The District of Massachusetts granted the
defendants' motion for summary judgment in a
consolidated civil case that interpreted several
key federal computer crime statutes. The case is
In re Pharmatrak Privacy Litigation, -- F. Supp.2d
--, 2002 WL 1880387 (D. Mass, Aug. 13, 2002)
(Tauro, J.).
This case involves a suit against pharmaceutical
companies for having hired the Pharmatrak
company to monitor the companies' websites and
provide a monthly analysis of web site traffic.
Pharmatrak placed cookies and web bugs on the
computers of users who visited the websites, and
also allegedly read the referrer URL contained in
Internet requests directed to the websites.
According to the complaint, the Pharmatrak
software also recorded information that users
entered into the websites, and also recorded URL
query strings resulting from web searches.
The plaintiffs alleged that this monitoring violated
the Wiretap Act (aka Title III, 18 U.S.C. 2510-22),
the Stored Communications Act (aka ECPA, 18
U.S.C. 2701-11) and the Computer Fraud and
Abuse Act (18 U.S.C. 1030). The defendants
moved for summary judgment.
The Court granted the defendants' motion on all
three counts. First, the Court rejected the
Wiretap Act claims. The plaintiffs alleged that the
Pharmatrak software had intercepted the
plaintiffs' electronic communications in violation
of the Wiretap Act. Although neither the
complaint nor the opinion specifies which of the
communications were "contents" covered by the
Wiretap Act (a rather remarkable oversight given
the recent high profile debate over whether
search query URLs are contents raised by the
USA Patriot Act last October), the Court
concluded that the pharmaceutical websites were
parties to the communication who could consent
to Pharmatrak's monitoring pursuant to the
consent exception, 18 U.S.C. 2511(2)(d). As far
as it goes, this seems correct.
The Court next rejected the Stored
Communications Act claims on multiple grounds-
- one of which is important and clearly right, and
at least one of which is clearly wrong. The
plaintiffs claimed that the monitoring of the user's
computers had violated 18 U.S.C. 2701, a
criminal statute that is primarily designed to
punish hackers who hack into ISPs and read e-
mails and other stored files. The Court rejected
this argument first on the (correct) ground that
individual internet users are not providers of
electronic communications service under ECPA.
This section is home to the opinion's best
passage:
"Plaintiffs find it noteworthy that '[p]ersonal
computers provide consumers with the
opportunity to access the Internet and send or
receive electronic communications,' and that
'[w]ithout personal computers, most consumers
would not be able to access the Internet or
electronic communications.' Fair enough, but
without a telephone, most consumers would not
be able to access telephone lines, and without
televisions, most consumers would not be able to
access cable television. Just as telephones and
televisions are necessary devices by which
consumers access particular services, personal
computers are necessary devices by which
consumers connect to the Internet. While it is
possible for modern computers to perform
server- like functions, there is no evidence that
any of the Plaintiffs used their computers in this
way. While computers and telephones certainly
provide services in the general sense of the word,
that is not enough for the purposes of the ECPA.
The relevant service is Internet access, and the
service is provided through ISPs or other servers,
not though Plaintiffs' PCs"
Nicely put. Just when things were looking good,
however, the court goofed, ruling that in the
alternative, the websites were "users" under
ECPA who could consent to the monitoring. It's
only an alternative holding, I realize, but it's quite
clearly incorrect: ECPA follows the client/server
model, and uses the word "user" to refer to the
clients and "provider" to refer to the server. It
turns EPCA on its head to view the websites as
clients of the user's PC's (a mistake made in the
Doubleclick opinion).
The Court then added yet another alternative
holding, to the effect that the monitoring did not
violate 2701 because 2701 refers only to
contents "in electronic storage," that is, held pre-
access such as unopened e-mails. While this is
a correct statement about the scope of 2701, it's
quite beside the point, because as the court held
in the first place, the user's PCs are not providers
under ECPA (and web bugs and cookies aren't
electronic communications, either).
Finally, the court rejected the claim that the
monitoring had triggered the civil damages
provision of 18 U.S.C. 1030 on the ground that
there was no showing of the $5,000 damage
needed to bring a civil action under 18 U.S.C.
1030(g).
[by Orin S. Kerr's Computer Crime Case Updates Mailinglist]
22:07
#
G!