Pages

21 October 2015

If you think your emails are private, think again


We continue to believe – and file lawsuits presuming – that what we write in our emails is private. Nothing could be further from the truth.

When you type up a racy email to a loved one, do you consider the details private

Most of us would probably say yes, even though such messages often end up filtered through intelligence agencies and service providers.

On the other hand, as the digital world becomes more personalised, consumers have begun to accept, appreciate and apparently request relevant connections between their online behavior and displayed advertisements.

It’s fairly commonplace now. Type camping gear into your browser, and for the next few weeks you’ll see online ads for shoes, stoves, shirts and even fashion accessories, all specially designed for camping.

But when you send an email to a family member, or when you receive an email from a friend, do you expect the same type of follow-on advertising as you do from internet searches?

Or do you expect some different level of privacy simply because the information is cloaked in an email?

That’s the issue at stake in a pending lawsuit against Yahoo! Inc.

The case against Yahoo

Plaintiffs filed an email privacy lawsuit against Yahoo in the US District Court for the Northern District of California under several privacy laws, including the Stored Communications Act – a federal law that prohibits an email service provider from knowingly divulging to any person or entity the contents of a communication while in electronic storage.

Under the SCA, an email service provider may, however, properly disclose the contents of such communications with the lawful consent of the originator or an addressee or the intended recipient of such communication.

Earlier this year in May, Judge Lucy Koh granted plaintiffs' request to proceed in the lawsuit as a nationwide class action.

Class actions allow plaintiffs with identical or similar claims to come together as a group in one lawsuit against a common defendant, rather than each plaintiff bringing his or her own individual lawsuit against the same defendant. Typically, many of the claimants would not have the resources to pursue their individual claims for oftentimes relatively modest economic damages. A class action allows them to pool their resources, hire attorneys on a contingency basis to limit or eliminate plaintiffs’ out-of-pocket expenses and seek potentially larger awards than would likely result from a series of individual lawsuits.

Koh is the same judge who denied class action certification in a similar email privacy case against Google last year. The key difference, as Judge Koh noted in her May ruling, is that the plaintiffs in the Yahoo case sought to include in the class of plaintiffs only non-Yahoo Mail subscribers, while the plaintiffs in the Google case tried to include subscribers as well.

This is important because of the issue of notice and consent: did non-Yahoo Mail subscribers have notice of (and thereby consent to) Yahoo’s publicly disclosed policy of scanning, and possibly sharing, emails simply by corresponding with a subscriber?

Given the express language in the SCA that lawful consent of the originator or an addressee or the intended recipient of such communication is sufficient, and given Judge Koh’s prior ruling that Yahoo’s terms of service establishes consent of the Yahoo Mail subscribers – the answer appears to be yes.

In its request to the Ninth Circuit Court of Appeals for permission to appeal Judge Koh’s class action order, Yahoo argued in part that the court improperly decided that the issue of consent could be analyzed within a class action. Yahoo argued that since consent is an issue that is specific to each potential plaintiff’s behavior and action, it would not be appropriate to examine it on a “class” basis, but rather it should be looked at on an “individual” basis. Yahoo’s request was denied without discussion. A preliminary trial date for the Yahoo case has been set for February 8.

Consumer expectations of privacy

At first blush, it’s tempting to say that emails are different from online behavior and internet search histories, and therefore deserve a heightened level of privacy. An email, like its offline counterpart US mail, is personal, private and akin to a confidential one-on-one conversation written with a specific recipient in mind.

And recent lawsuits underscore this temptation. A new case filed a few weeks ago in California federal court alleges that Twitter is “eavesdropping" on users’ private messages in violation of federal and state privacy laws. Another suit filed earlier in September in the Northern District of California alleges that Google unlawfully diverted non-Gmail users’ email messages to extract content.

But one of the key issues in the case against Yahoo is whether email users – specifically those who do not subscribe to Yahoo Mail – consented to Yahoo’s publicly stated policy that emails sent through its service are scanned and analyzed by the company.

Yes, Yahoo’s publicly available web pages, including the Yahoo Mail page, disclose its scanning practices and the possible sharing of email content with third parities, yet the plaintiffs argue that before sending an email to a Yahoo user or before receiving an email from a Yahoo user, they were not given notice of that policy and therefore did give their consent to it.

The plaintiffs' argument, while superficially plausible, will be a challenging one to make. Companies such as Yahoo and Google have long provided notices and disclosures to consumers, yet consumers rarely read privacy policies or terms of use.

So given this persistent choice either to not read or to disregard privacy disclosures, can plaintiffs (whether as individuals or as a group) really object to scanning emails for targeted advertising – whether they’re subscribers or not?

Leaving aside the issue of consent for the moment, is our online behavior or our internet searches really any less personal – or any less private – than the content of messages sent by users of a free email service that publicly discloses that their emails will be scanned and possibly shared with third parties?

No, they really aren’t.

As The New York Times noted in April 2014 in Sweeping Away a Search History:

Your search history contains some of the most personal information you will ever reveal online: your health, mental state, interests, travel locations, fears and shopping habits. And that is information most people would want to keep private.

Given the intensely private nature of internet searches and email messages, it’s hard to think that consumers would somehow expect more privacy in one than in the other, especially when they use Yahoo Mail, Gmail or other services that users know rely on advertising to support the product. And neither should we expect complete privacy if we use a paid email service to send a personal message to a user of one of the free services.

Realistic levels of privacy

It’s clear from Judge Koh’s earlier rulings that Yahoo users do not have a right to privacy in the messages that they send to or receive from a Yahoo email user given the respective terms of service governing Yahoo Mail.

But do the non-Yahoo users who willingly sent an email to a Yahoo account holder (and presumably received some) have a right to privacy when the account holder has none?

The plaintiffs allege that Yahoo intercepts and scans subscribers’ incoming and outgoing emails for content, including the content of emails to and from nonsubscribers. The plaintiffs further allege that Yahoo copies the entirety of such emails and:

extracts keywords from the body of the email, reviews and extracts links and attachments, classifies the email based on its content[,] … [and] subjects the copied email and extracted information to additional analysis to create targeted advertising for its subscribers, and stores it for later use.

Plaintiffs allege that Yahoo intercepts, reads and learns the content of non-Yahoo subscribers' email communications without the non-Yahoo subscribers' consent. The plaintiffs say such conduct violates the California Invasion of Privacy Act. Judge Koh certified the nationwide class action with regard to the SCA claim and a California-only subclass with regard to the California state law claim under CIPA.

Unlike the Google case, in which Koh denied the plaintiffs’ request for class action certification, the alleged privacy claims in the class action against Yahoo are no longer for money damages (since plaintiffs abandoned their claim for money damages when they moved the court for class action certification). Rather, it is about asking the court to determine that Yahoo’s acts violate the SCA and, if so, that Yahoo be prohibited from engaging in that practice in the future.

The plaintiffs won a short-term victory in achieving class action certification, but this bigger issue over whether they can object to the scanning process – based on a right to privacy – given Yahoo’s disclosure of its scanning and possible sharing practices and given that they chose to send and/or receive an email to a Yahoo user, is far from being decided in their favor.

And they’ll have a tough road ahead making their case, because an important lesson we’ll all learn eventually is that email privacy can sometimes be a digital paradox.

Lydia A. Jones, Adjunct Professor of Law, Vanderbilt University

No comments:

Post a Comment