Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
The Courts Facebook Social Networks

Supreme Court Says Facebook Text Alerts Aren't Illegal Robocalls (theverge.com) 108

The Supreme Court has unanimously decided that Facebook text message alerts don't violate laws against unwanted auto-dialed calls. The court ruled that a lower court defined illegal "robocalls" too broadly and that the term should only apply to systems that generate lists of numbers and call them indiscriminately, not a system that simply stores numbers and automatically calls them. From a report: The lawsuit involves text messages that notify Facebook users of an attempted login. Its plaintiff, Noah Duguid, sued after receiving unwanted, erroneous notifications despite not having a Facebook account. Duguid argued that Facebook was violating the 1991 Telephone Consumer Protection Act (TCPA). An appeals court agreed, but the Supreme Court interpreted the law's definitions differently. Closely parsing the TCPA's grammar, the court concluded that an illegal auto-dialing system "must use a random or sequential number generator," and this definition "excludes equipment like Facebook's login notification system, which does not use such technology."
This discussion has been archived. No new comments can be posted.

Supreme Court Says Facebook Text Alerts Aren't Illegal Robocalls

Comments Filter:
  • WTF? (Score:5, Insightful)

    by SirSpanksALot ( 7630868 ) on Thursday April 01, 2021 @01:13PM (#61225088)
    That's a terrible interpretation... Lot's of robocallers use lists of numbers. To get rid of illegitimate calls you need to eliminate the ability to "buy" lists - The number should be required to have been given to you by the consumer, and the consumer should have to opt in to receiving those calls/texts...
    • Re:WTF? (Score:4, Interesting)

      by hjf ( 703092 ) on Thursday April 01, 2021 @01:17PM (#61225110) Homepage

      Pretty sure you have to give Facebook your number in order for it to send you login notifications.

      • Re: (Score:2, Troll)

        by sinij ( 911942 )
        Don't have FB, but from what I have seen from other platforms, including Google, is that they either force you to give phone number when creating account, or lock it down shortly after creation until you provide it. Meaning, giving FB phone number is compelled.
        • Exactly. This is the lock. Companies argue they can't provide the services without people agreeing to the terms, they leverage access to jobs, services, etc to strongarm people into agreeing to terms they don't want to agree with.

          We seriously need a bill of rights type amendment explicitly limiting rights you can contractually give up. There are some of those recognized by courts by not many. Corporations are artificial constructs legally created by the state, there is no reason we shouldn't limit them when
        • I have not given Facebook my phone number and can still use it, the very few login alert messages I got were in email. Don't know why that particular helpful advice was a problem, I got far more "you haven't logged in for awhile", or "Joebob posted an update!", which have dried up mostly in the last couple of years (or maybe I changed some settings).

          Labelling an automatic notification the same as a robocall is a bit of a stretch. The person creating the suit sounds like an overly pedantic slashdotter to b

          • Sounds like he was fishing to be a test case and the center of a class action lawsuit, worth millions. When the settlement is done, the lawyers get millions. The first few lawsuit principles get tens of thousands or more in damages, and everyone else gets a coupon for a dollar off something advertised through facebook.

            • by tlhIngan ( 30335 )

              Sounds like he was fishing to be a test case and the center of a class action lawsuit, worth millions. When the settlement is done, the lawyers get millions. The first few lawsuit principles get tens of thousands or more in damages, and everyone else gets a coupon for a dollar off something advertised through facebook.

              What should people get then? They weren't inconvenienced much for the random texts - even if you paid for each of them, at 25 cents each, it's going to take a lot to justify small claims ($40-

      • Re:WTF? (Score:5, Informative)

        by fahrbot-bot ( 874524 ) on Thursday April 01, 2021 @01:22PM (#61225142)

        Pretty sure you have to give Facebook your number in order for it to send you login notifications.

        Apparently this guy didn't have a Facebook account and got the texts anyway. I'm guessing the number was entered incorrectly or used previously by another person who had a FB account.

        • Re:WTF? (Score:4, Interesting)

          by SirSpanksALot ( 7630868 ) on Thursday April 01, 2021 @01:26PM (#61225166)
          in which case, Facebook should respect the "STOP" keyword, and stop sending them.
          • in which case, Facebook should respect the "STOP" keyword, and stop sending them.

            Ya. Historically I've avoided this as the general recommendation is to not respond as doing so confirms a valid number/delivery, but I've tried "STOP" with several seemingly above-board but unwanted texts (mostly political stuff) and have gotten good results not getting any more texts from that number, except for an immediate confirmation of the STOP request. Obviously, shadier outfits could simply start using a new number, but I guess that's the risk. Unwanted calls usually end up as voice mails that I re

            • by MrL0G1C ( 867445 )

              In the UK some numbers are very expensive to text to so replying with a STOP could cost a couple of dollars. It shouldn't be allowed and it's as clear as mud which numbers cost a lot to text, I have no idea. Everything to do with what calls cost is a complete arcane mess in the UK IMO, some numbers are free but only if you call them with the right mobile company, some are local rate but again they'll be free if you have the right contract, some numbers are 'national rate', fuck knows what that'll cost from

        • My guess is the person who had the cellphone number before him registered it to their Facebook account. But didn't change it when they gave up the number.

          The plaintiffs definition of what an autodialer was didn't make sense. His lawyers wanted every system that memorized numbers, and then called them when triggered to be classified as an autodialer.

          With their definition, anyone who used their cell phone contact list to call someone, would be using an autodialer.

      • That's probably what happened here. Someone tried to make a Facebook account, but entered their phone number incorrectly. And this guy ended up getting the text messages which resulted. If the SCotUS hadn't overturned the lower court's decision, it basically would've outlawed 2FA by text message (not that that would be a bad thing, but this would've been making it illegal for the wrong reason).

        So no it wasn't a terrible decision. It was the only decision possible which allowed reasonable legitimate pract
        • by The Rizz ( 1319 )

          No, this is not a good reasoning for their ruling. They way the SC worded it, as long as you have a list you can't violate the law, regardless of how you acquired that list.

          Part of the law is that a company can contact you if you gave them your number - if they had ruled that a company who in good faith believes you gave it to them mistakenly contacts you that it doesn't violate the law it would have worked just as well. This would have kept 2FA workable, but not made every robocaller who buys a list of num

      • But phone number's aren't ID's. And if you give up or stop paying for a line, the number will eventually be given to someone else. Locking accounts to a phone number isn't great practice.

      • From the Fine Article:

        "The lawsuit involves text messages that notify Facebook users of an attempted login. Its plaintiff, Noah Duguid, sued after receiving unwanted, erroneous notifications despite not having a Facebook account. "
        • by hjf ( 703092 )

          Yeah imagine that. Have someone enter "their" phone number incorrectly and it turns out to be yours, and then sue facebook for "robocalling".
          Then you can slip on wet floor at the supermarket, from a bottle you carried in your pocket.
          Sue disneyland for a bee sting while we're at it too.

      • by PPH ( 736903 )

        OK. I gave them my phone number. But how do they send notifications to this [staticflickr.com]?

        • by sinij ( 911942 )
          I am on DSL, so it is economical for me to maintain a land line. My bank, practicing bad security, mandated phone number as "2FA" to enable on-line banking access. I gave that landline number to my bank with understanding that porting a land line is harder and longer process than SIM-jacking. When they send me a code, my landline rings and automated system reads out the numeric code.
          • If it's a real landline, then all someone would have to do to steal the code is open up the demarc box - usually outside and unprotected - and plug a phone in instead of the house wiring. Once they are done, they can close up and leave no trace. SIM jacking is actually harder.

            • by PPH ( 736903 )

              Once they are done, they can close up and leave no trace.

              Which requires them to physically travel to the victim's neighborhood. And as far as leaving no trace: Wave at all the Ring doorbells as you drive by.

      • by SB5407 ( 4372273 )
        The summary says the plaintiff didn't have a Facebook account.
      • every robocaller can use this loophole by simply mixing their list of numbers so that are not in sequence!
        Supreme Court fails us again!

        • >"every robocaller can use this loophole by simply mixing their list of numbers so that are not in sequence!"

          I don't think that is what was interpreted.

          >" Supreme Court fails us again!"

          Then change the laws/rules to be more precise.

        • They can just use this loophole by use lists of numbers that they buy or collect.

      • Plus it might not even be facebook's fault you get a spurious text if someone else winds up getting you joe jobbed by spoofing your number to facebook when they sign up.
      • And if you had read the article, or the summary: the people complaing have no FB account.

    • That's a terrible interpretation... Lot's of robocallers use lists of numbers. To get rid of illegitimate calls you need to eliminate the ability to "buy" lists

      Exactly. From my understanding, robocallers build lists after randomly calling numbers, and if/when someone answers the call the robocaller adds that number to their list as a valid active number.

      The number should be required to have been given to you by the consumer, and the consumer should have to opt in to receiving those calls/texts...

      His number could have been owned by another person who had a Facebook account and he obtained this disconnected/unused number when he set up new phone service.

      Facebook and other service providers that ask for or, as is becoming more common, require a contact number need to have a way to remove numbers too.

      • by tlhIngan ( 30335 )

        Exactly. From my understanding, robocallers build lists after randomly calling numbers, and if/when someone answers the call the robocaller adds that number to their list as a valid active number.

        Not true anymore. Turns out keeping a list doesn't work too well because people block or block unknown callers so you end up with a small list that only gets smaller over time.

        Scammers and such don't even bother - they just have a list of numbers they go through. If they answer, they try to figure out if the person

    • by mysidia ( 191772 )

      Courts interpreted this properly. More laws are needed to prohibit other misuses and abuses. The purpose of the TCPA law that was ruled about is to prevent hammering dialers causing technical disruptions of phone systems and emergency numbers - Not to prohibit automated calling to known numbers; Not to stop annoyances; Not to stop telemarketers, etc. Again more FCC regulations may be necessary to mandate technical measures to prevent callers from spoofing or hiding Caller ID, and laws may be needed

      • Agreed. The ruling is a simple one, interpretation of the meaning of a single sentence in the definition. This isn't a ruling about constitutional powers or authority of government, merely interpreting the meaning of a single sentence.

        47 U. S. C. 227(a)(1) [cornell.edu]: The term "automatic telephone dialing system" means equipment which has the capacity -- (A) to store and produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.

        That's it. Everything else f

        • by clovis ( 4684 )

          It's like Frobnicator said.

          You can read it yourself if you (wrongly) don't trust Frobnicator:
          https://www.supremecourt.gov/o... [supremecourt.gov]

          It's kind of a fun read because it's mostly about grammar, and who doesn't enjoy a good grammar augument?
          The big mystery to me is how did the lower court (9th circuit court of appeals) come to the decision in the way that seems to be opposite of the law as written and opposite to common sense. Alito's concurring judgement talks about that.
          BTW, the 9th circuit is in what some people c

        • by Whibla ( 210729 )

          If legislators don't like it they can amend the law. The easiest would be to amend the single sentence with an item "(C)", or they could take a more comprehensive form to add an additional section.

          Agreed, in principle, though I'd suggest a simple edit to (A), rather than introducing a (C)

          47 U. S. C. 227(a)(1) [cornell.edu]: The term "automatic telephone dialing system" means equipment which has the capacity -- (A) to store and produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.

          (A) to store existing telephone numbers, or produce telephone numbers to be called using a random or sequential number generator, and...

          Either way this doesn't need to be a complex issue. This kind of thing is often slipped in as one of a hundred little items inside those 1000-page bills.

          Again, agreed, in principle, though I'm generally not in favour of tacking unrelated items into other bills, as it makes voting (especially considering cross party support) for them much ... harder to justify, shall we say...

          I seriously don't really see the problem with a specific b

    • For this case, it is Facebook sending you a message targeted meant for you in particular. Vs a list of numbers, where it isn't personal, but just to some person.

      • And at worst, they made a mistake on the number, or whether he was a member, which is also not a reason robocall lists were made, which was to handle computerized spam calls.

    • Sweet! Now I can do this, have one LLC create lists of phone numbers, and transfer/sell those lists to the automated dialing services, which then dial the numbers. Since they are dialing from a list and not random or sequential, it is all good now.
    • You keep using that phrase.. "should". I don't think you really get how our system works, but if you feel it "should" work a certain way then talk to your elected representatives, not the people interpreting the laws as defined.
    • That's a terrible interpretation...

      There are various types of SCOTUS rulings, this one is the interpretation of the wording of an existing law. They aren't deciding on constitutionality, they aren't deciding on societal guidelines or morality or any hard-to-define element. This is just the wording of a law as it happens to exist today. The entire lawsuit was about the interpretation of a single sentence with three parts: 47 U. S. C. 227(a)(1) [cornell.edu].

      If politicians want to change it they can simply include a few words to add it to the definition. T

    • It's more like the proper interpretation of a terribly written law. The law literally specified using a device that stores or produces telephone numbers using a random or sequential number generator. While the Supreme Court should clarify confusing language in laws, completely disregarding the text and saying it means something different is not their job.
    • It's not a terrible interpretation. It's an accurate interpretation of what the law says. It is, however, a terrible way for the law to define it. Blame congress for writing it that way, not the court for honestly following the law.

  • ... only apply to systems that generate lists of numbers and call them indiscriminately, not a system that simply stores numbers and automatically calls them.

    They'll just get one system to generate the numbers, and another system to call them -- thanks SCOTUS.

    • by pruss ( 246395 )

      IANAL, but you might be able to argue that the two systems taken together make up a single system that violates the law. You could perhaps still get around it by buying a randomly generated list from a different company.

      In any case, the law explicitly says: "'automatic telephone dialing system' means equipment which has the capacity—
      (A)to store or produce telephone numbers to be called, using a random or sequential number generator; and
      (B)to dial such numbers."

      I don't see how one could stretch (A) to

  • 1. I'm glad I didn't give Facebook my phone number.

    2. This kind of crap prevents 2-factor authentication from catching on.
    • SMS two factor is ridiculously insecure - to the point of being practically useless for security. If you're going to do 2 factor, use an RSA authenticator app, or a fob....
      • SMS two factor is ridiculously insecure - to the point of being practically useless for security. If you're going to do 2 factor, use an RSA authenticator app, or a fob....

        That is exactly the opposite of what I have heard. Companies are dropping RSA because it's not as secure as SMS.

        • In what world is generating the code on a server and sending it to you over text message more secure than you simply having the algorithm locally generate the code?

        • SMS two factor is ridiculously insecure - to the point of being practically useless for security. If you're going to do 2 factor, use an RSA authenticator app, or a fob....

          That is exactly the opposite of what I have heard.

          Then whatever you heard is from a bad source.

          Companies are dropping RSA because it's not as secure as SMS.

          I have no idea if companies are dropping RSA authenticators or not, but if they are it is not because they are less secure than SMS.

          To access accounts protected by 2FA someone has to steal my authenticator from me, at which point I know my account is compromised. If an account is protected by SMS, they do a SIM spoof and I won't know what happened until it is too late. My phone number is not a very hard secret, since I am listed, but knowing what device I have my

          • Re: (Score:2, Informative)

            by Thelasko ( 1196535 )

            I have no idea if companies are dropping RSA authenticators or not, but if they are it is not because they are less secure than SMS.

            I think companies are dropping RSA because the salespeople at Microsoft are convincing them their Azure MFA SMS solution is better than RSA. They may even be spreading misinformation that the Microsoft SMS solution is more secure than RSA. Of course, we now know about all of the breaches to Microsoft security infrastructure. [wikipedia.org]

            I don't work in IT, but the Fortune 500 company I work for told everyone they are dropping RSA for Microsoft SMS 2-factor to improve security.

            • The Fortune 500 company I work for told everyone they are dropping RSA for Microsoft SMS 2-factor to improve security.

              Massive security breach in a fortune 500 company in 3... 2... 1...

          • they do a SIM spoof and I won't know what happened until it is too late

            It should be noted that this is not as trivial an undertaking as you imply here.

            • they do a SIM spoof and I won't know what happened until it is too late

              It should be noted that this is not as trivial an undertaking as you imply here.

              Where did I imply that it was trivial? Please enlighten us how your reading skills unearthed that.

              Note that a SIM spoof either comes down to social engineering or having an accomplice within the telco. So compared to the act of theft/pickpocketing/robbery of a device protected by passcodes and/or biometric security (harder, requiring physical interaction with a victim) or attacking the infrastructure of the authentication system (much harder, technically) I would say that it is easier. It all boils down to

              • Where did I imply that it was trivial?

                Here:

                If an account is protected by SMS, they do a SIM spoof and I won't know what happened until it is too late

                You're contrasting it with stealing an RSA token or phone w/ authenticator app. Your second phrase also implies a quick, easy and done operation.

                (You also forget that you may be unaware of the stolen RSA token for a while)

                Neither method is terribly effective if someone is specifically targeting you. But both methods are effective to prevent attacks from someone targeting anyone they can compromise.

                If someone wants your account, they'll probably be able to get it through a variety of attacks. If some

                • Where did I imply that it was trivial?

                  Here:

                  If an account is protected by SMS, they do a SIM spoof and I won't know what happened until it is too late

                  That boils down to your reading comprehension. Nothing in that sentence claims it is trivial. That the sentence imply is trivial is your claim based on your interpretation. I have now explicitly said that I never claimed nor claim it is trivial, just that one is harder from other perspectives. One thing being harder does not make the other trivial. Is that clear or do I need to spell it out in simpler words for you?

                  You're contrasting it with stealing an RSA token or phone w/ authenticator app.

                  So, wasn't that the whole point of this discussion?

                  Your second phrase also implies a quick, easy and done operation.

                  Nope. See above. Or do you expect me to ex

        • Companies are dropping tokens/authenticator apps because of support costs.

          A new phone or lost fob causes problems. Either you create a large hassle to properly identify the user, or you've got a very large hole in your security.

          SMS is much more likely to follow the user to new devices, even with the user being an idiot.

          • SMS is much more likely to follow the user to new devices, even with the user being an idiot.

            This makes sense.

          • Why the hell would the authenticator app add increased cost? It's just a seed number, revoke that seed... The person downloads the app on their next phone which they need anyway, and is probably not paid for by the company anyway...
            • How does that person get the new one?

              How do you ensure that only that person gets the new one, including situations where they no longer have access to the old one?

              Those add costs. Some employee has to be involved in authenticating the user and distributing the new seed.

      • Challenge-response should be necessary as well, except that this would require more smarts in an app rather than having to read off numbers in a text.

  • will never get my phone number. Well that and I don't use it.

    If they actually require one, I'd just get one of those throwaway SMS accounts....

  • All the more reason to dump farcebook. Uninstall the apps, delete your accounts, revel in meatspace... don't look back.
  • give them area code 867-5309 or area code 634-5789

    • I did not recognize the second number and had to look it up - must have missed something in my muzak edumakashun...
  • use a source for the numbers that isn't a random generator or a sequential list? Any number database will do? Like the whitepages listings? Or any other list supplied by anyone else? Wow. robocalls here we go!
  • ... I click past Facebook's suggestion that I give them my phone number.

    I get all the phone spam I can handle now. I can hardly imagine how badly Facebook would abuse having my phone number.

  • by nagora ( 177841 ) on Thursday April 01, 2021 @02:44PM (#61225522)

    Unanimously wrong. Brilliant.

    Sack the lot of them.

  • Closely parsing the TCPA's grammar, the court concluded that an illegal auto-dialing system "must use a random or sequential number generator," and this definition "excludes equipment like Facebook's login notification system, which does not use such technology."

    Thanks, SCOTUS! So, as an aspiring robocaller, I just need to create two companies, one that generates random numbers and a second that buys/uses that list of numbers to make calls. Wonderful!

    Hmm, on second thought, what if I use a broken PSRNG that doesn't pass tests of uniform randomness? It would be neither random nor sequential! Good thing the SCOTUS is encouraging innovation!

    • Even less random would be to use images from the Internet as source material for your non-random dialer. You got the numbers from animated GIFs.

  • Comment removed based on user account deletion
  • Text messages don't apply to TCPA because text messages are not phone calls or faxes.

  • before calling for an armed revolt. This is not the end of the world. This does not announce open season for telemarketers. The decision does not affect unsolicited text messages, regardless of how they are sent, which are still prohibited by by the TCPA.

    https://www.supremecourt.gov/o... [supremecourt.gov]

    Sotomayor's opinion is only barely over 2 pages. I'm sure everyone here can handle reading that. In it she essentially says that congress was overly specific in their definition of "autodialer". The rest is additional

  • Considering the FCC's poor success rate at actually collecting the fines they levy against robocallers, I'm not sure it'll make any practical difference.

"The voters have spoken, the bastards..." -- unknown

Working...