
Security

May 26, 2009 10:35 AM PDT

Facebook user drops lawsuit over virus

by Elinor Mills

Updated at 5:50 p.m. PDT with plaintiff saying he will drop the lawsuit; at 2:35 p.m. with legal expert comment; at 1:15 p.m. with information from Facebook's terms of service; and at 12:30 p.m. with more details, comment, and background.

The newly restored profile photo of Theodore Karantsalis on Facebook.

(Credit: Demos Karantsalis)

A Florida librarian and activist said on Tuesday that he will drop a civil lawsuit he filed against Facebook alleging that the social network failed to adequately protect users from a virus.

Theodore Karantsalis, of Miami Springs, Fla., was seeking $70.50 from Facebook in the lawsuit, which was filed a week ago in Miami-Dade County court.

"I spoke with FB's law department and the case has been resolved," Karantsalis wrote in an e-mail late Tuesday. "I will file the attached Notice of Dismissal tomorrow. We agreed to add each other as 'friends' and 'poke' each other periodically. Also, FB is going to send me a T-shirt and I'm going to wear it in my profile photo."

Facebook spokesman Barry Schnitt said: "Obviously, we're pleased."

In the lawsuit, Karantsalis had alleged that Facebook breached a "legal duty to exercise at least reasonable care with regard to the safety of its network" on May 14 when it failed to properly contain a virus that spread across the social network. Karantsalis claimed his account was compromised and temporarily disabled and that his photos and friends were not restored.

"We're very interested to hear how he came up with the figure of $70.50," Schnitt wrote in an e-mail to CNET News early on Tuesday. "He's not going to get it but we promise to refund all the money he paid to use Facebook. Seriously, we're glad to know how important Facebook is to Mr. Karantsalis but his account was not disabled, is currently active, and he is using it, so I'm not sure what the problem is."

Karantsalis does have his account back up, but he said he had to manually re-add the photos and friends.

When Karantsalis' account was found to have been compromised nearly two weeks ago, Facebook reset his password and notified him via e-mail, as is the company's standard practice, Schnitt said. Facebook did not delete his photos and friends, he said.

In a phone interview, Karantsalis said the problem started when friends e-mailed and called him on May 14 to tell him that his name on Facebook had been changed to "John Doe" and it was being used to send out spam that directed people to a phishing site with a URL ending in ".im."

He said he does not know how his account was compromised and that he did not fall for a phishing scam. He said he teaches college classes on safe computing practices at Miami Dade College, where he works as assistant library director, according to LinkedIn.

Karantsalis said he arrived at the damages amount by figuring that each of the approximately 250 friends he had to re-add was worth 30 cents.

"Basically, I filed to get their attention," he said before agreeing to drop the suit. "Facebook has failed to respond to my e-mails and my phone calls."

"I'm a librarian and privacy advocate and take extra precautions with regard to safety," he had written in an e-mail to CNET News. "I've used PGP since 1995, an anonymous proxy, etc. If something like this can happen to me, then it's a big deal. FB is under reporting the amount of people affected."

According to a quick glance at Facebook's Statement of Rights and Responsibilities (terms of service, in common parlance), Karantsalis' suit may not have held up in court. It states that claims should be filed in Santa Clara County in California and limits Facebook's liability.

"WE TRY TO KEEP FACEBOOK UP, BUG-FREE, AND SAFE, BUT YOU USE IT AT YOUR OWN RISK," the statement says. "WE DO NOT GUARANTEE THAT FACEBOOK WILL BE SAFE OR SECURE...WE WILL NOT BE LIABLE TO YOU FOR ANY LOST PROFITS OR OTHER CONSEQUENTIAL, SPECIAL, INDIRECT, OR INCIDENTAL DAMAGES ARISING OUT OF OR IN CONNECTION WITH THIS STATEMENT OR FACEBOOK, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES."

One lawyer said that from a legal standpoint Karantsalis' claim was "DOA" (dead-on-arrival).

"Per 47 USC 230, Facebook is not liable for third-party conduct and has no legal duty to protect its users from third party-caused harms," Eric Goldman, an associate professor at the Santa Clara University School of Law and director of High Tech Law Institute, wrote in an e-mail. "There are at least two federal appellate cases supporting this proposition. See Green v. AOL (AOL not liable for user-posted virus placed into AOL chatroom); and Doe v. MySpace (MySpace had no obligation to police its premises to prevent users from harming each other)."

"If anything, Karantsalis might be on the hook to Facebook for filing such a meritless lawsuit," he said.

Karantsalis, who is also a journalist and blogger, has a history of filing lawsuits. He sued the city of Miami Springs for allegedly violating the Americans with Disabilities Act for not providing sufficient access to roads and sidewalks. (He has multiple sclerosis.) Karantsalis also won more than $750 in damages and court fees after suing Sprint and Wells Fargo when his Sprint invoice and personal data were exposed to a stranger who banks online at Wells Fargo (Karantsalis does not bank there). In addition, he sued the U.S. Defense Department and Air Force under the Freedom of Information Act for information on the 1986 U.S. raid on Libya.

Asked to comment on his litigious background, Karantsalis said he has acted to protect his privacy when corporations negligently exposed his personal information. In other cases, he said he tries to "fight for the underdog" and is an advocate for the Multiple Sclerosis Society.

Meanwhile, Facebook, founded in 2004, has had its share of viruses and other scams. In the latest incident, for instance, the site was hit by a combined phishing/drive-by-download attack which stole log-in information and downloaded the Koobface worm and other malware onto computers on Thursday.

January 28, 2009 2:01 PM PST

Heartland sued over data breach

by Elinor Mills

Payment processor Heartland Payment Systems has been sued over a data breach it disclosed publicly on Inauguration Day last week.

The lawsuit, filed on Tuesday in U.S. District Court in Trenton, N.J., alleges that Heartland failed to adequately safeguard the compromised consumer data, did not notify consumers about the breach in a timely manner as required by law, and has not offered to compensate consumers for costs they may incur in protecting themselves from identity fraud.

In a statement that coincided with President Barack Obama's inauguration events, Heartland said the breach occurred last year but that it found evidence of the intrusion only in the previous week and immediately notified law enforcement and credit card companies.

Heartland was alerted in late October by Visa and MasterCard to suspicious activity surrounding processed card transactions and hired forensic auditors, who uncovered malicious software that compromised data in the company's network, said Robert H.B. Baldwin Jr., chief financial officer of Heartland, last week.

The lawsuit seeks damages and relief for the "inexplicable delay, questionable timing, and inaccuracies concerning the disclosures" with regard to the data breach, which is believed to be the largest in U.S. history.

Heartland executives have declined to specify how many consumers or accounts were affected. The company handles 100 million transactions per month for more than 250,000 merchants.

The lawsuit, first reported by the SearchSecurity news site, also accuses Heartland of negligence in taking more than two months to determine the existence and scope of the breach and criticizes the company for failing to identify which merchants were affected by the breach.

The suit was filed on behalf of Woodbury, Minn., resident Alicia Cooper, who was notified last week by her credit union that a card associated with her account was included in the breach. It seeks class action status.

A Heartland spokesman said the company could not comment on litigation.

Meanwhile, the U.S. Secret Service has identified a suspect in the breach who resides outside the country, according to a report late last week on the Storefront Backtalk blog.

Secret Service officials did not return a call seeking comment and a U.S. Department of Justice spokeswoman said she could not comment on the investigation.

Update 2:35 p.m. PST: A Secret Service spokesman said the agency "is not releasing any information at this time" on the investigation.

Heartland announced on Tuesday that it would deploy an end-to-end encryption system to secure data in databases and as it is transferred around the network. Heartland also said it has formed an internal department dedicated to the project.

November 24, 2008 12:23 PM PST

Facebook awarded $873 million in spam case

by Elinor Mills

Facebook has been awarded $873 million in damages against a Canadian man accused of sending spam messages to its members.

The default judgment was issued in federal court in San Jose, Calif., on Friday against Adam Guerbuez, of Montreal, and his company, Atlantis Blue Capital. The ruling also forbids Guerbuez from using Facebook or interacting with its members ever again.

Facebook doesn't expect to necessarily collect the money because "it's unlikely that Guerbuez and Atlantis Blue Capital could ever honor the judgment rendered against them," Max Kelly, Facebook's director of security, wrote in a blog posting on Monday. "We are confident that this award represents a powerful deterrent to anyone and everyone who would seek to abuse Facebook and its users."

Neither Guerbuez, who has made money selling videos showing people attacking the homeless in Montreal, nor Atlantis Blue Capital could be reached for comment.

Facebook noticed an uptick in spam beginning in the spring, with Facebook members receiving messages from friends and other members offering things like herbal marijuana and male enhancement pills for sale, a spokesman said. The messages were coming from Facebook accounts that had been compromised.

Facebook sued under the Can-Spam (Controlling the Assault of Non-Solicited Pornography and Marketing) Act, which bans "false and misleading" marketing e-mails. Although the law was written for e-mails, a judgment in favor of MySpace in May set the precedent for extending the law to messages sent within social networks. In that case, MySpace was awarded $234 million to be paid by so-called Spam King Sanford Wallace and another man.

The Facebook award is the largest judgment in history for a case brought under the Can-Spam Act, according to Kelly.

Facebook has beefed up its antispam technology since the spring, creating tools that can delete spam messages from accounts and block URLs that direct people to spam Web sites.
