Following Supreme Court Precedent, Federal Court Says Unexpected Collection Of Data Doesn’t Violate The CFAA

https://i0.wp.com/www.techdirt.com/wp-content/uploads/2022/05/Screenshot-2022-05-14-1.22.33-PM.png?w=229&ssl=1

Last summer, the Supreme Court finally applied some common sense to the Computer Fraud and Abuse Act (CFAA). The government has long read this law to apply to pretty much any computer access it (or federal court litigants) doesn’t like, jeopardizing the livelihood of security researchers, app developers, and anyone who might access a system in ways the owner did not expect.

Allowing the government’s interpretation of the CFAA to move forward wasn’t an option, as the Supreme Court explained:

If the “exceeds authorized access” clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals. Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA.

Or consider the Internet. Many websites, services, and databases “which provide ‘information’ from ‘protected computer[s],’ §1030(a)(2)(C)’” authorize a user’s access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers. And indeed, numerous amici explain why the Government’s reading of subsection (a)(2) would do just that: criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook

A decision [PDF] handed down by a New York federal court follows the Van Buren ruling to dismiss a lawsuit brought against a third-party app that collects and shares TikTok data to provide app users with another way to interact with the popular video sharing app. (h/t Orin Kerr)

Triller may exceed users’ expectations about what will be collected or shared, but it makes it pretty obvious it’s in the collection/sharing business. To utilize Triller, users have to opt in to data sharing right up front, as the court points out:

“To post, comment, or like videos, or to watch certain content on the App, users must create a Triller account.” ¶¶ 8, 30. When creating an account, a user is presented with a screen, depicted below, that provides various ways to sign up for an account:

This first step makes it clear Triller will need access to other social media services. Users can go the email route, but that won’t stop the app’s interaction with TikTok data. Hyperlinks on the sign-up screen directs users to the terms of service and privacy policy — something few users will (understandably) actually read.

But all the processes are in place to inform users about their interactions with Triller and its access to other social media services’ data. The court spends three pages describing the contents of these policies the litigant apparently did not read.

This is not to say users should be victimized by deliberately obtuse and convoluted terms of service agreements. If anything, more service providers should be required to explain, in plain English, what data will be collected and how it will be shared. But that’s a consumer law issue, not a CFAA issue, which is supposed to be limited to malicious hacking efforts.

Being unaware of what an app intends to do with user data is not a cause for action under the CFAA, especially now that some guardrails have been applied by the nation’s top court.

Wilson alleges that Triller exceeded its authorized access by causing users “to download and install the App” to their mobile devices without informing users that the App contained code that went beyond what users expected the App to do,” by collecting and then disclosing the users’ information. However, as Triller argues, even assuming that Wilson is not bound by the Terms and thus did not authorize Triller to collect and disclose her information, it is not the case that Triller collects this information by accessing parts of her device that she expected or understood to be “off limits” to Triller. Van Buren, 141 S. Ct. at 1662. Rather, Wilson merely alleges that Triller collects and then shares information about the manner in which she and other users interact through the App with Triller’s own servers. Thus, at most, Wilson alleges that Triller misused the information it collected about her, which is insufficient to state a claim under the CFAA.

Wilson can appeal. But she cannot revive this lawsuit at this level. The federal court says the Van Buren ruling — along with other facts in this case — make it impossible to bring an actionable claim.

Accordingly, Wilson’s CFAA claim is dismissed with prejudice.

That terminates the CFAA claims. Other arguments were raised, but the court isn’t impressed by any of them. The Video Privacy Protection Act (VPPA) is exhumed from Blockbuster’s grave because TikTok content is, after all, recorded video. Violations of PII (personally identifiable information) dissemination restrictions are alleged. These are tied together and they both fail as well.

While the complaint alleges what sort of information could be included on a user’s profile and then ultimately disclosed to the third parties, it contains no allegation as to what information was actually included on Wilson’s profile nor how that information could be used by a third party to identify Wilson. Indeed, the complaint lacks any allegation that would allow the Court to infer a “firm and readily foreseeable” connection between the information disclosed and Wilson’s identify, thus failing to state a claim under the VPPA even assuming the broader approach set out in Yershov.

These claims survive dismissal. So does Wilson’s claim about unjust enrichment under New York state law — something predicated almost entirely on the size of the hyperlinks directing users to Triller’s privacy policy and terms of service. Those can be amended, but there’s nothing in the decision that suggests they’ll survive dismissal again.

Wilson also brings a claim under Illinois’ more restrictive state law concerning user data (the same one used to secure a settlement from Clearview over its web scraping tactics), but it’s unclear how this law applies to a Illinois resident utilizing a service that is a Delaware corporation being sued in a New York federal court. It appears the opt-in process will be the determining factor, and that’s definitely going to weigh against the plaintiff. Unlike Clearview, which scrapes the web without obtaining permission from anyone or any site, Triller requires access to other social media sites to even function.

It’s a good decision that makes use of recent Supreme Court precedent to deter bogus CFAA claims. While Wilson may have legit claims under federal and state consumer laws (although this doesn’t appear to be the case here…), the CFAA should be limited to prosecution and lawsuits directed against actual malicious hacking, rather than app developers who are voluntarily given access to user information by users. This doesn’t mean entities like Triller should be let off the hook for obscuring data demands and sharing info behind walls of legal text. But the CFAA is the wrong tool to use to protect consumers from abusive apps.

Techdirt