2H 2016 Quick Links, Part 9 (Privacy/Security)

* California AB 691: “Revised Uniform Fiduciary Access to Digital Assets Act.” The key part is the new Probate Code Sec. 873(a):

A user may use an online tool to direct the custodian to disclose to a designated recipient or not disclose some or all of the user’s digital assets, including the content of electronic communications. If the online tool allows the user to modify or delete a direction at all times, a direction regarding disclosure using an online tool overrides a contrary direction by the user in a will, trust, power of attorney, or other record.

Background from the Recorder.

* California also passed AB 1687, the anti-IMDb law designed to overturn the Hoang case. The main operative text, codified in Civil Code 1798.83.5:

(b) A commercial online entertainment employment service provider that enters into a contractual agreement to provide employment services to an individual for a subscription payment shall not, upon request by the subscriber, do either of the following: (1) Publish or make public the subscriber’s date of birth or age information in an online profile of the subscriber. (2) Share the subscriber’s date of birth or age information with any Internet Web sites for the purpose of publication.

IMDb is challenging the law in court.

* Matera v. Google, 2016 WL 5339806 (N.D. Cal. Sept. 23, 2016)

many courts since Spokeo have placed dispositive weight on whether a plaintiff alleges the violation of a substantive, rather than procedural, statutory right. If the right created by statute is substantive, courts have generally found that Congress permissibly “elevated [the harm recognized by the statute] to the status of legally cognizable injuries,” and thus that a plaintiff alleging violation of a substantive statutory right has Article III standing…. In sum, the Court concludes that the judgment of Congress and the California Legislature indicate that the alleged violations of Plaintiff’s statutory rights under the Wiretap Act and CIPA constitute concrete injury in fact. This conclusion is supported by the historical practice of courts recognizing that the unauthorized interception of communication constitutes cognizable injury.

But also…

the Terms of Service analyzed in Gmail stated, “You should look at the terms regularly. We’ll post notice of modifications to these terms on this page…. If you do not agree to the modified terms for a Service, you should discontinue your use of that Service.” Applying these principles to the instant case, users of the individual Gmail service agreed to the 2014 TOS upon its posting.

Whoa, we have a lot of caselaw rejecting these types of amendment clauses. This favorable amendment ruling still doesn’t help Google because the court says the contract terms didn’t cover the applicable scenarios and didn’t apply retroactively.

Google has tentatively settled this case.

* In re: Facebook Privacy Litigation, 2016 WL 3523850 (N.D. Cal. June 28, 2016). Lawsuit over Facebook’s alleged disclosure of private info in referral URLs is mostly dismissed for lack of Article III standing.

* Luis v. Zang, 2016 WL 4363151 (6th Cir. Aug. 16, 2016). Maker of WebWatcher software cannot shake ECPA claims on motion to dismiss. Prior blog post.

* Carlsen v. GameStop, 2016 WL 4363162 (8th Cir. Aug. 16, 2016):

Carlsen has provided sufficient facts alleging that he is party to a binding contract—the terms of service, which include the Game Informer privacy policy—with GameStop, and GameStop does not dispute this contractual relationship. Carlsen also has alleged that GameStop has violated that policy by “systematically disclos[ing] Game Informer’s users’ PII … to third party Facebook and/or allow[ing] Facebook to directly collect that information itself.” This allegation of breach is both concrete and particularized, as the breach allegedly already has occurred, and any consequences of the breach have occurred specifically to Carlsen as a result of the actions of GameStop’s alleged systematic disclosure via the Facebook SDK. Additionally, Carlsen alleged that he has suffered damages as a result of GameStop’s breach in the form of devaluation of his Game Informer subscription in an amount equal to the difference between the value of the subscription that he paid for and the value of the subscription that he received, i.e., a subscription with compromised privacy protection. Accordingly, Carlsen has alleged an “actual” injury.

However…

Carlsen argues that GameStop promised not to disclose PII and that this PII included his Facebook ID and browser history. We conclude, however, that the privacy policy unambiguously does not include those pieces of information among the protected PII. The privacy policy refers to PII and notes that it:

may include: your name, home address and zip code, telephone number, e-mail address and (for those purchasing products online) credit card or checking account information including billing and shipping addresses and zip codes….

The PII set forth in the privacy policy does not encompass a user’s Facebook ID and browsing history for two reasons: (1) not only do a user’s Facebook ID and browsing history fail to appear on the list of what PII might include, but (2) those data are neither specifically solicited by Game Informer nor voluntarily submitted in response to such solicitation.

* Opperman v. Path, 2016 WL 4719263 (N.D. Cal. Sept. 8, 2016). Yelp cannot defeat “intrusion into seclusion” claim on summary judgment related to its app’s grabbing and storing users’ contacts.

* Lior Jacob Strahilevitz & Matthew B. Kugler, Is Privacy Policy Language Irrelevant to Consumers?, 45 Journal of Legal Studies __ (forthcoming 2017). The abstract:

Consumers almost never read privacy policies, but if they did read such policies closely how would they interpret them? This article reports the results of two experiments in which census-weighted samples of more than a thousand Americans read short excerpts from Facebook, Yahoo, and Google’s privacy policies concerning the use of facial recognition software and automated content analysis on emails. The question of what consumers have consented to under these policies has been central in recent high-stakes class action lawsuits. Experimental subjects were randomly assigned to read language from either the current policies, which explicitly describe Facebook, Yahoo, and Google’s controversial practices, or language from policies that were adjudicated to be insufficient to notify consumers about the companies’ practices. Despite evidence that many experimental subjects read these privacy policy excerpts closely, subjects who saw the explicit policy language and those who saw the ambiguous / vague policy language did not differ in their assessment of whether their assent to that language would allow Facebook, Yahoo, and Google to engage in the practices at issue. More surprisingly still, even though consumers rated both Facebook’s use of facial recognition software and Google and Yahoo’s use of automated content analysis as highly intrusive, they generally regarded their assent to even vague privacy policy language as allowing the companies to engage in those practices. Also, only a little more than a third of the participants expressed a willingness to pay any money to avoid automated content analysis of their emails. A replication study that included strong measures of participant attention confirmed the results from the first experiment and suggests that those reading the policies more carefully were not more likely to draw distinctions between them.

Our study shows that courts and laypeople can understand the same privacy policy language quite differently. Taken together, these results provide important evidence for the propositions that (1) social norms and user experiences with technological applications, not privacy policies, will drive users’ understanding of the nature of their bargain with firms, that (2) this is the case even when users read those policies reasonably carefully, that (3) most users of email and social networking sites believe that Facebook, Yahoo, and Google are authorized to engage in controversial and invasive practices implicating user privacy, and that (4) there is presently little reason to expect the development of a robust market for premium privacy-protective email and social networking applications in the United States.

* Alessandro Acquisti et al., Nudges for Privacy and Security: Understanding and Assisting Users’ Choices Online. From the intro:

we review research in relevant fields (such as behavioral decision research, behavioral economics, and experimental psychology) to gain insights into the impact of cognitive and behavioral biases on online security and privacy decision making (Section 2). Then, we review interventions developed in various fields (such as decision research, human-computer interaction, and persuasive technologies) aimed at helping users make “better” online security and privacy decisions, i.e., decisions that minimize adverse outcomes or are less likely to be regretted. We show how this work shares similarities with mechanisms developed to nudge people in a variety of other domains, such as health and retirement planning. We broadly refer to these efforts as “nudging research,” regardless of the originating field of study. We posit that all these efforts can be largely viewed as implementations of soft paternalistic concepts, whereby interventions are intended to gently guide users towards safer practices rather than imposing particular decisions. In doing so, we suggest that prior work on the design of user interface technologies for security and privacy can be examined from a nudging perspective: every design decision potentially nudges users in one direction or another. Furthermore, we point to examples of existing interfaces that nudge individuals either towards more protective behaviors (Section 3) or, sometimes, towards riskier ones (Section 4). We further discuss practical and ethical questions associated with nudging for security and privacy, along with a discussion of design and research challenges in this area (Section 5). Finally, we conclude with a summary of insights identified in this review (Section 6).

* A.G. Schneiderman Announces Results Of “Operation Child Tracker,” Ending Illegal Online Tracking Of Children At Some Of Nation’s Most Popular Kids’ Websites

* NY Times: Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say