ECPA/Wiretap

January 2018

Another App Maker Gets Too Close For Comfort

S.D. v. Hytto (d/b/a/ Lovense)
Class Complaint – Lovense, through a Body Chat app linked to its Lush personal massage device, allegedly recorded highly intimate and sensitive data regarding consumers’ product use without knowledge or consent. Plaintiff alleged the data was collected and shared despite representations user connections were secure and not stored on Hytto servers.

Plaintiff claimed she paid a premium for what she believed to me a secure product that could be used in confidence. Plaintiff further claimed the Lush product was not fully usable without the Body Chat app, and she would not have purchased the product had she known it was designed to secretly monitor, intercept, and transmit consumer usage information.
[N.D. CA; 4:18-cv-00688]
jbho: sound familiar? Remember that We-Vibe (N.P. v. Standard Innovation – N.D. Ill; 1:16-cv-08655) ended up settling for $3.75 million for similar alleged privacy violations.

No coincidence that plaintiff here is represented by EDELSON PC, who represented the We-Vibe plaintiffs. The present action also defines two classes: a Purchase Class and an App Class.

 

December 2017

Logging Data Before Form Submitted Is Wiretap?

Cohen v. Casper
Class Complaint – Casper, through its agent NaviStone, allegedly captured data entered on web forms – in real time – before plaintiff submitted web forms. Plaintiff claimed data was collected through NaviStone tags on the Casper website, tags which allegedly contemporaneously intercepted contents of plaintiff’s communications with the Casper website. Plaintiff further claimed the collection was done “immediately, automatically, and secretly,” irrespective of any purchase.
[S.D. N.Y.; 1:17-cv-09325]
jbho: another complaint that uses detailed technical information to support its claims. Here it will be interesting to see if the sharing with NaviStone is covered under Casper’s privacy policy:

Marketing. If you are in the United States and make a purchase using the Site, information collected from you may be made available to select third parties who offer products or services that may be of interest to you. If you prefer that we not share your information with such third parties, send an email to privacy@casper.com within thirty (30) days of your purchase. Note that if it has been more than thirty (30) days since your purchase, your opt-out may not apply to marketing initiatives that are already underway.
(Casper Privacy Policy as of 31Jan2017 https://casper.com/privacy/)

Or, will the court otherwise find that service provider NaviStone is a party to the communication, thus there is no interception? Stay tuned…

BTW – NaviStone was the subject of a recent internet exposé, This Company Has Already Logged Your Personal Data Before You Hit Submit, which is cited in the complaint.

Update: 12Jul2018 – dismissed (Doc #57). The court found that ECPA claims failed, since Casper was a party to the communications, and ECPA was a one-party consent statute (NaviStone had Casper’s consent). Furthermore, there was no intent to use the information “recorded” to harm or injure plaintiff. Defendant de-anonymized and disclosed data to other parties for marketing, not with the intention to commit a tort. Finally, to the extent Casper possessed a device specifically designed for wiretapping (e.g., Navistone technology), the statute (18USC §2512) provided no private right of action.

On SCA claims, the court followed precedent that communications stored on personal devices are not held in “electronic storage,” nor was a personal device an “electronic communication service.”

As to NYGBL claims, the only alleged injury was a general invasion of privacy, not that plaintiff was harmed by any exposure of his information. Plaintiff did not allege the exposed information was sensitive or that it was exposed for any reason other than marketing. Similarly, false advertising claims failed since “(plaintiff) cites no case law demonstrating that a privacy policy can constitute advertising.”

The opinion addressed claims against three separate retailers using Navistone services:

• Cohen v. Casper (S.D. N.Y.; 1:17-cv-09325)
• Cohen v. Tyrwhitt (S.D. N.Y.; 1:17-cv-09389)
• Cohen v. Moosejaw (S.D. N.Y.; 1:17-cv-09391)

 

Interesting that the content of the privacy policy didn’t come into question. The court noted, “even assuming the conduct was materially misleading, Cohen’s inability to identify a cognizable injury is fatal.” Although, the court wasn’t entirely unsympathetic. “While Cohen alleges conduct raising troubling privacy concerns, that conduct does not violate any of the statutes on which Cohen predicates his claims.”

And thus we have the CaCPA?

 

 

September 2017

Driver’s License Swipe Leads To Class Action

Skiles v. Tesla
Class complaint – Tesla allegedly collected and shared plaintiff’s personal information without his knowledge or consent. Plaintiff claimed his personal information was collected (intercepted) when the magnetic stripe of his driver’s license was scanned via iPad (through an app created by Appstream) when he sought to test drive a Tesla. Plaintiff claimed he provided his license to verify he was legally permitted to drive, however the information was used to ‘score’ him based on his creditworthiness, and used to enroll him in marketing databases without his consent (purposes not permitted under the DPPA), in excess of any consent he provided. Plaintiff claimed an Experian ‘Mosiac’ score (a consumer report) was created and used for marketing purposes (without his knowledge or consent), and the information was stored in a Salesforce marketing database, a database which he had no ability to control regarding the use or distribution of his personal information.

Named plaintiffs include Tesla, Appstream, Experian, and Salesforce. Claims were filed under the FCRA, ECPA, and DPPA.
[N.D. CA; 3:17-cv-05434]
jbho: a reminder that remedies available for violating the DPPA make it attractive for class actions. A private right of action for knowing violations allows a court to award (18 USC §2724):
(1) actual damages, but not less than liquidated damages in the amount of $2,500
(2) punitive damages upon proof of willful or reckless disregard of the law
(3) reasonable attorney’s fees and other litigation costs reasonably incurred
(4) other preliminary and equitable relief as the court determines to be appropriate

 

August 2017

Third Time’s The Charm? Undisclosed Child Data Collection In Game App

Rushing v. Viacom
Class complaint – Viacom allegedly collected, used, and shared personal information of children without notice to, or consent of, parents. The information was allegedly collected by advertising and analytics SDKs Viacom implemented in its child directed gaming apps, including the Nickelodeon Llama Spit Spit app. Plaintiff’s claimed Viacom did not implement a mechanism for obtaining verifiable parental consent, and the SDKs never checked if verifiable parental consent had been obtained.

The complaint names Disney and three SDK makers (Upsight, and Unity Technologies). Claims were filed under the California Constitutional Right to Privacy, as well as Intrusion Upon Seclusion claims.
[N.D. CA; 3:17-cv-04492]
jbho: as stated below, know your SDKs!

UPDATE: 15Oct2018 – Motion to compel arbitration denied (Doc#83). Viacom did not meet requirements for actual notice or constructive notice of the End User License Agreement (EULA), since the EULA was only visible through a link titled “more,” and it was not necessary for a user to click on that “more” hyperlink to get the app or being playing the game. Since users were unlikely to see the browsewrap agreement at issue, no contract was formed, and the arbitration portions were not enforceable.

“A user cannot accept an offer through silence and inaction where she could not reasonably have known that an offer was ever made to her.”

 

Undisclosed Child Data Collection In Princess Palace Pets App

Rushing v. Disney
Class complaint – Disney allegedly collected, used, and shared personal information of children without notice to, or consent of, parents. The information was allegedly collected by advertising and analytics SDKs Disney implemented in its child directed gaming apps, including the Princess Palace Pets app. Plaintiff’s claimed Disney did not implement a mechanism for obtaining verifiable parental consent, and the SDKs never checked if verifiable parental consent had been obtained.

The complaint names Disney and three SDK makers (Upsight, Unity Technologies, and Kochava). Claims were filed under the California Constitutional Right to Privacy, as well as Intrusion Upon Seclusion claims.
[N.D. CA; 3:17-cv-04419]
jbho: another reminder to make sure you know what your apps are doing. Technological ignorance is no excuse.

Interesting here are the theories of liability. Although COPPA is the centerpoint of the action, the lack of a private right of action means plaintiffs must get creative in their pleadings. Using the COPPA definition should help broaden the types of information deemed ‘personal.’ Per 16 CFR §312.2:
“Personal information means individually identifiable information about an individual collected online, including:
(1) A first and last name;
(2) A home or other physical address including street name and name of a city or town;
(3) Online contact information as defined in this section;
(4) A screen or user name where it functions in the same manner as online contact information, as defined in this section;
(5) A telephone number;
(6) A Social Security number;
(7) A persistent identifier that can be used to recognize a user over time and across different Web sites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier;
(8) A photograph, video, or audio file where such file contains a child’s image or voice;
(9) Geolocation information sufficient to identify street name and name of a city or town; or
(10) Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.” Emphasis added.

Note that the complaint here is remarkably similar to the complaint in McDonald v. Kiloo APS (below). Both were filed by the same attorneys from LIEFF CABRASER HEIMANN & BERNSTEIN, LLP and CARNEY BATES & PULLIAM, PLLC.

Undisclosed Child Data Collection In Subway Surfer App

McDonald v. Kiloo APS
Class complaint – Kiloo allegedly collected, used, and shared personal information of children without notice to, or consent of, parents. The information was allegedly collected by advertising and analytics SDKs Kiloo implemented in its child directed gaming apps, including the Subway Surfers app. Plaintiff’s claimed Kiloo did not implement a mechanism for obtaining verifiable parental consent, and the SDKs never checked if verifiable parental consent had been obtained.

The complaint names Kiloo and seven SDK makers (AdColony, Chartboost, Flurry, InMobi, ironSource, Tapjoy, and Vungle). Claims were filed under the California Constitutional Right to Privacy, N.Y. Gen. Bus. Law §349 (deceptive acts and practices) as well as Intrusion Upon Seclusion claims.
[N.D. CA; 3:17-cv-04344]
jbho: yet another reminder to make sure you know what your apps are doing. Technological ignorance is no excuse.

Note that the complaint here is remarkably similar to the complaint in Rushing v. Disney (above). Both were filed by the same attorneys from LIEFF CABRASER HEIMANN & BERNSTEIN, LLP and CARNEY BATES & PULLIAM, PLLC.

May 2017

Transit App Allegedly Secretly Tracked Users Without Notice Or Consent

Moreno v. BART
Class complaint – Bay Area Rapid Transit (BART) allegedly collected personal information, device identifiers, and location data through its Watch app without user knowledge or consent. The purpose of the app was to allow BART riders to quickly and discreetly alert security personnel about safety or security concerns. However, plaintiff alleged, the app secretly collected unique cellular identifiers, periodically monitored user locations, and tracked identities of anonymous reporters. The app allegedly did not specifically request permission for such collection and use, and although mentioned (with dubious specificity) in the terms and privacy policy, those agreements were not seen by plaintiff, as the links were obscured by the keyboard on data entry screens.

Claims have been filed under California’s Cellular Communications Interception Act and Consumers Legal Remedies Act, as well as claims of Intrusion Upon Seclusion and violation of privacy rights under the California Constitution.
[N.D. CA; 4:17-cv-02911]
jbho: another complaint that uses detailed technical information to support its claims. If you are responsible for vetting apps, you might want to learn how to use these tools, or hire someone who already knows them.

Also of interest is that contract formation may be at risk because of app design. Remember that Uber may not be able to enforce arbitration provisions in its user agreement due to similar alleged design flaws. Users can’t consent to terms they don’t see.

Note also the complaint focuses on collection of IMEIs, which although not forbidden, is discouraged by Google. Another reason to question what your developers are collecting and whether you really need it.

BTW: the Watch App privacy policy (elerts.com/privacy) was updated on 26 May 2017. The complaint was filed on 22 May 2017. Curious timing… 

UPDATE: 24Aug2018 – preliminary settlement (Doc#92). The parties have agreed on injunctive relief and cash payment of $60,000 to class representative and class counsel. The injunctive relief prohibits BART (and its app developers) from collecting IMEI, limits the types of personal information that may be collected, and specifies where collection must be voluntary (including location data). The requested monetary relief provides $2,500 for the class representative, and $57,500 for class counsel.

The injunctive relief under the proposed Settlement was obtained without releasing any of the Settlement Class Members’ claims for monetary relief (meaning class members retain the right to bring suit against Defendant for the full extent of any damages they believe they are entitled to for the conduct alleged in the case).

 

April 2017

Email Scanning Class Action Against Email Blocking Service

Cooper v. Slice (UnrollMe)
Class Complaint – UnrollMe allegedly used its spam blocking service to intercept, read, and store contents of consumer email communications, all without consumer knowledge or consent.
[N.D. CA; 3:17-cv-02340][S.D. N.Y.; 1:17-cv-07102]
jbho: The impetus for this appears to be the recent NYT article accusing Uber of buying Lyft-sent emails from UnrollMe.

It is an interesting case. Screenshots in the complaint do seem to indicate UnrollMe will read emails, and users must “Allow” that at sign up.

Nonetheless, based on the complaint, I’d say you might want to make sure you privacy policy is consistent with your marketing materials. And you should make sure PR people are well prepared with responses when things go south (the UnrollMe CEO is quoted in the complaint as saying the privacy policy & terms “weren’t explicit enough.”)

UPDATE: 14Sept2017 – transferred (Doc#41). The court found that plaintiff’s consented to the forum-selection clause in UnrollMe’s Terms of Use, when they checked a box to agree to hyperlinked terms.

The case was transferred to the Southern District of New York (S.D. N.Y.; 1:17-cv-07102).

UPDATE: 6Jun2018 – dismissed (Doc#66). On standing, there were potentially three types of harm alleged:
(1) UnrollMe sold raw email account information
— Not adequately alleged – that Lyft could identify users didn’t mean they were part of the data set sold by UnrollMe
(2) UnrollMe sold anonymized emails that could easily be re-identified
— Not adequately alleged – the mere possibility that someone might de-anonymize emails was not enough to constitute an injury in fact
(3) UnrollMe sold anonymized emails without consent
— Adequately alleged – Whether there was valid consent was a merits issue, not a standing issue. The complaint adequately alleged that the sale was nonconsensual.
Thus, plaintiff had standing, albeit only for the alleged sale of anonymized emails.

However, plaintiff failed to state a claim upon which relief could be granted. Plaintiffs conceded they agreed to UnrollMe’s privacy policy, a policy that stated:

“(w)e may collect, use, transfer, sell, and disclose non-personal information for any purpose (and) may collect and use your commercial transactional messages and associated data to build anonymous market research products and services with trusted business partners.”

This was exactly what UnrollMe did. The court did sympathize with plaintiffs, but consent was clear. “(p)laintiffs are probably right that most users thought UnrollMe would reduce the noise of internet marketing rather than increase it. But while UnrollMe’s conduct may be unseemly, it still falls within the ambit of the privacy policy.” ECPA/SCA claims failed for the same reason.

Finally, the court rejected plaintiffs contention the privacy policy was unconscionable.          “(T)he mere fact that the privacy policy is a dense take-it-or-leave-it contract does not render it procedurally unconscionable.” Additionally, plaintiffs could simply not use the (free) UnrollMe service.

Since all claims depended on lack of consent, and UnrollMe obtained a valid consent to sell plaintiffs anonymized data, plaintiffs failed to state a claim.

BTW: my favorite quote in the opinion: “But it is also true that those consumers agreed to the Faustian bargain that undergirds much of the internet: you give me a free service, and I suppress the knowledge that you are probably selling my data to digital touts. We may not like it, but it is not per se unlawful.“

Headphone App Allegedly Listens To Listeners

Zak v. Bose
Class complaint – Bose allegedly captured data on audio programs listened to through its mobile app, and allegedly shared the captured data, along with other personal identifiers, with third parties. Data was allegedly ‘intercepted’ while transmitted to the headphones, and included songs, radio broadcasts, podcasts, etc. that potentially revealed sensitive information about politics, religious views, personalities, etc. Plaintiff alleged the data was captured and shared without consumer knowledge or consent.
[N.D. Ill; 1:17-cv-02928]
jbho: I’m a little surprised plaintiff didn’t try to pursue VPPA claims, since it sounds like if someone was watching a movie, that would have been slurped up and shared as well? Allegedly, of course. Perhaps too difficult to show commonality (a movie watcher subclass?).

The interception argument may be a tough one if the communication endpoints are the Bose app & Bose headphones. I suppose a determination will need to be made on the true origination point of the transmission.

Nonetheless, a reminder to keep an eye on your mobile developers, and make sure “privacy by design” is being implemented. That means:
• Knowing what your apps need
• Knowing what your apps are actually doing (including any imported code from third party SDKs)
• Turning off the functions you don’t need
• Getting consent for data/functions you do need
• Making sure your privacy policies are updated, and are clearly and conspicuously posted – in the app, and on the AppStore/Play

March 2017

Smart Massage Device Maker Settles for $3.75 Million

N.P. v. Standard Innovation (We-Vibe)

Preliminary $3.75 settlement – We-Vibe – through an app linked to its personal massage device – allegedly recorded highly sensitive information on consumers’ product use without knowledge or consent. See more.

The preliminary settlement amount is CAD $5 Million (~USD $3,750,000), distributed across an App Class (downloaded the We-Connect app and used it to control a We-Vibe Brand product), and a Purchaser Class (purchased a Bluetooth enabled We-Vibe brand product).

Highlights include (in USD $):
• $3,750,000 non- reversionary settlement fund
— $750,000 for the Purchaser Class
— $3,000,000 for the App Class
• $500 $100 for each ‘App Class’ class member (expected)
• $40 $20 for each ‘Purchaser Class’ class member (expected)
• $5,000 for each class representative (requested)
• $1,250,000 $1,011,522.89 for class counsel (1/3 30% of settlement fund, requested)

UPDATE: 15Aug2017 – final judgment and order of dismissal with prejudice (Doc#56).
Standard Innovations also agreed to stop collecting personal information, destroy all previously collected personal information, update its privacy policy to accurately reflect its practices, and offer an opt-out for third party data sharing.
[N.D. Ill; 1:16-cv-08655]
jbho: same as before: make sure you know what your apps are doing, disclose that behavior, and get appropriate consent.

NYAG Fines Three App Makers $30,000 For Unsubstantiated Performance Claims & Lack Of Privacy Disclosures

AG Schneiderman announced a settlement with Health app makers Cardiio, Runtastic, & Matis for alleged misleading performance claims, and sharing information without appropriate user knowledge or consent.
• Cardiio and Runtastic allegedly claimed their apps could measure heart rate, but were unable to provide evidence supporting those claims. Cardiio also ‘misleadingly implied’ it was endorsed by MIT
• Matis claimed its app could turn any smartphone into a fetal heart monitor, but failed to provide evidence it had been tested against devices scientifically proven to amplify the sound of a fetal heartbeat

The AG further alleged the apps collected sensitive health information, Device IDs, or GPS information without adequate disclosure to, or consent of, the user. Nor did the policies disclose the information collected was not protected under HIPAA. The privacy polices also permitted each to essentially share the sensitive data with anyone the app maker chose.

Under the settlement, each app maker must modify its claims, and only make claims that have been validated by qualified researchers. Records of such testing must be maintained and made available to the AG on demand. Additionally, each must make clear their apps are not medical devices and are not approved by the FDA.

Each must also pay the following monetary penalties:
• Cardiio – $5,000
• Runtastic – $5,000
• Matis – $20,000

With respect to privacy, each must update their privacy policies to disclose what data is collected, how it is shared, with whom, and how it is protected. Each must also get express consent before collecting or sharing data. Where aggregate data will be shared, each must get contractual guarantees data recipients will not re-identify the data.

Each must also establish security policies to protect data collected through their apps, and review the policies bi-annually.
https://ag.ny.gov/press-release/ag-schneiderman-announces-settlements-three-mobile-health-application-developers
jbho: this one is likely more about the alleged deceptive advertising than data collection, particularly since the AG stated the apps could be harmful if consumers were relying on inaccurate or misleading results for health purposes. But still interesting that the AG is making them get active consent to the privacy policy.

Also worth noting, is that the AG stated a device ID is personal.

“Runtastic collected and provided to third parties the unique device identifier of users of Heart Rate Monitor, which is personally identifiable information”

Another Class Action Over Eavesdropping Smart TVs

Siegel v. Samsung
Class complaint – Samsung allegedly recorded private communications with its Smart TVs (including child voices) and shared the communications data with third parties – all allegedly without consumer knowledge or consent. The data was allegedly collected through built-in ‘always on’ recording devices that were not disclosed to the user.

Although the complaint stated defendant’s activities violated multiple federal laws (CCPA, COPPA, ECPA), the compalint focused on the New Jersey Consumer Fraud Act (CFA) for its cause of action.
[D. N.J.; 2:17-cv-01687]
jbho: variation on a theme: know what your devices are doing and get consent for that processing.

FYI, EPIC issued a formal complaint the FTC on the same matter back in 2015 https://epic.org/privacy/internet/ftc/samsung/

February 2017

Runing App Allegedly Snooped At Rest

Vasil v. Kiip
Class complaint – mobile marketer Kiip, through its mobile SDK, allegedly collected and used data from consumer mobile phones without user knowledge or consent. The Kiip SDK allegedly collected consumers personal information, geolocation data, and device identifiers, even when the underlying app was not in use or a consumer was not using the phone. Plaintiffs also claimed Kiip failed to inform its partners using Kiip technology of the alleged surreptitious data collection.

UPDATE: 5Mar2018 – motion to dismiss denied in part (Doc #21). The court found that Kiip was not a party to communications between plaintiffs within the meaning of either the Wiretap Act or the Illinois Eavesdropping Act. “Kiip, like Runkeeper, had the ability to monitor in real-time certain events in the lives of Runkeeper users. Kiip, however, continued to collect information about Runkeeper users when they were not using the Runkeeper app, and even continued to mine data when Runkeeper users were not using their phones at all … Kiip did not obtain consent from any Runkeeper user to collect information while the Runkeeper app or the smartphone were not in use.”

On Wiretap Act claims, the court found the interception of geolocation/device information was insufficiently pled, as the complaint contained no allegations concerning who was supposed to receive the ‘geolocational’ content of a communication.

As for other personal data (e.g., health/fitness info, run routes, etc.), they were clearly contents of communications between plaintiffs and Runkeeper, and plaintiffs adequately pled that Kiip had captured (while plaintiffs were not using their phones) information intended for Runkeeper. However, the capture was not contemporaneous with the communication, thus not an ‘interception’ (plaintiffs alleged only that the information taken without consent while it was stored in the Runkeeper app, after the communications were completed). Thus, Wiretap Act claims were dismissed, but without prejudice.

On Illinois Eavesdropping Act claims, the court found that just because there was a direct transmission from plaintiffs’ phones to Kiip’s servers did not make Kiip a party to a communication. Kiip could not have been a party to a communication executed without plaintiffs’ knowledge. Kiip was not a substitute for Runkeeper; it surreptitiously received plaintiffs’ information in addition to Runkeeper. And although a cell phone could be considered a tracking device in some contexts (tracking device communications being exempted from the Act), the data in question was not being communicated in the context of a tracking device. Thus, the motion to dismiss state law claims was denied (and unjust enrichment claims could proceed along with Illinois Eavesdropping Act claims).

Plaintiffs’ amended complaint is due 16 April 2018, Defendant’s response to the amended complaint is due 21 May 2018, and a status hearing is (re)set for 29 May 2018.
[N.D. Ill; 1:16-cv-09937]
jbho: Two reasons to know what data your apps are collecting:
1) avoid public embarrassment, regulatory action, or litigation
2) keep your insurance coverage

In an interesting development, Kiip’s insurer, Admiral, has filed a motion for judgement that it has no duty to defend or indemnify Kiip since the policy specifically excludes:
• intentional acts, including by error or omission
• unauthorized data collection
UPDATE: 3Apr2018 – since both plaintiff and defendant were citizens of Delaware, the Illinois district court determined it lacked subject matter jurisdiction over the non-diverse parties. Admiral voluntarily dimsissed the case (N.D. Ill.; 1:17-cv-00580; Doc#7).

BTW: the complaint specifically mentioned the Runkeeper app as one that allegedly collected data through the Kiip SDK. Originally caught by a Norwegian consumer protection group, Runkeeper issued an apology stating the ‘bug’ had been fixed (https://blog.runkeeper.com/4714/a-message-to-our-users/).

NY AG Settles With App Makers

AB Mobile Apps and Bizness Apps allegedly collected personal information through their apps, but failed disclose polices for what data was collected and how it was used. As part of the settlement,each has either added privacy policies to their apps, or pulled them from the App Store/Google Play.
https://ag.ny.gov/press-release/ag-schneiderman-announces-settlements-mobile-app-developers-failure-disclose-data
jbho: no discussion of monetary penalties, so this may just be a ‘name and shame’ reminder to clearly and conspicuously disclose data collection, use, sharing, and retention practices.

Also, it’s probably a good idea to keep an inventory of your apps, and if they are no longer being used or supported, you should pull them from the App Store/Google Play.

November 2016

Alleged Built-In Snooping Class Action

Bonds v. Blu Products
Class Complaint – Blu allegedly pre-installed Adups firmware on its phones without consumer knowledge or consent. The Adups software allegedly intercepted and recorded sensitive personal information including telephone numbers, contact lists, call history, full body of text messages, unique device identifiers and “fine-grained device location information,” and transmitted the information to servers in China. In addition to the privacy violations, plaintiffs alleged diminished value of phones as the surreptitious collection and transmission of data increased costs to keep batteries charged as well as decreased the total lifespan of the phone. Plaintiff could neither reasonably detect nor delete/disable the Adups firmware.

Plaintiff stated he would not have purchased the phone – which he used to send/receive calls and texts that included sensitive personal and work-related information – had he been aware that information was being secretly intercepted and shared. Claims have been filed under the ECPA, Federal Wiretap Act, Magnuson-Moss Warranty Act, as well as Intrusion upon Seclusion and Trespass to Chattels claims.

UPDATED:  10Apr2017 – the case has been consolidated with Aguilar v. Blu Products [S.D. FL; 1:16-cv-25131] (Doc#29).

[S.D. FL; 1:16-cv-24892]
jbho: once again, if you are asking consumers to install software on their devices, you better know what that software does. And get consent for that processing.

Note that the allegedly surreptitious activities were identified in a security bulletin published by Kryptowire (http://www.kryptowire.com/adups_security_analysis.html). You may remember the name Kryptowire as the firm hired by the BBB to help the inspect websites & apps for compliance with DAA principles: http://www.asrcreviews.org/accountability-program-announces-work-with-kryptowire/. I’m seeing more and more complaints citing computer code and using ‘forensic accounting’ to identify statutory violations, so technical ignorance may no longer be an excuse for not knowing what is going on in your apps.

And finally, plaintiff here is represented by Girard Gibbs LLP. The Rosen Law Firm published its opw alert on this matter (http://www.rosenlegal.com/newsroom-210.html), indicating more lawsuits are likely to follow.

PS: Blu Products provides low cost phones, where costs are subsidized by advertising revenue (users must consent to see ads on their phones). So this whole thing may go away on that basis alone. Stay Tuned…

October 2016

Fan Says Colts Eavesdropped Through Mobile App (UPDATED)  

Rackemann v. Lisnr
Class complaint – Defendants allegedly intercepted consumers’ oral communications without their knowledge or consent. Interception was allegedly performed by an Indianapolis Colts mobile app, developed by mobile app company Adept Mobile, using Lisnr’s inaudible Smart Tones audio beacon technology. The audio beacon technology was allegedly not disclosed in the App’s Terms of Service or Privacy Policy, and no part of the App’s user interface displays a warning that the microphone was turned on.

UPDATE: 22Feb2017 – Motion to dismiss denied, case transferred to Indiana
The court ruled that in admitting the app filtered recorded audio to identify ‘inaudible’ beacon tones, the app must by design first capture and record all audio, which made plaintiff’s claims plausible at the motion to dismiss phase. The court did agree with Defendants that the case should be heard where the Colts and its fans, including plaintiff, were located.
(Doc 47 – Order on Motion to Transfer Case)

UPDATE: 3Oct2017 – dismissed in part (Doc#129). The court found plaintiff had standing since he sufficiently alleged a violation of his substantive interest in the privacy of his communications, and the alleged invasion of privacy constituted a concrete harm congress sought to protect against. On Wiretap claims, the court found that plaintiff adequately pled that:
(i) it was reasonable to infer that his smartphone was activated by defendants (precise dates and times to be determined at discovery),
(ii) the app captured and recorded audio – audio that was acquired and analyzed by defendants, and
(iii) the app records the content of audible communications.
The court declined to consider defendant’s contention the app did not record audible sounds as a fact not susceptible to judicial notice.

The court declined to dismiss claims against the Colts since the alleged interception was performed by the Colts app. The court also declined to dismiss claims against LISNR, since “the precise manner and degree to which LISNR’s software or server were involved in any alleged interception involves the consideration of facts.” The court reached a similar conclusion in declining to dismiss claims against Adept Mobile, who helped the Colts integrate the LISNR technology into the app.

The court dismissed data ‘use’ claims, as plaintiff failed to allege any specific use of intercepted data (only generally alleged it was ‘used for marketing’). However, the court did leave the door open to cure the use claims, and gave plaintiff 30 days to file an amended complaint.

[W.D. PA; 2:16-cv-01573]
jbho: a recurring theme – if you are asking consumers to install software on their devices, you better know what that software does. And get consent for that processing.

Not that the complaint provides a ‘forensic account’ of the app’s actual computer code to support the claims. There seems to be a trend of technical information being included in complaints. As plaintiff’s bar becomes more tech savvy, you should make sure your products are appropriately vetted – preferably in lab environment.

Also interesting, plaintiff uses a company press release as further evidence of defendant’s intention to eavesdrop:
http://lisnr.com/portfolio-items/lisnr-sidearm-sports-to-bring-location-based-mobile-messaging-to-college-sports-fans/

BTW: a similar complaint to the one recently filed in California against the Golden State Warriors (see below). A trend developing?

September 2016

App Maker Gets Up-Close and Personal

N.P. v. Standard Innovation (We-Vibe)
Class Complaint – We-Vibe – through an app linked to its personal massage device – allegedly recorded highly intimate and sensitive data regarding consumers’ product use without knowledge or consent. We-Vibe allegedly collected data despite in-app promises user connections were secure. Plaintiff claims she would not have purchased We-Vibe if she had known it was designed to secretly monitor, intercept, and transmit consumer usage information. Plaintiff has filed claims under:
(1) Federal Wiretap Act
(2) Illinois Eavesdropping Statute
(3) Intrusion upon Seclusion
(4) Unjust Enrichment
(5) Illinois Consumer Fraud and Deceptive Business Practice Act

UPDATE: 29Nov2016: Parties executed a Memorandum of Understanding (“MOU”) through mediation, and are in the process of drafting a Class Action Settlement Agreement. A 60 day stay of the litigation was granted (Doc#19).

[N.D. Ill; 1:16-cv-08655]
jbho: before you roll out a mobile app, make sure you know what it’s doing, disclose that behavior, and get appropriate consent.

This ‘vulnerability’ was first disclosed at the recent DefCon security conference. Another reason to invest in a testing lab, or secure a vendor who can do a technical screening of your products before you go live with them.
https://www.defcon.org/html/defcon-24/dc-24-speakers.html#follower

BTW: a good example of the difference between privacy and security. According to screenshots in the complaint, it appears in-app disclosures said the connection was secure, but was silent on whether the connection was private.

August 2016

$9 Million Deal Approved In HTC, Samsung Data Suit

In re Carrier IQ Consumer Privacy Litigation
Order approving $9M settlement – AT&T Mobility Inc., HTC Corp., LG Electronics Inc., Motorola Mobility Inc., Samsung Electronics Co. and Sprint Corp allegedly tracked and recorded private user information – without knowledge or consent – from plaintiffs’ mobile phones through use of pre-installed Carrier IQ software. The Carrier IQ software – allegedly installed on 141,000,000 mobile devices worldwide – was allegedly designed and deployed to intercepts private communications, content, and data, including: URLs containing HTTP and HTTPS query strings embedded with Internet search terms user names, passwords, granular geo-location information, SMS text message content, and application purchases and uses. Carrier IQ allegedly failed to implement reasonable security controls in the collection and use of the aforementioned data.

In addition to privacy and security violations, plaintiffs allege the undisclosed software caused harm through taxing device batteries, processors, and memory.

Claims were filed under the Federal Wiretap Act, state privacy statutes (35 states), and state consumer protection acts (21 states), as well as under the Magnuson-Moss Warranty Act, and the Implied Warranty of Merchantability (against the device manufacturers – Plaintiffs claim they would not have purchased mobile devices had they known that the Carrier IQ Software was present).

Highlights include:

• $9,000,000 settlement
• $5,900,000 non-reversionary settlement fund for class members
  • $138 – $149 for each class member (expected)
• $75,000 for plaintiffs/class representatives
  • $3,000 each for plaintiffs/class representatives who expended less than 26 hours (5)
  • $5,000 for remaining plaintiffs/class representatives (12)
• $655,500 for settlement administration
• $2,358,933.72 for class counsel (26% of settlement fund)

[N.D. CA; 12-md-02330]
jbho: same as below – if you are asking consumers to install software on their devices, you better know what that software does.

As background, independent security and privacy researcher, Trevor Eckhart, discovered Carrier IQ running on his Android OS HTC mobile device in November 2011. Working with others in the Android developer community, Eckhart published the results of his Carrier IQ Software analysis on his website, http://www.androidsecuritytest.com. The analysis showed software hidden deeply on his device that would never be known to the average user (finding the software required ‘rooting’ a device, which not only requires great technical skill, but voids warranties as well). For more information, check our Eckhart’s video at https://www.youtube.com/watch?v=T17XQI_AYNo .

BTW: HTC entered into a consent order for its involvement in the Carrier IQ affair. No fines were issued, but they got the usual compliance program requirements with 20 years of biennial audits.

Fan Say Golden State Warriors Eavesdropped Through Mobile App (UPDATED)

Satchell v. Sonic Notify
Class complaint – Defendants allegedly intercept consumers’ oral communications without their consent. Interception was allegedly performed by a Golden State Warriors mobile app, developed by mobile app company Yinzcam, using Sonic Notify’s Signal360 audio beacon technology. The audio beacon technology allegedly secretly activated the built-in microphone on a consumer’s mobile – irrespective of whether a consumer was actively using the App or if it was merely running in the background. Plaintiff claimed the audio beacon technology was not disclosed in the App’s Terms of Service, Privacy Policy, or system settings.

UPDATE: 13Feb2017 – Dismissed, leave to amend (Doc#54). The court ruled that although plaintiff had standing – invasion of privacy was an injury-in-fact – plaintiff failed to show communications were ‘intercepted’ since she could not show defendants acquired or used the contents of any communication. The court did grant leave to amend, finding “the court cannot say it would be a futile act.”

UPDATE: 20Nov2017 – motion to dismiss denied in part (Doc#89). The court found Plaintiff cured deficiencies in her previous complaint (cited at least four instances where she app was running during private conversations), and sufficiently alleged facts to show Signal360 engaged in acts that would qualify as interception under the Wiretap Act, and the Warriors had access to information generated by Signal360 sufficient to show interception as to the Warriors.

The court dismissed claims against Yinzcam, finding there was no evidence Yinzcam seized or redirected any communications itself (they only made sure the microphone would turn on/off). The court distinguished Yinzcam’s role here from Adept Mobile’s role in Rackemann v. Lisnr (W.D. PA; 2:16-cv-01573), finding Adept Mobile was alleged to have dictated when microphones should be activated, making it a party to the (alleged) interception. In this case, the Warriers and Signal360 were alleged to have established those rules. As there was no secondary liability under ECPA (no ‘conspiracy’ or ‘aiding and abetting’ called out in the statute), claims against Yinzcam were dismissed. Any futher amendment would be futile, so claims were dismissed with prejudice.

UPDATE: 19Jan2018 – order selecting ADR process (Doc#98). The remaining defendants (Signal360 and the Golden State Warriors) agreed to resolve claims through and alternative dispute resolution (ADR) process to begin between October 12, 2018 (the deadline for Plaintiff to file her reply in support of class certification) and November 9, 2018 (the hearing date for Plaintiff’s motion for class certification).

[N.D. CA; 3:16-cv-04961]
jbho: same as above, if you are asking consumers to install software on their devices, you better know what that software does. And get consent for that processing.