Facebook and the VPPA: Uh-Oh

December 10, 2007 at 1:14 AM

19 Comments

The Facebook Beacon story has been igniting privacy debates for a while, and has caused the company some serious embarrassment. I think it could cause them much worse.

Another member of a professorial mailing list I’m on asked whether Facebook may have violated the Video Privacy Protection Act of 1988. Nicknamed the “Bork Bill” (a newspaper published his video rental records during his confirmation hearings), the VPPA protects your privacy in the videos you rent and buy. Well, guess what? One of Facebook’s Beacon partners was Blockbuster, so some of the items that wound up in people’s news feeds were the names of videos they’d bought. Oops.

I dug a bit into the legalities of the issue, and this is roughly what I came up with: Facebook and Blockbuster should hunker down and prepare for the lawsuits. Their recent move to allowing a global opt-out may cut them off from accruing further liability, but there’s probably an overhang of damages facing them from their past mistakes. I should note that this isn’t my usual area of law, so salt the analysis appropriately. Caselaw on the VPPA is thin, but there might be other rules of information privacy law out there that would significantly change the bottom line. That said, let us begin.

The VPPA states:

A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable… .

18 U.S.C. § 2710(b)(1). The important first question is who’s a “video tape service provider.” That’s defined in paragraph (a)(4):

[T]he term “video tape service provider” means any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials … .

Thus, it’s fairly clear that Blockbuster is a “video tape service provider” but Facebook and its users aren’t. There are also a pair of important legal principles that could make things much dicier for Blockbuster.

If the disclosures by Facebook or a user are involuntary, then torts law ordinarily puts the liability on whoever set the unfortunate process in train. It’s like persuading a six-year-old to commit fraud for you, or grabbing a pirate’s sword arm and forcing him to slice someone with his cutlass. As we’ll see, this could make Blockbuster liable for disclosures technically made by its customers.

If Facebook and Blockbuster agreed to act in concert to do something, then doctrines of principal-and-agent and joint enterprise often allow their actions and motives to be attributed to each other. That would let things done by Facebook be counted as having been done by Blockbuster, possibly making Blockbuster liable for disclosures technically made by Facebook.

With these rules in mind, let’s look at the facts to see if there were any relevant disclosures of personally identifiable information. The typical sequence of relevant information flows in the days before a global opt-out went something like this:

Ethan visits Blockbuster and clicks to buy The Producers. Ethan’s click causes some functions (written by Facebook, sent to Ethan by Blockbuster) to execute in Ethan’s browser. Those functions create an “iframe” (a kind of sub-page) within the Blockbuster page on Ethan’s browser. The iframe communicates with Facebook, telling it that the currently-logged-in user (Ethan) has just bought The Producers. The iframe tosses a pop-up window; if Ethan clicks “no” in the pop-up, the dance stops here. Joel, who is on Ethan’s friends list, sees that Ethan bought The Producers.

There are two possible sources of VPPA trouble here . First, in step (4) when Facebook found out that Ethan had purchase The Producers, that might have been a disclosure either by Ethan or by Blockbuster. Second, in step (6) when Ethan’s friends found out that he’d bought it, that might have been a disclosure by Ethan or by Facebook.

Let’s start with the disclosure to Facebook (step (4)). Blockbuster looks like it has a strong argument here that Ethan was the discloser, not it. After all, it was Ethan’s browser that told Facebook what he’d rented, not Blockbuster’s web site. Since Ethan isn’t a video tape service provider, that’s the end of the story.

I don’t think that argument works, though, because Ethan’s disclosure to Facebook is pretty much a textbook example of an involuntary act. Yes, Ethan’s browser did the heavy lifting. But it did so because Blockbuster included some HTML on its page. Ethan didn’t parse the javascript and load the iframe himself, and if he was like me, he probably didn’t even realize that Blockbuster could get his browser to give Facebook that combination of information. (The trick works because the iframe both has some info that Blockbuster gave it and “belongs” to Facebook and can therefore access Ethan’s Facebook account. Awful clever, ain’t it?) Ethan’s browser was acting as Blockbuster’s agent, not Ethan’s.

Once we have that first disclosure, the disclosure by Facebook (step (6)) is easier. Facebook is acting in concert with Blockbuster, which is under a duty not to disclose. On principal-and-agent reasoning, Blockbuster effectively made those disclosures, and is therefore liable for them.

(I’m not sure you could get this result on your own if you looked just at step (6). The reasons are a bit subtle. Yes, it looks as though Blockbuster and Facebook are engaged in a scheme to reveal PII, but you need to be careful about the source of that PII. If Ethan had used the Movies app to tell Facebook voluntarily that he liked The Producers (which, purely incidentally, he bought online from Blockbuster), I don’t think Blockbuster has a duty to keep that fact from disclosure. A critical nexus has been sundered. That’s why we need to look at step (4)—to see whether it sunders the nexus between the purchase and information about that purchase. I think that the way Beacon operates means that the nexus is still intact; if you disagree with me about my characterization of step (4), you’ll think that Facebook takes the information free and clear, and owes no duty to anyone, even if Blockbuster is involved. There are some further legal complexities here that involve some very precise statutory reading, but I’ll omit them so as not to get into a digression from a digression.)

So that’s an affirmative case for some serious liability. Blockbuster could try to interpose a few defenses. I don’t think any of them work, but they’re worth discussing.

First, Beacon successfully identifies Ethan here even if he buys the movie from Blockbuster under a false name. The critical step is that the same person both buys the movie and is logged into Facebook. Thus, there will be some scenarios in which Blockbuster causes Ethan to be identified without itself having had any knowledge of his identity. In those cases, it seems hard to frame an argument that you can “disclose” something you never knew. Nonetheless, given the statutory definition of PII (“includes information which identifies a person as having requested or obtained specific video materials”), Blockbuster can “identif[y]” Ethan as having bought The Producers whether it knows who he is on Facebook or not. It provides to Facebook information sufficient to say that Mr. X bought a movie, and Facebook knows who Mr. X is.

Second, Blockbuster could argue that its step-(4) disclosure is “to the consumer” and thus allowed under subparagraph (b)(2)(A) of the VPPA. That works as to the information flows in steps (1) and (2), in which Blockbuster tells Ethan’s browser some things, but it doesn’t work as to the information flow in step (4). Facebook is not the “consumer” no matter how hard you stretch and strain. It also doesn’t work in step (6); if you think of the other users as the “consumer,” you’ve pretty much completely eviscerated the VPPA.

Third, there’s the whole can of worms around the temporary pop-up that Facebook showed to let users opt-out of sharing details. Each site using Beacon used to show users a pop-up letting them avoid having the transaction listed. Subparagraph (b)(2)(B) allows disclosure with “the informed, written consent of the consumer given at the time the disclosure is sought.” Those pop-ups failed that test in multiple ways:

They vanished if the user did nothing for twenty seconds or so. You can pretty much guarantee that some users won’t see the pop-up at all. So much for “informed.”

It’s been revealed that if you’d ever clicked “remember me” on Facebook, it would remember you in spades. Even if you weren’t logged in, your Beacon transactions would still result in personally-identifying web requests hitting Facebook’s servers—regardless of any opt-out requests. So much for “consent.”

Regardless of what Facebook’s request for consent looked like, Blockbuster’s was pretty clearly defective—viz.: nonexistent. Indeed, by the time you see the pop-up, your browser has already sent the critical step-(4) request to Facebook. All that saying “no” does is to prevent step (6) from happening. Thus, on my reasoning above, the user can’t prevent the first and critical disclosure from happening. So much for “given at the time the disclosure is sought.”

Indeed, if my analysis of step (4) is correct, then Facebook’s current policy (failure to click on the pop-up constitutes refusal, not acceptance) is still defective. It’s too late at that point to keep Facebook from learning that you, yes you Ethan K—, bought The Producers. The violations might still be accumulating. Facebook’s only arguable out would be that the company’s servers aren’t a “person,” so there’s been no actionable disclosure. I need to think more on this angle, but I have my suspicions that it might be too slender a reed to support Facebook’s awesome weight.

So that’s Blockbuster. What about Facebook? There’s the joint enterprise theory; since Facebook and Blockbuster acted together, and Blockbuster is liable, so too is Facebook. There’s a split in the VPPA caselaw as to whether liability runs only against the video tape service provider, or can run also against the person who induced the disclosure. Those cases, though, typically involve police officers getting rental information without going through proper law enforcement channels (a search warrant, grand jury subpoena, or court order). I’m not sure quite how they’d apply here, where Facebook is more clearly acting in concert with Blockbuster to engage in further disclosures. My sense is that Facebook could win or could lose, depending on how the court chooses to interpret the VPPA. The risks are substantial.

Put this all together, and the legal situation looks a bit bleak for Facebook and Blockbuster. The VPPA provides damages of $2,500 per violation, plus punitive damages and attorneys’ fees. I have no idea how many movies wound up in people’s news feeds, but it doesn’t have to be too many for the total to hurt. Class action lawyers, start your engines.

Addendum 2007-12-11: There’s an interesting discussion over at Concurring Opinions of the “marketing exception” of subparagraph (b)(2)(D). That exception allows disclosures of the genres of movies you rent, if there’s a “clear and conspicuous” opt-out, and “for the exclusive use of marketing goods and services directly to the consumer.” The exception fails in at least three (!) ways:

“Clear and conspicuous” opt-out? I don’t think so, not if the opt-out pop-up disappears on you.

Beacon showed actual titles, not just genres.

Marketing to the consumer’s friends is different from marketing “to the consumer.”

Addendum 2007-12-11: heebner, in comments, raises the issue of whether Facebook is a “person.” It is. The definitions section (18 U.S.C. § 2711) for the chapter of the U.S. Code that includes the VPPA (18 U.S.C. ch. 121) includes a bunch of definitions from another definitions section (18 U.S.C. § 2510), including one that defines “person” as:

any employee, or agent of the United States or any State or political subdivision thereof, and any individual, partnership, association, joint stock company, trust, or corporation.

My apologies for previously making that issue seem harder than it is, and thanks to heebner and Mike Malone for bringing it up.