Opperman v. Path, Inc., 2014 WL 1973378, No. 13-cv-00453 (N.D. Cal. May 14, 2014)
This big class action against Apple and fourteen app
developers has a lot of issues; I’ll try to focus on the consumer protection
parts. Plaintiffs alleged that the apps at
issue were surreptitiously “stealing and disseminating” the contact information
stored by customers on Apple devices.
Apple exercises strong control over App Store offerings, and
its devices have Apple apps that can’t be removed, including Contacts (address
book) and the App Store. Apple allegedly
claims to review each app before it’s allowed in the store and claims to
protect privacy strongly, representing that its products are “safe and secure.” While Apple’s app guidelines bar the
transmission of user data without prior permission, Apple’s guidance to app
developers allegedly encourages data theft.
Apple tells developers, “don’t force people to give you
information you can easily find for yourself, such as their contacts or
calendar information,” and “[i]f possible, avoid requiring users to indicate
their agreement to your [end user license agreement] when they first start your
application. Without an agreement displayed, users can enjoy your application
without delay.” Thus, plaintiffs alleged
that “Apple taught Program registrants to incorporate forbidden data
harvesting functionalities – even for private ‘contacts’ – into their Apps and
encouraged Program registrants to design those functions to operate in
non-discernible manners that would not be noticed by the iDevice owner. These
App Defendants, apparently in accord with Apple’s instructions, did just that
with their identified Apps.” In addition, plaintiffs alleged: “Apple’s Program
tutorials and developer sites [ ] teach Program registrants how to code and
build apps that non-consensually access, manipulate, alter, use and upload the
mobile address books maintained on Apple iDevices.”
In some cases, apps allegedly accessed user data without any
prompt at all, while in other cases, the apps “surreptitiously accessed and
uploaded information from users’ Contacts app through a ‘Find Friends’ feature
without disclosing to users that the feature would leave their private
information vulnerable to unauthorized download by the third-party app manufacturer.”
As a result, many apps could have users’
address books stored in their own databases.
According to a congressional letter, one developer claimed to have a
database containing “Mark Zuckerberg’s cell phone number, Larry Ellison’s home
phone number and Bill Gates’ cell phone number.”
After controversy about this, in September 2012, Apple
released iOS 6, “which updated privacy settings on iDevices in a manner that
discloses which apps access users’ contacts, calendars, reminders, photos, and
other personal information, and allows users a way to prevent certain apps from
accessing certain information.”
Plaintiffs alleged that Apple repeatedly touted its safety
and security, sometimes in particular mentioning apps’ access to data. When the App Store launched, Steve Jobs
explained, “[t]here are going to be some apps that we’re not going to
distribute. Porn, malicious apps, apps that invade your privacy.” Similar statements followed from Jobs and
others. In September 2011, Apple’s
website stated that “iOS 4 is highly secure from the moment you turn on your
iPhone. All apps run in a safe environment, so a website or app can’t access
data from other apps.” Apple also assured consumers that, for data-security
purposes, “Applications on the device are ‘sandboxed’ so they cannot access
data stored by other applications.” More
generally, plaintiffs alleged that Apple cultivated an image in which security
and privacy were key promises.
Plaintiffs alleged they saw and relied on Apple’s website,
in-store advertisements, and television advertising in purchasing their
iDevices, and that they would have paid less for their devices, or not
purchased them at all, had they known they were vulnerable to privacy attacks.
Apple challenged Article III standing. The court framed the allegations this way: “Plaintiffs
allege, with respect to Apple, that they suffered injury in the form of having
overpaid for their iDevices, because they would have paid less for their
devices, or not purchased them at all, if Apple had disclosed that it had
failed adequately to secure the devices from the alleged intrusion.” This was a palpable economic injury, long
recognized as sufficient for standing.
Apple argued that plaintiffs hadn’t satisfied the causation
requirement because they didn’t identify Apple’s specific representations that
led to the overpayment. But standing
isn’t merits. The alleged injury was
fairly traceable to Apple, not the result of the independent action of some
third party not before the court.
The court rejected application of In re LinkedIn User
Privacy Litig., 932 F. Supp. 2d 1089 (N.D. Cal. 2013), which held that
“something more” was required than overpaying for a defective product, but that
was because plaintiffs there were only pleading breach of contract (a difference
between what they were promised and what they received). But once a defect is sufficiently and
plausibly pled, economic losses are readily established: defective products
aren’t worth as much. The “something
more” could be allegations about value based on market forces, or could be “sufficiently
detailed, non-conclusory allegations of the product defect.” The allegations here, about the product
design allowing third parties to take address book information without consent,
sufficed.
Plus, plaintiffs established standing through their
statutory claims because “[t]he injury required by Article III can exist solely
by virtue of ‘statutes creating legal rights, the invasion of which creates
standing.’” However, plaintiffs lacked
Article III standing based on alleged injury to property rights in the address
books, which doomed their claims for conversion and trespass.
Apple then argued that non-resident plaintiffs couldn’t
bring California claims. But that
conflated extraterritorial application of California law and choice of
law. Whether a non-resident can assert a
California statutory claim is a constitutional question based on whether
California has sufficiently significant contacts with the claims. The court didn’t reach the choice of law issue,
but noted that the presumption against extraterritorial application of
California law doesn’t apply where the alleged misconduct occurs in California.
Apple moved to dismiss all claims against it under CDA §230,
except for claims based on its own alleged misrepresentations. Plaintiffs’ argument that Apple could choose
what apps to remove got nowhere; that’s still editorial/publisher-like. But Apple could be liable if it was
responsible, in whole or in part, for creating or developing the allegedly
unlawful material—if it contributed materially to the material’s alleged
unlawfulness. Providing neutral tools
wasn’t enough.
The court found that not all CDA defenses can be resolved on
a motion to dismiss. Here, the complaint
pled sufficient conduct to make Apple itself an “information content provider”
whose conduct is not protected by the CDA.
Plaintiffs alleged that Apple’s “iOS Human Interface Guidelines” for
developers encouraged data theft. “Among the guidelines are several suggestions
that do, on their face, appear to encourage the practices Plaintiffs complain
of in this case,” such as instructions not to force people to provide
information the app could easily find for itself, such as contacts or calendar
information, and instructions to avoid having users agree to the EULA when they
first launch an app. Plaintiffs alleged:
“Apple taught Program registrants to incorporate forbidden data harvesting
functionalities – even for private ‘contacts’– into their Apps and encouraged
Program registrants to design those functions to operate in non-discernible
manners that would not be noticed by the iDevice owner.” This was conduct that
went beyond traditional editorial functions of a publisher, and beyond
providing neutral tools. However, not
all of plaintiffs’ allegations about Apple’s conduct took it outside §230. Apple’s review guidelines and actual review
of apps were “fundamental ‘publisher’ activity protected by the CDA,” as was
failing to remove offending apps from the App Store and advertising third-party
apps for its own financial advantage. So
was mere provision of a software development kit, which was a neutral tool.
Apple argued that plaintiffs’ California statutory and
negligent misrepresentation claims failed because plaintiffs didn’t identify
any specific misrepresentations on which they relied in buying. Rule 9(b)
requires such claims to be pled with particularity, plus plaintiffs had to adequately
plead injury and causation/detrimental reliance. But misrepresentation need not be the only
cause of the purchase, and an inference of reliance arises from a material
misrepresentation.
The court found the claims of reliance inadequate;
allegations that a plaintiff viewed Apple’s website were insufficient to allege
viewing of or reliance on particular representations. The court considered whether Tobacco II’s exception for long-term and
extensive ad campaigns applied. Factors
to be considered: “First, to state the obvious, a plaintiff must allege that
she actually saw or heard the defendant’s advertising campaign…. Second, the
advertising campaign at issue should be sufficiently lengthy in duration, and
widespread in dissemination, that it would be unrealistic to require the
plaintiff to plead each misrepresentation she saw and relied upon.” How long and extensive is a fact-intensive
question—campaigns could be too short (six months) or insufficiently extensive
(two ads over eighteen months).
Third, plaintiffs should “describe in the complaint, and
preferably attach to it, a ‘representative sample’ of the advertisements at
issue in order adequately to notify the defendant of the precise nature of the
misrepresentation claim.” This
accommodates defendants’ rights to a sufficiently specific pleading and
plaintiffs’ rights against overly burdensome requirements in cases involving
multiple misrepresentations. Fourth, the
similarity of the alleged misrepresentations in the campaign is important. “[T]he advertisements at issue should be
similar enough to be considered as part of one campaign, or the delivery of a
single message or set of messages, rather than a disparate set of advertising
content published in the ordinary course of commerce.”
“Fifth, in the absence of specific misrepresentations, a
complaint subject to Rule 9(b)’s requirements should plead with particularity,
and separately, when and how each named plaintiff was exposed to the
advertising campaign. It is not sufficient to plead as a group, nor is it
sufficient simply to allege general exposure without more detail.” This ensures that the ads at issue were ones
consumers “were likely to have viewed, as opposed to representations that were
isolated or more narrowly disseminated, such as statements buried on a
rarely-viewed webpage, or made on an investor phone conference. Certainly, such
representations could be part of an advertising campaign, but the complaint
should describe the mechanism of dissemination for all identified representations.” Sixth, the date of purchase or reliance must
be determinable. Representations prior
to purchase are relevant, but not those after.
Thus, the plaintiff must describe as best she can the date of purchase,
the timeframe of the ads at issue, and when she was exposed to them.
Applying these factors, plaintiffs didn’t adequately allege
a long-term advertising campaign that excused them from pleading specific
reliance. First, it wasn’t clear that they were actually exposed to the ad
campaign. Second, the complaint didn’t
have sufficient detail about the extent of the advertising, not just its
length—how often the ads were published or in which media. Third, the complaint didn’t attach or
describe a representative sample of the ads at issue. Though they identified
some specific representations on Apple’s website/made by Apple employees
(including former and current CEOs), that wasn’t enough. “After reading the complaint asserted against
it, a defendant should be able to understand which advertising is alleged to be
misleading, and how it is misleading, so that it may prepare a defense and
identify in discovery the remainder of the advertising at issue – and just as
importantly, that advertising which is not at issue.” Fourth, because of this insufficient detail,
the court couldn’t conclude that the alleged misrepresentations had sufficient
similarity to constitute a single message/set of messages susceptible to
uniform treatment. Fifth, plaintiffs
didn’t allege how they were exposed—it wasn’t enough to allege that they
“viewed Apple’s website, saw in-store advertisements, and/or [were] aware of
Apple’s representations regarding the safety and security of the iDevices prior
to purchasing their own iDevices.” Sixth, they didn’t allege when specifically
they bought their devices.
What about failure to disclose claims? Plaintiffs alleged that Apple had an
affirmative duty to disclose material facts of which it had exclusive knowledge—the
vulnerability of plaintiffs’ devices to the theft of their address books by
third party apps. Because plaintiffs
didn’t adequately identify Apple’s misrepresentations, they weren’t entitled to
claim a duty to disclose arising from Apple’s partial representations. They also argued that there was a duty to
disclose because Apple had exclusive knowledge of material facts not known to
them and that Apple actively concealed material facts. But still, “‘[a] manufacturer’s duty to
consumers is limited to its warranty obligations absent either an affirmative
misrepresentation or a safety issue.’”
Plaintiffs failed to allege anything about Apple’s warranty obligations
or duration. Thus the statutory consumer
protection and negligent misrepresentation claims were dismissed.
The CFAA and related California computer fraud law claims were
dismissed because Apple didn’t violate them.
The design defect and failure to warn claims failed because there was no
physical harm to people or property. The
negligence claims were barred by the economic loss doctrine.
That was it for Apple.
How about the app defendants?
They too argued Article III standing. Plaintiffs alleged diminished mobile device
resources (storage, battery life, bandwidth), but there was no quantification
or other indication that this was anything more than de minimis. Nor could plaintiffs allege a continuing need
for injunctive relief, since all the defendants discontinued their practices
when the practice of transmitting user address books was made public, and Apple
has instituted new privacy controls.
Plaintiffs argued that the app defendants interfered with
their property rights in their address books.
But standing can’t be based solely on the theory that the value of a
plaintiff’s personal information has been diminished. The plaintiff needs to allege how the defendant’s
use of the information deprived the plaintiff of the information’s economic
value. “Put another way, a plaintiff must do more than point to the dollars in
a defendant’s pocket; he must sufficiently allege that in the process he lost dollars
of his own.” Plaintiffs didn’t do
this. Although other privacy cases
involved computer-generated information and not user-entered information, in
any case plaintiffs must tie allegations that their personal information has
value to the alleged injury they suffered.
However, two theories of injury were sufficient for
standing. First, the statutory claims:
injury required by Article III can exist solely from statutes creating legal
rights. Second, the common law claim for invasion of privacy conferred
standing, regardless of the merits.
Thus, the common law claims against the app defendants went, except for
the invasion of privacy claims.
The California UCL claims were dismissed because plaintiffs
couldn’t show they lost money or property.
How about invasion of privacy through intrusion upon
seclusion? Plaintiffs alleged that the intrusion
was “highly offensive to a reasonable person,” as evidenced by the “myriad
newspaper articles, blogs, op eds., and investigative exposes’ [that] were
written complaining and objecting vehemently to these defendants’ practices.” Congress opened inquiries to investigate, and
some defendants publicly apologized.
The app defendants didn’t contest that plaintiffs had a legally
protectable privacy interest in their address books, nor did they contest that
the apps intruded upon that interest. Instead, they argued that plaintiffs
didn’t have a reasonable expectation of privacy in their information, and that
the intrusion wasn’t sufficiently offensive to create a claim. This tort requires an “objectively reasonable
expectation of seclusion or solitude in the place, conversation or data
source.” Advance notice may create or
inhibit reasonable expectations, as may the presence or absence of
opportunities to consent to activities affecting privacy interests.
Here, the court found that plaintiffs’ expectation of
privacy in their address books contained on their iDevices in this circumstance
was reasonable; apps that copied the address books without consent or any
prompt interfered with that reasonable expectation. But other apps copied address books after
prompting users to “find friends” who used the same app, notifying users that
the app would scan their address books.
“Although the prompts required Plaintiffs to consent, Plaintiffs’
expectation of privacy in that circumstance was still reasonable. Plaintiffs
allege that they would not have consented had they known that their apps would
not only scan their address books to determine whether their friends were using
the same app, but then upload the address books to the app developer for other
purposes.” Plaintiffs alleged that their
consent was obtained by fraud; this was enough to plead that their consent was
invalid.
Was the intrusion at issue “highly offensive”? According to
the Restatement, “[a] court determining the existence of ‘offensiveness’ would
consider the degree of intrusion, the context, conduct and circumstances
surrounding the intrusion as well as the intruder’s motives and objectives, the
setting into which he intrudes, and the expectations of those whose privacy is
invaded.” A previous case held that the
surreptitious tracking of personal data and geolocation information was not an
“egregious breach of social norms.” But
that was distinguishable. The theft of
information in personal contact lists is more private than a mailing
address. And the court didn’t believe
that it qualified as “routine commercial behavior.” Also, the tort didn’t require a highly
offensive use of the private
information, only an intrusion; for example, a California court found an
intrusion upon seclusion claim viable where a patient’s doctor performed a
breast examination in front of a pharmaceutical salesperson without revealing
that the salesperson was not a medical professional. The Restatement expressly
disavows any limitation requiring use of the information. The offensiveness of
the intrusion was a question better left to a jury.
The app defendants also argued that plaintiffs failed to
allege economic injury from the intrusion, but that wasn’t required. Damages
are available for “anxiety, embarrassment, humiliation, shame, depression,
feelings of powerlessness, anguish, etc.”
However, the claim based on public disclosure of private
facts failed. It wasn’t enough that plaintiffs’ address books were transmitted
unencrypted, or over public wifi.
The CFAA and California computer fraud claims were also
dismissed; the apps didn’t circumvent any restrictions on access. The Electronic Communications Privacy Act and
state wiretap statute claims were also dismissed.