Domingo Rivera

Digital Forensics Consultant & Cyber Lawyer

Lyft Driver Sues Uber For Invasion of Privacy

Michael Gonzales sued Uber on his own behalf and as a putative class action for Lyft drivers whose electronic communications and whereabouts were allegedly intercepted, accessed, monitored, and/or transmitted by Uber. The lawsuit contained the following claims:

  1. The Wiretap Act The Federal Wiretap Act – The Act makes it unlawful to “intentionally intercept [ ] … any wire, oral, or electronic communication.” 18 U.S.C. § 2511(1)(a). Under the statute “Intercept” “means the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” 18 U.S.C. § 2510(4).
  2. Stored Communications Act (“SCA”) – The Act provides a cause of action against anyone who ‘intentionally accesses without authorization a facility through which an electronic communication service is provided … and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage.’ ” Theofel v. Farey–Jones , 359 F.3d 1066, 1072 (9th Cir. 2004) (citing 18 U.S.C. §§ 2701(a)(1) ). Further, the SCA defines “electronic storage” as “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for the purpose of backup protection of such communication.” 18 U.S.C. § 2510(17)(A), (B).
  3. The California Invasion of Privacy Act (“CIPA”) – The CIPA is California’s anti-wiretapping and anti-eavesdropping statute that prohibits unauthorized interceptions of communications in order to protect the right of privacy. Cal. Penal Code § 630. The analysis for a violation of CIPA is the same as that under the federal Wiretap Act.
  4. The California Computer Data Access and Fraud Act (“CDAFA”) – The California Comprehensive Computer Data Access and Fraud Act (“CDAFA”), Cal. Penal Code § 502, expand[s] the degree of protection afforded to individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems.
  5. Unfair Competition Law – California’s Unfair Competition Law (“UCL”) prohibits, and provides civil remedies for unfair competition defined as any unlawful, unfair or fraudulent business act or practice. Cal. Bus. & Prof. Code § 17200 et seq. Its purpose is to protect both consumers and competitors by promoting fair competition in commercial markets for goods and services.

The Alleged Facts Giving Rise to The Claims

In this case, the Plaintiff, a Lyft driver alleged that Uber secretly used ‘Hell spyware’ to access servers and smartphones owned and operated by Plaintiff, and Lyft. The spyware extracted information from Lyft by posing as Lyft customers in search of rides. The fake Lyft riders sent forged requests to Lyft’s servers. When Lyft’s servers received a request from a forged rider account, they believed that the ride requests were coming from actual Lyft riders, not the Hell spyware. As a result, Lyft’s servers transmitted a response to Uber’s fake Lyft requesters containing the IDs, on duty status, pricing, and exact locations of nearby Lyft drivers. The data transmitted was provided by Lyft drivers and was only intended to be delivered to actual nearby Lyft riders. According to the allegations in the Complaint, Uber used the fraudulently received geolocation data and driver identifiers “to create grid-like detection nets over cities including San Francisco, Los Angeles, and New York.”

Further, Plaintiff alleged that Uber combined the data harvested by Hell spyware with Uber’s internal records, including historical location data, to identify Lyft drivers who also worked for Uber. Uber allegedly used the information gleaned from Hell to direct more frequent and more profitable trips to Uber drivers who also used the Lyft App. By inundating these drivers with Uber rides, Uber was allegedly able to discourage drivers from accepting work on the Lyft platform, reducing the effective supply of available Lyft drivers. With the supply of Lyft drivers reduced, Lyft customers faced longer wait times and as a result would cancel the ride requested with Lyft and request a new ride from Uber, and Lyft drivers experienced decreased earnings.

The Court’s Decision

An important point to be made is that sometimes lawsuits are dismissed for technical reasons, not because the case is not valid. A Plaintiff must generally claim all the elements of a cause of action to show entitlement to relief. When the pleadings are deficient, the Court may dismiss the claims. Dismissal under those circumstances is often done in a manner that allows the Plaintiff to correct the procedural issues and file the corrected pleading. That was the case here for some of the claims, the other claims, except for the Unfair Competition claim, were permanently dismissed.

The Wiretap Claim: This claim was dismissed. The Wiretap Act defines “contents” as “including any information concerning the substance, purport, or meaning of that communication.” 18 U.S.C. § 2510(8). ” ‘[C]ontents’ refers to the intended message conveyed by the communication, and does not include record information regarding the characteristics of the message that is generated in the course of the communication.” In re Zynga Privacy Litig. , 750 F.3d 1098, 1106 (9th Cir. 2014). Record information includes the “name,” “address,” and “subscriber number or identity” of a subscriber or customer. Id. (citing 18 U.S.C. § 2702©(2) ). For example, data about a telephone call, including the number from which it was made, the time it was made, the number called, and the length of the call does not fall within the Wiretap Act because it is not the content of the communication, it is data about the communication. According to the Court, simply opening a webpage or mobile application is not a communication with content.  Since there was no “content,” the claim was dismissed. Further the Court ruled that Plaintiff not alleged and cannot allege that Uber “intercepted” the “contents” of a communication.

The Stored Communications Act Claim: The SCA claim was also dismissed. The Court found that Plaintiff’s SCA claim fails because he has not alleged facts that plausibly suggest that the communications were in “electronic storage,” meaning that the communications were temporary or were in storage for the purpose of back-up protection. Here, Plaintiff alleged that Lyft’s and Uber’s systems store the location of every driver, whether on duty or off duty, every few seconds and that neither Uber nor Lyft ever delete the geolocation data they collect from drivers. Given that this information is never deleted, the communications at issue are not stored temporarily and therefore do not fall under section (A). The Court found that section (B) of the SCA also did not apply because Plaintiff did not plead that the communications Lyft stores on its servers is backup information.

The California State Law Claims: These claims were the victims of what appears to be poor drafting. The Court refers to the claims as a recitation of “boilerplate” claims without sufficient supporting facts. For example, for the invasion of privacy claim, the Court noted that “Plaintiff’s reference to his allegation that Uber obtained the names of Lyft’s customers is puzzling as he does not explain how that translates into a serious invasion of Plaintiff’s right to privacy.” In other words, the Court did not hold that Uber’s actions were not invasion of privacy, just that the Plaintiff did not properly draft the lawsuit.

The Court did allow the Unfair Competition claim to proceed. It was the only claim that was not dismissed. You may read the full Gonzales v. Uber opinion here.