An already head-spinning legal case between Facebook and the developer of a now-defunct app that searched for Facebook users’ bathing suit photos took another series of turns Wednesday. First, The Wall Street Journal reported on a previously redacted court filing, containing information that Facebook has fought for months to keep sealed, which alleges that Facebook had considered selling access to user data before 2014. Then, Facebook hit back against the company behind the lawsuit—Six4Three—arguing that it breached a court order to keep the documents sealed and then sought to destroy evidence just before British lawmakers seized some of those documents from Six4Three’s founder last week.
The court filing, which was drafted by Six4Three’s legal team in 2017, is based on internal Facebook documents obtained through discovery. Though the underlying documents aren’t included in the filing, they’re partially quoted throughout it and suggest that Facebook brokered special data deals with companies like the Royal Bank of Canada and Amazon, among others. In one email cited in the filing, a Facebook employee discussed shutting down apps that don’t spend “at least $250k a year to maintain access to the data.” The exposure of this sensitive information comes down to a simple technical glitch: The court documents were redacted improperly, leaving the underlying text exposed when it was uploaded to a text editor by a reporter at Ars Technica, which published the document in full Wednesday night.
“The documents Six4Three gathered for this baseless case are only part of the story and are presented in a way that is very misleading without additional context,” said Konstantinos Papamiltiadis, Facebook’s director of developer platforms and programs, in a statement.
The company had successfully fought to keep the documents sealed in California, where the lawsuit was filed. But last week, lawmakers in the United Kingdom seized at least some of them from Six4Three founder Ted Kramer while he was traveling to London on business and are planning on publishing them within a week. Facebook is now charging Six4Three with breaching the California court order and is demanding a discovery process of its own to find out how British regulators were able to obtain confidential documents that were never supposed to see the light of day.
The filing cuts to the heart of an increasingly nasty legal battle between Facebook and Six4Three, whose bikini-finder app Pikinis went out of business in 2015 after Facebook changed its API to cut off app developers from their users’ friends data. It did this ostensibly to protect users’ privacy. But the Pikinis app relied on that data, and after it shut down, Kramer sued Facebook, alleging that the company had been planning to cut off access to this data as early as 2012, at the same time it was luring new developers with it. He has since accused the company of trading access to user data in return for mobile advertising purchases from app developers beginning in 2012.
In a hearing in London this week, Facebook’s vice president of public policy said that the company considered a variety of business models, including privatizing its APIs, as it transitioned from a primarily desktop-based business to mobile. But in a subsequent statement provided by Papamiltiadis, the company stood by its assertion that it’s never sold data. “Our APIs have always been free of charge and we have never required developers to pay for using them, either directly or by buying advertising,” he said.
It’s an international he-said/he-said showdown where somehow every party looks bad. Facebook appears to have at least seriously considered something it has long promised it would never do, which is sell users’ data. Six4Three, meanwhile, is coming after Facebook for actually strengthening its protections of user data at a time when the world is rightly concerned about the lack of privacy online. The Pikinis app let people access strangers’ bikini photos, using the same feature that enabled a political firm called Cambridge Analytica to misappropriate the data of tens of millions of Americans without their knowledge. Then there are the UK lawmakers who, in their quest to hold Facebook accountable, have defied international norms by seizing documents that were ordered sealed in the US, setting a worrisome precedent.
Still, it’s Facebook that has the most to lose. Six4Three’s filing quotes from internal emails to allege that Facebook was operating a sort of concierge service with user data on behalf of major advertisers. According to the filing, in August 2013, the Royal Bank of Canada expressed concerns about continued access to user data. After Facebook employees “confirm the existence of a contract for a large advertising expenditure,” the filing states, they then “ask their legal department to release an Extended API Agreement to Royal Bank of Canada” and assure the bank that their data will not be impacted. A spokesperson for the bank told The Wall Street Journal that the company “never had a minimum marketing spend or target agreement with Facebook.”
That same year, the filing says, two Facebook employees exchanged emails about a deal pending with Amazon, with one employee asking if Facebook was going to grant Amazon the permissions “only if they give in on our asks.” According to the filing, the other employee responded, “Given we’re deprecating the majority of these permissions, we’ll need to either have a disappointing conversation with Amazon or a strategic conversation in the context of the broader deal discussions.” Six4Three’s filing argues that his reply suggests Facebook was continuing to set up deals contingent on data access, knowing full well that data access would soon be cut off.
The filing also alleges that Facebook negotiated deals with a number of developers, granting them extended access to data even after the API changed for good in May of 2015. Facebook has previously given Congress a list of 61 companies that received access beyond that date, but a number of the businesses mentioned in the filing don’t appear on the list. For instance, the filing mentions—but doesn’t quote from—an email from April 30, 2015, in which a Facebook employee confirms that a Chrysler/Fiat app was white-listed for extended access.
Another email concerns Facebook’s negotiations for a trademark held by the dating app Tinder. According to the filing, a Facebook employee asked for the trademark in return for access to two new APIs that would “effectively allow Tinder to maintain parity of the product in the new API world,” the email read. The filing alleges several other companies not mentioned in Facebook’s disclosure to Congress may have had special access to data, including Lyft, Airbnb, GoDaddy, and Netflix. GoDaddy says no such deal existed. Netflix and Airbnb also told WIRED that they did not receive an extension. Lyft did not immediately respond to WIRED’s request for comment, but Facebook says all of them transitioned to the new API by the end of May 2015.
Even as it faces a barrage of accusations, Facebook is lobbing plenty of its own. In a filing in San Mateo Superior Court on Wednesday, the company accused Kramer and his lawyers of breaching the court order to keep the documents sealed. Kramer told the court he traveled to London on business on November 19 and told only the British journalist Carole Cadwalladr where he was staying. Cadwalladr had previously suggested Kramer bring his case to Damian Collins, chair of the British Parliament’s Digital, Culture, Media and Sport Committee, which is investigating disinformation and fake news. While in London, Kramer began receiving notices from Collins asking that he turn over the documents. In one case, the sergeant-at-arms appeared at his hotel to deliver the notice. Kramer says he was subsequently informed he was under investigation by Parliament and faced imprisonment if he didn’t comply. Despite warnings from his legal team, he says he met with Collins and, “panicked,” shared the documents that were stored in a Dropbox account. A representative for Collins declined to comment on how the committee knew where Kramer was staying. Cadwalladr also declined to comment for this story.
Now, Facebook is demanding answers. For starters, it argues Six4Three shouldn’t have had a Dropbox account with the documents in the first place. Not only that, Kramer’s lawyers say that once they found the account existed, they tried to have the documents deleted so that Kramer couldn’t access them. “Mr. Kramer and his counsel explicitly admit they breached
this Court’s protective and sealing orders and destroyed evidence,” Facebook writes in its filing.
“The Dropbox cache would have been the only available record of what files Mr. Kramer accessed while he was meeting with the DCMS Committee, since Mr. Kramer claims he has no memory of what he copied for the DCMS Committee.”
Facebook notes that by Kramer’s own admission, he was in contact with Collins’ committee nearly two months before he turned the information over. What’s more, the filing points out that Kramer had earlier invited Collins to request the documents from Facebook at the suggestion of Cadwalladr. This is based on Kramer’s own statement to the court, which was reviewed by WIRED. The statement includes a series of emails between Kramer and Collins. In one, Kramer writes, “I have attached a document that should assist you and your committee as you approach Facebook for documentation and evidence … Carole recommended we send it to you.” In reply, Collins writes that he has spoken to Cadwalladr and, at her suggestion, requests a series of documents from Kramer related to the case. He goes on to say, “We are planning an international meeting of the select committee on 27th November and this could provide the perfect opportunity to explore the issues that you have been involved with.”
Facebook also expresses extreme skepticism in its filing about Kramer’s assertion that he went to Parliament last week with the intention of telling Collins he didn’t plan to comply with his orders, saying, “[Kramer] brought with him from his nearby hotel an untold number of confidential and highly confidential Facebook documents he should not even have had access to, along with a thumb drive for copying the documents.”
Facebook’s filing lays out a series of pressing questions that the tech giant hopes to get answers to through a discovery process and cross-examination of the people involved. Those questions include: What was the nature of Kramer’s interactions with Cadwalladr? How did this Dropbox account get set up? Who had access, and what documents did it include? Why did Six4Three’s lawyers delete it? Why did it take Kramer several days to tell his lawyers that he had handed over this confidential information? And perhaps most puzzling of all, why was Kramer apparently more afraid of the repercussions from Parliament than from a court in the United States?
Facebook is now demanding its own batch of internal documents from Six4Three, including emails between Kramer, his legal team, Cadwalladr, members of the DCMS committee, or any other third party. Facebook is also requesting the documents Kramer sent to Collins. And Facebook is calling for all logs related to the Dropbox account and a forensic investigation of Kramer’s laptop, the thumb drive, and the computers belonging to his legal team.
As all of this unfolds, the DCMS committee is preparing to release the underlying Facebook documents it seized from Kramer. The irony in all of this is that it hinges on a decision Facebook made to protect user privacy from apps just like Pikinis, which seized on weak data protections to pry into Facebook users’ personal photos. And yet, by pulling back the curtain on its decision-making process, Six4Three is trying to reveal the unsavory options Facebook considered en route to that decision. Facebook, in turn, is working overtime to cast Six4Three and all in its orbit as underhanded actors scheming in their own right, without regard for the law, in order to get their way. It’s unclear who, if anyone, will be vindicated if and when the documents are published in full. But if this week’s mudslinging is any indication, it’s unlikely anyone will emerge the hero.
More Great WIRED Stories