Consumer Groups, Stakeholders React to Petition Requesting Halt in Vehicle-to-Vehicle Communications Service Due to Cybersecurity Concerns

A variety of advocacy groups and industry stakeholders filed comments yesterday in response to a petition by non-profit Public Knowledge to halt operation of the Dedicated Short-Range Communications (DSRC) service.  The nascent DSRC service, which operates in the 5.9 GHz band, enables vehicle-to-vehicle and vehicle-to-infrastructure communications to protect the safety of drivers and passengers and for commercial purposes.  Concerned that DSRC capabilities, combined with vulnerabilities in vehicles’ operating systems, could compromise vehicle owners’ privacy and provide a new vector for cyberattacks, Public Knowledge petitioned the Federal Communications Commission (FCC) in June to “immediately prohibit use of DSRC until it adopts service rules protecting the cybersecurity and privacy of DSRC users.”  The FCC called for comments on the proposal last month.

Public Knowledge’s petition found a number of supporters in consumer advocacy groups.  A half-dozen organizations joined Public Knowledge’s comment in support of its petition, which proposes rules addressing “the substantial privacy and data breach issues presented by the commercialization of DSRC spectrum” and requiring DSRC licensees to submit cybersecurity plans.  Over a dozen privacy and consumer advocates also submitted a joint letter in support of the petition, echoing these points.

Opposition to the proposal, however, was strong and came from varied quarters.  A working group responsible for certain DSRC security standards argued that “comprehensive security and privacy features are already fully integrated into DSRC technology.”  California’s Department of Transportation also weighed in, highlighting the state’s significant investment in DSRC-related technology and stressing the considerable safety benefits that may be realized with widespread adoption of DSRC.  Finally, General Motors—whose 2017 Cadillac CTS will feature the technology—filed a spirited opposition, calling the petition’s fears “unsubstantiated” and its request for relief “legally baseless.”

Those voicing privacy and cybersecurity concerns related to DSRC have already found a receptive ear in some corners of Washington.  Senators Edward Markey and Richard Blumenthal wrote FCC Chairman Tom Wheeler earlier this month, proposing a number of measures to prohibit commercial use of the DSRC spectrum, require licensees to submit cybersecurity plans, and provide for timely notifications if breaches occur.  The two Senators introduced a related bill, the Security and Privacy in Your Car Act (S. 1806), last year.  In addition, the National Highway Traffic Safety Administration is studying related issues.

Sixth Circuit Allows Lawsuit to Proceed Against Electronic Monitoring Software Company

In a 2-1 decision on August 16, the Sixth Circuit refused to dismiss a claim against the maker of an online surveillance tool for wiretapping under both federal and state laws, and for intrusion upon seclusion.  While the breadth of this holding is unclear, and the case may be an outlier, the Sixth Circuit’s reasoning provides a potential new roadmap for plaintiffs seeking to hold companies that make and operate electronic monitoring software and devices responsible for the actions of their users under wiretapping laws.

The Plaintiff, Javier Luis, started an over-the-internet extra-marital relationship with Catherine Zang in 2009, after meeting her in an America Online chat room for discussions of metaphysics.  When the husband grew suspicious, he installed “WebWatcher” surveillance software on the computer used by Ms. Zang, and subsequently used the resulting evidence in the couple’s divorce proceedings.  Mr. Luis filed the lawsuit pro se against “Awareness,” the creator of WebWatcher, and other parties including Ms. Zang’s husband.  All parties but Awareness settled, and the district court dismissed Mr. Luis’ claims against Awareness.  The Vanderbilt Law School appellate clinic represented Mr. Luis in his appeal, alleging that Awareness had:

  • violated the Federal Electronic Communications Privacy Act (ECPA) and its Ohio analog by intentionally intercepting Plaintiff’s electronic communications in violation of 18 U.S.C. § 2511;
  • violated ECPA by manufacturing, marketing, selling, and operating software that Awareness had reason to know was to be used primarily for the illegal interception of electronic communication in violation of § 2512; and
  • invaded Plaintiff’s privacy under the common-law tort of intrusion upon seclusion.

The district court initially dismissed the Plaintiff’s lawsuit on all counts, but the Sixth Circuit reversed in each instance.

First, considering ECPA’s interception provision under § 2511, the Sixth Circuit joined the majority view that the term “intercept” requires contemporaneous acquisition of an electronic communication, and cannot apply to the acquisition of electronic communications already “at rest” in electronic storage.  However, despite Awareness’s claims that its software did not capture any communications in real-time, the Court found sufficient ambiguity in WebWatcher’s marketing material—as cited in the Complaint—for Plaintiff to survive a motion to dismiss.

Awareness also argued, as the district court had held, that its user, Mr. Zang, was the person who had legally intercepted Plaintiff’s communication, and that the software company had no direct role in that process.  However, the Sixth Circuit found that “once installed on a computer, WebWatcher automatically acquires and transmits communications to servers that Awareness owns and maintains.  The alleged intercept of a communication thus occurs at the point where WebWatcher—without any active input from the user—captures the communication and reroutes it to Awareness’s own servers.”  The Court also found it relevant that Awareness manufactures and conducts “all marketing” for WebWatcher.  Notably, as the dissent criticizes, “[Plaintiff’s] novel theory of liability does not appear even to have been tried, much less to have been successful, in any previous case.”

This holding is especially significant because courts have overwhelmingly declined to find a cause of action for secondary liability under ECPA when manufacturers “merely provided a means through which a third party subsequently intercepts communications.”  See In re Carrier IQ, Inc., 78 F. Supp. 3d 1051, 1089 (N.D. Cal. 2015) (collecting cases).  Here, though, the Sixth Circuit relied on the fact that Awareness not only manufactured the WebWatcher program—but also continued to operate it even after its sale to a user.  Thus, by framing Awareness’s involvement in terms of direct liability by way of its post-sale interactions, the Court may open a new avenue for plaintiffs to pursue manufacturers under ECPA.  Moreover, the Communications Decency Act—which software companies often rely on as a shield against users’ actions—expressly does not apply to ECPA, or any similar State law.  See 47 U.S.C. § 230(e)(4).

Second, continuing to break new ground, the Sixth Circuit found that Awareness was independently and civilly liable as the manufacturer of the WebWatcher software under § 2512, which imposes a fine on persons who “manufacture[], assemble[], possess[], or sell[] any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications.”  § 2512(b).  Taking the Complaint on its face, the Sixth Circuit found that Awareness marketed its software as a means for one spouse to illegally monitor the communications of another spouse, in a way that goes “far beyond” any legitimate purpose.  However, this section on its face provides only criminal penalties, not civil remedies.  Moreover, most courts—including every Circuit Court to date—have found that civil remedies in ECPA lawsuits are only available for interception claims under § 2511, and not for other provisions such as § 2512.

Nevertheless, the Sixth Circuit found that these cases were mostly distinguishable because they involved the simple possession or “mere sale” of a device primarily useful for wiretapping, while the instant case involved the manufacture, marketing, and sale of a device, allegedly with knowledge that it would be primarily used to illegally intercept electronic communications.  It therefore held that a company may be civilly liable under § 2512 only when it “also plays an active role in the use of the relevant device to intercept, disclose, or intentionally use a plaintiff’s electronic communications.”

Third, and finally, the Sixth Circuit found that Plaintiff had sufficiently alleged an intrusion upon seclusion under Ohio law.  As with the Wiretap allegations, the district court found that any liability should be attributed to the spouse who installed and used the software, and not the software company itself.  The Sixth Circuit disagreed, finding that just as Awareness had itself violated the federal and state Wiretap Acts, it had itself intruded upon Plaintiff’s privacy, concluding that it was insignificant that “a different party was actually more culpable.”

It is unclear how influential Luis v. Zang will be over the development of ECPA law.  For example, putting aside the merits of its reasoning, the Court put significant stock in the fact that Awareness’s software was allegedly marketed and sold primarily for the purpose of illegal surveillance, and it is not clear that its holding can be extended to companies creating products with more legitimate uses.  Moreover, the Plaintiff’s Complaint was filed pro se and evaluated under a motion-to-dismiss standard, and it is unclear whether the Plaintiff will be able to muster sufficient proof at later stages in the case.  However, this lack of clarity could lead to more litigation, especially against cloud software providers who continue to play some role in their software’s operation.

EU Organizations Call for More Support for Cloud Computing in Healthcare

The EU-U.S. Privacy Shield’s recent introduction has created an efficient mechanism to ensure that trans-Atlantic personal data flows are lawful.  With that in place, attention is now turning back to restrictions within the EU, particularly around hosting data in cloud computing services.

European healthcare is particularly affected by such restrictions.  This has motivated a significant group of organizations and policymakers to come together and launch a collective “call to action” to European policymakers, urging greater support and reforms to enable broader use of cloud computing in healthcare.  The Call to Action was previewed at eHealth Week 2016 in June.

China Releases Draft Implementing Regulations for Consumer Rights Protection Law

China’s State Administration of Industry and Commerce (“SAIC”) has released for public comment a draft regulation implementing recent amendments to a consumer protection law that would, among other things, supplement existing privacy obligations for businesses operating in China.

The “Regulations on the Implementation of the Law on the Protection of the Rights and Interests of Consumers” (“Draft Implementing Regulations”) implement certain provisions of the Law on the Protection of the Rights and Interests of Consumers (“Consumer Rights Protection Law” or “CRPL”; unofficial English translation available here), which underwent significant revisions in October 2013.  The Draft Implementing Regulations reiterate and supplement data privacy and security obligations imposed in the CRPL and in the Measures on Penalties for Infringing Upon the Rights and Interests of Consumers (“CRPL Penalty Measures”; unofficial English translation by Covington available here), which were promulgated in January 2015 and discussed in our previous article here.

UK Government Considering New Patient Data Security and Research Consent Standards, Sanctions

A new post on the Covington eHealth blog reports that the UK government is running a consultation around NHS patient data security standards and a new legal framework for secondary uses (e.g. research) of patient data.  To find out more about the proposals and the consultation, please click here.

Users of Pandora’s Free Service Are Not Customers Under Michigan Privacy Statute, But Questions Remain

Courts continue to grapple with how to apply existing privacy laws to new (and even not-so-new) technology. The recent Ninth Circuit decision, affirming the Northern District of California’s decision to dismiss a proposed class action suit against Pandora for disclosure of listener music preferences in violation of Michigan’s Preservation of Personal Privacy Act (PPPA), resolved the narrow question before it while explicitly leaving others open. Although Pandora can continue to disclose listener preference data publicly, subject to its Terms of Use, the decision leaves unsettled how broadly this right could apply, and how current and future technologies could impact that right.

After certifying to the Michigan Supreme Court the questions of whether Pandora is in the business of “renting” or “lending” sound recordings, and if the plaintiff (Peter Deacon) is a “customer” of Pandora under the PPPA, the Ninth Circuit adopted the Michigan court’s interpretation that Pandora, through its free, ad-supported service, is not in the business of renting or lending sound recordings and that Deacon is not a customer under the PPPA.

FTC: LabMD’s Data Security Practices Violated the FTC Act

The Federal Trade Commission (FTC) issued a unanimous opinion and order today, vacating the Administrative Law Judge’s (ALJ) initial decision and finding that LabMD’s data security practices were “unfair” under Section 5 of the FTC Act.  In August 2013, the FTC issued a complaint against LabMD, alleging that its failure to implement adequate data security measures led to the disclosure of patient information from LabMD’s networks.  As we previously reported, FTC staff appealed the ALJ’s November 2015 initial decision dismissing the FTC’s complaint against LabMD for allegedly “unfair” data security practices.  The Commission’s Chief ALJ had dismissed the complaint on the ground that there was no injury or likelihood of injury to consumers because there was no evidence of misuse of any of the personal information at issue.  The Commission Opinion reverses that finding and holds that injury, for purposes of the FTC Act, was established on a record of insufficient data security protections.

The Commission’s opinion in LabMD further bolsters the FTC’s authority to regulate corporate data security practices, which was affirmed last year by the Third Circuit in Wyndham.  It also clarifies and expands upon the Commission’s interpretation of the unfairness test under Section 5 of the FTC Act as it relates to data security.

ONC Report to Congress Identifies Gaps in Oversight of Privacy and Security of mHealth Technologies and Health Social Media

Today we published a post on the Covington eHealth blog regarding a recent report by the U.S. Department of Health and Human Services (HHS), Office of the National Coordinator for Health Information Technology (ONC).  The ONC report highlights “large gaps” in policies and oversight surrounding access to and security and privacy of health information held by certain “mHealth technologies” and “health social media.”  The Covington eHealth post is available here.

White House Releases Presidential Policy Directive on U.S. Cyber Incident Response

The White House has released a Presidential Policy Directive on United States Cyber Incident Coordination (PPD-41).  PPD-41 is part of President Obama’s broader Cybersecurity National Action Plan, which was unveiled this past February.

Auto Industry Releases Cybersecurity Best Practices

The Automotive Information Sharing and Analysis Center (“Auto-ISAC”) has released a set of cybersecurity best practices for the automotive industry.  The best practices are primarily geared toward automakers, but the Auto-ISAC notes that suppliers of motor vehicle components might also benefit from implementing them.

The best practices cover seven functions, each of which includes several recommendations: (1) governance; (2) risk assessment and management; (3) security by design; (4) threat detection and protection; (5) incident response; (6) training and awareness; and (7) collaboration and engagement with appropriate third parties.  The recommendations incorporate established cybersecurity resources and standards from organizations such as the International Organization for Standardization and the National Institute of Standards and Technology.

Given the variation among automakers, the best practices do not prescribe specific technical or organizational solutions, and are only “suggested measures.”  The Auto-ISAC also commits to updating the best practices over time to “reflect the constantly evolving cyber landscape.”