What do your text messages say about you? A lot, apparently. Things like where you are, where you’ve been, what you bought there, and what credit card you used are frequently stored on the servers of the most popular phone apps.
This is a concern to many data privacy and cybersecurity experts who have been surprised by the alarming breadth of permissions and access often granted when users download and use common messaging and social keyboard apps like SnapChat, BitMoji, SwiftKey, and WordFlow. With the massive amounts of data these app developers must be accessing to recommend your current mood, your next meal, even your next word, it leaves us wondering: Is anything we type on our phones secure and what could possible data breaches mean for us and the future of litigation?
What Data is Being Transmitted?
No matter how and what you like to send from your phone, “there’s a keyboard for that.” Want your phone to learn from you and adapt to the way you type? No problem. Want a keyboard with insanely accurate auto-correct and intelligent next-word prediction to reduce your keystrokes? You got it. Want a keyboard app with a million new emojis or even an avatar that looks, dresses, and acts just like you? If you don’t, it’s likely you know someone that does. But how much access do these apps require to provide the type of customized ease of use that they do? On some devices, if you grant keyboard apps full access—which the app developers often recommend you do—you are allowing the developer to access, collect, and transmit all data you type on your keyboard. This includes anything you have previously typed, as well as sensitive information such as credit card numbers and street addresses.
This can lead to questions about hackability, even for keyboard apps that come pre-installed on your phone. As early as 2015, Samsung was under fire for exposed vulnerability with its integrated SwiftKey application. The embedded keyboard application had a weakness that, should a user be connected to a compromised wi-fi network, allowed the phone to be hacked through the keyboard application. When litigation is filed to determine liability for breaches, phone manufacturers, app developers, and wi-fi providers may be considered liable.
Now, if you do not allow “full access,” most operating systems will revert to their secure keyboard when the phone recognizes you are entering sensitive log-in and password information or credit card numbers, billing and shipping addresses, etc. But, how often do you read the fine print when a newly downloaded app prompts you to “Allow” or “Don’t Allow” access to your phone’s information. Often, you click “Allow” and think nothing more of it. Many of these apps have clearly-stated privacy policies that concede while they do have access to the data you type, they do not share it with any third parties outside of legal obligation. They use it only to improve their product or fix glitches found in the program. However, simply because the app developer is not selling the data to third party vendors, does not change the fact that the data stored on their servers, where your credit card and log-in information would be vulnerable to hacking.
Perhaps more frightening than the vulnerability of data transmitted using these types of keyboard and avatar apps is the geographical exposure. SnapChat was highlighted in a recent article on geo location privacy, revealing how a user had unknowingly exposed her home address to all of her Snap contacts while using SnapChat’s new Snap Map feature. “When I first opened Snap Map,” the author writes, “I saw the Bitmoji for one of my friends in a residential area.” While the user believed her location would only post when she chose to add it to her Snap storyline (much like “checking in” on Facebook), it was actually posting her location, unbeknownst to her, each time she was opening the app.
Privacy litigation concerning smartphone apps is already making its way through the courts. Earlier this year, a court in the Northern District of California took on a case that tested the applicability of the Electronic Communications Privacy Act as it pertains to smartphone apps. In the case, Satchell v. Sonic Notify, Inc., the plaintiff alleged that a sports team mobile application recorded conversation without her knowledge or consent. The app utilizes “novel beacon technology,” which uses a smartphone’s microphone to listen for Signal360 audio beacons, allowing the application to provide users with targeted advertisements. The court found that there was reasonable cause to believe that there was intangible harm associated with the invasion of privacy, but that there was no proof that the creators of the app purposefully intercepted the plaintiff’s communications.
While location broadcasting can be very frightening for parents, another concern is proprietary information. If you’re using a keyboard app and texting or emailing with co-workers and colleagues on your phone about, say, a pending patent application, engineering schematics, sensitive intellectual property, etc., you may want to re-think that “convenient” app and switch back to your standard smartphone board. This is all information that is stored on your device or application servers that is potentially discoverable by your opposing counsel.
Have you been involved in the rise of wireless technology litigation, whether it be focused on data breaches, privacy acts, discoverability issues, or anything else? We expect to see litigation crop up for violations of trade secret protection if data is leaked, consumer fraud class actions against app developers for failure to adequately disclose data collection and use policies, as well as patent infringement suits if sensitive intellectual property information is hacked and utilized. We’d like to hear your insights.