Updated: 24.11.2002; 16:46:11.
disLEXia
lies, laws, legal research, crime and the internet
        

Sunday, August 18, 2002

DOUBLECLICK DEJA VU: CIVIL LITIGATION OVER COOKIES AND WEB BUGS LEADS TO IMPORTANT STATEMENTS ABOUT TITLE III, ECPA, and 18 U.S.C. 1030 / Pharmatrak

The District of Massachusetts granted the defendants' motion for summary judgment in a consolidated civil case that interpreted several key federal computer crime statutes. The case is In re Pharmatrak Privacy Litigation, -- F. Supp.2d --, 2002 WL 1880387 (D. Mass. Aug. 13, 2002) (Tauro, J.).

This case involves a suit against pharmaceutical companies for having hired the Pharmatrak company to monitor the companies' websites and provide a monthly analysis of web site traffic. Pharmatrak placed cookies and web bugs on the computers of users who visited the websites, and also allegedly read the referrer URL contained in Internet requests directed to the websites. According to the complaint, the Pharmatrak software also recorded information that users entered into the websites, and also recorded URL query strings resulting from web searches.

The plaintiffs alleged that this monitoring violated the Wiretap Act (aka Title III, 18 U.S.C. 2510-22), the Stored Communications Act (aka ECPA, 18 U.S.C. 2701-11) and the Computer Fraud and Abuse Act (18 U.S.C. 1030). The defendants moved for summary judgment.

The Court granted the defendants' motion on all three counts. First, the Court rejected the Wiretap Act claims. The plaintiffs alleged that the Pharmatrak software had intercepted the plaintiffs' electronic communications in violation of the Wiretap Act. Although neither the complaint nor the opinion specifies which of the communications were "contents" covered by the Wiretap Act (a rather remarkable oversight given the recent high profile debate over whether search query URLs are contents raised by the USA Patriot Act last October), the Court concluded that the pharmaceutical websites were parties to the communication who could consent to Pharmatrak's monitoring pursuant to the consent exception, 18 U.S.C. 2511(2)(d). As far as it goes, this seems correct.

The Court next rejected the Stored Communications Act claims on multiple grounds -- one of which is important and clearly right, and at least one of which is clearly wrong. The plaintiffs claimed that the monitoring of the users' computers had violated 18 U.S.C. 2701, a criminal statute that is primarily designed to punish hackers who hack into ISPs and read e-mails and other stored files. The Court rejected this argument first on the (correct) ground that individual internet users are not providers of electronic communications service under ECPA. This section is home to the opinion's best passage:

"Plaintiffs find it noteworthy that '[p]ersonal computers provide consumers with the opportunity to access the Internet and send or receive electronic communications,' and that '[w]ithout personal computers, most consumers would not be able to access the Internet or electronic communications.' Fair enough, but without a telephone, most consumers would not be able to access telephone lines, and without televisions, most consumers would not be able to access cable television. Just as telephones and televisions are necessary devices by which consumers access particular services, personal computers are necessary devices by which consumers connect to the Internet. While it is possible for modern computers to perform server-like functions, there is no evidence that any of the Plaintiffs used their computers in this way. While computers and telephones certainly provide services in the general sense of the word, that is not enough for the purposes of the ECPA. The relevant service is Internet access, and the service is provided through ISPs or other servers, not through Plaintiffs' PCs."

Nicely put. Just when things were looking good, however, the court goofed, ruling that in the alternative, the websites were "users" under ECPA who could consent to the monitoring. It's only an alternative holding, I realize, but it's quite clearly incorrect: ECPA follows the client/server model, and uses the word "user" to refer to the clients and "provider" to refer to the server. It turns ECPA on its head to view the websites as clients of the users' PCs (a mistake made in the Doubleclick opinion).

The Court then added yet another alternative holding, to the effect that the monitoring did not violate 2701 because 2701 refers only to contents "in electronic storage," that is, held pre-access such as unopened e-mails. While this is a correct statement about the scope of 2701, it's quite beside the point, because as the court held in the first place, the users' PCs are not providers under ECPA (and web bugs and cookies aren't electronic communications, either).

Finally, the court rejected the claim that the monitoring had triggered the civil damages provision of 18 U.S.C. 1030 on the ground that there was no showing of the $5,000 damage needed to bring a civil action under 18 U.S.C. 1030(g).

[by Orin S. Kerr's Computer Crime Case Updates Mailinglist]
22:07


Maximillian Dornseif, 2002.
 