1st Circuit Holds Monitoring Web Site Traffic Can Violate Wiretap Act

May 9, 2003. The U.S. Court of Appeals (1stCir) issued its opinion in In
Re Pharmatrak Privacy Litigation, reversing a District Court summary
judgment in a case brought under the Electronic Communications Privacy Act
(ECPA) involving web site monitoring.

Introduction. The Wiretap Act, as amended by the ECPA, provides a private
cause of action against anyone who "intentionally intercepts, endeavors to
intercept, or procures any other person to intercept or endeavor to
intercept, any wire, oral, or electronic communication." The plaintiffs
alleged that third party monitoring of web site visits, through the use of
cookies, analysis of access logs, and web forms, constituted a prohibited
interception of electronic communications. The District Court held that
the web site visitors consented to the interception, and dismissed the
claim. The Appeals Court reversed.

The opinion contains detailed explanations of the technology involved,
included access logs, cookies, web forms, and get and post methods. And,
its conclusions are based on the specific technological details of this
case. Moreover, the holding appears to be limited to a narrow set of facts
not present in most situations involving web site monitoring.

In this case, the web site operators contracted with a third party to
conduct monitoring, and did not disclose this third party involvement to
users. More importantly, this third party exceeded the usual techniques of
web site monitoring (involving access logs and cookies, which are
anonymous), and also accessed some personally identifying information of
web site visitors who filled out web forms, the data of which was sent to
the web site operators by the "get" method. This means that the data was
appended to the uniform resource locator (URL) of the web address
receiving the form. And since it was a part of the URL, it was available
to this third party.

Parties. Pharmatrak sold a web site traffic monitoring service named
NETcompare to pharmaceutical companies. NETcompare collected information
about the web users in the course of their accessing the web sites of
pharmaceutical companies that used the NETcompare service. Its parent
company is Glocal Communications.

Pfizer, Pharmacia (which was recently acquired by Pfizer), Smithkline
Beecham (which merged with Glaxco Wellcome to form GlaxSmithKline),
American Home Products (now Wyeth), and Novartis were five pharmaceutical
companies that purchased the NETcompare service, from June 1998 through
November 2000, for the purpose of obtaining information that would enable
them to do intra-industry comparisons of web site traffic and usage. The
pharmaceutical companies did not seek personal or identifying data.

The plaintiffs are individuals who visited the web sites of these
pharmaceutical companies.

Pharmatrak's Technology. The Appeals Court described the Pharmatrak
technology in detail. It wrote that "A pharmaceutical client installed
NETcompare by adding five to ten lines of HTML code to each webpage it
wished to track and configuring the pages to interface with Pharmatrak's
technology. When a user visited the website of a Pharmatrak client,
Pharmatrak's HTML code instructed the user's computer to contact
Pharmatrak's web server and retrieve from it a tiny, invisible graphic
image known as a ``clear GIF´´ (or a ``web bug´´). The purpose of the
clear GIF was to cause the user's computer to communicate directly with
Pharmatrak's web server. When the user's computer requested the clear GIF,
Pharmatrak's web servers responded by either placing or accessing a
``persistent cookie´´ on the user's computer. On a user's first visit to a
webpage monitored by NETcompare, Pharmatrak's servers would plant a cookie
on the user's computer. If the user had already visited a NETcompare
webpage, then Pharmatrak's servers would access the information on the
existing cookie." (Footnotes have been omitted from all quotations to the
Appeals Court's opinion.)

The Appeals Court continued that "A cookie is a piece of information sent
by a web server to a web browser that the browser software is expected to
save and to send back whenever the browser makes additional requests of
the server (such as when the user visits additional webpages at the same
or related sites). A persistent cookie is one that does not expire at the
end of an online session. Cookies are widely used on the internet by
reputable websites to promote convenience and customization. Cookies often
store user preferences, login and registration information, or information
related to an online ``shopping cart.´´ Cookies may also contain unique
identifiers that allow a website to differentiate among users."

In addition, "Each Pharmatrak cookie contained a unique alphanumeric
identifier that allowed Pharmatrak to track a user as she navigated
through a client's site and to identify a repeat user each time she
visited clients' sites. If a person visited www.pfizer.com in June 2000
and www.pharmacia.com in July 2000, for example, then the persistent
cookie on her computer would indicate to Pharmatrak that the same computer
had been used to visit both sites. As NETcompare tracked a user through a
website, it used JavaScript and a JavaApplet to record information such as
the URLs the user visited. This data was recorded on the access logs of
Pharmatrak's web servers."

"Pharmatrak sent monthly reports to its clients juxtaposing the data
collected by NETcompare about all pharmaceutical clients. These reports
covered topics such as the most heavily used parts of a particular site;
which site was receiving the most hits in particular areas such as
investor or media relations; and the most important links to a site."
Finally, the Court noted that "The monthly reports did not contain any
personally identifiable information about users."

Personally Identifying Information. The pharmaceutical companies did not
seek personally identifying information, and Pharmatrak did not provide
any to them. However, the Appeals Court wrote that "Pharmatrak
nevertheless collected some personal information on a small number of
users. Pharmatrak distributed approximately 18.7 million persistent
cookies through NETcompare. The number of unique cookies provides a rough
estimate of the number of users Pharmatrak monitored. Plaintiffs' expert
was able to develop individual profiles for just 232 users."

This personally identifying information was collected via web site forms
that used the "get" rather than the "post" method to transmit data. For
example, one company had a form in its web site for obtaining a rebate. It
used the "get" method to send the form data, meaning that it was appended
to the URL. The Court elaborated that "Web servers use two methods to
transmit information entered into online forms: the get method and the
post method. The get method is generally used for short forms such as the
``Search´´ box at Yahoo! and other online search engines. The post method
is normally used for longer forms and forms soliciting private
information. When a server uses the get method, the information entered
into the online form becomes appended to the next URL."

"By contrast, if a website transmits information via the post method, then
that information does not appear in the URL. Since NETcompare was designed
to record the full URLs of the webpages a user viewed immediately before
and during a visit to a client's site, Pharmatrak recorded personal
information transmitted using the get method", wrote the Court.

Statute. 18 U.S.C. § 2511(1) provides, in part, that "any person who (a)
intentionally intercepts, endeavors to intercept, or procures any other
person to intercept or endeavor to intercept, any wire, oral, or
electronic communication ... shall be punished as provided in subsection
(4) or shall be subject to suit as provided in subsection (5)."

Also, 18 U.S.C. § 2510 provides, in part, that "any person whose wire,
oral, or electronic communication is intercepted, disclosed, or
intentionally used in violation of this chapter may in a civil action
recover from the person or entity, other than the United States, which
engaged in that violation such relief as may be appropriate."

District Court. In August 2000, the Plaintiffs filed a complaint in U.S.
District Court (DMass) against Pharmatrak, Glocal, and the five
pharmaceutical companies alleging violation of Title I of the ECPA (18
U.S.C. § 2510 et seq.), violation of Title II of the ECPA (18 U.S.C. 2701
et seq.), violation of the Computer Fraud and Abuse Act (18 U.S.C. §
1030), violation of various Massachusetts state statutes, as well as
invasion of privacy, trespass to chattels and conversion, and unjust
enrichment. Plaintiffs also sought, and obtained, class action status.

Defendants moved for summary judgment. The District Court granted this
summary judgment motion as to the ECPA claims on the grounds that
Pharmatrak's activities fell within an exception to the statute where one
party consents to an interception. It also granted summary judgment on the
other federal law claim. Having held for defendants on all of the federal
questions, the District Court declined to retain jurisdiction over the
state law claims, and dismissed the action, without prejudice as to the
state law claims.

Appeals Court. The Appeals Court reversed and remanded. The opinion only
addresses the ECPA issues.

The Court began its analysis by stating that the "plaintiffs must show
five elements to make their claim under Title I of the ECPA: that a
defendant (1) intentionally (2) intercepted, endeavored to intercept or
procured another person to intercept or endeavor to intercept (3) the
contents of (4) an electronic communication (5) using a device. This
showing is subject to certain statutory exceptions, such as consent."

It then noted that "Pharmatrak has not contested whether it used a device
or obtained the contents of an electronic communication." The only issues
raised by Pharmatrak was whether there was consent to the interception,
and whether there was an interception.

The Court wrote, in dicta, that "This is appropriate. ... Transmissions of
completed online forms, such as the one at Pharmacia's Detrol website, to
the pharmaceutical defendants constitute electronic communications. ...
The ECPA also says that ``'contents,' when used with respect to any wire,
oral, or electronic communication, includes any information concerning the
substance, purport, or meaning of that communication." 18 U.S.C. §
2510(8). This definition encompasses personally identifiable information
such as a party's name, date of birth, and medical condition.´´"

The analysis of the Appeals Court was that the communications were between
the web site visitors and the pharmaceutical companies that maintained web
sites. The interception was done by Pharmatrak. The communications that
were intercepted were the limited number of transmissions of personally
identifying information contained in such things as the "get" method
sending of web form data.

Pharmatrak had asserted that there was consent to the interception,
because the pharmaceutical companies consented. The District Court agreed,
but not the Appeals Court. It found that Pharmatrak had not met the
standard for consent under 1st Circuit law. In particular, it noted that
there could not be consent when the pharmaceutical companies had told
Pharmatrak that they did not want personally identifying information.

The Court also held that the web site users did not consent. Pharmatrak's
involvement was not known to web surfers. And the "pharmaceutical
companies' websites gave no indication that use meant consent to
collection of personal information by a third party".

The Court also found that there was an "interception" within the meaning
of the Wiretap Act. The Court reviewed the different opinions regarding
whether an interception must be an interception of transit, as opposed to
an acquisition from storage. However, the Court concluded that it need not
address the transit versus storage debate because in this case, the
personally identifying information collected by Pharmatrak was obtained in
transit.

The Appeals Court added some significant comments in dicta. It wrote that
"We share the concern of the Ninth and Eleventh Circuits about the
judicial interpretation of a statute written prior to the widespread usage
of the internet and the World Wide Web in a case involving purported
interceptions of online communications. See Steiger, 318 F.3d at 1047
(quoting Konop, 302 F.3d at 874). In particular, the storage-transit
dichotomy adopted by earlier courts may be less than apt to address
current problems. As one court recently observed, "[T]echnology has, to
some extent, overtaken language. Traveling the internet, electronic
communications are often -- perhaps constantly -- both 'in transit' and
'in storage' simultaneously, a linguistic but not a technological
paradox." United States v. Councilman, 245 F. Supp. 2d 319, 321 (D. Mass.
2003)."

Editor's Note. Readers may want to assess the objectivity of Tech Law
Journal in writing a news story about web site monitoring. See, for
example, TLJ Memorandum regarding "E-Mail Monitoring" by TLJ, dated
January 1, 2003, and TLJ Memorandum regarding "Disclosure of Information
to Third Parties", dated January 1, 2003.