In a recent ruling (available here) in the In Re: Google Inc. Cookie Placement Consumer Privacy Litigation case, the U.S. Third Circuit Court of Appeals upheld a lower court’s dismissal of all claims under federal law, including claims under the Wiretap Act (18 USC § 2510 et seq.), the Stored Communications Act (18 USC § 2701), and the Computer Fraud and Abuse Act (18 USC § 1030) (though certain state law claims remain). The court’s discussion of the Wiretap claim is particularly noteworthy as the court explicitly stated that in certain circumstances third party tracking of URLs visited by an online user can constitute a violation of the statute.
The plaintiffs accused Google of bypassing the third party cookie blockers in their Safari and Internet Explorer browsers. Google admitted that it detected the relevant browser configurations and engineered around the constraints, but denied this was a violation of law.
Because the details of how Google did this are critical to the court’s determination, it is worth pausing to look at a few technical details. Google realized that both browsers permitted third party cookies to be used, even if a user had third party cookie blocking enabled, if the browser communicated with the third party server through an HTML form submission. HTML forms are used to submit user input to a server. Generally when a user fills in information on a webpage then clicks a button to submit the information to the website, the fields on the page that the user interacts with are contained inside a form. An HTML form can send information to a server by one of two methods that are defined in the HTTP protocol: the GET method (which was used by Google) and the POST method. The relevant difference is that the GET method sends the information from the form to the server as part of the URL (a query string). The POST method sends the same information but embeds it in the message body.
The federal Wiretap Act prohibits intentionally intercepting the contents of an electronic communication using a device. The statute contains an exception for a party to the communication. In other words, under federal law it is legal for a participant in a communication to record the communication (though not for purposes of violating any state or federal law).
The Third Circuit noted that information needed to route a communication is given much less protection under the law than the content itself. However, the court explained that routing information (including a URL visited by a user) cannot be categorically treated as non-content because there is often a blending of routing and content. The court observed that when a user performs a search on a search engine, the search terms are included in a query string, which clearly makes the URL “content,” not merely routing information.
To illustrate this point, we searched for the phrase “Edward Snowden” in several search engines. The phrase is clearly visible in each result page URL.
Additionally, while a domain name resolves to an IP address (an IP address being only routing information), a full URL includes the specific documents being accessed by name, which can reveal a great deal about the content of a communication. For example, the URLs http://www.Domain.com/EdwardSnowdenTraitor.html and http://www.OtherDomain.com/EdwardSnowdenHero.html reveal information about the content. Curiously, the court did not even mention the possibility that the domain name itself might reveal content. It is not hard to imagine domain names that on their own convey content – EdwardSnowdenHero.com and EdwardSnowdenTraitor.com, for example.
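The GET/POST difference and the blending of routing and content in a URL, both described above, can be seen in a short added example (not part of the original article or the court record). The host search.example and the field name q are constructed placeholders; the code serializes the same form both ways, separates the host from the content-bearing path and query, and shows a routing-only reduction of the kind a log-minimization step might apply.

```javascript
// Added illustration. search.example and the field name "q" are constructed
// placeholders, not taken from the ruling or from any real service.

// Serialize form fields the way a browser does for a urlencoded HTML form.
function buildFormRequest(method, action, fields) {
  const url = new URL(action);
  const encoded = new URLSearchParams(fields).toString();
  if (method === "GET") {
    url.search = encoded; // GET: the fields become the URL's query string
    return { method, url: url.href, body: "" };
  }
  return { method, url: url.href, body: encoded }; // POST: fields travel in the body
}

// Separate the part of a URL needed to route the request (the host) from
// the parts that describe what was requested (path and query string).
function classifyUrl(href) {
  const u = new URL(href);
  return {
    routing: u.host,
    path: u.pathname,
    query: Object.fromEntries(u.searchParams),
  };
}

// Reduce a URL to scheme and host before it is stored or logged.
// As the article notes, the host name alone can still convey content.
function routingOnly(href) {
  const u = new URL(href);
  return `${u.protocol}//${u.host}/`;
}

const fields = { q: "Edward Snowden" }; // the search phrase used in the article
for (const method of ["GET", "POST"]) {
  const req = buildFormRequest(method, "https://search.example/results", fields);
  console.log(method, "URL:", req.url, "| body:", req.body || "(empty)");
  console.log("  content in URL:", JSON.stringify(classifyUrl(req.url).query));
  console.log("  routing only:  ", routingOnly(req.url));
}
```

With GET, anything that records the full URL also records the search phrase; with POST the URL carries only the host and path, and the phrase is in the message body.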
The Third Circuit went on to explain why Google was not liable in this case and in doing so provided technology firms with a clear indication of what not to do. To work around the browser settings, Google loaded an HTML form with its advertising-related content into the page being loaded by an end-user. The page then submitted the form directly to Google’s servers, which returned the advertisements and cookie to the user’s browser. While a form is usually submitted in response to a user action (such as a button click) it can be submitted by code without user involvement, which is what Google did. The court noted it was the direct browser-to-Google communication that was used to gather tracking data and install a cookie in the user’s browser. This communication was separate from the user’s communication with the website being visited and thus made Google a party to the communication where tracking functions were being performed. As a party to the communication, Google was exempted from the prohibitions in the federal wiretapping law. If Google had put itself in the middle of the browser-to-website communication, the outcome may have been different.
The Third Circuit then specifically described what would be a violation of the wiretapping law. If Google had not merely used content in communications to which it was a party but had used a technology “capable of capturing communications sent by the plaintiffs and intended for first-party websites, and then transmitting” the captured communications to Google, this would be a violation of law.