Facebook can look forward to multiple investigations and
12 potentially a whole lot of liability here.”109
13 93. In a statement on March 20, 2018, a FTC spokeswoman stated “We are aware
14 of the issues that have been raised but cannot comment on whether we are investigating,”
15 adding that “We take any allegations of violations of our consent decrees very seriously.”110
16 94. Concerning the 2011 FTC investigation, Facebook’s deputy chief privacy
17 officer, Rob Sherman, stated: “We remain strongly committed to protecting people’s
18 information. We appreciate the opportunity to answer questions the FTC may have.”111 If
19
107
20 Cecilia Kang, Facebook Faces Growing Pressure Over Data and Privacy Inquiries, The New York
Times, Mar. 20, 2018, https://www.nytimes.com/2018/03/20/business/ftc-facebook-privacy-
21 investigation.html.
108
Craig Timberg, Tony Romm, and Elizabeth Dowskin, U.S. and European officials question
22 Facebook’s protection of personal data, The Washington Post, Mar. 18, 2018,
https://www.washingtonpost.com/business/economy/us-and-european-officials-question-facebooks-
23
protection-of-personal-data/2018/03/18/562b5b0e-2ae2-11e8-911f-
24 ca7f68bff0fc_story.html?utm_term=.78754f22e61b.
109
Id.
25 110
Dylan Byers, Regulators, lawmakers up pressure on Facebook over user data and privacy, CNN Tech,
26 Mar. 20, 2018, http://money.cnn.com/2018/03/20/technology/ftc-pressure-facebook/.
111
Id.
27
28
33 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 35 of 57
1 Facebook violated terms of the consent decree, it could face fines of more than $40,000 a
2 day per violation.112 The FTC confirmed on March 26, 2018, that “it has an open non-public
3 investigation into [Facebook’s privacy] practices.”113
4 95. Zuckerberg appeared before Congress and admitted during his testimony
5 before the Senate Commerce and Judiciary Committees on April 10, 2018 and testimony
6 before the House Energy and Commerce Committee on April 11, 2018, that “[Facebook]
7 didn’t take a broad enough view of [its] responsibility [on data privacy], and that was a big
8 mistake. And it was my mistake. And I’m sorry. I started Facebook, I run it, and I’m
9 responsible for what happens here.”114 Furthermore, he committed to improve his company’s
10 security, “includ[ing] the basic responsibility of protecting people’s information, which we
11 failed to do with Cambridge Analytica.”115
12 96. Senator Amy Klobuchar (D-Minn.) made it clear to Zuckerberg that Congress
13 disapproves of Facebook’s current privacy efforts. She stated prior to her questioning: “I think
14 we all agree that what happened here was bad. You acknowledged it was a breach of trust.
15 And the way I explain it to my constituents is that if someone breaks into my apartment with
16 the crowbar and they take my stuff, it’s just like if the manager gave them the keys or if they
17 didn’t have any locks on the doors, it’s still a breach; it’s still a break in.”
18
19
20
112
Todd Shields and Vonnie Quinn, Facebook Could Be Fined millions for Violating Consent
21
Deal, Bloomberg, Mar. 29, 2018, https://www.bloomberg.com/news/articles/2018-03-
22 29/facebook-risks-millions-of-dollars-in-ftc-fines-over-data-crisis.
113
Press Release, Federal Trade Commission, “Statement by the Acting Director of FTC’s
23
Bureau of Consumer Protection Regarding Reported Concerns about Facebook Privacy
24 Practices”, Mar. 26, 2018, available at https://www.ftc.gov/news-events/press-
releases/2018/03/statement-acting-director-ftcs-bureau-consumer-protection.
25 114
Transcript of Mark Zuckerberg’s Senate hearing, The Washington Post, Apr. 10, 2018,
26 https://www.washingtonpost.com/news/the-switch/wp/2018/04/10/transcript-of-mark-
zuckerbergs-senate-hearing/?utm_term=.ef2488691bfb.
27 115
Id.
28
34 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 36 of 57
24
25
116
Id.
26 117
Id.
27 118
Id.
28
35 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 37 of 57
2 100. Plaintiffs bring this class action claim pursuant to Rule 23 of the Federal Rules
3 of Civil Procedure. The requirements of Rule 23 are met with respect to the class defined
4 below.
5 101. Plaintiffs bring their claims on her own behalf, and on behalf of the following
10 102. Excluded from the Class are Defendants and any entities in which any
11 Defendant or their subsidiaries or affiliates have a controlling interest, and Defendants’
12 officers, agents, and employees. Also excluded from the Class are the judge assigned to this
13 action, and any member of the judge’s immediate family.
14 103. Plaintiffs reserve the right to amend or modify the Class definition in
15 connection with a motion for class certification and/or the result of discovery.
16 104. This lawsuit is properly brought as a class action for the following reasons.
17 The Class is so numerous that joinder of the individual members of the proposed Class is
18 impracticable. Plaintiffs reasonably believe that the Class includes eighty-seven (87) million
19 people or more in the aggregate and well over 1,000 in the smallest of the classes. The
20 precise number and identities of Class members are unknown to Plaintiffs, but are known
21 to Defendants and can be ascertained through discovery regarding the information kept by
22 Defendants or their agents.
23 105. Questions of law or fact common to the Class exist as to Plaintiffs and all
24 Class members, and these common questions predominate over any questions affecting only
25 individual members of the Class. The predominant common questions of law and/or fact
26 include the following:
27
28
36 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 38 of 57
19 k. Whether Plaintiffs and the Class are entitled to equitable relief, including,
but not limited to, injunctive relief and restitution; and
20
l. Whether Plaintiffs and the other Class members are entitled to actual,
21
statutory, or other forms of damages, and other monetary relief.
22 106. Defendants engaged in a common course of conduct giving rise to the legal
23 rights sought to be enforced by Plaintiffs and the Class. Individual questions, if any, pale by
24 comparison to the numerous common questions that predominate.
25 107. Plaintiffs’ claims are typical of the claims of Class members. The injuries
26 sustained by Plaintiffs and the Class flow, in each instance, from a common nucleus of
27 operative facts based on the Defendants’ uniform conduct as set forth above. The defenses,
28
37 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 39 of 57
1 if any, that will be asserted against Plaintiffs’ claims likely will be similar to the defenses
2 that will be asserted, if any, against Class members’ claims.
3 108. Plaintiffs will fairly and adequately protect the interests of Class members.
4 Plaintiffs have no interests materially adverse to or that irreconcilably conflict with the
5 interests of Class members and have retained counsel with significant experience in handling
6 class actions and other complex litigation, and who will vigorously prosecute this action.
7 109. A class action is superior to other available methods for the fair and efficient
8 group-wide adjudication of this controversy, and individual joinder of all Class members is
9 impracticable, if not impossible. The cost to the court system of individualized litigation
10 would be substantial. Individualized litigation would likewise present the potential for
11 inconsistent or contradictory judgments and would result in significant delay and expense
12 to all parties and multiple courts hearing virtually identical lawsuits. By contrast, a class
13 action presents fewer management difficulties, conserves the resources of the parties and
14 the courts and protects the rights of each Class member.
15 110. Defendants have acted on grounds generally applicable to the entire Class,
16 thereby making injunctive relief or corresponding declaratory relief appropriate with respect
17 to the Class as a whole.
18 111. Likewise, particular issues under Rule 23(c)(4) are appropriate for
19 certification because such claims present only particular, common issues, the resolution of
20 which would advance the disposition of this matter and the parties’ interests therein. Such
21 particular issues include, but are not limited to:
22 a. Whether (and when) Facebook knew about the improper collection of
23 Personally Identifiable Information;
services;
1
4 e. Whether Facebook failed to comply with its own policies and applicable
laws, regulations, and industry standards relating to data security;
5
f. Whether Defendants’ acts, omissions, misrepresentations, and practices
6 were and are likely to deceive consumers;
7
g. Whether Defendants’ conduct violated Cal. Bus. & Prof. Code § 22575, et
8 seq.;
15 COUNT ONE
16 Negligence as Against Facebook
17
112. Plaintiffs hereby incorporate all the above allegations by reference as if fully
18
set forth herein. Plaintiffs assert this count individually and on behalf of the proposed Class.
19
113. Defendants owed a duty to Plaintiffs and the Class to exercise reasonable care
20
in obtaining and protecting their Personally Identifiable Information, and keeping it from
21
being compromised, lost, stolen, misused, and or/disclosed to unauthorized parties.
22
114. Defendants knew that the Personally Identifiable Information of Plaintiffs and
23
the Class was personal and sensitive information that is valuable.
24
115. By being entrusted by Plaintiffs and the Class to safeguard their Personally
25
Identifiable Information, Facebook had a special relationship with Plaintiffs and the Class.
26
Plaintiffs and the Class signed up for Facebook’s services and agreed to provide their
27
Personally Identifiable Information with the understanding that Facebook would take
28
39 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 41 of 57
1 appropriate measures to protect it, and would inform Plaintiffs and the Class of any breaches
2 or other security concerns that might call for action by Plaintiffs and the Class. But, Facebook
3 did not. Facebook failed to prevent Cambridge Analytica and Global Science Research Ltd.
4 from improperly obtaining Plaintiffs’ and the Class Members’ Personally Identifiable
5 Information.
6 116. Defendants breached their duties by failing to adopt, implement, and maintain
7 adequate security measures to safeguard the Personally Identifiable Information, or by
8 obtaining that Personally Identifiable Information without authorization.
9 117. Facebook breached its duties by allowing a third-party to access and obtain
10 the Personally Identifiable Information of approximately 87 million users that did not
11 consent to provide this information to either Facebook or Cambridge Analytica.
12 118. Facebook further breached its duties by failing to confirm that Cambridge
13 Analytica had deleted users’ Personally Identifiable Information after it became aware of the
14 breach of information.
15 119. Facebook also breached their duty to timely disclose that Plaintiffs’ and the
16 other class members’ Personally Identifiable Information had been, or was reasonably
17 believed to have been, improperly obtained. Facebook first discovered that its users’
18 information had been improperly obtained in at least 2015, but did not disclose the privacy
19 breach until media pressure forced it to respond on March 22, 2018.
20 120. Cambridge Analytica had a duty to refrain from obtaining Plaintiffs’ and the
21 Class Members’ Personally Identifiable Information without their consent or authorization.
22 121. But for Defendants’ wrongful and negligent breach of their duties owed to
23 Plaintiffs and the Class, their Personally Identifiable Information would not have been
24 improperly obtained. Defendants’ negligence was a direct and legal cause of the theft of the
25 Personally Identifiable Information of Plaintiffs and the Class and all resulting damages.
26
27
28
40 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 42 of 57
1 122. The injury and harm suffered by Plaintiffs and the Class members was the
2 reasonably foreseeable result of Defendants’ failure to exercise reasonable care in safeguarding
3 and protecting Plaintiffs’ and the other class members’ Personally Identifiable Information.
4 123. These damages include, but are not limited to, invasion of privacy, theft of
5 Personally Identifiable Information, increased risk of data breaches, increased risk of identity
6 theft, emotional distress, lost time, effort and money in responding to Facebook’s negligence
7 and misuse of their personal data beyond what Facebook promised.
8 COUNT TWO
9 Negligent Misrepresentation as Against Facebook
10 124. Plaintiffs incorporate all of the above allegations by reference as if fully set
11 forth herein.
12 125. As alleged herein, Defendant Facebook, through its agent and Chief Executive
13 Officer, Mark Zuckerberg, repeatedly assured Plaintiffs and Class Members that their data
14 would be private and protected.
15 126. Facebook further assured that users’ data would not be shared with third-party
16 applications without users’ express permission.
17 127. At the time Defendant Facebook made these representations, Defendant knew
18 or should have known that these representations were false or made them without knowledge
19 of their truth or veracity.
20 128. At minimum, Defendant Facebook negligently misrepresented and/or
21 negligently omitted material facts concerning its commitment to privacy and the safety of
22 user data.
23 129. The negligent misrepresentations and omissions made by Defendant, upon
24 which Plaintiffs and all Class members reasonably and justifiably relied, were intended to
25 induce, and actually induced, Plaintiffs and all Class members to create Facebook profiles,
26 share personally identifiable information with Facebook, and depend upon Facebook to use
27 that data only in the ways defined in the data use policy.
28
41 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 43 of 57
1 130. Plaintiffs and Class members would not have used Facebook’s product, or
2 would not have provided personally identifiable information to Facebook, if the true manner
3 in which their data was being used was known to them, contrary to Facebook’s repeated
4 assurances.
5 131. The negligent actions of Defendant caused damage to Plaintiffs and all Class
6 members, who are entitled to damages and other legal and equitable relief as a result.
7
COUNT THREE
8
Violations of the Stored Communications Act, 18 U.S.C. § 2701, et seq.
9
132. Plaintiffs incorporate all of the above allegations by reference as if fully set
10
forth herein.
11
133. Facebook is an electronic communications provider within the meaning of the
12
Stored Communications Act (“SCA”).
13
134. Under the Stored Communications Act, an entity providing an electronic
14
communication service to the public “shall not knowingly divulge to any person or entity the
15
contents of a communication while in electronic storage by that service.” 18 U.S.C. §
16
2702(a)(1).
17
135. The servers Facebook uses to provide its electronic communications service
18
to Facebook users are a “facility” within the meaning of the SCA.
19
136. Facebook and Cambridge Analytica are “persons” within the meaning of the
20
SCA.
21
137. Section 2701(a)(1) of the Stored Communications Act authorizes a private
22
right of action for damages, injunctive relief and equitable relief against any person who
23
“intentionally exceeds an authorization to access (a facility through which an electronic
24
communication service is provided] . . . and thereby obtains . . . access to wire or electronic
25
communication while it is in electronic storage in such system . . . .”
26
27
28
42 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 44 of 57
1 138. Facebook intentionally exceeded any authorization they may have had to
2 Plaintiffs’ and other users’ stored electronic communications by allowing Global Science
3 Research Limited and Cambridge Analytica to have access to Plaintiffs’ and other users’
4 stored electronic communications which also contained sensitive personal information.
5 139. Facebook knowingly allowed Global Science Research Limited and
6 Cambridge Analytica and as yet unknown other possible third parties to intentionally exceed
7 any authorization it may have had to Plaintiffs’ and other users’ stored electronic
8 communications.
9 140. Facebook’s provision related to users’ personal data and its access to third
10 parties, including Cambridge Analytica’s acquisition of the same, as alleged herein,
11 exceeded any authorization from any party to the personal data at issue.
12 141. Because of the architecture of Facebook’s servers, the sharing of personal data
13 among Facebook users results in and constitutes interstate data transmissions.
14 142. Plaintiffs and Class members have been harmed by Defendants’ misconduct
15 and are entitled to statutory damages, actual damages, and reasonable attorneys’ fees and
16 costs, as well as declaratory and injunctive relief.
17 COUNT FOUR
18
Violations of California’s Unfair Competition Law (“UCL”)—Unlawful Business Practices
19 (Cal. Bus. & Prof. Code § 17200, et seq.)
20 143. Plaintiffs incorporate all of the above allegations by reference as if fully set
21 forth herein.
23 practices within the meaning of the UCL. The conduct alleged herein is a “business practice”
25 145. Facebook represented that it would not disclose users’ Personally Identifiable
26 Information without consent and/or notice. It also required application developers, like
27
28
43 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 45 of 57
1 Cambridge Analytica and Global Science Research Ltd., to obtain and utilize users’
2 Personally Identifiable Information in specified, limited ways.
3 146. Facebook failed to abide by these representations. Facebook did not prevent
4 improper disclosure of Plaintiffs’ and the Class Members’ Personally Identifiable
5 Information.
6 147. Facebook stored the Personally Identifiable Information of Plaintiffs and
7 members of the Class in its electronic and consumer information databases. Defendants
8 represented to Plaintiffs and members of the Class that their Personally Identifiable
9 Information would remain private. Defendants engaged in unfair acts and business practices
10 by representing that they would not disclose this Personally Identifiable Information without
11 authorization, and/or by obtaining that Personally Identifiable Information without
12 authorization.
13 148. Cambridge Analytica obtained Plaintiffs’ and the Class Members’ Personally
14 Identifiable Information either wholly without authorization or in excess of any authorization
15 it—or its agents—may have obtained.
16 149. Defendants’ acts, omissions, and misrepresentations as alleged herein were
17 unlawful and in violation of, inter alia, Cal. Civ. Code § 1798.81.5(b), Section 5(a) of the
18 Federal Trade Commission Act, 15 U.S.C. § 45(a), and Cal. Bus. & Prof. Code § 22576 (as
19 a result of Facebook failing to comply with its own posted policies).
20 150. In Silicon Valley, data is currency. Plaintiffs and the Class members suffered
21 injury in fact and lost money or property as the result of Defendants’ unlawful business
22 practices. In particular, Plaintiffs’ and Class members’ Personally Identifiable Information
23 was “harvested” and is in the hands of those who will use it for their own advantage, or is
24 being sold for value, making it clear that the information at issue in this case is of tangible
25 value.
26
27
28
44 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 46 of 57
28
45 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 47 of 57
1 serious threat to the free exercise of personal liberties and cannot be tolerated in a free and
2 civilized society.”
3 158. Defendants’ acts in violation of the CIPA occurred in the State of California
4 because those acts resulted from business decisions, practices, and operating policies that
5 Facebook developed, implemented, and utilized in the State of California and which are
6 unlawful and constitute criminal conduct in the state of Facebook’s residence and principal
7 business operations. Facebook’s implementation of its business decisions, practices, and
8 standard ongoing policies that violate the CIPA took place and continue to take place in the
9 State of California. Defendants profited and continue to profit in the State of California as a
10 result of its repeated and systemic violations of the CIPA. Defendants’ unlawful conduct,
11 which occurred in the State of California, harmed and continues to harm Plaintiffs and Class
12 Members.
13 159. Plaintiffs and Class Members sent and received private messages, private wall
14 posts, status updates, and other private communications via Facebook’s services.
15 160. Defendants are not, and were not at any time, a party of Plaintiffs’ and Class
16 Members’ private messages.
17 161. The private messages, status updates, wall posts, and other private
18 communications exchanged among Plaintiffs and Class Members are messages.
19 162. These messages are communications among Plaintiffs and Class Members.
20 A. Violations of Cal. Penal Code § 631(a)
21
163. Pursuant to Cal. Penal Code § 7, Defendants, corporations, are “persons.”
22
164. Defendants use a “machine,” “instrument,” “contrivance,” or “in any other
23
manner” are able to, read or to learn the content or meaning of Plaintiffs’ and Class Members’
24
private messages.
25
165. Defendants act willfully when they read, attempt to read, or learn the content
26
or meaning of Plaintiffs’ and Class Members’ private messages.
27
28
46 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 48 of 57
1 166. Defendants do not have the consent of any party to the communication, or
2 they act in an unauthorized manner, when they read, attempt to read, or learn the content or
3 meaning of Plaintiffs’ and Class Members’ private messages.
4 167. Plaintiffs’ and Class Members’ private Facebook communications are “any
5 message, report, or communication.”
6 168. At the time Defendants read, attempt to read, or learn the content or meaning
7 of Plaintiffs’ and Class Members’ private communications, the private communications are in
8 transit.
9 169. At the time Defendants read, attempt to read, or learn the content or meaning
10 of Plaintiffs’ and Class Members’ private communications, the private communications are
11 passing over any wire, line, or cable.
12 170. Private Facebook communications—coded, written messages sent
13 electronically to remote locations— are telegraphs within the meaning of the CIPA and this
14 section of CIPA. As such, the wires, lines, cables, and/or instruments which carry and facilitate
15 the transmission of Plaintiffs’ and Class Members private Facebook communications are
16 telegraph wires, lines, cables and/or instruments within the meaning of the CIPA and CIPA §
17 631(a).
18 171. Plaintiffs and Class Members do not consent, expressly or impliedly, to
19 Defendants’ eavesdropping upon and recording of their private communications. Defendants
20 do not disclose material information to Facebook users relating to their attempts at, among
21 other things, intercepting, storing, and analyzing the contents of users’ private
22 communications.
23 172. There is no knowledge or expectation among Plaintiffs and Class Members
24 regarding the extent of Defendants’ reading of private communications, learning about the
25 content or meaning of such content, the acquisition of such content, the collection of such
26 content, or the manipulation of such content for pecuniary gain. Each and every one of these
27
28
47 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 49 of 57
1 actions extends beyond the normal occurrences, requirements, and expectations regarding the
2 facilitation and transmission of Facebook’s private communication.
3 B. Violations of Cal. Penal Code § 632
4
173. Pursuant to Cal. Penal Code §§ 7 and 632(b), Defendants, corporations, are
5
“persons.”
6
174. Cal. Penal Code § 632 prohibits eavesdropping upon or the recording of any
7
confidential communication, including those occurring by telephone, telegraph, or other
8
device, through the use of an amplification or electronic recording device without the consent
9
of all parties to the communication.
10
175. Defendants intentionally and without the consent of any party to the
11
communications, eavesdrops upon and/or records and uses the contents of Plaintiffs’ and Class
12
Members’ private communications.
13
176. Defendants use electronic amplifying or recording devices, including
14
Cambridge Analytica’s data gathering technology, to eavesdrop upon and to record Plaintiffs’
15
and Class Members’ private communications, for purposes independent and unrelated to
16
storage.
17
177. Plaintiffs’ and Class Member’s private communications are confidential
18
communications with specifically identified and designated recipients.
19
178. At the time Plaintiffs and Class Member transmit private messages, status
20
updates, wall posts, or other private communications through Facebook, their communications
21
are confidential because the communications are confined to those persons specified as
22
recipients in the destination address fields as pertaining to private messages, and are confined
23
to pre-determined “friends” as to other communications on a private profile. There neither
24
would nor could be any expectation that a third party, such as Cambridge Analytica or
25
Facebook, would act in any manner other than to facilitate the communication of the private
26
message between the sender and the intended recipient or recipients. There certainly would not
27
and could not be any expectation that Cambridge Analytica—through Facebook—would be
28
48 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 50 of 57
1 able to access a trove of personal information and private communications without the consent
2 or knowledge of Plaintiffs or Class Members with the intent to use such information for
3 profiling, political advertising, and other non-academic and commercial purposes.
4 179. There is no knowledge or expectation among Plaintiffs and Class Members
5 regarding the extent of Defendants’ reading and use of users’ private communications content,
6 learning about the content or meaning of those private communications, acquiring and
7 collecting the content of such communications, and manipulating the content of such
8 communications—each action being beyond the normal occurrences, requirements, and
9 expectations regarding the facilitation and transmission of private communications on
10 Facebook.
11 180. Plaintiffs’ and Class Members’ private communications sent via Facebook are
12 carried on among the parties by means of an electronic device that is not a radio.
13 181. Plaintiffs and Class Members do not consent, expressly or impliedly, to
14 Defendants’ eavesdropping upon and recording of their private communications. Neither
15 Facebook nor Cambridge Analytica disclosed material information to Facebook users relating
16 to their attempts to read, scan, acquire, collect, and manipulate the contents of users’ private
17 communications.
18 182. While Plaintiffs have identified certain accused devices and/or technology in
19 this Complaint, Plaintiffs reserve the right to assert violations of Cal. Penal Code §§ 631 and
20 632 as to any further devices or technology subsequently discovered or any devices or
21 technology upon which Facebook provides additional information.
22 C. Violations of Cal. Penal Code § 637.7
23
183. As defined under CIPA, “‘electronic tracking device’ means any device
24
attached to a vehicle or other movable thing that reveals its location or movement by the
25
transmission of electronic signals.” § 637.7(d). CIPA expressly prohibits the use of “an
26
electronic tracking device to determine the location or movement of a person.” Cal. Pen. Code
27
§ 637.7(a).
28
49 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 51 of 57
1 184. Among the data points harvested by Facebook and provided to the remaining
2 Defendants (as well as all third-party developers who used the “friends’ permission” feature) was
3 the location of Plaintiffs’ and Class Members.
4 185. Facebook acquired—and Cambridge Analytica exfiltrated and used—Plaintiffs’
5 and Class Members’ location through, inter alia, location data associated with smartphones and
6 other mobile devices running Facebook.
7 186. Plaintiffs and Class members did not consent to said acquisition of location
8 information by any Defendant.
9 D. Relief Sought Under Cal. Penal Code § 637.2
10
187. As a result of Defendants’ violations of Cal. Penal Code §§ 631, 632, and 637,
11
Plaintiffs and the Class are entitled to:
12
a. Preliminary and permanent injunctive relief to require Facebook and
13 Cambridge Analytica to fully disclose the extent of their activities, to
seek the informed and knowing consent of all Facebook users when
14 gathering private communications data, and to halt their violations;
15
b. Appropriate declaratory relief;
16
c. Monetary relief in the amount set forth in Cal. Penal Code § 637.2(a)
17 for each Class Member; and
22 188. Plaintiffs incorporate all of the above allegations by reference as if fully set forth
23 herein.
24 189. Plaintiffs and Class Members have reasonable expectations of privacy in their
27 unique position to monitor Plaintiffs’ and Class Members’ behavior through its access to Plaintiffs’
28
50 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 52 of 57
1 and Class members’ user data. It is further supported by the surreptitious, highly-technical, and
2 non-intuitive nature of Defendants’ collective tracking and exfiltrating of Plaintiffs’ and Class
3 Members’ personal data, via third party apps that Class members did not download, much less
4 provide authorization for such behavior.
5 191. Defendants intentionally intruded on and into Plaintiffs’ and Class Members’
6 solitude, seclusion, or private affairs. Facebook intentionally designed its platform—and
7 established commensurate policies and procedures governing such platform—to enable the
8 exfiltration, without authorization, of Class Members’ personal data by third-party apps such as
9 “ThisIsYourDigitalLife.” Defendants intentionally availed themselves of Facebook’s privacy-
10 invasive measures in order to acquire Class Members’ personal data without consent.
11 192. Defendants intentionally intruded on and into Plaintiffs’ and Class Members’
12 solitude, seclusion, or private affairs by intentionally facilitating the exfiltration of Class Members’
13 personal data to surreptitiously obtain, improperly gain knowledge of, review, and/or retain
14 Plaintiffs’ and Class members’ personal data and activities through the monitoring technologies
15 and policies described herein.
16 193. These intrusions are highly offensive to a reasonable person. This is evidenced by,
17 inter alia, the immense outcry following the revelation of these acts and practices—not only from
18 the public, but also from regulators and legislators. Further, the extent of the intrusion cannot be
19 fully known, as the nature of privacy invasion involves sharing Plaintiffs’ and Class members’
20 personal information with potentially countless third-parties, known and unknown, for undisclosed
21 and potentially unknowable purposes, in perpetuity. Also supporting the highly offensive nature
22 of Defendants’ conduct is the fact that Defendants’ principal goal was to surreptitiously monitor
23 Plaintiffs’ and Class Members—in one of the most private spaces available to an individual in
24 modern life—and to allow third-parties to do the same.
25 194. Plaintiffs and Class Members were harmed by the intrusion into their private affairs
26 as detailed throughout this Complaint.
27
28
51 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 53 of 57
1 195. Defendants’ actions and conduct complained of herein were a substantial factor in
2 causing the harm suffered by Plaintiffs and Class Members.
3 196. As a result of Defendants’ actions, Plaintiffs and Class Members seek injunctive
4 relief, in the form of (1) destruction of all data obtained by Cambridge Analytica; (2) certification
5 by Facebook that no third parties presently are able to access Plaintiffs’ and Class Members’ user
6 data without first obtaining express consent; (3) audits, by Facebook, of all third parties who
7 obtained user data through the “friends permissions” feature; (4) notification, by Facebook to
8 Plaintiffs and Class members, of each instance in which a third party obtained user data—including
9 the type of user data—via the “friends permissions” feature; and, (5) destruction of all improperly
10 obtained user data of Plaintiffs and Class Members.
11 197. As a result of Defendants’ actions, Plaintiffs and Class members seek nominal and
12 punitive damages in an amount to be determined at trial. Plaintiffs and Class members seek
13 punitive damages because Defendants’ actions—which were malicious, oppressive, willful—were
14 calculated to injure Plaintiffs and made in conscious disregard of Plaintiffs’ rights. Punitive
15 damages are warranted to deter Defendants from engaging in future misconduct.
16
COUNT SEVEN
17
Violation of the California Constitution Article I, Section I
18
198. Plaintiffs incorporate all of the above allegations by reference as if fully set forth
19
herein.
20
199. Plaintiffs and Class Members have reasonable expectations of privacy in their
21
online behavior on Facebook.
22
200. The reasonableness of such expectations of privacy is supported by Facebook’s
23
unique position to monitor Plaintiffs’ and Class Members’ behavior through its access to Plaintiffs’
24
and Class Members’ user data. It is further supported by the surreptitious, highly technical, and
25
non-intuitive nature of Defendants’ collective tracking and exfiltrating of Plaintiffs’ and Class
26
Members’ personal data, via third party apps that Plaintiffs and Class Members did not download,
27
much less provide authorization for such behavior.
28
52 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 54 of 57
1 201. Defendants intentionally intruded on and into Plaintiffs’ and Class Members’
2 solitude, seclusion, or private affairs. Facebook intentionally designed its platform—and
3 established commensurate policies and procedures governing such platform—to enable the
4 exfiltration, without authorization, of Plaintiffs’ and Class Members’ personal data by third-party
5 apps such as “ThisIsYourDigitalLife.” Defendants intentionally availed themselves of Facebook’s
6 privacy-invasive measures in order to acquire Plaintiffs’ and Class Members’ personal data
7 without consent.
8 202. These intrusions are highly offensive to a reasonable person. This is evidenced by,
9 inter alia, the immense outcry following the revelation of these acts and practices—not only from
10 the public, but also from regulators and legislators. Further, the extent of the intrusion cannot be
11 fully known, as the nature of privacy invasion involves sharing Plaintiffs’ and Class Members’
12 personal information with potentially countless third-parties, known and unknown, for undisclosed
13 and potentially unknowable purposes, in perpetuity. Also supporting the highly offensive nature
14 of Defendants’ conduct is the fact that Defendants’ principal goal was to surreptitiously monitor
15 Plaintiffs’ and Class Members—in one of the most private spaces available to an individual in
16 modern life—and to allow third-parties to do the same.
17 203. Plaintiffs and Class Members were harmed by the intrusion into their private affairs
18 as detailed throughout this Complaint.
19 204. Defendants’ actions and conduct complained of herein were a substantial factor in
20 causing the harm suffered by Plaintiffs and Class Members.
21 205. As a result of Defendants’ actions, Plaintiffs and Class Members seek injunctive
22 relief, in the form of (1) destruction of all data obtained by Cambridge Analytica; (2) certification
23 by Facebook that no third parties presently are able to access Plaintiffs’ and Class members’ user
24 data without first obtaining express consent; (3) audits, by Facebook, of all third parties who
25 obtained user data through the “friends permissions” feature; (4) notification, by Facebook to
26 Plaintiffs and Class members, of each instance in which a third party obtained user data—including
27
28
53 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 55 of 57
1 the type of user data—via the “friends permissions” feature; and, (5) destruction of all improperly
2 obtained user data of Plaintiffs and Class members.
3 206. As a result of Defendants’ actions, Plaintiffs and Class members seek nominal and
4 punitive damages in an amount to be determined at trial. Plaintiffs and Class members seek
5 punitive damages because Defendants’ actions—which were malicious, oppressive, willful—were
6 calculated to injure Plaintiffs and made in conscious disregard of Plaintiffs’ rights. Punitive
7 damages are warranted to deter Defendants from engaging in future misconduct.
8 COUNT EIGHT
9
Declaratory Relief Pursuant to 28 U.S.C. § 2201
10
207. Plaintiffs incorporate all of the above allegations by reference as if fully set forth
11
herein.
12
208. An actual controversy, over which this Court has jurisdiction, has arisen and now
13
exists between the parties relating to the legal rights and duties of Plaintiffs and Defendants for
14
which Plaintiffs desire a declaration of rights.
15
209. Plaintiffs contend and Defendants dispute that Defendants, in whole or in part, were
16
authorized by Plaintiffs and Class Members to acquire user data via the “friends permissions”
17
functionality without the express consent, from each developer, of all users whose personal data
18
was thereby acquired.
19
210. Plaintiffs, on behalf of themselves and the Class, are entitled to a declaration that
20
Defendants were not so authorized through their contracts with Facebook, and accordingly that
21
Defendants’ behavior violated the Stored Communications Act, CIPA, the UCL, and Plaintiffs’
22
common law claims.
23
COUNT NINE
24
Conversion
25
26 211. Plaintiffs incorporate all of the above allegations by reference as if fully set forth
27 herein.
28
54 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 56 of 57
1 212. Plaintiffs and Class Members were the owners and possessors of their private
2 information. As the result of Defendants’ wrongful conduct, Defendants have interfered with the
3 Plaintiffs’ and Class Members’ rights to possess and control such property, to which they had a
4 superior right of possession and control at the time of conversion.
5 213. As a direct and proximate result of Defendants’ conduct, Plaintiffs and the Class
6 Members suffered injury, damage, loss or harm and therefore seek compensatory damages.
7 214. In converting Plaintiffs’ Private Information, Defendants have acted with malice,
8 oppression and in conscious disregard of the Plaintiffs’ and Class Members’ rights. Plaintiffs,
9 therefore, seek an award of punitive damages on behalf of the class.
10 VI. PRAYER FOR RELIEF
11
WHEREFORE, Plaintiffs, individually and on behalf of the other Class members,
12
respectfully request that this Court enter a judgment against Defendants as follows:
13
(a) Certifying the Nationwide Class and appointing Plaintiffs as Class
14 Representatives;
15 (b) Finding that Defendants’ conduct was negligent, deceptive, unfair, and
unlawful as alleged herein;
16
22 (f) Awarding Plaintiffs and the Class members restitution and disgorgement;
23 (g) Awarding Plaintiffs and the Class members pre-judgment and post-judgment
interest;
24
(h) Awarding Plaintiffs and the Class members reasonable attorneys’ fees costs
25 and expenses, and;
26 (i) Granting such other relief as the Court deems just and proper.
27
28
55 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO
Case 3:18-cv-02090-WHO Document 19 Filed 04/27/18 Page 57 of 57
2 Plaintiffs, individually and on behalf of all others similarly situated, demand a trial by jury
6
/s/ Will Lemkul
7 Will Lemkul (State Bar No. 219061)
MORRIS, SULLIVAN & LEMKUL, LLP
8 9915 Mira Mesa Boulevard, Suite 300
9 San Diego, CA 92131
Telephone: (858) 566-7600
10 Facsimile: (858) 566-6602
Email: [email protected]
11
12
/s/ Jodi Westbrook Flowers
13 Jodi Westbrook Flowers, pro hac vice forthcoming
Ann Ritter, pro hac vice forthcoming
14 Fred Baker, pro hac vice forthcoming
Kimberly Barone Baden (207731)
15 Andrew Arnold, pro hac vice forthcoming
Annie Kouba, pro hac vice forthcoming
16
MOTLEY RICE LLC
17 28 Bridgeside Boulevard
Mount Pleasant, SC 29464
18 Telephone: (843) 216-9000
Facsimile: (843) 216-9450
19 Email: [email protected]
Email: [email protected]
20
Email: [email protected]
21 Email: [email protected]
Email: [email protected]
22 Email: [email protected]
23 Attorneys for Plaintiffs and the proposed class
24
25
26
27
28
56 AMENDED COMPLAINT
CASE NO.: 3:18-CV-02090-WHO