August 22, 2011
Deep Packet Inspection Lawsuits: NebuAd Partner ISP Wins Summary Judgment -- Kirch v. Embarq
The fallout from NebuAd's ill-fated deep packet inspection continues to percolate through the courts. Plaintiffs sued NebuAd and ISPs in the same forum in Northern California, but the ISPs were dismissed on jurisdictional grounds, requiring plaintiffs to pursue them through local lawsuits. NebuAd reportedly shut down, but lawyers recently announced a settlement over claims against NebuAd. (See: "NebuAd Settles Lawsuit Over Behavioral Targeting Tests.") Interestingly, the $2.4M from the proposed settlement will go to public interest organizations and the lawyers--there's no class payout, and just small payments to the named plaintiffs. This is fairly typical in privacy lawsuits, but settlements like these have elicited a few challenges, most prominently in Facebook's Beacon settlement (which is currently on appeal to the Ninth Circuit).
This particular case is one of the end users' cases against ISPs. They brought claims for violation of the Computer Fraud and Abuse Act, Electronic Communications Privacy Act, invasion of privacy and trespass to chattels. They voluntarily dismissed the invasion of privacy, trespass and CFAA claims. This left the ECPA claim. (The court says the claims were dismissed pursuant to "stipulation," but does not get into detail as to whether there was any settlement associated with this dismissal.)
No derivative liability: The court found for summary judgment purposes that Embarq did not have access to the contents of user communications. Embarq admittedly facilitated NebuAd's tracking and targeting, but this is not enough for plaintiffs to hold Embarq liable:
As plaintiffs' expert testified, Embarq's role was to install the NebuAd device so as to furnish the UTA connection to NebuAd. In other words, the NebuAd device . . . goes into place, then all of the raw data that flows through Embarq is directed to that device, where NebuAd does the analysis and, apparently, separates out the Port 80 traffic. Moreover, plaintiffs cite no authority that Embarq's access to the raw data that flowed through its network constitutes a violation of the ECPA, which requires an entity to actually acquire the contents of those communications. There is nothing in the record that Embarq itself acquired the contents of any communications as they flowed through its network; instead, plaintiffs' theory rests on the notion that the NebuAd System extracted the contents of the communications. Plaintiffs' assertion that Embarq 'endeavored to intercept' communications falls short of creating civil liability under the ECPA, which creates liability for actual interception.
Plaintiffs pointed to the contractual relationship between Embarq and NebuAd as a basis for holding Embarq indirectly liable. The court says clearly that the "civil liability provision of the ECPA . . . does not provide for secondary liability."
Embarq may use information such as the websites you visit or online searches that you conduct to deliver or facilitate the delivery of targeted advertisements. The delivery of these advertisements will be based on anonymous surfing behavior and will not include users' names, email addresses, telephone numbers, or any other Personally Identifiable Information.
You may choose to opt out of this preference advertising service. By opting out, you will continue to receive advertisements as normal; but these advertisements will be less relevant and less useful to you. If you would like to opt out, click here. (embarq.com/options)
Subscribers were given an opportunity to opt-out by clicking on a link. Plaintiffs made three arguments as to why this consent should not be viewed as being effective, but the court summarily rejects them all, relying in part on Mortensen v. Bresnan: (1) the scope of the disclosure was inadequate and did not identify NebuAd; (2) the notice was not conspicuous enough; and (3) the opt-out mechanism was insufficient.
The NebuAd deep packet inspection idea was ill-fated, but it's interesting to see the litigation play out as it has. NebuAd's insurers settled for a relatively small amount. The claims against the individual ISPs are struggling, and when you throw requests to compel arbitration based on the Supreme Court's decision in Concepcion into the mix, it's going to end up being a long road for plaintiffs.
I'm not sure I can think of a principled reason for this, but I've always viewed deep packet inspection as something that crossed the line. But under existing privacy laws, it's not easy to hold ISPs who partnered with NebuAd liable. Privacy plaintiffs continue to push the envelope but they are repeatedly rebuffed by the courts. As Eric notes, the statutes under which plaintiffs assert causes of action in privacy class actions are convoluted, confusing, and in need of a much-anticipated revamp.
As with the flash cookie cases, I'm curious about the FTC's role in the regulatory quagmire. I would think they could have a significant effect in the area if they came in and took the type of action they took against the likes of Google and Twitter against the players in this space. Maybe I'm missing something or there are institutional factors at play (or activities going on behind the scenes), but it certainly seems like the FTC has extracted a large quantity of blood in some situations but is ineffectual or slow to act in others.
Wendy Davis: "Embarq Wins Privacy Suit Stemming From NebuAd Tests"
1) For sake of completeness, I note that a 47 USC 230 defense wouldn't have helped Embarq against the derivative ECPA claim because 230's immunity expressly excludes ECPA claims. See 47 USC 230(e)(4). Thus, this case failed on the prima facie elements. The court says confidently (cites omitted):
The civil liability provision of the ECPA, however, does not provide for secondary liability, as liability attaches only to the party that actually intercepted a communication. As numerous courts have consistently held, a defendant does not “intercept” a communication merely by allowing or enabling, or even directing, another party to intercept communications.
2) The court's conclusion about consent is interesting:
This summary, very much in line with the Mortensen case, shows an extreme judicial deference to Embarq's contract--both in terms of letting broad opaque language serve as user "consent" and letting Embarq unilaterally amend the contract to add new and different terms. We've seen other courts push back on both practices, so I wouldn't recommend Embarq's approach as an industry best practice. It seems especially odd that courts have been so deferential on consent issues given the inherent disagreeability of NebuAd's DPI practices.
3) Along with last week's Bose v. Interclick ruling, chalk this up as another plaintiff loss in a privacy case that most people probably thought was a slam dunk. So many of the pending privacy lawsuits are filed solely because defendants will pay to avoid the adjudication costs of defending their practices under poorly drafted statutes, not because there's any fundamental merit to the cases. We desperately need a complete rewrite of the CFAA and ECPA simply to put them in English so that everyone has a better sense of which cases are meritorious from the outset.
4) An interesting factoid: NebuAd paid less than $30k to Embarq for the trial period. Note to future IAPs who want to experiment with potentially privacy-invasive technologies: it isn't a good financial deal for you! Or, at minimum, get the vendor's insurer to stand behind the vendor's indemnity clause so that you won't spend many multiples of the associated revenue defending yourself when the vendor goes belly-up.