Websurfing and the Wiretap Act, part 2: The Third Circuit's ruling
The Third Circuit has handed down a very important opinion on Internet surveillance law: In re Google Cookie Placement Consumer Privacy Litigation (Nov. 10, 2015). The decision is the first case to grapple in detail with how the Wiretap Act applies to the Internet. If you're interested in surveillance law, you need to give this opinion a close and careful read. It's a big deal. It leaves some things undecided, but it also suggests that the Wiretap Act provides pretty strong privacy protections online.
This post will go over the decision, explore its reasoning and conclude with its implications.
I. The Case
As I explained in my first post back in June, the case involves a class action lawsuit about tracking cookies that can be placed on your browser when you surf the Web. When you visit a Web site, the Web site may have a third-party site send ads to your browser and may leave records about your usage on a cookie on your browser. Because lots of companies can use these third-party sites, the third-party sites may be able to collect records of your browsing online through that cookie.
In this case, the plaintiffs argued that the Wiretap Act was violated because the use of tracking cookies created a record of what Web sites users visited without their knowledge. Users could set their browsers to block these third-party cookies, but the browser wouldn't actually block them. That meant that the advertising companies learned what Web sites users were visiting without the users' knowledge. The big legal question was whether this surveillance violates the federal Wiretap Act. (There were other claims, but I'll bypass them here.)
II. The Important Legal Question
To understand the significance of this case, a little background is necessary. The Wiretap Act was enacted in 1968 to regulate telephone wiretapping. It's a pretty straightforward law when applied to telephone calls. Under the law, no one can use a wiretapping device to tap into a phone call unless someone on the call consents. In the language of the statute, no one can intercept the "contents" of a communication without the consent of a "party to the communication."
In 1986, Congress expanded the Wiretap Act so that it applies to computer networks. Congress didn't realize it at the time, but expanding the Wiretap Act to the Internet raised some really tricky questions. Traditional telephone calls are person-to-person, where application of the Wiretap Act is pretty clear. But Internet communications are often person-to-computer or computer-to-computer. That raises two questions: When are such communications "contents" that the Wiretap Act regulates, and who are the "parties to the communication" that can consent?
These questions are particularly hard when you need to apply the framework to the World Wide Web, which wasn't invented until after the Wiretap Act had been expanded to the Internet.
You're probably thinking that there must be a lot of caselaw on this. The Wiretap Act has applied to the Internet since 1986, after all, and the Web has been around since the 1990s. But although these issues were spotted a long time ago, there has been a remarkable absence of caselaw on them. That's probably because there is no statutory suppression remedy for violations in the criminal context. But whatever the reason, there is surprisingly little caselaw on how the Wiretap Act applies to the Internet in general and Websurfing specifically.
III. The District Court's Ruling
The district court dismissed the Wiretap Act claim under Rule 12(b)(6). Although Google was "plausibly" a party to the communication, the district court concluded, the court was uncomfortable ruling on that ground. Instead, the court ruled that the Internet addresses that the third-party cookies collected—URLs, or Uniform Resource Locators, the stuff in the command line of your browser when you surf the Web—did not constitute contents. Because no contents were intercepted, the Wiretap Act could not apply.
IV. The Third Circuit's Ruling
The Third Circuit affirmed the ruling that the Wiretap Act claim had to be dismissed under Rule 12(b)(6), but it disagreed with the reasoning of the district court. According to the Third Circuit, obtaining the URLs did collect at least some content under the Wiretap Act. On the other hand, Google was a party to the communication, so the Wiretap Act was not violated.
Let's take a close look at the court's reasoning.
First, the Third Circuit adopted a functional approach to the distinction between content and metadata. The court rejected the district court's view that URLs are categorically non-content. "[T]here is no general answer to the question" of what is content, the court explained, as the "inquiry is a case-specific one turning on the role the [information] played in the intercepted communication." When information serves "a routing function" for that communication on the way to the party destination, it is metadata with respect to that communication. If the information "comprises part of a communication's substance" to the party destination, it is content for that communication. The court approvingly quoted this explanation from a treatise:
[T]he line between content and non-content information is inherently relative. If A sends a letter to B, asking him to deliver a package to C at a particular address, the contents of that letter are contents from A to B but mere non-content addressing information with respect to the delivery of the package to C. In the case of email, for example, a list of e-mail addresses sent as an attachment to an e-mail communication from one person to another are contents rather than addressing information. In short, whether an e-mail address is content or non-content information depends entirely on the circumstances.
This means that the content/metadata inquiry is "not abstract but contextual with respect to each communication." Information can be metadata with respect to some communications—"dialing, routing, addressing, and signaling information," in the language of the Pen Register statute—and simultaneously contents with respect to other communications. To see whether the Wiretap Act was violated, you always need to focus on that specific communication and identify the parties to that communication.
Based on this conclusion, the Third Circuit concluded that at least some contents had been acquired. The court declined to say exactly where the line is—more on this in a minute—but it ruled that accepting the complaint as written, contents had been acquired.
The court then held that the case must be dismissed because Google and the other defendant-advertising companies were parties to the communications. They only acquired the URL information because the software worked by sending a request from the user's browser directly to them that included the addressing information:
If users' browsers directly communicate with the defendants about the webpages they are visiting-as the complaint pleads with particularity-then there is no need for the defendants to acquire that information from transmissions to which they are not a party. . . .
In short, our understanding of the plaintiffs' allegations is that the defendants acquired the plaintiffs' internet history information when, in the course of requesting webpage advertising content at the direction of the visited website, the plaintiffs' browsers sent that information directly to the defendants' servers.
But wait, the plaintiffs argued: If we sent that information, it is only because we were tricked into sending it. We didn't want to send it, because we thought we had blocked third-party cookies. But according to the Third Circuit, this doesn't matter:
Though we are no doubt troubled by the various deceits alleged in the complaint, we do not agree that a deceit upon the sender affects the presumptive non-liability of parties under [the party to the communication exception]. "In the context of the statute, a party to the conversation is one who takes part in the conversation." There is no statutory language indicating this excludes intended recipients who procured their entrance to a conversation through a fraud in the inducement.
So the defendants collected contents, but they were parties to the communication that they collected. The federal Wiretap Act was not violated.
V. Where Exactly is the Content/Non-Content Line?
Parts of the opinion seem to want to reach out and settle exactly where the content/metadata line is, but part of the opinion pulls back and says the court is not settling that question. What you make of the opinion depends on whether you focus on the parts that hint at the exact answer or the part that pulls away from it. I'll present both parts below.
First, the opinion hints that the important content/non-content line for Websurfing may be the line between the domain and the post-domain address. The hint comes in a part of the opinion that talks about the view that post-cut-through dialed digits—the numbers you might enter when you call an automated help line after the call has been placed—are contents with respect to that call. When you dial a phone number, the numbers you're dialing to place the call are contents to the phone company but metadata with respect to the subsequently connected call. But the post-cut-through dialed digits are different, a few courts have held. Although they are numbers that the user enters, they are contents—actual messages—with respect to the subsequently connected call.
The Third Circuit agreed with this reasoning, and stated that it "hints at a . . . reason why queried URLs might be considered content":
URL queries bear functional analogues to this process, in that different portions of a queried URL may serve to convey different messages to different audiences. For instance, the domain name portion of the URL-everything before the ".com"- instructs a centralized web server to direct the user to a particular website, but post-domain name portions of the URL are designed to communicate to the visited website which webpage content to send the user.
That "for instance" is really interesting. A bunch of courts have held that search engine queries are contents in the communication to the Web site queried—they are, after all, a message entered in by the user to the search engine company. But here the Third Circuit is suggesting a significantly more restrictive line. Maybe everything in the address after "the domain name portion" counts as contents in the communication to the Web site queried. (As an aside, although the court refers to this as "everything before .com," I assume the court meant to include the top-level domain, such as .com, .org .edu—everything that the Domain Name System servers need to get an IP address to route the communication.)
Let's explore what this might mean. The idea is that if you click on a link, it's kind of like sending a letter with the domain marked on the envelope and the rest of the address inside the letter. Say you want to read my earlier story about this case, which you can read here. If you click on the link in my last sentence, you're telling the Internet that you want to send a message to washingtonpost.com—which Domain Name System servers will translate to the IP address 192.33.31.56. The Internet will route your message to that address. When your communications arrives at 192.33.31.56, which is the location of washingtonpost.com, it will deliver the message to washingtonpost.com that you want to read the specific story located at the subdomain "news/volokh-conspiracy/wp/2015/06/04/websurfing-and-the-wiretap-act/".
This is important because monitoring of Websurfing won't take place at the Web site visited, such as washingtonpost.com. The monitoring will occur from somewhere else. From that vantage point, the domain name washingtonpost.com is just metadata with respect to the communication to washingtonpost.com. But the rest of the address is content information from that perspective: It's the "payload" of the message between your browser and washingtonpost.com.
The upshot in the government surveillance context: The government could monitor the domain a person visits without obtaining a wiretap order but would need a wiretap order to monitor the rest of the address. Put another way, the government could readily find out that you were visiting washingtonpost.com, but they would need a "super warrant" wiretap order to find out that you had requested a specific story there.
I wrote earlier that the opinion suggests a line but then backs away. Here's the backing away, which comes in a footnote shortly after the passage above:
We need not make a global determination as to what is content, and why, in the context of queried URLs. Lack of consensus, the complexity and rapid pace of change associated with the delivery of modern communications, and the facileness of direct analogy to mail and telephone cases counsel the utmost care in considering what is, and what is not, "content" in the context of web queries. Indeed, when it comes to differentiating content from non-content, . . . queried URLs [have been characterized] as "the most difficult and discussed case."
I read this footnote as leaving the court's "for instance" as a suggestion but not a holding. The court isn't answering exactly where the line is because it doesn't have to: It's enough to say that monitoring URLs on a broad scale will collect at least some contents. Exactly where the line is remains for another day, with a big hint that the line might be between the domain and everything else. This part of the opinion has the feel of a compromise. Perhaps the authoring judge wanted to draw the line clearly, but another judge on the panel wanted to be cautious and asked for the addition of the footnote.
VI. A Few Thoughts About the Third Circuit's Opinion
Here are few thoughts about the opinion and what it means.
First, I think the opinion is correct. It's somewhat easy for me to say that, as the court agreed with and quoted my earlier writing on this issue, including my earlier post and the treatise section I have written on this. So in the spirit of my adage that Brilliant People Agree With Me, I must declare this opinion "superb" and "extremely insightful." Seriously, though, this was the first thorough and careful treatment of a really hard and important issue. Good for the Third Circuit for delving into the details of it; I suspect the opinion will be very influential.
Second, although the court doesn't adopt a clear holding about the content/metadata line, cautious officials will probably want to take the domain-vs.-everything-else line as a useful line to draw. If so, the Third Circuit's ruling may have a lot of impact by drawing (or at least suggesting) a line that significantly limits Internet surveillance. That will be important not only to government officials, but also to private companies that use surveillance techniques.
Third, I suspect this opinion may have a major impact on litigation over state surveillance laws. Some states have state laws that resemble the federal Wiretap Act but require the consent of every party to the communication, not just one party to the communication. As a matter of policy, I think all-party consent statutes are really dumb. But they're on the books, and the Third Circuit's relatively broad approach to contents may inspire new litigation under all-party consent laws. With that said, there's a caveat: I think there are major Dormant Commerce Clause problems with all-party consent laws applied to Internet surveillance. Internet communications are a mostly, if not entirely, interstate means of commerce. Because an all-party consent statute necessarily tries to impose regulations on out-of-state branches of communications, I think such laws are highly problematic under the Dormant Commerce Clause. Stay tuned to see where the state litigation goes and whether the Dormant Commerce Clause challenges are raised.
Fourth, it's not obvious that the content/metadata line for the Wiretap Act is the same as the line for the Fourth Amendment. There are significant arguments that the line should be drawn differently. With that said, if the Wiretap Act is interpreted broadly, the Fourth Amendment line matters a lot less.
Fifth, I wonder if the court's approach to the content/metadata line may bolster support for the content/metadata distinction among surveillance law scholars. I have argued that the distinction is fundamental to surveillance law. Among some civil libertarian critics, however, it is common to say that there is no distinction between content and metadata because they are identical and equally revealing. I have found that, when pushed, those who say this often point to URLs as the big problem. Courts will inevitably see URLs as all metadata, they suggest, which will allow mass government surveillance of Websurfing in the United States. The Orwellian implications of this must mean that the content/metadata line is useless and must be rejected. (To be clear, the answer to this is always to "equal up" so that everything is treated as contents; it is never to "equal down" so that everything is treated as metadata.) But under the Third Circuit's opinion, the content/metadata line has a lot more bite than civil libertarians have thought. It will be really interesting to see whether this revives respect for the distinction among surveillance law scholars.