In January 2024, Nevada filed a lawsuit against Meta, alleging that the company used deceptive practices and manipulative design choices to increase profits at the expense of young users’ well-being.

This case will attempt to answer:

1. Does Meta’s use of addictive design practices violate consumer protection laws?
2. What defines a “deceptive trade practice” in the context of social media?
3. Would implementing encryption on Meta’s Messenger endanger young users?

Timeline & Other Events

• January 30, 2024 – Nevada Attorney General Aaron Ford files a lawsuit against Meta Platforms, Inc. in state court, targeting Facebook, Instagram, and Messenger. The complaint alleges that these platforms employ features designed to addict young users, prioritizing engagement over their well-being.¹
• February 26, 2024 – Nevada seeks a temporary restraining order (TRO) to prevent Meta from implementing E2EE on Messenger for users under 18, citing concerns that encryption could hinder law enforcement’s ability to protect children.²
• March 20, 2024 – A Nevada state court begins hearings on the state’s motion to block Meta’s use of E2EE for minors on Messenger. Privacy advocates warn that restricting encryption could undermine user security.³
• October 7, 2024 – District Judge Joanna Kishner rules that the Nevada court has jurisdiction over the lawsuit against Meta’s Messenger. Some claims are dismissed with the option to amend, but the case proceeds, focusing on allegations that Meta’s practices harm young users.⁴
• December 1, 2024 – The U.S. Supreme Court dismisses Meta’s appeal in a separate, multibillion-dollar class-action lawsuit concerning the Cambridge Analytica scandal, allowing the case to proceed. This ruling reflects the broader legal challenges Meta faces regarding privacy and data security.⁵

Facts of the Case
On January 30, 2024, the Plaintiff, the State of Nevada, filed a lawsuit against Defendant Meta. Nevada alleges that Meta employs manipulative design practices to addict young users to their platform, prioritizing monetary gain over considerations of mental health and adolescent development.⁶ The state also contends that Meta deceptively omits and misrepresents facts about Messenger, a communication software it offers. In particular, the state highlights the use of End-to-End Encryption (E2EE)—a technology that ensures only the sender and receiver can access messages, excluding law enforcement, Meta, or third parties.⁷

The lawsuit accuses Meta of engaging in deceptive and unconscionable acts in violation of the Nevada Deceptive Trade Practices Act (“NDTPA”).⁸ Nevada further asserts claims of product liability, citing design defects and failure to warn, alongside claims of negligence and unjust enrichment.⁹

The State of Nevada seeks damages, including punitive damages, in an amount to be determined at trial.¹⁰

Nevada’s Allegations

Nevada alleges that Meta is using manipulative design practices and misrepresents the risks of their social media platform presents to young users.¹¹ Thus, Nevada is going to try and prove that Meta violated the Deceptive Trade Practices Act by conducting Deceptive Acts and Unconscionable Acts and is further liable under Product Liability for both design defect and failure to warn. Finally, Nevada will argue Meta is guilty of negligence by acting in a “willful, wanton, malicious, reckless, oppressive, and/or fraudulent” manner.¹²

Meta’s Response

According to an article in Bloomberg Law, Meta contradicts the state’s argument for urgent injunctive relief by noting end-to-end encryption has been an optional feature on Messenger for eight years. Meta is also arguing that Nevada doesn’t have jurisdiction over the case and that both the First Amendment and Section 230 of the federal Communications Decency Act, a federal legal liability shield for tech companies from user content, bars the state’s request for temporary relief.¹³

Notes

This lawsuit corners companies by forcing a choice between facing litigation risks or providing insecure communication to users (ideally, transparently; realistically, with the insecurity minimized).

Beyond insecure communication methods and the case broadly: Nevada’s complaint highlights many problematic design elements widely used by social media companies beyond Meta to entrap users and encourage usage. Increased use begets improved consumer tracking and user profiles. Some examples of these problematic design elements include:

1. Low-Friction Variable Rewards: Actions yielding unpredictable rewards result in longer engagement in the action that predictable rewards. This is also the primary mechanism at work in slot machines, keeping players sitting in front of machines for hours on end.
2. Social Manipulation. Specifically, through popularity/reciprocity of a young user’s account or content. Gamification of popularity through number of friends or connections, interactions with contents, or usernames of specific other users who interacted with their content.
3. Ephemeral Content. Young Users are developmentally wired such that the fear of missing out (“FOMO”) is a “repeatedly identified driver of smartphone and social media use.” Companies induce constant engagement by making certain content ephemeral which leads to “avoidance” meaning an individual performs a behavior to avoid a negative outcome. For example, checking a message that expires in 24 hours.

Many opponents of E2EE, argue such an implementation on Meta’s platforms would result in a reduction of reports on tens-of millions of Child Sexual Abuse Material (CSAM) reported through Meta’s platform in 2020 (this makes up 95% of all reports in 2020¹⁴), and make it easier for abusers to groom or propagate CSAM.

It’s true that E2EE would restrict access to many problematic communications. Furthermore, implementing E2EE could further enable predators. However, there are a few currently implemented solutions including: 1) checking hashes of files against the CSAM database to enable encryption but also enable CSAM detection, this obviously is not foolproof and would likely still permit much of the nefarious activity on Meta’s platforms to continue unencumbered, 2) requiring a parent or guardian to be present through the account creation, verified using a webcam and local person recognition (to ensure 2 people are in the frame), and a QR code generated on the adult’s verified phone, cryptographically linked to their account, and presented at the time of creation, 3) use keyword detections and image recognition to identify grooming or suspicious behavior and notifying the parent or guardian associated with the account automatically, 4) allow a second private decryption key and copies of all interactions sent to parent accounts, and 5) require parents to authorize all friend requests or conversation requests through their account.

Implementing some or all of these solutions would still not be airtight but would increase the number of detections if E2EE were implemented. Finally, a solution that is more difficult to implement: educate children on safe social media usage or restrict access until they are older.

The Nevada lawsuit against Meta’s encryption tool threatens access to a primary means of private communication for many minors and adults. Privacy and security organizations argue that impeding encryption creates vulnerabilities for both criminals and government officials. Furthermore, A Nevada win could pave the way for other states to challenge encryption technologies using product liability theory (Product liability is within the domain of legal liability. Strict liability is imposed on a defendant solely based on the nature of their alleged conduct: it does not consider intent or any mitigating actions. Product liability is a manner of conduct that results in strict liability: all parties in a chain of distribution can be liable for consumer injuries, regardless of their intent or the amount of reasonable care they exercise. Importantly, there is no federal products liability law, so minutia vary state to state¹⁵).

This case highlights an important concern with restricting encryption technology that hearkens back to the foundational philosophy behind an expectation of privacy. The ability to communicate freely and securely has long been considered essential to both personal freedom and a democratic society; undermining encryption threatens to erode the privacy afforded to individuals.

In the same way, individuals feel private and secure conversing in their homes; and in the same way, that expectation of privacy was recognized by Warren and Brandeis in the 1890 paper “The Right to Privacy” and later enshrined in landmark Supreme Court decisions like Griswold v. Connecticut, which was the first court case to recognize privacy as a fundamental right derived from the 14th amendment.

This case puts personal privacy is at stake for everyone from adults to kids. End-to-end encryption (E2EE) does not make it impossible for law enforcement to pursue digital criminals, but it does ensure that individuals have the same level of privacy in their digital communications as they do in their physical homes. People have an expectation of privacy on digital messaging platform, the courts should codify that protection. If not for personal privacy, then for national security. If secure communications are compromised state secrets could be compromised and bad actors could manipulate citzens. The very foundation of democracy is at risk.

External Support for Nevada

CHILD USA and The National Center on Sexual Exploitation filed an amicus brief on March 14, 2024, in support of the State of Nevada. They argue that Meta’s encryption policies shield powerful technology companies while leaving vulnerable children unprotected online.

The brief states that Meta’s decision to make E2EE the default setting on Messenger knowingly enables child exploitation and prevents law enforcement from detecting child sexual abuse material (CSAM).

The organizations also challenge Meta’s reliance on Section 230, stating that the Communications Decency Act was never intended to shield tech companies from liability for their own design choices.

External Support for Meta

On March 11, 2024, several privacy advocacy organizations—including the ACLU, EFF, Mozilla, and Signal—filed an amicus brief in support of Meta. They argue that banning or restricting E2EE would harm online security for all users, not just criminals.

The brief emphasizes that law enforcement still has multiple legal avenues to investigate crimes and that banning encryption would set a dangerous precedent for digital privacy rights.

The brief also challenges Nevada’s consumer protection argument, arguing that encryption is a security feature, not an unfair trade practice.

Relevant Legal Precedents and Arguments

Among the Amicus Briefs and the Redacted lawsuit, many cases were cited. Here are some relevant cases.

First Amendment & Encryption Cases

• Bernstein v. Dept. of Justice, 176 F.3d 1132 (9th Cir. 1999) – A landmark case where the Ninth Circuit ruled that encryption software is protected speech under the First Amendment. This precedent is critical to Meta’s defense, as Nevada seeks to restrict the implementation of end-to-end encryption.

• In re Apple, Inc., 149 F. Supp. 3d 341 (E.D.N.Y. 2016) – The government sought to compel Apple to unlock an iPhone for a criminal investigation, invoking the All Writs Act. The court ruled against compelled assistance, reinforcing that companies cannot be forced to undermine their own security features—a principle Meta will likely invoke.

• United States v. Warshak, 631 F.3d 266 (6th Cir. 2010) – The court held that individuals have a reasonable expectation of privacy in their electronic communications, requiring law enforcement to obtain a warrant before accessing stored emails. This case supports the argument that digital privacy protections extend to encrypted communications.

Product Liability and Corporate Duty Cases

• F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015) – The Third Circuit upheld the FTC’s authority to regulate cybersecurity practices, affirming that companies can be held liable for failing to protect user data. Nevada may attempt to argue that Meta’s encryption policy constitutes an unfair trade practice under the Nevada Deceptive Trade Practices Act (NDTPA).

• In the Matter of Facebook, Inc., No. C-4365, 2012 WL 3518628 (F.T.C) (July 27, 2012) – The FTC’s settlement with Facebook over deceptive privacy practices established stricter consumer protection obligations, a precedent relevant to Nevada’s misrepresentation claims against Meta.

Nevada-Specific Consumer Protection & Negligence Cases

• Poole v. Nev. Auto Dealership Invs., LLC, 2019 Nev. App. – This case clarified that intent to deceive is not required under Nevada’s Deceptive Trade Practices Act; only awareness of the act or omission is necessary. Nevada will rely on this interpretation to argue that Meta’s conduct is deceptive, even if no explicit intent to mislead is proven.

• Turner v. Mandalay Sports Entertainment, LLC, 124 Nev. 213 – A Nevada Supreme Court case defining negligence by outlining the four elements: duty, breach, causation, and damages. Nevada may use this precedent to argue that Meta had a foreseeable duty to prevent harm to young users.

• Estate of Smith ex rel. Smith v. Mahoney’s Silver Nugget, Inc., 127 Nev. 855 – This case refined the foreseeability requirement in negligence claims, which is central to Nevada’s argument that Meta should have foreseen the risks of its platform design on children’s mental health.

Fourth Amendment & Digital Privacy Cases

• Carpenter v. United States, 138 S. Ct. 2206 (2018) – The Supreme Court ruled that law enforcement must obtain a warrant for historical cell-site location data, reinforcing strong Fourth Amendment protections for digital communications. This case supports Meta’s argument that encryption aligns with constitutional privacy protections.

• United States v. Shipp, 392 F. Supp. 3d 300 (E.D.N.Y. 2019) – The court emphasized the need for specificity in social media search warrants to avoid Fourth Amendment violations. This case highlights that government access to digital content must be carefully limited, a point Meta is likely to raise in its defense.

Section 230 of the Communications Decency Act (CDA) Cases

• Gunn v. Minton, 568 U.S. 251 – This Supreme Court ruling clarified that state law claims involving federal statutes must have substantial impact to fall under federal jurisdiction. This precedent could be relevant if Meta challenges Nevada’s ability to regulate encryption under state law.

• Spence v. Meta Platforms, N.D. Cal. Case No. 3:22-cv-03294 – This case cited internal Meta research about Instagram’s impact on teenage mental health, which Nevada may reference to support its claim that Meta knowingly created an addictive, harmful platform.

Encryption & Law Enforcement Debate Cases

• New Mexico ex rel. Balderas v. Tiny Lab Prods., 457 F. Supp. 3d 1103 – The court found that unauthorized data collection from children violated privacy laws, which Nevada may cite to support its claim that Meta facilitates child exploitation by enabling encryption.

• McDonald v. Kiloo ApS, 385 F. Supp. 3d 1022 – A federal ruling recognizing that secretly collecting children’s personal data can constitute an egregious privacy violation. Nevada may cite this case to argue that Meta’s encryption policy shields data misuse from scrutiny.

Broader Legal Trends

Many government and law enforcement agencies have long opposed the implementation and use of E2EE. However, the FBI recently recommended encrypted messaging after a breach on major US cellular carriers that could reveal FBI informants and compromise an intelligence pipeline.¹⁶

Case Status

CAL will continue to follow the Meta and Nevada case and update this article with advancements. The outcome of this case will be precedent setting: it has the ability to enshrine private digital communication or lay bare the nitty-gritty of each message users send for anyone who puts in enough effort to look.

1. Nevada attorney general launches go-it-alone lawsuits against social media firms in state court ↩︎
2. The State of Nevada, Plaintiff(s) vs. Meta Platforms, Inc., Defendant(s) ↩︎
3. Meta Encryption Privacy Fight Begins in Nevada State Court ↩︎
4. The State of Nevada, Plaintiff(s) vs. Meta Platforms, Inc., Defendant(s) ↩︎
5. Supreme Court allows multibillion-dollar class action to proceed against Meta ↩︎
6. Nevada Meta Messenger Complaint (redacted), p1-4 ↩︎
7. Nevada Meta Messenger Complaint (redacted), p5 ↩︎
8. Nevada Deceptive Trade Practices Act, N.R.S. §§ 598.0903 through 598.0999 ↩︎
9. Nevada Meta Messenger Complaint (redacted), p108-111 ↩︎
10. Nevada Meta Messenger Complaint (redacted), p108-111 ↩︎
11. Nevada Meta Messenger Complaint (redacted), p5 ↩︎
12. Nevada Meta Messenger Complaint (redacted), p110 ↩︎
13. Meta Encryption Privacy Fight Begins in Nevada State Court ↩︎
14. Campaign aims to stop Facebook encryption plans over child abuse fears ↩︎
15. Understanding the Interplay Between Strict Liability and Product Liability ↩︎
16. US officials recommend encrypted messaging to evade hackers in telecom networks ↩︎