Twilio, a communications service provider, was sued on Thursday based on allegations that the developer’s Segment software siphons data from mobile apps without consent.
The case, Bender v. Twilio, Inc [PDF], was filed in a federal court in San Francisco, California. It alleges that Twilio’s Segment SDK – a software development kit that gets added to mobile apps to provide data collection and analysis – violates America’s Wiretap Act, the California Wiretap Act, and California’s Comprehensive Computer Data Access and Fraud Act (CDAFA).
“Twilio surreptitiously collects sensitive data from consumers through its SDK in real time,” the complaint claims. “Twilio collects identity information such as the consumer’s name and email address, mobile advertising IDs (MAIDs), the mobile app name, and device fingerprint data (which includes the consumer’s device make and model, operating system version, and cell phone carrier name among other information).”
The SDK gathers, it’s claimed, not just data associated with the app user and device hardware, but also in-app activities, including search terms, keystrokes, search results, button and menu interactions, and requested pages.
The app at issue in this case is called Calm, which in its privacy policy describes extensive data collection and sharing but does not specifically mention Twilio or the Segment SDK. The lawsuit contends that the data collected by this mental-health application is “incredibly sensitive” because it relates to stress, anxiety, and depression.
Keep Calm and carry on?
“The problem with Twilio is that consumers do not know that by interacting with an app which has embedded the Segment SDK that their sensitive data is being surreptitiously siphoned off by an unknown third party,” the complaint says. “Consumers are never informed about the Segment SDK being embedded into the app, they never consent to Twilio’s data collection practices, nor are they allowed to opt-in or opt-out of Twilio’s data collection practices – if they even know who or what Twilio and Segment are.”
When The Register launched Calm using a network proxy on iOS prior to account creation, we noted network calls to segment.com, as well as various other services like appsflyersdk.com, perimeterx.net, iterable.com, segment.io, and googleapis.com (Firebase).
The charges against Twilio echo an ongoing case, Greenley v. Kochava, Inc [PDF], which was filed in 2022 and has yet to be resolved.
Kochava, a data broker also being sued by the US Federal Trade Commission for allegedly collecting and selling geolocation data, sought to have the wiretapping claim dismissed because its SDK is not “a pen register” – the legal term for a phone or computer-logging device that records phone numbers or IP addresses but not the content of communication.
But the judge in the Greenley case rejected [PDF] Kochava’s argument and refused to dismiss the wiretapping claim, citing the California Invasion of Privacy Act (CIPA) and the California Penal Code: “[T]he court rejects the contention that a private company’s surreptitiously embedded software installed in a telephone cannot constitute a ‘pen register.'”
In other words, data collection without disclosure and consent may run afoul of wiretapping laws at least in California, if the court finds in favor of the plaintiff and the decisions survive appeal.
However, the Twilio claim doesn’t cite Section 638.51 of CIPA; it relies on other wiretap statutes, so it’s unclear how the lawsuit will fare as litigation continues.
California courts have tossed many past ad-related wiretapping claims for various deficiencies, but not all of them.
A claim that Google broke wiretapping laws by collecting data from H&R Block’s tax preparation website was recently allowed to move forward. Similarly, a wiretapping lawsuit against Peloton over data captured by a third-party vendor’s chatbot also survived a motion to dismiss.
Twilio and Calm did not immediately respond to requests for comment. ®