Is Apple’s Siri an Illegal Wiretap?
- September 15, 2021
- Clayton Rice, Q.C.
Intelligent virtual assistants are computer programs that perform functions based on a command or question. They are often called software agents because they act for users in an agency relationship. Some virtual assistants interpret human speech and respond by way of synthesized voices. Others work in text or by uploading images. Apple, Google and Amazon are all prominent in the virtual assistant market with products such as Apple’s Siri, Google Assistant and Amazon’s Alexa that have raised privacy and ethical concerns. Activation by voice poses a threat to privacy because such a feature requires a device to be always on – and always listening.
In an article titled Apple contractors ‘regularly hear confidential details’ on Siri recordings published in The Guardian edition of July 26, 2019, tech journalist Alex Hern broke the story that Apple had hired outside contractors to review recordings made by Siri devices and that many recordings were made without the knowledge of the individuals recorded. (here) The content of the unauthorized recordings included “confidential medical information, drug deals, and recordings of couples having sex”. The contractors were tasked with determining what triggered Siri into action – whether a “wake phrase” such as “Hey, Siri” was used or something else such as “[t]he sound of a zip”. Mr. Hern went on to discuss two controversial revelations. First, Siri is routinely triggered by accident without any “wake phrase”. Second, a “small portion” of recordings, both deliberate and accidental, were sent to the third-party contractors. A week later, both Apple and Amazon announced they would limit the use of humans to review conversations on Siri and Alexa. (here)
On August 7, 2019, a class action complaint was filed against Apple in the United States District Court, Northern District of California, San Jose Division, styled as Fumiko Lopez et al v. Apple Inc. (here) The plaintiffs claim violations of California statutes governing the invasion of privacy, unfair competition and consumer protection. The complaint has evolved through various amendments during the early life of the litigation in consequence of motions to dismiss brought by Apple and leave granted by the court to amend the complaint. The plaintiffs claimed in the original pleading that Apple “intentionally and without the consent of all parties to a confidential communication” used an “electronic amplifying or recording device” to record confidential communications. They sought an injunction and damages of $5,000 for each violation. It is the claim for violation of the federal Wiretap Act and the state penal statute that will be the focus of my comments in this post. (at paras. 59 and 61)
2. The Law
Title III of the Omnibus Crime Control and Safe Streets Act of 1968 is also known as the Wiretap Act. (here) It was passed by the United States Congress in response to widespread wiretapping by government agencies and private individuals without the consent of the parties. Title III originally covered only wire and oral communications but was revised in 1986 to include electronic communications. A violation of the statute occurs where any person “intentionally intercepts […] any wire, oral, or electronic communication” or “intentionally discloses” or “uses” their contents while “knowing or having reason to know that the information was obtained through the [unlawful] interception.” It is a constitutional issue. The United States Supreme Court held in Katz v. United States, 389 U.S. 347 (1967) that the Fourth Amendment protection against unreasonable search and seizure applies to all communications where an individual has a reasonable expectation of privacy which I discussed in previous posts to On The Wire. (here and here)
The Invasion of Privacy Act of California (CIPA), contained in the California Penal Code, was enacted in 1967 to replace previous laws that permitted recording of telephone conversations when one party consented. It was recognized by the lawmakers that new technology used for eavesdropping on private communications created “a serious threat to the free exercise of personal liberties and cannot be tolerated in a free and civilized society.” (here and here) Section 631(a) of CIPA protects communications “in transit or passing over any wire, line, or cable,” and those “being sent from, or received at any place within this state.” Section 632(a) prohibits “eavesdropping and recording” regardless of “whether the communication is carried on among the parties in the presence of one another or by means of a […] device.” Section 632 is restricted to confidential communications. Section 631 is not. The distinction acknowledges that communications over a wire are inherently confidential as “confined to the parties” and not “open to the public”.
3. Motions to Dismiss
On February 10, 2021, and September 2, 2021, Judge Jeffrey S. White released two orders granting and denying, in part, motions to dismiss brought by Apple in the Lopez case. The first was a motion to dismiss the plaintiffs’ amended complaint. (here) The second was a motion to dismiss the plaintiffs’ revised second amended complaint. (here) I will only comment on those aspects of the rulings that touch upon the wiretap issues.
(a) Order Filed February 10, 2021
Apple advanced five arguments. First, that it had not “intercepted” communications because it was the intended recipient of them. Second, that because the plaintiffs admit that Siri activations were “accidental”, they cannot allege “intentional” interception. Third, that the plaintiffs failed to assert that the intercepted communications were subject to a reasonable expectation of privacy. Fourth, that interception was not unlawful under the federal wiretap statute because “one of the parties to the communication has given prior consent to such interception.” Fifth, under s. 2511(1)(c) of the statute, a party that intentionally discloses to “any other person” the contents of communications while “knowing or having reason to know that the information was obtained through the interception” of communications in violation of the statute is separately liable. Apple sought to dismiss for failure to plead a predicate interception. (at pp. 7-10) Judge White denied Apple’s motion on grounds 1, 2 and 4. The motion was granted on grounds 3 and 5.
In denying Apple’s motion, Judge White made three key findings. First, the intended recipients of “discussions between doctors and patients, confidential business deals, and sexual encounters” were doctors, business counterparts and sexual partners – not Apple. Second, the plaintiffs allege that Apple knows of the accidental Siri triggers and, instead of deleting the recordings, sent them to third party contractors to improve Siri’s functioning. The allegation that Apple failed to take remedial action while knowing of the accidental activations was adequate, at this stage of the litigation, to make the conduct “intentional”. Third, Apple argued that the plaintiffs consented to interception because the Software License Agreement states that Apple does not warrant that Siri will be “uninterrupted and error free.” Such a general disclaimer, however, was not specific and unambiguous enough to represent that Siri may activate by accident. The plaintiffs were granted leave to further amend the complaint to allege that their own communications were intercepted and disclosed.
(b) Order Filed September 2, 2021
Because the plaintiffs had failed to allege that their particular communications were intercepted, they failed to establish standing or state claims for laws that require a reasonable expectation of privacy. In a revised second amended complaint, the plaintiffs sought to remedy the defects by adding factual allegations regarding their use of Siri-enabled devices. Specific allegations were made that one plaintiff observed Siri activating while having a private conversation in his bedroom while another asserts that he received targeted advertising tailored to his medical condition after talking to his doctor in the presence of his device. (at p. 3) Judge White held that, drawing all inferences in favour of the plaintiffs at this stage of the proceedings, “the complaint plausibly alleges that targeted advertising arose from Siri interception, rather than another commercial auditory interception device.” (at p. 4) On a motion to dismiss, the court’s inquiry is limited to the allegations in the complaint which are accepted as true and construed in the light most favourable to the plaintiff. Judge White concluded that the plaintiffs adequately alleged standing for purposes of the privacy claims and the standard had been met.
Judge White emphasized, however, that the allegations regarding dissemination remained sparse. Nevertheless, because the information regarding the review of Siri recordings by third party contractors lies exclusively in Apple’s possession, the allegations made by the plaintiffs were sufficient at this stage. A plaintiff is not precluded from pleading facts based upon information and belief “where the facts are peculiarly within the possession and control of the defendant.” See e.g., Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 555 (2007); and, Soo Park v. Thompson, 851 F.3d 910, 928 (9th Cir. 2017)
The recent ruling in Lopez followed a ruling in a similar putative consumer class action involving Google Assistant filed in the same court on July 26, 2019. Originally styled as Asif Kumandan et al v. Google LLC et al, the Google litigation involves three separate cases that have now been consolidated as In Re Google Assistant Privacy Litigation. (here) The genesis of the allegations dates back to July 10, 2019, when VRT NWS, a Belgian media outlet, released the story that “thousands of [Google] employees” were systematically listening to audio files recorded by Google Home smart speakers and the Google Assistant smartphone app from devices around the world. The files included audio that did not contain a “hot word”. The plaintiffs allege that Google Assistant may be activated when it misinterprets a “hot word” that triggers a “false accept”. They claim that Google does not destroy the audio recordings but retains them for personalized advertising and to analyze the accuracy of Google Assistant. The case recently survived a motion to dismiss in a ruling by Judge Beth Labson Freeman filed on July 7, 2021. (here)
Some of the strongest laws governing wiretapping in the United States are in California. Absent the consent of all parties, interception of a private communication may not only be inadmissible in court but may also constitute a crime. It is illegal for anyone to eavesdrop on or record a confidential communication without the consent of all parties to the communication. California is therefore known as a “two-party” state distinct from the weaker protection in jurisdictions such as Canada that permit “one-party” consent unless the originator or recipient of the communication is an agent of the state. Although many lawyers recognize that civil liability is difficult to prove in these cases, the potential of criminal liability and the prospect of multiplier damages heighten the seriousness of potential consequences for many defendants. The risk for a defendant with deep pockets, however, may simply lie in crossing swords with robust privacy laws. Just how much does Apple want a judicial answer to the question – is Siri an illegal wiretap?