A recent decision by the U.S. Court of Appeals for the Sixth Circuit shed light on theories plaintiffs will use in privacy litigation against owners of Internet of Things (IoT) connected devices.
Already known in the legal blogosphere as "the butt dialing case," the court's July 21, 2015 opinion in Huff v. Spaw considered federal eavesdropping claims brought against Carol Spaw, who received--and recorded--an accidentally dialed call. The Sixth Circuit concluded that James Huff, who accidentally made the call, did not have a reasonable expectation of privacy in the conversation, because, accidentally or not, he is the one who placed the call. The person to whom he was speaking, however--his wife, Bertha Huff--did state a valid claim for eavesdropping, because she could not have known under the circumstances that she was being recorded by the phone in her husband's pocket.
The ramifications of this decision extend far beyond phones. The court's own opinion drew the connection between this holding and IoT devices when it observed that James Huff's claims would have failed for the same reason "if he inadvertently used a webcam to broadcast his in-home activities to ... third parties," citing, of all things, the 1999 movie American Pie. By the same token, of course, Mrs. Huff would have had a claim if someone had watched her in the house because James had left the webcams on. Eavesdropping case law on this point is legion, both here in Michigan and elsewhere, in the context of men who install secret cameras to record, for example, showers or sexual encounters. The FTC has likewise made clear that intercepting broadcasts from in-home IoT webcams invades the privacy rights of those in the home.
This point was made even clearer to me during the IAPP KnowledgeNet meeting I attended yesterday in Detroit on IoT privacy issues. As a group, we considered the implications of that stereotypical IoT device, the connected refrigerator. In this hypothetical, the smart fridge collected every type of data imaginable, including video, user biometrics, and the like. But in discussing the steps that should be taken to obtain user consent to the collection and use of this data, it became clear that typically approaches to obtaining informed consent (i.e., clicking "I Agree" to a privacy policy once) wouldn't fit. That's because it's not just the purchaser of the device or even the owner of the home who uses the fridge. It's also the rest of the family, their houseguests, and any subsequent purchasers of the fridge. Some of these users may be minors, intoxicated, or otherwise incapable of giving consent. In reality, most would not even realize the extent of data being collected. Just like Mrs. Huff, therefore, they may retain a valid expectation of privacy--and the owner of the device may be the one responsible for allowing that privacy to be invaded.
As Shakespeare may have said if he had written The Tempest today, "Oh brave new world, that has such fridges in 't!"
