App Listening For Audio Beacons May Be Illegal Wiretapping–Rackemann v. Colts
This is a lawsuit against the Colts and app developers, alleging that the Colts’ app activates a device’s microphone and temporarily records portions of audio, for advertising purposes. The app monitors the audio for “beacon tones” which are then used to deploy advertisements. The app is able to listen on command and while running in the background. The app’s terms of service allegedly does not disclose the use of beacon technology or that it activates the microphone for the purposes of “listening in”. It’s unclear from the order precisely when the listening feature was activated.
Plaintiff alleged that he downloaded the app from the Google Play store and used it to follow the Colts and as a result, the app listened in on his “private conversations”. He sued on his own behalf and on behalf of a putative class. The various defendants (the Colts, app developers) moved to dismiss. The court denies the motions.
Standing: The court first says that plaintiff has standing. Citing to Spokeo, the court says this is an example of a privacy right recognized by Congress and in the common law, and also one where damages are difficult to prove. In other words, it’s the classic statutory violation that can satisfy Article III standing even without a showing of damages (“the Court concludes that Congress exercised its judgment to codify a substantive right . . . long recognized in American jurisprudence”).
The Interception Claim: The court also says plaintiff adequately states an interception claim. Plaintiff adequately alleges that his “private” conversations were intercepted. He need not satisfy some sort of Rule 9-type standard with respect to these allegations. He also adequately alleges that his communications were “acquired”. The court says the definition of “acquired” is broad and includes where a communication is “captured or redirected in any way”. That definition is easily satisfied here based on the allegations. Finally, the court also says that the “contents” (the substance or purport) of the communications were captured.
Derivative Liability: The court also evaluates the claims by the Colts and upstream developers and providers that, while there may be primary liability under the statute, they are not liable because they did not actually engage in the interception. (The fact that everyone raised this argument is somewhat self-defeating.) Ultimately the court says it need not address the issue of aider and abettor liability, as these particular defendants are alleged to control the “listening rules” for the apps. The court also notes that the Colts’ argument is specious given that the app “belonged to” the Colts and was programmed by the Colts. The court similarly dismisses the argument of the technology provider on the basis that factual questions exist regarding the true nature of the interceptions. The court does say that, with respect to one of the defendants (the developer), the issue is somewhat more difficult as the plaintiff’s allegations regarding its “role in the operation of the App are fewer are less developed.” Nevertheless, the court says factual issues exist even as to this defendant and, in the process, cites to several derivative liability cases in the context of interception claims.
[Finally, the court does agree that plaintiff’s allegations regarding “use” of the communications are lacking and it dismisses these claims (with leave to amend).]
This is a super interesting case. You often hear chatter on social media about apps (including the big ones, such as Twitter) “listening,” but to my knowledge this is one of the first lawsuits brought against apps for this type of conduct. One wonders how prevalent in the industry this practice is and how many chickens will come home to roost. (The Warriors beat back a similar lawsuit earlier this year, although it is still ongoing: “Judge Sides With Warriors In Battle Over ‘Eavesdropping’ App“.)
This ruling is a good illustration of where Spokeo can help plaintiffs with respect to standing. There are not a ton of federal statutes out there that are intended to protect privacy and vindicate harms protected traditionally under the common law, but the Wiretap Act appears to be one of them.
The failure to seek permission from the user seems like UX malpractice, if not legal malpractice. Users informed about privacy complain about the granularity of permission, but not seeking permission at all seems like a gaffe at best. I’m curious to see the underlying app development agreement and indemnification provisions.
As Eric notes below it does not appear that any human ever listened to the conversations or that they were stored, so where’s the real harm? On the other hand, judges don’t appear very receptive to this argument, whether it comes to browsing habits, emails, or as in this case, conversations.
* Judges vary on just how rigorously they’ll screen a complaint on a motion to dismiss. This judge seemed substantially more permissive to the plaintiffs’ pleadings than I’d expect other judges to be.
* This case reminded me a lot of the Pharmatrak case from 2003, which I still teach in Internet Law. That case dealt with web beacons rather than audio beacons, but the cases share the same basic technological and legal issues. In Pharmatrak, trying to “listen” to the web beacons unintentionally ensnared personally identifiable information from healthcare patients; in this case, listening to the audio beacons led to the unwanted ensnarement of private conversations. And both cases involved finer points of the ECPA. So what’s old is new again. Surprisingly, despite its obvious relevance, the Pharmatrak case wasn’t cited in the opinion.
* Apps engaging in undisclosed surreptitious recordings are not OK. I hope and expect that they are illegal. What lawyer thinks LISNR’s business model is a good one? Cf. the Pharmatrak case again, where Pharmatrak went bankrupt after the disclosure of its unwanted capturing of PII.
* Having said that, let me ask a question based on the following 2 assumptions (that may or may not be true): (1) no human ever listened to any recordings of the app users’ private (or, for that matter, public) conversations, and (2) any recordings were flushed soon enough that they never posed a serious risk of being obtained by criminal hackers (or were encrypted sufficiently strongly that no third party could ever listen to them even if stolen). If these 2 assumptions are true, then what harm did the plaintiffs suffer, really? Wouldn’t this just be another variation of a tree that falls in the forest that no one is around to hear?
Case citation: Rackemann v. LISNR, Inc., 1:17-cv-00624-TWP-MJD (S.D. Ind. Sept. 29, 2017)