Less than one week. That's all the time needed for Jay Edelson to swing into action in March and file suit upon splashy headlines that Cambridge Analytica had harvested datafrom tens of millions of Facebook users in the interest of swinging the 2016 presidential election in favor of Donald Trump. Edelson was hardly the only class-action lawyer rushing to allege a huge violation of trust on the part of the world's biggest social network. But not every attorney is known to be a corporate America bogeyman, notorious for picking fights with large and small companies over the seedier sides of online life, including surreptitious information collection and the hawking of personal data to occasionally shady third parties.
The Cambridge Analytica scandal gave the 45-year-old bespectacled attorney with a passing resemblance to Steve Jobs an opportunity to go to court with a new story of tech infidelity. One that begins in 2014, when a Russian-American working for Cambridge Analytica created a personality quiz app called thisisyourdigitallife. About 270,000 users downloaded the app. Cambridge Analytica parlayed its modest access to the lives of ordinary Facebook users and their family and friends into more and more information — enough to begin psychologically profiling American voters and then bombarding them with phony and real news.
And Facebook's role?
"This kind of mass data collection was not only allowed but encouraged by Facebook, which sought to keep developers building on its platform and provide companies with all the tools they need to influence and manipulate user behavior," states the March 23 lawsuit filed by Edelson. "That's because Facebook is not a social media company; it is the largest data-mining operation in existence."
Sharp words, but Edelson obviously wasn't alone in expressing that sentiment. In addition to the many lawsuits filed over Cambridge Analytica, lawmakers have expressed outrage that Facebook hasn't taken user privacy seriously enough. And millions of consumers have decided to ditch the platform. But Edelson's lawsuit is notable — and not just for what the complaint says and the prospect that Facebook may pay through its digital nose.
Rather, if Edelson pulls this suit off, he'll be doing so in a brazenly new way, the type of achievement that could attract imitators from the ranks of other attorneys currently struggling to hold companies liable for privacy breaches. That scenario, in turn, could spur federal digital privacy legislation in the new year that could become a headache for CEO Mark Zuckerberg.
What makes the Edelson lawsuit different is a name barely anyone knows: Kimberly Foxx, a state's attorney, the top prosecutor in Cook County, Illinois. Edelson is ostensibly representing the people of Illinois through Foxx on a claim that Facebook engaged in unfair and deceptive conduct. Or, stated another way, a government official has outsourcedlaw enforcement to a class-action attorney.
Edelson, having now been given the role of a Special Assistant State's Attorney thanks to possessing the "required legal expertise," as a court order confirming his appointment put it, aims to punish Facebook for violating The Illinois Consumer Fraud and Deceptive Business Practices Act. It carries massive repercussions, including $50,000 in civil penalties per violation, injunctive relief and — if egregious circumstances call for it — a lost business license to operate in the state. That's right. Theoretically, Facebook could pay billions and be prohibited from offering its service in Illinois if it loses this lawsuit.
No wonder Facebook is desperate to avoid that outcome.
"[T]he case is being directed and financed by private attorneys with no accountability to the State or Illinois voters, pursuant to a contract of questionable validity that awards them a significant contingent interest in any recovery," wrote Facebook's lawyers in a bid to keep the case from being litigated in state court. (Indeed, Edelson will collect 20 percent of whatever he wins in the case.)
The ongoing fight over this lawsuit has caught the attention of other attorneys. "The Edelson firm has generated notoriety with some of its privacy cases," says litigator Robert Schwartz, of the Quinn Emanuel firm, who has defended privacy cases for big companies. "I don't typically agree with their positions. But on this one, on the standing issue, they appear to have done their homework."
What Edelson's case portends is politically connected plaintiffs' lawyers working hand in hand with local regulators and testing out new legislation coming from the progressive quarters of the nation. These sorts of partnerships, sure to raise constitutional challenges, threaten to become disruptive to companies that once made disruption a key part of their own missions. That could well become the incentive for goliaths like Facebook to get behind new federal legislation if only to preempt states like Illinois and California taking an even more punitive approach to privacy breaches. Already, the tech lobby has begun its push. It's not out of generosity. The goal is to supersede what's happening stateside.
"There's a lot of debate over what federal privacy legislation will look like," says Allie Bohm, a privacy expert at Public Knowledge. "After Europe passed GDPR [General Data Protection Regulation], a lot of Americans took notice. California passed an imperfect privacy law. A lot of states are going to act. I think you're going to see companies begin to come to the table and movement toward comprehensive privacy legislation in 2019."
"Cambridge Analytica, that's what gets people's attention," says the self-confident Edelson. "But really it just unmasked Facebook's modus operandi. It's one of a thousand examples."
Since word of Cambridge Analytica's activity spread nine months ago, Facebook has paid quite a price. The company has lost a third of its market value. Zuckerberg was called to testify in front of Congress, where he offered mea culpas and vague promises to do better. That hasn't stymied the backlash. According to a Pew Research poll from September, 42 percent of Facebook users say they've taken a break from checking the platform for a period of several weeks or more, while 26 percent say they have deleted the Facebook app from their mobile phones. Accordingly, Facebook has revised its growth forecast down to pretty much nothing for 2019 as investors continue to punish the company's stock.
Yet for all the hullabaloo generated by the Cambridge Analytica scandal, it's hardly clear that Facebook did anything illegal. Despite the buzz, there really was no "hack" or "data breach" in the traditional sense. What Facebook did in trafficking in data is not too different from what many digital companies do on a daily basis. That includes corporations in the entertainment sector like CBS and Hulu, whose streaming services collect massive data profiles on their users and sell advertisers on the ability to target specific consumers.
It would also be wrong to assume that companies don't give a damn about protecting their customers' most sensitive information. It's just that privacy is one of many interests. Sometimes there are trade-offs when deciding which aspects of a platform should be free and which should be subsidized by sponsors, which facets should be closed and which should be open enough to allow integration and apps built on top of the so-called social graph.
That was one of the points that Zuckerberg attempted to make to the U.S. Senate's Commerce and Judiciary committees back in April. "In 2007, we announced the Facebook developer platform, and the idea was that you wanted to make more experiences social, right?" Zuckerberg testified. "In order to do that, we needed to build a tool that allowed people to sign in to the app and bring some of their information, and some of their friends' information, to those apps. … Now, a lot of good use cases came from that. I mean, there were games that were built. There were integrations with companies that, I think, we're familiar with, like Netflix and Spotify. But over time, what became clear was that that also enabled some abuse."
Facebook is hardly blameless, and its sins undoubtedly go beyond a failure of policing the exploitation of data. Those include data-sharing agreements that reportedly allowed companies like Amazon and Sony to surreptitiously obtain users' names, emails and contact information and might have technically allowed other companies including Netflix and Spotify to read users' private messages (even if there is no evidence that this actually happened or even that Facebook's partners were aware of such powers). And some of Facebook's activity arguably violated the company's 2011 agreement with the Federal Trade Commission in which the company pledged to get consent from users before sharing their data with third parties.
Why hasn't the FTC done anything?
"The FTC is extraordinarily understaffed and under-resourced," says Bohm. "The FTC would have to go to court, but they have just 60 technologists nationwide. It is a really small number."
As for private citizens taking Facebook to court, it's not so easy.
First, users consent to all sorts of broad data collection and sharing as a condition of using the platform in the Terms of Service, the fine print that users click assent to often without reading. That clickwrap agreement also designates that any disputes go to a federal court in Northern California — Facebook's home turf (although that's more generous than the way most digital companies force aggrieved users into arbitration and forgo participation in a class action).
The next challenge for anyone wishing to sue is that there's only a patchwork of privacy laws that would provide grounds. Most of these laws are sector-specific (e.g., statutes covering health records or students' education records), narrowly and confusingly drawn up (e.g., the Video Privacy Protection Act, which prevents a tape service provider from knowingly disclosing personally identifiable information), or can be defeated by a showing of consent or no reasonable expectation of privacy (e.g. wiretapping laws).