During his career as a litigator, David A. Straite has sued money-losing hedge funds and polluting solar-panel makers. These days he has a new hunting ground: the Internet.
Over the last eight months, Straite, a partner at Stewarts Law, headquartered in London, has sued AT&T, Samsung, Facebook, and Google, alleging that the companies violated U.S. wiretapping laws and committed computer fraud when they tracked users on the Web or via their smart phones in ways that broke the companies’ own privacy policies.
Straite specializes in class action cases, in which lawyers sue on behalf of thousands, even millions, of people affected by malfunctioning products or corporate misdeeds. It’s the same type of lawsuit used to go after asbestos factories, tobacco firms, and makers of faulty medical devices. Attorneys now see the privacy stumbles of Internet firms as a new area ripe for litigation and fat settlements.
“There is a mushrooming number of cases,” says Todd Ruback, head of privacy and technology at the law firm DiFrancesco Bateman. “A decade ago privacy was a distant worry among CEOs and boards of directors, but now it’s a full-blown hurricane.”
Tech companies including Microsoft, LinkedIn, and Zynga recognize that they face a dangerous situation. Some have begun revising user agreements so that the users relinquish their right to sue, or have even filed briefs at the Supreme Court in hopes of swaying opinion against such lawsuits. But as the public’s mood has shifted against technology firms on privacy questions, many companies would rather settle out of court than face a jury. This month, Facebook agreed to shell out $20 million to settle a lawsuit over its use of members’ faces in online ads.
By punishing companies that mishandle personal data, lawsuits might benefit consumers. Just the same, the spread of litigation threatens to damp innovation in Silicon Valley. In 2010, for instance, Netflix cancelled the planned sequel to a $1 million public prize for movie recommendation software after lawyers sued it for accidentally releasing rental records that could be traced to individual consumers.
Legal risks around privacy are creating entire new industries. So-called cyber insurance, which protects against the economic fallout from viruses, data loss, and other electronic mishaps, is now the fastest-growing type of insurance coverage in the United States, according to the insurance broker Marsh. Meanwhile, the International Association of Privacy Professionals—a trade group devoted to a field barely recognized a few years back—recently celebrated its 10,000th member.
Regulations are also multiplying. The Securities and Exchange Commission last year told public companies they must report “cyber incidents” to investors. And since 2002, in an effort to cut down on identity theft, 49 U.S. states and territories have passed laws requiring companies that lose personal data—by accident or to hackers—to alert consumers and local authorities.
All that has made it easier for lawyers to develop cases. “For the big breaches, we’re seeing the class actions start within 24 hours,” says Bob Parisi, a senior vice president at Marsh.
For instance, after hackers made off with 6.5 million passwords from the social network LinkedIn in June, lawyers were quick to file a $5 million suit claiming the company was negligent. Such cases, however, have faced a key obstacle: it is often hard to show that anyone has actually been hurt, or suffered what the law books call “injury in fact.” If lawyers can’t find victims of privacy violations, judges will dismiss their cases.
Lately, in a development that worries Internet companies, some courts have begun to signal a looser standard for letting trials proceed. In one case involving a lost laptop containing the Social Security numbers and names of 97,000 Starbucks employees, the Ninth Circuit Court of Appeals said the workers could sue because of the mere “threat” of identity theft.
That ruling has contributed to a “marked uptick” in litigation and in settlements, according to Parisi. “If the company really screwed up, they don’t want to go to court and air that dirty laundry,” he says.
In his latest case against Facebook, now before a federal judge, Straite is asking for $15 billion in damages—nearly as much as that company raised in its recent IPO. The lawsuit hinges on the social network’s alleged use of browser cookies to track users even when they were logged out. According to Straite, that was a violation of the federal Wiretap Act, just as if you had listened in on a neighbor’s phone calls.
Conveniently, that wiretap law provides for “statutory damages” of $100 per violation per user per day. That means it’s possible to win money if the law was broken; no need to prove that Facebook’s actions actually hurt anyone. Straite arrived at the towering $15 billion damage figure by multiplying a single day’s penalty by Facebook’s 150 million U.S. users.
“But this is not just about the money,” says the lawyer. “It’s about the extent to which people have or have not consented to being tracked around the Web.”
Facebook didn’t reply to a request for comment. But it sees danger in letting class actions gain steam. Along with other tech companies, including LinkedIn, Facebook filed a brief last August to the U.S. Supreme Court in a related case. It called lawsuits by people who “have suffered no harm or injury whatsoever” a blatant attempt at “manipulating the system to extort settlement payments.”
Other tech companies are also maneuvering to forestall lawsuits. This year, Microsoft has been requiring users of Xbox Live to sign an updated agreement that forbids them from bringing class action cases (a tactic made possible by a separate Supreme Court ruling on contract law). Since most people don’t read the fine print, they probably won’t realize they are giving up their legal rights.
“If they say ‘We can break into your computer and do what we want,’ people will click ‘Yes,’” Straite says.
The 41-year-old attorney, who calls himself a “tech enthusiast,” is something of a pioneer. As work suing pharmaceutical companies and securities firms has ebbed, more trial lawyers think Internet privacy is the next big opportunity. But it’s no simple matter to master arcana like HTTP headers, cookie sessions, and P3P tokens. Straite says his firm hired outside technology experts to build its case.
Not everyone who cares about online privacy thinks lawsuits will help. “I didn’t expect anybody to take my work on Facebook privacy as a basis for a civil lawsuit; it was the last thing on my mind,” says Nik Cubrilovic, the Australian programmer and blogger who first documented how Facebook tracked logged-out users. He says he was contacted by lawyers but decided they were “vultures” and declined to help.
Cubrilovic wonders why anyone needs to sue, especially since Facebook addressed the issue after he identified it. Shouldn’t that be enough? “My concern is with litigation tying down startups who make honest mistakes with privacy and security issues,” he says. He fears a situation in which legal and regulatory hassles mean that “only the largest companies can afford to compete.”
Whatever happens, consumers shouldn’t expect to get a check in the mail. Even a multimillion-dollar settlement would add up to just pennies apiece if it were divided among Facebook’s users. Instead, in recent class action cases that Facebook settled, the social network has agreed to pay a few million to opposing lawyers and then donate an equal amount to nonprofits involved in online privacy.