Who's Right On Privacy?

Advertisers are constantly looking for new ways to obtain more information from and about online consumers in an effort to provide a more enriching and satisfying online experience for the consumer. At the same time, consumers are becoming more and more knowledgeable about the online collection of their information and are finding new ways to prevent it. As technology evolves, advertisers are seeking to strike a balance between their business objectives and the rights and desires of the modern consumer. What if an advertiser were able to collect weeks, or even months of personal data, including a consumer's location, time zone, photographs, text from blogs, shopping cart contents, emails and a history of web pages visited, all without the consumer giving consent? Would the collection of such information merely provide for a significantly enriched user experience, or does it present a substantial invasion of privacy? The World Privacy Forum fears the latter, and along with various class action plaintiffs' lawyers, points to the increasing use of HTML5 as a data collection vehicle as the source of grave concern.

HTML5 is the fifth version of Hypertext Markup Language used to create web pages and "promises to usher in a new era of Internet browsing within the next few years."1 Most people had never heard of HTML5 until 2010, when Steve Jobs, CEO of Apple, publicly declared that the iPod touch, iPad, and iPhone would not support the use of Adobe's Flash Player to play video content on those devices in what is now commonly referred to as the Adobe Flash vs. HTML5 "war." Despite all reports to the contrary, Jobs vehemently denied that his choice was a business decision, contending instead that the use of Flash exposed users to heightened security risks, shortens battery life, and that Flash was created during the "PC Era" and therefore is not compatible with touch devices.2 Instead of Flash, Apple uses HTML5 in connection with its animation and video content.

Proponents of HTML5 hail it as an important technology breakthrough for reasons beyond Apple's choice to use it. From a development perspective, HTML5 will make it easier for users to check e-mail offline, find a favorite restaurant or shop on a smartphone, and view multimedia content without downloading extra software.3 How does HTML5 accomplish this? HTML5 was devised with the goal of allowing developers to use a single method to embed a video based on open standards (i.e. not controlled by one company). In other words, HTML5 will work everywhere and on every device, regardless of whether such device is an Apple, a PC, a smartphone or a tablet.

And from an activation perspective, companies are using HTML5 in order to create web-based applications that consumers can access and download directly from their web browser, rather than through a proprietary digital distribution platform, like Apple's App Store. Use of HTML5 in this manner allows consumers to access applications through their Internet browser from any device (whether it is an Apple or Android based device). By providing the application through the web instead of the Apple App Store, companies are able to avoid the thirty percent cut Apple takes of each transaction that takes place in its Apple App Store. In fact, shortly after Jobs announced that iPads, iPods and iPhones would not support the use of the Adobe Flash Player, the Financial Times used HTML5 to create a web-based application for use on Apple devices. It used HTML5 specifically to bypass payments to Apple. Angry Birds followed soon after. Angry Birds was initially developed using "native code" for the iPhone and iPod touch. In May of this year, however, the game's creator, Finnish company Rovio, released a browser version of the game, which was backed by Google and not sold through the Apple App Store. Most recently, Amazon used HTML5 to write its new Kindle Cloud Reader as a part of its "buy once, read everywhere" initiative. In the news release announcing the launch of the Cloud Reader, Amazon's Kindle Director stated "we have written the application from the ground up in HTML5, so that customers can access their content offline directly from their browser. The flexibility of HTML5 allows us to build one application that automatically adapts to the platform you're using - from Chrome to iOS."4

During a time when Capitol Hill is seeing a flurry of proposed privacy legislation relating to the collection of personal data and the introduction of "do not track" legislation, privacy advocates are fearful of what the increasing use of HTML5 will mean to the protection of consumer privacy. Most consumers are already familiar with the use of "cookies." Cookies are a website's way of remembering who the user is. A cookie is a small text file that a website either transfers to a user's hard drive or stores temporarily in a computer's memory. Websites use cookies to monitor and maintain information about how users navigate and otherwise interact with the website. Most web browsers (including internet explorer, Mozilla and Opera) accept cookies automatically, but settings on each web browser allow users to control the use of cookies and have them deleted manually or automatically on a pre-determined schedule. Deleting cookies or refusing to accept them does not generally have a significant impact on the user experience.

HTML5 can be used to track user data, much like a cookie is used, but the differences between HTML5 and traditional cookies are significant. HTML5 and its additional features present more tracking opportunities than cookies because the technology uses a process in which large amounts of data can be collected and stored on a consumer's hard drive while the consumer is online. Because of that process, advertisers and others can see weeks or even months of personal data, including, but not limited to a user's location, time zone, photographs, text from blogs, shopping cart contents, e-mails and a history of the Web pages visited. Further, HTML5 can also be used to repopulate browser cookies, even after a user has deleted them. Controls to prevent this kind of data collection are far from widespread and arguably difficult for the typical consumer to navigate.

HTML5 is still a developing tool. Nevertheless, the current rate of use of HTML5 and the forecast for its future uses are significant. Some technology experts predict that HTML5 will replace the Adobe Flash Player in the next ten years.5 In addition, many websites are seeking to enable the use of a hybrid HTML5/Flash player in order to reach a wider consumer base.6

Even though HTML5 is still in its infancy, its use has already inspired a series of class action lawsuits. The most publicized example is Aughenbaugh and Weber v. Ringleader Digital, Inc., et al., No. 8:2010-cv-01407 (C.D.CA), initially filed in the Central District of California and later transferred to the Southern District of New York. Defendants in Aughenbaugh included content providers such as, The Travel Channel, Accuweather, CNN Money and Merriam-Webster's mobile dictionary site, all of which use HTML5 technology in connection with their websites.

The plaintiffs in Augenbaugh alleged that the use of HTML5 significantly violated the privacy of computer users by creating a persistent and essentially undeletable identifier on iPhone devices. Specifically, the plaintiffs contended that HTML5 violated the federal Computer Fraud and Abuse Act ("CFAA") because it intentionally accesses a user's computer, without or in excess of authorization, to obtain information from that computer or impair the integrity of the computer systems or data contained therein. The plaintiffs also cited violations of the California Computer Crime Law by tampering, interfering with or accessing the plaintiffs' computers without authorization. In sum, the lawsuit charged that HTML5 technology allowed the defendants to access private data (by tracking their browsing) in violation of the plaintiffs' expectation of privacy and the law.

Aughenbaugh was voluntarily dismissed without prejudice in late June, but similar claims are being made by plaintiffs in several other pending actions. Courts have upheld the use of cookies in the past, which is helpful precedent for the defendants. But plaintiffs argue that HTML5 is different, and in particular, the ability of HTML5 to repopulate information without consumer consent could significantly alter the analysis.

Regardless of the outcome of any HTML5 lawsuit, website operators are starting to revisit their online privacy policies to make sure they provide consumers with adequate notice of their information collection practices, including HTML5 data collection. Providing notice of HTML5 data collection is consistent with the Federal Trade Commission's longstanding "notice and consent" approach to privacy protection. Taking this approach should reduce the risk of being named as a defendant in one of these class action lawsuits because many of the suits are based on the premise that the disclosures that were made were inadequate. Whether courts will agree remains to be seen. But it seems clear that the useful applications that HTML5 can be used for, and the privacy and other legal issues that are triggered by them, are just starting to play out.

1 Tanzina Vega, New Web Code Draws Concern Over Privacy Risks N.Y. Times, October 10, 2010.

2 See

3 Tanzina Vega, New Web Code Draws Concern Over Privacy Risks N.Y. Times, October 10, 2010.

4 See

5 Tanzina Vega, New Web Code Draws Concern Over Privacy Risks N.Y. Times, October 10, 2010.

6 Id.

Published .