News: 1723246090

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Twilio's Segment SDK challenged with wiretapping claim

(2024/08/10)


Twilio, a communications service provider, was sued on Thursday based on allegations that the developer's Segment software siphons data from mobile apps without consent.

The case, [1]Bender v. Twilio, Inc [PDF], was filed in a federal court in San Francisco, California. It alleges that Twilio's Segment SDK – a software development kit that gets added to mobile apps to provide data collection and analysis – violates America's [2]Wiretap Act , the [3]California Wiretap Act , and California's Comprehensive Computer Data Access and Fraud Act ( [4]CDAFA ).

"Twilio surreptitiously collects sensitive data from consumers through its SDK in real time," the complaint claims. "Twilio collects identity information such as the consumer’s name and email address, mobile advertising IDs (MAIDs), the mobile app name, and device fingerprint data (which includes the consumer’s device make and model, operating system version, and cell phone carrier name among other information)."

[5]

[6]The SDK gathers, it's claimed, not just data associated with the app user and device hardware, but also in-app activities, including search terms, keystrokes, search results, button and menu interactions, and requested pages.

[7]

[8]

The app at issue in this case is called [9]Calm , which in its [10]privacy policy describes extensive data collection and sharing but does not specifically mention Twilio or the Segment SDK. The lawsuit contends that the data collected by this mental-health application is "incredibly sensitive" because it relates to stress, anxiety, and depression.

Keep Calm and carry on?

"The problem with Twilio is that consumers do not know that by interacting with an app which has embedded the Segment SDK that their sensitive data is being surreptitiously siphoned off by an unknown third party," the complaint says. "Consumers are never informed about the Segment SDK being embedded into the app, they never consent to Twilio’s data collection practices, nor are they allowed to opt-in or opt-out of Twilio’s data collection practices – if they even know who or what Twilio and Segment are."

When The Register launched Calm using a network proxy on iOS prior to account creation, we noted network calls to segment.com, as well as various other services like appsflyersdk.com, perimeterx.net, iterable.com, segment.io, and googleapis.com (Firebase).

The charges against Twilio echo an ongoing case, [11]Greenley v. Kochava, Inc [PDF], which was filed in 2022 and has yet to be resolved.

[12]When is a privacy button not a privacy button? When Google runs it, claims lawsuit

[13]Apple demands app makers explain use of sensitive APIs

[14]FTC secures first databroker settlement banning sale of sensitive location data

[15]Location tracking report: X-Mode SDK use much more widespread than first thought

Kochava, a data broker also being [16]sued by the US Federal Trade Commission for allegedly collecting and selling geolocation data, sought to have the wiretapping claim dismissed because its SDK is not " [17]a pen register " – the legal term for a phone or computer-logging device that records phone numbers or IP addresses but not the content of communication.

But the judge in the Greenley case [18]rejected [PDF] Kochava's argument and refused to dismiss the wiretapping claim, citing the California Invasion of Privacy Act (CIPA) and the California Penal Code: "[T]he court rejects the contention that a private company’s surreptitiously embedded software installed in a telephone cannot constitute a 'pen register.'"

[19]

In other words, data collection without disclosure and consent may run afoul of wiretapping laws at least in California, if the court finds in favor of the plaintiff and the decisions survive appeal.

However, the Twilio claim doesn't cite Section 638.51 of CIPA; it relies on other wiretap statutes, so it's unclear how the lawsuit will fare as litigation continues.

California courts [20]have [21]tossed many past ad-related wiretapping claims for various deficiencies, but not all of them.

[22]

A claim that Google broke wiretapping laws by collecting data from H&R Block's tax preparation website was recently [23]allowed to move forward. Similarly, a wiretapping lawsuit against Peloton over data captured by a third-party vendor's chatbot also [24]survived a motion to dismiss.

Twilio and Calm did not immediately respond to requests for comment. ®

Get our [25]Tech Resources



[1] https://storage.courtlistener.com/recap/gov.uscourts.cand.434000/gov.uscourts.cand.434000.1.0.pdf

[2] https://www.law.cornell.edu/uscode/text/18/2511

[3] https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=PEN&sectionNum=632

[4] https://www.justia.com/trials-litigation/docs/caci/1800/1812/

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/applications&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zrbl5yqe2isTVX76iqlVDwAAAE0&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[6] https://segment.com/docs/connections/spec/

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/applications&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zrbl5yqe2isTVX76iqlVDwAAAE0&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/applications&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zrbl5yqe2isTVX76iqlVDwAAAE0&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[9] https://www.calm.com/

[10] https://www.calm.com/privacy-policy

[11] https://storage.courtlistener.com/recap/gov.uscourts.casd.741822/gov.uscourts.casd.741822.36.0.pdf

[12] https://www.theregister.com/2023/10/24/google_privacy_button/

[13] https://www.theregister.com/2023/07/29/apple_developer_api/

[14] https://www.theregister.com/2024/01/15/infosec_in_brief/

[15] https://www.theregister.com/2021/02/03/location_tracking_report_xmode_sdk/

[16] https://www.ftc.gov/legal-library/browse/cases-proceedings/ftc-v-kochava-inc

[17] https://www.law.cornell.edu/wex/pen_register

[18] https://storage.courtlistener.com/recap/gov.uscourts.casd.741822/gov.uscourts.casd.741822.27.0.pdf

[19] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/applications&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zrbl5yqe2isTVX76iqlVDwAAAE0&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[20] https://www.proskauer.com/blog/court-rejects-claims-that-websites-live-chat-feature-violates-californias-prohibitions-on-wiretapping-and-eavesdropping

[21] https://www.globalpolicywatch.com/2024/07/california-federal-court-dismisses-complaint-accusing-google-of-wiretapping-customer-service-calls/

[22] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/applications&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zrbl5yqe2isTVX76iqlVDwAAAE0&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[23] https://www.courthousenews.com/google-cant-escape-class-action-claiming-it-collected-read-private-tax-information/

[24] https://www.insidetechlaw.com/blog/2024/07/chatbot-data-for-ai-improvement-leads-to-wiretapping-lawsuit

[25] https://whitepapers.theregister.com/



Tech douche bros

ecofeco

... are ALWAYS gonna tech douche bro.

Keep Calm and Carry On

ddol

Surely Calm are at fault here for embedding the SDK in their app, and initiating data logging before the user can consent?

Very few things actually get manufactured these days, because in an
infinitely large Universe, such as the one in which we live, most things one
could possibly imagine, and a lot of things one would rather not, grow
somewhere. A forest was discovered recently in which most of the trees grew
ratchet screwdrivers as fruit. The life cycle of the ratchet screwdriver is
quite interesting. Once picked it needs a dark dusty drawer in which it can
lie undisturbed for years. Then one night it suddenly hatches, discards its
outer skin that crumbles into dust, and emerges as a totally unidentifiable
little metal object with flanges at both ends and a sort of ridge and a hole
for a screw. This, when found, will get thrown away. No one knows what the
screwdriver is supposed to gain from this. Nature, in her infinite wisdom,
is presumably working on it.