Echo Trigger – A Primer
The "trigger" aspect of Echo Trigger involves the use of account data to initiate a data download. The download is performed securely, without needing to provide the merchant name or sensitive card credentials. Instead, the account data is used to download account-specific information that is non-persistent and is not shared across parties. In other words, the merchant downloads the account data and uses the downloaded data to perform the trigger action.
Account data is transmitted electronically, as an encrypted file, and is retrieved from a secure area on a system. The trigger action thus doesn’t result in sharing of card credentials (such as the last four) as a function of the trigger. Instead, it results in downloading of account-specific information. As with the rest of Echo Trigger, this technique helps prevent transmission of sensitive card credentials and instead replaces that mechanism with a secure way to transmit account-specific information.
Legal Issues Surrounding Echo Trigger
Despite how useful and innovative the Echo Trigger may be in practice, this technology is not without legal challenges and controversies. Most notably, the technology is likely to raise issues relating to privacy, the unauthorized recording of private conversations, and data security risks. Privacy laws across most states in the U.S. are designed to protect individuals’ reasonable expectation of privacy in their communications. In certain states, the common law action for invasion of privacy exists, while other state legislatures have codified this right, such as in California (Cal. Penal Code, § 632). The right to privacy protects individuals against the eavesdropping and recording of their private communications. Individuals have a reasonable expectation of privacy in their personal communications, whether that be with their landline or a cell phone. Depending upon the state, liability can turn on certain factors such as whether the target in the conversation was aware of and consented to the recording, or whether the defendant did in fact record it. However, to date there has not been any case law addressing the Echo Trigger technology. Instead, these lawsuits have been focused on general recording devices like tape players, microphones, or spy glasses.
Some of the privacy concerns about Echo Trigger technology may be avoided by having the trigger set forth in the Alexa app on the individual’s phone, though this would still carry some risk. For example, take the scenario in which an individual changes the trigger to a certain "keyword" on the Alexa app. That individual then has a private conversation with another person, and makes reference to the "keyword." If the "keyword" is captured by the Echo Trigger, then the recording will be sent to the cloud and subject to the terms below.
These privacy concerns are not unfounded, as this very scenario occurred when an Alexa device (Alexa Stop/Start function) interpreted a private conversation as a command, and proceeded to send the audio clip of the private conversation as a message to the device owner’s contact. In addition to privacy concerns that may arise from the use of an Echo Trigger, there are also concerns regarding the security of the information stored. It has been suggested that part of the Echo Trigger device’s functionality requires individuals to provide copies of background noises in their homes, e.g., washing machines, vacuum cleaners, dishwashers, air-conditioning units, etc. These background sounds and noises will be stored in the cloud, which raises its own risks from data privacy and security standpoints. For instance, Alexa users are already aware that their Echo device is all ears—even when they don’t want it to be. According to reports, Amazon has admitted that Alexa devices are always listening in order to detect their wake word (or trigger word). To help alleviate any data privacy and security concerns that may arise around the storage of personal data in the cloud, Amazon Alexa requires the user to consent to its privacy policy, as highlighted in its Terms of Use:
Privacy Law and Echo Trigger
Echo Trigger is not a new concept, but it does rely on technology that is not yet ubiquitous in the market. As such, current privacy legislation has no application to this kind of technology. However, it is highly likely that as voice and other technologies evolve and become more commonplace in workplaces, privacy legislation will address the issue sooner rather than later and will be reviewed or updated accordingly.
The General Data Protection Regulation ("GDPR"), in general terms, regulates the processing of personal data of individuals in the European Union ("EU"). It applies to any entity processing the personal data of EU individuals. Aspects of designing a product that uses Echo Trigger technology would certainly touch on data processing in a way that might apply to the GDPR. The GDPR would apply to the extent that collected data related to an EU citizen or EU resident, and where the entity either offers goods and services to the EU individuals, or monitors the behavior of the EU individuals.
The California Consumer Privacy Act requires businesses to set out their "collection practices" in a "business privacy policy," which includes information about the categories of "personal information collected." In reading the text of the privacy law, it is not unreasonable to interpret "collected" information as information gathered by a physical device such as Echo Trigger. A business that uses Echo Trigger technology would be required to include information regarding data collection in its privacy policy. However, as Echo Trigger technology is not yet widespread, the Act will not come into play until consumers are making requests of companies regarding their data being collected by devices such as Echo Trigger.
Other jurisdictions may enact similar legislation in the future.
Echo Trigger – Case Studies
A landmark case that is frequently called upon when discussing the legal implications of echo trigger technology is Midwest Air Technologies, Inc. v. Genlyte Thomas Group (No. 5:02CV3169), 2005 WL 3291457, (N.D. Ohio Nov. 27, 2005). The dispute in this case clarified that the automatic transfer of high-frequency echoes from a mobile device to a transponder does not constitute infringement under 35 U.S.C. § 271(b). The plaintiff, Genlyte, had won a court ruling in its favor alleging that, among other things, the defendants were liable for induced patent infringement. Upon appeal, the court affirmed in part and reversed in part.
The court affirmed the lower court’s decision that the use of "awrless" wireless modems was not infringing since the modem was not linked to a transponder. The court also found that a transponder which was connected directly to a wire line connection was also non-infringing. However, the court reversed the lower court ruling regarding the automatic transfer of echoes from mobile devices to transponders since the district court had found that dual prong tests were met. The court ruled that "in order to be liable for [inducing infringement], a defendant must have had specific intent to cause infringement by third parties." However, it went on to state that the "[i]f the products themselves are capable of non-infringing uses, the plaintiff can only prevail by showing that [the alleged infringer] encouraged or otherwise induced infringers to use the products so as to infringe." In this case, since the product had a dual purpose, "inducement liability is available only if th[is defendant] knew or should have known that [the product] was being used" to infringe.
The court also discussed the case of Paperclip Ltd. v. MGM, No. 1:05-CV-01240, 2007 U.S. Dist. LEXIS 94063 (D.D.C. Dec. 14, 2007) which found that evidence of a user manual and website with allegedly infringing instructions was insufficient to create reasonable awareness of infringement.
In an earlier case involving the same patent, the court had found that the removal of features which allowed for control of key functions via remote control and replacement with voice controls constituted modification of the device so as to avoid patent infringement.
Echo Trigger – Future Legal Issues
As with any technology, the future of Echo Trigger holds potential for both regulatory changes and novel legal considerations. As the technology progresses, preneed contract providers may also be thinking about what to do when an insured passes away, a hospital loses its privileges, or a change in technology creates confusion or questions around the manner in which a trust was to be funded, whether by cash or the issuance of shares in an insurance company where the insured has not paid premiums or where the company is no longer in business, or even the contractual language itself. For example, if the contract states insurance coverage will be provided through the use of interest accrued upon deposit of cash in the trust vs. the total premiums collected is to be placed in the trust, preneed providers and trustees may be faced with questions when the appropriate funding vehicle cannot be identified, or is not as clear as a task it is to attempt to ask artificial intelligence technology to interpret. Unlike other technologies, this is an area where it is likely that courts will have to rule on issues related to its application to consumer preneed contracts, and regulation. Earlier this year, there were concerns about whether Tennessee’s preneed regulatory risks to insurance companies that offered Echo Trigger and similar products violated Tennessee’s law requiring prearranged funeral contracts to be backed by insurance policies. A rule was created to address whether a prearranged funeral or prearranged cremation contract could only be funded through insurance policies in Tennessee. Although the rule passed, it has been placed on hold since February 5, 2019 because the Department of Commerce and Insurance is awaiting information from the National Funeral Directors Association and others. The Tennessee experience, however, demonstrates the ripple effect of new technologies that might span multiple states.
While it appears that the state of Tennessee has the preneed market in mind for establishing a path forward, that is not to say other states may not take a different approach.
The fact that technology and marketing can often develop more quickly than regulation creates risk for providers and state regulators alike. For this reason, providers should stay apprised of emerging technologies and seek guidance from their trusted counsel when questions arise as to regulatory compliance.