Facebook user drops lawsuit over virus

Updated at 5:50 p.m. PDT with plaintiff saying he will drop the lawsuit; at 2:35 p.m. with legal expert comment; at 1:15 p.m. with information from Facebook's terms of service; and at 12:30 p.m. with more details, comment, and background.

The newly restored profile photo of Theodore Karantsalis on Facebook.

(Credit: Demos Karantsalis)

A Florida librarian and activist said on Tuesday that he will drop a civil lawsuit he filed against Facebook alleging that the social network failed to adequately protect users from a virus.

Theodore Karantsalis, of Miami Springs, Fla., was seeking $70.50 from Facebook in the lawsuit, which was filed a week ago in Miami-Dade County court.

"I spoke with FB's law department and the case has been resolved," Karantsalis wrote in an e-mail late Tuesday. "I will file the attached Notice of Dismissal tomorrow. We agreed to add each other as 'friends' and 'poke' each other periodically. Also, FB is going to send me a T-shirt and I'm going to wear it in my profile photo."

Facebook spokesman Barry Schnitt said: "Obviously, we're pleased."

In the lawsuit, Karantsalis had alleged that Facebook breached a "legal duty to exercise at least reasonable care with regard to the safety of its network" on May 14 when it failed to properly contain a virus that spread across the social network. Karantsalis claimed his account was compromised and temporarily disabled and that his photos and friends were not restored.

"We're very interested to hear how he came up with the figure of $70.50," Schnitt wrote in an e-mail to CNET News early on Tuesday. "He's not going to get it but we promise to refund all the money he paid to use Facebook. Seriously, we're glad to know how important Facebook is to Mr. Karantsalis but his account was not disabled, is currently active, and he is using it, so I'm not sure what the problem is."

Karantsalis does have his account back up, but he said he had to manually re-add the photos and friends.

When Karantsalis' account was found to have been compromised nearly two weeks ago, Facebook reset his password and notified him via e-mail, as is the company's standard practice, Schnitt said. Facebook did not delete his photos and friends, he said.

In a phone interview, Karantsalis said the problem started when friends e-mailed and called him on May 14 to tell him that his name on Facebook had been changed to "John Doe" and it was being used to send out spam that directed people to a phishing site with a URL ending in ".im."

He said he does not know how his account was compromised and that he did not fall for a phishing scam. He said he teaches college classes on safe computing practices at Miami Dade College, where he works as assistant library director, according to Linked In.

Karantsalis said he arrived at the damages amount by figuring that each of the approximately 250 friends he had to re-add was worth 30 cents.

"Basically, I filed to get their attention," he said before agreeing to drop the suit. "Facebook has failed to respond to my e-mails and my phone calls."

"I'm a librarian and privacy advocate and take extra precautions with regard to safety," he had written in an e-mail to CNET News. "I've used PGP since 1995, an anonymous proxy, etc. If something like this can happen to me, then it's a big deal. FB is under reporting the amount of people affected."

According to a quick glance at Facebook's Statement of Rights and Responsibilities (terms of service, in common parlance), Karantsalis' suit may not have held up in court. It states that claims should be filed in Santa Clara County in California and limits Facebook's liability.

"WE TRY TO KEEP FACEBOOK UP, BUG-FREE, AND SAFE, BUT YOU USE IT AT YOUR OWN RISK," the statement says. "WE DO NOT GUARANTEE THAT FACEBOOK WILL BE SAFE OR SECURE...WE WILL NOT BE LIABLE TO YOU FOR ANY LOST PROFITS OR OTHER CONSEQUENTIAL, SPECIAL, INDIRECT, OR INCIDENTAL DAMAGES ARISING OUT OF OR IN CONNECTION WITH THIS STATEMENT OR FACEBOOK, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES."

One lawyer said that from a legal standpoint Karantsalis' claim was "DOA" (dead-on-arrival).

"Per 47 USC 230, Facebook is not liable for third-party conduct and has no legal duty to protect its users from third party-caused harms," Eric Goldman, an associate professor at the Santa Clara University School of Law and director of High Tech Law Institute, wrote in an e-mail. "There are at least two federal appellate cases supporting this proposition. See Green v. AOL (AOL not liable for user-posted virus placed into AOL chatroom); and Doe v. MySpace (MySpace had no obligation to police its premises to prevent users from harming each other)."

"If anything, Karantsalis might be on the hook to Facebook for filing such a meritless lawsuit," he said.

Karantsalis, who is also a journalist and blogger, has a history of filing lawsuits. He sued the city of Miami Springs for allegedly violating the Americans with Disabilities Act for not providing sufficient access to roads and sidewalks. (He has multiple sclerosis.) Karantsalis also won more than $750 in damages and court fees after suing Sprint and Wells Fargo when his Sprint invoice and personal data were exposed to a stranger who banks online at Wells Fargo (Karantsalis does not bank there). In addition, he sued the U.S. Defense Department and Air Force under the Freedom of Information Act for information on the 1986 U.S. raid on Libya.

Asked to comment on his litigious background, Karantsalis said he has acted to protect his privacy when corporations negligently exposed his personal information. In other cases, he said he tries to "fight for the underdog" and is an advocate for the Multiple Sclerosis Society.

Meanwhile, Facebook, founded in 2004, has had its share of viruses and other scams. In the latest incident, for instance, the site was hit by a combined phishing/drive-by-download attack which stole log-in information and downloaded the Koobface worm and other malware onto computers on Thursday.