Facebook Faces Lawsuit in California Over User Privacy

Photo credit: dolphfyn/Shutterstock.com

Key to the complaint is Facebook's alleged practice of scanning private messages rather than just the public postings. "All of Facebook’s activities complained of herein," says the complaint, "are performed without users’ consent. Instead, to increase users’ comfort with the website and, thereby, increase the amount of information they share, the Company makes assurances of user control over privacy settings and messaging options. These assurances affirmatively state that only senders and intended recipients are privy to the contents of their nonpublic communications. In reality, Facebook never intended to provide this level of confidentiality. Instead, Facebook mines any and all transmissions across its network, including those it labels 'private,' in order to gather any and all morsels of information it can about its users."

As evidence, the complainants cite research undertaken by Swiss firm High-Tech Bridge (HTB) in August 2013. HTB tested fifty of the major social networks and webmail providers: it "used a dedicated web server and generated a secret URL for each of the Web Services. HTB then used the private messaging function of each of the Web Services, embedding a unique URL in each message." By monitoring the logs of that server, HTB could tell which of the service providers had scanned the messages and fetched the embedded URLs: because each URL was secret and unique to one service, any request for it could only have originated from that service's systems.
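The canary-URL check HTB describes, as an added example that is not HTB's own tooling: each service under test is given its own unguessable URL path, and hits in the dedicated server's access log are attributed back to the service whose private message carried that path. The service names, tokens and combined-format log lines below are constructed for illustration.

```python
import re
import secrets
from collections import defaultdict

# Combined log format: ip ident user [ts] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def generate_canaries(services, token_bytes=16):
    """Return {secret_path: service}. The path must be unguessable (not a counter or
    service name), so that only something that read the message could know it."""
    return {f"/c/{secrets.token_urlsafe(token_bytes)}": svc for svc in services}

def attribute_fetches(log_lines, canaries):
    """Map every request for a canary path back to the service that received it,
    keeping the source IP, user-agent and timestamp as evidence."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line, ignore
        path = m.group("path").split("?", 1)[0]  # strip any query string a fetcher appends
        svc = canaries.get(path)
        if svc is None:
            continue  # background scanner noise, not one of our canaries
        hits[svc].append({"ip": m.group("ip"), "ua": m.group("ua"), "ts": m.group("ts")})
    return dict(hits)

def scanning_services(log_lines, canaries):
    """Sorted list of services that fetched their canary, i.e. that read the private message."""
    return sorted(attribute_fetches(log_lines, canaries))

# Constructed fixtures: three placeholder services and a few access-log lines.
CANARIES = {"/c/tok-svc-a": "service-a", "/c/tok-svc-b": "service-b", "/c/tok-svc-c": "service-c"}
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Jan/2014:10:01:02 +0000] "GET /c/tok-svc-a HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"',
    '198.51.100.7 - - [20/Jan/2014:10:03:15 +0000] "GET /c/tok-svc-c?ref=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"',
    '192.0.2.9 - - [20/Jan/2014:10:05:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "curl/7.35.0"',
]

if __name__ == "__main__":
    for svc, evidence in attribute_fetches(SAMPLE_LOG, CANARIES).items():
        print(svc, "fetched its canary:", evidence)
```

A fetch proves only that the service's infrastructure retrieved the link, not what it did with the content afterwards; that distinction is exactly the one the complaint and Cluley's defence argue over.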

"Facebook was one of the Web Services that was caught scanning URLs despite such activity remaining undisclosed to the user," says the complaint. The accusation is that this is done covertly, specifically to gather as much personal data as possible and so enrich the personal profiles that Facebook can 'sell' to advertisers.

Facebook has said that the case is 'without merit.' "We believe the allegations are without merit and we will defend ourselves vigorously," said a Facebook spokesperson.

The company is not without support. Security expert Graham Cluley blogged this morning, "I don’t see anything necessarily wrong in principle with online services automatically scanning messages between individuals, and examining the links that they are sharing." He does suggest that Facebook needs to be clear about what it is doing, but adds, "if you didn’t properly scan and check links there’s a very real risk that spam, scams, phishing attacks, and malicious URLs designed to infect recipients’ computers with malware could run rife."

But equally the practice is not without its critics. In August 2013 privacy consultant Alexander Hanff detected the same practice in Twitter. He blogged at the time, "If they wanted to check whether or not a URL is malicious they should use the many freely available databases designed explicitly for that purpose. It is both more cost effective - generates far less data traffic which they have to pay for; and more technically efficient - uses far less resources and time to do a simple database query than it does to download and parse a web page, analyze that page with heuristic algorithms and then add it to their own database. Also it is debatable that they could accurately determine whether or not a URL is safe using heuristic algorithms - most of the databases I know of are supported by wide peer review."

Nevertheless, in the end, this case may prove similar to an earlier one settled in August last year. At that time Facebook agreed to pay $20 million compensation to users who had their 'likes' included in third-party advertisements without their prior knowledge or approval. Facebook was not required to change this practice, only to reword its privacy policy to make it clear to users that it would or might happen.
