Eavesdropping and Spying by Smart TVs and Devices
New York Law Journal
In July, The Guardian cited a whistleblower working for Apple that Apple contractors “regularly hear confidential medical information, drug deals and recordings of couples having sex, as part of their job of providing quality control, or ‘grading’, the company’s Siri voice assistant.” A. Hern, “Apple Contractors ‘regularly hear confidential details’ on Siri recordings,” The Guardian, July 26, 2019.
Apple responded that a small portion of Siri requests are analyzed to improve Siri and dictation. User requests are not associated with the user’s Apple ID. The “grading” task is passed on to contractors working for the company around the world. The data, says Apple, is used “to help Siri and dictation … understand you better and recognize what you say.”
The whistleblower (who requested anonymity for fear of losing his job) said, however, that Siri can accidentally be activated when it mistakenly hears its “wake word”, the phrase “hey Siri”, but also in other ways. For example, if an Apple Watch detects it has been raised and then hears speech, Siri is automatically activated. Said the whistleblower: “There have been countless instances of recordings featuring private discussions between doctors and patients, business deals, seemingly criminal dealings, sexual encounters and so on. These recordings are accompanied by user data showing location, contact details and app data.”
Accidental activations led to the receipt of the most sensitive data that was sent to Apple. Although Siri is included on most Apple devices, the Apple watch and the company’s Home Pod smart speaker are the most frequent sources of mistaken recordings. “The regularity of accidental triggers on the watch is incredibly high … . The watch can record some snippets that will be 30 seconds—not that long but you can gather a good idea of what’s going on.” Apple is not alone in employing human oversight of its automatic voice assistants. Amazon staff listened to some Alexa recordings and Google workers did the same with Google Assistant.
On August 28, Forbes reported that Apple apologized for the eavesdropping after taking the whole month of August to review its process of handling Siri recordings. Apple announced that it “will turn it off by default and bring the human evaluation process in-house.” Jeb Su, “Apple Apologizes for Eavesdropping on Customers, Keeping Siri Recordings Without Permission,” Forbes (Aug. 28, 2019). Nevertheless, more whistleblowers have emerged and, particularly, overseas sources expressed surprise by the number of false triggers when Siri activates on its own, enabling conversations to be heard.
Legal developments now abound. On September 1, it was reported that the Federal Trade Commission (FTC) approved a settlement with Google’s YouTube of more than $150 million to resolve a complaint that YouTube knowingly collected personal information of children under the age of 13 without parental consent and used it for online advertising aimed at children in violation of a federal statute, the Children’s Online Privacy Protection Act (COPPA). The agency’s enforcement action was triggered by a complaint filed by a coalition of privacy advocates. “YouTube Reportedly Will Pay More Than $150 Million to Settle FTC Allegations of COPPA Violations,” Lexology (Sept. 1, 2019).
On September 4, Dan M. Clark’s New York Law Journal article was headlined: “Google, YouTube Agree to Pay $170M to FTC, NY AG’s Office in Online Privacy Settlement.” Clark said it was the “largest-ever settlement in an enforcement matter brought under a federal law intended to prevent companies from collecting personal data from young users without the consent of their parents.” The FTC issued a news release on the settlement. The FTC Commissioners split 3-2 on approval. The dissenters held that the amount to be paid was too low. They also urged Congress to approve additional digital privacy legislation to give state attorneys general more power to seek “meaningful” financial penalties. YouTube agreed to implement reforms to avoid future violations of the federal statute. Clark, supra.
In June, a Massachusetts woman filed a putative class action suit in a Seattle federal court claiming that Amazon is unlawfully recording children with its Alexa voice assistant and unlawfully retaining those recordings to contribute to a “massive database of billions of voice recordings containing the private details of millions of Americans.” The woman, who bought an Alexa Echo Dot in August 2018, is seeking class action status to sue on behalf of children in eight states that require dual-party consent for “the recording of oral communications.” K. Tiffany, “Amazon is being sued for recording children’s voices with Alexa,” Vox (June 14, 2019); see also “How Google and Amazon are ‘Spying’ on you” (Consumer Watchdog Expose); D.R. Stoller, “Popular Smart Home Devices Carry Cybersecurity Risks” (Bloomberg Law, updated Nov. 20, 2018).
“Smart” TVs do their share of spying as well. See H. Tsukayama, “These Smart TVs Were Apparently Spying on Their Owners,” Wash. Post (Feb. 6, 2017); Z. Doffman, “Samsung’s Warning to Owners of QLED Smart TVs Is Quickly Deleted,” Forbes (June 18, 2019). The FTC and New Jersey Attorney General filed a complaint against Vizio, a maker of millions of Internet-connected Vizio televisions. What consumers didn’t know was that, while they were watching their TVs, Vizio was watching them. The TVs automatically tracked what consumers were watching and transmitted the data back to its servers. Vizio even retrofitted older models by installing tracking software remotely. Consumers were not clearly told of the foregoing nor were their consents obtained. A host of personal details were developed allowing other companies to track and target Vizio consumers across devices. Vizio settled the matter with a $1.5 million payment to the FTC and an additional $700,000 civil penalty to New Jersey, along with undertaking remedial steps. For details, see L. Fair, “What Vizio was doing behind the TV screen,” Federal Trade Commission (Feb. 6, 2017). Vizio also was hit with separate class actions.
Two federal court decisions issued in August reflect the litigation potential, as well as the tensions and hurdles in prosecuting or defending such “smart”-device privacy claims. In In re Google Cookie Placement Consumer Privacy Litigation, 2019 U.S. App. LEXIS 23467 (3d Cir. Aug. 6, 2019), the U.S. Court of Appeals for the Third Circuit reviewed a lower court order approving a privacy class action settlement where the only benefit received by the class was defendant’s payment of a cy pres award to organizations the defendant approved.
Then, on August 20, a U.S. District Court Judge in New Jersey issued a “Letter Order” granting in part and rejecting in part defendants’ motions to dismiss five statutory causes of action based on defendants’ Smart TVs surreptitiously collecting data on plaintiffs, what programs they watch, when they watch them, and certain identifying information including their IP addresses, MAC addresses and zip codes. Defendants then allegedly sell that data to third parties, who use it to provide targeted advertisements to the same consumers. White v. Samsung Electronics America, Civ. Action No. 17-1775 (D.N.J. Aug. 20, 2019) (Judge Madeline Cox Arleo).
Let’s start with the Third Circuit’s decision in the Google Cookie Placement litigation. The class action settlement approved by the federal district court in Delaware purported to resolve claims that Google created a web browser “cookie” that tracks an Internet user’s data (as the Third Circuit put it: “think following the trail of cookie crumbs”). For some Safari or Internet Explorer browser users, the cookie may have operated even if the user configured privacy settings to prevent it from tracking data. The class plaintiffs claimed Google invaded users’ privacy under California’s Constitution and the state “tort of intrusion upon seclusion” (meaning the intrusion into a private place, conversation, or matter in a highly offensive manner). Injunctive relief was sought.
The class settlement approved by the lower court provided the following: Google agreed to stop using the cookies for Safari browsers and to pay $5.5 million to cover class counsel’s fees and costs; Google would pay incentive awards for the named class representatives; Google would pay cy pres distributions to primarily data privacy organizations who all must agree to use the funds to research and promote browser privacy; class members, however, would not be directly compensated; and Google would obtain a class-wide release of all class-member claims, including for money damages that did or could stem from the subject matter of the litigation.
There was a lone objector, the famous Theodore H. Frank, who challenged the terms of the approved settlement as unfair. Frank argued that class members should get direct distributions before any resort to cy pres awards. The latter “properly belongs to the class as compensation,” the objector argued. Frank also challenged the choice of cy pres recipients because of their “pre-existing relationships with Google and class counsel.” Frank’s arguments seemingly resonated with the Third Circuit appellate panel. The court deemed the district court’s “cursory” class-certification and fairness analysis to be “insufficient for us to review” the order approving the settlement. The appellate court also found “particularly concerning” the settlement’s broad release of class claims for money damages and its designation of cy pres recipients. Therefore, the settlement was vacated and the matter remanded for further proceedings in the court below. In re Google, LEXIS at *4-*5.
The circuit panel questioned “whether a defendant can ever obtain a class-wide release of claims for money damages” in an injunctive class settlement and remanded this legal question to the district court to answer. The appellate judges also were “troubled” by the selection of the cy pres recipients due to pre-existing associations between them and class counsel or Google. This question was remanded to the district court for further fact-finding. In re Google, LEXIS at *25-*31.
The circuit court commented: “[t]he vista view of this case is not pretty … an Internet behemoth with unprecedented tools for monitoring private conduct told millions of Americans it would not track their personal browser history, and then it did so anyway to profit from the data.” In re Google, LEXIS at *30-*31. For a discussion on what this decision means in the broader context of class action settlements generally—not just those involving spying and privacy litigation—see D.M. McMillan and S. Tillotson, “Third Circuit Smacks Down Class Action Settlement in Google Cookie Placement Litigation,” Lexology, Aug. 29, 2019.
In White v. Samsung Electronics America, the plaintiffs sued Samsung and Sony, manufacturers of Smart TVs, for privacy invasions based upon five statutory causes of action: (1) the tracking and transmission of consumers’ data violates the New Jersey Consumer Fraud Act; (2) that defendants failed to disclose their data collection in violation of the same Consumer Fraud Act; (3) a violation of the Video Privacy Protection Act; (4) a violation of the federal Wiretap Act; and (5) a violation of Florida’s Deceptive and Unfair Trade Practices Act. A sixth claim was for common law negligent misrepresentation. Plaintiffs sought damages and injunctive relief on behalf of themselves and two putative classes.
The federal district judge, however, concluded that plaintiffs failed to plead with sufficient particularity an “ascertainable loss”, as required under the New Jersey Consumer Fraud Act. That loss (either an out-of-pocket loss or a diminution in value) must not be “hypothetical or illusory” and must be calculable due to the violation. But plaintiffs did not plead any method or show how the loss would be calculated, nor did they allege any emotional damages from having their personal information exposed. White, Letter Order, at pp. 3-4. The same reasons flawed the Florida Deceptive Practices claim. Id. at 5.
Controlling Third Circuit precedent foreclosed plaintiffs’ Video Privacy Protection Act claims. Since plaintiffs alleged only that defendants obtained their IP addresses (an Internet-protocol address, which is a 10-digit identification tag used by computers to locate specific websites), their MAC addresses (a media access control address which is a “unique number assigned to all network interface devices used to distinguish and target the devices attached to a network”), and zip codes, these did not constitute “personally identifiable information” under the federal statute. Id. at 5-6. The Wiretap statute allegations, however, were deemed sufficient at this stage. Id. at 6-8. But the common law misrepresentation claims were rejected for plaintiffs’ failure to plead that any special relationship existed between them and either Sony or Samsung. Id. at 8.
As the foregoing survey reflects, privacy lawsuits and regulatory complaints are mushrooming. The experiences of Smart TVs and device manufacturers in these arenas has caused some changes in their disclosures and “opt-out” features to consumers. These corrective practices arguably will strengthen some defenses against claims. Yet, there are scores of millions of Smart TVs and devices sold before the remedial measures were instituted. Further, the directions to consumers to delete recordings are not so simple. See H. Denham, “Here’s How You Can Delete Voice Records on Your Smart Devices,” The Washington Post (Aug. 14, 2019). Many likely will ignore the prompts. So, for such not-so-savvy consumers, will litigation be a promising avenue? Time will tell.