Specifically, what seems to be up for grabs are the contents of links to third-party websites contained inside supposedly private messages.
The lawsuit, which can be read in full here, claims that data mined in this way by the social network is shared with third parties such as advertisers and marketers.
When a user composes a Facebook message and includes a link to a third party website (a “URL”), the Company scans the content of the Facebook message, follows the enclosed link, and searches for information to profile the message sender’s web activity.
This practice is not done to facilitate the transmission of users’ communications via Facebook, but because it enables Facebook to mine user data and profit from those data by sharing them with third parties – namely, advertisers, marketers, and other data aggregators.
Representing to users that the content of Facebook messages is “private” creates an especially profitable opportunity for Facebook, because users who believe they are communicating on a service free from surveillance are likely to reveal facts about themselves that they would not reveal had they known the content was being monitored. Thus, Facebook has positioned itself to acquire pieces of the users’ profiles that are likely unavailable to other data aggregators.
The class action cites independent research by security firm High-Tech Bridge which last year tested which social networks accessed secret and unpredictable URLs that it shared privately via various services.
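The measurement behind that research is simple to reproduce: issue a secret, unguessable URL per sharing channel, post each link through one channel only, and see which URLs the canary web server is asked for. The following is an added illustration of that approach, not code from the article or from High-Tech Bridge; the host `canary.example`, the channel names and the access-log lines are constructed placeholders.

```python
import re
import secrets
from datetime import datetime

# Combined-log-format line as written by nginx/Apache: addr, timestamp, request, status, size, referer, UA
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"')

class CanaryLinks:
    """Issue one secret, unguessable URL per messaging channel and record who fetches it."""
    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")
        self._issued = {}  # path -> channel the link was shared through
        self.hits = []     # one dict per fetch seen by the canary web server

    def issue(self, channel):
        # 128 bits of entropy: the path cannot be guessed or crawled, so any request
        # for it must come from something that was shown the message text.
        path = "/c/" + secrets.token_urlsafe(16)
        self._issued[path] = channel
        return self.base_url + path

    def record_hit(self, path, remote_addr, user_agent, seen_at):
        channel = self._issued.get(path)
        if channel is None:
            return None  # not a link we issued (background scanner noise): ignore
        hit = {"channel": channel, "remote_addr": remote_addr,
               "user_agent": user_agent, "seen_at": seen_at}
        self.hits.append(hit)
        return hit

    def ingest_access_log(self, lines):
        # Replay the canary server's access log and keep only hits on issued paths.
        recorded = []
        for line in lines:
            m = LOG_RE.match(line)
            if not m:
                continue
            addr, ts, path, ua = m.groups()
            seen = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            hit = self.record_hit(path, addr, ua, seen)
            if hit:
                recorded.append(hit)
        return recorded

    def report(self):
        # channel -> sorted distinct (remote_addr, user_agent) pairs that fetched its link
        out = {}
        for h in self.hits:
            out.setdefault(h["channel"], set()).add((h["remote_addr"], h["user_agent"]))
        return {ch: sorted(pairs) for ch, pairs in out.items()}
```

A channel appearing in the report with a fetch timestamp earlier than the recipient opened the message indicates server-side link inspection of the kind the complaint describes; the report alone does not say what the fetching party did with the page.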
According to the complaint filed by Matthew Campbell and Michael Hurley with the Northern District Court in California:
Contrary to its representations, “private” Facebook messages are systematically intercepted by the Company in an effort to learn the contents of the users’ communications…
For its part, Facebook says that the allegations are “without merit”.
So, what should we think about this?
Well, social networks like Facebook do need to make clear what they do or don’t do with content posted by their users, both publicly and privately, on the service, including messages sent supposedly privately between two users.
But I don’t see anything necessarily wrong in principle with online services automatically scanning messages between individuals, and examining the links that they are sharing.
Indeed, if Facebook’s security team didn’t have such systems in place I would believe them to be disturbingly lax in their duty of care for users.
After all, if you didn’t properly scan and check links, there’s a very real risk that spam, scams, phishing attacks, and malicious URLs designed to infect recipients’ computers with malware could run rife.
Different services and social networks may investigate URLs to different depths, with varying levels of thoroughness, in their attempt to determine whether the webpage linked to contains malicious or scam content.
Whether Facebook needs to reword its terms and conditions to make clear that it will be scanning the contents of private messages, and exploring links that are shared, remains to be seen and is something for sharp-suited legal types to look into.
And the social network does need to ensure its 1,000,000,000+ members know what Facebook does, and why, so there is proper transparency which allows users to make informed decisions.
With that information you may decide, for instance, not to use Facebook for private messaging and use something with end-to-end encryption instead.
But one thing that is certain to me is that automated scanning of links sent via ‘private’ messages is overall a good thing for Facebook users’ security.
If you are on Facebook, and want to be kept updated with news about security and privacy risks, and tips on how to protect yourself online, join the Graham Cluley Security News Facebook page.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.