The Volokh Conspiracy
Mostly law professors | Sometimes contrarian | Often libertarian | Always independent
The FCC's broadband privacy regulations are gone. But don't forget about the Wiretap Act.
President Trump recently signed a congressional resolution completing the repeal of broadband privacy rules announced by the Obama-era Federal Communications Commission. According to news reports, the purpose of the repeal was to allow broadband Internet service providers to conduct the same sort of monitoring of user online activities, such as Web-surfing habits, that companies like Google and Facebook can conduct.
I don't know much about communications law or the proposed regulations. But the description of what the repeal was designed to do made me wonder: Isn't that kind of monitoring mostly illegal under the Wiretap Act? As I see it, the Wiretap Act substantially limits what kinds of surveillance broadband providers can conduct even without the Obama-era rules. Given that, it's not clear to me how much the repeal actually matters.
Conversely, if broadband providers wrongly think the repeal gives them a green light to monitor how users surf the Web, they may face some pretty significant class-action lawsuits they don't currently expect. Depending on the details, those class-action suits may very possibly be meritorious—and if so, could carry statutory damages so high that the lawsuits could be "bet the company" litigation. This post will given an overview of that legal risk.
I. Introduction to the Wiretap Act
The Wiretap Act, for those who don't know it, is a federal criminal and civil statute that prohibits intercepting contents of communications without the consent of a party to the communication. It started as a telephone privacy statute—it prohibited third-party wiretapping of a telephone call—but was expanded to the Internet in 1986. Today the Wiretap Act applies to pretty much every communications network and gives telephone and Internet users pretty strong privacy protections.
Violating the Wiretap Act is a big deal. It is not only a federal felony but also triggers powerful civil remedies. Under 18 U.S.C. 2520, any person who has been unlawfully wiretapped can get civil damages from the violator that can include "statutory damages of whichever is the greater of $100 a day for each day of violation or $10,000," or actual damages, if they are greater than that; includes "punitive damages in appropriate cases"; and includes "a reasonable attorney's fee and other litigation costs reasonably incurred." With statutory damages at $10,000 for each person wiretapped, a company that violates the Wiretap Act with respect to its customers on a large scale risks a super-high damage award.
Next let's go through the key elements of the statute to see why monitoring of Web-surfing might violate it.
II. Interception of Contents
Violating the Wiretap Act generally requires intercepting "contents" of communications. The leading case on the meaning of contents in the context of Web-surfing is In re Google Cookie Placement Consumer Privacy Litigation Litigation, 806 F.3d 125 (3d Cir. 2015), a case I blogged about at length when it was handed down. The basic idea is that URLs can contain contents under the Wiretap Act because whether information is contents depends on what the computer is doing with it. If a computer is merely passing on information that it doesn't actually use, acting only as a conduit, the information passed on counts as contents with respect to that computer and collecting it collects contents under the Wiretap Act.
The 3rd Circuit didn't decide exactly where the content/non-content line was. But the court strongly hinted that, for a delivery service such as a broadband provider, the part of URLs that aren't about the IP address needed to deliver the Web page counts as contents. See slip op. at 26. If that is right, then a broadband provider that collects the full URLs its users are requesting is obtaining the contents of its users' communications.
What can broadband providers do to avoid liability? They can limit the collection of Web-surfing information to what they need to gather to deliver the communication. That means the provider can collect IP addresses but generally can't collect full URLs without triggering the Wiretap Act. (Interception also requires real-time acquisition, but I assume that's how broadband providers would collect the information anyway, so I won't dwell on that element.)
III. Did a Party to the Communication Consent?
The next big issue is consent. Interception is legal if a "party to the communication"—that is, the person who is surfing the Internet and having URLs collected—has consented to the acquisition. I've heard some people say that Terms of Service found in broadband contracts should suffice and avoid liability. But I don't think this works, for two reasons. The first reason involves the consent standard, and the second reason involves who is a party to the communication.
The first reason is that the standard for consent is very likely not met by Terms of Service. The relevant circuit caselaw on the consent standard was mostly handed down in the context of telephone calls, in part because there's a suppression remedy for unlawful interception of telephone calls. (The suppression remedy gives defendants an incentive to litigate the issue and has led to a significant body of circuit court caselaw.) The circuit cases indicate that consent exists when a person has received clear notice of the monitoring and has elected to proceed anyway. The classic example is monitoring of prison phones, where there is clear written notice all over and right next to the phone indicating that the phone calls will be monitored. See, e.g, United States v. Amen, 831 F.2d 373, 378 (2d Cir. 1987).
Importantly, however, the standard is consent in fact rather than constructive consent. The issue is whether the person did consent because he received notice and proceeded, rather than whether he should have known about the monitoring. Here's how the First Circuit summarized the law in United States v. Lanoue, 571 F.3d 966 (1st Cir. 1995):
Deficient notice will almost always defeat a claim of implied consent. See Williams v. Poulos, 11 F.3d 271, 282 (1st Cir.1993); Campiti, 611 F.2d at 390, 393. Keeping in mind that implied consent is not constructive consent but " 'consent in fact,' " consent might be implied in spite of deficient notice, but only in a rare case where the court can conclude with assurance " 'from surrounding circumstances … that the [party] knowingly agreed to the surveillance.'" Griggs-Ryan v. Smith, 904 F.2d 112, 116-17 (1st Cir.1990) (quoting Amen, 831 F.2d at 378) (emphasis supplied). We emphasize that "consent should not casually be inferred," Griggs-Ryan, 904 F.2d at 117, particularly in a case of deficient notice. The surrounding circumstances must convincingly show that the party knew about and consented to the interception in spite of the lack of formal notice or deficient formal notice.
Under that standard, a provision in a Terms of Service somewhere shouldn't be enough to generate consent unless the particular user actually saw the notice of monitoring. Because most users don't read Terms of Service—I certainly don't—the fact that there is a term tucked away that a person theoretically should read (but no one actually does) shouldn't be sufficient under the circuit caselaw to generate Wiretap Act consent. Clearer notice is required under the relevant circuit precedent, such as something that really gets in a user's face and really puts them on notice. As far as I know, the broadband providers don't have anything that clear and direct in mind.
Granted, there is some precedent in some district courts suggesting a looser standard for consent. In particular, Judge Lucy Koh has handed down some decisions suggesting that clear Terms of Service governing scanning practices for an email account generate Wiretap Act consent. See, e.g., In re Google Inc., 2013 WL 5423918, at *14 (N.D. Cal. 2013); In re Yahoo Mail Litigation, 7 F.Supp.3d 1016 (N.D. Cal. 2014). In those cases, it was not contested that people read the Terms of Service when they set up an email account. The question was therefore whether the Terms of Service, when read, were clear enough to put users on notice of the monitoring.
I don't think Koh's reasoning should give much comfort to broadband providers hoping to get Wiretap Act consent through Terms of Service, though. As I noted, most people don't read Terms of Service. That reality may not have been pointed out (for reasons unclear) in the specific cases before Koh. But it's the reality, and I think it's reality that matters. Cf. Jandak v. Village of Brookfield, 520 F. Supp. 815, 820 n. 5 (N.D. Ill. 1981) (noting that Wiretap Act consent hinges on whether the party to the communication actually knew of the monitoring, not whether "the party reasonably should have known").
The second problem with a Terms-of-Service-as-consent theory is that the Wiretap Act gives statutory rights to parties to communications rather than to account holders. Let's say you agree with Koh that Terms of Service are enough to generate consent for subscribers. Even if that's right, that would be only enough to avoid liability for those people who signed up for the broadband accounts. It's common for one person to set up the account and for everyone else in the family or house to use it. That means most people who use the service never consented to anything: They just hopped on the network and started to use it without knowing anything about the provider's policies. Even assuming that most people read Terms of Service when they set up an account with a broadband provider, most people don't read Terms of Service when they just hop on a wireless network with a broadband provider that someone else set up. It's hard to see how such users consented.
A reader not familiar with the Wiretap Act might think this is a little strange: Shouldn't the rights go with the person who set up the account rather than the person who happens to use it? But the Wiretap Act's answer is emphatically "no." The whole structure of the Wiretap Act is that it's the party to the communication—the person actually talking on the phone, or the person actually using the computer network—who has rights. And if you didn't set up the account, and you just happened to hop on to a wireless hotspot and have no idea who the provider is or what its policies are, I don't see how you consented to monitoring based on Terms of Service you never saw or (in some cases) couldn't see even if you tried.
IV. Possible Defenses
That's the basic case for liability if broadband providers try to collect beyond IP addresses. Are there possible defenses to liability? Yes, although I don't see any as a clear winner. I'll run through four possibilities below.
The first defense might be to invoke arbitration clauses. From what I understand, broadband contracts include an arbitration clause. Does that mean account holders can't sue in federal court? Maybe. But again, the Wiretap Act gives rights to parties to communications rather than to account holders. I don't know much about arbitration clauses, but I would be surprised if you can be bound by an arbitration clause in a contract you never entered into. I would think that the people who use the monitored services but didn't have the contract for the account can still sue (as could the websites visited, I suppose).
A second defense might be to try to invoke the extension telephone exception, 18 U.S.C. § 2510(5)(a), which exempts from the definition of intercept "any telephone or telegraph instrument, equipment or facility, or any component thereof … being used by a provider of wire or electronic communication service in the ordinary course of its business[.]" Maybe what the broadband providers want to do is in the ordinary course of their business, and is therefore allowed? That argument is weak. The extension telephone exception is a telephone-specific exception to the statute that allows employers to listen in on employee calls. It doesn't allow businesses to wiretap customers just because they do it broadly. See generally Briggs v. American Air Filter Co., 630 F.2d 414, 418 (5th Cir. 1980) (reviewing legislative history of Title III).
A third defense would be to argue that the trial court should decline to award statutory damages. Several circuits have held that trial courts maintain the discretion not to award statutory damages under Title III. See, e.g., Nalley v. Nalley, 53 F.3d 649 (4th Cir. 1995); Dorris v. Absher, 179 F.3d 420 (6th Cir. 1999). Under these cases, statutory damages are all or nothing: The trial judge can either award each person illegally wiretapped the statutory $10,000 or else award them zero. Companies might argue that an award of $10,000 per person monitored would amount to such massive liability that trial judges should exercise their discretion and instead award damages of zero. This seems like a possible argument, but I gather it's a claim made at the end of a case rather than the beginning. Given that, it's not without considerable risk.
A fourth defense is the trickiest. Under the Cybersecurity Act of 2015, which I explained in relevant part here, network providers can intercept communications "for a cybersecurity purpose." A broadband provider might come up with the following scheme: First, create a program that intercepts full URLs and other contents for a cybersecurity purpose as permitted by the Cybersecurity Act of 2015. Then, after those contents are collected, disclose the communications for a different purpose such as to sell the data thanks to the repeal of the broadband rules.
I would think the disclosure for a different purpose would be governed by the bar on disclosure under 18 U.S.C. 2702 of the Stored Communications Act as it relates to contents. The trick is that providers could argue under a range of various theories that perhaps the Section 2702 ban didn't apply. The details of the arguments are complex, as they're really about the ECS/RCS distinction that is the source of endless confusion to a lot of lawyers who study the Stored Communications Act. Given that this post is long enough, I won't bother to go into the details. Suffice it to say that these are possible arguments but very technical ones and not at all obviously correct. And they would also hinge on the court accepting that the collecting the full URLs was really for a cybersecurity purpose and not for the purpose of collecting the information to use it for other reasons. The litigation risks would be considerable.
I have been told that the arguments above never entered the debate over the FCC regulations because communications lawyers just don't think about the Wiretap Act. The Wiretap Act is a criminal statute in Title 18, and it's just something off the radar screen of lawyers who practice communications law. If so, that should change. Depending on what the broadband providers want to do, the Wiretap Act may be a serious bar to the companies doing it legally. And given the hammer of statutory damages that the Wiretap Act allows, a mistake that implicates the Wiretap Act might end up as a very costly mistake.