<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Corey Varma]]></title><description><![CDATA[Corey Varma is an attorney in Chicago, Illinois with a focus in Information Technology and Privacy law, Cyberspace law, Social Media law, and Intellectual Prope]]></description><link>https://coreyvarma.com</link><image><url>https://cdn.hashnode.com/res/hashnode/image/upload/v1737321642193/51f11e2a-cc4d-4fda-9547-523f30c71e10.png</url><title>Corey Varma</title><link>https://coreyvarma.com</link></image><generator>RSS for Node</generator><lastBuildDate>Tue, 07 Apr 2026 20:09:12 GMT</lastBuildDate><atom:link href="https://coreyvarma.com/rss.xml" rel="self" type="application/rss+xml"/><language><![CDATA[en]]></language><ttl>60</ttl><item><title><![CDATA[What does “valuable consideration” mean under the California Consumer Privacy Act?]]></title><description><![CDATA[January 1, 2020 brings important new privacy rights for California residents as the California Consumer Privacy Act (“CCPA”) goes into effect. 
Following in the footsteps of the European Union’s General Data Protection Regulation (“GDPR”), the Califor...]]></description><link>https://coreyvarma.com/what-does-valuable-consideration-mean-under-the-california-consumer-privacy-act</link><guid isPermaLink="true">https://coreyvarma.com/what-does-valuable-consideration-mean-under-the-california-consumer-privacy-act</guid><category><![CDATA[ccpa]]></category><category><![CDATA[privacy]]></category><category><![CDATA[california]]></category><category><![CDATA[Law]]></category><dc:creator><![CDATA[Sarina Khanolkar]]></dc:creator><pubDate>Mon, 25 Nov 2019 18:00:00 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1737322433647/5b1a6c55-e62b-4f6c-8784-782ee92646f3.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>January 1, 2020 brings important new privacy rights for California residents as the California Consumer Privacy Act (“CCPA”) goes into effect. Following in the footsteps of the European Union’s General Data Protection Regulation (“GDPR”), the California legislature enacted the CCPA which enhances privacy rights and consumer protection by providing California consumers more control over the collection, processing, sale, and disclosure of their personal information.</p>
<p>While California leads the nation in privacy protection, the CCPA has posed significant challenges to organizations subject to the new law due to its sometimes ambiguous language and broad provisions. The Act was purposefully written with broad language, giving express authority to the California Attorney General to enact regulations and clarify specific provisions of the Act. One of the areas the Attorney General did not address in its <a target="_blank" href="https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-proposed-regs.pdf">Draft Regulations</a> is the question of what is considered a “sale” under the CCPA.</p>
<p>Per the Act, “sale” is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or <strong>other valuable consideration</strong>.” <a target="_blank" href="https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.140.&amp;highlight=true&amp;lawCode=CIV&amp;keyword=sale">Section 1798.140(t)(1)</a> (emphasis added). However, the Act does not define what “other valuable consideration” means, which has made it challenging for businesses to determine whether they are considered a seller under the Act.</p>
<p>Until further guidance is provided by the Attorney General or the legislature, we must look to the courts in order to understand how “sale” may be defined in the context of “valuable consideration.” Since the CCPA has not seen any enforcement action, there is no case law on point. However, we can still look to California courts, which have given meaning to “valuable consideration” in other contexts.</p>
<p>One source we can look to is California contract law. The basis of any contract is consideration, which “must be an act or a return promise, bargained for and given in exchange for the promise.” <a target="_blank" href="https://scholar.google.com/scholar_case?case=17853078418934237133&amp;q=consideration&amp;hl=en&amp;#p272"><em>Simmons v. Cal. Inst. of Tech.</em>, 34 Cal. 2d 264, 272</a> (1949). Under this test, the key question is whether the exchange motivated the other party’s promise or performance. Furthermore, both parties must understand and have intended the bargained-for exchange. One common example of non-monetary consideration is a nondisclosure agreement where one party agrees to allow another access to confidential information in exchange for service.</p>
<p>If valuable consideration under the CCPA is interpreted in a manner consistent with California contract law, any agreement between two parties where personal information is exchanged in order to motivate the other party’s promise or performance would be considered a sale under the CCPA. One example is when a company includes advertising cookies on its website and the advertiser is able to use the personal information to help improve retargeting or cross-targeting to the consumer. In such a case, the company receives a benefit that would likely be considered a sale under the CCPA.</p>
<p>However, this may be too broad an interpretation. California courts have narrowed the scope of valuable consideration by holding that, even where an exchange induces another party’s promise or performance, the exchange will be considered too remote or ancillary, and is not consideration, where the exchange is not material to the bargain. <em>See</em> <a target="_blank" href="https://scholar.google.com/scholar_case?case=3633063643610949116&amp;q=People+v.+Cardas,+137+Cal.+App.+Supp.+788&amp;hl=en&amp;as_sdt=400006#p452"><em>People v. Shira</em>, 62 Cal. App. 3d 442</a>. For example, if a company gets anonymous demographic information in return for including an advertiser’s cookies on its site, this may be considered too remote or ancillary under this line of reasoning.</p>
<p>Ultimately, the scope of the CCPA’s definition of “sale” will likely remain elusive until its meaning under the CCPA is tested.</p>
]]></content:encoded></item><item><title><![CDATA[“Why am I getting all these Privacy Policy update emails?”]]></title><description><![CDATA[In April 2016, the European Union (“EU”) passed a sweeping new regulation, the General Data Protection Regulation (“GDPR”), which becomes effective today, May 25, 2018. Because the GDPR is a regulation, as opposed to a directive (such as the 1998 EU ...]]></description><link>https://coreyvarma.com/why-am-i-getting-all-these-privacy-policy-update-emails</link><guid isPermaLink="true">https://coreyvarma.com/why-am-i-getting-all-these-privacy-policy-update-emails</guid><category><![CDATA[privacy]]></category><category><![CDATA[information technology]]></category><category><![CDATA[Law]]></category><dc:creator><![CDATA[Corey Varma]]></dc:creator><pubDate>Fri, 25 May 2018 17:00:00 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1737320603501/2c16b536-59cb-4efa-a364-eae069327a92.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>In April 2016, the European Union (“EU”) passed a sweeping new regulation, the <a target="_blank" href="http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&amp;from=EN">General Data Protection Regulation</a> (“GDPR”), which becomes effective today, May 25, 2018. Because the GDPR is a regulation, as opposed to a directive (such as the 1998 EU <a target="_blank" href="https://en.wikipedia.org/wiki/Data_Protection_Directive">Data Protection Directive</a>), it does not require EU member states to enact enabling legislation because it is directly binding and applicable on EU member states.</p>
<h3 id="heading-so-why-am-i-getting-all-these-privacy-policy-update-emails">So, “why am I getting all these Privacy Policy update emails?”</h3>
<p>The GDPR applies to any organization that processes or controls the personal data of any <a target="_blank" href="http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&amp;from=EN#d1e1489-1-1">data subject</a> in the EU whether or not the organization is based in the EU. <a target="_blank" href="http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&amp;from=EN#d1e1455-1-1">Article 3</a>. Because the internet makes it easy for US-based organizations to provide services to international consumers, many US-based organizations will inevitably provide their products and services to EU-based data subjects, and are thus subject to the GDPR’s requirements.</p>
<h3 id="heading-what-does-the-gdpr-require">What does the GDPR require?</h3>
<p>For the most part the GDPR is yet another iteration of the <a target="_blank" href="http://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm">Fair Information Practices</a> (“FIPs”) which were developed in 1980 by The Organisation for Economic Co-operation (“OECD”). These eight FIP principles for the protection of personal data, which anticipated the Internet and instantaneous exchange of personal data, have continued to be the backbone of privacy frameworks and legislation enacted by the EU and elsewhere:</p>
<blockquote>
<p><strong><em>Collection Limitation Principle</em></strong> <em>– There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.</em></p>
<p><strong><em>Data Quality Principle</em></strong> <em>– Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.</em></p>
<p><strong><em>Purpose Specification Principle</em></strong> <em>– The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.</em></p>
<p><strong><em>Use Limitation Principle</em></strong> <em>– Personal data should not be disclosed, made available or otherwise used for purposes other than those specified</em></p>
<p><strong><em>Security Safeguards Principle</em></strong> <em>– Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.</em></p>
<p><strong><em>Openness Principle</em></strong> <em>– There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.</em></p>
<p><strong><em>Individual Participation Principle</em></strong> <em>– An individual should have the right, among other things, to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him.</em></p>
<p><strong><em>Accountability Principle</em></strong> <em>– A data controller should be accountable for complying with measures which give effect to the principles stated above.</em></p>
</blockquote>
<p>To be sure, there are additional specific requirements under the Regulation. Any of the GDPR’s requirements, though, can broadly fall under one or more of the above OECD principles. Specific requirements of the GDPR include, among others:</p>
<ul>
<li><p>A particular controller or processor should use a risk-based lens to assess its data privacy risks in an “objective” manner “by which it is established whether data processing operations involve a risk or a high risk.” <a target="_blank" href="http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&amp;from=EN">Recital 76</a>. If the assessment yields a high risk, the GDPR requires a formal <strong>Data Protection Impact Assessment (“DPIA”)</strong>. <a target="_blank" href="http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&amp;from=EN#d1e3546-1-1">Article 35</a>.</p>
</li>
<li><p>Appointment of a <strong>Data Protection Officer</strong> (“DPO”) for controllers and processors involved in high-risk processing activities, i.e., where one of a company’s core activities is the large-scale monitoring of individuals’ data or processing of special categories of personal data (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, and the like, defined in <a target="_blank" href="http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&amp;from=EN#d1e2051-1-1">Article 9</a>). <a target="_blank" href="http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&amp;from=EN#d1e3732-1-1">Article 37</a>.</p>
</li>
<li><p>A <strong>data breach notification</strong> requirement. In the event of a personal data breach, a data controller must notify the supervisory authority (most likely the supervisory authority of the member state where the controller has its corporate headquarters) not later than 72 hours after having become aware of it. <a target="_blank" href="http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&amp;from=EN#d1e3434-1-1">Article 33</a>, <a target="_blank" href="http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&amp;from=EN#d1e4844-1-1">55</a>, and <a target="_blank" href="http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&amp;from=EN#d1e4864-1-1">56</a>. If the data breach “is likely to result in a high risk to the rights and freedoms of individuals,” the data controller must also notify the affected data subjects “without undue delay.” <a target="_blank" href="http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&amp;from=EN#d1e3490-1-1">Article 34</a>.</p>
</li>
</ul>
<p>As with any sweeping regulatory regime, there is still uncertainty that is (in some cases) still being resolved by guidance from EU member states’ supervisory authorities. In the coming months and years we will see how the GDPR takes hold and how EU courts will interpret its regulatory language.</p>
]]></content:encoded></item><item><title><![CDATA[Snapchat sued for allegedly violating Illinois Biometric Information Privacy Act (BIPA)]]></title><description><![CDATA[Snapchat faces a class action lawsuit accusing it of violating the Illinois Biometric Information Privacy Act (“BIPA”). The suit centers around the Snapchat app’s “lenses” feature, which allows the app to draw animated additions to a person’s face.
T...]]></description><link>https://coreyvarma.com/snapchat-sued-for-allegedly-violating-illinois-biometric-information-privacy-act-bipa</link><guid isPermaLink="true">https://coreyvarma.com/snapchat-sued-for-allegedly-violating-illinois-biometric-information-privacy-act-bipa</guid><category><![CDATA[Cyber Laws]]></category><category><![CDATA[information technology]]></category><category><![CDATA[privacy]]></category><dc:creator><![CDATA[Corey Varma]]></dc:creator><pubDate>Mon, 18 Jul 2016 17:00:00 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1737320783973/b602fee1-1afc-4525-8148-08b27e4a7512.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Snapchat faces a class action <a target="_blank" href="http://www.coreyvarma.com/wp-content/uploads/2016/07/Martinez-v.-Snapchat-Complaint.pdf">lawsuit</a> accusing it of violating the <a target="_blank" href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&amp;ChapterID=57">Illinois Biometric Information Privacy Act</a> (“BIPA”). The suit centers around the Snapchat app’s “lenses” feature, which allows the app to draw animated additions to a person’s face.</p>
<p>The suit alleges Snapchat violated BIPA because its “proprietary facial recognition technology scans a user’s face . . . and collects, stores and uses, geometric data relating to the unique points and contours (i.e., biometric identifiers) of each face.”</p>
<p>Additionally, the suit alleges Snapchat never informed its users of the “specific purpose and length of term for which their biometric identifiers or information would be collected, stored and used, nor did Snapchat obtain a written consent or release from any of these users.” The suit further alleges “Snapchat does not have written, publicly available policies identifying its retention schedules or guidelines for permanently destroying users’ biometric identifiers or information.”</p>
<p>BIPA requires software companies to inform their users “in writing that a biometric identifier or biometric information is being collected or stored.” Additionally, the Act requires companies to disclose the “length of term for which a biometric identifier or biometric information is being collected, stored, and used.” Most importantly, the Act requires companies to “receive[] a written release executed by the subject of the biometric identifier or biometric information.”</p>
<p>Last year, Facebook faced a similar class action <a target="_blank" href="http://arstechnica.com/tech-policy/2015/04/chicago-man-sues-facebook-over-facial-recognition-use-in-tag-suggestions/">lawsuit</a> brought under the same Illinois law.</p>
<p>Case info: <em>Martinez et al v. Snapchat, Inc.</em>, case number 2:16-cv-05182, out of the U.S. District Court for the Central District of California.</p>
]]></content:encoded></item><item><title><![CDATA[DOJ files Motion to Vacate hearing in terrorist’s iPhone case]]></title><description><![CDATA[The Department of Justice (DOJ) filed a last minute Motion to Vacate today’s hearing regarding the San Bernardino terrorist’s encrypted iPhone. The DOJ previously sought Apple’s assistance to modify the iPhone’s software, weakening the mobile phone’s...]]></description><link>https://coreyvarma.com/doj-files-motion-to-vacate-hearing-in-terrorists-iphone-case</link><guid isPermaLink="true">https://coreyvarma.com/doj-files-motion-to-vacate-hearing-in-terrorists-iphone-case</guid><category><![CDATA[Criminal]]></category><category><![CDATA[Law]]></category><category><![CDATA[iphone]]></category><dc:creator><![CDATA[Corey Varma]]></dc:creator><pubDate>Tue, 22 Mar 2016 17:00:00 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1737322323969/4b92b122-e07e-40d7-9b07-293454c1301d.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>The Department of Justice (DOJ) filed a last minute <a target="_blank" href="http://www.coreyvarma.com/wp-content/uploads/2016/03/305549490-Apple-vs-FBI-Motion-to-Vacate.pdf">Motion to Vacate</a> today’s hearing regarding the San Bernardino terrorist’s encrypted iPhone. The DOJ <a target="_blank" href="http://www.wired.com/2016/02/doj-files-motion-to-compel-apple-to-cooperate-in-san-bernardino-case/">previously</a> sought Apple’s assistance to modify the iPhone’s software, weakening the mobile phone’s security features, in order to gain access to the information stored on it. The DOJ’s request sparked a renewed debate over government access to encrypted data.</p>
<p>When Apple <a target="_blank" href="https://www.apple.com/customer-letter/">rejected</a> the DOJ’s request, the government <a target="_blank" href="http://www.coreyvarma.com/wp-content/uploads/2016/03/305549490-Apple-vs-FBI-Motion-to-Vacate.pdf">proposed</a> that an “alternative” course of action would be to request “the [iPhone’s] source code and Apple’s private electronic signature” so it could modify the mobile phone’s software itself. But it seems that the DOJ has now backed off its position.</p>
<p>The DOJ’s Motion indicates that the FBI has teamed up with an “outside party” to garner access to the data stored on the mobile phone. This unnamed party supposedly has the ability to defeat the iPhone’s encryption without compromising the data contained within.</p>
]]></content:encoded></item><item><title><![CDATA[New FTC Rules For Online Native Advertising]]></title><description><![CDATA[The Federal Trade Commission (FTC) recently issued guidelines regarding native advertising in a recent enforcement policy statement. These guidelines, more a reaffirmation of previous FTC enforcement actions, are aimed at regulating “promotional mess...]]></description><link>https://coreyvarma.com/new-ftc-rules-for-online-native-advertising</link><guid isPermaLink="true">https://coreyvarma.com/new-ftc-rules-for-online-native-advertising</guid><category><![CDATA[Advertising]]></category><category><![CDATA[FTC]]></category><category><![CDATA[Law]]></category><category><![CDATA[native advertising for publishers]]></category><dc:creator><![CDATA[Corey Varma]]></dc:creator><pubDate>Sun, 27 Dec 2015 18:00:00 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1737322223069/d0dd5675-aef3-4774-badd-6e107bc273c2.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>The Federal Trade Commission (FTC) recently issued guidelines regarding native advertising in a recent <a target="_blank" href="https://www.ftc.gov/system/files/documents/public_statements/896923/151222deceptiveenforcement.pdf">enforcement policy statement</a>. These guidelines, more a reaffirmation of previous FTC enforcement actions, are aimed at regulating “promotional messages integrated into and presented as non-commercial content.” This policy statement relies on the FTC’s authority to regulate deceptive commercial practices.</p>
<p>Native advertisements have been used for decades in print media (and are referred to by the portmanteau “<a target="_blank" href="http://dictionary.reference.com/browse/advertorial">advertorial</a>”). But the FTC believes the emergence of native advertisements online poses problems for consumers because native advertisements “mask the signals consumers customarily . . . rel[y] upon to recognize an advertis[ement] or promotional message.” This sometimes makes it extremely difficult for consumers to differentiate between actual content and advertisements, and such advertisements are therefore deceptive:</p>
<blockquote>
<p><em>Regardless of the medium in which an advertising or promotional message is disseminated, deception occurs when consumers acting reasonably under the circumstances are misled about its nature or source, and such misleading impression is likely to affect their decisions or conduct regarding the advertised product or the advertising.</em></p>
</blockquote>
<p>The FTC policy statement explains that an advertisement’s format is deceptive if it materially misleads consumers about the advertisement’s commercial nature. In conclusion, the FTC issued guidelines that can help businesses avoid deceiving consumers:</p>
<blockquote>
<p><em>Deception occurs when an advertisement misleads reasonable consumers as to its true nature or source, including that a party other than the sponsoring advertiser is the source of an advertising or promotional message, and such misleading representation is material. In this regard, a misleading representation is material if it is likely to affect consumers’ choices or conduct regarding the advertised product or the advertisement, such as by leading consumers to give greater credence to advertising claims or to interact with advertising with which they otherwise would not have interacted.</em></p>
</blockquote>
<p>Advertisements that fall into this category of deceptive marketing are deceptive even if the communicated value of the advertisement is truthful and non-misleading.</p>
<p>The FTC vote approving the policy statement was unanimous (4-0).</p>
]]></content:encoded></item><item><title><![CDATA[Court finds Fifth Amendment protects smartphone passwords]]></title><description><![CDATA[The Fifth Amendment protects individuals from being compelled by the government to criminally incriminate themselves, stating in no uncertain terms:

“No person . . . shall be compelled in any criminal case to be a witness against himself.”

As discu...]]></description><link>https://coreyvarma.com/court-finds-fifth-amendment-protects-smartphone-passwords</link><guid isPermaLink="true">https://coreyvarma.com/court-finds-fifth-amendment-protects-smartphone-passwords</guid><category><![CDATA[fifth-amendment]]></category><category><![CDATA[privacy]]></category><category><![CDATA[Law]]></category><category><![CDATA[criminal law,]]></category><dc:creator><![CDATA[Corey Varma]]></dc:creator><pubDate>Wed, 30 Sep 2015 17:00:00 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1737322110178/f539ecba-9284-4529-90ea-6319aa83d328.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>The Fifth Amendment protects individuals from being compelled by the government to criminally incriminate themselves, stating in no uncertain terms:</p>
<blockquote>
<p><em>“No person . . . shall be compelled in any criminal case to be a witness against himself.”</em></p>
</blockquote>
<p>As discussed in a previous <a target="_blank" href="http://www.coreyvarma.com/2015/07/encryption-vs-fifth-amendment/">post</a>, the Fifth Amendment covers encryption of computers when the encryption “key” is a password since compelling the production of a password requires a defendant to reveal “the contents of [his] mind,” which is a testimonial act, forcing the defendant to be a witness against himself. <em>See United States v. Doe (In re Grand Jury Subpoena Duces Tecum)</em>, 670 F.3d 1335, <a target="_blank" href="https://scholar.google.com/scholar_case?case=201586737907154112&amp;q#p1345">1345</a> (11th Cir. 2012).</p>
<p>A court recently extended this doctrine to encrypted smartphones. In <a target="_blank" href="http://www.coreyvarma.com/wp-content/uploads/2015/09/sec-v-huang.pdf"><em>SEC v. Huang</em></a>, the U.S. District Court for the Eastern District of Pennsylvania rejected the SEC’s attempt to compel the production of a password to decrypt a smartphone.</p>
<p>There does not seem to be a principled distinction between computer passwords, which have readily been found to be protected, and passwords for smartphones, which are just smaller computers. Rather, what is interesting about this decision is the court’s application of the “foregone conclusion” exception to the Fifth Amendment protection against self-incrimination.</p>
<p>The foregone conclusion exception to the Fifth Amendment provides that the rule against compelling self-incrimination can be overcome if the testimonial information protected is a foregone conclusion. That is, “where the location, existence, and authenticity of the purported evidence is known <em>with reasonable particularity</em>, the contents of the individual’s mind are not used against him, and therefore no Fifth Amendment protection is available.” <em>Doe</em>, 670 F.3d at <a target="_blank" href="https://scholar.google.com/scholar_case?case=201586737907154112&amp;q#p1344">1344</a> (emphasis added).</p>
<p>While in <em>Huang</em>, based on the particular circumstances in the case, the SEC could certainly demonstrate the defendant was the sole owner of the phone, the court found that the SEC did not indicate with “reasonable particularity” the “existence” of any of the requested documents on the smartphones. The court therefore found that the foregone conclusion doctrine did not apply.</p>
]]></content:encoded></item><item><title><![CDATA[Encryption vs. Fifth Amendment]]></title><description><![CDATA[The Fifth Amendment to the United States Constitution states:

“No person . . . shall be compelled in any criminal case to be a witness against himself.”

U.S. Const. amend. V.
Known as the prohibition against self-incrimination, this clause of the F...]]></description><link>https://coreyvarma.com/encryption-vs-fifth-amendment</link><guid isPermaLink="true">https://coreyvarma.com/encryption-vs-fifth-amendment</guid><category><![CDATA[privacy]]></category><category><![CDATA[Law]]></category><category><![CDATA[encryption]]></category><category><![CDATA[Constitution]]></category><category><![CDATA[Technology Law]]></category><category><![CDATA[criminal law,]]></category><dc:creator><![CDATA[Corey Varma]]></dc:creator><pubDate>Mon, 27 Jul 2015 17:00:00 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1737321919587/18976c2d-9d7c-4ebd-8e9d-4c87959454b6.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>The Fifth Amendment to the United States Constitution states:</p>
<blockquote>
<p><em>“No person . . . shall be compelled in any criminal case to be a witness against himself.”</em></p>
</blockquote>
<p><a target="_blank" href="https://www.law.cornell.edu/constitution/fifth_amendment">U.S. Const. amend. V.</a></p>
<p>Known as the prohibition against self-incrimination, this clause of the Fifth Amendment is commonly asserted by defendants in criminal trials. While its applicability in those contexts is quite settled, the Fifth Amendment’s place in the realm of computerized encryption is still a bit murky.</p>
<h3 id="heading-generally-the-right-against-self-incrimination">Generally, the Right against Self-Incrimination</h3>
<p>A criminal defendant must demonstrate three factors to successfully assert their right against self-incrimination under the Fifth Amendment: (1) compulsion, (2) a testimonial communication or act, and (3) incrimination. <em>See Fisher v. United States</em>, 425 U.S. 391, <a target="_blank" href="https://scholar.google.com/scholar_case?case=10520682160164643446&amp;q&amp;hl=en&amp;as_sdt=400006#p408">408</a> (1976).</p>
<p>The first and third are simple enough to demonstrate. When a defendant is subpoenaed to act, the act is compelled. And an act is incriminating if the act exposes that person to criminal liability.</p>
<p>The salient question for the Fifth Amendment and the right against self-incrimination, especially within the context of technology, is whether compelling a defendant to act constitutes a “testimonial” act.</p>
<p>An act is testimonial when the government compels an individual to use “the contents of his own mind to explicitly or implicitly communicate some statement of fact” which allows law enforcement to learn facts it didn’t already know. <em>United States v. Doe (In re Grand Jury Subpoena Duces Tecum)</em>, 670 F.3d 1335, <a target="_blank" href="https://scholar.google.com/scholar_case?case=201586737907154112&amp;q#p1345">1345</a> (11th Cir. 2012) (internal citations omitted).</p>
<p>For example, being required to provide your fingerprint (or a DNA sample) pursuant to a legally obtained warrant or probable cause is not a testimonial act because you are not revealing “the contents of your mind.” Thus, you would be unable to assert your right against self-incrimination when you’re being fingerprinted. <em>See generally Schmerber v. Cal.</em>, 384 U.S. 757, <a target="_blank" href="https://scholar.google.com/scholar_case?case=9806833505253407923&amp;#p764">764</a> (1966).</p>
<p>The same is true for being compelled to unlock a safe with a physical key because a physical key cannot be correctly considered “the contents of your mind” and therefore unlocking the safe is not a testimonial act. <em>Doe</em>, 670 F.3d at <a target="_blank" href="https://scholar.google.com/scholar_case?case=201586737907154112&amp;q#p1345">1345</a>.</p>
<p>By contrast, revealing the combination to a safe <em>is</em> a testimonial act because the combination to a safe constitutes the “contents of [a person’s] own mind.” Further, producing the combination to a safe explicitly or implicitly communicates a statement of fact that allows law enforcement to learn facts it didn’t already know. Therefore, providing the combination to a safe is a testimonial act that is protected by the Fifth Amendment. <em>Id.</em> at <a target="_blank" href="https://scholar.google.com/scholar_case?case=201586737907154112&amp;q#p1346">1346</a>.</p>
<h3 id="heading-encryption-and-the-right-against-self-incrimination">Encryption and the Right against Self-Incrimination</h3>
<p>Extending the <em>Doe</em> safe analogy works well for encryption. But when it comes to encryption, using the terms “key” and “combination” may become confusing to the uninitiated. So, before continuing, it’s worth clarifying that technically speaking encryption “keys” are actually “combinations” that help a computer program <a target="_blank" href="https://en.wikipedia.org/wiki/Cipher#Etymology">decipher</a> the contents of a file or disk. An encryption key is not a physical “key” that opens a lock. Rather it is a combination that provides the instructions to decipher the contents of a file or disk. As such the term encryption “key” is a misnomer. However, <a target="_blank" href="http://www.dsm.fordham.edu/~mathai/crypto.html">historically</a>, the “combinations” that are used to encrypt computer files have often been referred to as encryption “keys.”</p>
<p>But it doesn’t matter much what they’re called. What matters is that the Fifth Amendment applies to the compelled production of encryption keys because an encryption key is the content of a person’s mind, and by compelling its production law enforcement would be learning new facts beyond simply the encryption key itself. So, like the production of a combination to a safe, the production of an encryption key is a “testimonial act” by a defendant of their knowledge of the existence and location of potentially incriminating files, and their control and dominion of the encrypted files.</p>
<p>Therefore, a defendant can properly assert their Fifth Amendment right against self-incrimination when being forced to decrypt files on a computer or a disk. But there are ways law enforcement can legally get around the Fifth Amendment using the foregone conclusion doctrine.</p>
]]></content:encoded></item><item><title><![CDATA[Complaint filed against Lenovo over pre-installed Superfish adware]]></title><description><![CDATA[A complaint has been filed against Lenovo in the U.S. District Court for the Southern District of California for Lenovo’s admitted (pdf) preloading of Superfish adware on their customers’ computers.
Superfish injects product recommendations into sear...]]></description><link>https://coreyvarma.com/complaint-filed-against-lenovo-over-pre-installed-superfish-adware</link><guid isPermaLink="true">https://coreyvarma.com/complaint-filed-against-lenovo-over-pre-installed-superfish-adware</guid><category><![CDATA[privacy]]></category><category><![CDATA[technology]]></category><category><![CDATA[Spyware]]></category><category><![CDATA[adware]]></category><dc:creator><![CDATA[Corey Varma]]></dc:creator><pubDate>Fri, 20 Feb 2015 18:00:00 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1737321769057/87159213-e574-4129-a8b0-bb38eae8eadb.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>A <a target="_blank" href="http://www.coreyvarma.com/wp-content/uploads/2015/02/S.D.-Cal.-15-cv-00368-dckt-000001_000-filed-2015-02-19.pdf">complaint</a> <a target="_blank" href="http://www.coreyvarma.com/wp-content/uploads/2015/02/S.D.-Cal.-15-cv-00368-dckt-000001_000-filed-2015-02-19.pdf">has been</a> filed against Lenovo in the U.S. District Court for the Southern District of California for Lenovo’s <a target="_blank" href="http://news.lenovo.com/article_display.cfm?article_id=1929">admitted</a> <a target="_blank" href="http://news.lenovo.com/article_display.cfm?article_id=1929">(pdf</a><a target="_blank" href="http://www.coreyvarma.com/wp-content/uploads/2015/02/LENOVO-STATEMENT-ON-SUPERFISH.pdf">)</a> preloading of Superfish adware on their customers’ computers.</p>
<p>Superfish injects product recommendations into search results and displays ads on otherwise legitimate pages. But it also includes a universal self-signed certificate authority. This universal certificate authority allows man-in-the-middle attacks to inject ads even on secure encrypted (SSL) pages without triggering browser security warnings. This makes Lenovo laptops vulnerable to malware and malicious man-in-the-middle attacks. Additionally, Superfish adware uses memory resources and consumes bandwidth, affecting computer and network performance.</p>
<p>The Plaintiff, a blogger from San Diego, Jessica Bennett, alleges her laptop was damaged as a result of Lenovo’s pre-installation of Superfish on her laptop.</p>
<p>The complaint requests a jury trial and class action certification. The complaint charges both Lenovo and Superfish with violations of: The California Invasion of Privacy Act (CIPA); The Federal Electronic Communications Privacy Act (ECPA); Trespass to personal chattel under California common law; and “fraudulent” business practices under California’s Unfair Competition Law.</p>
]]></content:encoded></item><item><title><![CDATA[Court finds Dish Network liable for 50+ million illegal telemarketing calls]]></title><description><![CDATA[On March 25, 2009, The U.S. Department of Justice (DOJ), on behalf of the Federal Trade Commission (FTC), filed suit against Dish Network in the U.S. District Court for the Central District of Illinois for telemarketing violations. In its suit, the D...]]></description><link>https://coreyvarma.com/court-finds-dish-network-liable-for-50-million-illegal-telemarketing-calls</link><guid isPermaLink="true">https://coreyvarma.com/court-finds-dish-network-liable-for-50-million-illegal-telemarketing-calls</guid><category><![CDATA[privacy]]></category><category><![CDATA[Lawsuits]]></category><category><![CDATA[Telemarketing]]></category><dc:creator><![CDATA[Corey Varma]]></dc:creator><pubDate>Thu, 29 Jan 2015 18:00:00 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1737321562791/2a96cd2f-affb-4817-acc6-a9286593e0ab.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>On March 25, 2009, The U.S. Department of Justice (DOJ), on behalf of the Federal Trade Commission (FTC), <a target="_blank" href="http://www.ftc.gov/sites/default/files/documents/cases/2009/03/090325echostarcmpt.pdf">filed suit</a> against Dish Network in the U.S. District Court for the Central District of Illinois for telemarketing violations. In its suit, the DOJ was joined by California, Illinois, Ohio, and North Carolina.</p>
<p>On December 12, 2014, the court found Dish Network liable for over 50 million calls that violated the FTC’s Telemarketing Sales Rule (TSR). <em>See</em> <a target="_blank" href="http://www.law.cornell.edu/cfr/text/16/part-310">16 C.F.R. 310</a>. The court found Dish Network violated Do-Not-Call, entity-specific, and abandoned-call rules – along with various violations of state laws. The court made this decision in a partial summary judgment in favor of the FTC. <a target="_blank" href="http://www.ftc.gov/system/files/documents/cases/150121dishnetworkopinion-1.pdf"><em>U.S. v. Dish Network, LLC</em>, No. 09-3073, slip op. (C.D. Ill. Dec. 12, 2014)</a>.</p>
<p>Summary judgment is appropriate when “the movant shows that <em>there is no genuine dispute as to any material fact</em>. . .” <a target="_blank" href="http://www.law.cornell.edu/rules/frcp/rule_56#rule_56_a">Fed. R. Civ. P. 56(a)</a> (emphasis added). Here, the court found the DOJ sufficiently showed there were no disputes as to any material fact because Dish Network “failed to dispute with any evidence” the DOJ’s allegations. <em>U.S. v. Dish Network, LLC</em>, No. 09-3073, slip op. at <a target="_blank" href="http://www.ftc.gov/system/files/documents/cases/150121dishnetworkopinion-1.pdf">4</a>. Therefore, summary judgment against Dish Network was appropriate.</p>
<p>However, the court did leave questions for trial. Particularly, the court reserved the determination of penalties for trial. <em>Id.</em> at <a target="_blank" href="http://www.ftc.gov/system/files/documents/cases/150121dishnetworkopinion-1.pdf">4</a>. Penalties for violating the TSR can be up to $16,000 for each instance. <a target="_blank" href="https://www.federalregister.gov/articles/2009/01/09/E9-210/federal-civil-penalties-inflation-adjustment-act">Federal Civil Penalties Inflation Adjustment Act, 74 Fed. Reg. 857 (Jan. 9, 2009)</a> (amending <a target="_blank" href="http://www.law.cornell.edu/uscode/text/15/45#m_1_A">15 U.S.C. 45(m)(1)(A)</a>).</p>
]]></content:encoded></item><item><title><![CDATA[Can accessing a publicly available web page land you in prison under the CFAA?]]></title><description><![CDATA[The Computer Fraud and Abuse Act (CFAA) (See 18 U.S.C. § 1030) is a law that generally prohibits intentionally accessing a computer, without authorization, and obtaining information from a protected computer. Though Congress decided to leave interpre...]]></description><link>https://coreyvarma.com/can-accessing-a-publicly-available-web-page-land-you-in-prison-under-the-cfaa</link><guid isPermaLink="true">https://coreyvarma.com/can-accessing-a-publicly-available-web-page-land-you-in-prison-under-the-cfaa</guid><category><![CDATA[CyberLawyer]]></category><category><![CDATA[information security]]></category><category><![CDATA[privacy]]></category><dc:creator><![CDATA[Corey Varma]]></dc:creator><pubDate>Wed, 21 Jan 2015 18:00:00 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1737321362087/7fa76e0b-6f70-4d00-8094-660d05b9b685.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>The <a target="_blank" href="https://coreyvarma.hashnode.dev/what-is-the-computer-fraud-and-abuse-act-cfaa">Computer Fraud and Abuse Act</a> (CFAA) (See <a target="_blank" href="http://www.law.cornell.edu/uscode/text/18/1030">18 U.S.C. § 1030</a>) is a law that generally prohibits intentionally accessing a computer, <em>without authorization</em>, and obtaining information from a protected computer. Though Congress decided to leave interpretation of “without authorization” to the courts. This causes some uncertainty in analyzing whether certain online behavior might be illegal – especially when the computer that is accessed is a publicly accessible computer. This leads us to <a target="_blank" href="http://scholar.google.com/scholar_case?case=13693917825781785020&amp;hl=en&amp;as_sdt=400006"><em>United States v. Auernheimer</em></a><em>.</em> </p>
<p>Auernheimer and his friend Spitler discovered a publicly accessible page on AT&amp;T’s website that displayed subscriber email addresses when prompted with a unique ICC ID serial number. This page was available to anyone that had the URL (which, as of 1/21/2015, is still publicly available at: <a target="_blank" href="https://dcp2.att.com/OEPNDClient/openPage?ICCID=">https://dcp2.att.com/OEPNDClient/openPage?ICCID=</a>). Auernheimer and Spitler realized that these unique ICC ID serial numbers followed a predictable pattern. The pair wrote a script that could gather email addresses by feeding the page with these predictable ICC ID serial numbers. In all, they ended up collecting around 114,000 different email addresses.</p>
<p>At trial in <em>United States v. Auernheimer</em> the key issue was determining the meaning of “without authorization” under the CFAA. And, more importantly, whether Auernheimer (Spitler accepted a plea deal and never went to trial) intentionally accessed AT&amp;T’s web servers without authorization.</p>
<p>The government argued that Auernheimer accessed AT&amp;T’s web servers “without authorization” because AT&amp;T neither designed nor intended the page to be publicly available. Auernheimer argued that the page was publicly available, which, by default, should grant him authorization to access the page.</p>
<p>The District Court looked to the 6th Circuit’s decision in <em>Pulte Homes</em> to help determine what “without authorization” means:</p>
<blockquote>
<p><em>Congress left the interpretation of “without authorization” to the courts, we again start with ordinary usage. The plain meaning of “authorization” is “[t]he conferment of legality; … sanction.” Commonly understood, then, a defendant who accesses a computer “without authorization” does so without sanction or permission.</em></p>
</blockquote>
<p><a target="_blank" href="http://scholar.google.com/scholar_case?case=17290635928700175894&amp;hl=en&amp;as_sdt=400006#p303"><em>Pulte Homes, Inc. v. Laborers’ International Union Of North America</em>, 648 F.3d 295, 303-04 (6th Cir. 2011)</a>.</p>
<p>In convicting Auernheimer, the District Court reasoned that Auernheimer accessed AT&amp;T’s website without permission – and therefore without authorization. However, the Court mysteriously failed to convincingly identify where Auernheimer lost the permission to access a publicly available website.</p>
<p>Fortunately for Auernheimer, the 3rd Circuit overturned the conviction on appeal. Unfortunately though, the 3rd Circuit opted to forego answering the salient question of “what does ‘without authorization’ mean?” Instead, the 3rd Circuit issued an opinion vacating Auernheimer’s conviction on the basis that venue in New Jersey was improper. <a target="_blank" href="http://scholar.google.com/scholar_case?case=13693917825781785020&amp;hl=en&amp;as_sdt=2006"><em>United States v. Auernheimer</em>, 748 F. 3d 525 (3rd Cir. 2014)</a>.</p>
<p>Though the 3rd Circuit did not address the substantive question of the legality of Auernheimer’s use of a script to access the AT&amp;T page, they appeared skeptical of the original conviction. The 3rd Circuit noted that “no evidence was advanced at trial that the [script] ever breached any password gate or other code-based barrier. The [script] simply accessed the publicly facing portion of the login screen and scraped information that AT&amp;T unintentionally published.” <a target="_blank" href="http://scholar.google.com/scholar_case?case=13693917825781785020&amp;hl=en&amp;as_sdt=2006#[5]"><em>Auernheimer</em>, 748 F. 3d at 534 n.5</a>.</p>
<p>So the answer appears to be, based on the footnote in the 3rd Circuit’s opinion in <em>Auernheimer,</em> if you are not breaching a password gate or other code-based barrier, you cannot be convicted of accessing a publicly available page “without authorization.”</p>
]]></content:encoded></item><item><title><![CDATA[What is the Computer Fraud and Abuse Act (CFAA)?]]></title><description><![CDATA[The Computer Fraud and Abuse Act (CFAA) (See 18 U.S.C. § 1030) is a law that, generally, prohibits intentionally accessing a computer, without authorization (or exceeding authorized access), and obtaining information from a protected computer.
Breadt...]]></description><link>https://coreyvarma.com/what-is-the-computer-fraud-and-abuse-act-cfaa</link><guid isPermaLink="true">https://coreyvarma.com/what-is-the-computer-fraud-and-abuse-act-cfaa</guid><category><![CDATA[Cyberlaw ]]></category><category><![CDATA[privacy]]></category><category><![CDATA[hacking]]></category><dc:creator><![CDATA[Corey Varma]]></dc:creator><pubDate>Sat, 03 Jan 2015 18:00:00 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1737321204095/2711c3c3-3c4d-4584-8a4c-7bfa293602a9.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>The Computer Fraud and Abuse Act (CFAA) (See <a target="_blank" href="http://www.law.cornell.edu/uscode/text/18/1030">18 U.S.C. § 1030</a>) is a law that, generally, prohibits intentionally accessing a computer, without authorization (or exceeding authorized access), and obtaining information from a protected computer.</p>
<h3 id="heading-breadth">Breadth</h3>
<p>Because of the manner in which it was written and has been interpreted, the CFAA governs much of our regular online activity. As summarized above, the CFAA prohibits intentional access of a computer “without authorization” or “exceeding authorized access” to obtain information from a “protected computer.” Each of these elements allows the courts sweeping discretion in applying the CFAA.</p>
<h4 id="heading-without-authorization">Without Authorization</h4>
<p>The first type of CFAA breach stems from intentionally accessing a protected computer “without authorization”.</p>
<p>“Congress did not define the phrase ‘without authorization,’ perhaps assuming that the words speak for themselves. The meaning, however, has proven to be elusive.” <em>EF Cultural Travel BV v. Explorica</em>, 274 F.3d 577, <a target="_blank" href="http://scholar.google.com/scholar_case?case=2683575157740054983&amp;q=274+F.3d+577&amp;hl=en&amp;as_sdt=2006#[10]">582 n.10</a> (1st Cir. 2001).</p>
<p>This elusive nature of “without authorization” led the lower court in <em>EF Cultural Travel BV</em> to apply a vague “reasonable expectation” standard. The reasonable expectation standard defines access without authorization as access that is not “in line with the reasonable expectations” of the website owner and its users.</p>
<p>Other courts look to “intended function” to determine whether access was authorized. <em>United States v. Morris</em>, 928 F.2d 504, <a target="_blank" href="http://scholar.google.com/scholar_case?case=551386241451639668&amp;q=928+F.2d+504&amp;hl=en&amp;as_sdt=2006#p510">510</a> (2d Cir. 1991). This approach mysteriously allows for a subjective analysis of a website’s intended function.</p>
<p>Perhaps the most sensible approach is found in <em>LVRC Holdings LLC v. Brekka</em>. The 9th Circuit held “that a person uses a computer ‘without authorization’ under [the CFAA] when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” <em>LVRC Holdings LLC v. Brekka</em>, 581 F.3d 1127, <a target="_blank" href="http://scholar.google.com/scholar_case?case=3712527331075916393&amp;q=581+F.3d+1127&amp;hl=en&amp;as_sdt=2006#p1135">1135</a> (9th Cir. 2009).</p>
<h4 id="heading-exceeding-authorized-access">Exceeding Authorized Access</h4>
<p>The second type of CFAA breach arises when access to a protected computer “exceeds authorized access”.</p>
<p>Congress rather generously defines the term “exceeds authorized access” as “access[ing] a computer with authorization and . . . us[ing] such access to obtain or alter information in the computer that the accesser is not entitled . . . to obtain or alter.” <a target="_blank" href="http://www.law.cornell.edu/uscode/text/18/1030#e_6">18 U.S.C. § 1030(e)(6)</a>.</p>
<p>These issues typically arise in the context of employer-employee relationships. In <em>EF Cultural Travel BV</em>, the Defendant, a former employee of the Plaintiff, was found to have exceeded his authorized access to the Plaintiff’s website by using his proprietary knowledge of the Plaintiff’s website (protected by a “broad confidentiality agreement prohibiting . . . disclosure of any information ‘which might reasonably be construed to be contrary to the interests of [the Plaintiff]'”) to assist in the development of a “web scraper” that made “wholesale use” of the Plaintiff’s information. <em>EF Cultural Travel BV</em>, 274 F.3d 577 at <a target="_blank" href="http://scholar.google.com/scholar_case?case=2683575157740054983&amp;q=274+F.3d+577&amp;hl=en&amp;as_sdt=2006#p583">583</a>.</p>
<h4 id="heading-protected-computer">Protected computer</h4>
<p>A protected computer is a computer used by a financial institution, or the U.S. Government, or more importantly, a computer affecting interstate commerce or communication. Because a protected computer is a computer affecting interstate communication, people using ordinary internet-connected personal computers (and mobile devices) can be subjected to prosecution under the CFAA due to the inherent interstate nature of normal internet communication.</p>
<p>In <em>US v. Trotter,</em> the Defendant argued that his former employer’s computer network was not a “protected computer” as set forth in <a target="_blank" href="http://www.law.cornell.edu/uscode/text/18/1030#e_2_B">18 U.S.C. § 1030(e)(2)(B)</a>. The 8th Circuit rejected this claim and affirmed the Defendant’s conviction because the Defendant admitted, at a plea hearing, that his former employer’s network was connected to the internet. The Court used this admission to determine the computer network met the statutory definition of a “protected computer.” <em>US v. Trotter</em>, 478 F.3d 918, <a target="_blank" href="http://scholar.google.com/scholar_case?case=17901114336781965618&amp;q=US+v.+Trotter,+478+F.3d+918,+921+\(8th+Cir.+2007\)&amp;hl=en&amp;as_sdt=2006#p921">921</a> (8th Cir. 2007); see also <em>United States v. Walters</em>, No. 05-15739, <a target="_blank" href="http://www.coreyvarma.com/wp-content/uploads/2015/01/005-15739-US-v-WALTERS-11CIR-20061.pdf">2</a> (11th Cir. 2006) (“the internet is an instrumentality of interstate commerce”).</p>
<p>By contrast, in <em>United States v. Kane</em>, the Court determined that exploiting a software bug in a video poker machine does not constitute a CFAA breach because the video poker machine was not connected to the internet. Therefore, it did not qualify as a “protected computer” affecting interstate commerce or communication. Report &amp; Recommendation of United States Magistrate Judge at <a target="_blank" href="http://www.coreyvarma.com/wp-content/uploads/2015/01/D.-Nev.-11-cr-00022-dckt-000086_000-filed-2012-10-15.pdf">6</a>, <em>United States v. Kane</em>, No. 2:11-cr-00022-MMD-GWF (D. Nev. Oct. 15, 2012). Though the video poker machine was likely a “computer” under the definition of the CFAA (see <a target="_blank" href="http://www.law.cornell.edu/uscode/text/18/1030#e_1">18 U.S.C. § 1030(e)(1)</a>), it was not a “protected computer.”</p>
<h3 id="heading-specific-criminal-conduct">Specific Criminal Conduct</h3>
<p>While the CFAA is written broadly, it also includes provisions prohibiting specific types of conduct such as:</p>
<ul>
<li><p>Computer espionage (See <a target="_blank" href="http://www.law.cornell.edu/uscode/text/18/1030#a_1">18 U.S.C. § 1030(a)(1)</a>)</p>
</li>
<li><p>Computer trespassing in private or public computers (See <a target="_blank" href="http://www.law.cornell.edu/uscode/text/18/1030#a_2">18 U.S.C. § 1030(a)(2)-(3)</a>)</p>
</li>
<li><p>Committing fraud with a computer (See <a target="_blank" href="http://www.law.cornell.edu/uscode/text/18/1030#a_4">18 U.S.C. § 1030(a)(4)</a>)</p>
</li>
<li><p>Distribution of malicious code (i.e. malware, spyware, and including DDOS attacks) (See <a target="_blank" href="http://www.law.cornell.edu/uscode/text/18/1030#a_5">18 U.S.C. § 1030(a)(5)</a>)</p>
</li>
<li><p>Trafficking in passwords (See <a target="_blank" href="http://www.law.cornell.edu/uscode/text/18/1030#a_6">18 U.S.C. § 1030(a)(6)</a>)</p>
</li>
<li><p>Threats to damage a protected computer (See <a target="_blank" href="http://www.law.cornell.edu/uscode/text/18/1030#a_7">18 U.S.C. § 1030(a)(7)</a>)</p>
</li>
<li><p>And conspiracy or attempt to violate any of the specific criminal conduct in Sections (a)(1)-(7) (See <a target="_blank" href="http://www.law.cornell.edu/uscode/text/18/1030#b">18 U.S.C. § 1030(b)</a>)</p>
</li>
</ul>
<h3 id="heading-civil-liability">Civil Liability</h3>
<p>The CFAA is mainly a criminal statute (evidenced by its location in Title 18 of the U.S. Code). However, it also includes a civil cause of action (See <a target="_blank" href="http://www.law.cornell.edu/uscode/text/18/1030#g">18 U.S.C. § 1030(g)</a>) that permits compensatory damages, injunctive and other equitable relief for any specific conduct described in 18 U.S.C. § 1030(a)-(b) if the conduct caused:</p>
<ul>
<li><p>Loss of at least $5,000 in value</p>
</li>
<li><p>Impairment, or potential impairment, of the medical examination, diagnosis, treatment, or care to one or more persons</p>
</li>
<li><p>Physical injury to any person</p>
</li>
<li><p>A threat to public health or safety</p>
</li>
<li><p>Damage affecting a computer used by or for an entity of the U.S. Government</p>
</li>
<li><p>Damage affecting 10 or more protected computers during any 1-year period</p>
</li>
</ul>
<p>Civil liability, under the CFAA, is subject to a 2-year statute of limitations.</p>
]]></content:encoded></item></channel></rss>