Third Party Data Monitoring and Collection on the Internet:
Is it Illegal Wiretapping?


Wednesday, Jun. 04, 2003

When - if ever - can third parties legally monitor your Internet activity? The answer is still unclear.

However, a recent ruling by the U.S. Court of Appeals for the First Circuit provides at least some guidance. In In Re Pharmatrak, Inc. Privacy Litigation, the court suggested that such data collection might violate provisions of the Electronic Communications Privacy Act of 1986 (ECPA), which expanded anti-wiretapping protections to include electronic communications. Under the ECPA, it is unlawful to intercept communications between two parties intentionally if neither consents to the interception.

The Pharmatrak ruling shows that the ECPA has potential to protect privacy on the Internet, when privacy is violated by third party data collection. But the ECPA's limitations suggest that protection is far from complete.

Data Collection, and the Facts of the Pharmatrak Case

This type of data collection is done through cookies and "web bugs" (mini bits of code left on user's PCs); analysis of access logs and web forms; and similar methods. Data collection can allow a third party to track an Internet user's repeat visits to a site, as well as her or her surfing or shopping habits.

Typically, the information is not linked to an individual, but rather to a PC or a numerical identifier. However, privacy and consumer advocates have expressed concern that linking of data to individuals could occur. Indeed, online advertising provider DoubleClick initially announced it might do just that - but due to intense public criticism and governmental scrutiny, it changed its mind.

And imagine a user's identity being linked to sensitive searches that he or she has conducted. If someone searched health or medical web sites to learn about cancer cures or sexually transmitted diseases, the nature of the searches conducted is precisely the type of information that a user may want to keep private. The Pharmatrak case - involving the drug and pharmaceutical sector - highlights the possible perils of matching a user's identity with his or her web search data.

The Pharmatrak case itself arose in 2000, when a group of Internet users sued Pharmatrak, along with several of its pharmaceutical company clients, for violating the ECPA.

Pharmatrak's data monitoring service, NETcompare, collected information about web users as they accessed its clients' sites, to perform intra-industry comparisons of web site traffic and usage in the pharmaceutical industry. It did so by installing software on clients' web sites - with the clients' consent, but without the consent of their users.

At the time, Pharmatrak did not seek personally identifiable data about the overwhelming majority of users. In fact, at least some of Pharmatrak's clients asked the company specifically not to do so.

But it ended up doing so with respect to 232 users - who included the plaintiffs in the suit. Whether this collection was intentional remains to be seen. And, according to news reports, its web site stated that it might collect personally identifiable data in the future. Privacy advocates raised alarm bells about the web site notice.

How Pharmatrak's Software Worked

Here's how Pharmatrak's software worked: When an individual Internet user visited a client's site, the software Pharmatrak has installed - through the use of web bugs, "cookies" and the like - caused the user's computer to communicate with both the client's servers, and Pharmatrak's own servers. Pharmatrak was able to access the information on its clients' servers as well as its own.

The software collected data including the length of time a user spent at a client site; the pages the user visited; the URL of the sites visited just before the client site; and the "query string" of any search used to get to the client site.

As the First Circuit explained in its recent decision: "A cookie is a piece of information sent by a web server to a web browser that the browser software is expected to save and to send back whenever the browser makes additional requests of the server (such as when the user visits additional web pages at the same or related sites)." Specifically, "[e]ach Pharmatrak cookie contained a unique alphanumeric identifier that allowed Pharmatrak to track a user as she navigated through a client's site and to identify a repeat user each time she visited clients' sites."

Pharmatrak employed something known as a "persistent" cookie - one that does not expire at the end of an online session. Pharmatrak distributed approximately 18.7 million persistent cookies through NETcompare (and thus monitored approximately the same number of users). Thus, Pharmatrak could collect data on separate surfing sessions using the same computer, to learn, for instance, if the same computer had visited two client websites in different sessions.

How could Pharmatrak match the computer with the individual user? Through web forms users filled out for other purposes - such as, on one site, to obtain a rebate.

The personal information in 197 of the 232 user profiles was recorded due to an interaction between NETcompare and computer code created by one pharmaceutical client, Pharmacia, for one of its rebate webpages.

For short periods during 2000 and 2001, Pharmatrak's client Pharmacia used the "get" method to transmit information from a rebate form on one of its web pages to its server. The same information went to Pharmatrak and contained personally identifiable data.

As the First Circuit observed, web servers employ two distinct methods to transmit information entered into online forms: the "get" method and the "post" method. The get method is generally used for short forms such as the "Search" box of an Internet search engine. The post method is normally used for longer forms and forms that ask a user for private information.

When a server uses the get method, the information entered into an online form becomes appended to the next URL. For example, if a user enters his or her name into a form and submits it, then the person's name will be appended to the string at the end of the URL of the web page showing the search results. By contrast, if a web site transmits information via the post method, then that information does not appear in the URL.

The following types of personal information were found on Pharmatrak servers: user names, addresses, telephone numbers, email addresses, dates of birth, genders, insurance statuses, education levels, occupations, medical conditions, medications.

Reasons for visiting a particular web site were also found. This is what privacy advocates fear most - linkage indicating intensely private information, such as why someone visited a health site.

There is no evidence Pharmatrak warned its clients about the consequences of using the get method. The instructions, in fact, made no distinction between methods of transmission.

The ECPA's One-Party Consent Rule and How It Was Applied

At the district court level, Pharmatrak and the other defendants initially won summary judgment. The ECPA includes a "one-party consent" rule, under which a single party's prior consent to interception makes an e-wiretap legal. Thus, the court held that even if users didn't consent to Pharmatrak's interception of their data, that didn't matter - because the pharmaceutical companies had.

The district court so held even despite the fact that the client companies had not specifically consented to Pharmatrak's collecting information linked to specific individuals.

The Court of Appeals, however, held that this specific consent was required. And it pointed out that "Far from consenting to the collection of personally identifiable information, the pharmaceutical clients explicitly conditioned their purchase of NETcompare on the fact that it would not collect such information." As a result, the Court of Appeals reversed the lower court's ruling, and allowed the users' suit to proceed.

The Court of Appeals ruling was plainly correct: Otherwise, monitoring companies could routinely exceed their clients' mandate, to users' and clients' detriment.

Now, at the district court level, the users will prevail if they can show that Pharmatrak's interception of the data they communicated on their web forms was intentional - another requirement of the ECPA. (For complex technical reasons, it is far from clear whether the plaintiffs will prevail, for Pharmatrak's interception may have been inadvertent.)

The ECPA Protects Companies, But Apparently Not Their Users

Unfortunately, users appear to be left out in the cold. The Pharmatrak decision makes it clear that companies offering specialized data collection services must work within the scope of their contract with clients, or else risk ECPA liability.

But as long at the client site alone consents, both the data collection companies and the clients are safe from lawsuits from users, due to the ECPA's "one-party consent" rule. Two rulings made clear this is the law.

In In re DoubleClick Inc. Privacy Litigation, the Southern District of New York district court dismissed claims under the ECPA, the Computer Fraud and Abuse Act, and the Wiretap Act arising out of DoubleClick's use of cookies to gather information about the users of its client sites to help "target" online advertising to that users. Since the client sites had consented, the court held there was no claim.

Similarly, in Dane Chance, et al. v. Avenue A, Inc., the district court dismissed ECPA and Wiretap Act claims based on Avenue A's use of cookies to gather information about particular users' activity at client websites to be used to "target" advertising. Again, client consent was held to be all that was required.

What Can Individual Users Do to Protect Privacy?

Given these rulings, what remedies, if any, are still available to individual users who do not want their personalized data intercepted? Breach of contract claims against the client sites may provide the most promise.

Users who want to prevent this kind of monitoring should carefully read the sites' "click to agree" contracts and privacy policies before they provide personalized data by filling out web forms. Unless the site promises there will be no personalized monitoring, they should not fill out the forms.

If the site promises, and violates its promise, then they should alert the Federal Trade Commission and their state attorney general, who are authorized to police deceptive or fraudulent trade practices. If surreptitious data monitoring is taking place, then a lawsuit may very well follow.

Meanwhile, data collection companies should make sure not to offer "one size fits all" services, but rather, to tailor their services to individual clients' privacy polices, or risk violating the ECPA.

Similarly, Internet businesses that contract for such services need to be vigilant in reviewing the collection practices of these third party service providers and ensure that there is compliance with the underlying privacy policy. If not, as in Pharmatrak, they may also find themselves subject to lawsuits.

Anita Ramasastry is an Assistant Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. Her other columns on cyberlaw, surveillance, and other issues are included in the archive of her columns on this site.

FindLaw Career Center

    Select a Job Title

      Post a Job  |  View More Jobs

    View More