He’s seen Silicon Valley’s vision for the future, and it’s enough to keep him awake at night. If the tech wizards get their way, says Chicago attorney Jay Edelson, we will soon be living in a world of total interconnectivity.
“When you wake up, your cellphone will know where you are and who you’re with,” Edelson says. “When you go to your car, it will know who’s in your car and be able to play music and suggest where to eat lunch based on everyone’s shared likes. And when you go to shop, the mannequins will be recording you, can tell it’s you in the store and will suggest different promotions.”
While some of that might sound appealing, Edelson sees this utopian vision of the future in a more ominous light, one in which personal privacy has been insidiously — and often unknowingly — traded for convenience, entertainment and even security.
Long before privacy became an issue of national concern, Edelson, who majored in philosophy at Brandeis University, saw the makings of what he calls a great debate. And since launching Edelson P.C. in 2007, he has been shaping that debate by suing the likes of Facebook, Google, Apple, Amazon and Netflix for privacy law violations. So far, he’s won more than $1 billion in settlements for his efforts — not to mention a reputation as Public Enemy No. 1 in Silicon Valley.
So it is perhaps a bit surprising to find that Edelson has modeled his offices in Chicago and San Francisco to look exactly like those of the corporations he sues. In Chicago, his industrial River North space, with sweeping skyline views, boasts a hip orange-and-gray color scheme, sleek sectional furniture and a conference table that converts for impromptu table tennis games.
Attorneys and staffers — dressed in jeans and casual chic apparel, sporting hipster beards and tousled bobs — look like Central Casting hired them for a reality television show about a top-drawer tech company in Silicon Valley. They cruise the halls on their hoverboards, hang out and crack jokes in each other’s offbeat offices and enjoy healthy gourmet lunches prepared by the firm’s personal chef.
Edelson’s office is the warmest and fuzziest of all, featuring a huge collection of stuffed polar bears, furry rugs, blankets and pillows, framed family photos and lounge-esque seating — from which the merits of potential lawsuits are hashed out while, quite often, wearing shorts and flip-flops.
But, hanging on a valet stand in the corner, a lone shirt and suit jacket send another message: That this low-key, beach-loving, Ping Pong- playing guy is an attorney, not a techie; he was raised on the East Coast, not the West; and he not only can but already has brought some of Silicon Valley’s biggest players to their knees.
His method is surprisingly low-tech. So far, every single one of Edelson’s cases against technology companies have been based on existing state and federal privacy laws, some of which have been on the books for years. The Video Privacy Protection Act provided the basis for Edelson’s suit against Netflix, and the Michigan Video Rental Privacy Act was the heart of a suit against Pandora.
“The VRPA was created for a reason: To protect consumer privacy and allow them to consume media in private,” says Chris Dore, a partner in charge of Edelson’s investigative team. “In our view, simply because the technology and businesses in existence at the time the law was passed have faded away, does not mean the spirit and purpose of the law should be abandoned and not applied to new businesses serving the same purpose.”
Even if Congress passed new laws right now to deal specifically with new technology, Dore says, that technology will have changed by the time legislation is enacted.
In the majority of Edelson’s cases, consumers have no idea their privacy rights have been violated. For example, his lawsuit against comScore, a data analytics company, accused the company of bundling its software with free screensavers, leading consumers to unknowingly download a program on their computers that collected everything from their search queries to their file names and passwords to credit card numbers — valuable information that comScore would then sell. Edelson’s class action was settled (as most of them are) for a precedent-setting $14 million.
“It was a huge wake-up call to all the data brokers and aggregators out there who understand that they now have to be accountable,” Edelson says.
But the question of accountability becomes complicated when it’s hard to prove a tech firm’s actions caused a person actual harm. One of Edelson’s biggest cases to date, Spokeo Inc. v. Robins, was argued before the U.S. Supreme Court in November and is still awaiting the high court’s ruling as of Chicago Lawyer’s press time. Firm client Thomas Robins alleges in a class action that people-searching site Spokeo published incorrect personal and financial information about him in its database in violation of the Fair Credit Reporting Act. While Robins could not show concrete damage caused by the incorrect data, he is unemployed and contends the inaccurate information could potentially prevent him from getting a job.
Earlier in the case’s journey, a panel at the 9th U.S. Circuit Court of Appeals found Congress crafted the law in a way that does not require proof of harm to state a cause of action. As such, Robins can suffer “a violation of the statutory right without suffering actual damages,” in the 9th Circuit’s words.
It wasn’t the first such complaint against the search engine. Three years ago, Spokeo settled with the Federal Trade Commission after it alleged Spokeo had “marketed consumer profiles to companies in the human resources, background screening and recruiting industries without taking steps to protect consumers required under the Fair Credit Reporting Act.”
While the FTC swings a much heavier hammer than any private litigant Dore says, it certainly helps Edelson’s case against Spokeo before the Supreme Court. The recent death of Justice Antonin Scalia, who many thought to be a reliable vote in favor of Spokeo, has only served to intensify Silicon Valley’s close watch on the case.
Edelson, however, remains unfazed.
“Scalia’s death was obviously unfortunate and our condolences go out to his family and friends,” he says. “But in terms of its impact on our case, we expected it to win with Justice Scalia there. We actually thought he was one of the seven justices we were targeting. We still expect to win.”
At stake in the case is, of course, money — at $1,000 per violation, damages could add up to billions for the class — but what has the tech elite nervous is the potential for future lawsuits over similarly technical “no-harm” privacy violations.
In their joint amicus brief, Facebook, Google, Netflix, eBay, Twitter, LinkedIn and Yahoo said the “Article III standing rule adopted by the (9)th Circuit, which allows plaintiffs to bring suits in federal court based on nothing more than an allegation of a bare statutory violation without any requirement of actual harm, is contrary to this (c)ourt’s precedent and renders technology companies, including amici, uniquely vulnerable to baseless and abusive litigation.”
Yet to millions of American consumers, there seems to be plenty of evidence of harm. According to the IRS, 2.7 million taxpayers had their identities stolen last year. In a recent Gallup Poll, one in four Americans said their information has been hacked.
Some of that information is health-care data, which contains far more than just a credit card number and Social Security number. In February, hackers broke into the Hollywood Presbyterian Medical Center’s servers in Los Angeles, demanding millions in ransom in order to return its computer system and electronic health records.
Through one method or another, the health information of one in three Americans will have been compromised by the end of this year, the International Data Corp. says.
“The idea that people aren’t harmed or that data isn’t valuable simply isn’t true,” Edelson says. “Silicon Valley knows the value of data. They’re trained to grab it and exploit it. Facebook knows that if they can control data, they’re worth billions of dollars. It’s the big lie that there’s no value in data.”
The current fight between Apple and the FBI illuminates just how complex the issue of preserving privacy in the digital age has become. It has also put Apple in the unexpected position of championing consumer privacy rights, and Edelson in the unexpected position of backing Apple.
In a recent opinion piece for the Chicago Tribune, Edelson defended Apple’s justifications for wanting to keep its system secure. “Having a secure system protects consumers from data breaches, ‘ransomware’ pirates, nation-states looking for secrets, and — yes — even terrorists (who are increasingly engaging in cyberterrorism),” he wrote. “I never thought I would be standing with Apple in a high-stakes privacy battle. But the FBI’s unprecedented demands on Apple are troubling. And Apple is right to rebuff them.”
But Apple is not necessarily the best advocate for consumer privacy rights, says Lior Strahilevitz, a tenured professor at the University of Chicago Law School. “I think it’s valuable for any company — whether it’s Apple, Microsoft or Google — to identify privacy issues that their customers might care about,” he says. “But Apple is a forceful advocate for privacy when it furthers their business interests. There are other advocates that can serve that role.”
Edelson plans to file an amicus brief to ensure the consumer perspective is presented.
According to Strahilevitz, the need for experienced consumer technology and privacy lawyers is growing as fast as technology. “For graduates of good schools with strong understanding of privacy, there are tremendous opportunities right now,” he says. “Every Fortune 500 company has been on a hiring spree looking for young lawyers to defend against the types of lawsuits that a firm like Edelson brings.”
One of those lawsuits is a case against Facebook for allegedly storing images of user’s faces without their permission, thereby violating Illinois’ Biometric Information Privacy Act. According to the suit, the plaintiff was tagged in a photo uploaded to Facebook by someone else without his permission.
Edelson’s lawsuit, which seeks to represent a class of Illinois residents who aren’t Facebook users but have been tagged in photos on the website, has stirred up ongoing concerns about user privacy with privacy advocates saying the company’s facial-recognition technology should only be used with explicit permission.
“Our finding is that the language does essentially nothing to shape their understanding of the deal they’re entering into with Facebook,” he says. “People have expectations that they bring with them. While they do care about Facebook’s practices and think they’re intrusive, they also recognize they’re getting a lot of value out of Facebook.”
Whether the deal is worth it remains to be seen, but privacy has clearly struck a chord, Dore says. “People understand that the digital, convenient world we’ve created for ourselves has a very scary underbelly,” he warns.
Edelson thinks that underbelly is the consequence of what is, at its core, a narcissistic culture. “I call it the Steve Jobs hubris problem,” he says. “Look at Uber. It’s terrific in many ways, but they’ve created this successful company even though every law prohibits them from operating a private taxi service. They have this hubris.”
It’s a problem, he says, that applies to other technology firms, who tend not to care about either employment laws — citing the rapid growth of the online gig economy — or consumer privacy laws.
Chicago might not be the first place that comes to mind when addressing the issue of digital privacy, but for Edelson, it makes perfect sense. “We have a huge vibrant tech community here, and the courts are terrific,” he says. “Chicago is the best training ground in the world for learning how to be a smart, tough litigator.”
It’s also a place where Edelson is less likely to run into his detractors.
Not that he’s worried. When he opened his office in San Francisco last November, he invited a number of people from the tech industry. After all, he’s a fan. “I love the tech companies,” Edelson says. “I have the Apple Watch, Apple phones and all of that. But I do think they need to be held accountable.”
On the rare occasion he is asked to consult for a startup, Edelson’s advice is surprisingly simple. “If your business is premised on misleading the public, you’re going to run into trouble down the road,” he says, noting that many in the tech industry, including the Spokeo executives, opt out of their own systems, which means a quick search of their names yields no results. “They do it with zero irony. Their moral compass is off.”
In the gilded age of Silicon Valley, Edelson is prepared to take on its barons — dinner with the Zuckerbergs be damned. “It is a very important battle that we’re waging here,” he says. “I understand why I’m not on their Christmas list.”
Edelson cases in the appellate courts
Yershov v. Gannett Satellite Information Network Inc.
No. 1:2014cv13112, 1st U.S. Circuit Court of Appeals
Whether Gannett violated the Video Privacy Protection Act when it disclosed a USA Today app user’s unique Android identification and video-viewing history to a third-party data miner. Gannett argued an Android ID is not personally identifying information and that users of its app are not “subscribers” under the VPPA. Edelson argued that due to the nature of the data analytics business, a unique number associated with a user account or a specific device can and will be subsequently matched with other information that makes them personally identifiable. This case was argued March 8 before a panel of judges that included former Supreme Court justice David Souter.
Eichenberger v. ESPN Inc.
No. 2:2014cv00463, 9th U.S. Circuit Court of Appeals
Locklear v. Dow Jones & Co. Inc.
No. 1:2014cv00744, 11th Circuit Court of Appeals
These two cases raise basically identical issues: Whether the defendants violated the VPPA when they disclosed a user’s Roku identification and video-viewing history to a third-party data miner. (Roku is a service that allows for online video streaming to a TV.) At issue is whether a Roku set-top box’s unique device identifier is personally identifiable information under the VPPA.
Carlsen v. GameStop Inc., et al.
No. 0:2014cv03131, 8th U.S. Circuit Court of Appeals
Deacon v. Pandora Media Inc.
No. 4:2011cv04674, 9th U.S. Circuit Court of Appeals
Whether music-streaming service Pandora is covered by the Michigan Video Rental Privacy Act because it is in the business of “renting” or “lending” sound recordings, which would prevent it from disclosing users’ personal information. The 9th Circuit asked the Michigan Supreme Court to weigh in on the meaning of the terms renting and lending in the law. The certified question is scheduled for argument before the state’s high court on April 27. (In re Certified Question: Deacon v Pandora Media Inc., No, 151104)