Websurfing and the Wiretap Act

The Volokh Conspiracy

The federal Wiretap Act is the major privacy law that protects privacy in communications. The Wiretap Act prohibits intercepting the contents of a communication without the consent of at least one of the parties to the communication. As enacted in 1968, the law was intended primarily to regulate wiretapping of telephone calls. In that context, the law is pretty clear: The law prohibits using a wiretapping device to tap the phone line without the consent of one of the participants on the call.

But times have changed. In 1986, Congress extended the Wiretap Act to the Internet. Applying the Wiretap Act to the Internet can be tricky because the Internet enables person-to-computer communications. As I explained back in 2003, the switch from person-to-person telephone communications to person-to-computer Internet communications creates two tricky interpretive problems. First, how do you identify "contents" of person-to-computer communications? And second, when is a computer a "party to the communication"?

In this post, I want to focus on a particularly tricky and important application of the problem that is raised in a case now pending in the Third Circuit: How does the Wiretap Act apply to surveillance of websurfing? Say a person is surfing the web, and a surveillance device is monitoring the URLs that a person is visiting. When, if at all, can that violate the Wiretap Act? Are the URLs contents or metadata, and if URLs are contents, who are the parties to that communication that can consent?

These are tough and important questions. Here are some thoughts.

Let's start with the issue of whether or when URLs count as "contents" of communications. You can look at URLs in two ways. First, maybe they're just the addressing information like a phone number and therefore metadata. Second, maybe they're a person's message to a computer and therefore contents.

So which is right? I tend to think they're both right. URLs can be both contents and metadata, as I see it, depending on which specific leg of the communication we're focusing on. That's the case because the line between contents and metadata is not abstract but contextual with respect to each communication. Here's how I put the point in my contribution to a treatise of which I am a co-author, LaFave et al., Criminal Procedure, 4.4(d):

[T]he line between content and non-content information is inherently relative. If A sends a letter to B, asking him to deliver a package to C at a particular address, the contents of that letter are contents from A to B but mere non-content addressing information with respect to the delivery of the package to C. In the case of e-mail, for example, a list of e-mail addresses sent as an attachment to an e-mail communication from one person to another are contents rather than addressing information. In short, whether an e-mail address is content or non-content information depends entirely on the circumstances.

This may seem confusing at first, so let me offer a simple and low-tech example. Imagine a telephone call back in the early days when there were human operators at the switchboard. You would call the operator and say, "Please connect me to Pennsylvania 6-5000." The operator would then plug your line into the switch for Pennsylvania 6-5000, setting up a call between you and the party at that number.

Now ask the question, is "Pennsylvania 6-5000" contents or metadata? I think the answer is, well, both. Your speaking of the number was part of the contents of a communication between you and the telephone operator. On the other hand, a telephone company record that you had called Pennsylvania 6-5000 is metadata with respect to the call that was subsequently placed. Whether the information was contents or metadata depends on whether you are drawing the contents/metadata distinction with respect to the first leg of the communication (you speaking to the operator) or the second leg of the communication (you speaking with whoever answers at Pennsylvania 6-5000).

Wait, you're wondering, how can there be two answers to whether something is content or metadata? That might seem strange at first. But the trick is to realize that what seems like a single call really consists of multiple communications. In the case of the call to Pennsylvania 6-5000, there were two communications: you-to-operator and you-to-the-person-who-picked-up-at-736-5000. To determine if a particular surveillance method violated the Wiretap Act, you have to look at each of the legs in sequence and check if the monitoring violated the Wiretap Act in either leg.

Let's do that for the call to Pennsylvania 6-5000. For the first leg of the communication, you-to-operator, the number Pennsylvania 6-5000 constituted contents. But the operator was a party to that communication who could consent to monitoring, so the operator's recording that number wouldn't violate the Wiretap Act. For the second communication, you-to-the-person-who-picked-up-at-736-5000, the number was metadata instead of contents. The operator recording the call wouldn't violate the Wiretap Act for that leg of the call because the number dialed was metadata with respect to that leg of the call, even though the operator was not a party to that communication. In short, there were two different legs of the call with different information as "contents" and different people as "parties" to the communication.

The pending Third Circuit case, In re Google Cookie Placement Consumer Privacy Litigation, raises analogous issues but with the added wrinkle of a switch to person-to-computer communications. The case involves a class action suit about third party tracking cookies that can be used when you surf the web. When you visit a website, the website may have a third party site send ads to your browser and may leave records about your usage on a cookie on your browser. Because lots of companies can use these third party sites, the third party sites may be able to collect records of your browsing online through that cookie. The pending case involves code that was used that allowed third party tracking cookies even when the browser was set not to allow third party cookies. The case raises lots of different claims, but here I'll just focus on one: was the Wiretap Act violated by the disclosure of URLs to the third party sites?

The district court ruled that it was not, reasoning that no contents of communications were intercepted. URLs are not contents, the district court ruled categorically. But I don't think that blunt answer is quite right. I'm skeptical that URLs are non-content information in an absolute sense. If a true third party installed a monitoring tool that intercepted every URL that a person visited in the course of delivery from the user to the other party to the communication, then there's a good argument that the URLs are contents for the leg of the communication from the user to the recipient—much like "Pennsylvania 6-5000" was the contents of the call from the caller to the telephone operator.

With that said, I don't think the Wiretap Act was violated in the acquisition of URLs in this particular case. Here I have to be extra cautious, because the facts of the cases seem pretty complex; I'm not sure I understand all of the facts based on having read the briefs. But based on what I can tell, my take is that collecting URLs does not violate the Wiretap Act in this case because when you break down the legs of the communication, there was no leg in which contents were intercepted without the consent of a party to that leg of the communication.

Here's why. In the simple call to Pennsylvania 6-5000, there were two legs of the communication to consider. When a user enters a URL into a browser, on the other hand, there are more steps that go on behind the scenes. When you enter a URL into your browser and hit enter, computers take that information and send it back and forth in order to present the webpage that you requested. Exactly what happens is pretty complicated. But as is relevant here, we can break down the communications into four steps for a simple web visit:

1) The browser sends a request to the website asking it to send a page back to it.
2) The website sends some information back to the requesting browser. If the website is configured to do so, it also sends back a message to the browser telling it where it can get additional pieces of data that will be collected into the webpage such as third party advertisements.
3) If the website sent back the additional message about getting additional data, the browser automatically sends additional requests to the different computers (third parties) that host the additional data to complete the webpage. The additional requests automatically include the URL of the website that the browser is trying to see.
4) The different computers at the third parties send their pieces of information back to the browser to complete the webpage.
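
Steps 2 and 3 above, as an added Python sketch that is not part of the original post: it parses a constructed first-party page, finds the resources hosted elsewhere, and reports the `Referer` value each third-party host would receive. The hostnames, sample page and `policy` parameter are assumptions; `origin-only` goes beyond the post to approximate the `strict-origin-when-cross-origin` referrer policy, under which a cross-origin request carries only the site's origin.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a first-party page embedding one same-site
# resource and two resources hosted by third parties (step 2).
PAGE_URL = "https://news.example/health/article?id=42"
PAGE_HTML = """
<html><body>
<img src="/static/logo.png">
<script src="https://ads.example/serve.js"></script>
<img src="https://tracker.example/pixel.gif">
</body></html>
"""

class ResourceFinder(HTMLParser):
    """Collects the URLs a browser fetches automatically (src attributes)."""
    def __init__(self, base):
        super().__init__()
        self.base, self.urls = base, []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("img", "script", "iframe") and src:
            self.urls.append(urljoin(self.base, src))

def referer_for(page_url, target_url, policy="full-url"):
    """Referer value sent with a subresource request (step 3).
    'full-url' is the behaviour the post describes; 'origin-only' is an
    assumption approximating strict-origin-when-cross-origin."""
    page, target = urlsplit(page_url), urlsplit(target_url)
    same_origin = (page.scheme, page.netloc) == (target.scheme, target.netloc)
    if policy == "full-url" or same_origin:
        return page_url
    return f"{page.scheme}://{page.netloc}/"

def third_party_view(page_url, html, policy="full-url"):
    """Map each third-party host to the visited-page URL it is told about.
    'Third party' here simply means a different host (a simplification)."""
    finder = ResourceFinder(page_url)
    finder.feed(html)
    first_party = urlsplit(page_url).netloc
    return {urlsplit(u).netloc: referer_for(page_url, u, policy)
            for u in finder.urls if urlsplit(u).netloc != first_party}

if __name__ == "__main__":
    for policy in ("full-url", "origin-only"):
        print(policy, third_party_view(PAGE_URL, PAGE_HTML, policy))
```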

As I understand the complaint in the Third Circuit case, the responses to the browser requests were alleged to have improperly stored records of what had happened on the browser in the form of cookies—third party tracking cookies—even though the users thought that the storage of this information was not allowed.

Was the Wiretap Act violated here? No, it seems to me. Start with legs 1 and 2, the communications from browser to website. Regardless of whether you call the URL contents or metadata, the end website was a party to the communication that consented. It is like the telephone operator hearing the request, and it can listen to what it is being told. The same is true with legs 3 and 4. Regardless of whether you call the passed on URL contents or metadata, the third party is a "party to the communication" for legs 3 and 4. It can listen to what it is being told, too.

You might think, wait, how can the third parties be parties to the communication for legs three and four if the user didn't intend to communicate with them? I think that's the case for two reasons. First, the caselaw on telephone wiretapping holds that a person is a party regardless of whether the sender of the communication knows who they are. This has come up in the telephone caselaw when a criminal calls a co-conspirator's home phone, and it so happens that the police are executing a warrant at the co-conspirator's home at that moment. An officer picks up the phone and listens as the caller says incriminating things. Held: No Wiretap violation because the officer is a party to the communication, even though the caller thought he was speaking to someone else. See, e.g., State v. Lamontagne, 136 N.H. 575 (1992). This strikes me as similar, with the sender of the web request knowingly sending out the browser info that gets routed to the third party.

Second, if you say that the third party is not a party to the communication, then presumably you would say that the website visited is such a party. But the third party learned of the URL only because the website was working with the third party to send some of the webpage to the user. Thus, the website party consented to the monitoring by the third party. Either way, I don't see how you get to a Wiretap Act violation.

Finally, although I don't have a view of most of the other arguments raised in the pending case, I should flag two issues on which I do have some views. First, it's very clear that there is no SCA violation: There is no provider/user relationship at play that is needed to trigger the SCA. See generally here at 8-9; see also Garcia v. City of Laredo, 702 F.3d 788 (5th Cir. 2012) (same). Similarly, I don't think the CFAA claims work for reasons explained here at 24-25.

UPDATE: Jonathan Mayer, who first discovered the use of third party tracking cookies that led to press coverage of this issue and prompted the lawsuits, points out that he discusses URLs as contents vs. metadata here in his online surveillance course.