Appeals Court Says Downloading And Using A Free App Doesn't Make You A 'Subscriber'

from the a-device-is-not-a-person,-even-if-they're-inseperable dept

Wed, Oct 14th 2015 12:37pm — Tim Cushing

A plaintiff invoking the Video Protection Privacy Act (VPPA) has just been handed a second defeat in his lawsuit against Cartoon Network. The Eleventh Circuit Appeals Court has reached the same conclusion as the lower court, albeit for different reasons.

Originally written to protect consumers against the release of their VHS rental history, the VPPA has since been invoked in various lawsuits to address the release of protected "subscriber information" to third parties, including more than one against the Blockbuster of today: Netflix.

The most recent VPPA lawsuit against Netflix argued that showing viewing history (upon login to an account) violated the account holder's privacy. The Ninth Circuit Court of Appeals found in favor of Netflix, rather than the person who felt they should still have viewing history privacy despite leaving accounts logged in and/or sharing login information.

This one is a bit more tangled and involves Cartoon Network's phone app, rather than the new face of video rentals. The CN app allows users to view the network's videos. It does not require a login to do so. Because no login was required, the plaintiff felt the app wouldn't gather or disseminate "personal information." Well, the app does collect some information, which is specific to the device, but not necessarily the person.

Cartoon Network identifies and tracks an Android smartphone user on the CN app through his mobile device identification or Android ID, which is “a 64-bit number (hex string) that is randomly generated when a user initially sets up his device and should remain constant for the lifetime of the user’s device.” Cartoon Network keeps track of an Android user’s viewing history by maintaining a record of “every video clip or [episode] viewed by the user” via the Android ID number. Cartoon Network then sends this information to a third-party data analytics company called Bango. Each time a user closes out of the CN app on his Android device, “[a] complete record”—including the user’s “Android ID and a list of the videos he viewed”—is sent to Bango.

Bango, of course, is the subsidization behind the free app.

Bango specializes “in tracking individual behaviors across the Internet and mobile applications . . . [and claims] that its technology ‘reveals customer behavior, engagement and loyalty across and between all [ ] websites and apps.’” Bango uses Android IDs “to identify and track specific users across multiple electronic devices, applications, and services.” Because Bango is apparently “smarter than the average bear,” see The Yogi Bear Show, Trying to Escape Jellystone Park (Hanna-Barbera Prod. 1961), it can “automatically” link an Android ID to a particular person by compiling information about that individual from other websites, applications, and sources. So when Cartoon Network sends Bango the Android ID of a CN app user along with his video viewing history, Bango associates that video history with a particular individual.

It was this tracking that bothered Mark Ellis, who sued on behalf of himself and "others similarly situated."

The decision doesn't head off into a discussion of what is or isn't personally-identifiable and subject to the restraints of the VPPA. Instead, it discusses the difference between a "subscriber" and someone with no viable legal claim at all. The lower court decided Ellis' minimal connection to Cartoon Network (via its free app and his phone's ID) was enough to grant him standing as a "subscriber." But it also found that the information gathered by CN wasn't "personally identifiable" under the VPPA definitions. An Android ID identifies a device, not a person, even if only one person uses it for the lifetime of the device (see also: privacy arguments about license plate readers).

Ellis appealed this finding, and struck out again, but from the other side of the plate.

Mr. Ellis did not sign up for or establish an account with Cartoon Network, did not provide any personal information to Cartoon Network, did not make any payments to Cartoon Network for use of the CN app, did not become a registered user of Cartoon Network or the CN app, did not receive a Cartoon Network ID, did not establish a Cartoon Network profile, did not sign up for any periodic services or transmissions, and did not make any commitment or establish any relationship that would allow him to have access to exclusive or restricted content.

Mr. Ellis simply watched video clips on the CN app, which he downloaded onto his Android smartphone for free. In our view, downloading an app for free and using it to view content at no cost is not enough to make a user of the app a “subscriber” under the VPPA, as there is no ongoing commitment or relationship between the user and the entity which owns and operates the app. Importantly, such a user is free to delete the app without consequences whenever he likes, and never access its content again. The downloading of an app, we think, is the equivalent of adding a particular website to one’s Internet browser as a favorite, allowing quicker access to the website’s content. Under the circumstances, Mr. Ellis was not a “subscriber.”

Having found that Ellis is not a subscriber, the court doesn't weigh in on the issue of the information gathered and distributed by the app. It infers -- by its discussion of previous cases -- that the app behaves more like a website cookie that tracks unregistered users by device info rather than more personally-identifiable data.

Had Ellis increased his level of interaction -- say, by creating an account -- he would have had a better chance at being recognized as a "subscriber." Of course, had he done this, he would have had to agree to CN's terms of service, which likely contains plenty of fine print "disclosing" its relationship with Bango, as well as to what is specifically collected and passed on. So, there would have been no cognizable injury in that case either.

V Cartoon Network (PDF)V Cartoon Network (Text)

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: apps, cartoon network, eleventh circuit, privacy, subscribers, vppa
Companies: cartoon network

14 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

John Fenderson (profile), 14 Oct 2015 @ 12:44pm

PII
The decision doesn't head off into a discussion of what is or isn't personally-identifiable

That's too bad, since device IDs are clearly PII. That contracts and the law don't recognize this plain truth is a shame.
[ link to this | view in chronology ]
- tqk (profile), 14 Oct 2015 @ 4:54pm
  
  Re: PII
  That's too bad, since device IDs are clearly PII.
  
  I don't see how anyone (with technical knowledge) could believe that, any more than an IP address or a licence plate is PII (which they're not). If your unsecured wifi router is used by war-drivers, or your wife or kid borrows your cell-phone or vehicle, you can't be personally fingered for what they do with it.
  [ link to this | view in chronology ]
  - John Fenderson (profile), 15 Oct 2015 @ 6:32am
    
    Re: Re: PII
    True, but you are fingered as the owner of the device, so device IDs do identify you personally. IP addresses are different, as they can change, but device IDs are a constant.
    [ link to this | view in chronology ]
  - John Fenderson (profile), 15 Oct 2015 @ 6:33am
    
    Re: Re: PII
    Oh, and I do consider license plates to be PII.
    [ link to this | view in chronology ]
Whoever, 14 Oct 2015 @ 1:08pm

In Europe?
European websites now have notifications about the use of cookies and frequently, opt-out instructions, I wonder if there will be similar issues over tracking by cellphone apps?
[ link to this | view in chronology ]
Chris Brand, 14 Oct 2015 @ 1:10pm

Strange logic
"there is no ongoing commitment or relationship between the user and the entity which owns and operates the app. Importantly, such a user is free to delete the app without consequences whenever he likes, and never access its content again"

As opposed to a magazine subscription, which can presumably never be cancelled ?
[ link to this | view in chronology ]
- Anonymous Coward, 14 Oct 2015 @ 2:28pm
  
  Re: Strange logic
  You can cancel it, but that requires interaction between user and entity. There are potentially consequences of cancellation, such as (potentially) losing access to content which the entity is obligated to produce or financial penalties. You have to tell them you want to cancel.
  
  With the app, there are no obligations from either side in terms of what is or isn't done at any stage.
  [ link to this | view in chronology ]
Anonymous Coward, 14 Oct 2015 @ 1:18pm

If it's "free", YOU are the product, proven yet again.
>>> Bango uses Android IDs “to identify and track specific users across multiple electronic devices, applications, and services.” -- Android is "free" from what multi-national mega-corporation?
[ link to this | view in chronology ]
- Anonymous Coward, 14 Oct 2015 @ 3:00pm
  
  Re: If it's "free", YOU are the product, proven yet again.
  Seriously seek help. You have a problem.
  [ link to this | view in chronology ]
- tqk (profile), 14 Oct 2015 @ 5:08pm
  
  Re: Ding. Woof, woof! Grrr ...
  Android is "free" from what multi-national mega-corporation?
  
  First, it's not free. Presumably you paid money for that device and its OS was included to make it work. Second, what's that got to do with anything here, other than you smelled Google so your Pavlov's Dog reflex kicked in?
  
  How much do they pay you to slander Google at every opportunity, if I may ask?
  [ link to this | view in chronology ]
Anonymous Coward, 14 Oct 2015 @ 1:26pm

>That's too bad, since device IDs are clearly PII.

Yes, but how's a lawyer to know which device IDs are PII and which aren't? Because, on the other hand, a home WI-FI router device ID is equally clearly NOT PII, as courts have managed to rule in a number of copyright troll cases.

What the lawyerly-substitute-for-mind does in such cases is treat them all the same "for the sake of the precedent", to ensure consistency--which is not, in the abstract, necessarily a contemptible goal. Because writing a legal distinction between the cases is not trivial.

Say, a wi-fi access point is NOT PII, but a device designed to be carried on person or in purse IS PII? How about a cell phone that supports wi-fi tethering, or the old clearwire battery-powered pocket wi-fi?

In simple fact, ANY device ID may or not be personal really depends solely on the way it's used--and, because of the complexity of configuring devices, even the person who primarily uses the device can't know exactly how the device is really being used.
[ link to this | view in chronology ]
- Anonymous Coward, 14 Oct 2015 @ 2:30pm
  
  Re:
  Agreed. It does partly depend on how the Android ID is generated though. Since it says device specific, presumably there is no user account information.
  
  Android 4.2 and on have the ability to have multiple user accounts. If it is device specific, then it's not PII to have a device known, since it could have multiple user accounts, much like a PC in a family, for example.
  [ link to this | view in chronology ]
- John Fenderson (profile), 15 Oct 2015 @ 6:35am
  
  Re:
  I believe the law is radically incorrect in defining what counts as PII. In my view, PII is any information that can be used to identify an individual. Device IDs can be used for this easily, even router device IDs. Therefore they are PII.
  
  I am fully aware that the law disagrees with my definition, but the law is wrong.
  [ link to this | view in chronology ]
Not an Electronic Rodent (profile), 15 Oct 2015 @ 6:10am

Brilliant motivation
Soooo... let me get this straight:
You're saying that is one were to pirate all the CN content, one would get to see the content at no cost AND have privacy; but if one were to use their official application one would get to see their content at no cost but have NO privacy?

Hmmmm.... let me think about that for a moment....
[ link to this | view in chronology ]