It was not long ago when we were first spooked to see advertisements in our browsers directed at things we were talking about “offline” moments earlier. Could our smart phones be recording our conversations? Is it legal? Is it even possible?
Well, short answer—your smartphone is always listening to you and analyzing your phrases (at least in short bursts) but it is not—as far as we know—using that information to direct advertising to your phone or computer browser. But is any level of surveillance of our conversations by Big-Tech really lawful? That is the question being determined in a huge piece of litigation here in California and the results could really change the (Consumer Privacy) World.
In In re Google, No. 19-cv-04286-BLF, 2020 U.S. Dist. LEXIS 80971 (N.D. Cal. May 6, 2020), the Court was asked to determine the sufficiency of allegations contending that Google Assistant’s surveillance of smartphone conversations violated, amongst other statutes, the Stored Communications Act (“SCA”) and the California Invasion of Privacy Act (“CIPA”). Plaintiff’s theory was that Google’s privacy policy did not adequately cover that Defendants recorded and stored “false-accepts” (when the Google Assistant misperceives other words as the hotwords, “Hey Google” or “Okay Google,” and starts recording) AND then used these “false-accepts” to improve the voice recognition capabilities of the Google Assistant, such that users could fairly be said to have “agreed” to have “human-subcontractors” review their audio scripts. The Court determined Plaintiff had to be more detailed in alleging these claims.
Let’s break this down a bit.
No “Facility” for SCA Claim—But Google’s Privacy Policy Can’t Save it from “Disclosure” SCA Claim
Plaintiff brought two SCA claims, asserting violations of both 2701(a) (governing unauthorized access) and 2702(b) (governing disclosure of information) of the Act.
To make a “facility” claim under 18 U.S.C. § 2701(a) of the SCA, plaintiffs must show that defendants: (1) gained unauthorized access to a “facility” where they (2) accessed an electronic communication in “electronic storage.”
While the statute defines “electronic storage” (more on that on another day), the statute does not define “facility,” which always makes it a hot topic of discussion. Plaintiffs here did not allege that the Google Assistant software was a facility, but instead referred to the smart devices that use the software as the “facility.” That is a rookie move in the Northern District, and one the Court was not keen to accept. The Court’s response: “[C]ourts in this Circuit and others have interpreted ‘facility’ to exclude users’ personal devices.” Yikes. The Court went on to say: “Although the Court is skeptical that Plaintiffs will be able to articulate yet another theory of unlawful access to an electronic storage ‘facility’, the Court will nonetheless grant leave to amend.” Even more concerning for Plaintiffs, the Court stated it was “skeptical that software could properly be considered a facility.” And in fact, other districts have agreed. See, for example, Cousineau v. Microsoft Corp., 6 F. Supp. 3d 1167, 1174 (W.D. Wash. 2014), where the court indicated “a facility must perform server-like functions.” It’s unlikely that Plaintiffs will be able to prove that Google Assistant meets the definition of facility, but plaintiffs’ counsel have always been very creative, so I’m keen to see how far they would go to allege that in the amended complaint.
Plaintiffs fared better with their disclosure claim, however, resulting in a ruling that could have a huge impact on Silicon Valley. A company violates 18 U.S.C. § 2702(a) if it knowingly and without authorization divulges the contents of a communication while in electronic storage. In In re Google, Plaintiff alleged that Google disclosed audio and transcripts to subcontractors for analysis “to improve the functionality” of the Google Assistant without consent. Stated differently: people were listening to your recorded conversations, not just robots.
Google hoped to use the “permission” defense under the 18 U.S.C. § 2702(b) exceptions, stating that Plaintiffs “explicitly consented to any disclosure by agreeing to their Privacy Policy.” But Google—the Court held—failed to read its own fine print. What the Privacy Policy actually said was: “We provide personal information to our affiliates and other trusted businesses or persons to process it for us, based on our instructions and in compliance with our Privacy Policy and other appropriate confidentiality and security measures. For example, we use service providers to help us with customer support.” But that is just not the same as disclosing that recordings of conversations would be provided to third parties for review.
In the Court’s view, the Privacy Policy did not indicate that by “process[ing]” Google would be allowing human reviewers to listen to the audio. That’s just a bridge too far. Google also tried to argue that Plaintiffs’ use of the term “third parties” to refer to the subcontractors was improper since their subcontractors are “employees or agents” and not “third parties,” as required under 18 U.S.C. § 2702(a), but that argument was also squarely rejected because whether an entity is a “third party” within the meaning of the statute is a factual question, and not one that could be determined via a 12(b)(6) motion to dismiss. In the end, the Court found that Plaintiffs adequately pled their claim for unlawful disclosure, and Google’s motion was denied.
CIPA Claim—No Eavesdropping/Wiretapping Because Consumers Have Knowingly Allowed Google to Have a Recording Device in their Homes
Plaintiffs here alleged that Google violated the provisions of CIPA addressing “wiretapping” and “eavesdropping.” These claims did not survive the pleadings stage.
Wiretapping, as defined by the California Supreme Court, protects against three distinct and mutually independent patterns of conduct: (i) “intentional wiretapping,” (ii) “willfully attempting to learn the contents or meaning of a communication in transit over a wire,” and (iii) “attempting to use or communicate information obtained as a result of engaging in either of the two previous activities.” Here there were no “wires” to tap—the smartphone was being used in this context as a recording device, not as part of any wire transmission.
As to Eavesdropping, CIPA protects (1) “confidential communications” and (2) “intentional” conduct. While the Court had little problem determining that Google’s conduct of holding onto recordings and sharing them with subcontractors was plenty “intentional,” the Court was unconvinced that the conversations themselves were all confidential. After all, we all know that Google is listening to us these days, right? But in seriousness, the Court determined Plaintiff had failed to plead facts showing that consumers had a reasonable expectation that the conversation was not being overheard or recorded. And without being able to establish “confidential communication,” Plaintiffs would not be able to argue that Google violated CIPA’s eavesdropping clause, making the claim futile.
The Court was also keen to point out that under CIPA, the plaintiff bringing a claim has the burden to prove that the defendant lacked consent to record, whereas under the SCA, consent is only a defense, essentially instructing Plaintiffs to better frame their CIPA allegations.
We are not expecting this putative class of Plaintiffs to go away so easily. Plaintiffs have until June 5 to file an amended complaint, so stay tuned for more!