Bass v. Facebook, Inc.

          ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS

          WILLIAM ALSUP UNITED STATES DISTRICT JUDGE.

         INTRODUCTION

         In this data-breach putative class action, defendant Facebook, Inc. moves to dismiss the consolidated complaint pursuant to Rule 12(b)(1) and Rule 12(b)(6). The motion to dismiss is Granted in Part and Denied in part.

         STATEMENT

         1. Facebook, inc.

         Defendant Facebook, Inc. operates an online social network where users stay in touch with family and friends, share their thoughts, and connect with each other (Dkt. No. 76 ¶¶ 1, 9-11). This primarily happens on the user's “Timeline” - a space to share experiences by posting various forms of content, such as comments, photos, and videos (Bream Decl. ¶¶ 7, 8). Facebook's platform is widely used throughout the world. Facebook has approximately 2.2 billion users and an annual revenue of $40.65 billion (Dkt. No. 76 ¶¶ 1, 11).

         Facebook primarily generates its revenue by monetizing its users' information. None of its 2.2 billion users pay Facebook money (id. ¶ 10). Instead, approximately 96% of Facebook's revenue “originate[s] from the sale of targeted advertising based on the extensive data Facebook collects, analyzes, and maintains about its users” (id. ¶ 11). In addition, the collected information enables the platform technology to operate (id. ¶¶ 26, 28, 32).

         At minimum, Facebook requires every user to share their “name, email address or mobile phone number, date of birth, and gender” (id. ¶ 26). In full, however, Facebook purportedly collects a much broader set of data, including:

all posts, photos and videos, all replies, likes and reactions, all friends and friend history, all games, every “follow” including individuals, event, activity, service, application, group, web sites, advertisements, all followers of the same, all messages exchanges, event RSVPs, all profile information (username, devices, authentication methods, recoverable email accounts and credentials, encryption settings, phone numbers, challenge response information, biometric information and settings, birth date, major events, employment, education, education history, personal preferences, “about me, ” religion and political preferences, work history, book preferences, fitness data, news feed preferences, musical preferences), GPS locations where messages, photos, and posts were made, all “pokes, ” all advertisements, all calls and messages and associated event logs, and all security and login information including all devices used to access Facebook.

(id. ¶ 126).

         The collection and maintenance of all this information has impelled Facebook to provide some transparency as to its data-protection practices. To this end, two separate links posted on the website, entitled “Data Policy” and “Privacy Basics” contain representations as to what data are collected, what data are shared, and with whom (id. ¶¶ 38, 44). The links also include certain representations such as “Privacy Principles” where Facebook asserts “[w]e design privacy into our products from the outset, ” “[w]e work around the block [sic] to help protect people's accounts, ” and “[w]e are accountable” (id. ¶ 44).

         Nevertheless, Facebook users' private information has not been protected. In 2007, Facebook's then-57 million users settled a class action suit which arose from Facebook's “privacy” practices for $9.5 million. The following year, Facebook exposed the birthdays of roughly 80 million users (id. ¶¶ 11, 47-50). Then, in 2011, Facebook settled with the Federal Trade Commission over charges that it had deceived users by “telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public” (id. ¶ 54 n.32) (quoting Facebook Settles FTC Charges that it Deceived Consumers by Failing to Keep Privacy Promises, The Fed. Trade Comm'n (Nov. 29, 2011), https://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-ftc-charges-it-deceive dconsumers-failing-keep). More recently, in 2015, the world learned that Cambridge Analytica had misused personal data from Facebook to generate targeted political advertisements. Facebook's relationship with Cambridge Analytica led to a political uproar. All this preceded the instant suit (Dkt. No. 76 ¶¶ 48, 58).

         2. Access Tokens

         “Access tokens” star in the instant data breach. When a Facebook user logs into Facebook with a specific username and password, that user can conveniently access Facebook again without being forced to re-enter that information. This ease-of-access is facilitated by the “access token” generated by Facebook for that user upon his or her first log-in. The access token operates as an automatic super password - an electronic object embedded with all of a users' security information - which allows a user to log in numerous times without typing out their username and password each time. Many companies, not just Facebook, use this tool to reduce barriers between the user and the online platform thereby increasing ease-of-access and efficiency (id. ¶¶ 81-83).

         Facebook's access tokens, however, carry specific value. As stated in the consolidated complaint:

[o]nce a malicious actor is able to gain access to and compromise that user's access token, Facebook's lack of security and safeguards allowed that malicious actor to then use that access token to gain access to and compromise all tokens from that user's shared or connected web applications (i.e., those applications that utilize the “Facebook Login” system, such as Microsoft Azure cloud platform, SalesForce, etc.). Worse, that malicious actor could then reset all user permissions, passwords, and other safeguards (such as two-factor authentication) not only in Facebook, but also any third-party accounts that utilize Facebook's authentication login features and do so in such a manner that the user is not provided an alert or any other notification. From there, the malicious actor can syphon [sic] PII and other personal data from those accounts without hindrance. To prevent unauthorized users from eavesdropping, there is free software to validate the data transferred between the client browser and the application servers. Most hackers also utilize the free software as a simple method to detect and identify easy areas of exploit.

(Id. ¶ 110) (emphasis added).

         Put simply, once a Facebook user's access token is compromised, all tokens from the user's shared or connected web applications (like Skype and Uber) purportedly become accessible. In addition, anyone with access to the token can reset all other user data permissions and steal the tokens of all connected applications without alerting the original user. Facebook's access tokens are allegedly the key to a breathtaking amount of online access (id. ¶¶ 99-101, 109).

         Importantly, standard industry practice is for companies to limit the lifespan of the tokens. By contrast, Facebook allegedly designed its access tokens to never expire (id. ¶¶ 83, 106-109). With this background in tow, this order now turns to the events at issue.

         3. The Data Breach

         On September 14, 2018, Facebook discovered it had a coding vulnerability related to its “View As” feature. The vulnerability revealed users' access tokens. Hackers accordingly stole the access tokens for 69, 000 users. This led to the theft of a narrow set of information for 15 million worldwide users (2.7 million United States users) and a more comprehensive set of information for 14 million worldwide users (1.2 million United States users) (id. ¶¶ 84, 95).

         The hacking began sometime after July 2017. The specific source of the vulnerability related to the internal coding of Facebook's “View As” feature. This feature permitted users to see what their own “Timeline” looked like to other users (id. ¶¶ 3, 88, 91, 94). To illustrate, if a teenage user wanted to see his own account from the perspective of his parents' account, the teenager would utilize this “View As” feature on his own account to “view” the account “as” his parents. This would enable the teenager to see firsthand what information his parents could and could not see on the teenager's account.

         Momentarily stepping outside the consolidated complaint, Facebook has provided a declaration with step-by-step information of how the attack took place. Per the declaration, when a user's “Timeline” would be accessed in the “View As” mode, an access token of the other user would generate in the Hypertext Markup Language (“HTML”) of the web page. The HTML is the part of the webpage that says “www.Facebook.com.” So, when the teenager viewed his account through the eyes of his parents' account, his parents' access token generated in the part of the webpage that says “www.Facebook.com.” These attackers could then utilize the parents' access token to access the parents' account and repeat the identical process with the parents' friends. Ultimately, per Facebook's declaration, approximately 69, 000 user accounts had their full accounts accessed through this vulnerability (Bream Decl. ¶¶ 12, 14).

         This vulnerability did not occur every time a user utilized the “View As” feature. Rather, the vulnerability only materialized if two additional (somewhat random) conditions were satisfied. First, the teenager's birthday had to be visible on the “Timeline.” Second, at least three other users had to have posted birthday messages on that “Timeline” (id. ¶¶ 13, 14).

         Significantly, the vulnerability allowed for access tokens to be generated only if the “seed user” (the teenager) met the conditions described above. Accordingly, even if one user was vulnerable, not every account linked was also vulnerable (id. ¶ 16). To illustrate, if the teenager had his birthday visible on his “Timeline” and had three friends wish him happy birthday on his “Timeline, ” then his parents' access token would be generated when the teenager viewed his account through the eyes of his parents' account. With the parents' access token in hand, the attackers could then turn to the parents' account and treat that account as a new seed user account. If, however, the parents' account did not have a birthday visible on their own “Timeline, ” the access tokens to the parents' friends' accounts would not be revealed. This would end that branch of the access-token collection tree.

         The information taken in the attack did not end with these 69, 000 users. Facebook connects users to each other. This means that once accounts have been connected to each other as “friends” on Facebook, one user can see another user's information. Once the attackers compromised the access tokens to an account, account-information associated with connected accounts could be culled as well. This resulted in 29 million users (approximately 4 million users in the United States) having information taken in this data breach, according to Facebook (id. ¶ 9).

         These 29 million users can be divided into two groups. The first group comprises of approximately 15 million users (2.7 million users in the United States). For these users, the attackers obtained solely the user's name and basic contact information (phone number and/or email addresses, depending on which users had chosen to provide to Facebook) (id. ¶ 11.c.).

         The second group comprises of approximately 14 million users (1.2 million users in the United States). For these users, in addition to the information listed for the first group, the hackers also obtained the username, gender, date of birth, and (if users had chosen to share it) workplace, education, relationship status, religious views, hometown, self-reported current city, website, the user's locale/language, the types of devices used to access Facebook, the last ten places the user “checked into” or was “tagged” in on Facebook, the people or pages that the user “followed” on Facebook, and the user's fifteen most recent searches using the Facebook search bar (id. ¶ 11.d.).

         5. This Action

         Facebook first became aware of a potential data breach on September 14, 2018. Facebook's engineering team isolated the security flaws on September 25, 2018. Facebook notified potentially affected users on September 28, 2018. Facebook then purportedly invalidated the access tokens of over 90 million accounts that were potentially impacted by the vulnerability and effected a “forced logout” which “requir[ed] [users] to reenter their passwords” to access their accounts (Dkt. No. 76 ¶¶ 84-87, 91-92).

         After the breach had been publically announced, eleven separate lawsuits were filed against Facebook. These lawsuits generally alleged that Facebook failed to adequately protect its users' accounts. A public tutorial on the issue of personal information in the context of data breaches proceeded in the district court. The eleven actions were then consolidated and an amended consolidated complaint was filed (Dkt. Nos. 67, 76). Five named plaintiffs filed the consolidated complaint. Except for one original named plaintiff, every named plaintiff who had not filed the consolidated complaint voluntarily withdrew without prejudice (Dkt. Nos. 87-94).

         The consolidated complaint asserted ten claims on behalf of a class of Facebook users in the United States “whose [personal identifiable information] was compromised in the data breach announced by Facebook on September 28, 2018” (id. ¶¶ 13, 179). Those ten claims are: (i) breach of contract; (ii) breach of implied contract; (iii) breach of implied covenant of good faith and fair dealing; (iv) quasi-contract for non-restitutionary damages; (v) negligence; (vi) negligence per se; (vii) violation of ...