Tuesday, May 27, 2014

Apple loses 230 defense to app privacy claims but still wins dismissal

Opperman v. Path, Inc., 2014 WL 1973378,  No. 13-cv-00453 (N.D. Cal. May 14, 2014)
This big class action against Apple and fourteen app developers has a lot of issues; I’ll try to focus on the consumer protection parts.  Plaintiffs alleged that the apps at issue were surreptitiously “stealing and disseminating” the contact information stored by customers on Apple devices.
Apple exercises strong control over App Store offerings, and its devices have Apple apps that can’t be removed, including Contacts (address book) and the App Store.  Apple allegedly claims to review each app before it’s allowed in the store and claims to protect privacy strongly, representing that its products are “safe and secure.”  While Apple’s app guidelines bar the transmission of user data without prior permission, Apple’s guidance to app developers allegedly encourage data theft. 
Apple tells developers, “don’t force people to give you information you can easily find for yourself, such as their contacts or calendar information,” and “[i]f possible, avoid requiring users to indicate their agreement to your [end user license agreement] when they first start your application. Without an agreement displayed, users can enjoy your application without delay.”  Thus, plaintiffs alleged that “Apple taught Program registrants’ to incorporate forbidden data harvesting functionalities – even for private “contacts” – into their Apps and encouraged Program registrants to design those functions to operate in non-discernible manners that would not be noticed by the iDevice owner. These App Defendants, apparently in accord with Apple’s instructions, did just that with their identified Apps.” In addition, plaintiffs alleged: “Apple’s Program tutorials and developer sites [ ] teach Program registrants how to code and build apps that non-consensually access, manipulate, alter, use and upload the mobile address books maintained on Apple iDevices.”
In some cases, apps allegedly accessed user data without any prompt at all, while in other cases, the apps “surreptitiously accessed and uploaded information from users’ Contacts app through a ‘Find Friends’ feature without disclosing to users that the feature would leave their private information vulnerable to unauthorized download by the third-party app manufacturer.”  As a result, many apps could have users’ address books stored in their own databases.  According to a congressional letter, one developer claimed to have a database containing “Mark Zuckerberg’s cell phone number, Larry Ellison’s home phone number and Bill Gates’ cell phone number.
After controversy about this, in September 2012, Apple released iOS 6, “which updated privacy settings on iDevices in a manner that discloses which apps access users’ contacts, calendars, reminders, photos, and other personal information, and allows users a way to prevent certain apps from accessing certain information.”
Plaintiffs alleged that Apple repeatedly touted its safety and security, sometimes in particular mentioning apps’ access to data.  When the App Store launched, Steve Jobs explained, “[t]here are going to be some apps that we’re not going to distribute. Porn, malicious apps, apps that invade your privacy.”  Similar statements followed from Jobs and others.  In September 2011, Apple’s website stated that “iOS 4 is highly secure from the moment you turn on your iPhone. All apps run in a safe environment, so a website or app can’t access data from other apps.” Apple also assured consumers that, for data-security purposes, “Applications on the device are ‘sandboxed’ so they cannot access data stored by other applications.”  More generally, plaintiffs alleged that Apple cultivated an image in which security and privacy were key promises.
Plaintiffs alleged they saw and relied on Apple’s website, in-store advertisements, and television advertising in purchasing their iDevices, and that they would have paid less for their devices, or not purchased them at all, had they known they were vulnerable to privacy attacks.
Apple challenged Article III standing.  The court framed the allegations this way: “Plaintiffs allege, with respect to Apple, that they suffered injury in the form of having overpaid for their iDevices, because they would have paid less for their devices, or not purchased them at all, if Apple had disclosed that it had failed adequately to secure the devices from the alleged intrusion.”  This was a palpable economic injury, long recognized as sufficient for standing.
Apple argued that plaintiffs hadn’t satisfied the causation requirement because they didn’t identify Apple’s specific representations that led to the overpayment.  But standing isn’t merits.  The alleged injury was fairly traceable to Apple, not the result of the independent action of some third party not before the court. 
The court rejected application of In re LinkedIn User Privacy Litig., 932 F. Supp. 2d 1089 (N.D. Cal. 2013), which held that “something more” was required than overpaying for a defective product, but that was because plaintiffs there were only pleading breach of contract (a difference between what they were promised and what they received).  But once a defect is sufficiently and plausibly pled, economic losses are readily established: defective products aren’t worth as much.  The “something more” could be allegations about value based on market forces, or could be “sufficiently detailed, non-conclusory allegations of the product defect.”  The allegations here, about the product design allowing third parties to take address book information without consent, sufficed.
Plus, plaintiffs established standing through their statutory claims because “[t]he injury required by Article III can exist solely by virtue of ‘statutes creating legal rights, the invasion of which creates standing.’”  However, plaintiffs lacked Article III standing based on alleged injury to property rights in the address books, which doomed their claims for conversion and trespass.
Apple then argued that non-resident plaintiffs couldn’t bring California claims.  But that conflated extraterritorial application of California law and choice of law.  Whether a non-resident can assert a California statutory claim is a constitutional question based on whether California has sufficiently significant contacts with the claims.  The court didn’t reach the choice of law issue, but noted that the presumption against extraterritorial application of California law doesn’t apply where the alleged misconduct occurs in California.
Apple moved to dismiss all claims against it under CDA §230, except for claims based on its own alleged misrepresentations.  Plaintiffs’ argument that Apple could choose what apps to remove got nowhere; that’s still editorial/publisher-like.  But Apple could be liable if it was responsible, in whole or in part, for creating or developing the allegedly unlawful material—if it contributed materially to the material’s alleged unlawfulness.  Providing neutral tools wasn’t enough. 
The court found that not all CDA defenses can be resolved on a motion to dismiss.  Here, the complaint pled sufficient conduct to make Apple itself an “information content provider” whose conduct is not protected by the CDA.  Plaintiffs alleged that Apple’s “iOS Human Interface Guidelines” for developers encouraged data theft. “Among the guidelines are several suggestions that do, on their face, appear to encourage the practices Plaintiffs complain of in this case,” such as instructions not to force people to provide information the app could easily find for itself, such as contacts or calendar information, and instructions to avoid having users agree to the EULA when they first launch an app.  Plaintiffs alleged: “Apple taught Program registrants to incorporate forbidden data harvesting functionalities – even for private ‘contacts’– into their Apps and encouraged Program registrants to design those functions to operate in non-discernible manners that would not be noticed by the iDevice owner.” This was conduct that went beyond traditional editorial functions of a publisher, and beyond providing neutral tools.  However, not all of plaintiffs’ allegations about Apple’s conduct took it outside §230.  Apple’s review guidelines and actual review of apps was “fundamental ‘publisher’ activity protected by the CDA,” as was failing to remove offending apps from the App Store and advertising third-party apps for its own financial advantage.  So was mere provision of a software development kit, which was a neutral tool.
Apple argued that plaintiffs’ California statutory and negligent misrepresentation claims failed because plaintiffs didn’t identify any specific misrepresentations on which they relied in buying. Rule 9(b) requires such claims to be pled with particularity, plus plaintiffs had to adequately plead injury and causation/detrimental reliance.  But misrepresentation need not be the only cause of the purchase, and an inference of reliance arises from a material misrepresentation.
The court found the claims of reliance inadequate; allegations that a plaintiff viewed Apple’s website were insufficient to allege viewing of or reliance on particular representations.  The court considered whether Tobacco II’s exception for long-term and extensive ad campaigns applied.  Factors to be considered: “First, to state the obvious, a plaintiff must allege that she actually saw or heard the defendant’s advertising campaign…. Second, the advertising campaign at issue should be sufficiently lengthy in duration, and widespread in dissemination, that it would be unrealistic to require the plaintiff to plead each misrepresentation she saw and relied upon.”  How long and extensive is a fact-intensive question—campaigns could be too short (six months) or insufficiently extensive (two ads over eighteen months). 
Third, plaintiffs should “describe in the complaint, and preferably attach to it, a ‘representative sample’ of the advertisements at issue in order adequately to notify the defendant of the precise nature of the misrepresentation claim.”  This accommodates defendants’ rights to a sufficiently specific pleading and plaintiffs’ rights against overly burdensome requirements in cases involving multiple misrepresentations.  Fourth, the similarity of the alleged misrepresentations in the campaign is important.  “[T]he advertisements at issue should be similar enough to be considered as part of one campaign, or the delivery of a single message or set of messages, rather than a disparate set of advertising content published in the ordinary course of commerce.” 
“Fifth, in the absence of specific misrepresentations, a complaint subject to Rule 9(b)’s requirements should plead with particularity, and separately, when and how each named plaintiff was exposed to the advertising campaign. It is not sufficient to plead as a group, nor is it sufficient simply to allege general exposure without more detail.”  This ensures that the ads at issue were ones consumers “were likely to have viewed, as opposed to representations that were isolated or more narrowly disseminated, such as statements buried on a rarely-viewed webpage, or made on an investor phone conference. Certainly, such representations could be part of an advertising campaign, but the complaint should describe the mechanism of dissemination for all identified representations.”  Sixth, the date of purchase or reliance must be determinable.  Representations prior to purchase are relevant, but not those after.  Thus, the plaintiff must describe as best she can the date of purchase, the timeframe of the ads at issue, and when she was exposed to them.
Applying these factors, plaintiffs didn’t adequately allege a long-term advertising campaign that exused them from pleading specific reliance. First, it wasn’t clear that they were actually exposed to the ad campaign.  Second, the complaint didn’t have sufficient detail about the extent of the advertising, not just its length—how often the ads were published or in which media.  Third, the complaint didn’t attach or describe a representative sample of the ads at issue. Though they identified some specific representations on Apple’s website/made by Apple employees (including former and current CEOs), that wasn’t enough.  “After reading the complaint asserted against it, a defendant should be able to understand which advertising is alleged to be misleading, and how it is misleading, so that it may prepare a defense and identify in discovery the remainder of the advertising at issue – and just as importantly, that advertising which is not at issue.”  Fourth, because of this insufficient detail, the court couldn’t conclude that the alleged misrepresentations had sufficient similarity to constitute a single message/set of messages susceptible to uniform treatment.  Fifth, plaintiffs didn’t allege how they were exposed—it wasn’t enough to allege that they “viewed Apple’s website, saw in-store advertisements, and/or [were] aware of Apple’s representations regarding the safety and security of the iDevices prior to purchasing their own iDevices.” Sixth, they didn’t allege when specifically they bought their devices.
What about failure to disclose claims?  Plaintiffs alleged that Apple had an affirmative duty to disclose material facts of which it had exclusive knowledge—the vulnerability of plaintiffs’ devices to the theft of their address books by third party apps.  Because plaintiffs didn’t adequately identify Apple’s misrepresentations, they weren’t entitled to claim a duty to disclose arising from Apple’s partial representations.  They also argued that there was a duty to disclose because Apple had exclusive knowledge of material facts not known to them and that Apple actively concealed material facts.  But still, “‘[a] manufacturer’s duty to consumers is limited to its warranty obligations absent either an affirmative misrepresentation or a safety issue.’”  Plaintiffs failed to allege anything about Apple’s warranty obligations or duration.  Thus the statutory consumer protection and negligent misrepresentation claims were dismissed.
The CFAA and related California computer fraud law claims were dismissed because Apple didn’t violate them.  The design defect and failure to warn claims failed because there was no physical harm to people or property.  The negligence claims were barred by the economic loss doctrine.
That was it for Apple.  How about the app defendants?
They too argued Article III standing.  Plaintiffs alleged diminished mobile device resources (storage, battery life, bandwidth), but there was no quantification or other indication that this was anything more than de minimis.  Nor could plaintiffs allege a continuing need for injunctive relief, since all the defendants discontinued their practices when the practice of transmitting user address books was made public, and Apple has instituted new privacy controls.
Plaintiffs argued that the app defendants interfered with their property rights in their address books.  But standing can’t be based solely on the theory that the value of a plaintiff’s personal information has been diminished.  The plaintiff needs to allege how the defendant’s use of the information deprived the plaintiff of the information’s economic value. “Put another way, a plaintiff must do more than point to the dollars in a defendant’s pocket; he must sufficiently allege that in the process he lost dollars of his own.”  Plaintiffs didn’t do this.  Although other privacy cases involved computer-generated information and not user-entered information, in any case plaintiffs must tie allegations that their personal information has value to the alleged injury they suffered.
However, two theories of injury were sufficient for standing.  First, the statutory claims: injury required by Article III can exist solely from statutes creating legal rights. Second, the common law claim for invasion of privacy conferred standing, regardless of the merits.  Thus, the common law claims against the app defendants went, except for the invasion of privacy claims.
The California UCL claims were dismissed because plaintiffs couldn’t show they lost money or property.
How about invasion of privacy through intrusion upon seclusion?  Plaintiffs alleged that the intrusion was “highly offensive to a reasonable person,” as evidenced by the “myriad newspaper articles, blogs, op eds., and investigative exposes’ [that] were written complaining and objecting vehemently to these defendants’ practices.”  Congress opened inquiries to investigate, and some defendants publicly apologized. 
The app defendants didn’t contest that plaintiffs had a legally protectable privacy interest in their address books, nor did they contest that the apps intruded upon that interest. Instead, they argued that plaintiffs didn’t have a reasonable expectation of privacy in their information, and that the intrusion wasn’t sufficiently offensive to create a claim.  This tort requires an “objectively reasonable expectation of seclusion or solitude in the place, conversation or data source.”  Advance notice may create or inhibit reasonable expectations, as may the presence or absence of opportunities to consent to activities affecting privacy interests.
Here, the court found that plaintiffs’ expectation of privacy in their address books contained on their iDevices in this circumstance was reasonable; apps that copied the address books without consent or any prompt interfered with that reasonable expectation.  But other apps copied address books after prompting users to “find friends” who used the same app, notifying users that the app would scan their address books.  “Although the prompts required Plaintiffs to consent, Plaintiffs’ expectation of privacy in that circumstance was still reasonable. Plaintiffs allege that they would not have consented had they known that their apps would not only scan their address books to determine whether their friends were using the same app, but then upload the address books to the app developer for other purposes.”  Plaintiffs alleged that their consent was obtained by fraud; this was enough to plead that their consent was invalid.
Was the intrusion at issue “highly offensive”? According to the Restatement, “[a] court determining the existence of ‘offensiveness’ would consider the degree of intrusion, the context, conduct and circumstances surrounding the intrusion as well as the intruder’s motives and objectives, the setting into which he intrudes, and the expectations of those whose privacy is invaded.”  A previous case held that the surreptitious tracking of personal data and geolocation information was not an “egregious breach of social norms.”  But that was distinguishable.  The theft of information in personal contact lists is more private than a mailing address.  And the court didn’t believe that it qualified as “routine commercial behavior.”  Also, the tort didn’t require a highly offensive use of the private information, only an intrusion; for example, a California court found an intrusion upon seclusion claim viable where a patient’s doctor performed a breast examination in front of a pharmaceutical salesperson without revealing that the salesperson was not a medical professional. The Restatement expressly disavows any limitation requiring use of the information. The offensiveness of the intrusion was a question better left to a jury.
The app defendants also argued that plaintiffs failed to allege economic injury from the intrusion, but that wasn’t required. Damages are available for “anxiety, embarrassment, humiliation, shame, depression, feelings of powerlessness, anguish, etc.”
However, the claim based on public disclosure of private facts failed. It wasn’t enough that plaintiffs’ address books were transmitted unencrypted, or over public wifi.
The CFAA and California computer fraud claims were also dismissed; the apps didn’t circumvent any restrictions on access.  The Electronic Communications Privacy Act and state wiretap statute claims were also dismissed.

No comments:

Post a Comment