January 07, 2013
Privacy Plaintiffs in Deep Packet Inspection Case Get No Love From the Tenth Circuit -- Kirch v. Embarq Managmenet
[Post by Venkat Balasubramani]
Kirch v. Embarq Management, No. 11-3275 (10th Cir. Dec. 28, 2012)
This is an appeal from one of the many lawsuits against IAPs for implementing the ill-fated NebuAd “deep packet inspection” system. Here’s my post on the district court grant of summary judgment in favor of Embarq: Deep Packet Inspection Lawsuits: NebuAd Partner ISP Wins Summary Judgment. Plaintiffs do not fare any better in their appeal.
On the factual side, plaintiffs were not able to develop any evidence that (1) Embarq obtained or utilized any of the data extracted by NebuAd, or (2) the flow of data through Embarq’s system differed in any way from how data typically flowed through Embarq's system (the big exception being that the data was routed in a way that allowed NebuAd to extract data regarding plaintiffs).
Canvassing the ECPA's legislative history and context, and the fact that there’s no general federal statutory liability for aiding and abetting (absent a clear Congressional directive), the court says that Embarq cannot be held liable for any alleged ECPA violations of NebuAd. Thus, the court looks to see if Embarq violated the ECPA directly.
With respect to whether Embarq itself “intercepted” plaintiffs’ communications, the court notes the clunky application of the term "intercept" to the facts. "Interception" is defined as the "acquisition" of a communication's “contents,” but the line between "access" and "acquisition" is murky at best. The court instead relies on the portion of the definition of “device” that excludes any equipment “used by a provider of wire or electronic communication services in the ordinary course of its business.” Noting there was no dispute that Embarq only acquired the same access to the data that it had as an IAP, the court concludes that Embarq falls under this exception and can't be held liable for intercepting plaintiffs' communications.
Ouch. There were some mildly favorable facts to Embarq (the fact that it was paid an absurdly small amount of money for participating in the DPI test), but I still find the emphatic defense win somewhat remarkable. Privacy plaintiffs just cannot seem to catch a break.
The lack of a derivative liability concept under the ECPA is significant, and a majority of courts have said there is no derivative liability under either the ECPA or the Computer Fraud and Abuse Act. (See also Valentine v. WideOpen West Finance (another NebuAd case) and the somewhat factually bizarre CAIR v. Gaubatz which recently came to the same conclusion on the ECPA issue; the CAIR case fell through the cracks of the blogging queue.)
Interestingly, in Valentine, the district court granted summary judgment on the basis that plaintiffs failed to adequately allege any interception but left things open as to whether plaintiffs could state a claim for "disclosure" or "use" of communications under 2511. The court directed the parties to file additional briefs on this issue.
Courthouse News: ISPs Duck Class Claims of Targeted Ad Spyware
Wendy Davis: Appeals Court Sides With Embarq in Privacy Lawsuit
InsidePrivacy: Two New Decisions on the Wiretap Act and Secondary Liability
Bloomberg/BNA: ISP Falls Beyond Reach of ECPA for Role In Transmitting User Traffic to NebuAd
NebuAd Deep Packet Inspection Lawsuits Sputter -- Deering v. CenturyTel & Green v. Cable One
Deep Packet Inspection (NebuAd) Litigation: Court Dismisses ECPA Claim but CFAA Claim Continues
Deep Packet Inspection Lawsuits: NebuAd Partner ISP Wins Summary Judgment
[image credit: Shutterstock/lightspring - Internet privacy and spying on line with a computer laptop and the web by hacking or cyber virus that steals your technology data and follows your social media history]