The FTC Has Your Back, Even When It's Naked: FTC Orders P2P Program's Default File Sharing Settings Changed

On October 12, 2011, the FTC announced that it, along with Frostwire LLC and FrostWire’s managing member, Angel Leon (collectively, “FrostWire”), agreed to a stipulated final order for permanent injunction resulting from the FTC’s complaint alleging that (a) users of FrostWire’s Android mobile file-sharing application were likely to unwittingly share personal files stored on their mobile devices with other P2P users after installing and running the application, and (b) FrostWire misrepresented to users of FrostWire’s desktop file-sharing application that certain files they downloaded would not be shared with other P2P users.

Specifically, the complaint alleged that the Android application shared, by default, all content on the user’s phone, whether preexisting, downloaded or user-generated (e.g. “intimate pictures,” as characterized by the FTC).  If the user wanted to limit the sharing by changing the application’s settings, the user had to “laboriously unshare individual files” by affirmatively deselecting specific files not to share as opposed to affirmatively selecting specific files to share. The FTC also noted that there was no notice that adequately informed users of the consequences of the mobile application’s default settings, which amounted to unfair acts or practices in violation of Section 5 of the FTC Act.  With regard to the FrostWire desktop application, the FTC alleged that, by not clearly disclosing that items downloaded and saved by a user would be automatically shared in addition to the items in another folder specifically designated for sharing, FrostWire violated Section 5(a) of the FTC Act which prohibits deceptive acts or practices.  According to the FTC, users believed that the default settings would allow only the sharing of content in the shared folder, when, in actuality, the application shared all content the user downloaded.

Pursuant to the settlement, FrostWire:

  • is prohibited from misrepresenting its file-sharing settings and must clearly and prominently disclose to the user which user-generated files and which downloaded files will be shared and with whom; 
  • must modify its applications so that the user must affirmatively select which user-generated and downloaded content to share with other P2P users (as opposed to a default setting which allows for sharing);
  • must update older versions of the mobile and desktop applications to reflect the terms of the settlement; and
  • is subject to standard compliance monitoring and reporting obligations.

Perhaps if FrostWire had implemented a “privacy by design” program, as proposed by the FTC in its December 2010 Preliminary FTC Staff Report, it would not have found itself addressing the FTC's allegations. One thing is certain: This action demonstrates that, as mobile applications that make sharing content ever easier flood the market, the FTC is keeping a vigilant eye on companies that operate in this space so that users can take “intimate pictures” without having to worry about unwittingly sharing them with other P2P users.

Expectation of Privacy in Student Computer Persists in the Absence of Announced Monitoring Policy

Last week, a panel of the Ninth Circuit Court of Appeals held that in the absence of an announced monitoring policy, the mere act of connecting a computer to a network does not extinguish a user’s reasonable expectation of privacy, under the Fourth Amendment, in the contents of his or her computer. The panel announced its holding in United States v. Jerome T. Heckenkamp, Nos. 05-10322 and 05-10323 (9th Cir. April 5, 2007), wherein it upheld the introduction of evidence obtained by University of Wisconsin employees through remote and direct access of a student computer attached to a university network. Although it recognized the defendant’s reasonable expectation of privacy, the panel upheld the lower court’s admission of evidence under the judicially-created “special needs” exception to the Fourth Amendment because the alleged hacking posed an immediate threat to the university network and the searches were not conducted for a law enforcement purpose.   

Jerome Heckenkamp, a student at the University of Wisconsin at Madison, was charged under 18 U.S.C. § 1030(b)(5), the Computer Fraud and Abuse Act, in connection with an alleged attempt to hack into protected systems at the University of Wisconsin and Broadcom. At trial, Heckenkamp moved to suppress evidence obtained from two searches of his computer. The first search occurred after Broadcom security alerted the University that a University computer was being used in an attack on Broadcom. A University computer investigator, Jeffrey Savoy, identified the IP address of the offending computer, determined that it also posed an immediate threat to the University’s sensitive systems, and performed a remote search of Heckenkamp’s computer to confirm that it was the computer responsible. Later that day, Savoy suspected that Heckenkamp had changed his computer’s IP address in an attempt to mask his activities. Notwithstanding the FBI’s recommendation that Savoy wait for a warrant before proceeding, Savoy, with the help of campus police, entered Heckenkamp’s room when the door was ajar and ran a series of commands that confirmed Heckenkamp was responsible for the attacks. Savoy justified the warrantless search on the grounds that the University’s systems could have been critically damaged and that Heckenkamp could gain access to confidential student files. Heckenkamp was a skilled computer programmer and was familiar with University systems; he had been fired from his position at the University computer help desk for attempting to access University systems without authorization.

Heckenkamp reaffirms the importance of establishing and distributing policies regarding the monitoring of computer use. The panel relied heavily on the fact that the University had no such announced policy, and in fact had assured students of data confidentiality:

A person’s reasonable expectation of privacy may be diminished in transmissions over the Internet or e-mail that have already arrived at the recipient. However, the mere act of accessing a network does not in itself extinguish privacy expectations, nor does the fact that others may have occasional access to the computer. However, privacy expectations may be reduced if the user is advised that information transmitted through the network is not confidential and that the systems administrators may monitor communications transmitted by the user. United States v. Angevine, 281 F.3d 1130, 1134 (10th Cir. 2002) [professor using university computer]; United States v. Simons, 206 F.3d 392, 398 (4th Cir. 2000) [federal employee using federal computer system].

In the instant case, there was no announced monitoring policy on the network. To the contrary, the university’s computer policy itself provides that ‘[i]n general, all computer and electronic files should be free from access by any but the authorized users of those files. Exceptions to this basic principle shall be kept to a minimum and made only where essential to . . . protect the integrity of the University and the rights and property of the State.’

Heckenkamp at 3888 (citations and quotations omitted).

The Ninth Circuit likely will have to clarify in future litigation the scope of reduced privacy expectations where users are advised of monitoring.

A copy of the Heckenkamp opinion is available here.