1st Circuit Holds Monitoring Web Site Traffic Can Violate Wiretap Act

May 9, 2003. The U.S. Court of Appeals (1stCir) issued its opinion in In Re Pharmatrak Privacy Litigation, reversing a District Court summary judgment in a case brought under the Electronic Communications Privacy Act (ECPA) involving web site monitoring.

Introduction. The Wiretap Act, as amended by the ECPA, provides a private cause of action against anyone who "intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication." The plaintiffs alleged that third party monitoring of web site visits, through the use of cookies, analysis of access logs, and web forms, constituted a prohibited interception of electronic communications. The District Court held that the web site visitors consented to the interception, and dismissed the claim. The Appeals Court reversed.

The opinion contains detailed explanations of the technology involved, included access logs, cookies, web forms, and get and post methods. And, its conclusions are based on the specific technological details of this case. Moreover, the holding appears to be limited to a narrow set of facts not present in most situations involving web site monitoring.

In this case, the web site operators contracted with a third party to conduct monitoring, and did not disclose this third party involvement to users. More importantly, this third party exceeded the usual techniques of web site monitoring (involving access logs and cookies, which are anonymous), and also accessed some personally identifying information of web site visitors who filled out web forms, the data of which was sent to the web site operators by the "get" method. This means that the data was appended to the uniform resource locator (URL) of the web address receiving the form. And since it was a part of the URL, it was available to this third party.

Parties. Pharmatrak sold a web site traffic monitoring service named NETcompare to pharmaceutical companies. NETcompare collected information about the web users in the course of their accessing the web sites of pharmaceutical companies that used the NETcompare service. Its parent company is Glocal Communications.

Pfizer, Pharmacia (which was recently acquired by Pfizer), Smithkline Beecham (which merged with Glaxco Wellcome to form GlaxSmithKline), American Home Products (now Wyeth), and Novartis were five pharmaceutical companies that purchased the NETcompare service, from June 1998 through November 2000, for the purpose of obtaining information that would enable them to do intra-industry comparisons of web site traffic and usage. The pharmaceutical companies did not seek personal or identifying data.

The plaintiffs are individuals who visited the web sites of these pharmaceutical companies.

Pharmatrak's Technology. The Appeals Court described the Pharmatrak technology in detail. It wrote that "A pharmaceutical client installed NETcompare by adding five to ten lines of HTML code to each webpage it wished to track and configuring the pages to interface with Pharmatrak's technology. When a user visited the website of a Pharmatrak client, Pharmatrak's HTML code instructed the user's computer to contact Pharmatrak's web server and retrieve from it a tiny, invisible graphic image known as a ``clear GIF´´ (or a ``web bug´´). The purpose of the clear GIF was to cause the user's computer to communicate directly with Pharmatrak's web server. When the user's computer requested the clear GIF, Pharmatrak's web servers responded by either placing or accessing a ``persistent cookie´´ on the user's computer. On a user's first visit to a webpage monitored by NETcompare, Pharmatrak's servers would plant a cookie on the user's computer. If the user had already visited a NETcompare webpage, then Pharmatrak's servers would access the information on the existing cookie." (Footnotes have been omitted from all quotations to the Appeals Court's opinion.)

The Appeals Court continued that "A cookie is a piece of information sent by a web server to a web browser that the browser software is expected to save and to send back whenever the browser makes additional requests of the server (such as when the user visits additional webpages at the same or related sites). A persistent cookie is one that does not expire at the end of an online session. Cookies are widely used on the internet by reputable websites to promote convenience and customization. Cookies often store user preferences, login and registration information, or information related to an online ``shopping cart.´´ Cookies may also contain unique identifiers that allow a website to differentiate among users."

In addition, "Each Pharmatrak cookie contained a unique alphanumeric identifier that allowed Pharmatrak to track a user as she navigated through a client's site and to identify a repeat user each time she visited clients' sites. If a person visited www.pfizer.com in June 2000 and www.pharmacia.com in July 2000, for example, then the persistent cookie on her computer would indicate to Pharmatrak that the same computer had been used to visit both sites. As NETcompare tracked a user through a website, it used JavaScript and a JavaApplet to record information such as the URLs the user visited. This data was recorded on the access logs of Pharmatrak's web servers."

"Pharmatrak sent monthly reports to its clients juxtaposing the data collected by NETcompare about all pharmaceutical clients. These reports covered topics such as the most heavily used parts of a particular site; which site was receiving the most hits in particular areas such as investor or media relations; and the most important links to a site." Finally, the Court noted that "The monthly reports did not contain any personally identifiable information about users."

Personally Identifying Information. The pharmaceutical companies did not seek personally identifying information, and Pharmatrak did not provide any to them. However, the Appeals Court wrote that "Pharmatrak nevertheless collected some personal information on a small number of users. Pharmatrak distributed approximately 18.7 million persistent cookies through NETcompare. The number of unique cookies provides a rough estimate of the number of users Pharmatrak monitored. Plaintiffs' expert was able to develop individual profiles for just 232 users."

This personally identifying information was collected via web site forms that used the "get" rather than the "post" method to transmit data. For example, one company had a form in its web site for obtaining a rebate. It used the "get" method to send the form data, meaning that it was appended to the URL. The Court elaborated that "Web servers use two methods to transmit information entered into online forms: the get method and the post method. The get method is generally used for short forms such as the ``Search´´ box at Yahoo! and other online search engines. The post method is normally used for longer forms and forms soliciting private information. When a server uses the get method, the information entered into the online form becomes appended to the next URL."

"By contrast, if a website transmits information via the post method, then that information does not appear in the URL. Since NETcompare was designed to record the full URLs of the webpages a user viewed immediately before and during a visit to a client's site, Pharmatrak recorded personal information transmitted using the get method", wrote the Court.

Statute. 18 U.S.C. § 2511(1) provides, in part, that "any person who (a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication ... shall be punished as provided in subsection (4) or shall be subject to suit as provided in subsection (5)."

Also, 18 U.S.C. § 2510 provides, in part, that "any person whose wire, oral, or electronic communication is intercepted, disclosed, or intentionally used in violation of this chapter may in a civil action recover from the person or entity, other than the United States, which engaged in that violation such relief as may be appropriate."

District Court. In August 2000, the Plaintiffs filed a complaint in U.S. District Court (DMass) against Pharmatrak, Glocal, and the five pharmaceutical companies alleging violation of Title I of the ECPA (18 U.S.C. § 2510 et seq.), violation of Title II of the ECPA (18 U.S.C. 2701 et seq.), violation of the Computer Fraud and Abuse Act (18 U.S.C. § 1030), violation of various Massachusetts state statutes, as well as invasion of privacy, trespass to chattels and conversion, and unjust enrichment. Plaintiffs also sought, and obtained, class action status.

Defendants moved for summary judgment. The District Court granted this summary judgment motion as to the ECPA claims on the grounds that Pharmatrak's activities fell within an exception to the statute where one party consents to an interception. It also granted summary judgment on the other federal law claim. Having held for defendants on all of the federal questions, the District Court declined to retain jurisdiction over the state law claims, and dismissed the action, without prejudice as to the state law claims.

Appeals Court. The Appeals Court reversed and remanded. The opinion only addresses the ECPA issues.

The Court began its analysis by stating that the "plaintiffs must show five elements to make their claim under Title I of the ECPA: that a defendant (1) intentionally (2) intercepted, endeavored to intercept or procured another person to intercept or endeavor to intercept (3) the contents of (4) an electronic communication (5) using a device. This showing is subject to certain statutory exceptions, such as consent."

It then noted that "Pharmatrak has not contested whether it used a device or obtained the contents of an electronic communication." The only issues raised by Pharmatrak was whether there was consent to the interception, and whether there was an interception.

The Court wrote, in dicta, that "This is appropriate. ... Transmissions of completed online forms, such as the one at Pharmacia's Detrol website, to the pharmaceutical defendants constitute electronic communications. ... The ECPA also says that ``'contents,' when used with respect to any wire, oral, or electronic communication, includes any information concerning the substance, purport, or meaning of that communication." 18 U.S.C. § 2510(8). This definition encompasses personally identifiable information such as a party's name, date of birth, and medical condition.´´"

The analysis of the Appeals Court was that the communications were between the web site visitors and the pharmaceutical companies that maintained web sites. The interception was done by Pharmatrak. The communications that were intercepted were the limited number of transmissions of personally identifying information contained in such things as the "get" method sending of web form data.

Pharmatrak had asserted that there was consent to the interception, because the pharmaceutical companies consented. The District Court agreed, but not the Appeals Court. It found that Pharmatrak had not met the standard for consent under 1st Circuit law. In particular, it noted that there could not be consent when the pharmaceutical companies had told Pharmatrak that they did not want personally identifying information.

The Court also held that the web site users did not consent. Pharmatrak's involvement was not known to web surfers. And the "pharmaceutical companies' websites gave no indication that use meant consent to collection of personal information by a third party".

The Court also found that there was an "interception" within the meaning of the Wiretap Act. The Court reviewed the different opinions regarding whether an interception must be an interception of transit, as opposed to an acquisition from storage. However, the Court concluded that it need not address the transit versus storage debate because in this case, the personally identifying information collected by Pharmatrak was obtained in transit.

The Appeals Court added some significant comments in dicta. It wrote that "We share the concern of the Ninth and Eleventh Circuits about the judicial interpretation of a statute written prior to the widespread usage of the internet and the World Wide Web in a case involving purported interceptions of online communications. See Steiger, 318 F.3d at 1047 (quoting Konop, 302 F.3d at 874). In particular, the storage-transit dichotomy adopted by earlier courts may be less than apt to address current problems. As one court recently observed, "[T]echnology has, to some extent, overtaken language. Traveling the internet, electronic communications are often -- perhaps constantly -- both 'in transit' and 'in storage' simultaneously, a linguistic but not a technological paradox." United States v. Councilman, 245 F. Supp. 2d 319, 321 (D. Mass. 2003)."

Editor's Note. Readers may want to assess the objectivity of Tech Law Journal in writing a news story about web site monitoring. See, for example, TLJ Memorandum regarding "E-Mail Monitoring" by TLJ, dated January 1, 2003, and TLJ Memorandum regarding "Disclosure of Information to Third Parties", dated January 1, 2003.