Brooke Rutledge of Lafayette County, Mississippi has sued Facebook for allegedly violating federal wiretap laws by illegally tracking her Internet activity while logged out of the social networking site. The 17-page filing seems to have been prompted by a recent discovery by Australian blogger Nik Cubrilovic. In late September, Cubrilovic released an article explaining how Facebook could track users across the Web on any page running a Facebook widget, such as the "Like" button seen at the bottom of TechSpot's articles.
"Leading up to September 23, 2011, Facebook tracked, collected, and stored its users' wire or electronic communications, including but not limited to portions of their internet browsing history even when the users were not logged-in to Facebook," says Rutledge's complaint, which she hopes will reach class-action status. It goes on to say that Rutledge didn't authorize Facebook to intercept, track, collect and store her electronic communications such as browsing history when not logged in to the social site.
Facebook's privacy policy informs users that when visiting sites with plugins such as the Like button, your browser will send certain information back to Facebook, but your account ID is supposed to be excluded if you're not logged in. The policy specifically claims: "If you're logged out or don't have a Facebook account and visit a website with the Like button or another social plugin, your browser sends us a more limited set of information. For example, because you're not logged in to Facebook, we don't receive your User ID."
However, Cubrilovic's research suggests that the site issues cookies with unique identifiers that are included in the data returned to Facebook – even when you're logged out. "Even if you are logged out, Facebook still knows and can track every page you visit that has Facebook integrated," Cubrilovic wrote. "The only solution to Facebook not knowing who you are is to delete all Facebook cookies." This isn't a new discovery, either. Cubrilovic informed Facebook about the issue several times over the last year but has been ignored.
Until he went public, of course. Facebook Engineer Gregg Stefancik quickly replied to – and largely denied – Cubrilovic's claims. Two days after publishing his original article, Cubrilovic said in an update that Facebook has partly resolved the issue, which reportedly stemmed from a "bug" that left identifying cookies on your system after logging out. "Facebook has changed as much as they can change with the logout issue. They want to retain the ability to track browsers after logout for safety and spam purposes," Cubrilovic wrote.
Facebook hasn't commented on Rutledge's suit, but it's not the first of its kind and it certainly won't be the last. Earlier this month, 42-year-old Kansas lawyer John Graham filed suit over Facebook's cookies citing wiretap violations. Experts believe these cases have little footing as there is a legal precedent suggesting cookies aren't wiretaps. The Register notes that although similar cases against Disney, Microsoft, McDonalds and others have been thrown out, it's mostly because the plaintiffs couldn't quantify monetary damages.