Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Lindsay, David --- "Cases and complaints" [2002] PrivLawPRpr 43; (2002) 9(5) Privacy Law and Policy Reporter 96

Cases and complaints

David Lindsay

IN RE PHARMATRAK, INC PRIVACY LITIGATION

US District Court, District of Massachusetts,Civil Action No 00-11672-JLT,13 August 2002

This casenote examines the recent decision of Tauro J of the United States District Court for the District of Massachusetts in In re Pharmatrak, Inc Privacy Litigation, and explains some ,of the implications for Australian internet users and for privacy policy development in Australia. The case highlights the extent to which existing US privacy laws fail to provide adequate privacy protection for ,internet users.

Facts

The plaintiffs, who were internet users of pharmaceutical websites, brought a class action against a number of large pharmaceutical companies that operated the sites, and against the data mining and profiling company, Pharmatrak, Inc. Pharmatrak, which ceased operating shortly after the ,action was initiated, was hired by the pharmaceutical companies to monitor their websites and to provide a monthly summary of website traffic. As part of the agreement with the companies, Pharmatrak represented that it did ,not collect ‘personally identifiable information’.

The pharmaceutical companies purchased a service from Pharmatrak known as ‘NETcompare’, which was designed to monitor activity on the relevant web pages. The main component of the monitoring service worked as follows. First, contacting one of the company’s websites resulted in a request being sent to Pharmatrak’s web server. Second, the server sent a clear GIF (or ‘web bug’),[1] causing the user’s browser to contact Pharmatrak’s web server directly. Third, the server sent a ‘cookie’ to the user’s computer.[2] The cookies, which were programmed ,to expire after 90 days, allowed Pharmatrak to collect information from repeat users of the pharmaceutical companies’ websites. Pharmatrak also evidently used Javascript to collect information regarding web pages visited by users prior to accessing the relevant websites. Finally, information was collected from material submitted by users, for example, by completion of online registration.

A computer scientist hired by the plaintiffs was able to determine that, with the assistance of relational databases, Pharmatrak was capable ,of collecting considerable personal information, including names, addresses, telephone numbers, dates of birth, sex, insurance status, medical conditions, education levels and occupations. There was no evidence that Pharmatrak used the information to create detailed profiles,[3] although ,it was possible to do so.

US law

The plaintiffs alleged that by collecting the information without consent, the pharmaceutical companies and Pharmatrak infringed US wiretap, anti-hacking and computer fraud laws. In a summary judgment, Tauro J dismissed the case.

The plaintiffs first argued that Pharmatrak’s activities amounted to an unlawful interception under Title I of the Electronic Communications Privacy Act of 1986 (the ECPA),[4] which is commonly known as the Wiretap Act. Section 2511(1)(a) of the Wiretap Act provides that, subject to exceptions, it ,is unlawful to intentionally intercept a wire, oral or electronic communication. Under s 2511(1)(d), an interception is not unlawful if it is conducted by a party to the communication, or a party to the communication has given prior consent to an interception by a third party, provided that the interception ,is not undertaken for a criminal or tortious purpose. The main issue ,before the Court was whether the pharmaceutical companies had consented to Pharmatrak intercepting the communication. The plaintiffs claimed that the companies had not consented because Pharmatrak had expressly agreed not to collect personally identifiable information. ,The Court, however, held that consent to the web monitoring service necessarily included consent to the interception, regardless of whether the pharmaceutical companies were aware of the precise mechanisms of the service.[5] The Court further concluded that there was no evidence to suggest that the interception was for a criminal or tortious purpose. In so holding, Tauro J adopted the reasoning of the earlier DoubleClick decision, which ,had held that the purpose requirement is to be narrowly construed.[6]

The second claim made by the plaintiffs was that by collecting data from users’ computers, the defendants had engaged in unlawful hacking under Title II of the ECPA,[7] commonly known as the Stored Communications Act. Section 2701(a) of that Act makes it unlawful to intentionally access a ‘facility through which an electronic communication service is provided’ without authorisation, and thereby obtain access to a communication stored electronically. The defendants argued that the plaintiffs’ computers were not ‘facilities’ within the meaning of the prohibition and, even if its activities fell within the scope of the provision, that Pharmatrak’s access was authorised by the users. The Court agreed with both assertions. First, the Court held that, while personal computers are necessary for connecting to the internet, they do not provide the relevant electronic communication service, namely a service for internet access. On this view, it is servers, not users’ computers, that provide access to the internet. Second, Tauro J held Pharmatrak’s access fell within s 2701(c)(2) of the Stored Communications Act, which establishes an exception for access that is authorised by a user of a service in relation to a communication ‘of or intended for that user’. In this, the ,Court again followed the DoubleClick decision, which had held that an operator of a website was a user within the meaning of the exception. The Court also agreed with the DoubleClick decision in finding that information obtained from ‘cookies’ was not a communication in ‘electronic storage’. On this issue, the ECPA defines ‘electronic storage’ as a temporary, intermediate storage of a communication.[8] The US courts have interpreted this to mean temporary storage of a communication that is incidental to its transmission. As cookies are stored on the hard drive of a user’s computer, the DoubleClick and Pharmatrak Courts held that access ,to the cookies fell outside of the prohibition. Furthermore, Tauro J ,held that as Pharmatrak had created ,and sent the cookies, any subsequent access was necessarily authorised.

Finally, the plaintiffs claimed that the activities of the defendants contravened the Computer Fraud and Abuse Act (CFAA). The CFAA establishes a civil action where a defendant has intentionally accessed a computer without authorisation, and thereby obtained information from a protected communication, provided that the conduct involves an interstate or foreign communication.[9] For a civil remedy to lie, however, the unauthorised access must cause losses of at least US$5000. Tauro J dismissed the CFAA claim ,on the basis that, on the evidence, ,the plaintiffs failed to show sufficient damage. The Court first pointed out ,that the plaintiffs were unable to show that their computers were damaged. Furthermore, the Court held that any possible losses for invasion of privacy, ,or loss of control over personal information, was insufficient to meet the damage threshold, even assuming such losses could be taken into account. This conclusion conforms to that reached by the DoubleClick Court, which had also doubted whether the ‘economic value’ ,of demographic information could be counted towards the damage threshold.

Implications for Australia

We can now see a pattern of decisions emerging from the US, in which plaintiffs are unsuccessful in attempting to use US interception and computer crimes laws to seek to protect online privacy by preventing the unauthorised collection of personal information by ‘spyware’,[10] such as cookies and web bugs. Although there are points in ,the Pharmatrak decision where the approach taken to the relevant legislation could have been explained more clearly, the application of the laws to the activities in question seems hard to fault. After all, the use of ‘spyware’ to obtain information about internet users does not fit easily within laws directed at either the unlawful interception of communications or unlawful hacking. Nevertheless, Pharmatrak’s activities resulted in the collection of a significant amount of personal information, including sensitive health information, without the informed consent of users of the websites operated by the pharmaceutical companies. Moreover, in conjunction with the use of relational databases, ,the activities had the potential for the production of considerably more information regarding internet users.

The problems faced by the plaintiffs in Pharmatrak in attempting to find a remedy, under US law, to the perceived privacy invasions illustrate some weaknesses with US privacy regimes, but should also suggest some of the complexities involved in developing policies for protecting personal information online. On the one hand, applying conventional data protection principles, it might be thought that personal information should not, in general, be collected without the consent of the internet user. On the other hand, however, the collection of anonymised data, such as data relating to internet traffic, has undoubted advantages, including the potential for enhancing the quality of web pages and improving the efficiency of internet use. Moreover, technologies such as web bugs have other potentially positive uses, such as tracking copyright infringements. Arguably, it is not the information collection technologies as such that present the main problem, ,but the way in which the technologies are used, including use to produce personally identifying material by further processing, including data-matching. Furthermore, even if a blanket ban on technologies such ,as web bugs were possible, the decentralised nature of the internet makes it difficult to effectively enforce attempts to regulate technologies. Moreover, at least at this stage, there appears to have been insufficient consideration given to the policy options available for dealing with the unregulated collection and matching ,of internet information by the use of ‘spyware’ for any satisfactory regulatory responses to be formulated.

At present, then, the cases emerging from the US, including the DoubleClick and Pharmatrak decisions, indicate that internet users accessing websites hosted in the US have little or no legal protection against technologies such as invisible web bugs. As many websites accessed from Australia, including sites for accessing health and pharmaceutical information, are hosted in the US, this has potentially important consequences for Australian internet users. The most important implication is that Australians should be aware that, in many circumstances, the only safe way to ensure the protection of personal information online is by the use of self-help measures. A variety of technologies are available for detecting and/or blocking ‘spyware’ technologies. For example, a service known as ‘bugnosis’ tests graphics on web pages to detect whether the html code includes web bugs.[11] It is extremely difficult, however, to determine whether an invisible GIF file has been installed to track internet users, or for some other purpose, such as to align the web page. Moreover, ‘bugnosis’ does not block web bugs; it merely detects whether or not a web page contains an invisible GIF. The only measures currently available for blocking web bugs are general ‘advertisement blockers’, such as ‘Guidescope’,[12] ‘WebWasher’[13] and ‘AdSubstract’.[14] As these technologies operate by blocking third party content, however, they may have negative effects on internet performance. Moreover, it is time consuming to locate and install such technologies.

The absence of a clear US policy on the use of ‘spyware’ such as web bugs would also appear to have implications for the development of Australian policies relating to the protection of online privacy. One implication might be that, given that little that can be done to externally influence the direction of US regulatory regimes, Australian policy should concentrate on consumer education and training in relation to privacy enhancing technologies (PETs). It is, moreover, possible that more could be done to promote Australian input into the development of consumer privacy protection technologies. On the other hand, to leave the protection of online information completely to the vagaries ,of an ‘arms race’ between ‘spyware’ and PETs would seem to be tantamount to abdicating policy responsibility. The challenge facing all national regimes confronting issues relating to online privacy is to develop flexible regulatory regimes that are capable of accomm-odating rapid technological change, without making public policy outcomes completely dependent upon techno-logical developments, while avoiding inadvertently creating incentives for socially wasteful ‘arms races’ between privacy invasive and privacy enhancing technologies.

David Lindsay, Research Fellow, Faculty of Law, University of Melbourne.

[1] GIF, which stands for ‘graphics interface format’, is a de facto standard for graphic images on the web. The term ‘web bug’ was coined by Richard M Smith to refer to GIF files used to monitor internet use. Richard Smith’s web bug FAQ is available at <www.privacyfoundation.org>.

[2] A ‘cookie’ is a small piece of information sent to a user’s computer within the http header and commonly stored on the user’s hard drive.

[3] An information paper prepared ,for the Office of the Federal Privacy Commissioner defines ‘profiling’ as ‘the process of ascertaining characteristics which are closely associated with a particular target group and the subsequent searching of databases to identify other individuals who have the same or similar characteristics’: see Maguire S ‘Privacy and profiling’ Information paper no 2 p 1, available ,at <www.privacy.gov.au>.

[4] 18 USC s 2510.

[5] In this respect, the judgment is consistent with the previous US decisions to consider the issue, In re DoubleClick Inc Privacy Litigation , 154 F Supp 2d 497 (SDNY 2001) and Chance v Avenue A Inc 165 F Supp ,2d 1153 (WD Wash 2001).

[6] 154 F Supp 2d 497, 515 (SDNY 2001).

[7] 18 USC s 2701.

[8] 18 USC s 2510(17).

[9] 18 USC ss 1030(a), (g).

[10] ‘Spyware’, in relation to the internet, may be defined as ‘programming that is put in someone’s computer to secretly gather information about the user and relay it to advertisers or other interested parties’: see <whatis.techtarget.com> (definition of ‘spyware’).

[11] The bugnosis FAQ is available at <www.bugnosis.org>.

[12] See <www.guidescope.com>.

[13] See <www.webwasher.com>.

[14] See <www.adsubtract.com>.