A US District Court in California has ruled that a suit that targets Facebook's data-harvesting practices can go forward. The company had attempted to have the whole thing tossed out, but only succeeded in having two relatively minor allegations dismissed.

There are three plaintiffs to the suit, all of whom allege that various state and federal statutes were violated by Facebook's practice of scanning private messages in order to target ads more precisely. They also are upset that the mention of any company in these messages ends up counting as a "like." Their suit [PDF] alleges that Facebook's messaging service is "designed to allow users to communicate privately with other users," and the scanning therefore violates the federal Wiretap Act as well as California’s Invasion of Privacy Act.

Facebook, for its part, wants to see the whole thing thrown out. It claims that it must handle the content of the messages in order to ensure delivery, and therefore it is not possible for it to unlawfully intercept them. Failing that, it suggested that the scans were part of ordinary business practice, and therefore exempt from the law. And, in any case, it stopped the practice back in 2012. For all those reasons, its lawyers argued, the case should not proceed.

The court responded to this request by pursuing an extraordinarily rare course of action: it read Facebook's entire terms of service. And, in this case, their vague language—typically used to provide broad immunity—became a liability: "[the document] does not establish that users consented to the scanning of their messages for advertising purposes, and in fact, makes no mention of 'messages' whatsoever." Thus, the plaintiffs may have had reason to expect that their messages would remain private. And, although the practice may have been discontinued, the plaintiffs allege that Facebook could start scanning messages again whenever it wanted to.

The remaining arguments focused on whether the practice of scanning was a normal part of messaging operations. After all, an e-mail service provider doesn't "intercept" message when handling them on a server; it's an essential part of how e-mail works. Here, the judge ruled that, in the absence of any explanation of how the scanning system worked required that it be sorted out in court: "Facebook’s unwillingness to offer any details regarding its targeted advertising practice prevents the court from being able to determine whether the specific practice challenged in this case should be considered 'ordinary.'”

The company did see a couple of wins when it came to California laws. The judge ruled that one statute didn't apply because the plaintiffs didn't provide sufficient facts to show that they should have expected their communications would be confidential. A second didn't apply because they didn't allege the loss of money or property.

But the end result is that the case will go forward. Facebook isn't the only company to run into suits from its users over alleged privacy violations; Google, Earthlink, and others have all faced this challenge. The Google suit, which the judge referred to multiple times, eventually collapsed when it was denied class action status.