Surveillance warning: Does Jay-Z’s new Android app that collects massive amounts of information from those who install and use it violate criminal law under the Computer Fraud and Abuse Act (CFAA)?
Prior to the release of the Jay-Z’s new album, “Magna Carta . . . Holy Grail,” Samsung published a mobile app intended to distribute a million downloads of the album – purchased by Samsung for $5 each. According to the Electronic Privacy Information Center (EPIC), the app collects massive amounts of personal information from users, including location data and data pulled from other accounts and other apps on the users’ phones.” “The Magna Carta app also includes hidden spam techniques that force users to hpromote the album.” New York Times music critic Jon Pareles, wrote that the app not only acquired account information — including email addresses and social media usernames — for the handset owner prior to running, but also demanded a working login to Facebook or Twitter, plus permission to post to those accounts, before it would unlock the new album. Likewise, unlocking the album lyrics required making further posts to promote the album.
Because of these privacy concerns, EPIC filed a complaint with the FTC alleging that the app also “interfered with the functionality of the users’ smartphones in ways that users could not reasonably have expected,” such as requiring that the device accept messages relayed by Samsung, which might incur data charges. The app could also control the device’s vibration setting, preventing the device from going into sleep mode, according to the complaint. EPIC said it requested that the FTC “require Samsung to suspend the distribution of the app until the privacy problems are fixed and to implement the privacy protections contained in the Consumer Privacy Bill of Rights.” There is little doubt that many people would find that the app constitutes an invasion of privacy, but what is less clear is whether the sale of the app also violates criminal law under the CFAA.The broadest provision of the CFAA prohibits the intentional access of a protected computer without authorization or in excess of authorized access for the purpose of obtaining information from a private sector computer involved in interstate commerce. As an initial matter, there is no question that the CFAA includes cell phones. The CFAA’s definition of a computer includes not only laptop or desktop computers, but also “electronic . . . or other high speed data processing device performing logical, arithmetic, or storage functions.” The Eighth Circuit in United States v. Kramer, 631 F.3d 900 (8th Cir. 2011) held explicitly that this definition includes cell phones.
Next, there is also little question that one of the purposes of the app is to obtain information. Thus, the only open question with regard to the Magna Carta app is whether the installation and use of the app to collect data is in excess of authorization or without authorization.
By purchasing the app, the user is consenting to the installation of the app on his or her cell phone. However, this does not necessarily mean that the purchaser is also giving his permission or authorization for the Magna Carta app to collect information. The issue of what it means to access a computer without authorization or in excess of authorization is far from settled and different courts have found that the terms have different, even contrary, meanings. Under one approach, the Second Circuit found that the defendant had accessed computers without authorization, because the defendant had used weaknesses in several programs to obtain access in unintended ways. United States v. Morris, 928 F.2d 504 (2d Cir. 1991). The intended functions of the program accessed by the defendant in Morris were to send e-mail and to let users query information about other users. However, the defendant “did not send or read email nor discover information about other users; instead he found holes in both programs that permitted him a special and unauthorized access route into other computers.”
Applying that understanding here, the ostensible intended function of the Magna Carta app is to provide the purchaser with a copy of the new Jay-Z album before its official release. However, after the purchaser had downloaded the app and installed it on his android smart phone, the app performed other functions that may or may not were intended or authorized by the purchaser of the app. It’s hard to imagine that a purchaser would have intended for the app to collect personal information. There is nothing to suggest that when purchasing the app, the user consented to the collection of such information. Without such consent, it appears that the sale and installation of the app may violate the CFAA.