Netflix Sued for "Largest Voluntary Privacy Breach To Date"

Posted on December 28, 2009 by Natalie Newman

On December 17, 2009, a class action suit was filed against online movie rental giant, Netflix, Inc., in the United States District Court for the Northern District of California. Plaintiffs in the suit are claiming that Netflix has “perpetrated the largest voluntary privacy breach to date.”

According to the Complaint, Netflix knowingly and voluntarily disclosed the sensitive and personal information of approximately 480,000 Netflix subscribers when Netflix provided participants in a contest initiated to improve Netflix’s movie recommendation systems with data sets containing over 100 million subscriber movie ratings and preferences. Netflix has claimed that the data sets provided to the contest participants were anonymized and that the subscribers’ movie ratings were accompanied only by “a numeric identifier unique to the subscriber” (as opposed to the subscriber’s name or other personal information). However, the complaint sites the results of several researchers who, in fact, were able to crack Netflix’s anonymization process and identify individual subscribers. 

 

Plaintiffs argue this disclosure constitutes a sever invasion of their privacy by Netflix, which violates, among other things, the Video Privacy Protection Act of 1988 (18 U.S.C. 2710 (2002)). Additionally, the lead plaintiff in this case, Jane Doe, claims that Netflix’s disclosure of her movie rental history and ratings has and/or will “identify or permit inference of her sexual orientation… [which… ] would negatively affect her ability to pursue her livelihood and support her family, and would hinder her and her children’ ability to live peaceful lives within Plaintiff Doe’s community.”

 

The Video Privacy Protection Act (the “Act”) was originally enacted in 1998 (in response to a public disclosure of a Supreme Court nominee, Robert Bork’s, video rental history), and, according to the Electronic Privacy Information Center, while not often invoked, the Act “stands as one of the strongest protections of consumer privacy against a specific form of data collection.”

 

The Act prohibits, with certain exceptions, any “video tape service provider” from “knowingly disclosing the personally identifiable information concerning any customer of such provider” (18 U.S.C. 2710(b)). The Act defines a “video tape service provider” as “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials…” and “personally identifiable information” as including “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider” (18 U.S.C. 2710(a)). 

 

In addition to violating this prohibition on the disclosure of personally identifiable information, the Plaintiffs in Doe v. Netflix also allege that Netflix violated another provision of the Act, which requires that a video tape service provider “destroy personally identifiable information as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected” (18 U.S.C. 2710(e)). 

 

The Plaintiffs are demanding relief in the form of (among other things) statutory damages, actual damages, punitive damages, injunctive relief, disgorgement of wrongfully obtained profits and revenues, and attorneys’ fees.

 

In addition to the Act, a number of states, including California, have also enacted similar video privacy laws. In addition to the Act and other laws, the Complaint alleges that Netflix has violated the California Customer Records Act (CA Civil Code 1798.80).

 
Tags: , , , , ,

No Doubt No Reasonable Suspicion Required -- Laptops Now Fair Game at the Border

Posted on May 5, 2008 by Proskauer Rose LLP

My very first blog post addressed a precedent-setting decision of the Central District of California holding that federal agents could not conduct a border search of the private and personal information stored on a traveler’s computer hard drive or electronic storage devices without reasonable suspicion. Eighteen months later, the Ninth Circuit has squarely reversed that decision. In a short opinion filed April 21, 2008, Judge O’Scannlain wrote in U.S. v. Arnold, No. 06-50581, that "reasonable suspicion is not needed for customs officials to search a laptop or other personal electronic storage devices at the border." As far as the Ninth Circuit is concerned, for purposes of border searches under the Fourth Amendment, laptops and other electronic storage devices are not so much like a home or the human mind – they are more akin to luggage or a car.

Arnold never claimed that the government’s search of his laptop damaged it in any way, therefore not invoking the "exceptional damage to property" exception to suspicionless searches. Further, although Arnold did raise the "particularly offensive manner" exception, the court found there was nothing in the record to "indicate that the manner in which the CBP officers conducted the search was ‘particularly offensive’ in comparison with other lawful border searches." The customs officers simply asked Arnold to boot up his laptop and looked at what was there. The court failed to discern any meaningful distinction between such a search and suspicionless searches of travelers’ luggage at the border.

The court also refused to adopt Arnold’s analogy to a search of a home, noting that the Supreme Court has rejected applying Fourth Amendment protections afforded to homes to property "‘capable of functioning as a home’" simply due to its size. The Court also rejected the notion that the quality or nature of the container merited a distinction in this case. A laptop, the court reasoned, is more like a mobile home than a home or office; the Supreme Court has refused to treat a mobile home differently from other vehicles due to the fact that it is readily movable and the expectation of privacy with respect to a car is significantly less than that relating to a home or office. The court also noted that case law does not support a finding that a search is particularly offensive due to the storage capacity of the object.

Finally, the court rejected Arnold’s argument that the First Amendment requires reasonable suspicion for a border search where the risk is high that expressive material will be exposed. The court refused to create a split with the Fourth Circuit’s decision in United States v. Ickes, 393 F. 3d 501 (4th Cir. 2005). The Fourth Circuit declined to "carve out a First Amendment exception to th[e border search] doctrine because such a rule would: (1) protect terrorist communications ‘which are inherently ‘expressive’’; (2) create an unworkable standard for government agents who ‘would have to decide—on their feet—which expressive material is covered by the First Amendment'; and (3) contravene the weight of Supreme Court precedent refusing to subject government action to greater scrutiny with respect to the Fourth Amendment when an alleged First Amendment interest is also at stake."

Needless to say, the Ninth Circuit’s decision in Arnold has significant implications for anyone who travels with unencrypted confidential and/or personally identifiable information on a laptop or other electronic storage device. Companies with personnel who routinely travel with such sensitive information must reevaluate information security policies and consider measures that will protect such information from unauthorized access during international travel. It is not a given that affected entities and individuals can wipe laptops and other storage devices clean of such information prior to travel. Such procedures may create practical problems and inefficiencies, and even run afoul of legal or litigation holds requiring the preservation of data in a particular form.
Tags: , , , , , , , , , , , , , , ,

Consumer Advocates Target Online Behavioral Advertising: Broad Regulation Threatens to Impede Delivery of Relevant Advertising and Business Models for Free Online Content

Posted on March 27, 2008 by Proskauer Rose LLP

In the wake of the December 2007 FTC statement proposing self-regulatory principles for businesses that are engaged in online behavioral targeting (click here for earlier blog post), that activity has continued to provoke consumer groups who advocate for government regulation. The legislature in New York has taken notice and is considering a first of its kind bill, the Third Party Internet Advertising Consumer's Bill of Rights Act of 2008, to regulate third parties Internet advertisers’ tracking activities. The New York legislature’s activity coincides with significant opposition in the European Union to online behavioral advertising practices.   

Online behavioral targeting is the process of tracking online users’ behavior and serving ads tailored to that behavior. While the methods vary, the primary methods used online are cookie-based, conveying to advertisers web pages a user visits. Companies may also use search data. This information is sometimes combined with demographic data such as geographic location, to help further personalize advertisements. Glossed over by consumer groups is the fact that tracking usually is conducted anonymously with data collected linked only to a computer’s Internet Protocol (IP) address, not name or other personally identifiable information. In addition, responsible Internet companies are expected to provide clear notice and opportunities for consumers not to participate in such programs. Still, consumer groups have seized on reports of Internet Service Providers contracting with companies such as Nebu-Ad, Phorm and Adzilla who use so-called “deep packet inspection” to collect data on every page a user visits rather than just those that are part of an online advertising network. 

The ongoing debate over online behavioral targeting is significant not only because such targeting enables consumers to receive ads that are more relevant and useful to them, but as the FTC has recognized, restrictions that inhibit companies’ ability to obtain advertising revenue may fundamentally affect the ability of the Internet to continue to offer valuable content for free.

The New York Bill

The New York bill, with versions in the Assembly and Senate (A. 9275 and S. 6441) is based on the Network Advertising Initiative (NAI) self-regulatory principles. The NAI is a group of online advertising firms and it adopted its principles in 2002. The bill would create an extensive regime of consumer notice and choice for third party tracking of different types of consumer online activity. Absent obtaining a consumer’s prior affirmative consent or opt-in, third parties would be prohibited from collecting personally identifiable information online in some situations (when merged with certain other previously collected data). Consumers would have the right to opt-out of any online tracking involving non-personally identifiable information. The bill would require clear notice by third party advertising companies on their own sites of their profiling activities, the types of data they collect, how they use the data, the opt-out process, and the length of time the data is retained. And, it would require third party advertising companies to contractually require the sites to whom they provide services to include notice and opt-out options.  

Notably, the bill would prohibit a third party from tracking information from websites when it does not have a contractual relationship with the website owner. This provision could have major implications for the companies described above that contract with Internet Service Providers to monitor surfing activity across all websites a consumer visits. The bill is also significant because it would effectively create a national law – companies with a national online presence would necessarily be doing business in New York as well.                    

The European Union 

The press has recently reported about controversy in the U.K. concerning reports that the country’s three largest ISPs, BT, Talk Talk, and Virgin Media, had contracted with Phorm for behavioral targeting services. A U.K. think tank, the Foundation for Information Policy Research (FIPR) submitted an open letter to the U.K Information Commissioner charging that Phorm’s activities violate British privacy law and the European Union’s Data Protection Directive by not affording consumers opt-in choice for the tracking. Phorm is claiming that it uses a cookie with a random number assigned to track information so that it does not collect personally identifiable information. 

The issue of online monitoring continues to draw the attention of European Union regulators with more activity expected in the near future. Although the E.U. approved the Google-Doubleclick merger, the E.U. Article 29 Working Party comprised of data privacy regulators from each of the E.U.’s member states has stated that even search engines based outside of the E.U. may fall under the E.U. Data Protection Directive. In addition, the Chairman of the Article 29 Working Party has asserted that IP addresses standing alone constitutes personally identifiable information. This stands in contrast to how IP addresses are viewed in the U.S. The Article 29 Working Party is expected to issue a report in April concerning the privacy implications of Internet search engines, which should further address these issues.     

Industry and Interest Group Guidelines        

In addition to the activity discussed above, industry and consumer interest groups continue to propose new guidelines. The NAI announced late last year it is planning to revise its guidelines while just last month the Interactive Advertising Bureau – an organization comprised of many leading Internet companies – issued self-regulatory guidelines similar to the FTC’s but designed to give companies more flexibility in their approach to notice and choice. Earlier this month, the Center for Democracy and Technology issued its Privacy Principles for the Development of User Controls for Behavioral Targeting, which focuses on allowing consumers to express their preferences for behavioral targeting, having those preferences remain in place until altered by the consumer, and encouraging companies to have readily available and easily understandable policies.
Tags: , , , , , , , , , , , , , , , , , , , , , , , , ,

FTC Staff Issues Proposed Self Regulatory Principles for Behavioral Advertising and Seeks Comment

Posted on December 20, 2007 by Proskauer Rose LLP

FTC staff issued a statement today proposing four “self-regulatory” principles to guide businesses engaged in online behavioral advertising. FTC staff also seeks public comments on these principles as well as additional information on what other uses businesses are making of online tracking data. Interested parties can submit comments by February 22, 2008. 

The statement, titled “Online Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles” follows from the FTC’s town hall meeting held in early November 2007. There, FTC considered privacy issues raised by behavioral advertising and heard from consumer interest groups and businesses’ alike.  The agenda and links to material related to the town hall meeting can be found here.    

The self-regulatory approach taken by FTC staff recognizes the benefits behavioral advertising provides. Specifically, FTC staff recognizes that ad-supported content makes newspapers and other valuable information from around the world more readily available to consumers online and that many consumers value personalized ads. FTC staff is, however, concerned that behavioral advertising and the related data collection “is largely invisible and unknown to consumers.” The four principles FTC staff has proposed to address concerns over transparency and consumer choice state that: 

(1) every website that collects data for behavioral advertising should include “a clear, concise, consumer-friendly and prominent statement” that (a) consumer data is being collected online for behavioral advertising, and (b) consumers can exercise choice on collection of their data for such purposes, with a “clear, easy-to-use, and accessible method” provided for doing so;  

(2) a company engaged in behavioral targeting should reasonably secure the data collected and only retain it “as long as necessary to fulfill a legitimate business purpose or a law enforcement need”;

(3) a company should obtain consumers' "affirmative express consent" if it is going to use personal data for a materially different purpose than was disclosed when the data was collected; and 

(4) a company should obtain "affirmative express consent" before collecting "sensitive" consumer data (such as health data, sexual orientation, and children's data). FTC staff is seeking further comment on the types of data that constitute "sensitive" information and whether instead of consumer choice, a prohibition on collection of such data would be a better approach; 

FTC staff seeks comments on the four proposed principles generally, including their feasibility and the costs and benefits of offering choices for behavioral advertising. FTC also staff seeks additional information on the secondary uses of tracking data that extend beyond behavioral marketing. Specifically, FTC staff seeks information on what secondary uses of tracking data is occurring, which of those uses raises privacy concerns, whether those concerns extend to non-personally identifiable information in addition to personally identifiable information, and whether some heightened form of protection relating to secondary uses is warranted. 

The FTC vote to approve release of the principles was 5-0. The related FTC press release is available here.
Tags: , , , , , , , , , , ,