Judge questions Facebook over ‘backdoor’ data sharing

SAN FRANCISCO -- Facebook Inc. cannot determine which applications had access to private user data through what the federal judge handling the case called a "backdoor" channel to the information, a company attorney argued Monday.

Overseen by U.S. District Judge Vince Chhabria, the case concerns accusations Facebook illegally permitted third party applications to obtain users' personal information. Certain "whitelisted" applications allegedly had access to the private data of a users' friends even after the company said it discontinued the practice.

The lawsuit was filed shortly after the March 2018 revelation that political consulting firm Cambridge Analytica unlawfully obtained 87 million users' data through a platform application. Allegations have since expanded to include the entirety of Facebook's data-sharing practices.

Chhabria took the matter under submission.

Facebook should only have to produce evidence on accounts related to the 32 named plaintiffs in the proposed class action lawsuit, according to defense attorney Orin Snyder. The company's policies on its data-sharing policies are "far afield" from claims in this case, he added.

Chhabria responded he cannot "advance the ball in any meaningful way" if Facebook cannot answer a question he said was at the core of the plaintiffs' claims.

"We have plaintiffs who are saying you gave these third party applications access to my information, and that they got that information through the backdoor, through my friends," he said.

Those users had "no expectation to privacy" if their friends authorized the data-sharing, Snyder said. In re: Facebook, Inc. Consumer Privacy User Profile Litigation, 18-MD02843 (N.D. Cal., filed June 6, 2018).

The longtime Facebook attorney from Gibson, Dunn & Crutcher LLP also noted plaintiffs should be required to turn over information relating to the named plaintiffs to determine if they even have standing to sue. Facebook can beat some of the claims at issue in this case if it finds they authorized their friends to share their information, Snyder said.

Chhabria said the best way to understand how the company's information sharing practices affected individual plaintiffs is to learn as much as possible about them, including how many applications had access to the data, what kind of information they obtained and what Facebook did in response.

Evidence production is "limited to the 32 named plaintiffs," argued Snyder, who has maintained there was "no ultimate harm" and the social media giant never "exceeded user consent."

Derek Loeser, representing the plaintiffs, agreed with Chhabria's approach. The problem with Facebook's suggestion is claims the named plaintiffs are arguing are not solely specific to them, Loeser said.

"So much of the evidence applies to the platform and its policies and practices," he added.

It would be inefficient to proceed with individualized inquiries on the plaintiffs and then go back to the same issues when arguing whether the lawsuit can proceed as a class action, Loeser noted.

Chhabria requested additional briefing on what the specific requests for evidence would look like before he makes a decision.

Last week, Facebook lost a bid to immediately appeal to the 9th U.S. Circuit Court of Appeals ruling that allowed users in this case to move on with their claims because they were supposedly unharmed as a result of the misconduct.

"The question whether alleged data privacy violations give rise to [standing] is an evolving issue of increasing importance that already has drawn considerable attention from the nation's appellate courts, including the U.S. Supreme Court," Snyder wrote.

Chharbia found "courts have often held that this particular type of intangible injury -- disclosure of sensitive private information, even without further consequence -- gives rise" to sue.