Logging Data Before Form Submitted Is Wiretap?
Cohen v. Casper
Class Complaint – Casper, through its agent NaviStone, allegedly captured data entered on web forms – in real time – before plaintiff submitted the web forms. Plaintiff claimed data was collected through NaviStone tags on the Casper website, tags which allegedly contemporaneously intercepted contents of plaintiff’s communications with the Casper website. Plaintiff further claimed the collection was done “immediately, automatically, and secretly,” irrespective of any purchase.
[S.D. N.Y.; 1:17-cv-09325]
Marketing. If you are in the United States and make a purchase using the Site, information collected from you may be made available to select third parties who offer products or services that may be of interest to you. If you prefer that we not share your information with such third parties, send an email to email@example.com within thirty (30) days of your purchase. Note that if it has been more than thirty (30) days since your purchase, your opt-out may not apply to marketing initiatives that are already underway.
Or, will the court otherwise find that service provider NaviStone is a party to the communication, thus there is no interception? Stay tuned…
BTW – NaviStone was the subject of a recent internet exposé, This Company Has Already Logged Your Personal Data Before You Hit Submit, which is cited in the complaint.
Driver’s License Swipe Leads To Class Action
Skiles v. Tesla
Class complaint – Tesla allegedly collected and shared plaintiff’s personal information without his knowledge or consent. Plaintiff claimed his personal information was collected (intercepted) when the magnetic stripe of his driver’s license was scanned via iPad (through an app created by Appstream) when he sought to test drive a Tesla. Plaintiff claimed he provided his license to verify he was legally permitted to drive; however, the information was used to ‘score’ him based on his creditworthiness, and used to enroll him in marketing databases without his consent (purposes not permitted under the DPPA), in excess of any consent he provided. Plaintiff claimed an Experian ‘Mosaic’ score (a consumer report) was created and used for marketing purposes (without his knowledge or consent), and the information was stored in a Salesforce marketing database, a database over which he had no ability to control the use or distribution of his personal information.
Named defendants include Tesla, Appstream, Experian, and Salesforce. Claims were filed under the FCRA, ECPA, and DPPA.
[N.D. CA; 3:17-cv-05434]
jbho: a reminder that remedies available for violating the DPPA make it attractive for class actions. A private right of action for knowing violations allows a court to award (18 USC §2724):
(1) actual damages, but not less than liquidated damages in the amount of $2,500
(2) punitive damages upon proof of willful or reckless disregard of the law
(3) reasonable attorney’s fees and other litigation costs reasonably incurred
(4) other preliminary and equitable relief as the court determines to be appropriate
Rushing v. Viacom
Class complaint – Viacom allegedly collected, used, and shared personal information of children without notice to, or consent of, parents. The information was allegedly collected by advertising and analytics SDKs Viacom implemented in its child-directed gaming apps, including the Nickelodeon Llama Spit Spit app. Plaintiffs claimed Viacom did not implement a mechanism for obtaining verifiable parental consent, and the SDKs never checked if verifiable parental consent had been obtained.
The complaint names Viacom and three SDK makers (Upsight and Unity Technologies). Claims were filed under the California Constitutional Right to Privacy, as well as Intrusion Upon Seclusion claims.
[N.D. CA; 3:17-cv-04492]
jbho: as stated below, know your SDKs!
Rushing v. Disney
Class complaint – Disney allegedly collected, used, and shared personal information of children without notice to, or consent of, parents. The information was allegedly collected by advertising and analytics SDKs Disney implemented in its child-directed gaming apps, including the Princess Palace Pets app. Plaintiffs claimed Disney did not implement a mechanism for obtaining verifiable parental consent, and the SDKs never checked if verifiable parental consent had been obtained.
The complaint names Disney and three SDK makers (Upsight, Unity Technologies, and Kochava). Claims were filed under the California Constitutional Right to Privacy, as well as Intrusion Upon Seclusion claims.
[N.D. CA; 3:17-cv-04419]
jbho: another reminder to make sure you know what your apps are doing. Technological ignorance is no excuse.
Interesting here are the theories of liability. Although COPPA is the centerpiece of the action, the lack of a private right of action means plaintiffs must get creative in their pleadings. Using the COPPA definition should help broaden the types of information deemed ‘personal.’ Per 16 CFR §312.2:
“Personal information means individually identifiable information about an individual collected online, including:
(1) A first and last name;
(2) A home or other physical address including street name and name of a city or town;
(3) Online contact information as defined in this section;
(4) A screen or user name where it functions in the same manner as online contact information, as defined in this section;
(5) A telephone number;
(6) A Social Security number;
(7) A persistent identifier that can be used to recognize a user over time and across different Web sites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier;
(8) A photograph, video, or audio file where such file contains a child’s image or voice;
(9) Geolocation information sufficient to identify street name and name of a city or town; or
(10) Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.” Emphasis added.
Note that the complaint here is remarkably similar to the complaint in McDonald v. Kiloo APS (below). Both were filed by the same attorneys from LIEFF CABRASER HEIMANN & BERNSTEIN, LLP and CARNEY BATES & PULLIAM, PLLC.
McDonald v. Kiloo APS
Class complaint – Kiloo allegedly collected, used, and shared personal information of children without notice to, or consent of, parents. The information was allegedly collected by advertising and analytics SDKs Kiloo implemented in its child-directed gaming apps, including the Subway Surfers app. Plaintiffs claimed Kiloo did not implement a mechanism for obtaining verifiable parental consent, and the SDKs never checked if verifiable parental consent had been obtained.
The complaint names Kiloo and seven SDK makers (AdColony, Chartboost, Flurry, InMobi, ironSource, Tapjoy, and Vungle). Claims were filed under the California Constitutional Right to Privacy, N.Y. Gen. Bus. Law §349 (deceptive acts and practices) as well as Intrusion Upon Seclusion claims.
[N.D. CA; 3:17-cv-04344]
jbho: yet another reminder to make sure you know what your apps are doing. Technological ignorance is no excuse.
Note that the complaint here is remarkably similar to the complaint in Rushing v. Disney (above). Both were filed by the same attorneys from LIEFF CABRASER HEIMANN & BERNSTEIN, LLP and CARNEY BATES & PULLIAM, PLLC.
Transit App Allegedly Secretly Tracked Users Without Notice Or Consent
Moreno v. BART
Claims have been filed under California’s Cellular Communications Interception Act and Consumers Legal Remedies Act, as well as claims of Intrusion Upon Seclusion and violation of privacy rights under the California Constitution.
[N.D. CA; 4:17-cv-02911]
jbho: another complaint that uses detailed technical information to support its claims. If you are responsible for vetting apps, you might want to learn how to use these tools, or hire someone who already knows them.
Also of interest is that contract formation may be at risk because of app design. Remember that Uber may not be able to enforce arbitration provisions in its user agreement due to similar alleged design flaws. Users can’t consent to terms they don’t see.
Note also that the complaint focuses on collection of IMEIs, which, although not forbidden, is discouraged by Google. Another reason to question what your developers are collecting and whether you really need it.
Email Scanning Class Action Against Email Blocking Service
Cooper v. Slice (UnrollMe)
Class Complaint – UnrollMe allegedly used its spam blocking service to intercept, read, and store contents of consumer email communications, all without consumer knowledge or consent.
[N.D. CA; 3:17-cv-02340]
jbho: The impetus for this appears to be the recent NYT article accusing Uber of buying Lyft-sent emails from UnrollMe.
It is an interesting case. Screenshots in the complaint do seem to indicate UnrollMe will read emails, and users must “Allow” that at sign up.
Headphone App Allegedly Listens To Listeners
Zak v. Bose
Class complaint – Bose allegedly captured data on audio programs listened to through its mobile app, and allegedly shared the captured data, along with other personal identifiers, with third parties. Data was allegedly ‘intercepted’ while transmitted to the headphones, and included songs, radio broadcasts, podcasts, etc. that potentially revealed sensitive information about politics, religious views, personalities, etc. Plaintiff alleged the data was captured and shared without consumer knowledge or consent.
[N.D. Ill; 1:17-cv-02928]
jbho: I’m a little surprised plaintiff didn’t try to pursue VPPA claims, since it sounds like if someone was watching a movie, that would have been slurped up and shared as well? Allegedly, of course. Perhaps too difficult to show commonality (a movie watcher subclass?).
The interception argument may be a tough one if the communication endpoints are the Bose app & Bose headphones. I suppose a determination will need to be made on the true origination point of the transmission.
Nonetheless, a reminder to keep an eye on your mobile developers, and make sure “privacy by design” is being implemented. That means:
• Knowing what your apps need
• Knowing what your apps are actually doing (including any imported code from third party SDKs)
• Turning off the functions you don’t need
• Getting consent for data/functions you do need
• Making sure your privacy policies are updated, and are clearly and conspicuously posted – in the app, and on the AppStore/Play
Smart Massage Device Maker Settles for $3.75 Million
N.P. v. Standard Innovation (We-Vibe)
Preliminary $3.75 million settlement – We-Vibe – through an app linked to its personal massage device – allegedly recorded highly intimate and sensitive data regarding consumers’ product use without knowledge or consent.
The preliminary settlement amount is CAD $5 Million (~USD $3,750,000), distributed across an App Class (downloaded the We-Connect app and used it to control a We-Vibe Brand product), and a Purchaser Class (purchased a Bluetooth enabled We-Vibe brand product).
Highlights include (in USD $):
• $3,750,000 non-reversionary settlement fund
• $500 for each ‘App Class’ class member (expected)
• $40 for each ‘Purchaser Class’ class member (expected)
• $5,000 for each class representative (requested)
• $1,250,000 for class counsel (1/3 of settlement fund, requested)
[N.D. Ill; 1:16-cv-08655]
jbho: same as before: make sure you know what your apps are doing, disclose that behavior, and get appropriate consent.
NYAG Fines Three App Makers $30,000 For Unsubstantiated Performance Claims & Lack Of Privacy Disclosures
AG Schneiderman announced a settlement with health app makers Cardiio, Runtastic, and Matis for alleged misleading performance claims, and for sharing information without appropriate user knowledge or consent.
• Cardiio and Runtastic allegedly claimed their apps could measure heart rate, but were unable to provide evidence supporting those claims. Cardiio also ‘misleadingly implied’ it was endorsed by MIT
• Matis claimed its app could turn any smartphone into a fetal heart monitor, but failed to provide evidence it had been tested against devices scientifically proven to amplify the sound of a fetal heartbeat
The AG further alleged the apps collected sensitive health information, Device IDs, or GPS information without adequate disclosure to, or consent of, the user. Nor did the policies disclose that the information collected was not protected under HIPAA. The privacy policies also permitted each to essentially share the sensitive data with anyone the app maker chose.
Under the settlement, each app maker must modify its claims, and only make claims that have been validated by qualified researchers. Records of such testing must be maintained and made available to the AG on demand. Additionally, each must make clear their apps are not medical devices and are not approved by the FDA.
Each must also pay the following monetary penalties:
• Cardiio – $5,000
• Runtastic – $5,000
• Matis – $20,000
With respect to privacy, each must update their privacy policies to disclose what data is collected, how it is shared, with whom, and how it is protected. Each must also get express consent before collecting or sharing data. Where aggregate data will be shared, each must get contractual guarantees data recipients will not re-identify the data.
Each must also establish security policies to protect data collected through their apps, and review the policies bi-annually.
Also worth noting is that the AG stated a device ID is personal.
“Runtastic collected and provided to third parties the unique device identifier of users of Heart Rate Monitor, which is personally identifiable information”
Another Class Action Over Eavesdropping Smart TVs
Siegel v. Samsung
Class complaint – Samsung allegedly recorded private communications with its Smart TVs (including child voices) and shared the communications data with third parties – all allegedly without consumer knowledge or consent. The data was allegedly collected through built-in ‘always on’ recording devices that were not disclosed to the user.
Although the complaint stated defendant’s activities violated multiple federal laws (CCPA, COPPA, ECPA), the complaint focused on the New Jersey Consumer Fraud Act (CFA) for its cause of action.
[D. N.J.; 2:17-cv-01687]
jbho: variation on a theme: know what your devices are doing and get consent for that processing.
FYI, EPIC issued a formal complaint to the FTC on the same matter back in 2015: https://epic.org/privacy/internet/ftc/samsung/
Running App Allegedly Snooped At Rest
Vasil v. Kiip
Class complaint – mobile marketer Kiip, through its mobile SDK, allegedly collected and used data from consumer mobile phones without user knowledge or consent. The Kiip SDK allegedly collected consumers’ personal information, geolocation data, and device identifiers, even when the underlying app was not in use or the consumer was not using the phone. Plaintiff also claimed Kiip failed to inform its partners using Kiip technology of the alleged surreptitious data collection.
[N.D. Ill; 1:16-cv-09937]
jbho: Two reasons to know what data your apps are collecting:
1) avoid public embarrassment, regulatory action, or litigation
2) keep your insurance coverage
In an interesting development, Kiip’s insurer, Admiral, has filed a motion for judgment that it has no duty to defend or indemnify Kiip since the policy specifically excludes:
• intentional acts, including by error or omission
• unauthorized data collection
BTW: the complaint specifically mentioned the Runkeeper app as one that allegedly collected data through the Kiip SDK. Originally caught by a Norwegian consumer protection group, Runkeeper issued an apology stating the ‘bug’ had been fixed (https://blog.runkeeper.com/4714/a-message-to-our-users/).
NY AG Settles With App Makers
AB Mobile Apps and Bizness Apps allegedly collected personal information through their apps, but failed to disclose policies for what data was collected and how it was used. As part of the settlement, each has either added privacy policies to their apps, or pulled them from the App Store/Google Play.
jbho: no discussion of monetary penalties, so this may just be a ‘name and shame’ reminder to clearly and conspicuously disclose data collection, use, sharing, and retention practices.
Also, it’s probably a good idea to keep an inventory of your apps, and if they are no longer being used or supported, you should pull them from the App Store/Google Play.
Alleged Built-In Snooping Class Action
Bonds v. Blu Products
Class Complaint – Blu allegedly pre-installed Adups firmware on its phones without consumer knowledge or consent. The Adups software allegedly intercepted and recorded sensitive personal information including telephone numbers, contact lists, call history, full body of text messages, unique device identifiers and “fine-grained device location information,” and transmitted the information to servers in China. In addition to the privacy violations, plaintiffs alleged diminished value of phones as the surreptitious collection and transmission of data increased costs to keep batteries charged as well as decreased the total lifespan of the phone. Plaintiff could neither reasonably detect nor delete/disable the Adups firmware.
Plaintiff stated he would not have purchased the phone – which he used to send/receive calls and texts that included sensitive personal and work-related information – had he been aware that information was being secretly intercepted and shared. Claims have been filed under the ECPA, Federal Wiretap Act, Magnuson-Moss Warranty Act, as well as Intrusion upon Seclusion and Trespass to Chattels claims.
UPDATED: 10Apr2017 – the case has been consolidated with Aguilar v. Blu Products [S.D. FL; 1:16-cv-25131] (Doc#29).
[S.D. FL; 1:16-cv-24892]
jbho: once again, if you are asking consumers to install software on their devices, you better know what that software does. And get consent for that processing.
Note that the allegedly surreptitious activities were identified in a security bulletin published by Kryptowire (http://www.kryptowire.com/adups_security_analysis.html). You may remember the name Kryptowire as the firm hired by the BBB to help inspect websites & apps for compliance with DAA principles: http://www.asrcreviews.org/accountability-program-announces-work-with-kryptowire/. I’m seeing more and more complaints citing computer code and using ‘forensic accounting’ to identify statutory violations, so technical ignorance may no longer be an excuse for not knowing what is going on in your apps.
And finally, plaintiff here is represented by Girard Gibbs LLP. The Rosen Law Firm published its own alert on this matter (http://www.rosenlegal.com/newsroom-210.html), indicating more lawsuits are likely to follow.
PS: Blu Products provides low cost phones, where costs are subsidized by advertising revenue (users must consent to see ads on their phones). So this whole thing may go away on that basis alone. Stay Tuned…
Fan Says Colts Eavesdropped Through Mobile App (UPDATED)
Rackemann v. Lisnr
UPDATE: 22Feb2017 – Motion to dismiss denied, case transferred to Indiana
The court ruled that in admitting the app filtered recorded audio to identify ‘inaudible’ beacon tones, the app must by design first capture and record all audio, which made plaintiff’s claims plausible at the motion to dismiss phase. The court did agree with Defendants that the case should be heard where the Colts and its fans, including plaintiff, were located.
(Doc 47 – Order on Motion to Transfer Case)
UPDATE: 3Oct2017 – dismissed in part (Doc#129). The court found plaintiff had standing since he sufficiently alleged a violation of his substantive interest in the privacy of his communications, and the alleged invasion of privacy constituted a concrete harm congress sought to protect against. On Wiretap claims, the court found that plaintiff adequately pled that:
(i) it was reasonable to infer that his smartphone was activated by defendants (precise dates and times to be determined at discovery),
(ii) the app captured and recorded audio – audio that was acquired and analyzed by defendants, and
(iii) the app records the content of audible communications.
The court declined to consider defendant’s contention the app did not record audible sounds as a fact not susceptible to judicial notice.
The court declined to dismiss claims against the Colts since the alleged interception was performed by the Colts app. The court also declined to dismiss claims against LISNR, since “the precise manner and degree to which LISNR’s software or server were involved in any alleged interception involves the consideration of facts.” The court reached a similar conclusion in declining to dismiss claims against Adept Mobile, who helped the Colts integrate the LISNR technology into the app.
The court dismissed data ‘use’ claims, as plaintiff failed to allege any specific use of intercepted data (only generally alleged it was ‘used for marketing’). However, the court did leave the door open to cure the use claims, and gave plaintiff 30 days to file an amended complaint.
[W.D. PA; 2:16-cv-01573]
jbho: a recurring theme – if you are asking consumers to install software on their devices, you better know what that software does. And get consent for that processing.
Note that the complaint provides a ‘forensic account’ of the app’s actual computer code to support the claims. There seems to be a trend of technical information being included in complaints. As the plaintiffs’ bar becomes more tech savvy, you should make sure your products are appropriately vetted – preferably in a lab environment.
Also interesting, plaintiff uses a company press release as further evidence of defendant’s intention to eavesdrop:
BTW: a similar complaint to the one recently filed in California against the Golden State Warriors (see below). A trend developing?
App Maker Gets Up-Close and Personal
N.P. v. Standard Innovation (We-Vibe)
Class Complaint – We-Vibe – through an app linked to its personal massage device – allegedly recorded highly intimate and sensitive data regarding consumers’ product use without knowledge or consent. We-Vibe allegedly collected data despite in-app promises user connections were secure. Plaintiff claims she would not have purchased We-Vibe if she had known it was designed to secretly monitor, intercept, and transmit consumer usage information. Plaintiff has filed claims under:
(1) Federal Wiretap Act
(2) Illinois Eavesdropping Statute
(3) Intrusion upon Seclusion
(4) Unjust Enrichment
(5) Illinois Consumer Fraud and Deceptive Business Practice Act
UPDATE: 29Nov2016: Parties executed a Memorandum of Understanding (“MOU”) through mediation, and are in the process of drafting a Class Action Settlement Agreement. A 60 day stay of the litigation was granted (Doc#19).
[N.D. Ill; 1:16-cv-08655]
jbho: before you roll out a mobile app, make sure you know what it’s doing, disclose that behavior, and get appropriate consent.
This ‘vulnerability’ was first disclosed at the recent DefCon security conference. Another reason to invest in a testing lab, or secure a vendor who can do a technical screening of your products before you go live with them.
BTW: a good example of the difference between privacy and security. According to screenshots in the complaint, it appears in-app disclosures said the connection was secure, but was silent on whether the connection was private.
$9 Million Deal Approved In HTC, Samsung Data Suit
In re Carrier IQ Consumer Privacy Litigation
Order approving $9M settlement – AT&T Mobility Inc., HTC Corp., LG Electronics Inc., Motorola Mobility Inc., Samsung Electronics Co. and Sprint Corp allegedly tracked and recorded private user information – without knowledge or consent – from plaintiffs’ mobile phones through use of pre-installed Carrier IQ software. The Carrier IQ software – allegedly installed on 141,000,000 mobile devices worldwide – was allegedly designed and deployed to intercept private communications, content, and data, including: URLs containing HTTP and HTTPS query strings embedded with Internet search terms, user names, passwords, granular geo-location information, SMS text message content, and application purchases and uses. Carrier IQ allegedly failed to implement reasonable security controls in the collection and use of the aforementioned data.
In addition to privacy and security violations, plaintiffs allege the undisclosed software caused harm through taxing device batteries, processors, and memory.
Claims were filed under the Federal Wiretap Act, state privacy statutes (35 states), and state consumer protection acts (21 states), as well as under the Magnuson-Moss Warranty Act, and the Implied Warranty of Merchantability (against the device manufacturers – Plaintiffs claim they would not have purchased mobile devices had they known that the Carrier IQ Software was present).
- $9,000,000 settlement
- $5,900,000 non-reversionary settlement fund for class members
- $138 – $149 for each class member (expected)
- $75,000 for plaintiffs/class representatives
- $3,000 each for plaintiffs/class representatives who expended less than 26 hours (5)
- $5,000 for remaining plaintiffs/class representatives (12)
- $655,500 for settlement administration
- $2,358,933.72 for class counsel (26% of settlement fund)
[N.D. CA; 12-md-02330]
jbho: same as below – if you are asking consumers to install software on their devices, you better know what that software does.
As background, independent security and privacy researcher Trevor Eckhart discovered Carrier IQ running on his Android OS HTC mobile device in November 2011. Working with others in the Android developer community, Eckhart published the results of his Carrier IQ software analysis on his website, http://www.androidsecuritytest.com. The analysis showed software hidden deeply on his device that would never be known to the average user (finding the software required ‘rooting’ a device, which not only requires great technical skill, but voids warranties as well). For more information, check out Eckhart’s video at https://www.youtube.com/watch?v=T17XQI_AYNo .
BTW: HTC entered into a consent order for its involvement in the Carrier IQ affair. No fines were issued, but they got the usual compliance program requirements with 20 years of biennial audits.
Fan Says Golden State Warriors Eavesdropped Through Mobile App (UPDATED)
Satchell v. Sonic Notify
UPDATE: 13Feb2017 – Dismissed, leave to amend (Doc#54). The court ruled that although plaintiff had standing – invasion of privacy was an injury-in-fact – plaintiff failed to show communications were ‘intercepted’ since she could not show defendants acquired or used the contents of any communication. The court did grant leave to amend, finding “the court cannot say it would be a futile act.”
UPDATE: 20Nov2017 – motion to dismiss denied in part (Doc#89). The court found Plaintiff cured deficiencies in her previous complaint (cited at least four instances where the app was running during private conversations), and sufficiently alleged facts to show Signal360 engaged in acts that would qualify as interception under the Wiretap Act, and that the Warriors had access to information generated by Signal360 sufficient to show interception as to the Warriors.
The court dismissed claims against Yinzcam, finding there was no evidence Yinzcam seized or redirected any communications itself (they only made sure the microphone would turn on/off). The court distinguished Yinzcam’s role here from Adept Mobile’s role in Rackemann v. Lisnr (W.D. PA; 2:16-cv-01573), finding Adept Mobile was alleged to have dictated when microphones should be activated, making it a party to the (alleged) interception. In this case, the Warriors and Signal360 were alleged to have established those rules. As there is no secondary liability under ECPA (no ‘conspiracy’ or ‘aiding and abetting’ called out in the statute), claims against Yinzcam were dismissed. Any further amendment would be futile, so claims were dismissed with prejudice.
[N.D. CA; 3:16-cv-04961]
jbho: same as above, if you are asking consumers to install software on their devices, you better know what that software does. And get consent for that processing.