While Washington’s comprehensive data privacy bill (SB 6182) — inspired by California’s CCPA — died when legislators could not hammer out a compromise over enforcement mechanisms, the state legislature did reach agreement and Gov. Jay Inslee signed into law a facial recognition bill (SB 6280) that provides some important privacy and antidiscrimination provisions regarding state and local governmental use of the technology. Continue Reading
Will the Role of Facial Recognition Grow in a Post-COVID-19 World?
An interesting New York Times article last week posited that governments’ use of digital surveillance techniques for the COVID-19 response – such as the tracking of geolocation to gauge quarantine restrictions – would lead to more pervasive digital tracking in the future. On a related note, there have been reports of an increased use of facial recognition technologies as governments use digital tools to respond to the outbreak.
These developments bring to mind some interesting questions:
In the future, given our collective experience with this invisible foe, will there be a move away from contact-based security and access control systems to “germless” and “touchless” processes?
If so, what role will be played by facial recognition and other biometrics-based systems in that shift?
Facial recognition is already in place and has, in some cases, began to replace contact-based systems. For example, facial recognition is being used in airports for security screenings, baggage drops, passport control and gate check-ins – and is largely being presented as an option to travelers to ease overcrowding and speed up processing time. Further, in March 2017, the President issued an executive order expediting the deployment of biometric verification of the identities of certain foreign travelers crossing U.S. borders. Indeed, U.S. Customs and Border Protection continues to roll out biometric scanning at checkpoints, such as recently at the Brownsville, Texas Port of Entry (but in December 2019 decided against making it mandatory for U.S. citizens to participate in airport facial recognition scanning when entering/leaving the country).
Thus, given these existing uses of the technology today, will the world’s coronavirus experience spur the adoption of even wider use of facial recognition and similar “touchless” systems in the United States and abroad? If so, it is possible that facial recognition and similar technologies that minimize face-to-face encounters will become the norm for “checking in” large numbers of people, not only at airports and border crossings, but at stadiums, commuting systems, office buildings, government meetings and even at grocery stores (with the development of “cashierless” technology). Other “touchless” forms of biometrics – iris recognition, gait, etc. – may also see increased adoption. If so, it is possible that “contact” forms of biometrics (e.g., fingerprint systems) may be deemphasized over time, although that is likely to be a slow process due to the significant level of incumbent fingerprint-based systems in use today.
It is not clear that existing and emerging laws would support, in a consistent and balanced manner, such a widespread use of biometrics. As it stands, the legislative landscape in the United States associated with facial recognition addresses is inconsistent and complex.
A number of states have laws that address biometric information. Most notably, the Illinois Biometric Information Privacy Act has been the source of quite a bit of class-action litigation related to facial recognition technology. Also, among other state laws that address biometrics, the California Consumer Privacy Act (CCPA) includes “biometric information” within its definition of “personal information” regulated under the Act (See Cal. Civ. Code §1798.40(o)(1)(E)) and New York’s SHIELD Act, which recently amended the state’s data breach notification law and data security requirements, includes “biometric information” within its definition of “private information.” Last year, California enacted a three-year moratorium on the use by law enforcement of facial recognition (and other biometric surveillance) in connection with body cameras. Numerous municipalities also have enacted restriction on the use of facial recognition. On the federal level, a number of the recently introduced privacy bills, including Senator Cantwell’s Consumer Online Privacy Rights Act, take direct aim at facial recognition and biometrics.
The laws address important concerns associated with privacy, data security, and the shortcomings and failures of facial recognition technology. The issues they intend to address include how data is captured, how is it processed, how is it stored, how it is used, and who has access to it. In addition, there are significant concerns related to racial discrimination and the possibility of false positives or negatives, as well as inaccurate results or insufficient testing. Unfortunately, however, while many of these laws and proposals address issues associated with private sector, government and law enforcement use of facial recognition technology, they are in many ways inconsistent and difficult to satisfy across multiple jurisdictions.
Public health experts are saying that another similar pandemic is possible – and even likely – in the future. In order to use biometrics effectively to mitigate such risk, we need a uniform regulatory structure promoting such use while also protecting the privacy and civil rights of individuals. After the current crisis is resolved and life is back to normal, it may be worthwhile for representatives of the nation’s technology community, civil rights and privacy advocates, and the legal community to work together to find a regulatory structure that protects privacy and civil rights while encouraging the use facial recognition to reduce the likelihood of similar public health emergencies in the future.
FTC Paid Endorser Settlement Sets Framework for Advertiser Best Practices
Teami, LLC (“Teami”), a marketer of teas and skincare products, agreed to settle FTC charges alleging that its retained social media influencers did not sufficiently disclose that they were being paid to promote Teami’s products. The FTC’s Complaint also included allegations that Teami made unsupported weight-loss and health claims about its products, an issue that is beyond the scope of this blog post. The Stipulated Order for Permanent Injunction and Monetary Judgment was approved by a Florida district on March 17, 2020.
This settlement is significant in that it identifies clear steps that an advertiser can follow in the interest of avoiding similar FTC allegations of deception with respect to paid endorsers. Compliance in this area remains an ongoing concern as the FTC reiterated in a statement accompanying the settlement that: “[T]he Commission is committed to seeking strong remedies against advertisers that deceive consumers because deceptive or inaccurate information online prevents consumers from making informed purchasing decisions….” Continue Reading
Supreme Court Rules That States Cannot be Sued for Copyright Infringement, For Now…
The U.S. Supreme Court’s busy intellectual property term (with six copyright and trademark cases) rolls on. On March 23, SCOTUS ruled in Allen v. Cooper, 589 U.S. ___, No. 18-877 (Mar. 23, 2020), that states, absent consent, may not be sued for copyright infringement. In particular, SCOTUS held that Congress did not have a sufficient constitutional basis to abrogate states’ sovereign immunity in copyright infringement actions when it passed the Copyright Remedy Clarification Act of 1990 (CRCA). However, the Court noted that, going forward, the ruling would not prohibit Congress from passing a more “tailored” copyright remedy statute if it found a valid basis to suspend sovereign immunity in copyright infringement cases against states. Continue Reading
Online Platforms Sidestep Claims over User Content Decisions and Social App Functions
Despite continued scrutiny over the legal immunity online providers enjoy under Section 230 of the Communications Decency Act (CDA), online platforms continue to successfully invoke its protections. This is illustrated by three recent decisions in which courts dismissed claims that sought to impose liability on providers for hosting or restricting access to user content and for providing a much-discussed social media app filter.
In one case, a California district court dismissed a negligence claim against online real estate database Zillow over a fraudulent posting, holding that any allegation of a duty to monitor new users and prevent false listing information inherently derives from Zillow’s status as a publisher and is therefore barred by the CDA. (924 Bel Air Road LLC v. Zillow Group Inc., No. 19-01368 (C.D. Cal. Feb. 18, 2020)). In the second, the Ninth Circuit, in an important ruling, affirmed the dismissal of claims against YouTube for violations of the First Amendment and the Lanham Act over its decision to restrict access to the plaintiff’s uploaded videos. The Ninth Circuit found that despite YouTube’s ubiquity and its role as a public-facing platform, it is a private forum not subject to judicial scrutiny under the First Amendment. It also found that its statements concerning its content moderation policies could not form a basis of false advertising liability. (Prager Univ. v. Google LLC, No. 18-15712 (9th Cir. Feb. 26, 2020)). And in a third case, the operator of the messaging app Snapchat was granted CDA immunity in a wrongful death suit brought by individuals killed in a high-speed automobile crash where one of the boys in the car had sent a snap using the app’s Speed Filter, which had captured the speed of the car at 123MPH, minutes before the fatal accident. (Lemmon v. Snap, Inc., No. 19-4504 (C.D. Cal. Feb. 25, 2020)). Continue Reading
LinkedIn Files Petition to the Supreme Court in hiQ Web Scraping Case
This past week, LinkedIn filed a petition for a writ of certiorari asking the Supreme Court to overturn the Ninth Circuit’s blockbuster ruling in hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019). The case concerned the scope of Computer Fraud and Abuse Act (CFAA) liability associated with web scraping of publicly available social media profile data. In the appellate court ruling, the appeals court affirmed the lower court’s order granting a preliminary injunction barring LinkedIn from blocking hiQ from accessing and scraping publicly available LinkedIn member profiles. Mostly notably, the Ninth Circuit held that hiQ had shown a likelihood of success on the merits in its claim that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access “without authorization” under the CFAA. LinkedIn feels otherwise, and posed, as the question presented:
“Whether a company that deploys anonymous computer ‘bots’ to circumvent technical barriers and harvest millions of individuals’ personal data from computer servers that host public-facing websites—even after the computer servers’ owner has expressly denied permission to access the data—‘intentionally accesses a computer without authorization’ in violation of the Computer Fraud and Abuse Act.”
Protecting against Cybersecurity Threats when Working from Home
With the spread of the novel coronavirus (COVID-19), many organizations are requiring or permitting employees to work remotely. This post is intended to remind employers and employees that in the haste to implement widespread work-from-home strategies, data security concerns cannot be forgotten.
Employers and employees alike should remain vigilant of increased cybersecurity threats, some of which specifically target remote access strategies. Unfortunately, as noted in a prior blog post, cybercriminals will not be curtailing their efforts to access valuable data during the outbreak, and in fact, will likely take advantage of some of the confusion and communication issues that might arise under the circumstances to perpetrate their schemes.
Employees working from home may be accessing or transmitting company trade secrets as well as personal information of individuals. Inappropriate exposure of either type of data can lead to significant adverse consequences for a company. Exposure of trade secrets or confidential business information can potentially cause significant business damage or loss. Exposure of personal information can potentially trigger state or federal data breach notification laws, and result in significant liabilities for a company as well as expanded identity theft issues for individuals. The threat is not only an online concern – physical security is at issue as well. Unauthorized access to printed copies of sensitive documents could lead to additional exposures. Continue Reading
Coronavirus and the “100% Work-From-Home” Scenario: Review Agreements with Vendors of Remote Access Technology
As part of the response to the outbreak of COVID-19, many organizations are working on contingency and business continuity plans that include an all-employee “work-from-home” scenario. If it becomes necessary to implement such a plan, all employees of the organization will access the organization’s networks and systems remotely. Unfortunately, many organizations that are testing these plans are discovering that that their remote access technologies may not be able to handle, without significant degradation in performance, the volume of activity this will generate. Indeed, given the complex host of business applications and collaboration tools that many businesses employ, many entities may not be fully ready for their entire workforce to access their systems remotely without first checking in with their vendors and IT personnel.
This is understandable. Except for the case of those businesses that always operate “virtually” — without any fixed offices — most organizations build their remote access infrastructure (including the related telecommunications, security, videoconferencing, collaboration and other software tools that are involved in remote access) based on an assumption that only a portion of an organization’s employees will use remote access at any given point in time. For example, contractual service level commitments (in which vendors promise certain levels of performance of their systems) often assume a simultaneous user base being a subset of all employees of the organization. Further, SaaS-based services that are priced based on a specific number of “simultaneous users” may not anticipate all, or substantially all, of the company’s employees using the service at the same time.
Organizations should be reviewing their agreements with the myriad set of vendors that provide software related to remote access. These reviews should evaluate what commitments, if any, are included in those agreements that may be helpful in what may be this unprecedented “100% work-from-home” effort. To the extent contractual deficiencies or other issues are identified, early engagement with vendors can be helpful. For example, in the event service level commitments appear insufficient to meet anticipated demand, an early discussion with the vendor may result in an increased allocation of the vendor’s resources to that customer. And while some SaaS service agreements priced by the number of simultaneous users may allow customers to exceed simultaneous user limits (with a premium true-up at a later date), others impose hard blocks on usage in excess of contract limitations. To the extent these issues are identified in an agreement, customers are best served by engaging with the vendor in advance – to avoid premium true-ups or interference in service. Continue Reading
Facebook Brings Suit against Mobile Marketing Firm for Siphoning User Data without Authorization
In continuing its push to enforce its terms and policies against developers that engage in unauthorized collection or scraping of user data, Facebook brought suit last month against mobile marketing and data analytics firm OneAudience LLC. (Facebook, Inc. v. OneAudience LLC, No. 20-01461 (N.D. Cal. Complaint filed Feb. 27, 2020)). Facebook alleges that OneAudience harvested Facebook users’ profile data and device data in contravention of Facebook’s terms and developer policies. OneAudience purportedly gathered this data by paying app developers to bundle OneAudience’s software development kit (SDK) into their apps and then harvesting data for those users that logged into those apps via Facebook credentials. Continue Reading
The Coronavirus and Force Majeure Clauses
Beyond the human toll of the current global health crisis, the coronavirus outbreak is having serious economic repercussions to the global economy and the supply chains on which it depends. Dun & Bradstreet reported, “at least 51,000 (163 Fortune 1000) companies around the world have one or more direct or Tier 1 suppliers in the impacted regions, and at least five million companies (938 Fortune 1000) around the world have one or more Tier 2 suppliers in the impacted region.” Factory closings, transportation restrictions and general concerns about a potential pandemic are causing shortages of critical supplies and employees, and are testing the bounds and obligations of various contracts entered into between vendors and customers.
As a result of this disruption, many businesses are assessing their contracts to understand the extent of their rights, remedies and obligations with respect to their business partners. Suppliers of goods and services unable to deliver on contractual obligations are looking to see what provisions, if any, may protect them from a default. And in turn, recipients encountering delays from suppliers unable to deliver goods and services in a timely manner (or at all) are also looking to their agreements to see what rights, obligations, and remedies they may have in these circumstances. Continue Reading
