New Media and Technology Law Blog

A Busy Month in the Facebook Photo Tagging Biometric Privacy Dispute

As discussed in past posts about the long-running Facebook biometric privacy class action, users are challenging Facebook’s “Tag Suggestions” program, which scans for and identifies people in uploaded photographs for photo tagging. The class alleges that Facebook collected and stored their biometric data without prior notice or consent in violation of the Illinois Biometric Information Privacy Act (BIPA), 740 Ill. Comp. Stat. 14/1 et seq.  While other technology companies face BIPA actions over photo tagging functions, In Re Facebook is the headliner of sorts for BIPA litigation, being the most closely-watched and fully-litigated.

There have been a host of new developments in this case as the parties continued to joust when the prospect of a trial was looming.  Earlier this month, a California district court denied both parties’ motions for summary judgment and found that a “multitude of factual disputes” barred judgment as a matter of law for either side.   (In re Facebook Biometric Information Privacy Litig., No. 15-03747 (N.D. Cal. May 14, 2018)).  The court’s prior orders over the past several years provide the context for the denial of summary judgment and the court’s refusal to revisit procedural rulings. See: In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155 (N.D. Cal. 2016) (declining to enforce California choice of law provision in user agreement and applying Illinois law and refusing to find that the text of BIPA excludes from its scope all information involving photographs); Patel v. Facebook Inc., 290 F. Supp. 3d 948 (N.D. Cal. 2018) (declining to dismiss based on lack of Article III standing); In re Facebook Biometric Info. Privacy Litig., No. 15-03747, 2018 WL 1794295 (N.D. Cal. Apr. 16, 2018) (certifying Illinois user class and refusing Facebook’s renewed arguments to dismiss on procedural grounds).  Continue Reading

Unanticipated Mobile Data Leaks Remain an Ongoing Issue

There has been a lot of attention in the media lately with respect to the Facebook/Cambridge Analytica issue and its fall-out (including today’s coverage of the announcement that Facebook suspended almost 200 apps pending a more complete investigation in whether any user data was misused). As part of that discussion, Apple’s CEO Tim Cook has been one of many voices criticizing Facebook’s practices.  It is interesting then to note then that Apple is quietly beginning to enforce long-standing and long-ignored rules in the Apple iOS developer’s agreement and App Store Review Guidelines that, except for two limited exceptions, precluded an app publisher from sharing information collected from users on their phones with third parties. According to a recent article in 9to5mac.com, Apple is now removing those apps from the app store that are sharing data in violation of these restrictions.

It will be interesting to see how this all plays out and whether this development captures the media’s attention the way the Facebook episode did.  This latest episode highlights that instances of consumer data accessed by third parties in the mobile context is an issue that may be broader than first thought.

Researchers May Challenge the Constitutionality of the CFAA “Access” Provision as Applied to Web Scraping

Such Scraping “Plausibly Falls within the Ambit of the First Amendment”

The Ninth Circuit is currently considering the appeal of the landmark hiQ decision, where a lower court had granted an injunction that limited the applicability of the federal Computer Fraud and Abuse Act (CFAA) to the blocking of an entity engaging in commercial data scraping of a public website.  While we wait for that decision, there has been another fascinating development regarding scraping, this time involving a challenge to the CFAA brought by academic researchers.  In Sandvig v. Sessions, No. 16-1368 (D.D.C. Mar. 30, 2018), a group of professors and a media organization, which are conducting research into whether the use of algorithms by various housing and employment websites to automate decisions produces discriminatory effects, brought a constitutional challenge alleging that the potential threat of criminal prosecution under the CFAA for accessing a website “without authorization” (based upon the researchers’ data scraping done in violation of the site’s terms of use) violates their First Amendment rights.

In a preliminary decision, a district court held that the plaintiffs have standing and allowed their as-applied constitutional challenge to the CFAA to go forward with regard to the activity of creating fictitious accounts on web services for research purposes.  The decision contains vivid language on the nature of the public internet as well as how the plaintiffs’ automated collection and use of publicly available web data would not violate the CFAA’s “access” provision even if a website’s terms of service prohibits such automated access (at least with respect to the facts of this case, which involves academic or journalistic research as opposed to commercial or competitive activities). Continue Reading

Illinois Considering Amendments to Biometric Privacy Law (BIPA) That Would Create Major Exemptions to Its Scope

We have written before about the issues presented by the Illinois Biometric Information Privacy Act, 740 Ill. Comp Stat. 14/1 (“BIPA”).  BIPA is still the only state biometric privacy statute with a private right of action. It has garnered national attention and become the epicenter of biometrics-based litigation, with dozens of cases pending alleging violations of the statute (defendants include employers of all types, social media platforms, service providers, and many other businesses that interact with Illinois residents).  Just as the privacy concerns surrounding the collection and storage of biometric data have come into sharper focus with more and more companies employing such technologies for digital authentication, security and other uses, the litigation surrounding BIPA has garnered much controversy and the legislature has previously been called upon to amend the statute to limit its reach.  The Illinois legislature is now considering a bill (SB3053) that would fundamentally alter the privacy protections under BIPA Continue Reading

FOSTA Signed into Law, Amends CDA Section 230 to Allow Enforcement against Online Providers for Knowingly Facilitating Sex Trafficking

Today, the President signed H.R. 1865, the “Allow States and Victims to Fight Online Sex Trafficking Act of 2017” (commonly known as “FOSTA”).  The law is intended to limit the immunity provided under Section 230 of the Communications Decency Act (“CDA Section 230”) for online services that knowingly host third-party content that promotes or facilitates sex trafficking. As drafted, the law has retroactive effect and applies even with respect to activities occurring prior to its enactment. Continue Reading

Facebook Granted Dismissal of Biometric Privacy Claims Brought by “Non-Users”

This week, the District Court for the Northern District of California dismissed the Gullen putative class action asserting Illinois biometric privacy claims brought by “non-users” based on evidence that the social media site did not use its facial recognition technology on business or organizational accounts (as opposed to personal social media pages).  (Gullen v. Facebook, Inc., No. 16-00937 (N.D. Cal. Apr. 3, 2018)).  This ruling on the merits follows a decision last month where the court refused to dismiss the action due to lack of standing.  In Gullen, the plaintiff alleged that Facebook violated the Illinois Biometric Information Privacy Act (BIPA), 740 Ill. Comp. Stat. 14/1 et seq. (“BIPA”), by collecting his biometric identifiers without notice or consent via Tag Suggestions, its facial recognition-based system of photo tagging.  The plaintiff’s claim was based upon a single photograph uploaded to an organizational page.  A declaration by a software engineer for the defendant confirmed that not all photos uploaded to Facebook undergo facial recognition and that plaintiff’s photo was not scanned, and since plaintiff failed to rebut such evidence, the court granted summary judgment in the site’s favor.

While the Gullen action was dismissed on factual grounds, the companion In re Facebook Biometric Privacy Litig. action involving Facebook users remains ongoing and raises important legal issues surrounding BIPA, including the scope of the statute as it relates to uploaded photographs and the sufficiency of Facebook’s notice and consent procedures, as well as constitutional issues regarding the extraterritorial reach of BIPA to activities and cloud-based transactions that allegedly occurred outside of Illinois.

Federal Circuit Again Reverses California Court in Oracle-Google Copyright Dispute over Java APIs – Releases a Major Ruling on Fair Use in the Software Context

In this long-running dispute that has been previously dubbed “The World Series of IP cases” by the presiding judge, Oracle America Inc. (“Oracle”) accuses Google Inc. (“Google”) of unauthorized use of some of its Java-related copyrights in Google’s Android software platform. Specifically, Oracle alleges that Google infringed the declaring code of certain Java API packages for use in Android, including copying the elaborate taxonomy covering 37 packages that involves multiple classes and methods.  Google had declined to obtain a license from Oracle to use the Java APIs in its platform or license the same under an open source GPL license; instead it copied the declaring code from the 37 Java API packages (over 11,000 lines of code), but wrote its own implementing code.  Google designed it this way, believing that Java application programmers would want to find the same 37 sets of functionalities in the new Android system callable by the same names as used in Java. Continue Reading

Federal Omnibus Spending Bill Includes CLOUD Act – Outlines Obligations of Providers to Turn over Electronic Communications Stored Overseas and Procedures to Quash for Comity Purposes

In the flurry of deal-making that resulted in a 2,232-page funding bill released Wednesday, lawmakers negotiated the inclusion of “The Clarifying Lawful Overseas Use of Data Act” (often referred to as the “CLOUD Act”) (see page 2,201 of the bill text).  The CLOUD Act provides a procedural structure for law enforcement to pursue the preservation or production of data and other information residing on servers located overseas that is within the possession, custody or control of the provider.

In this age of cloud computing, data can rest overseas or in multiple locations. As we’ve previously discussed, it is increasingly common to see extraterritorial legal disputes arise when parties attempt to apply laws passed before the digital age to our current landscape. Continue Reading

New York Court Rebuffs Ninth Circuit’s Copyright “Server Test,” Finds Embedded Tweet Displaying Copyrighted Image to Be Infringement

UPDATE: On March 19, 2018, the district court granted the defendant’s motion for certification of the court’s February 15th partial summary judgment decision for interlocutory appeal to the Second Circuit.  In allowing immediate appeal, the court agreed that its prior order “has created tremendous uncertainty for online publishers” and “given the frequency with which embedded images are ‘retweeted,’ the resolution of this legal question has an impact beyond this case.”  We will closely follow the appeal of this important copyright issue.

UPDATE: On July 17, 2018, the Second Circuit denied the petition for interlocutory appeal.

A New York district court recently held that a host of online news publishers and media websites that embedded certain tweets (containing unauthorized uploads of plaintiff’s copyrighted photo) on their websites violated the plaintiff’s exclusive display right, despite the fact that the image at issue was hosted on a server owned and operated by an unrelated third party (i.e., Twitter).  (See Goldman v. Breitbart News Network, LLC, No. 17-03144 (S.D.N.Y. Feb. 15, 2018)).  In doing so, the court declined to adopt the Ninth Circuit’s so-called “server test” first espoused in the 2007 Perfect 10 decision, which held that the infringement of the public display right in a photographic image depends, in part, on where the image was hosted.

Under the “server test,” only a server that actually stored the photographs and “serves that electronic information directly to the user (`i.e., physically sending ones and zeroes over the Internet to the user’s browser’) could infringe the copyright holder’s rights.” In its ruling, the Goldman court granted the plaintiff’s motion for partial summary judgment, and determined that the reasoning of the Perfect 10 decision, which applied to a search engine’s image search function and display of full-size images hosted on third-party servers to a user, was not applicable to the embedding practices the media sites engaged in.  Continue Reading

California Court Declines to Dismiss Illinois Facial Recognition/Biometric Privacy Suit against Facebook on Standing Grounds

UPDATE: On March 2, 2018, in a related biometric privacy litigation surrounding Tag Suggestions brought by non-users of Facebook, a California district court in a brief order declined to dismiss the action for lack of standing, citing its reasoning in the Patel opinion.  (Gullen v. Facebook, Inc., No. 16-00937 (N.D. Cal. Mar. 2, 2018)). While Facebook offered evidence that it does not store faceprint data on non-users, but only analyzes it to see if there is a match, the court stated such substantive arguments are best left for summary judgment or trial.  Note: the Gullen case is related to the consolidated Facebook biometric privacy litigation and as such, is being heard before the same judge. The difference between the two actions is that Gullen involves non-Facebook users, whereas the plaintiffs in In re Facebook are registered users.

This past week, a California district court again declined Facebook’s motion to dismiss an ongoing litigation involving claims under the Illinois Biometric Information Privacy Act, 740 Ill. Comp Stat. 14/1 (“BIPA”), surrounding Tag Suggestions, its facial recognition-based system of photo tagging.  In 2016, the court declined to dismiss the action based upon, among other things, Facebook’s contention that BIPA categorically excludes digital photographs from its scope.  This time around, the court declined to dismiss the plaintiffs’ complaint for lack of standing under the Supreme Court’s 2016 Spokeo decision on the ground that plaintiffs have failed to allege a concrete injury in fact.  (Patel v. Facebook, Inc., No. 15-03747 (N.D. Cal. Feb. 26, 2018) (cases consolidated at In re Facebook Biometric Information Privacy Litig., No. 15-03747 (N.D. Cal.)).  As a result, Facebook will be forced to continue to litigate this action.

This dispute is being closely watched as there are a number of similar pending BIPA suits relating to biometrics and facial recognition  and other defendants are looking at which of Facebook’s defenses might hold sway with a court.  Continue Reading

LexBlog