July 04, 2012
Judge Koh Whittles Down iPhone App Privacy Lawsuit – In re iPhone Application Litig.
[Post by Venkat Balasubramani]
In re iPhone Application Litig., 11-MD-02250-LHK (N.D. Cal.; June 12, 2012)
Plaintiffs brought a putative class action against Apple and several “mobile industry defendants.” The basic allegations are that apps available for free in the app store improperly allowed for the disclosure of personal information to the mobile industry defendants, who have acquired personal details (addresses, current whereabouts, unique device identifier, gender, age, zip code, and time zone) from plaintiffs and tracked them. Judge Koh granted the bulk of defendants’ motion to dismiss with prejudice in open court and recently issued a written order setting forth the court’s reasons. It’s a thorough order that digs in to privacy claims under federal statutes, and well worth reading in its entirety. (Kudos to Judge Koh. She consistently cranks out some must-read orders in this corner of the blogosphere.)
Standing: Citing to the Ninth Circuit’s opinion in Edwards v. First American Corp., among other cases, the court says that plaintiffs’ allegations that defendants violated the Wiretap Act and Stored Communications Act in accessing plaintiffs’ own personal information is sufficient to confer standing. (See this post from Wendy Davis that talks about ongoing litigation involving Video Privacy Protection Act claims against Hulu and discusses the issue of how the Supreme Court's ruling in the Edwards case can affect other privacy cases. Between the time Judge Koh issued her order and I finished up this blog post, the Supreme Court dismissed Edwards without a ruling, leaving intact the Ninth Circuit's opinion.)
Stored Communications Act: The SCA requires plaintiff to show that defendants accessed “a facility through which an electronic communications service” is provided without authorization and accesses wire or electronic communications that are “in storage”.
Judge Koh says: (1) plaintiffs' iPhones are not “facilities through which electronic communications services” are provided; (2) the data in question is not in “storage” that is either incidental to transmission or for backup purposes; and (3) the exception allowing access by service providers applies to the mobile industry defendants (but not to Apple). The most interesting of these conclusions is the first one, and this conclusion is contrary to several cases that have gone the other way (that this court says “provide little analysis on this point of law”). Citing to Crowley v. Cybersource, the court says that treating computers or devices of end users (as opposed to service providers) as facilities would render other parts of the statute illogical.
Wiretap Act: Plaintiffs’ Wiretap Act claims require them to show that defendants intercepted “the content” of wire, oral, or electronic communications. The court agrees with Apple that the identities of parties to a communication and “other call data” is not “content” under the Wiretap Act. Plaintiffs cited to In re Pharmatrak for the proposition that the “contents” of a communication includes any personally identifiable information, but the court disagrees, noting that Pharmatrak relied on a Supreme Court case from the 70s that discussed an earlier version of the Wiretap Act. The statute was since amended to specifically take out “information concerning the identity of the parties” to a communication. [Apple also argued that it shouldn’t be held liable for any interception because it was an intended recipient of the information, but the court rejects this argument.]
Computer Fraud and Abuse Act: The court says there are two problems with plaintiffs’ claims under the Computer Fraud and Abuse Act. First, plaintiffs voluntarily downloaded the apps and thus would have “serious difficulty pleading a CFAA violation.” Additionally, the court says that plaintiffs will not be able to satisfy the $5,000 damage threshold necessary to assert a CFAA claim. The argument that the use of personal information benefited the mobile industry defendants and generated a benefit of over $5,000 to them does not fly with the court (citing In re Zynga and Del Vecchio v. Amazon). Second, the court also finds plaintiffs’ argument that creation of the location history files consumed the devices’ memory and shortened battery life to not be “plausible.” Damage means there has to be some notable impairment of performance, and the court says plaintiffs cannot demonstrate that here.
California Constitution: The California Constitution protects against privacy intrusions by both public and private actors. In order to be actionable, the defendant’s intrusion must be sufficiently serious in nature to constitute “an egregious breach of the social norms underlying the privacy right.” The court says plaintiffs’ allegations fall short on this score.
Other State Law Claims: Plaintiffs asserted a slew of other state law claims, the bulk of which fell by the wayside. These included conversion (personal data is not the type of property that can be converted); trespass (citing Intel v. Hamidi); negligence (as to negligence claims against Apple, hello, Section 230). The court did allow two state law claims to go forward: (1) Consumer Legal Remedies Act claims and (2) claims under California unfair competition statute.
Judge Koh's ruling is extremely thorough and holds the plaintiffs' claims up to some harsh scrutiny. It's not difficult to see that it will be widely cited in privacy cases. Two things that are most significant about this ruling (other than the fact that it thoroughly neuters a class action that at first glance seems like it would get over the motion to dismiss hurdle):
First, the court's ruling that plaintiffs' devices are not facilities under the Stored Communications Act will be relevant in a variety of scenarios. I recently blogged about claims brought against an employer for "shoulder surfing" an employee-co-worker's Facebook page, and a Stored Communications Act claim under this scenario doesn't look so promising in light of Judge Koh's ruling. (See “Accessing an Employee's Facebook Posts by "Shoulder Surfing" a Coworker's Page States Privacy Claim.”) It's worth noting that in the Computer Fraud and Abuse Act scenario, mobile phones have been found to constitute protected computers.
Second, the court also affirms that privacy plaintiffs will not be able to satisfy the jurisdictional threshold by asserting that they suffered $5,000 worth of loss to their personal information. The court's position that while personal information may be property in the metaphysical sense, this does not translate into loss for CFAA purposes, is part of a growing body of cases that have rejected attempts by privacy plaintiffs to rely on defendants' exploitation of personal information for the proposition that this information has economic value.
It's interesting that after blasting the federal claims, the court allows the UCL claims to proceed. Plaintiffs' allegations were pretty slim here and if this is all that is necessary, plaintiffs will be able to overcome a motion to dismiss every time.
Finally, I remain curious about the applicability of Section 230 in this scenario and why Apple doesn't push this issue. (I'm sure they have some reason for doing so; maybe Barnes v. Yahoo is an easy workaround for plaintiffs.)
The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]