United States District Court, N.D. California
WILLIAM BASS JR., an individual and California resident, and STEPHEN ADKINS, an individual and Michigan resident, on behalf of themselves and all others similarly situated, Plaintiffs,
v.
FACEBOOK, INC., Defendant.
ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS
WILLIAM ALSUP UNITED STATES DISTRICT JUDGE.
INTRODUCTION
In this data-breach putative class action, defendant Facebook, Inc.
moves to dismiss the consolidated complaint pursuant to Rule
12(b)(1) and Rule 12(b)(6). The motion to dismiss is
GRANTED IN PART and DENIED IN PART.
STATEMENT
1. Facebook, Inc.
Defendant Facebook, Inc. operates an online social network where users
stay in touch with family and friends, share their thoughts,
and connect with each other (Dkt. No. 76 ¶¶ 1,
9-11). This primarily happens on the user's
“Timeline” - a space to share experiences by
posting various forms of content, such as comments, photos,
and videos (Bream Decl. ¶¶ 7, 8). Facebook's
platform is widely used throughout the world. Facebook has
approximately 2.2 billion users and an annual revenue of
$40.65 billion (Dkt. No. 76 ¶¶ 1, 11).
Facebook primarily generates its revenue by monetizing its users'
information. None of its 2.2 billion users pay Facebook money
(id. ¶ 10). Instead, approximately 96% of
Facebook's revenue “originate[s] from the sale of
targeted advertising based on the extensive data Facebook
collects, analyzes, and maintains about its users”
(id. ¶ 11). In addition, the collected
information enables the platform technology to operate
(id. ¶¶ 26, 28, 32).
At minimum, Facebook requires every user to share their
“name, email address or mobile phone number, date of
birth, and gender” (id. ¶ 26). In full,
however, Facebook purportedly collects a much broader set of
data, including:
all posts, photos and videos, all replies, likes and
reactions, all friends and friend history, all games, every
“follow” including individuals, event, activity,
service, application, group, web sites, advertisements, all
followers of the same, all messages exchanges, event RSVPs,
all profile information (username, devices, authentication
methods, recoverable email accounts and credentials,
encryption settings, phone numbers, challenge response
information, biometric information and settings, birth date,
major events, employment, education, education history,
personal preferences, “about me,” religion and
political preferences, work history, book preferences,
fitness data, news feed preferences, musical preferences),
GPS locations where messages, photos, and posts were made,
all “pokes,” all advertisements, all calls and
messages and associated event logs, and all security and
login information including all devices used to access
Facebook.
(id. ¶ 126).
The collection and maintenance of all this information has
impelled Facebook to provide some transparency as to its
data-protection practices. To this end, two separate links
posted on the website, entitled “Data Policy” and
“Privacy Basics” contain representations as to
what data are collected, what data are shared, and with whom
(id. ¶¶ 38, 44). The links also include
certain representations such as “Privacy
Principles” where Facebook asserts “[w]e design
privacy into our products from the outset,”
“[w]e work around the block [sic] to help protect
people's accounts,” and “[w]e are
accountable” (id. ¶ 44).
Nevertheless, Facebook users' private information has not been
protected. In 2007, Facebook's then-57 million users
settled a class action suit which arose from Facebook's
“privacy” practices for $9.5 million. The
following year, Facebook exposed the birthdays of roughly 80
million users (id. ¶¶ 11, 47-50). Then, in
2011, Facebook settled with the Federal Trade Commission over
charges that it had deceived users by “telling them
they could keep their information on Facebook private, and
then repeatedly allowing it to be shared and made
public” (id. ¶ 54 n.32) (quoting
Facebook Settles FTC Charges that it Deceived Consumers
by Failing to Keep Privacy Promises, The Fed. Trade
Comm'n (Nov. 29, 2011),
https://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-ftc-charges-it-deceived-consumers-failing-keep).
More recently, in 2015, the world
learned that Cambridge Analytica had misused personal data
from Facebook to generate targeted political advertisements.
Facebook's relationship with Cambridge Analytica led to a
political uproar. All this preceded the instant suit (Dkt.
No. 76 ¶¶ 48, 58).
2. Access Tokens
“Access tokens” star in the instant data breach. When a
Facebook user logs into Facebook with a specific username and
password, that user can conveniently access Facebook again
without being forced to re-enter that information. This
ease-of-access is facilitated by the “access
token” generated by Facebook for that user upon his or
her first log-in. The access token operates as an automatic
super password - an electronic object embedded with all of a
user's security information - which allows a user to log
in numerous times without typing out their username and
password each time. Many companies, not just Facebook, use
this tool to reduce barriers between the user and the online
platform thereby increasing ease-of-access and efficiency
(id. ¶¶ 81-83).
Facebook's access tokens, however, carry specific value. As stated in
the consolidated complaint:
[o]nce a malicious actor is able to gain access to and
compromise that user's access token, Facebook's lack
of security and safeguards allowed that malicious actor to
then use that access token to gain access to and compromise
all tokens from that user's shared or connected web
applications (i.e., those applications that utilize the
“Facebook Login” system, such as Microsoft Azure
cloud platform, SalesForce, etc.). Worse, that malicious
actor could then reset all user permissions, passwords, and
other safeguards (such as two-factor authentication) not
only in Facebook, but also any third-party accounts that
utilize Facebook's authentication login features and do
so in such a manner that the user is not provided an alert or
any other notification. From there, the malicious actor
can syphon [sic] PII and other personal data from those
accounts without hindrance. To prevent unauthorized users
from eavesdropping, there is free software to validate the
data transferred between the client browser and the
application servers. Most hackers also utilize the free
software as a simple method to detect and identify easy areas
of exploit.
(Id. ¶ 110) (emphasis added).
Put simply, once a Facebook user's access token is
compromised, all tokens from the user's shared or
connected web applications (like Skype and Uber) purportedly
become accessible. In addition, anyone with access to the
token can reset all other user data permissions and steal the
tokens of all connected applications without alerting the
original user. Facebook's access tokens are allegedly the
key to a breathtaking amount of online access (id.
¶¶ 99-101, 109).
Importantly, standard industry practice is for companies to limit the
lifespan of the tokens. By contrast, Facebook allegedly
designed its access tokens to never expire (id.
¶¶ 83, 106-109). With this background in tow, this
order now turns to the events at issue.
3. The Data Breach
On September 14, 2018, Facebook discovered it had a coding
vulnerability related to its “View As” feature.
The vulnerability revealed users' access tokens. Hackers
accordingly stole the access tokens for 69,000 users. This
led to the theft of a narrow set of information for 15
million worldwide users (2.7 million United States users) and
a more comprehensive set of information for 14 million
worldwide users (1.2 million United States users)
(id. ¶¶ 84, 95).
The hacking began sometime after July 2017. The specific source
of the vulnerability related to the internal coding of
Facebook's “View As” feature. This feature
permitted users to see what their own “Timeline”
looked like to other users (id. ¶¶ 3, 88,
91, 94). To illustrate, if a teenage user wanted to see his
own account from the perspective of his parents' account,
the teenager would utilize this “View As” feature
on his own account to “view” the account
“as” his parents. This would enable the teenager
to see firsthand what information his parents could and could
not see on the teenager's account.
Momentarily stepping outside the consolidated complaint, Facebook has
provided a declaration with step-by-step information of how
the attack took place. Per the declaration, when a user's
“Timeline” would be accessed in the “View
As” mode, an access token of the other user
would generate in the Hypertext Markup Language
(“HTML”) of the web page. The HTML is the part of
the webpage that says “www.Facebook.com.” So,
when the teenager viewed his account through the eyes of his
parents' account, his parents' access token generated
in the part of the webpage that says
“www.Facebook.com.” These attackers could then
utilize the parents' access token to access the
parents' account and repeat the identical process with
the parents' friends. Ultimately, per Facebook's
declaration, approximately 69,000 user accounts had their
full accounts accessed through this vulnerability (Bream
Decl. ¶¶ 12, 14).
This vulnerability did not occur every time a user utilized the
“View As” feature. Rather, the vulnerability only
materialized if two additional (somewhat random) conditions
were satisfied. First, the teenager's birthday
had to be visible on the “Timeline.”
Second, at least three other users had to have
posted birthday messages on that “Timeline”
(id. ¶¶ 13, 14).
Significantly, the vulnerability allowed for access tokens to be generated
only if the “seed user” (the teenager) met the
conditions described above. Accordingly, even if one user was
vulnerable, not every account linked was also vulnerable
(id. ¶ 16). To illustrate, if the teenager had
his birthday visible on his “Timeline” and had
three friends wish him happy birthday on his “Timeline,”
then his parents' access token would be generated
when the teenager viewed his account through the eyes of his
parents' account. With the parents' access token in
hand, the attackers could then turn to the parents'
account and treat that account as a new seed user account.
If, however, the parents' account did not have a birthday
visible on their own “Timeline,” the access
tokens to the parents' friends' accounts would not be
revealed. This would end that branch of the access-token
collection tree.
The information taken in the attack did not end with these 69,000
users. Facebook connects users to each other. This means
that once accounts have been connected to each other as
“friends” on Facebook, one user can see another
user's information. Once the attackers compromised the
access tokens to an account, account-information associated
with connected accounts could be culled as well. This
resulted in 29 million users (approximately 4 million users
in the United States) having information taken in this data
breach, according to Facebook (id. ¶ 9).
These 29 million users can be divided into two groups. The first
group comprises approximately 15 million users (2.7
million users in the United States). For these users, the
attackers obtained solely the user's name and basic
contact information (phone number and/or email addresses,
depending on which users had chosen to provide to Facebook)
(id. ¶ 11.c.).
The second group comprises approximately 14 million users (1.2
million users in the United States). For these users, in
addition to the information listed for the first group, the
hackers also obtained the username, gender, date of birth,
and (if users had chosen to share it) workplace, education,
relationship status, religious views, hometown, self-reported
current city, website, the user's locale/language, the
types of devices used to access Facebook, the last ten places
the user “checked into” or was
“tagged” in on Facebook, the people or pages that
the user “followed” on Facebook, and the
user's fifteen most recent searches using the Facebook
search bar (id. ¶ 11.d.).
5. This Action
Facebook first became aware of a potential data breach on September
14, 2018. Facebook's engineering team isolated the
security flaws on September 25, 2018. Facebook notified
potentially affected users on September 28, 2018. Facebook
then purportedly invalidated the access tokens of over 90
million accounts that were potentially impacted by the
vulnerability and effected a “forced logout”
which “requir[ed] [users] to reenter their
passwords” to access their accounts (Dkt. No. 76
¶¶ 84-87, 91-92).
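The token lifespan limit and the forced logout described in this order, sketched as an added example that is not part of the order and is not Facebook's code: a signed access token that carries an expiry, checked against a per-user server-side cutoff that invalidates every earlier token at once. The key, the one-hour lifetime and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed sample key (assumption)
TOKEN_TTL = 3600                  # assumed token lifetime: one hour
revoked_at = {}                   # user -> time of that user's last forced logout

def _sign(body: bytes) -> bytes:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()

def issue_token(user: str, now: int) -> str:
    """Issue a signed token that records when it was issued and when it expires."""
    claims = {"sub": user, "iat": now, "exp": now + TOKEN_TTL}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body.decode() + "." + _sign(body).decode()

def validate_token(token: str, now: int):
    """Return the user id for an authentic, unexpired, unrevoked token, else None."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(body.encode())):
        return None  # forged or tampered token
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return None  # malformed payload
    if now >= claims["exp"]:
        return None  # lifespan limit: a stolen token stops working on its own
    if claims["iat"] <= revoked_at.get(claims["sub"], -1):
        return None  # issued before the forced logout: user must log in again
    return claims["sub"]

def force_logout(users, now: int) -> None:
    """Invalidate every token issued so far for the given users."""
    for user in users:
        revoked_at[user] = now
```

A token that never expires has no `exp` check to fail, so the revocation cutoff is the only control that can stop it after theft.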
After the breach had been publicly announced, eleven separate
lawsuits were filed against Facebook. These lawsuits
generally alleged that Facebook failed to adequately protect
its users' accounts. A public tutorial on the issue of
personal information in the context of data breaches
proceeded in the district court. The eleven actions were then
consolidated and an amended consolidated complaint was filed
(Dkt. Nos. 67, 76). Five named plaintiffs filed the
consolidated complaint. Except for one original named
plaintiff, every named plaintiff who had not filed the
consolidated complaint voluntarily withdrew without prejudice
(Dkt. Nos. 87-94).
The consolidated complaint asserted ten claims on behalf of a
class of Facebook users in the United States “whose
[personal identifiable information] was compromised in the
data breach announced by Facebook on September 28,
2018” (id. ¶¶ 13, 179). Those ten
claims are: (i) breach of contract; (ii) breach of implied
contract; (iii) breach of implied covenant of good faith and
fair dealing; (iv) quasi-contract for non-restitutionary
damages; (v) negligence; (vi) negligence per se; (vii)
violation of ...