Normally, the week between Christmas and New Years Day is a quiet one in the privacy and security front. This year you might have expected it to be doubly quiet, with the entire nation’s attention focused on the fiscal cliff (since the Mayan’s were wrong and the world didn’t end). Not so fast. It turned out to be a very busy time. Here are three of my personal highlights.
The FISA Amendment Reauthorization Act of 2012, HR 5949, was signed into law by President Obama, renewing without changing the government’s authority to intercept foreign communications carried on U.S. provider’s networks without a court order. This authority has been highly controversial and is subject to a Fourth Amendment Challenge in Clapper v. Amnesty International. For now, despite concerns expressed by a variety of sources, the FAA remains law for another 5 years unless struck down by judicial action.
The Tenth Circuit Affirms Kirch v. Embarq. Remember all the flap about NebuAd? On December 28, 2012, the Tenth Circuit ended the NebuAd Litigation against Embarq, affirming the district court’s prior decision that the plaintiffs could not state a claim against Embarq for diverting its subscribers traffic to NebuAd for deep packet inspection. In a clear victory that should make plaintiffs lawyers think twice before suing ISPs for accessing communications that travel on its own network, the Tenth Circuit found that where an ISPs access to communications is a result of its provision of communications services, access to such communications in the ordinary course of its core business as an ISP, can never be an interception. Thus, sending that stream of communications to a third party, such as NebuAd, cannot be an illegal interception. And because there can be no civil aiding and abetting liability for violations of the Wiretap Act, Embarq cannot be liable. The tenth circuit’s decision is even more important than the prior district court’s decision, which relied largely on consent. Under the Tenth Circuit’s analysis, consent was never necessary to begin with because Embarq never had more access to the communications of its subscribers through its partnership with NebuAd than it had in the course of providing ISP services. This is an important decision for any ISP thinking about using deep packet inspection.
Google Prevails on Class Action Challenging Unified Privacy Policy. Also on December 28, 2012, the district court granted Google’s motion to dismiss in In re Google Privacy Litigation. In this case, the plaintiffs challenged Google’s transition to a single unified privacy policy, alleging that this new policy had material changes from the Google’s prior 70 individual privacy policies, which prevented information sharing across the entire Google platform. Relying on prior cases dismissing privacy class actions for lack of Article III standing, the court found that even though plaintiffs had “raised serious questions regarding Google’s respect for consumers’ privacy,” plaintiffs had not identified a concrete harm from the alleged combination of their personal information across Google’s products and contrary to Google’s previous policy sufficient to create an injury in fact. Simply put, failing to obey a promise allegedly made in a prior privacy policy does not by itself allow a plaintiff to bring suit in federal court without identifying a concrete way in which that failure harmed the consumer.