The Tenth Circuit ruled on December 28 that Embarq, an ISP, cannot be liable as an aider and abettor under the Electronic Communications Privacy Act (ECPA) for allowing a third party, an online advertising company, to install a monitoring device on the ISP’s network, as the provisions of the ECPA do not include aiding-and-abettting language.
Facts of the Case
Kathleen and Terry Birch filed a putative class action against two Internet service providers (ISPs), Embarq Management Company and United Telephone Company of Eastern Kansas (collectively “Embarq”). Plaintiffs, subscribers to Embarq’s broadband Internet services, had initially alleged common law claims for invasion of privacy by intrusion into seclusion and trespass to chattels, and also violation of two federal statutes, the ECPA and the Computer Fraud and Abuse Act (CFAA). Plaintiffs agreed later to dismiss some of their claims, and only the claim that Embarq had violated the ECPA remained.
Plaintiffs claimed violation of the ECPA, which amended the Wiretap Act, and makes it a crime to intercept “any wire, oral, or electronic communication.” The statute defines ‘intercept’ as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.”
However, there is no interception under the ECPA if the contents of a communication are acquired in the ordinary course of business of an ISP, or if a party to the communication consents to its interception.
Embarq had argued in front of the US district court for the district of Kansas that it could not be held liable under the ECPA because the Act does not provide for liability of aiders and abettors, and that Embarq had not itself intercepted plaintiffs’ communications.
The district court granted summary judgment to Embarq on August 19, 2011, and the plaintiffs appealed. The Tenth Circuit affirmed the district court’s judgment.
NebuAd’s Business Model (Defunct)
According to the uncontroverted facts as stated in the District Court’s grant of summary judgment, Embarq contracted with NebuAd, an online behavioral tracking company, which is no longer in business, and allowed NebuAd to install its Ultra-Transparent Appliance (UTA) on the ISP’s networks. The UTA was able to monitor theISPs’ users’ inbound and outbound communications. NebuAd was inspecting the content of users’ Internet traffic, and used that knowledge to create de-identified user profiles which allowed it to deliver targeted advertisements to the ISP’s users. NebuAd shared the advertising profits with the ISP.
Interception of Communication
The district court interpreted the ECPA as defining interception of a communication as coming into possession or controlling the substance, purport or meaning of that communication. The court agreed with defendant that Embarq had no access to the information that NebuAd extracted from the communications traveling through the UTA, nor did it have access to the profiles constructed from that information.
The Tenth Circuit agreed with the district court, noting that “it is undisputed that the only access Embarq had to the data extracted by NebuAd was in its capacity as an ISP, not because of any special relationship with NebuAd…” and also noted that “Embarq did not engage in an “interception” under the ECPA because of the ordinary-course-of-business exclusion from the definition of interception.” The Tenth Circuit was satisfied that “the undisputed facts establish that NebuAd’s use of the UTA gave Embarq access to no more of its users’ electronic communications than it had in the ordinary course of its business as an ISP.”
Aiding and Abetting
Plaintiffs tried to hold Embarq secondarily liable based on its contractual relationship with NebuAd, arguing that Embarq was indirectly liable as a procurer, aider, abettor or co-conspirator of NebuAd’s alleged violation of the ECPA. The District court held that the ECPA does not provide for such secondary liability, as liability attaches only to the party that actually intercepts the communication, citing In re Toys R US, Inc. Privacy Litigation (N.D. Cal. 2001), where the court held the Wiretap Act does not provide a cause of action against aiders and abetters. The Tenth Circuit affirmed.
The Tenth Circuit did not, however, address the issue of consent by not-opting out of the ISP’s service, but the District Court had held that Embarq was entitled to summary judgment based on plaintiffs’consent, which is expressly excluded from the category of “unlawful interceptions.”
When Bob Dykes, NebuAd’s CEO testified before the House Subcommittee on Telecommunications and the Internet in July 2008, he stated that his company required from ISPs “to provide robust, advance notice and our operations and our privacy protections to their subscribers, who at any time can exercise their choice not to participate.” He further stated that if an user chooses to opt out, NebuAd would delete this user’s anonymous profile and ignore from then on his
For the district court, since plaintiffs continued to use the Internet after these changes, they were bound by the changes and thus impliedly consented to having their Internet activity monitored. Plaintiffs also argued unsuccessfully that NebuAd had to be identified specifically as a third party, that the privacy notice was not conspicuous enough, and that the opt-out mechanism was insufficient because it did not prevent NebuAd from collecting their data.