Henson et al v. Turn, Inc.

Northern District of California, cand-4:2015-cv-01497

ORDER by Judge Laurel Beeler adjudicating {{87}} Discovery Letter Brief, {{90}} Discovery Letter Brief. As set forth in the attached order, the court adopts the plaintiffs' discovery proposals, with the slight modification that the plaintiffs should produce the dates (but not the content) of the entries in their browsing history (as they are doing for their cookies). Turn's request for the plaintiffs to allow it to directly inspect their mobile devices (or produce complete forensic i mages of their devices) and for the plaintiffs to produce their complete browsing history and cookies, is denied. Going forward, if any other discovery disputes arise, the parties must comply with the dispute procedures in the undersigned's standing order (attached).

Interested in this case?

Current View

Full Text

9 1 2 3 4 5 6 7 8 UNITED STATES DISTRICT COURT 9 NORTHERN DISTRICT OF CALIFORNIA 10 San Francisco Division 11 ANTHONY HENSON, et al., Case No. 15-cv-01497-JSW (LB) 12 Plaintiffs, ORDER ADJUDICATING DISCOVERY Northern District of California United States District Court DISPUTE REGARDING REQUESTS 13 v. FOR (1) INSPECTION OR FORENSIC IMAGES OF MOBILE DEVICES, 14 TURN, INC., (2) WEB BROWSING HISTORY, AND (3) COOKIES 15 Defendant. Re: ECF No. 87, 90 16 17 INTRODUCTION 18 Plaintiffs Anthony Henson and William Cintron, subscribers to Verizon's cellular and data 19 services, bring this data-privacy class action against defendant Turn, Inc. The plaintiffs' 20 allegations center around "cookies": lines of software code that monitor and gather information 21 about users' browsing and app use. Web browsers, computers, and mobile devices have settings 22 that allow users to block or delete cookies from their devices. The plaintiffs allege Turn engaged 23 in a practice of placing so-called "zombie cookies" on users' devices: cookies that users either 24 cannot delete or block or that, when users try to delete them, "respawn" to continue tracking users 25 across the web. The plaintiffs, both New York residents, bring claims for (1) violations of New 26 York General Business Law § 349, which makes unlawful "[d]eceptive acts or practices in the 27 conduct of any business, trade or commerce or in the furnishing of any service in [New York]," 28 and (2) trespass to chattels. ORDER – No. 15-cv-01497-JSW (LB) 9 1 Turn issued a number of discovery requests for production ("RFPs") to the plaintiffs. Among 2 other things, Turn requested that the plaintiffs (1) produce their mobile devices for inspection or 3 produce complete forensic images of their devices (RFP 1), (2) produce their full web browsing 4 history from their devices (RFP 32), and (3) produce all cookies stored on or deleted from their 5 devices (RFP 33).1 The plaintiffs argue that Turn's requests are overbroad and invade their privacy 6 rights. The plaintiffs propose instead that they produce (1) their web browsing history and cookies 7 associated with Turn partner websites (contingent on Turn's identifying such sites) and (2) the 8 date fields (but not the content) of all other cookies on their mobile devices.2 The plaintiffs oppose 9 allowing Turn to inspect their devices or producing complete forensic images of their devices.3 10 Judge White referred all discovery matters to the undersigned.4 The undersigned can decide 11 the parties' dispute without a hearing. N.D. Cal. Civ. L.R. 7-1(b). For the following reasons, the 12 undersigned adopts the plaintiffs' proposals, as slightly modified below. Northern District of California United States District Court 13 14 STATEMENT 15 1. The Plaintiffs' Allegations 16 Users increasingly use a single mobile device — a smartphone or a tablet — for their online 17 activities, including web browsing, reading the news, listening to radio content, accessing their 18 banking information and managing their finances, shopping online, using GPS for directions and 19 traffic updates, communicating over email and social networks, and reading sites like WebMD to 20 assess their medical condition.5 Marketing companies like Turn have developed ways to place 21 22 1 Joint Letter Br. – ECF No. 90 at 2–5; Joint Letter Br. Ex. 1 – ECF No. 90-1. (The parties filed two 23 copies of the letter brief, one at ECF No. 87 without an exhibit, and one at ECF No. 90 with an exhibit containing RFPs 1, 32, and 33, and the plaintiffs' responses thereto. Other than the exhibit, the letters 24 are identical.) Citations refer to material in the Electronic Case File ("ECF"); pinpoint citations are to the ECF-generated page numbers at the top of documents. 25 2 Joint Letter Br. – ECF No. 90 at 8–9. 26 3 Id. at 7. 27 4 Referral Order – ECF No. 88. 5 Compl. – ECF No. 1 at 3 (¶¶ 2–3). 28 ORDER – No. 15-cv-01497-JSW (LB) 2 9 1 "tracking beacons" on these devices — lines of code called "cookies" — through web browsers or 2 other smartphone apps.6 Cookies monitor and gather information about a user's website browsing 3 and app use, which includes personal information regarding the user's daily routines.7 The 4 resulting data is analyzed and used to target advertisements that match the user's profile.8 5 Consumers have expressed discomfort at the idea of an unknown third party surreptitiously 6 monitoring their online activity for commercial purposes.9 As one academic study reported: 7 Web browsing history is inextricably linked to personal information. The pages a user visits can reveal her location, interests, purchases, employment status, sexual 8 orientation, financial challenges, medical conditions, and more. Examining individual page loads is often adequate to draw many conclusions about a user; 9 analyzing patterns of activity allows yet more inferences. . . . In mid-2011, we 10 discovered that an advertising network, Epic Marketplace, had publicly exposed its interest segment data, offering a rare glimpse of what third-party trackers seek to 11 learn about users. User segments included menopause, getting pregnant, repairing bad credit, and debt relief. Several months later we found that the free online dating 12 website OkCupid was sending to the data provider Lotame how often a user drinks, Northern District of California United States District Court smokes, and does drugs. When Krishnamurthy et al. tested search queries on ten 13 popular health websites, they found a third party learned of the user's query on nine 14 of them.10 15 In a 2013 white paper issued in conjunction with Forbes, Turn surveyed Americans' attitudes 16 about online tracking, marketing, and privacy.11 The survey found that, among other things, 69% 17 of participants deleted cookies in order to "shield their online privacy," 56% of participants "are 18 generally uncomfortable with the amount of information companies know about them or could 19 learn about them through their activities," and 54% of participants felt that "their privacy concerns 20 21 6 22 Id. at 3 (¶ 3), 9 (¶ 27). 7 Id. at 3 (¶ 3). 23 8 Id. at 3 (¶ 3), 9 (¶¶ 25–27). 24 9 Id. at 3–4 (¶ 4), 9 (¶ 28). 10 25 Id. at 9–10 (¶ 29) (citing Jonathan R. Mayer & John C. Mitchell, Third-Party Web Tracking: Policy and Technology, 2012 IEEE Symposium on Security & Privacy 413, 415 (2012)). 26 11 Id. at 11 (¶ 33) (citing Forbes, The Promise of Privacy: Respecting Consumers' Limits While Realizing the Marketing Benefits of Big Data (2013) (The Promise of Privacy), available at 27 http://images.forbes.com/forbesinsights/StudyPDFs/turn_promise_of_privacy_report.pdf (last visited Oct. 22, 2018)). 28 ORDER – No. 15-cv-01497-JSW (LB) 3 9 1 outweigh[ed] any benefits derived from sharing information with businesses."12 In light of privacy 2 concerns, manufacturers and software companies developed functions for clearing and blocking 3 cookies, which have long been standard features on all smartphones, tablets, computers, and web 4 browsers.13 5 Turn developed a method that allegedly made an "end-run" around users' cookie-blocking- 6 and-deleting technologies.14 Turn allegedly did so through a Verizon function that created a 7 persistent, unique identifier header ("UIDH" or "X-UIDH") for Verizon subscribers.15 Each 8 Verizon customer had a unique X-UIDH value.16 Verizon embedded that unique X-UIDH value 9 into the header of every HTTP request that its customers made from their mobile devices.17 Turn 10 monitored the web traffic of its partner websites, searching for HTTP requests from Verizon 11 customers (and the attendant X-UIDH values embedded in the requests).18 Upon receiving an 12 HTTP request, Turn would check the X-UIDH value in the request against a database of values Northern District of California United States District Court 13 that it had stored from previous cookies.19 If there was a match, Turn would place a new cookie on 14 the user's device that contained all of the values from the old cookies in its database that were 15 associated with the same X-UIDH — even if the user had previously deleted cookies from her 16 device in an effort to not be tracked.20 Turn refers to this as "respawning," which led security 17 18 19 12 Id. (citing The Promise of Privacy at 15). 20 13 Id. at 4 (¶ 5), 10 (¶¶ 30–31). 21 14 Id. at 11 (¶ 35). 15 22 Id. at 4 (¶¶ 7–8), 13 (¶ 43). 16 Id. at 12 (¶ 40). 23 17 Id. An "HTTP request" is a request from a device to a web server for the website that a user is trying 24 to view. Id. (¶ 38). For example, if a user wants to view the New York Times's website and types www.nytimes.com into her phone's web browser, the web browser sends an HTTP request to the 25 Times's web server at http://www.nytimes.com. Id. The server then sends data back to the user's web browser, which enables the user to view the Times's website. Id. 26 18 Id. at 13 (¶ 43). 19 27 Id. 20 Id. at 13–14 (¶ 43). 28 ORDER – No. 15-cv-01497-JSW (LB) 4 9 1 experts to refer to these cookies as "zombie cookies" because they have the ability to regenerate 2 and continue to track users despite users' attempts to not be tracked.21 3 The plaintiffs alleged the following example of this process at work, citing in part an analysis 4 conducted by Stanford professor Jeremy Mayer.22 Without a Verizon X-UIDH, when a user visits 5 a Turn partner website, the website might place a cookie in her browser with a certain ID number 6 (the example ID number used in the complaint of the cookie placed in the user's browser was 7 2415230717135370700).23 8 9 10 11 12 Northern District of California United States District Court 13 As long as the cookie remains in the browser, it allegedly transmits the user's browsing history 14 back to the third party that first generated the cookie.24 15 16 17 18 19 20 21 22 23 24 21 Id. at 5 (¶ 9), 11–12 (¶ 35). 25 22 Id. at 13–15 (¶¶ 42–47) (citing Jonathan Mayer, The Turn-Verizon Zombie Cookie, Web Policy (Jan. 14, 2015), http://webpolicy.org/2015/01/14/turn-verizon-zombie-cookie (last visited Oct. 22, 2018)). 26 23 Id. at 14 (¶ 45). The ID numbers used here are the ones used in Professor Mayer's analysis and cited 27 in the plaintiffs' complaint. 24 Id. at 9 (¶ 27). 28 ORDER – No. 15-cv-01497-JSW (LB) 5 9 1 If the user then deletes her cookies: 2 3 4 5 6 7 and then visits another Turn partner website, the website would place a new cookie in her browser 8 with a new ID number (the new example ID number used in the complaint was 9 4425321986559530189).25 10 11 12 Northern District of California United States District Court 13 14 15 With a Verizon X-UIDH, however, when a user visits a Turn partner website, the website 16 might place a cookie in her browser with a certain ID number (the example X-UIDH used in the 17 complaint was "OTgxNT...," and the example ID number of the cookie placed in the user's 18 browser was 4012847891611109688).26 19 20 21 22 23 24 25 25 Id. at 14 (¶ 45). 26 26 Id. The complaint characterizes 4012847891611109688 as the Verizon X-UIDH in Professor Mayer's example, id. (¶ 46), but Professor Mayer's article shows that the Verizon X-UIDH in his 27 example is actually OTgxNT..., and 4012847891611109688 is an ID number that is set in the cookie placed in the user's browser. 28 ORDER – No. 15-cv-01497-JSW (LB) 6 9 1 If the user then deletes her cookies: 2 3 4 5 6 7 and visits another Turn partner website, the website recognizes the Verizon X-UIDH and places a 8 cookie in her browser with the same ID as before and all of the values from the user's old cookie 9 that Turn stored within its database.27 10 11 12 Northern District of California United States District Court 13 14 15 16 2. The Parties' Discovery Dispute 17 The parties raise disputes with respect to three of Turn's requests for production: RFP 1, RFP 18 32, and RFP 33.28 RFP 1 is a request for the plaintiffs to produce "[a]ll mobile devices with which 19 You accessed the internet via the Verizon network during the alleged Class Period" (or complete 20 forensic images of the devices).29 RFP 32 is a request for the plaintiffs to produce "[a]ll data from 21 each Mobile Device reflecting or regarding the user's web browsing history, including web pages 22 viewed either through a dedicated browser application or an 'in-app' browser embedded in another 23 type of application."30 RFP 33 is a request for the plaintiffs to produce "[a]ll data from each 24 27 25 Id. (¶¶ 43–45). 28 Joint Letter Br. – ECF No. 90. 26 29 Joint Letter Br. Ex. 1 – ECF No. 90-1 at 1; Joint Letter Br. – ECF No. 90 at 2 (proposing forensic 27 images as an alternative to production of the devices). 30 Joint Letter Br. Ex 1 – ECF No. 90-1 at 2. 28 ORDER – No. 15-cv-01497-JSW (LB) 7 9 1 Mobile Device reflecting or regarding any cookies stored on and/or deleted from the device, 2 including the filenames, contents, and creation/modification/deletion dates of each cookie."31 3 2.1 RFP 1: Inspection or Complete Forensic Images of the Plaintiffs' Mobile Devices 4 Turn argues that the plaintiffs' mobile devices "are at the very heart of this case."32 5 Specifically, with respect to the plaintiffs' New York unfair-business-practices claim, Turn argues 6 that the claim "is wholly dependent on allegations about the content of Plaintiffs' phones, 7 including whether Turn placed (and replaced) cookies on the phones, what kind of cookies Turn 8 placed on the phones (if any) and when, whether Plaintiffs regularly deleted cookies and their 9 browsing history from their phones, whether Turn 'circumvented device settings' on the phones, 10 and what information (if any) was gathered from the phones."33 With respect to the plaintiffs' 11 trespass-to-chattels claim, Turn argues that "the phones are the very 'chattels' that Plaintiffs allege 12 Turn 'trespassed[.]'"34 Turn argues that "[i]t's hard to imagine a closer connection between Northern District of California United States District Court 13 plaintiffs' claims and their phones to justify allowing Turn's digital forensics experts to analyze 14 them directly."35 15 The plaintiffs respond that allowing Turn to inspect their devices or producing a complete 16 forensic image would allow Turn to "access to Plaintiffs' entire phones and thus access to their 17 private text messages, emails, contact lists, photographs and web browsing histories unrelated to 18 Turn."36 The plaintiffs represent that they objected to RFP 1 and invited Turn to make requests for 19 specific information, which prompted Turn to issue a second, more specific set of requests — 20 RFPs 27–35 — for which (aside from RFPs 32 and 33) the plaintiffs have produced responsive 21 22 23 31 24 Id. 32 Joint Letter Br. – ECF No. 90 at 2. 25 33 Id. at 3 (citing Compl. – ECF No. 1 at 22 (¶ 81)). 26 34 Id. 35 27 Id. 36 Id. at 8. 28 ORDER – No. 15-cv-01497-JSW (LB) 8 9 1 information.37 The plaintiffs argue that Turn's request for the full contents of their devices "flies in 2 the face of Rule 26(b)'s relevancy and proportionality requirements."38 3 2.2 RFP 32: Production of the Web Browsing History on the Plaintiffs' Devices 4 Turn argues that it is entitled to review the plaintiffs' complete browsing history "[(1)] to 5 investigate whether and to what extent Plaintiffs even visited websites that worked with Turn 6 cookies; [(2)] to test Plaintiffs' claim that they regularly deleted their browsing history in order to 7 protect their privacy; and [(3)] to show that it does not constitute personally identifiable 8 information implicating a protected privacy interest in any event."39 Turn also argues that the 9 plaintiffs alleged that its cookies "transmit[] a user's web-browsing history back to the third party 10 that generated the cookie, thus allowing the third party to glean valuable information about the 11 user and her (presumed) interests" and that it "is entitled to discovery into all evidence that would 12 provide those allegations untrue."40 Northern District of California United States District Court 13 The plaintiffs respond that producing their full web browser history is overbroad, irrelevant, 14 and invasive of their privacy interests.41 They argue that "people often browse the Internet for 15 private reasons, such as health, dating, finances, and personal interests."42 In response to Turn's 16 first argument, the plaintiffs state that they are willing to produce all browsing history associated 17 with Turn partner websites, contingent on Turn's identifying its partner websites.43 In response to 18 Turn's second argument, the plaintiffs state that (1) their web browsing history does not speak to 19 the zombie-cookie scheme they allege, and that (2) in any event, Turn can discover whether the 20 plaintiffs regularly deleted their browsing history by asking for the date ranges of the history on 21 22 37 Id. at 6. The top of page 6 identifies the two requests to which the plaintiffs objected as RFP 31 (web browsing history) and RFP 32 (cookies), but the rest of the joint letter brief and the exhibit identifies 23 these as RFPs 32 and 33, respectively. 38 24 Id. at 7. 39 Id. at 5. 25 40 Id. at 4–5. 26 41 Id. at 8–9. 27 42 Id. at 8 (citing Compl. – ECF No. 8–10 (¶¶ 24–29), 15–16 (¶¶ 50–52)). 43 Id. 28 ORDER – No. 15-cv-01497-JSW (LB) 9 9 1 their devices, without the contents of the history.44 In response to Turn's third point, the plaintiffs 2 argue that they "need not disclose the contents of every website ever visited in order to allege that 3 Turn's surreptitious tracking of their web browsing violates Plaintiffs' privacy" and that "whether 4 the information Turn catalogued implicates PII [personally identifiable information] is best 5 determined by evaluating the information Turn has or had in its possession."45 The plaintiffs also 6 argue that "Turn ignores that it obtains web browsing information by establishing relationships 7 with Turn partner websites, and using cookies to track users as they visit those websites over time. 8 And yet Turn's request is not limited to browsing history related to Turn's partner websites — it 9 seeks everything."46 10 2.3 RFP 33: Production of Cookies on the Plaintiffs' Devices 11 Turn argues that it is entitled to review all cookies stored on the plaintiffs' mobile devices "to 12 technically examine what Turn cookies (if any) are on Plaintiffs' devices and compare them to Northern District of California United States District Court 13 standard browser cookies — including other non-Turn cookies that Plaintiffs permitted on their 14 devices."47 Turn argues that "if Plaintiffs have numerous cookies on their devices over a wide 15 range of installation dates, that information would prove their claim [that they regularly deleted 16 cookies] to be false."48 Turn also argues that "if the devices have cookies dated after the 17 complaint, it suggests a failure to preserve key evidence in its original condition."49 18 The plaintiffs respond that their cookies implicate the same privacy interests as their web 19 browsing history.50 The plaintiffs state that they are willing to produce cookie data related to any 20 21 22 23 44 Id. at 9. 45 24 Id. 46 Id. (emphasis in original). 25 47 Id. at 4. 26 48 Id. at 5. 49 27 Id. 50 Id. at 9. 28 ORDER – No. 15-cv-01497-JSW (LB) 10 9 1 Turn partner website, to identify the date fields (but not the contents) of all other cookies, and to 2 meet and confer to consider requests for specific cookies.51 3 4 ANALYSIS 5 1. Inspection or Complete Forensic Images of the Plaintiffs' Mobile Devices 6 The undersigned denies Turn's request to require the plaintiffs to produce their mobile devices 7 for Turn's inspection or, in the alternative, to produce complete forensic images of their mobile 8 devices. Federal Rule of Civil Procedure 26(b)(1) limits discovery to matters that are (1) "relevant 9 to any party's claim or defense" and (2) "proportional to the needs of the case[.]" Turn's request to 10 inspect the plaintiffs' mobile devices or for complete forensic images call for information that is 11 not relevant and is disproportional to the needs of the case. 12 With respect to relevance, as the plaintiffs correctly point out (and as Turn does not address), Northern District of California United States District Court 13 Turn's request to directly inspect the plaintiffs' mobile devices or for complete forensic images of 14 the devices threatens to sweep in documents and information that are not relevant to the issues in 15 this case, such as the plaintiffs' private text messages, emails, contact lists, and photographs. Just 16 as a hypothetical request from the plaintiffs for Turn to allow them to directly inspect its emails 17 servers (or produce complete forensic image of its servers) would likely sweep in numerous emails 18 that are not relevant to this action, Turn's request for the plaintiffs to allow it to directly inspect 19 their mobile devices (or produce complete forensic images of their devices) would likely sweep in 20 numerous irrelevant documents as well. See John B. v. Goetz, 531 F.3d 448, 457–58 (6th Cir. 21 2008) (noting that "imaging of these computers and devices will result in the duplication of 22 confidential and private information unrelated to the [] litigation"); Salazar v. Bocanegra, No. 23 12cv0053 MV/LAM, 2012 WL 12893938, at *2 (D.N.M. July 27, 2012) (noting that forensic 24 images, due to their broad nature, may include information irrelevant to the parties' claims or 25 defenses); Sony BMG Music Entm't v. Arellanes, No. 4:05-CV-328, 2006 WL 8201075, at *1 26 27 51 Id. 28 ORDER – No. 15-cv-01497-JSW (LB) 11 9 1 (E.D. Tex. Oct. 27, 2006) (finding meritorious responding party's argument that a full forensic 2 image of her computer hard drive would sweep in irrelevant documents).52 3 With respect to proportionality, Turn's request for the plaintiffs to allow it to inspect their 4 mobile devices (or produce complete forensic images of their devices) is disproportional to the 5 needs of the case. While questions of proportionality often arise in the context of disputes about 6 the expense of discovery,53 proportionality is not limited to such financial considerations. Courts 7 and commentators have recognized that privacy interests can be a consideration in evaluating 8 proportionality, particularly in the context of a request to inspect personal electronic devices. 9 Tingle v. Hebert, No. 15-626-JWD-EWD, 2018 WL 1726667, at *7–8 (M.D. La. Apr. 10, 2018) 10 (finding that "Defendants have also made no showing that the requested forensic examination of 11 Plaintiff's personal cell phone and personal email accounts are proportional to the needs of this 12 case" and holding that "'[t]he utility of permitting a forensic examination of personal cell phones Northern District of California United States District Court 13 must be weighed against inherent privacy concerns'") (quoting John Crane Grp. Corp. v. Energy 14 Devices of Tex., Inc., No. 6:14-CV-178, 2015 WL 11112540, at *2 (E.D. Tex. Oct. 30, 2015)); 15 Crabtree v. Angie's List, Inc., No. 1:16-cv-00877-SEB-MJD, 2017 WL 413242, at *3 (S.D. Ind. 16 Jan. 31, 2017) (denying request to forensically examine plaintiff's personal cell phones and 17 holding that the forensic examination "is not proportional to the needs of the case because any 18 benefit the data might provide is outweighed by Plaintiffs' significant privacy and confidentiality 19 interests"); Hespe v. City of Chicago, No. 13 C 7998, at *3 (N.D. Ill. Dec. 15, 2016) (affirming 20 order denying request to inspect plaintiff's personal computer and cell phone because, among 21 other things, inspection "is not 'proportional to the needs of this case' because any benefit the 22 inspection might provide is 'outweighed by plaintiff's privacy and confidentiality interests'"); 23 Areizaga v. ADW Corp., No. 3:14-cv-2899-B, 2016 WL 9526396, at *3 (N.D. Tex. Aug. 1, 2016) 24 25 52 Turn's request might sweep in privileged documents as well, such as emails the plaintiffs might 26 have sent their attorneys that may be stored in email applications on their mobile devices. Cf. Sony BMG, 2006 WL 8201075, at *1. 27 53 Rule 26(b)(1) expressly provides that "whether the burden or expense of the proposed discovery outweighs its likely benefit" is a consideration in evaluating proportionality. 28 ORDER – No. 15-cv-01497-JSW (LB) 12 9 1 (denying request to inspect plaintiff's personal computer, smart phone, and other electronic 2 devices because the request "is not proportional to the needs of the case at this time, when 3 weighing [defendant]'s explanation and showing as to the information that it believes might be 4 obtainable and might be relevant against the significant privacy and confidentiality concerns 5 implicated by [defendant]'s request"); In re Anthem, Inc. Data Breach Litig., No. 15-md-02617 6 LHK (NC), 2016 WL 11505231, at *1–2 (N.D. Cal. Apr. 8, 2016) (denying request to inspect or 7 forensically image plaintiffs' computers, tablets, and smartphones as "invad[ing] plaintiffs' 8 privacy interests" and "disproportional to the needs of the case"); Agnieszka A. McPeak, Social 9 Media, Smartphones, and Proportional Privacy in Civil Discovery, 64 U. Kan. L. Rev. 235, 288– 10 91 (2015) (arguing that courts should consider privacy burdens in evaluating proportionality under 11 Rule 26(b)(1)); see John B., 531 F.3d at 460 (issuing writ of mandamus to set aside orders for 12 forensic imaging of state-owned and privately-owned employee computers because, among other Northern District of California United States District Court 13 things, "[t]he district court's compelled forensic imaging orders here fail to account properly for 14 the significant privacy and confidentiality concerns present in this case"); see also Johnson v. 15 Nyack Hosp., 169 F.R.D. 550, 562 (S.D.N.Y. 1996) (holding that Rule 26 allows courts to limit 16 discovery on account of burden, including "where the burden is not measured in the time or 17 expense required to respond to requested discovery, but lies instead in the adverse consequences 18 of the disclosure of sensitive, albeit unprivileged, material," and that courts should consider "the 19 burdens imposed on the [responding parties]' privacy and other interests"). 20 As the Supreme Court has recognized, "[m]odern cell phones are not just another 21 technological convenience. With all they contain and all they may reveal, they hold for many 22 Americans 'the privacies of life.'" Riley v. California, 134 S. Ct. 2473, 2494–95 (2014) (citation 23 omitted). As the Court observed: 24 Even the most basic phones that sell for less than $20 might hold photographs, picture messages, text messages, Internet browsing history, a calendar, a thousand- 25 entry phone book, and so on. . . . 26 .... . . . . [I]t is no exaggeration to say that many of the more than 90% of American 27 adults who own a cell phone keep on their person a digital record of nearly every 28 aspect of their lives — from the mundane to the intimate. . . . ORDER – No. 15-cv-01497-JSW (LB) 13 9 1. . . . An Internet search and browsing history, for example, can be found on an Internet-enabled phone and could reveal an individual's private interests or 2 concerns — perhaps a search for certain symptoms of disease, coupled with 3 frequent visits to WebMD. Data on a cell phone can also reveal where a person has been. Historic location information is a standard feature on many smart phones and 4 can reconstruct someone's specific movements down to the minute, not only around town but also within a particular building. . . . 5 Mobile application software on a cell phone, or "apps," offer a range of tools 6 for managing detailed information about all aspects of a person's life. There are apps for Democratic Party news and Republican Party news; apps for alcohol, drug, 7 and gambling addictions; apps for sharing prayer requests; apps for tracking pregnancy symptoms; apps for planning your budget; apps for every conceivable 8 hobby or pastime; apps for improving your romantic life. There are popular apps 9 for buying or selling just about anything, and the records of such transactions may be accessible on the phone indefinitely. There are over a million apps available in 10 each of the two major app stores; the phrase "there's an app for that" is now part of the popular lexicon. The average smart phone user has installed 33 apps, which 11 together can form a revealing montage of the user's life. 12 Id. at 2489–90 (citations omitted); accord McPeak, 64 U. Kan. L. Rev. at 244–45 (discussing how Northern District of California United States District Court 13 a smartphone can contain information about its owner and her emails, text messages, phone calls, 14 calendars, social-media accounts, photographs, videos, what books she reads, what music she 15 listens to, where she goes, when she sleeps, what she buys, and whom she dates — "[q]uite 16 simply, her [smartp]hone is a portal to a complete, intimate portrait of her entire life"). While 17 Riley was a criminal case, courts have applied its observations about the privacy concerns 18 implicated by modern cell phones in the context of civil discovery as well. See Bakhit v. Safety 19 Mktg., Inc., No. 3:13CV1049 (JCH), 2014 WL 2916490, at *3 (D. Conn. June 26, 2014) (citing 20 Riley in denying civil-discovery request to inspect personal cell phones). 21 Turn cites no authorities to support its request that the plaintiffs allow it to directly inspect 22 their mobile devices (or produce complete forensic images of their devices). Turn cites to several 23 cases where courts have ordered a party responding to a discovery request to forensically image its 24 devices — in situations where there was a "sufficient nexus" between the party's devices and the 25 claims or defenses at issue.54 But forensic imaging itself is not the issue here. The plaintiffs 26 27 54 Joint Letter Br. – ECF No. 90 at 3 (citing cases). 28 ORDER – No. 15-cv-01497-JSW (LB) 14 9 1 represent that they have already forensically imaged their devices and are producing information 2 from those images.55 What Turn raises is the separate issue of its being allowed to directly access 3 its opponents' devices or forensic images. None of the cases it cites supports that proposition. 4 Turn's first case, Calyon v. Mizuho Securities USA, Inc., No. 07CIV02241RODF, 2007 WL 5 1468889 (S.D.N.Y. May 18, 2007), undercuts its request for direct access to the plaintiffs' devices 6 or forensic images. That case, like this one, involved a discovery request for the responding parties 7 (there, the defendants) to produce forensic images of their personal devices. Id. at *1. There, as 8 here, the responding parties created forensic images of their devices and offered to search the 9 images (or to have a neutral third-party expert search the images) and produce responsive 10 information. Id. at *2. There, as here, the requesting party demanded that it be allowed to directly 11 inspect the entirety of the responding parties' forensic images. Id. at *1 ("At bottom, [the 12 requesting party] maintains that only its expert — as opposed to the [responding parties]' expert or Northern District of California United States District Court 13 an independent third-party expert — would possess the requisite incentive to search exhaustively 14 for evidence, and that only [its] expert would be able to confer with [its] counsel on an on-going 15 basis to refine search methods.") (emphasis in original). The court denied the requesting party's 16 request, finding that the requesting party had not made a showing as to why it would be entitled to 17 such "extraordinary" access. Id. at *5. Turn's other cases likewise do not support its position. In 18 each of them, the responding party or a neutral third-party expert accessed and produced 19 information from the responding party's forensic images. In none of them did the requesting party 20 directly access its opponent's devices or forensic images. Cf. Lifetouch Nat'l Sch. Studios, Inc. v. 21 Moss-Williams, No. C10-05297 RMW (HRL), 2013 WL 11235928, at *2 (N.D. Cal. Oct. 15, 22 2013) (adopting parties' stipulated protocol that a neutral third-party forensic expert would image 23 computers and produce responsive information therefrom to the parties and that "[n]either [the 24 requesting party]'s personnel nor counsel will ever inspect or otherwise handle [the responding 25 26 55 Id. at 7 ("Most importantly, Plaintiffs have already forensically imaged the devices and are 27 producing the categories of information requested, subject to the remaining dispute over web browsing history and cookies, outlined below."). 28 ORDER – No. 15-cv-01497-JSW (LB) 15 9 1 party]'s computers") (citing Stipulated Protective Protocol for Inspection of the Computers, 2 Lifetouch Nat'l Sch. Studios Inc. v. Moss-Williams, No. C10-05297 RMW (HRL) (N.D. Cal. filed 3 July 9, 2012), ECF No. 78 at 4–6); Genworth Fin. Wealth Mgmt., Inc. v. McMullan, 267 F.R.D. 4 443, 449 (D. Conn. 2010) (ordering a third-party forensic expert to image the responding party's 5 devices and provide recovered data to the responding party, which would review data for 6 responsiveness and privilege before producing data to requesting party); see also Sony BMG, 2006 7 WL 8201075, at *1 (denying a party's request to directly inspect the forensic image of its 8 opponent's hard drive in lieu of a neutral third-party expert's doing so).56 9 The parties appear to have in place a protocol for producing information from the plaintiffs' 10 devices or forensic images. Turn has issued nine RFPs (RFPs 27–35) for specific information from 11 the plaintiffs' devices.57 The plaintiffs represent (and Turn does not deny) that they have produced 12 information from their devices responsive to all of these requests (other than with respect to RFPs Northern District of California United States District Court 13 32 and 33 regarding the browsing-history and cookie disputes the parties raise in their joint letter 14 brief, which the undersigned addresses below).58 Given this, and in light of the fact that the 15 plaintiffs' devices likely contain information not relevant to this case, may contain privileged 16 information, and implicate significant privacy concerns, Turn's request for the plaintiffs to allow it 17 to directly inspect their devices (or produce complete forensic images of their devices) is not 18 relevant or proportional to the needs of this case. 19 2. Full Web Browsing History and Cookies 20 The plaintiffs have produced or have offered to produce (1) their web browsing history and 21 cookies associated with Turn partner websites (contingent on Turn's identifying such sites) and 22 23 56 Turn also cites Austin v. Foodliner, Inc., No. 16-cv-07185-HSG (DMR), 2018 WL 1168694 (N.D. Cal. Mar. 6, 2018), to argue that the protective order in this case "is more than sufficient to protect 24 Plaintiffs' privacy concerns." Joint Letter Br. – ECF No. 90 at 5. But the information at issue in Austin was just phone-number contact information, and the court there specifically distinguished such contact 25 information from "the disclosure of medical or financial information" or information that "implicates special privacy concerns or threatens 'undue intrusion into one's personal life.'" Austin, 2018 WL 26 1168694, at *2 (citation omitted). 27 57 Joint Letter Br. – ECF No. 90 at 6. 58 Id. 28 ORDER – No. 15-cv-01497-JSW (LB) 16 9 1 (2) the date fields (but not the content) of all other cookies on their mobile devices.59 The plaintiffs 2 also represent that they offered to meet and confer with Turn to consider requests for specific 3 cookies.60 The undersigned finds the plaintiffs' position and proposals to be reasonable and 4 proportional, with a slight modification — the plaintiffs should produce the dates (but not the 5 content) of the entries in their browsing history (as they are doing for their cookies). 6 The undersigned denies Turn's request to require the plaintiffs to produce their full web 7 browsing history and cookie data. As discussed above, requiring the plaintiffs to produce their full 8 browsing history presents significant privacy concerns. See Riley, 134 S. Ct. at 2490 ("An Internet 9 search and browsing history, for example, can be found on an Internet-enabled phone and could 10 reveal an individual's private interests or concerns — perhaps a search for certain symptoms of 11 disease, coupled with frequent visits to WebMD."). Cookies, which the plaintiffs assert (and Turn 12 does not deny) are closely associated with websites,61 raise similar privacy concerns. Turn has not Northern District of California United States District Court 13 shown that its request for the plaintiffs' full browsing history and cookies as they relate to 14 websites other than Turn partner websites is relevant or proportional to the needs of this case. 15 Turn claims that it needs to examine what Turn cookies are on the plaintiffs' devices,62 but the 16 plaintiffs have agreed to produce those cookies, so there is no dispute there. Turn claims it needs 17 web browsing history to determine whether the plaintiffs visited websites that worked with Turn 18 cookies in the first place,63 but the plaintiffs have agreed to produce their browsing history and 19 cookies for those sites, so again there is no dispute there. Turn claims it needs to compare its 20 21 22 59 Id. at 8–9 ("Plaintiffs are amenable — just as they were with regard to cookies — to produce all browsing history associated with Turn partner websites, contingent on Turn's identifying its partner 23 websites. . . . Plaintiffs produced cookie data associated with the turn.com domain, and offered to produce cookie data related to any Turn partner websites. Additionally, Plaintiffs identified the date 24 fields (but not their content) for all other cookies on Plaintiffs' devices (regardless of their association with Turn). . . . Plaintiffs offered in meet and confer to consider requests for specific cookies[.]"). 25 60 Id. at 9. 26 61 Id. at 9. 62 27 Id. at 4. 63 Id. at 5. 28 ORDER – No. 15-cv-01497-JSW (LB) 17 9 1 cookies to standard browser cookies,64 but it does not need all of the cookies on the plaintiffs' 2 devices to run that comparison. Turn claims that it needs to determine whether the plaintiffs 3 regularly deleted their cookies or browsing histories as they allege,65 but it can do so through the 4 date fields of the plaintiffs' cookies and browsing histories and does not need the full content of 5 the cookies and histories to do so. Turn claims that the plaintiffs argued that Turn's cookies 6 transmit a user's web-browsing history back to Turn,66 but Turn has not shown why it needs the 7 plaintiffs' full browsing history to determine what information was or was not transmitted back to 8 Turn (information that is presumably within Turn's possession, custody, or control). Given all this, 9 and in light of the significant privacy concerns present here, Turn has not shown that its request 10 for plaintiffs' full browsing history or cookies is relevant or proportional to the needs of this case. 11 * * * 12 As another court in this district noted in the context of a data-breach case, "[t]here is an Northern District of California United States District Court 13 Orwellian irony to the proposition that in order to get relief for a theft of one's personal 14 information, a person has to disclose even more personal information, including an inspection of 15 all his or her devices that connect to the internet. If the Court were to grant [that] request, it would 16 further invade plaintiffs' privacy interests and deter current and future data theft victims from 17 pursuing relief." In re Anthem Data Breach, 2016 WL 11505231, at *1. The same holds true here. 18 There is an Orwellian irony to the proposition that in order to get relief for a company's alleged 19 surreptitious monitoring of users' mobile device and web activity, a person has to allow the 20 company unfettered access to inspect his mobile device or his web browsing history. Allowing this 21 discovery would further invade the plaintiffs' privacy interests and may deter current and future 22 plaintiffs from pursuing similar relief. Cf. Rivera v. NIBCO, Inc., 364 F.3d 1057, 1065 (9th Cir. 23 2004) (affirming district court's refusal to allow discovery into certain private information of 24 plaintiffs in a Title VII employment case because, among other things, "[t]he chilling effect such 25 26 64 Id. at 4. 65 27 Id. at 4–5. 66 Id. at 4. 28 ORDER – No. 15-cv-01497-JSW (LB) 18 9 1 discovery could have on the bringing of civil rights actions unacceptably burdens the public 2 interest"). 3 The undersigned does not mean to imply that there could never be an instance where a request 4 to directly inspect a litigant's electronic devices or forensic images, or a request that a litigant 5 produce his complete web browsing history or cookies, would be relevant and proportional. There 6 may be situations where such a request would be proper, and this order is without prejudice to 7 Turn's renewing its request should such a situation arise. But that situation has not presented itself 8 here. Turn's request for the plaintiffs to allow it to directly inspect their mobile devices (or 9 produce complete forensic images of their devices) and for the plaintiffs to produce their complete 10 browsing history and cookies, is denied. 11 12 CONCLUSION Northern District of California United States District Court 13 The court adopts the plaintiffs' proposals, with the slight modification that the plaintiffs should 14 also produce the dates of the entries in their browsing history. 15 Going forward, if any other discovery disputes arise, the parties must comply with the dispute 16 procedures in the undersigned's standing order (attached). The procedures in it require, among 17 other things, that if a meet and confer by other means does not resolve the parties' dispute, lead 18 counsel for the parties must meet and confer in person (if counsel are local) and then submit a joint 19 letter brief with information about any unresolved disputes. The letter brief must be filed under the 20 Civil Events category of "Motions and Related Filings > Motions – General > Discovery Letter 21 Brief." After reviewing the joint letter brief, the court will evaluate whether further proceedings 22 are necessary, including any further briefing or argument. 23 24 IT IS SO ORDERED. 25 Dated: October 22, 2018 26 ______________________________________ LAUREL BEELER 27 United States Magistrate Judge 28 ORDER – No. 15-cv-01497-JSW (LB) 19