Normally, I don’t blog about something that isn’t strictly related to criminal defense. However, a story in The Daily Journal caught my eye today partly because of claims that Meta — the parent company of Facebook — is accused of violating wiretap and privacy laws, as well as the Health Insurance Portability and Accountability Act of 1996. Seems that Meta has possibly collected too much metadata in its never-ending quest to make money off the people who use its products. They’ve allegedly made the medical information of millions of people a little too portable, without (so far) any accountability.
Meta Pixel is a product for Meta Business that, according to the plaintiffs, allows developers to add an invisible bug on webpages and use cookies to create dynamic ads catered for individual users to maximize the likelihood of them clicking on ads.
Jonathan Lo, “Injunction sought to end Meta collection of medical data” (November 10, 2022)(paywall)
It’s Not Just Meta
The main reason I decided to write about this is that I realize too many people just don’t know about it. (But, as you will see below, there is a potential criminal law connection.)
I largely abandoned Facebook some time ago. Still, I occasionally pop back in to check something, but then deactivate the account again (and delete all the cookies they drop on me). I do still use Instagram and Twitter. Not without some trepidation.
Especially now that Twitter has developed a Musky Odor.
I’m sure Meta is not the only company doing illegal, illicit, and unethical stuff with our stuff. They’re all ravenous for too much metadata. As I just mentioned, Twitter developed a Musky Odor, and here’s the first major bit of fall-out over it:
So, now I have an account at Mastodon, too.
Meta Pixel Grabbing MyChart Data?
Where I live, a lot of health care utilizes something called “MyChart” to communicate with patients.
To get a sense of how widespread use of the tool is within hospitals, the site tested websites for Newsweek’s top 100 hospitals in America. The researchers found that 33 of the sites had Meta Pixel in place, and that seven major health systems were using the tool within patient portals.
— Anne Zieger, “Meta Faces Legal Firestorm As Hospitals Cite Its Pixel Tool In Health Data Breaches” (November 9, 2022)
This information can include things like messages between health care workers (including doctors) and patients, prescriptions, and medical reports, among other things.
The [WakeMed Health and Hospitals] health system recently found that Pixel might have transmitted data entered in MyChart back to Facebook.
— Anne Zieger, “Meta Faces Legal Firestorm As Hospitals Cite Its Pixel Tool In Health Data Breaches” (November 9, 2022)
Chances are, then, that Meta has a lot of health care data.
I wonder if they’re only collecting data on people who have Meta accounts, which I believe would include Facebook and Instagram (at least). Or are they just collecting all the medical data that they can?
Linking Social Media and Medical Data
Interestingly, there has been some experimentation where patients willingly allowed their social media accounts to be linked with their electronic medical record (EMR) data. The objective?
To determine the acceptability to patients and potential utility to researchers of a database linking patients’ social media content with their electronic medical record (EMR) data.
— Padrez KA, Ungar L, Schwartz HA, et al “Linking social media and medical record data: a study of adults presenting to an academic, urban emergency department” BMJ Quality & Safety 25:414-423 (2016)
Some 71% of people in the study gave their permission for such a linkage.
And therein lies an important point: those people consented to giving medical professionals access to their social media. Facebook’s parent company just grabbed too much metadata, without anyone’s permission.
Could There Be Criminal Charges?
To be frank, I seriously doubt that there would be any criminal charges from this, though some have argued for it, and it is theoretically possible.
In 2019, a Democratic Senator suggested such a possibility for Mark Zuckerberg.
U.S. Senator Ron Wyden (D-Oregon), in an interview with Willamette Week, suggested that Mark Zuckerberg should face a prison term for lying to American citizens about Facebook’s privacy lapses.
— Todd Haselton, “Senator says Facebook’s Mark Zuckerberg should face ‘possibility of a prison term’” (September 3, 2019)
The Senator even introduced a bill to do just that.
“Mark Zuckerberg won’t take Americans’ privacy seriously unless he feels personal consequences,” said Wyden, in a press statement. “A slap on the wrist from the FTC won’t do the job, so under my bill he’d face jail time for lying to the government.”
— Lindsey O’Donnell, “Execs Could Face Jail Time For Privacy Violations” (October 18, 2019)
The Mind Your Own Business Act of 2019, to my knowledge, did not become law. But a version Senator Wyden submitted in April 2021 appears to have become law. The text of that law does include criminal penalties, including potential prison sentences of 10 and 20 years for various violations of the Act.
Conclusion
In the long run, I do not know if anyone would be charged with a crime for Meta’s potential HIPPA violations. Tech corporations grabbing too much metadata is a little outside the wheelhouse of my normal criminal defense practice.
I thought, however, that this might be a useful post to inform you. Who knows? Maybe you’ll want to follow me to Mastodon.
