Social media, as we know, contains a wealth of personal information. This information can be the subject of diverse legal matters, including what the legitimate holder of the information does with it (Cambridge Analytics and Facebook from 2016) and criminal behavior by a third party intruder either using the social media site to attack through a malicious link or gathering enough information through open source intelligence collection to create a profile of a victim in which to use to gain their trust.
Keeping Data Secure
Facebook, over the last few years, has been a work in progress in doing everything it can to secure user’s private data. As it launched Facebook Messenger, a direct communication tool controlled by users, both Facebook and Facebook Messenger talked to each other once both applications were installed and shared information about user’s accounts such as phone numbers of friends in their networks. This is done with a tool called Messenger Contact. Through automated tools and a fake Facebook account, it is possible to use a database of phone numbers to fool Messenger into releasing private data associated with the phone numbers. The act of scraping social media is legal; however, it is not legal to scrape private content without permission and sell it to a third party without user’s consent for a profit, in violation of a User Terms of Agreement.
Facebook Lawsuit Against Social Media Scraping
The defendant in the matter, Alexandrovich Solonchenko, nickname “Solamame”, in 2018 and 2019, allegedly took advantage of Facebook Messenger’s Import Tool by using his fake accounts and automated software, to scrape 178 million Facebook Accounts. Remember, I said Facebook was a work in progress. The complaint notes:
Between February 2018 and December 2018, Facebook set limits for the number of contacts that could be uploaded through Messenger Contact Importer and the frequency at which those phone numbers could be submitted. Finally, since September 2019, Messenger Contact Importer no longer returns one-to-one lists of matched phone numbers.
The complaint alleges that Solonchenko took the scraped data and attempted to sell it for profit on a site called RaidForums (which you can find on the Internet, without having to search the Dark Web). This was done as recently as February 2021 according to the complaint.
The causes of action that Facebook chose in their lawsuit was breach of contract based on the user agreement, which forbids using automated tools to collect or sell private data of another for profit without Facebook permission. The relief asked for amongst other things, is an injunction against Solonchenko to quit using or selling the collected data.
While violating terms of agreement is a pretty clear case of breach of contract, it is a little murkier whether the conduct amounts to a criminal violation under the federal Computer Fraud and Abuse Act. The Supreme Court in their recently decided Van Buren v. United States case noted in summary that accessing a system legally for improper purposes did not meet the intent of the CFAA. Most legal scholars have noted that web scraping would fall under that category.
The Why Behind Facebook’s Lawsuit
Why would Facebook file a suit against someone that is unlikely to respond or comply with court orders? My guess only- it does show a good faith effort for Facebook to do everything they can do post-event to protect customer data, both to the user and regulatory bodies who may have taken action against the company for breach of privacy. Reputation of social media companies can drive their value up or down, and the public eye on protection of the customer is increasingly watchful. It also sets the tone that Facebook will not take these cases lightly in the future (Southwest Airlines succeeded with an injunction in a similar matter last month), and they will enforce User Agreements to the maximum extent possible.