A federal appellate court in Denver recently upheld summary judgment for an Internet service provider (ISP) defending class action allegations that it violated the Electronic Communications Privacy Act of 1986 (ECPA) by acquiring information about subscriber websurfing activities as part of a program to tailor online advertisements for its subscribers.
Online advertisers and advertising firms, as well as web publishers and website hosts, will have just as much interest as communication carriers in the Tenth Circuit's year-end decision, which solidifies a spate of recent district court decisions confirming the compliance of various online advertising platforms with state and federal privacy laws. The new decision is one of very few federal appellate court decisions construing ECPA's application to online behavioral advertising, and distinguishes entities directly acquiring Internet traffic from businesses whose participation is less direct and therefore not subject to ECPA liability under an aiding and abetting theory. The decision also recognizes that by defining authorized "interceptions" to include ordinary-course-of-business acquisitions of electronic communications, Congress immunized the ISP's challenged activity from ECPA claims.
THE EMBARQ LITIGATION
Kirch v. Embarq Management Co., (Dec. 28, 2012 10th Cir.) involved an online advertising system developed by now-defunct NebuAd Inc., which used a device (called an "Ultra Transparent Device" or "UTA") installed in an ISP server to monitor Internet traffic of the ISP's customers.1 Anonymized segments of that traffic were allegedly transmitted to and used by NebuAd to compile user profiles and then deliver targeted online advertising to the ISP's customers. In November 2007, Embarq contracted with NebuAd to test the system at a facility Embarq maintained in Gardner, Kansas, where the Kirches subscribed to Embarq's Internet service. Under the contract, advertising profits were split by NebuAd and its ISP partners.2 After a Congressional investigation raised concerns about the NebuAd system, Embarq stopped using it in March 2008.
Plaintiffs filed suit in the District of Kansas, alleging that Embarq's deployment of NebuAd's online advertising technology constituted an unlawful interception of electronic communications in violation of ECPA. Plaintiffs' theory was that because Embarq failed to adequately notify its Internet service subscribers about the use of NebuAd's system, customers' Internet traffic was being unlawfully intercepted by the UTA device in violation of ECPA.3 ECPA prohibits the interception of "electronic communication" and imposes criminal and civil liability. 18 U.S.C. §§ 2511, 2520. Under ECPA, Internet traffic constitutes "electronic communication." Id. §2510(12). ECPA defines "intercept" as "the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device," but the statute excludes from that definition a number of ordinarycourse- of-business acquisitions of communications, including "any telephone or telegraph instrument, equipment, or facility, or any component thereof . . . (ii) being used by a provider of wire or electronic communication service in the ordinary course of business . . . ." Id. §2510(5)(a).
After discovery, Embarq moved for summary judgment which the district court granted. The district court first ruled that Embarq had not intercepted plaintiffs' communications because, regardless of what information the NebuAd System extracted from Internet traffic traversing through the UTA, Embarq had no access to that information or to the profiles constructed from that information. Plaintiffs' theory was that NebuAd extracted contents of the communications, not Embarq, and there was no evidence that Embarq actually acquired the contents of digitized Internet traffic flowing through its servers. Because ECPA defines "intercept" to mean "the acquisition of the contents" of a communication, and because "contents" is defined to mean not merely the medium of an electronic communication but "the substance, purport or meaning of that communication," Embarq had not "acquired" its subscribers' electronic communications under ECPA. The district court then rejected the argument that Embarq could be held liable on a theory of aiding and abetting NebuAd's alleged "interceptions," because ancillary liability theories of "aiding and abetting" are not available under ECPA.
THE TENTH CIRCUIT'S AFFIRMANCE
The Tenth Circuit affirmed summary judgment, expanding upon both the limitations of plaintiffs' aiding and abetting theory and application of ECPA's ordinarycourse- of-business defenses. The Tenth Circuit held that because ECPA creates no aiding and abetting civil liability, Embarq could be liable under the statute only if Embarq itself intercepted the plaintiffs' Internet communications. Because it was undisputed that the ISP Embarq did not acquire the contents of the Kirches' Internet traffic (a function the NebuAd device allegedly performed when that traffic traversed the UTA), nor did Embarq have access to that data or to the profiles NebuAd constructed from it, Embarq could not be found to have intercepted the plaintiffs' electronic communications. The Tenth Circuit observed that ECPA's predecessor statute imposed civil liability for those who "procure" an interception, but ECPA's 1986 enactment amended the statute's civil provisions by deleting the "procure" clause and thereby removed aiding and abetting liability from the statutory regime.
The Tenth Circuit's decision also acknowledged undisputable evidence that Embarq's use of the NebuAd UTA gave that ISP no more of its users' electronic communications than Embarq otherwise had in the ordinary course of its business as a service provider. Embarq was therefore shielded from liability under the statutory authority granted by ECPA for "any instrument" being "used by a provider of wire or electronic communication service in the ordinary course of its business . . . ." 18 U.S.C. § 2510(5)(a). Embarq did not obtain access to the digitized Internet traffic of its subscribers in any way other than as an ISP carrier handling its users' traffic, nor did the ISP have access to the data and profiles that NebuAd allegedly derived from Embarq's customer traffic via its UTA. Since Embarq did not come into possession of anything more than the Internet traffic it already handled in the ordinary course of its ISP service, the conduct alleged did not place Embarq's conduct outside section 2510(5)'s safe harbor provisions.
Embarq makes it clear that carriers, advertisers and website publishers are not exposed to civil ECPA claims simply by participating in online advertising programs. But participants in online advertising programs must remain diligent to ensure that programs comply with applicable laws. While the facts presented did not take this case beyond "aiding and abetting" liability, "many variables enter into the equation on how much aid is 'substantial aid' sufficient to invoke liability." Halberstam v. Welch, 705 F.2d 472, 483 (D.C. Cir. 1983). Even where "aiding and abetting" theories are not available, a party might remain subject to primary or joint liability theories when it knowingly participates in an enterprise or conspiracy through direct commission of unlawful acts that further the primary wrongdoer's goals. Id. at 479; Restatement of Torts 2d § 876(b). This sort of "enterprise" or "instrumentality" liability theory does not rely on "aiding and abetting" principles – it is a theory of direct liability.
The Embarq decision also promotes clarity about the types of electronic communication interceptions authorized by ECPA. Plaintiffs' lawyers have been challenging online and mobile advertising programs under a variety of statutory and traditional common law tort theories, getting modest settlements in some cases while losing motions to dismiss in most others. The circumstances under which a business can access Internet communications in the ordinary course of its business is a question that Congress left to Section 2510(5)(a)'s "safe harbor" provision and, consistent with ECPA, an advertiser or publisher's participation in these programs does not violate the Act.
1 Embarq was initially sued in the Northern District of California as part of a larger putative class action against NebuAd and all ISP companies who deployed its advertising service. The ISP defendants successfully moved to dismiss that action on jurisdictional grounds. See Valentine v. NebuAd, Inc., et al., No. C08-05113 TEH (N.D. Cal. Oct. 6, 2009).
2 See Valentine v. NebuAd, Inc., No. C08-05113 THE (N.D. Cal. April 4, 2011) (Order denying NebuAd motion to dismiss)
3 The Kirches also asserted state law claims and a violation of the federal Computer Fraud and Abuse Act, but these additional claims were dismissed with prejudice by stipulation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.