Last week the WSJ published an article detailing how companies are monetizing smartphone location data by selling it to hedge fund clients.  The data vendor featured in the WSJ article obtains geolocation data from about 1,000 apps that fund managers use to predict trends involving public companies.  However, as we’ve

Courts are increasingly taking a magnifying glass to electronic contracting processes, particularly how the terms of service and the call to action are presented.  As such, companies might take a second look at their own user registration and e-commerce purchase processes to ensure they offer reasonably conspicuous notice of the existence of contract terms and obtain manifestation of assent by the user to those terms.  Courts will generally enforce clickwrap style agreements as long as the layout and language of the site or mobile app give the user reasonable notice that a click will manifest assent to an agreement.  Last year, the Second Circuit, in the notable Meyer opinion, blessed Uber’s mobile contracting process, but in considering a similar Uber platform, a New York state court late last month declined to compel the arbitration of user claims due to what the court considered an “ambiguous registration process.”  (Ramos v. Uber Technologies, Inc., 2018 NY Slip Op 28162 (N.Y. Sup. Ct. Kings Cty. May 31, 2018)).  Such conflicting rulings highlight the importance of web design in determining if a service’s terms are deemed enforceable.

In this long-running dispute that has been previously dubbed “The World Series of IP cases” by the presiding judge, Oracle America Inc. (“Oracle”) accuses Google Inc. (“Google”) of unauthorized use of some of its Java-related copyrights in Google’s Android software platform. Specifically, Oracle alleges that Google infringed the declaring code of certain Java API packages for use in Android, including copying the elaborate taxonomy covering 37 packages that involves multiple classes and methods.  Google had declined to obtain a license from Oracle to use the Java APIs in its platform or license the same under an open source GPL license; instead it copied the declaring code from the 37 Java API packages (over 11,000 lines of code), but wrote its own implementing code.  Google designed it this way, believing that Java application programmers would want to find the same 37 sets of functionalities in the new Android system callable by the same names as used in Java.

We have been closely following the legal and legislative developments relating to biometric privacy, and in particular, the flow of litigation under the Illinois biometrics privacy law.   It was interesting to see how the Illinois law (as well as a similar Texas law) influenced Google’s  offering of a new facial recognition feature on the Google Arts & Culture app. (It is also interesting to note that the media coverage of the app has made the Illinois and Texas laws subjects of mainstream discourse.)

The Google Arts & Culture app, which was originally released a couple years ago, offers users virtual tours of museums and a searchable database of other art-related content.  What recently made it one of the hottest free apps is a new entertaining tool that compares a selfie to a database of great works of art and presents the results that most closely match the user’s face.  [Note: My classical art doppelgänger is “Portrait of a Gentleman in Red” by Rosalba Carriera. What’s yours?].  However, out of an apparent abundance of caution, Google has disabled this art-twinning function in Illinois and Texas, presumably because those states have biometric privacy laws that regulate the collection and use of biometric identifiers like facial templates; while the Texas statute can only be enforced by the state attorney general, Illinois’s Biometric Information Privacy Act (BIPA) contains a private right of action and remedies that include statutory damages. Interestingly, Washington users are able to access this tool, despite Washington having enacted its own biometric privacy law last year.  Perhaps that is because, as described in the referenced blog post, compliance under the Washington statute is less demanding than under the Illinois or Texas statutes.

This week’s Apple X announcement was not more than a few hours old when the questions began to come in. Apple’s introduction of Face ID facial recognition on its new phone – although already available in some form on several Android phones – generated curiosity, concerns and creativity.  Unfortunately, the details about specifically how the recognition feature will really work are as yet unknown.  All the public knows right now is that the phone’s facial “capture” function, powered by an updated camera and sensor array, will direct 30,000 infrared dots around a user’s face and create a hashed value that will presumably be matched against a user’s face during the unlocking procedure.

The questions and issues this raises are too numerous and varied to address in a single blog post. I will simply point out that the concerns over Face ID range from spoofing (e.g., Can the phone be unlocked by a picture? [Apple says no, explaining that the system will map the depth of faces]) to security (e.g., Is the “face map” or hashed value stored in a database which can be breached? [Apple says no; like fingerprints in Apple’s current Touch ID feature, the face map will be securely stored locally on the device]).

One issue that I thought was particularly interesting, however, relates to the ability of apps residing on a phone to interact with facial captures. Unless disabled, Face ID could potentially be “always on,” ready to capture facial images to authenticate the unlocking of the phone, and possibly capturing facial images as the user interacts with the unlocked phone.  So, clients have asked: Will the apps on the phone be able to access and use those facial captures?

In recent years, courts have issued varying rulings as to whether online or mobile users adequately consented to user agreements or terms of service when completing an online purchase or registering for a service.  In each case, judges have examined the facts closely, particularly the user interface that presents the terms to the user before he or she completes a transaction.  In an important ruling vindicating Uber’s user registration and electronic contracting process, the Second Circuit reversed the lower court and held that the notice of Uber’s terms of service was reasonably conspicuous and that the plaintiff unambiguously manifested assent to the terms, and therefore agreed to arbitrate his claims with Uber. (Meyer v. Uber Technologies, Inc., 2017 WL 3526682 (2d Cir. Aug. 17, 2017)).  While clearly good news for Uber in this litigation, in blessing Uber’s mobile contracting process, the court also established something of a template for other mobile apps to follow to ensure that their terms and conditions will be enforceable against their members or users. 

Craigslist has used a variety of technological and legal methods to prevent unauthorized parties from violating its terms of use by scraping, linking to, or accessing user postings for their own commercial purposes. For example, in April, craigslist obtained a $60.5 million judgment against a real estate listings site that had allegedly received scraped craigslist data from another entity. And craigslist recently reached a $31 million settlement and stipulated judgment with Instamotor, an online and app-based used car listing service, over claims that Instamotor scraped craigslist content to create listings on its own service and sent unsolicited emails to craigslist users for promotional purposes.  (Craigslist, Inc. v. Instamotor, Inc., No. 17-02449 (Stipulated Judgment and Permanent Injunction Aug. 3, 2017)).  

Update: On March 9, 2017, Google filed a motion requesting the court certify an interlocutory appeal.  In particular, Google contends that the following question satisfies the statutory criteria: whether the term “biometric identifier,” as defined in the Illinois Biometric Privacy Act, includes information derived from photographs.

We’ve closely followed the numerous biometric privacy disputes and legislative developments surrounding the Illinois Biometric Information Privacy Act (BIPA), which precludes the unauthorized collection and storing of some types of biometric data.  In the latest ruling, an Illinois district court refused to dismiss a putative class action alleging that the cloud-based Google Photos service violated BIPA by automatically uploading plaintiffs’ mobile photos and allegedly scanning them to create unique face templates (or “faceprints”) for subsequent photo-tagging without consent.  (Rivera v. Google, Inc., No. 16-02714 (N.D. Ill. Feb. 27, 2017)).

This is the third instance where a district court refused, at an early stage of a litigation, to dismiss BIPA claims relating to the online collection of facial templates for photo-tagging purposes.  Unlike those prior courts’ relatively cursory interpretations, however, the Rivera court’s expansive 30-page opinion is the deepest dive yet into the statutory scheme (and purported vagaries) of the Illinois statute.  The decision is the latest must-read for mobile or online services that collect and store biometric data from users as to what extent their activities might fall under the Illinois biometric privacy statute.  It may well turn out that the plaintiffs’ claims in Rivera (as well as the ongoing biometric privacy litigation in California) prove unsuccessful on procedural or statutory grounds, yet these initial takes on the scope of BIPA stress the importance of examining current practices and rollouts of new services that feature biometrics.

UPDATE: In late October 2016, the parties notified the court that they were in discussions to settle the matter and would jointly stipulate to a dismissal of the action without prejudice.  On November 2nd, the court dismissed the action.

Title V of the Telecommunications Act of 1996, also known as the “Communications Decency Act of 1996” or “CDA,” was signed into law in February 1996.  The goal of the CDA was to control the exposure of minors to indecent material, but the law’s passage provoked legal challenges and pertinent sections of the Act were subsequently struck down by the Supreme Court as unconstitutional limitations on free speech. Yet, one section of the CDA, §230, remained intact and has proven to encourage the growth of web-based, interactive services.

Over the last few years, website operators, search engines and other interactive services have enjoyed a relatively stable period of immunity under Section 230 of the Communications Decency Act (CDA) from liability associated with user-generated content.  Despite a few outliers, Section 230 has been generally interpreted by most courts to protect website operators and other “interactive computer services” against claims arising out of third-party content.

However, a recent dispute involving a Snapchat feature known as “Discover” raises new questions under the CDA.  The feature showcases certain interactive “channels” from selected partners who curate content daily.  Last month, a parent of a 14-year-old filed a putative class action against Snapchat claiming that her son was exposed to inappropriately racy content, particularly since, as plaintiff alleges, Snapchat does not tailor its feeds for adult and younger users.  (Doe v. Snapchat, Inc., No. 16-04955 (C.D. Cal. filed July 7, 2016)).  The complaint asserts that while Snapchat’s terms of service prohibit users under 13 from signing up for the service, they do not include any warnings about any possible “offensive” content on Snapchat for those under 18, beyond stating some “Community Guidelines” about what types of material users should not post in “Stories” or “Snaps.”