Facebook may have violated federal privacy laws by scanning private messages, according to a lawsuit certified for class action yesterday in Northern California District Court. The allegations center around Facebook's practice of scanning and logging URLs sent through the site's private messaging system. Those scans serve a number of purposes, including anti-malware protection and industry-standard searches for child pornography, but may also be used for marketing purposes.

The plaintiffs allege that Facebook routinely scans those URLs for advertising and other user-targeting data — and claim that by maintaining those records in a searchable form, Facebook is violating both the Electronic Communications Privacy Act and California Invasion of Privacy Act. Facebook disputes that private messages are scanned in bulk, and maintains the URL data is anonymized and only used in aggregate form.

"The records... may be put to any use, for any reason, by any Facebook employee, at any time."

Through the discovery process, the plaintiffs have gained significant access to Facebook source code and engineers, although many of the resulting exhibits are still under seal. The available court records strongly suggest that the company maintains a persistent record of the links sent in private messages. As the plaintiffs' attorneys put it, "the records that Facebook creates from its users’ private messages, and which are stored indefinitely, may be put to any use, for any reason, by any Facebook employee, at any time."

It’s unclear how easily those records could be traced back to the person who sent the message. In a response motion, Facebook described the records as "more akin to The New York Times publishing a list of bestselling books…the anonymized and aggregated data is used to indicate the popularity of information." Describing the collection of that data as a privacy violation constitutes "a technical attack on basic elements of computer programming," the company argued.

"more akin to... a list of bestselling books"

A technical analysis performed on behalf of the plaintiffs seems to contradict Facebook's description of the records. According to that analysis, each messaged URL is stored in a private message database dubbed "Titan," which shows the date and time a message was sent, along with the user IDs of both the sender and the recipient. (Titan may also refer to a particular brand of graph database software.) The analysis provides a specific data query that a Facebook employee could enter to identify anyone who sent or received a URL-linked private message during the period specified by the lawsuit. In a response, Facebook lawyers described the analysis as "speculative."

Without access to the source code, it’s difficult to assess how effective Facebook's anonymization was. But in the case of the 2012 version of the system, there seems to have been at least some internal ambiguity surrounding the data. Private messages were meant to increase the Like Count without identifying the source of the Like — but it's unclear how robust that system was. In one email exchange describing the 2012 system for converting URLs sent in messages to Likes, a Facebook employee said, "we have intentionally not proactively messaged what this number is since it’s kind of sketchy how we construct it."

Yesterday’s certification rules out any monetary damages, so while the court could prohibit Facebook from conducting similar scans in the future, the plaintiffs won’t receive any payout as a result of the ruling. In a statement, a Facebook spokesperson applauded that finding. "We agree with the court's finding that the alleged conduct did not result in any actual harm and that it would be inappropriate to allow plaintiffs to seek damages on a class-wide basis," the statement reads. "The remaining claims relate to historical practices that are entirely lawful, and we look forward to resolving those claims on the merits."

Facebook "continues to make use of the content it acquires"

The company’s practices have changed significantly over time. In 2012, it was revealed that Facebook was increasing a link’s Like count each time it was sent in a private message, an incident that plaintiffs take as evidence that the data is tied to a user's profile. According to Facebook testimony, the practice was discontinued shortly after it was revealed.

While the company is no longer using private messaging data to boost Like counts, the plaintiffs allege Facebook hasn’t stopped collecting URLs from private messages. "Facebook’s source code not only reveals that Facebook continues to acquire URL content from private messages, but that it also continues to make use of the content it acquires," the plaintiffs' attorneys wrote in a recent motion.

The majority of information on Facebook is intentionally shared, and as a result can be stored indefinitely and used to target content and advertisements without any legal implications. But links sent in private messages are, by definition, private, and any persistent record that a person had privately shared a specific link — to a medical clinic or political organization, for instance — would pose an obvious privacy concern.

It still remains to be seen whether the link-logging system at any point violated ECPA or CIPA, but the path is now cleared for the case to proceed. The plaintiffs are due to file an amended complaint by June 8th, ahead of a scheduling conference at the end of the month.

Update 12:52PM ET: Added statement from Facebook and more information on the nature of the class certification.

Campbell v. Facebook Class Certification by Anonymous Mw4rxN5su