The availability of third-party keyboard apps on the new iOS 8 operating system for Apple mobile devices created quite a buzz. It also served as a reminder for any developer of apps that transmit data or communications from a user’s host device to external servers to be cognizant of the risks associated with such data collection, whether intended for misuse or not.
Though previously available on the Android operating system, third-party keyboard apps such as SwiftKey, Fleksy and Swype broke through with Apple for the first time on iOS 8,MacRumors.com and Tech Republic report. iOS 8 comes stock on the newly released iPhone 6 and is available for download on earlier iPhone versions. Third-party keyboard apps provide aesthetic variety and features such as the ability for users to type without lifting their fingers from the keyboard by tracing their fingers between letters or numbers. Some keyboard apps also have the capability of recording a user’s keystrokes and transmitting the data contained in those keystrokes to external servers, according to MacRumors.com and a technology blog written by IT expert Lenny Zeltser. In some cases, this allows the app to require less hard drive storage space on the host device and to provide upgrades more efficiently.
But any time software operates in the background to record and transmit a user’s data or electronic communications from a host device to an external server, it risks running afoul of federal and state wiretapping laws. Apple and the three keyboard apps listed above seem to have done a good job minimizing their risk and protecting consumers by:
- Containing their data processing functions within the host device’s internal hard drive unless the user selects optional features and functions;
- Requiring the user to grant “full access” to the app before it will operate; and
- Not using the apps’ keystroke transmission capabilities to mine data for income-generating purposes.
But developers of similar new third-party keyboards and other apps that are capable of recording and transmitting a user’s data and electronic communications to external servers should be careful not to unwittingly subject themselves to potential liability under federal and state wiretapping laws. This is true regardless of whether new app developers actually intend to eavesdrop on electronic communications or use their data collection capabilities to generate revenue by selling mined data to advertisers.
The Electronic Communications Privacy Act of 1986 (ECPA) amended the Wiretap Act, codified at 18 U.S.C. § 2510 et seq., to prohibit the interception of “electronic communication[s].” The Wiretap Act prohibits any person from intentionally intercepting, endeavoring to intercept or procuring another person to intercept a wire, oral or electronic communication, as those terms are defined in the statute. 18 U.S.C. § 2511(1)(a). In addition, the Wiretap Act prohibits a person from intentionally using or disclosing, or endeavoring to use or disclose, the contents of a wire, oral or electronic communication when the person knows or has reason to know that the communication was intercepted in violation of the statute. 18 U.S.C. § 2511(1)(c)-(d). A violation of the Wiretap Act carries potential criminal penalties, and the statute also allows private civil lawsuits. 18 U.S.C. §§ 2511(4), 2520. Many states have analogous wiretapping laws that prohibit the interception, use or disclosure of electronic communications such as text or email messages, and many of these laws are more restrictive than the federal law.
The Wiretap Act defines “electronic communication” broadly to mean “any transfer of signs, signals, writing, images, sounds, data or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce.” 18 U.S.C. § 2510(12). The Act similarly defines “intercept” both broadly and vaguely to mean “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” Id. § 2510(4).
Courts have interpreted these terms to include recording a computer user’s keystrokes, email, or other communications when the data is contemporaneously transmitted outside the internal hardware of the computer. See, e.g., Byrd v. Aaron’s, Inc., 14 F. Supp. 3d 667, 677, 690-91 (W.D. Pa. 2014) (holding that plaintiffs stated a valid Wiretap Act claim when their complaint alleged that defendant’s franchisees had installed a software program on rent-to-own computers that allowed them to record and transmit keystrokes, screenshots, and webcam images back to their servers, and that defendant knowingly allowed this to happen);Arrington v. ColorTyme, Inc., 972 F. Supp. 2d 733, 737-38, 746-47 (W.D. Pa. 2013) (denying a motion to dismiss for a Wiretap Act claim where the complaint alleged that defendant’s franchisee surreptitiously installed software on a rent-to-own computer that recorded and simultaneously transmitted the user’s keystrokes, screen shots, webcam photographs, and location information to external servers, and that defendant had procured this practice);Klumb v. Goan, 884 F. Supp. 2d 644, 647-48, 661-62 (E.D. Tenn. 2012) (holding that a woman who installed software on her husband’s computer that recorded keystrokes, websites visited, applications used, and screenshots of instant messages and cached webpages, and automatically and simultaneously forwarded copies of intercepted messages to the woman’s email account, had violated the Wiretap Act and its Tennessee analog). But see Halperin v. Int’l Web Servs., LLC, N.D. Ill. No. 13 C 8573, 2014 U.S. Dist. LEXIS 138600, *17 (Sept. 30, 2014) (explaining that “keylogger” software that records keystrokes but does not transmit those keystrokes outside the computer from which they were recorded does not violate the Wiretap Act). Thus, transmitting keystrokes and other electronic communications from a host mobile device to external servers contemporaneously with the recording of that data could violate the Wiretap Act and its state analogs, but recording the data for internal use on the host mobile device itself would not likely be a violation.
An app developer must weigh the risks of building the transmission of user data to external servers into the app against the utility of that function to the app’s operation. If a developer believes the most efficient operation of its app requires the transmission of data and communications between the user’s host device and external servers, then the developer should protect itself by being upfront with consumers about the transmission and requiring a user’s consent for such features. For example, a SwiftKey blog explains that its app transmits keystroke data to external servers to operate features such as “language models, personalized learning and keyboard preferences” so that the size of its keyboard extension stays manageable and so that the app can provide upgrades more efficiently, but only after the user grants the app “full access” and opts in to SwiftKey’s cloud service.
Obtaining a user’s consent to a transmission before the app transmits a user’s data or communications to external servers is important. The Wiretap Act includes an exception to liability if the interceptor is a party to the communication or if the interceptor obtains consent to intercept from one of the parties to the communication. 18 U.S.C. § 2511(2)(d). But, consent is not unlimited. A party may consent to the interception of only a part of a communication or to some communications but not others. In re Pharmatrak, Inc. Privacy Litig., 329 F.3d 9, 19 (1st Cir. 2003). Thus, an app developer should provide a detailed description of the data and communications its app transmits to external servers, and require consent to all of those functions. And even then, the developer must weigh the risks of transmitting data and communications to its external servers because in some states obtaining consent only from the sender of an electronic communication is not enough.
Though the Wiretap Act and the majority of states require the consent of only one party to the communication, wiretap statutes in 12 states — most prominently California, Florida and Illinois, and Ohio neighbors Michigan and Pennsylvania — require consent from all parties to the communication for the consent exception to apply. Thus, a developer risks running afoul of a state’s wiretapping law if it records and transmits keystrokes or other data used in a text message or email even if the sender has consented.
In summary, app developers would be wise to consider the following when building their apps:
- Weigh the utility of offloading some features and functions to external servers against the risks that come with transmitting user data outside the host device. Though the legal risks are real — as outlined above — developers also should be cognizant of users’ perceptions about privacy and data security.
- Be upfront with users about the transmission of data from the host device to the apps’ external servers. Do not attempt to hide the transmission from users.
- Obtain consent to the transmission from the user in as detailed a manner as reasonably possible. Keep in mind, however, that in some states a user’s consent does not protect the developer from liability for transmitting certain types of data that involve electronic communications to other persons outside the reach of the user’s consent.