24 September 2011 – With the arrival of the iPhone 5 there has been great expectation of what Apple can deliver, but iPhone users who took legal action against both Apple and advertising companies alleging violation of privacy rights through the permission of third party applications to collect and use personal information, have had their claims dismissed in an action that one technology blogger said had “shredded the complainant”.
In the Technology & Marketing Law Blog, Eric Goldman wrote:
iPhone users sued Apple and various advertising networks, alleging that defendants violated their privacy rights “by… allowing third party applications that run on [iOS devices] to collect and make use of… personal information without user consent or knowledge.” The court dismisses the claims, but grants leave to amend.
Judge Koh’s order has the feel of a professor grading an exam, and it covers a lot of ground, including many cases we’ve blogged about. (It’s well worth the read.)
Plaintiffs alleged that Apple made public statements about protecting user privacy but the design of its iOS system “permit[ted] apps that subject consumers to privacy exploits and security vulnerabilities.” Plaintiffs alleged that Apple devices allow apps to track, access and use the following customer information: address book, cell phone numbers, file system, geolocation, International Mobile Subscriber Identity (IMSI), keyboard cache, photographs, SIM card serial number, and unique device identifier (UDID).
Plaintiffs claimed that they were not put on notice of this tracking. Plaintiffs also alleged that the “Mobile Industry Defendants” exploited this information and “use[d] the merger of personal information to effectively or actually de-anonymize consumers.” Despite being put on notice, Plaintiffs claimed Apple did not take any action to prevent this tracking and use of information.
Plaintiffs argued that they suffered three types of injury: (1) their personal information was misappropriated; (2) the personal information diminished in value; and (3) they suffered lost “opportunity costs” in having installed the apps and suffered a diminution in value of their devices because the devices are “less secure” and “less valuable.” The court says that the complaint has a deeper standing issue: plaintiffs failed to allege what injury they suffered personally (or as a class) as well as identify what apps they used, what personal information was accessed, and what harm resulted. The court also says that the allegations are “especially slim with respect to… Apple.”
The court also says that there’s another issue with the complaint: plaintiffs fail to allege a “concrete harm.” Citing to Specific Media, JetBlue, and Doubleclick, the court says, “[as in Specific Media, plaintiffs have] not alleged any ‘particularized example’ of economic injury or harm to their computers, but instead offer only abstract concepts, such as ‘opportunity costs,’ ‘value-for-value exchanges,’ ‘consumer choice,’ and ‘diminished performance.'”
Plaintiffs pointed to Doe v. AOL, but the court distinguishes it on the basis that in that case there were “specific allegations” of the danger of public disclosure of “highly sensitive information.” Plaintiffs’ allegations in this case “come nowhere close” to the allegations in AOL. Plaintiffs also cite the Facebook privacy case, but the court distinguishes it on the basis that the Facebook privacy case involved Wiretap Act claims which only require a showing that a person’s communication was “intercepted, disclosed or used” in violation of the statute. Here, there’s no analogous statute.
The court also says that the alleged injuries are not “fairly traceable” to defendants. There is no allegation that Apple misappropriated the data, and plaintiffs did not distinguish between the “mobile industry defendants,” which made it tough to figure out which of the defendants the plaintiffs are trying to hold liable and for what misappropriation. The court dismisses on the basis of standing with a cautionary note to plaintiffs: “any amended complaint must provide specific allegations with respect to the causal connection between the exact harm alleged (whatever it is) and each Defendants’ conduct or role in that harm.”
Although the court dismisses on standing grounds, it goes on to address alternate arguments raised by defendants and other issues in the case.
Apple argued that various end-user agreements barred claims for the alleged injuries. Plaintiffs argued that the agreements were contracts of adhesion. The court says that plaintiffs will have trouble with both prongs of the adhesion argument as they have alternatives available, and the contract in question is for a recreational activity. The court does not outright reject the adhesion argument, but it sends plaintiffs a signal that they should articulate in their amended complaint why Apple should be held responsible despite any terms in the agreements.
Particularity and the absence of app developers
The court says that, as to the mobile industry defendants, the complaint fails to allege what role each of the defendants played in the alleged harm. This needs to be fixed in any amended complaint. Apple also raised the argument that the app developers were necessary parties but the court rejects this argument. At this stage, the court declines to dismiss the lawsuit for failure to join the developers.
The court identifies two problems with the negligence claims. Apple does not necessarily have a legal duty to protect end-user information from third-party app developers and damages are speculative.
Breach of the duty of good faith
The court tells plaintiffs to identify which of the end user agreements and privacy agreements plaintiffs are using to support their duty of good faith claim.
Consumer Legal Remedies Act
The court questions whether the statute is applicable at all to software–it covers the sale of goods and services (citing Ferrington v. McAfee).
Consumer Fraud and Abuse Act
The court says that plaintiffs’ Computer Fraud and Abuse Act claims are deficient for three reasons. First, there is no allegation that Apple acted “knowingly.” Plaintiffs only allege that Apple failed to take “meaningful steps” to police third-party developers. Second, since the software was downloaded voluntarily, this tends to undermine a claim that the access was “without authorization” or “exceeded authorized access.” Finally, the court says that only economic damages are available and damages for “death, personal injury, mental distress, and the like” are not available. There are no allegations of economic harm. Although damages can be aggregated where the violation can be described as “one act,” plaintiffs failed to point to any “single act” of harm by defendants.
California’s anti-hacking statute
Trespass to chattels
Under Intel v. Hamidi, a trespass to chattels claim based on access to a computer server requires impairment or loss of use. The court says plaintiffs have not adequately pled this element.
In order to bring an unfair competition claim, a plaintiff needs to have suffered damage or lost money or other property. The court says it is skeptical of the “personal information as currency” argument (citing to the recent Facebook privacy ruling). The court also says that it’s unclear as to whether plaintiffs paid money for the apps in question.
There is no separate cause of action for unjust enrichment under California law. The court says that restitution may be available as an equitable remedy in lieu of contract damages. If plaintiffs amend their complaint, they are directed to clarify what they are looking for in terms of restitution.
Judge Koh goes through and basically shreds the complaint. A consistent theme is the plaintiffs’ lack of specificity. This is not surprising, because the trigger for the complaint is a news story or a scholarly study, rather than a specific event that a plaintiff had awareness of when it happened. The court’s order makes clear that, even if plaintiffs get past the allegation of harm issue, there are numerous other hurdles that stand in the way of holding the defendants liable. In particular, she says that Apple as the third party is somewhat removed from the information collection, and plaintiffs are not going to have an easy time holding Apple liable. Apple may also have a robust defense in its end user agreement(s). Other than knocking down plaintiffs’ unconscionability argument, the court did not get into specifics of what those agreements contain that may limit Apple’s liability, but that they are sure to contain something.
All of this has to be good news for Apple. It’s also somewhat surprising that the issue of arbitration has not come up. Apple may be able to assert a Section 230 defense, either based on section (c)(1) for its putative liability based on the developers’ actions, or under (c)(2) for the negligence claim that it failed to police its App Store properly.
Lower courts have overwhelmingly rejected the latest wave of privacy class actions, and evinced deep skepticism towards the theory that the collection of personal information alone by a private entity constitutes harm. Courts also do not seem excited about the theory that tracking somehow harms end users because it diminishes the value of their personal information, nor do they seem excited about the “information as currency” argument. I think it’s fair to say that, while the case law leans towards the defendants, there’s not necessarily a ton of Ninth Circuit precedent that directly speaks to the issues raised by tracking cases, although it’s possible that some set of plaintiffs may have better luck in the Ninth Circuit.