Why privacy settlements like Facebook’s “Sponsored Stories” lawsuit aren’t working

A legal process intended to compensate consumers and promote privacy is instead breeding alarmism and lining lawyers’ pockets — while letting the tech companies that created the privacy problems brush off the mistakes as a cost of doing business.

This point was reinforced yet again last week when the John D. and Catherine T. MacArthur Foundation revealed that it will turn down its share of a $20 million settlement intended to compensate Facebook(s fb) users whose photos were misused for advertising. The Foundation, one of 14 non-profit groups selected to receive money by Facebook and class action lawyers, declined the award on the ground that it doesn’t work on issues related to consumer privacy.

The news is just the latest example of how pricey lawsuits filed in the name of consumers’ privacy often do little to educate people about how companies like Facebook and Google(s goog) actually use customer data. Instead, the legal process appears to be perpetuating a cottage industry in “privacy panic” that leaves ordinary internet users excluded and discouraged.

Groups “surprised” to receive money

In late August, a federal judge in San Francisco gave final approval to a revised $20 million class action settlement intended to benefit more than 150 million Facebook users. Legal filings show that $5 million will be paid for lawyers and fees, while 614,994 Facebook users who submitted claims will receive $15 each. The remaining $5 million or so will be divided among 14 non-profit groups, who will collect either 10 percent or 6 percent of the pot (see chart at end of story).

As part of an investigation to determine how the money was awarded and how it will be spent, GigaOM contacted the non-profit recipients as well as Facebook and the class action lawyers who brought the suit. In response, the John D. and Catherine T. MacArthur Foundation provided the following statement:

“[..]MacArthur did not ask to participate. The Foundation has informed lawyers representing both parties in the settlement that we respectfully decline to accept any settlement funds. Instead, in this case, we have suggested those funds be redirected to other non-profit organizations engaged in the underlying issues and identified in the settlement as possible recipients.[..]”

While some organizations, including Stanford Law’s Center for Internet and Society, filed court documents to explain why they were suited to receive the money, others described the money as a gift from the blue.

“We were surprised but delighted,” said Larry Magid, who runs ConnectSafely, a non-profit that creates resources to help parents and children navigate the web and social media sites like SnapChat and Facebook. (ConnectSafely receives funding from Facebook, a fact it discloses).

Several other non-profits likewise expressed a lack of familiarity with the deal, including details about the amount they were to receive or how they had been selected in the first place.

Overall, the recipients, which include respected names like the Electronic Frontier Foundation and Harvard’s Berkman Center, do not have specific plans for educating Facebook users about how the social network uses their photos. Instead, they stated by email that they would use the money for privacy research and advocacy, some of which would relate to Facebook.

Eric Goldman, a law professor involved with the High Tech Law Institute at Santa Clara University, which is one of the recipients, is very familiar with the case. He explained that the Institute has yet to form specific plans, in part because the nature of the legal process has meant it’s been unclear when the money will be forthcoming.

“When we get to the point of making plans, we will carefully follow any instructions from the court, and we will take very seriously our obligations to provide value to the class,” said Goldman by email.

Four of the 14 groups who will receive money — the Berkeley Center for Law and Technology, NYU’s Information Law Institute, WiredSafety and the Joan Ganz Cooney Center — did not respond at all to inquiries about the settlement.

For this story, GigaOM repeatedly contacted Facebook and the class action lawyers to inquire how the non-profit groups selected by the settlement were selected, and how the money should be spent. They did not respond.

A settlement from “thin air”

The MacArthur Foundation’s decision to turn back the Facebook money is not the first nor the most serious objection to the Sponsored Stories settlement process. Last year, in a watershed ruling, the judge overseeing the case blew up an earlier version of the settlement and scolded the lawyers for plucking numbers out of “thin air” and for using a “clear-sailing” provision that ensured Facebook wouldn’t challenge the lawyers’ fees.

That earlier deal likewise required Facebook to pay $20 million but did not call for any of the money to go to Facebook users. Instead, it called for the cash to be split 50-50 between lawyers and non-profit groups. Under the revised scheme, Facebook users could apply to receive cash. The final amount — $5 or $10 — would be determined by how many people applied; in the end, so few people made a claim that the deal ultimately awarded $15 to those who did.

While the judge has finally signed off on the deal, it will still be a while until anyone gets paid; at least one Facebook user has appealed, while some privacy groups claim it doesn’t do enough to protect minors.

Facebook, Google and the “Privacy Panic” industry

The Facebook “Sponsored Stories” settlement has probably received more media attention than any other privacy-related class action deal in the tech industry, but it’s hardly the first of its kind. In recent years, there has been a steady drip-drip of other litigation involving big tech companies that hundreds of millions of people use of a daily basis.

Other prominent class action settlements include: $8.5 million for Google Buzz (a failed social network that exposed a person’s frequent contacts before asking them); $8.5 million for Facebook Beacon (which revealed peoples’ online purchases); $3.5 million for Adobe (which used invasive Flash cookies).

In all of these cases, the class action system appeared, on the surface, to be doing its job: punishing companies through a legal process more powerful than what a single citizen could muster on his or her own. In theory, every user who suffered a privacy violation received a bit of compensation while the tech companies learned to be more careful about privacy.

Unfortunately, it hasn’t worked out that way. As with the first version of the “Sponsored Stories” settlement, users in the other privacy cases didn’t get any of the millions paid out in their name; instead, the deals paid money to lawyers and to privacy groups for undefined work.

The result is not simply a disconnect between consumers and the legal process that collects money in their name. The process also provides an incentive for groups to employ alarmist tactics.

In a phone interview, a former spokesman for a major technology company complained that certain organizations engaged in “privacy panic” — issuing dramatic press releases over big events, small events and non-events — in order to pressure tech firms into paying settlement money. The spokesman, who did not want to be identified, added that only some organizations engage in such behavior but that the media and the public often fail to distinguish between which groups are credible and which are not.

Another person, who formerly served on the board of an oft-quoted privacy watchdog, related that privacy alarms were part of the group’s fund-raising strategy.

An alternative to the privacy merry-go-round?

Last week, not long after Judge Seeborg approved the final version of the Sponsored Stories settlement, the New York Times reported that the Federal Trade Commission is looking into Facebook’s new privacy policies, which were supposed to go into place this month. At the same time, Sen. Edward Markey (D-Ma) is pressing the agency to launch a larger investigation into whether “Facebook users will lose control over their personal information.”

These new calls for investigation and widespread unease with Facebook’s privacy practices illustrate how consumers may be winning in court, but ultimately losing out in the larger battle to understand and control how tech companies use their personal information.

Under the current model, the legal process serves to stoke privacy panic while also failing to explain to consumers the basic nature of the contract they undertake when they sign on to Facebook or Google: consumers receive an incredibly useful product for no money, but pay instead with personal information that the companies collect for advertising.

In many cases, the tech companies are reluctant to make the nature of the trade-off explicit, preferring instead to offer reassurances like, “It’s actually a good thing to be tagged in more photos” (as Facebook did while attempting to quell the latest privacy concerns). The result is a yawning information gap between the tech companies and their users.

The $10 or $20 million pay-outs, meanwhile, amount to little more than rounding errors for the massive tech companies, and will do nothing to discourage them from barreling forward with invasive new features.

One solution to this could entail courts ordering that future privacy pay-outs be directed specifically at the company and the harm involved — and to invite consumers, rather than companies and class action lawyers, to vote on how the money should be directed. They could also force the tech companies to use other forms of media like television (rather than obscure websites larded with legalese) to explain their advertising practices. The result would likely diminish the sense of powerlessness and confusion that, for many, pervades current attitudes about privacy.

How Facebook sponsored stories money will be spent
Organization Settlement amount (approx) What they’re doing with it
Center for Democracy and Technology  $500,000 “We plan to expand our privacy work — advocating for comprehensive privacy law, more aggressive application of existing law, reform of government access laws, etc.”
Electronic Frontier Foundation  $500,000 “We would put it towards efforts to advocate for users’ privacy rights. In the case of Facebook, this has generally meant analyzing changes to site policies or technology, and then highlighting the privacy implications for users. Facebook is also included in EFF’s annual ‘Who Has Your Back’ report.”
MacArthur Foundation  $500,000 “MacArthur did not ask to participate. The Foundation has informed lawyers representing both parties in the settlement that we respectfully decline to accept any settlement funds.”
Joan Ganz Cooney Center  $500000 Did not respond.
Berkman Center for Internet and Society (Harvard Law School)  $300,000 “Cy pres funding would mainly benefit the Berkman Center’s Youth and Media Lab…cy pres funds would support research (focus groups, surveys) on privacy-relevant youth and social media practices in the commercial context; privacy curriculum development; and creation of educational privacy tools.”
Information Law Institute (NYU Law School)  $300,000 Did not respond.
Berkeley Center for Law and Technology (Berkeley Law School)  $300,000 Did not respond.
Center for Internet and Society (Stanford Law School)  $300,000 “Continue our work with WC3 on developing the Do Not Track specifications…Second, CIS will continue its [work] building tools with the Stanford Security Lab for users to learn more about third-party web tracking and developing technologies that allow advertisers to continue operations without compromising user privacy.”
High Tech Law Institute (Santa Clara University School of Law)  $300,000 “Because any cy pres payouts still could be years away (depending on appeals), and until recently it wasn’t even clear there would be any cy pres funds at all, we have not yet developed any specific plans for allocating the cy pres funds. When we get to the point of making plans, we will carefully follow any instructions from the court, and we will take very seriously our obligations to provide value to the class.”
Campaign for Commercial-Free Childhood  $300,000 “Funds will help us address the escalation of child-targeted marketing made possible through new, portable technologies offering apps, gaming, virtual worlds, and social networking to younger and younger children. In addition, we plan to expand our efforts to protect students’ confidential data from being leveraged for commercial purposes.”
Consumers Federation of America  $300,000 “We haven’t heard anything formally about this nor do we have a good idea of any amount that may be received. But if we did receive funds, we would undertake a multi-year effort to encourage consumer users of social media to make more informed decisions.”
Rose Foundation: Consumer Privacy Rights Fund  $300,000 “The RFP will invite proposals that would educate users, regulators, and enterprises regarding critical issues relating to the protection of privacy, identity and personal information thorough user control, and that protect users from online threats.”
ConnectSafely.org  $300,000 ConnectSafely will use the funds to continue educating children about social media and to produce information for parents and kids about popular websites, including Facebook.
WiredSafety.org  $300,000 Did not respond.

Table by Rani Molla

Image by Lisa S. via Shutterstock