MA Attorney General v. Facebook
- EPIC to Massachusetts Supreme Court: Facebook Needs to Disclose Apps that Violated User Privacy: EPIC has filed an amicus brief in Massachusetts Attorney General v. Facebook urging the Massachusetts Supreme Judicial Court to require Facebook to disclose information about third-party apps that violated user privacy protections. The Attorney General requested the information as part of an investigation into the 2018 Cambridge Analytica scandal. EPIC wrote that Facebook has been obligated to collect information about user privacy abuses for more than a decade but failed to do so in this case until threatened with litigation. As a consequence, EPIC argued, if the company is allowed to keep this information secret, "Facebook will continue to evade accountability and the harmful effects of Facebook's business practices could go undetected." EPIC argued that Facebook has had a long pattern of secrecy, and that Facebook now "knows a shocking amount about each of its users, but its users know shockingly little about Facebook." EPIC has long sought accountability for Facebook's broken privacy promises. EPIC filed the original FTC Complaint in 2009 that led to the FTC's 2012 Consent Order with the company, subsequently filed several complaints alleging violations of the Order, urged the FTC to investigate the Cambridge Analytica incident, and moved to intervene in and filed an amicus brief challenging the FTC's 2019 settlement with Facebook. (Nov. 16, 2020)
The Massachusetts Attorney General opened an investigation into consumer privacy abuses following the Cambridge Analytica scandal. The AG sought information about the identities of developers and applications which Facebook found had impermissibly accessed user data, along with Facebook's internal communications about them. Facebook challenged this request, claiming that the information was privileged because it was prepared in anticipation of the extensive litigation Facebook now faces. After a trial court ordered Facebook to hand over the requested information, Facebook directly appealed to the Supreme Judicial Court of Massachusetts.
The Facebook Platform allows third-party app developers to promote and offer apps that are integrated with Facebook. The system provides the developers with access to a variety of users' personal information.
In 2009, EPIC and others urged the FTC to investigate Facebook's Platform and the extent to which third parties could access granular user information without users' knowledge or consent. After investigating the company for several years, the FTC entered into a consent order with Facebook that required the company to implement detection and enforcement programs which would regularly monitor and investigate apps and developers that potentially violated user privacy policies. The FTC also required Facebook to limit the amount of user data parties on the Platform could access.
In 2014, a single Facebook Platform app developer was able to access and extract the personal information of 87 million users without their knowledge or consent and then provided that data to Cambridge Analytica for use in political ad campaigns. Neither the FTC nor the independent auditor tasked with assessing Facebook's privacy program under the 2012 Consent Order detected the failure in Facebook's monitoring system.
When news broke of the Cambridge Analytica incident in March 2018, Facebook announced an investigation into other apps and developers who may have used the Platform in a similar way to extract personal information.
In 2018, Massachusetts AG Maura Healey announced that her office would investigate Facebook. The investigation seeks in part to identify app developers who may have violated the state's Consumer Protection Act. The AG has demanded information from Facebook's investigation of other third-party apps. Facebook refused to provide the requested information.
In 2019, the AG filed a petition with the trial court to compel Facebook to comply with the demand for information on apps and developers identified by Facebook's investigation and related internal communications. In response to the petition, Facebook argued that all of the requested information was protected by attorney-client privilege because it was gathered by the company in the course of an internal investigation designed and managed by Facebook's lawyers. The trial court rejected Facebook's argument and ordered Facebook to provide the requested information. Facebook then applied for direct review to the Supreme Judicial Court. The Court granted review in May 2020.
A central issue on appeal is whether the information the AG seeks contains protected or privileged client-attorney communications. Facebook argues that it does, since the information only exists because Facebook chose to investigate the Platform after the company faced a wave of litigation in early 2018. EPIC argues in an amicus brief that Facebook was obligated to proactively monitor for the very information at issue in the case, and that the company's failure to do so until there was a threat of litigation should not justify secrecy.
EPIC has consistently urged the FTC to investigate and regulate Facebook's data practices, especially sharing users' personal information without their knowledge or consent. In 2009, EPIC and others focused the FTC's attention on this particular issue in a complaint highlighting the vast amounts of personal information available to third parties through the Platform. EPIC was directly involved in the Cambridge Analytica investigations, urging the FTC to investigate the company's data sharing practices. EPIC more recently moved to intervene in the FTC's 2020 settlement with Facebook and filed an amicus brief arguing that the deal would not require Facebook to change its practices in any meaningful way. EPIC gathered thousands of complaints filed by users with the FTC regarding Facebook's data sharing practices in the years between the 2012 Order and the 2020 settlement. EPIC also uncovered communications between the FTC and Facebook that demonstrated the FTC's reluctance to effectively enforce the requirements of the 2012 Order, which may have prevented the Cambridge Analytica incident altogether.
Massachusetts Supreme Judicial Court (No. SJC-12946)
- Appellant Facebook Application for Direct Appellate Review (Apr. 15, 2020)
- Party Briefs
- Appellant Facebook Brief (July 27, 2020)
- Appellee AG Brief (Sept. 30, 2020)
- Appellant Facebook Reply Brief (Oct. 28, 2020)
- Amicus Briefs in Support of Appellant Facebook
- Amicus Brief of National Association of Criminal Defense Lawyers (May 4, 2020)
- Amicus Brief of Association of Corporate Counsel (Nov. 10, 2020)
- Amicus Brief of Chamber of Commerce of the USA (Nov. 13, 2020)
- Amicus Briefs in Support of Appellee MA Attorney General
- Amicus Brief of EPIC (filed Nov. 16, 2020)
- EPIC's Motion for Leave to File Amicus Brief (filed Nov. 16, 2020)
- Amicus Brief of Common Sense Media (Nov. 13, 2020)
- Opinion (Mar. 24, 2021)