O Brother, Where Art Thou How New Laws Are Governing the Collection and Use of Geolocation Information Inside Apps

Trying to find out where someone is located is valuable information for businesses and attorneys, but there are new laws winding their way through Congress which directly impact how this information is obtained. 

In 2000, George Clooney appeared in the Joel and Ethan Coen comedy titled O Brother, Where Art Thou? The Coen brothers’ movie created the story as a modern satire loosely based on Homer’s poem, The Odyssey. The film is set in 1937 rural Mississippi and the title is a reference to a 1941 film titled Sullivan’s Travels. 

In the movie, Ulysses Everett McGill (played by Clooney) walks into a general store and asks a clerk when the store would have in stock certain car parts and Clooney’s hair jelly of choice, Dapper Dan. In response to Clooney’s query, the man in the store tells Clooney it would be two weeks to get the car parts he needed and two weeks to get the jelly.  In true Clooney fashion, his character retorts, “Well isn’t this place a geographical oddity. Two weeks from everywhere!”  

Fast forward fourteen years since the release of the film to the age of the smartphone and Clooney would not have to ask that question. He could simply ask Siri to find an auto parts store or a beauty supply store near him. Siri, using the geolocation capabilities in Clooney’s iPhone would be able to tell exactly where he was in the world and within seconds, tell him the closet businesses meeting the descriptions. Using the phone’s location, Siri could even provide Clooney with turn by turn directions to the businesses. 

Knowledge of such capabilities begs the question: What is geolocation? Geolocation is the process of determining the geographic location of a particular object, like a computer terminal, a mobile phone or tablet. 

There are different types of geolocation. IP Geolocation identifies the object’s IP (Internet protocol) address, then determines what country, state, city, ZIP Code, organization, or location the IP address has been assigned to. Using W3C geolocation, the World Wide Web Consortium (W3C) relies on a standardized ability to retrieve the geographic location. Finally, Geocoding relies on geographic coordinates (latitude and longitude) from other data like a city or an address. In short, it is a way to find out where you are when you are holding your smart phone or tablet.  

In the movie, the title suggests the answer to the location question may be provided by a higher authority, but in 2014, the answer may really be determined by a number of new US laws governing the collection and use of geolocation information. These laws were introduced in 2013-2014 and are presently in committee.  

Senator Ron Wyden (D-OR), Mark Kirk (R-IL) and Congressman Jason Chaffetz (R-UT) reintroduced the House GPS Action on March 21, 2013. Shortly after introduction, the bills were referred to the judiciary committee for each chamber and to the House intelligence committee.

The GPS Act provides guidance to law enforcement officers and to private companies. The Act assists law enforcement in determining the amount of geolocation evidence they need if they want to track an individuals’ movement or location. Private companies can also benefit from the Act as it provides guidance as to how the companies should respond to law enforcement requests and what the companies need to do to protect customer information. The Act has a tertiary effect of providing consumers with the confidence that their privacy rights are being protected. Modeled after the federal wiretapping statutes, the GPS Act creates a modern day process to obtain warrants that will enable law enforcement to obtain geolocation information from a suspect, much in the same way warrants for wiretaps are currently obtain. The GPS Act.

The GPS Act primarily and most directly impacts law enforcement. However, given the sensitivity of this information and the vast amount collected on a daily basis, it is reasonable to assume that the Act will impact the manner in which such information is obtained in a civil litigation. Currently, in California, you must obtain consent from both individuals before you record a conversation. It is reasonable to assume that in a civil context, unless actual and valid consent is obtained from the consumer, a strong argument could be made that such evidence could not be introduced in a hearing or at trial.

The GPS Act includes certain punitive provisions which could cause problems of a criminal and civil nature. The Act creates criminal penalties for people/companies that track a person’s movements without obtaining consent. Additionally, it is very likely that the FTC or California’s Attorney General could use the Act as a means of finding civil penalties for violation of Business and Professions Code Section 17200, as an Unfair Business Practice, which has been the section of choice in similar prosecutions. 

Thus, if the law makes it out of committee and passes, I would expect this Act to be an additional arrow in the FTC’s arsenal of statutes to enforce its desire to increase transparency in the area of privacy.

The Online Communications and Geolocation Protection Act (OCGP Act) includes similar safeguards as the GPS Act, but the provisions extend to online communications.  On March 6, 2013, Representatives Zoe Lofgren (D-CA), Ted Poe (R-TX), and Suzan Del Bene (D-WA) the bill was promptly referred to the House judiciary and intelligence committees. The bill remains in committee for further evaluation.

The OCGP Act changes the federal criminal code by permitting a governmental entity to require the disclosure of electronic information, including geolocation data, pursuant to a duly obtained warrant. Upon receiving the warrant from the governmental entity, the business must provide a copy of the warrant to the service subscriber, customer or user. Generally, the OCGP Act prevents the intentional gathering, disclosing or using geolocation information. The OCGP Act includes exemptions when the parent consents for their child, to assist an emergency responder to locate an individual in danger or when the information is otherwise generally available to the public. The exemptions are reasonable and are not likely, as has been the case with many exemptions, to completely undermine the intent of the statute.

An example of just how important geolocation can be is demonstrated in a very recent unpublished California criminal case entitled, People v. Juarez, 2014 Cal. App. Unpub. Lexis 5707. The case involved sexual abuse incidents which occurred in 2010. In 2012, the victim, as part of the investigation, contacted the perpetrator. The police contacted the perpetrator’s cell phone provider and provided facts to support the exigent circumstances exception to obtaining a warrant. 

Based on these facts, the cell phone provider produced an address near the location of the perpetrator’s cell phone (using geolocation technology). Police rushed to the location and arrested the perpetrator. Juarez moved to suppress the geolocation data on the grounds that the police invaded his privacy without a warrant. The court denied the motion to suppress and held that Juarez had no reasonable expectation of privacy in his geolocation data.

What is particularly noteworthy about the OCGP Act is the effect of a violation. If the information is obtain in violation of the Act, the evidence can’t be used in “any trial, hearing, or other government proceeding.” However, the geolocation information can be used in a civil action to obtain relief for violations of the Act. Additionally, the OCGP Act specifically provides for civil actions to recover damages from persons, other than the United States, when the information is obtained in violation of the Act.  

The next important question involves the definition of, “damage.” The OCGP Act does not define what the Act considers damages. Thus, the concept is left to the courts to decide. In January 2014, the case involving a data breach relating to Sony’s Playstation survived a Motion to Dismiss in District Court. In the class action entitled, In re: Sony Gaming Networks and Customer Data Security Breach Litigation, 2014 U.S. Dist. Lexis 7353, the plaintiffs alleged that they suffered damages as a result of the data breach. The plaintiffs conceded their negligence claims sought only economic losses such as credit monitoring fees, loss of use and value of the product and the loss of use and value of certain third party services.  

However, the Plaintiff’s sought to establish their negligence claims based on the special relationship exception set forth in  J’air Corp. vs. Gregory,  (1979) 24 Cal. 3d 799. According to J’aire, a special relationship exists if: (1) the extent to which the transaction was intended to affect the plaintiff, (2) the foreseeability of harm to the plaintiff, (3) the degree of certainty that the plaintiff suffered injury, (4) the closeness of the connection between the defendant's conduct and the injury suffered, (5) the moral blame attached to the defendant's conduct and (6) the policy of preventing future harm. Id. At 804-805. The court in Sony concluded that no special relationship existed and dismissed the negligence claim. However, the Sony case provides an excellent analysis of what is “damage” to support various claims and what the courts consider pure speculation. Any California attorney who practices in this area of law or who has clients involved in a data breach claim are strongly encouraged to review the case and its rationale.  

The Location Privacy Protection Act of 2014, if enacted into law, would prohibit companies, without obtaining proper consent, from collecting or disclosing geolocation information from a smart phone. As with the OCGP Act, it includes exceptions for parents tracking their children, emergency services and law enforcement. The bill also prohibits the development and distribution of so called, “stalking apps.” Stalking apps are mobile apps used by individuals to secretly track the movements of individuals; think jealous wife following husband or concerned parents of teenagers. 

 

According to Senator Franken, The Location Privacy Protection Act of 2014 (“LPPA”) fixes outdated federal law to protect consumers and victims of stalking. As is the common theme in all these new laws, and many existing laws, the LPPA requires companies who want to obtain geolocation information to first obtain consent and to tell the people who do consent, how the information is being shared. Additionally, the LPPA exempts compliance to parents tracking their children, in emergency and other similar situations. As an additional safeguard, the Act requires companies that collect geolocation data from 1,000 or more devices to post on line how they collect the information, the kinds of information collected, how they share/use the information and how people can prevent the collection and sharing of the information.  

 

At the heart of the LPPA are provisions which completely ban the development, operation and sale of stalking apps. As a deterrent, enforcement is authorized to seize the proceeds from the sale of the apps to fund anti-stalking efforts. However, this provision is undermined by the practicality of what really occurs in the market place. Specifically, such stalking apps are not “sold.”  The apps are offered for free – so there are no proceeds from the sale of the apps. In reality, the developer makes money from the free app by selling the information obtained from consumers who use the apps. Consequently, the hammer of disgorging proceeds from the sale of the app, unless courts interpret a “sale” to include the sale of the information to a third party, is entirely without teeth.

The committee hearings on the LPPA are progressing. As recently as June 4, 2014, the United States Government Accountability Office (“GAO”) testified about its recent findings on the following topics: 1) sharing and use of location data by companies; 2) actions by companies and federal agencies to protect location data; and 3) privacy risks associated with collecting the data. The GOA testified that, of the companies it surveyed, they did not properly disclose to customers what they did with the geolocation data even if the companies had privacy policies or similar practices. As a result, the GAO testified, the consumer is not always aware of what is being with the information collected by the companies.  Of the privacy policies the GAO reviewed, it found the policies failed to tell the customer how long the company would keep the information. Thus, the company could keep the information indefinitely, which creates a higher risk of identity theft.

  

The Federal Trade Commission provided some additional insight during the Senate’s hearing on the LPPA. Jessica Rich, the Director of the FTC’s Bureau of Consumer Protection, recommended that the FTC, as the “federal government’s leading privacy enforcement agency,” should be permitted to enforce the LPPA to pursuant to Section 5 of the FTC Act. As currently drafted, the LPPA allows only the Department of Justice to enforce the Act, after consulting with the FTC. 

As mentioned earlier in this article, on June 25, 2014 the United States Supreme Court issued its opinion in Riley vs. California 134 S. Ct. 2473 (2014)  in which it addressed the question of whether the police properly searched Riley’s mobile phone as part of a traffic violation stop. The officer reviewed certain information on the phone and noticed the repeated use of a term associated with a street gang.  

At the police station two hours later, a detective specializing in gangs further examined the phone’s digital contents. Based in part on the photos and videos the detective found, the stated charged Riley in connection with a shooting that occurred several weeks earlier and sought an enhanced sentence based on Riley’s gang membership. Riley moved to suppress all evidence that the police obtained from his cell phone. The trial court denied the motion and convicted Riley. The Court of Appeal affirmed the denial and the conviction. However, the Supreme Court reversed the judgment and remanded the case to the trial court.

Justice Roberts observed that cell phones “are now such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.” Id. At 2485. Further, in rejecting the United States assertion that searching data stored on a cell phone is materially indistinguishable from searches of a person’s physical items, Justice Roberts retorted, “[t]hat is like saying a ride on a horseback is materially indistinguishable from a flight to the moon.” Id. At 2488.

The court particularly noted the immense storage capacity of the most common phone equates to far more than anyone ever stores in their own home. The court recognized, “The sum of an individual’s private life can be reconstructed through a thousand photographs labeled with dates, locations, and descriptions; the same cannot be said of a photograph or two of loved ones tucked into a wallet.” Id. At 2489 (Emphasis added for use in this article). The Supreme Court went on to say, “Data on a cell phone can also reveal where a person has been. Historic location information is a standard feature on many smart phones and can reconstruct someone’s specific movements down to the minute, not only around town but also within a particular building.” Id. At 2490.

Justice Roberts’ discussion of geolocation data and the significance of the data obtained by a smart phone is particularly relevant to attorneys practicing in California. Since 2012, the FTC and California Attorney General Kamala Harris have, practically speaking, entered into a virtual partnership in combating perceived abuses of the data culled from smart phones. California attorneys should expect that California will continue to lead the nation in promulgating additional legislation similar to the bills discussed in this article. 

Additionally, the increased use of “wearable” devices, which connect you to the internet via an app on your mobile device or through a “hot spot,” increases the importance of geolocation and these laws. Whether you are wearing a wrist band that monitors your mileage and calories or have a contact lens which monitors your glucose level, this information can be transmitted via an app or by merely connecting to a wireless hot spot. In addition to the specific information, your geolocation data can also be transmitted. Consequently, a company can link the medical information with the geolocation data and use the combined information to market to you in a very targeted and timely manner. 

California SB 962, otherwise known as the “Kill Switch” law was approved by Governor Brown on August 25, 2014 and just recently became law. The law requires that all smart phone sold in California or shipped to California residents have some form of technology which permits a consumer to disable the phone if it is acquired by an unauthorized user.

The law is intended to address the increasing number of thefts of smart phones in California. However, the new law creates an interesting dilemma for the use of geolocation information by law enforcement. Frequently, smartphones are stolen and used in the commission of a crime. Law enforcement can use the geolocation from the phone, as well as much of the information obtained from the phone once it is in the unauthorized user’s possession to solve the crime or to obtain information to solve other crimes. If the purchaser uses the “kill switch” technology as soon as the phone is stolen, the opportunity to solve other crime is lost. Of course, at the same time, the victim’s personal information is protected as soon as possible. Thus, the new law has both pitfalls and benefits in this age of technology.  

Clearly, whether you talk with Odysseus, George Clooney or Chief Justice Roberts, the answer to the question, “Where are you?” will be very different. According to Odysseus, it would likely involve some reference to the Gods and the moon/sun. According to George Clooney, it would involve his ability to acquire car parts and hair gel. 

However, Justice Roberts clearly understands that that answer has much more to do with your GPS coordinates, IP address and whether you gave Google consent to locate you. As we transition into an increasingly computerized, technologically associated daily life, the future answer to such a question will likely be found…. in the 21st century version of a cloud!