October 23, 2018

Is Metadata Protected by the Wiretap Act? Third Circuit: It Depends!

In general, “metadata” is data that describes other data and summarizes basic information about data, which can make finding and working with particular instances of data easier. But does that definition mean that metadata, such as URLs, are categorically non-content? For example, such a bright line distinction would mean that there is no substantive difference, for example, between the URL “www.webmd.com” and “www.webmd.com/alchoholabuse.” The former URL provides very little information about the visitor’s communications with WebMd, while the latter provides specific information other than simply the visitor was communication with WebMd. This is not an unimportant distinction since the federal Wiretap Act, which was enacted in 1968 to regulate telephone wiretapping prohibits the interception of the “contents” of a communication without the consent of a “party to the communication.” In 1986, Congress expanded the scope of the Wiretap Act to include computer networks. In an important privacy decision, on November 10, 2015, although the Third Circuit in In Re: Google Inc. Cookie Placement Privacy Litigation, dismissed the Wiretap Act claim under Rule 12(b)(6), it determined that obtaining URLs by Google did involve the collection of at least some content under the Wiretap Act.

Unbeknownst to many Internet users, a user’s visits to websites are recorded through the use of tracking cookies that have been previously placed on the user’s browser so when the user visits a Web site, the Web site can have a third-party site send to the user’s browser highly targeted advertisements. The litigation involved allegations that Google violated the Wiretap Act, the Stored Communications Act and the Computer Fraud and Abuse Act under federal law, and various California state laws include the right to privacy. With regard to the Wiretap Act, plaintiffs argued that the defendants violated the Wiretap Act on the grounds that the use of tracking cookies created a record of what websites users visited without their knowledge. Users could set their browsers to block these third party cookies, but he browser would not actually block them. In other words, advertising companies were able to gather this valuable information without the users’ knowledge. While the Third Circuit ultimately dismissed the Wiretap Act claims, the Third Circuit did find that Google’s actions amounted to “deceit and disregard” as it “not only contravened the cookie blockers—it held itself out as respecting ….”

The district court dismissed the plaintiffs’ Wiretap Act claim on the basis that the defendants’ alleged conduct did not involve the acquisition of communications’ “content.” While the plaintiffs alleged that the defendants acquired and tracked the URLs they visited, the Act defines “contents” as “any information concerning the substance, purport, or meaning of the communication [at issue].” 18 U.S.C. § 2510(8)). The District Court held that, “[a]s described their name, ‘Universal Resource Locators …. a URL is a location identifier and does not concern [] the substance, purport or meaning’ of an electronic communication.’” In re Google, 988 F.Supp.2d at 444 (quoting 18 U.S.C. § 2510(8)).

The Third Circuit rejected the district court’s conclusion that location identifiers can never meet the definition of “contents” under the Wiretap Act. Rather, the Court explained that the “inquiry is a case-specific one turning on the role the [information] played in the intercepted communication.” On one hand, where the information performs “a routing function” for that particular communication, it would not be covered under the Wiretap Act since it is not contents information. On the other, if the information “comprises part of a communication’s substance” to the party destination, it is content for that communication.”

With regard to URLs, the Court agreed with a recently declassified decision by the Foreign Intelligence Surveillance Court that “queried URLs can be content as well routing information, for instance in the case of URLs that reproduce search engine inquiries.” Whether a URL involves “contents” is determined by “how much information would be revealed by disclosure of the URL.” The Court also noted a number of courts have found “post-cut-through digits in the telephone context–.i.e. numbers dialed from a telephone after a call is already setup or ‘cut through,” to be content beyond the permissible scope of a pen register, which is analogous to URLs that “may serve to convey different messages to different audiences. For instance, the domain name portion of the URL—everything before the ‘.com’—instructs a centralized web server to direct the user to a particular website, but post-domain name portions of the URL are designed to communicate to the visited website which webpage content to sent the user.” Based on this understanding, the Court concluded that “between the information revealed by highly-detailed URLs and their functional parallels to post-cut-through digits, we are persuaded that—at a minimum—some queried URLs qualify as content.”

Despite this conclusion, the Third Circuit dismissed the Wiretap Act count on the basis that Google and the other defendant-advertising companies were parties to the communications: “In short, our understanding of the plaintiffs’ allegations is that the defendants acquired the plaintiffs’ internet history information when, in the course of requesting webpage advertising content at the direction of the visited website, the plaintiffs’ browsers sent the information directly to the defendants’ servers.”

While the Third Circuit decision with regard to the Wiretap Act left the location of the content/metadata line for another day, there are a number of important conclusions that can be drawn especially with regard to how it may limit Internet monitoring by both the government and private companies.

First, the Court’s reasoning in a sense applies even more to government, since the government is not a party to the communication, thus, they could not claim consent as a defense. In other words, at least within the Third Circuit, there is no doubt that the government must obtain a search warrant to obtain content metadata. The Department of Justice claims that it already does so, but now the DOJ is prevented from changing its policy in the Third Case so long as this case remains good.

Second, the decision also put private companies that use surveillance techniques on notice that techniques to collection users’ information may be viewed as illegal. This is especially true because the Court, while dismissing the federal claims, did reinstate California state law claims under tort law and the state’s constitutional right to privacy.

Third, the decision may encourage plaintiff’s to bring litigation in states that have a state version of the federal Wiretap act and are require the consent of every party to the communication.

In addition, Google is not the only company that has gotten into trouble for using cookie blocking technology. Last month, MoPub Inc. a mobile ad server owned by Twitter, was sued in California court for using “super cookies” to track and store the Internet browsing history of anyone accessing the web through their Verizon smartphone. The suit alleges that MoPub then used this information to build a personal profile which it then used to send targeted advertising, without subscribers’ knowledge or consent. Similar to the Google litigation, MoPub is accused of misleading subscribers who believed that their browser’s “opt-out” mechanism would stop MoPub’s tracking.

Companies that use tracking technology should remain informed about the law in this area which is evolving rapidly and the specific language of their privacy practices, including what data is being collected, how that data is being used, and with whom the company may be sharing the data.

Speak Your Mind