CFAA

For the fourth time in the past two months, Apple has been sued for allegedly violating the privacy of iPad and iPhone users.  Like the previous three suits (two of which we discussed in this post), Rodimer v. Apple, Inc. [PDF] alleges that Apple transmitted “personal information,” including Unique Device IDs (“UDIDs”) to application developers

Ringleader Digital — an online advertising firm specializing in the mobile market — has agreed to settle two putative class actions that were filed against it last fall.  The plaintiffs alleged that Ringleader violated the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030, as well as various state privacy and consumer protection laws, by using HTML5 software to track users’ online activities.  Under the proposed settlement agreement [PDF], Ringleader will pay $30,000 to the named plaintiffs in both actions and $670,000 in attorneys’ fees.  The proposed agreement also provides for significant injunctive relief.

This is the second notable settlement of a privacy litigation in the past three months.  As we discussed in a previous post, online marketing firms Quantcast and Clearspring settled several privacy suits arising from the alleged use of “Flash cookies” to track users’ browsing activities for advertising purposes.  As with the Quantcast/Clearspring settlement, the settlement announced in the Ringleader cases is somewhat surprising given the strong defenses Ringleader appeared to have to the asserted claims and the limited release obtained.  Eric Bosset, Simon Frankel, Mali Friedman, and I recently published an article in the Intellectual Property & Technology Law Journal that details some of those defenses.        Continue Reading Ringleader Agrees to Settle Privacy Suits

A recent decision from the Eleventh Circuit highlights an ongoing issue under the Computer Fraud and Abuse Act (“CFAA”): the significance of policy-based restrictions when determining whether a person accessed a protected computer “without authorization” or “exceeded authorized access.”

In United States v. Rodriguez [PDF], the Eleventh Circuit upheld the criminal conviction of a Social Security Administration (“SSA”) employee, who, as part of his job duties, had access to SSA databases containing sensitive information about individuals.  According to the Eleventh Circuit, Rodriguez exceeded his authorized access when he looked up personal acquaintances in the databases, in violation of agency policies that prohibited employees from obtaining database information without a business reason.Continue Reading Recent CFAA Cases Address Defendants’ Violations of Employer Policies

Just two days after the Director of the FTC’s Bureau of Consumer Protection announced that the agency would not tolerate an “arms race” aimed at developing technologies that subvert user choice regarding online tracking, two firms accused of employing such technologies agreed to settle lawsuits against them.  Quantcast and Clearspring–which provide web analytics and certain functionality to consumer-facing websites–were named in several class action complaints this summer.  The suits alleged that the companies used “Flash cookies” (i.e., local shared objects stored in the memory of Adobe’s Flash Player plug-in) to track user activity on websites where Quantcast and Clearspring provide their services.  The publishers of some of those sites were also named in the suits.  

Although the use of traditional “HTTP” cookies for tracking has become so commonplace as to be relatively uncontroversial, Flash cookies have been criticized because they are unaffected by browser privacy settings.  Moreover, as noted by researchers at UC-Berkeley, Flash cookies can be used to re-create or “respawn” browser cookies after a user deletes the latter.  The plaintiffs in the Quantcast and Clearspring cases seized on these distinctive qualities in asserting that the defendants used Flash cookies to “circumvent” users’ privacy settings.  The complaints included claims under the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Video Privacy Protection Act, and various state laws.Continue Reading Quantcast, Clearspring Agree to Settle “Flash Cookies” Suits