The new intrusion.

Author:Bambauer, Jane Yakowitz
Position:Tort of intrusion upon seclusion - III. The New Intrusion through Conclusion, with footnotes, p. 239-275

    In 2000, as privacy scholars began to convene, anticipate, and collectively fret over the mounting privacy troubles in the age of the Internet, Michael Froomkin suggested that the community might have to consider whether modern data collection practices "constitute an invasive tort of some type." (154) He recognized that, if privacy law can address invasive collection techniques, that will relieve the need for regulation to address problems downstream. (155) This Part takes up Froomkin's challenge. It will show how the intrusion tort can be clarified and modernized to tackle the most troubling data collection practices. (156)

    1. Ubiquitous Data Exhaust

      Recall the fictional General Motors spy from the Introduction who followed Ralph Nader down every aisle of a store, taking note of every product he examined or put, temporarily, into his cart, somehow managing to collect all this information without being detected. (157) This crudely describes the type of information collected by web tracking technologies like cookies and web bugs. Websites are not particularly unique in this regard; nearly all machines and gadgets produce data about their users for some functional purpose. But since web tracking incorporates most of the issues that arise from other forms of data exhaust, an understanding of intrusion's application to website data provides an instructive template.

      Suppose Arthur visits the website for the first time. Pandora streams music based on bands that Arthur identifies as "seeds." Arthur is able to listen to the customized radio station and create an account for free; Pandora's business model relies on advertising, which is serviced by DoubleClick (now a subsidiary of Google). (158)

      When Arthur types into his browser, his computer sends packets of data through the network of networks that constitutes the Internet until the packets reach their destination--Pandora's servers. Pandora's servers reconstruct the packets into the request message (essentially, "I want to see your home page").

      Pandora automatically sends a response to Arthur's computer containing three elements. First, the response includes the HTML or Javascript code and other files like JPEGs of pictures so that Arthur's computer can build and display the webpage. Now, Arthur's computer will have everything he needs to view the page except for the advertisements. Second, the response includes cookies and, perhaps, action tags or web bugs, which are additional files stored on Arthur's computer that keep track of his online activities. Third, the response includes an IP address link that directs Arthur's computer to communicate with DoubleClick's server so DoubleClick can send the files needed to fill in the ad space. When that happens, DoubleClick places its own cookie on Arthur's computer, if he does not already have a DoubleClick cookie. (He probably does, in which case the IP address link would also contain his unique DoubleClick cookie ID.) DoubleClick will then send a targeted ad to Arthur.

      The cookies--both Pandora's and DoubleClick's--record limited categories of information, sometimes including the user's passwords and browsing histories. But most crucially, the cookies contain a unique ID string of characters which will enable the cookie-placing entity to look up details collected from previous visits and stored on their own servers. For example, if Arthur had a preexisting Pandora cookie, it may have recorded content that Arthur typed into his browser to transmit to Pandora in past visits--his name and password, or the names of the bands he used to seed his radio station, for example. Cookies can be used to look up any content once communicated between the user and the website, so if a user has provided their name, e-mail address, search terms, or credit card information to the website they are visiting, the website and the third party intermediary advertisers may have logged the information so that it could be associated later with the unique cookie ID.

      Pandora can also store location information about the pages Arthur visited within the Pandora website. This may be of limited interest in the context of an online radio station website, but location information is more consequential when one considers a cookie placed by WebMD (and the cookies of its third party advertising affiliates). WebMD might record that Arthur's computer visited the site's gonorrhea page. Action tags (also known as "web bugs" or "clear gifs") work with cookies to record even more particularized information, such as the user's mouse movements across the website, and keystrokes that were entered into fields on the webpage but never actually sent (because the user deleted the content or decided not to submit the information). The action tag is loaded directly onto the HTML page as the user views it, though it is not visible, and it writes the keystroke and mouse movement details onto the user's cookie profile. (159)

      The creators of Web browsers (like Microsoft's Explorer, Mozilla's Firefox, and Google's Chrome) implement a number of industry standards developed by the Internet Engineering Task Force. The standards are referred to as Requests for Comments ("RFCs") to show the Task Force's commitment to consensus, adaptation, and non-stasis. The RFCs specify that information recorded on one party's cookie must be encrypted, cannot be observed by others, and must not contain malicious code (designed to inspect or tamper with the computer user's files). Though the RFCs are technically industry self-regulation and, in theory, a new browser could ignore the standards, the RFCs have the force of network effects. If a browser does not implement one or more of the RFCs, it could have compatibility problems with other servers and users on the Internet and fail to function properly. Some of the RFCs are also supported by public law. If a third-party website or entity attempted to access a cookie without the authorization of the computer user or the website that placed the cookie, this act would presumably violate the Stored Communications Act. (160) And if a cookie was programmed with malicious code designed to vandalize the computer user's files, the cookie would violate the Computer Fraud and Abuse Act. (161)

      While web tracking technologies are capable of capturing granular detail about computer users, the details are often accessed to improve visitors' experiences. These are benefits web users have come to expect. For example, the cookie can store the Arthur's login information and password, and it can recall which pages on the site Arthur has viewed so that the hyperlinks appear in a different color. Even mouse and keylogging data can be aggregated across a site's users and analyzed to assess whether the information architecture of the site is causing confusion or inefficiency.

      The cookie databases of third party intermediaries like DoubleClick cannot claim to have the same aim of helping the user's experience, and they record the same types of details. Moreover, they capture data during the interactions the user has with all of the intermediary's affiliated websites. Thus, DoubleClick's cookie has far more information about Arthur than Pandora's cookie. DoubleClick has all of the information on Pandora's cookie, as well as all the information on Toys R Us's cookie, as well as all the information on the New York Times' cookie, and so forth. A quick session of websurfing could increase the detail in the DoubleClick cookies significantly because of DoubleClick's aggregation of market power. Neil Richards has characterized these "uber-databases" as inherently problematic. (162) The vast scale differences between what was once known about people and what can be known about them today is also at the heart of Paul Ohm's critique of the accretion of information in our personal "databases of ruin." (163) But it is not analytically rigorous to say that a difference in scale is a difference in kind. Without a coherent theory of harm, accretion is merely a description of the information ecosystem we live in today and not, necessarily, a threat.

      Offensive observations, on the other hand, are fully realized privacy harms as soon as they occur. A legal challenge that focuses on these harms has the most likelihood of success.

    2. Failed Attempts

      So far, every legal challenge to Web tracking has tried to force-fit the facts into federal statutory schemes that were designed to prevent something else. (164) Attempts to recover using the Computer Fraud and Abuse Act (CFAA) falter on the $5000 damages and economic loss requirement--a threshold chosen by Congress to ensure that only the most malicious incidents of hacking are ensnared by federal criminal and civil liability. (165) Challenges based on the Wiretap Act fail because the website tracking the user is a party to the communication. Even the website's third party intermediaries, such as DoubleClick, fall outside the scope of the Wiretap Act because of the one-party consent rule; so long as one party to the conversation consents to a recording or interception, the statute's prohibitions do not apply. (166) Since Pandora authorizes DoubleClick to access its communications with Arthur, DoubleClick's data capture has the same legal consequences that Pandora's does. (167)

      The plaintiffs' bar has not made a serious attempt to deter web tracking through tort law. State causes of action were alleged in major web tracking cases like In re DoubleClick and Avenue A, but after the federal courts dismissed the statutory claims and withdrew ancillary jurisdiction over the state claims, (168) the cases evaporated. The state claims were never fully litigated--probably a reflection of the trial lawyers' confidence in the likelihood of winning based on a novel interpretation of privacy torts. Recent lawsuits against Google, Clearspring Technologies, and Disney that challenge the use of flash...

To continue reading