Refunds for Minors, Parents, and Guardians for Purchases of Facebook Credits

On May 26, 2016, the U.S. District Court for the Northern District of California approved the settlement of a class action against Facebook involving in-app purchases of Facebook Credits by minor children. The case was maintained on behalf of a class of children who were Facebook users (“child users”) below the age of 18 from whose Facebook accounts Facebook Credits were purchased. The case was filed by two minor children through their parents on February 23, 2012. The two children and the class were represented by attorneys Brooks Cutter and John R. Parker of the Cutter Law Firm in Sacramento, California; Daniel B. Edelman of the firm of Katz, Marshall & Banks in Washington, D.C.; and Benjamin Edelman, an associate professor at the Harvard Business School. On March 10, 2015, the Court certified the case as a class action for purposes of declaratory and injunctive relief on behalf of all minor children who were users of Facebook from whose Facebook accounts Facebook Credits were purchased at any time between February 23, 2008 and the date of the certification order, March 10, 2015. At the same time, the Court declined to certify a class action for purposes of class-wide monetary relief.

During the period covered by the suit, hundreds of thousands of child users purchased Facebook Credits for use in playing Facebook-based games and applications. To make such purchases, child users generally used credit cards, debit cards or other payment instruments that belonged to their parents or other responsible adults. Facebook made a practice of retaining the payment information provided at the time of the child user’s initial purchase for easy use in later purchases. Facebook advised that purchases by children were to be made only with the permission of the parent or guardian. Facebook did not, however, require evidence that any of the purchases was actually authorized by the parent, guardian or owner of the payment instrument. In many instances, the child user did not have authorization to use the card or other payment instrument to purchase Facebook Credits. Facebook specified in its terms of use that all transactions are “final”. It later stated that all transactions are “final except as otherwise required by law”.

Facebook’s Terms of Use state that purchase transactions are governed by the law of California. The Family Code of California provides that contracts with minors are voidable by the minor at any time before attaining the age of 18 or within a reasonable time thereafter. The court applied that principle to this case: “The law shields minors from their lack of judgment and experience and under certain conditions vests in them the right to disaffirm their contracts. Although in many instances such disaffirmance may be a hardship upon those who deal with an infant, the right to avoid his contracts is conferred by law upon a minor for his protection against his own improvidence and the designs of others. It is the policy of the law to protect a minor against himself and his indiscretions and immaturity as well as against the machinations of other people and to discourage adults from contracting with an infant.” (MTD decision, October 25, 2012, at pp. 11-12.) The court continued: “[O]ne who provides a minor with goods and services does so at her own risk.” (Id. at p.12.)

Facebook defended the claims in part by arguing that kids had received and used the electronic goods they paid for. The court specifically rejected this reasoning, finding that kids are entitled to refunds even for items they used. “Under California law, a minor may disaffirm all obligations under a contract, even for services previously rendered, without restoring consideration or the value of services rendered to the other party.” (MTD Decision at p.14, internal quotation marks omitted)

Prior to the settlement, Facebook provided an online procedure for refund requests in various specific circumstances such as fraudulent use of a user’s account by a third-party. Facebook’s refund procedure did not include an option to request a refund on the ground that the purchase was made when the user was a minor.

The settlement requires Facebook to apply refund practices and policies with respect to U.S. minors that comply with the California Family Code.

The settlement further requires Facebook to “add to its refund request form for In-App Purchases for U.S. users a checkbox or substantially similar functionality with accompanying text such that users are able to indicate that the In-App Purchases for which they are seeking a refund was made when the user was minor.”

The settlement additionally requires Facebook to “implement a dedicated queue within Facebook to address refund requests in In-App Purchases, made by U.S. Minors subject to verification of minority. The employees staffing the dedicated queue will receive further training regarding how to analyze and process such refund requests in accordance with applicable law.”

If you or your minor child were charged for Facebook credits purchased from an account belonging to someone age 17 or younger, you may be entitled to obtain refunds for such purchases through the use of the dedicated queue established by Facebook as a result of the settlement. Both minor account holders and the parents and guardians of such minors are entitled to claim such refunds. Claim refunds via the Facebook refund tool.

Free access to selected case documents via

Current Ask Toolbar Practices

Last year I documented Ask toolbars installing without consent as well as installing by targeting kids. Ask staff admitted both practices are unacceptable, and Ask promised to make them stop. Unfortunately, Ask has not succeeded.

In today’s post, I report notable current Ask practices. I show Ask ads running on kids sites and in various noxious spyware, specifically contrary to Ask’s prior promises. I document yet another installation of Ask’s toolbar that occurs without user notice or consent. I point out why Ask’s toolbar is inherently objectionable — especially its rearrangement of users’ browsers and its excessive pay-per-click ads to the effective exclusion of ordinary organic links. I compare Ask’s practices with its staff’s promises and with governing law — especially "deceptive door opener" FTC precedent, prohibiting misleading initial statements even where clarified by subsequent statements.


Current Practices of IAC/Ask Toolbars

180’s Newest Installation Practices

I’ve previously covered a variety of misleading and/or nonconsensual installations by 180solutions. I’ve recorded numerous installations through exploits (1, 2, 3, 4, 5) — without any user consent at all. I’ve found installations in poorly-disclosed bundles — for example, disclosing 180’s inclusion, but only if users happen to scroll to page 16 of a 54-page license. I’ve even documented deceptive installations at kids sites, where 180 installs without showing or mentioning a license agreement.

The Doll Idol site, which encourages users to install 180 software without a frank disclosure of 180's true effects.The Doll Idol site, which encourages users to install 180 software without a frank disclosure of 180’s true effects.

180 has cleaned up some of these practices, but the core deception remains. 180 still installs its software in circumstances where reasonable users wouldn’t expect to receive such software — including web sites that substantially cater to kids. And users still aren’t fairly told what they’re slated to receive. 180 says that it shows "advertising," but no on-screen text warns users that these ads appear in much-hated pop-ups. 180 systematically downplays the privacy consequences of installing its software — prominently telling users what the software won’t do, but failing to disclose what the software does track and transmit. All told, users may have to press a button before 180 installs on their computer, but users can’t reasonably be claimed to understand what they’re purportedly accepting.

Screenshots and detailed analysis:

180solutions’s Misleading Installation Methods –

What’s So Hot About Hotbar? updated May 19, 2005

Last week Sunbelt announced that Hotbar sent Sunbelt a Cease and Desist letter, apparently demanding that Sunbelt stop detecting Hotbar software and offering users an option to remove it. I immediately updated my Threats page. But then I started wondering: How does Hotbar get onto users’ PCs? And what does Hotbar do once installed?

My new Hotbar Installs via Banner Ads at Kids Sites shows a variety of unsavory Hotbar practices: Promoting Hotbar advertising software at sites targeting kids, using banners with smiley faces but without mention of ads. Failing to affirmatively show a license agreement, and burying advertising terms so many screens into the license and below such counterintuitively-labeled section headings that users cannot reasonably find the key provisions. First affirmatively mentioning advertising on a screen that offers no Cancel button for users to decline the installation. And ultimately bombarding users with ads in pop-ups, web browser toolbars, Windows Explorer toolbars, auto-opening sidebars, and even desktop icons.

Meanwhile, Hotbar’s C&D indicates that their software is no longer detected by Microsoft Anti-Spyware, Lavasoft Ad-Aware, or McAfee. Why not? Consider Microsoft’s policy statement: "Windows AntiSpyware (Beta) alerts the user to the presence of any automatic pop-up advertising appearing outside the context of the program they are currently using." This certainly describes Hotbar’s pop-up ads. Yet somehow Hotbar has caused — convinced? persuaded? threatened? — Microsoft not to detect their program.

Of course Hotbar is not the only party to blame. Hotbar’s ads arrive at kids sites through ads syndicated by Fastclick (NASDAQ: FSTC). As a publicly-traded company, surely Fastclick could find a better business than foisting advertising software onto unsuspecting kids.

I’ve recently received a copy of the Cease and Desist letter (PDF) Hotbar sent to Sunbelt. Sunbelt says they’ll be responding shortly, and I’m looking forward to reading their response. Meanwhile, some inaccuracies in the letter are so egregious that I feel obliged to note them immediately.

Hotbar claims to provide its users with "explicit explanations" of its services, and Hotbar therefore claims that users "provide … full conscious consent to each and every aspect of Hotbar software." That’s not what I’ve seen when I’ve tested Hotbar. Rather, I have observed Hotbar install without even mentioning the word "ads" until a screen at which users aren’t given a "cancel" button. And nowhere does Hotbar affirmatively show users any mention of its numerous forms of ads (pop-ups, pop-unders, toolbar ads, auto-opening sidebars, and even desktop icons). To say Hotbar users "consent to each and every aspect" is truly a puzzling misstatement of the facts — that’s not what I’ve observed, nor is it what I’ve chronicled in screenshots and videos.

Hotbar then claims that Sunbelt "misrepresent[s]" Hotbar when it calls "Hotbar" adware. I don’t get it. How else is Sunbelt supposed to describe a program that tracks users’ online activities and shows ads, including pop-up ads? If Claria is adware — and even Claria says it is! — then surely Hotbar is properly called adware too. Perhaps reasonable people could disagree about the propriety of calling Hotbar spyware. But "adware"? No.

Does Jeeves Ask for Permission?

I continue my misleading installation series with a look at installation practices of Ask Jeeves. My new Ask Jeeves Toolbar Installs via Banner Ads at Kids Sites shows a misleading banner ad particularly likely to target kids. When users click on this banner, AJ neither shows nor references any license agreement. And AJ uses euphemisms like "accessible directly from your browser" rather than explicitly admitting that it will install a web browser toolbar.

But that’s not the worst of AJ’s practices. Over the past six months, I’ve captured a series of videos showing Ask Jeeves’ MyWay and MySearch software installed through security holes — without notice, disclosure, or consent. For example, in a video I made on March 12, I received more than a dozen different programs including the Ask Jeeves MySearch toolbar — without me ever requesting anything, and without me ever clicking "Yes" or "Accept" in any dialog box. Watch the video and see for yourself. Warning: The video is 16+ minutes long. Security exploit occurs at 6:00, and Ask Jeeves MySearch software is first seen at 15:50. In this same testing, I also received installation of 180solutions, multiple programs from eXact Advertising, the IBIS WebSearch toolbar, PeopleOnPage, ShopAtHomeSelect, SurfSideKick, WindUpdates, and many more. The underlying network transmissions show that the security exploit at issue was syndicated through the ad network — Mamma Media, publicly-traded on Nasdaq Small Cap.

I have other videos available upon request, including nonconsensual AJ installations dating back to November 2004. See also my November 2004 exploit video.

I’m surprised that Ask Jeeves allows these nonconsensual installations. Ask Jeeves is a publicly-traded company with a 10-digit valuation (slated to be acquired by InterActiveCorp for $1.85 billion). If Ask Jeeves staff made a serious effort to screen and supervise their distribution partners, they could prevent this kind of mess.

The biggest news last week was a lawsuit filed by the New York Attorney General’s office against Intermix Media, whose KeenValue, IncrediFind, and other programs show popup ads, add extra browser toolbars, and intercept error messages. These practices are objectionable in and of themselves, but the complaint focuses on the programs’ misleading installations. Sometimes the programs install with no notice at all, the complaint says, and sometimes only with hidden or misleading disclosures users are unlikely to notice or understand.

I have the sense that this suit is the first of many. There are certainly plenty of similar offenders, even big companies with major venture capital funding. I have often written about software from 180solutions, Direct Revenue, and eXact Advertising installing through security holes, practices I’ve continued to observe (including in the video linked above). And Claria’s tricky installations share many of the deceptive characteristics the AG attributes to Intermix, like hiding key terms in "lengthy, legalistic license agreements" and using "vague, incomplete" disclosure text. (See NYAG complaint (PDF), paragraph 9.) So I doubt the NY AG’s office would approve of the Ask Jeeves practices I’m documenting today, nor the other misleading tactics on my spyware installation methods index.

Misleading Installations of the Week: PacerD, and Claria’s Dope Wars

It’s Monday morning, so time for more misleading installations. Just like last week, I couldn’t stop at only a single example; again I’m providing two.

PacerD’s misleading pop-ups ask users to "please click yes" to accept "free browser enhancements." In fact what PacerD offers is an unusually large bundle of a dozen different programs, only some of them disclosed in fine print in PacerD’s mislabeled (apparent, purported) license agreement, which in turn is only shown at a user’s specific request. But click "Yes" once, and your computer will take a turn for the worse, with no subsequent opportunity to cancel.

The PacerD Installation Bundle

As usual, Claria’s approach is somewhat more subtle. When Claria bundles its advertising software with the "Dope Wars" video game, Claria prominently tells users that it will deliver advertising. But Claria mentions effects on privacy only midway through a 43-page license agreement, that begins with three tedious pages of all-caps text. My sense is that few "Dope Wars" players are likely to wade through this lengthy license. So if Dope Wars users install Claria, they’ll do so without first understanding what Claria will do to their PCs.

Claria’s Misleading Installation Methods – Dope Wars

On some level, these two installations could hardly be more different. PacerD installs a dozen programs from numerous different companies; Claria installs just one. PacerD shows a popup while users are just trying to surf the web; Claria’s interruption comes as users are trying to install software they actually want. But in relevant respects, I think these installations are surprisingly similar. For one, both seek to convert users’ computers into advertising channels — tracking what users do, and showing extra advertising. Also, both installations tell users something about the programs they are asked to accept, and both give savvy users an opportunity to learn more, but in each case the prominent on-screen text omits important facts users need to know in order to make sensible choices.

Misleading Installations of the Week: Claria and 180 at Kids Sites

"Adware" companies say their businesses are predicated on user consent. (Claria: "… consumers who agree … "; 180: "permission-based … opt-in"). Notwithstanding, companies’ claims, there’s no doubt that this kind of advertising software is sometimes installed without consent. See the video I posted last year.

But what about those users who supposedly do consent to receive extra pop-ups? Why did they agree to receive extra advertising that so many other users seem to despise? My sense is that users often don’t understand what they’re getting — due to serious deficiencies in installation disclosures. In two new articles, I examine and analyze the installation procedures of Claria and 180, raising doubts as to whether users reasonably knew what would happen when they "accepted" these programs., a site targeting children, that nonetheless promotes 180solutions.Can we say that a user "consents" to an installation if the installation occurred after a user was presented with a misleading advertisement that looked like a Windows dialog box? If that advertisement was embedded within a site substantially catering to children? If that advertisement offered a feature known to be duplicative with software the user already has? If "authorizing" the installation required only that the user click on an ad, then click "Yes" once? If the program’s license agreement was shown to the user only after the user pressed "Yes"? These are the facts of recent installations of Claria software from ads at games site

Details: Claria’s Misleading Installation Methods –

Turning to 180: Can we say that a user consents to an installation of advertising-display software where that installation is prominently described as removing advertisements? Where the installation description uses euphemisms like "show … sponsor websites" but never explicitly states that the program will show advertisements or pop-ups? Where the installation procedure never shows or even references a license agreement? And where all this occurs at sites catering to children?

Details: 180solutions’s Misleading Installation Methods –

Lots of companies want to take advantage of users who may be a bit confused, a bit naive, or a bit too quick to click yes. But where users are recruited at sites catering to children, where ads look like Windows messages, or where installation requests resort to misleading euphemisms, I’m not inclined to say that consumers "consent" to the resulting ads and to the resulting transmission of personal information.

Benjamin Edelman v. N2H2, Inc.

I sought to research and document sites categorized and restricted by Internet blocking program N2H2. N2H2’s block site list is protected by technical measures including an encryption system, but I sought to write software that would nonetheless allow me to access, analyze, and report its contents. However, I feared that conducting this work might expose me to liability for violation of the N2H2 License, of the Copyright Act of 1976, and of the Digital Millennium Copyright Act, as well as for misappropriation of N2H2’s trade secrets. With representation by the ACLU, I therefore sought from federal court a declaratory judgement that I could conduct this research and publication without fear of liability.

Case details including litigation documents

Empirical Analysis of Google SafeSearch

Google offers interested users a version of its search engine restricted by a service it calls SafeSearch, intended to omit references to sites with “pornography and explicit sexual content.” However, testing indicates that SafeSearch blocks at least tens of thousands of web pages without any sexually-explicit content, whether graphical or textual. Blocked results include sites operated by educational institutions, non-profits, news media, and national and local governments. Among searches on sensitive topics such as reproductive health, SafeSearch blocks results in a way that seems essentially random; it is difficult to construct a rational non-arbitrary basis for which pages are allowed and which are omitted. Full article.

Large-Scale Registration of Domains with Typographical Errors

Large-Scale Registration of Domains with Typographical Errors. (January 2003)

The author reports more than eight thousand domains that consist of minor variations on the addresses of well-known web sites, reflecting typographical errors often made by Internet users manually typing these addresses into their web browsers. Although the majority of these domain names are variations of sites frequently used by children, and although their domain names do not suggest the presence of sexually-explicit content, more than 90% offer extensive sexually-explicit content. In addition, these domains are presented in a way that temporarily disables a browser’s Back and Exit commands, preventing users from exiting easily. Most or all of the domains are registered to an individual previously enjoined by the FTC from operating domains that are typographic variations on famous names, and these domains remain operational subsequent to an injunction ordering their suspension.