In re DoubleClick

Last updated

In re DoubleClick Inc. Privacy Litigation
NewYork-southern.gif
United States District Court for the Southern District of New York
Date decidedMar. 28, 2001
Docket nos. 1:00-cv-00641
Citations154 F. Supp. 2d 497
Judge sitting Naomi Reice Buchwald
Case history
Subsequent actionsComplaint dismissed and judgment entered by In re DoubleClick Inc. Privacy Litig., No. 1:00-cv-00641, 2002 U.S. Dist. LEXIS 27099 (S.D.N.Y. May 23, 2002).
Case holding
DoubleClick's placement of web browser cookies on computer hard drives of internet users who accessed DoubleClick-affiliated web sites did not violate the Stored Communications Act, the Wiretap Statute or the Computer Fraud and Abuse Act.
Keywords
Computer Fraud and Abuse Act, Privacy law, Stored Communications Act, Wiretap Statute

In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001) [1] ("DoubleClick"), had Internet users initiate proceedings against DoubleClick, alleging that DoubleClick's placement of web cookies on computer hard drives of Internet users who accessed DoubleClick-affiliated web sites constituted violations of three federal laws: The Stored Communications Act, the Wiretap Statute and the Computer Fraud and Abuse Act.

Contents

The court held that DoubleClick was not liable under any of the three federal laws because it fell within the consent exceptions under the Stored Communications Act and the Wiretap Statute. DoubleClick was not excluded from the consent exception of the Wiretap Statute because it did not intercept the communications for criminal or tortious purposes. DoubleClick was also not liable under the Computer Fraud and Abuse Act because the plaintiffs had failed to meet the statutory threshold of $5,000 in losses. The court established that damages under the Computer Fraud and Abuse Act may only be aggregated for the unauthorized access of each cookie.

Facts

DoubleClick engaged in behavioral targeting and placed a cookie on each user's computer hard drive when the user accessed DoubleClick-affiliated web sites. DoubleClick was then able to track the users' web surfing activities and build user profiles for the purposes of delivering targeted advertisements. DoubleClick's server identifies the user's profile by the cookie identification number and presents the user with advertisements tailored to the user's interest. The plaintiffs claimed that DoubleClick's obtaining of user information stored in the web cookies constituted unauthorized access and interception of their electronic communications with the web sites they were accessing.

Stored Communications Act Claim

The Stored Communications Act, 18 U.S.C.   § 2701, proscribes the intentional unauthorized access of electronic communication while it is in electronic storage. [2] The consent exception within the Stored Communications Act excludes the interception of communications between users and web sites by DoubleClick. [3]

The court in assessing DoubleClick's relationship with its affiliated web sites held that the web sites had engaged DoubleClick for the precise purpose of delivering targeted advertisements. DoubleClick is only able to provide tailored advertising to specific users by gathering user information and tracking users’ online activities based on the web sites' agreement to actively notify DoubleClick when users accessed the site, namely, through the use of cookies. Thus, the web sites had effectively consented to DoubleClick's interception of users' communications with the web sites. This is despite web sites' failure to understand the technology used by DoubleClick in the provision of targeted advertising.

The court held that the long term residence of DoubleClick's cookies on users hard drives excludes the cookies from the definition of "electronic storage" which connotes temporary and transitory storage. [3] Cookies’ identification numbers, which are sent from users' computers, also do not fall within the confines of "electronic storage" and the Stored Communications Act. DoubleClick could not be held liable for accessing the cookies or cookie identification numbers.

The court in DoubleClick further held that even if cookies' identification numbers were assumed to be "electronic communication[s] . . . in electronic storage," DoubleClick's access is still authorized because the Stored Communications Act exempts conduct which is authorized by a user of the service with respect to a communication of or intended for that user. The cookies' identification numbers are internal to DoubleClick communications and are both "of" and "intended for" DoubleClick.

"DoubleClick creates the cookies, assigns them identification numbers, and places them on plaintiffs' hard drives. The cookies and their identification numbers are vital to DoubleClick and meaningless to anyone else. In contrast, virtually all plaintiffs are unaware that the cookies exist, that these cookies have identification numbers, that DoubleClick accesses these identification numbers and that these numbers are critical to DoubleClick's operations." [1]

Wiretap Statute Claim

The Wiretap Statute, 18 U.S.C.   § 2511, restrains the intention or endeavour to intercept any electronic communication or the procurement of any other person to do so. [4]

The court applied its analysis under the Stored Communications Act to determine DoubleClick’s liability under the Wiretap Statute, relying on the similar attributes of both statutes. Based on the presumption that DoubleClick falls within the ambit of the Wiretap Statute, the court proceeded to determine whether DoubleClick was excluded from liability by virtue of the consent exception under the Wiretap Statute. The court held that DoubleClick was exempt from liability for intercepting the communications under the Wiretap Statute because the web sites, being one of the parties to the electronic communication with the users, had given DoubleClick prior consent to the interception. The court held that the consent exception remains valid as the communication was not intercepted for the purpose of committing any criminal or tortious act.

Computer Fraud and Abuse Act Claim

The Computer Fraud and Abuse Act, 18 U.S.C.   § 1030, prohibits the intentional access of a protected computer to obtain information without authorization which causes at least $5,000 damage or loss resulting from a single unauthorized access. [5] 18 U.S.C.   § 1030(a)(5)(A) proscribes the intentional and unauthorized causing of damage to a protected computer resulting from knowingly causing the transmission of a program, information, code, or command.

The plaintiffs sought damages for the loss caused accruing from the unauthorized access of their computers and the misappropriation of information by DoubleClick. DoubleClick did not dispute that plaintiffs' computers were protected under the Computer Fraud and Abuse Act or that its access was unauthorized. The court stated that damages and losses under the Computer Fraud and Abuse Act may only be aggregated across victims and over time for a single act. Since each access of a cookie on users' computers constitutes a single and separate act of unauthorized access, damages and losses may only be aggregated for each cookie and cannot be aggregated across multiple computers. The court dismissed the plaintiffs' claim under the Computer Fraud and Abuse Act on the grounds that the damage caused by each cookie did not meet the statutory threshold of $5,000.

Plaintiffs' alleged emotional distress due to DoubleClick’s invasion of their privacy, trespass to their personal property, and misappropriation of confidential data was not actionable under the Computer Fraud and Abuse Act which only authorized the recovery of economic losses. The court denied the plaintiffs' claim that the alleged damage to the value of their individual demographic information, arising from DoubleClick's collection of user information, constitutes compensable economic loss. The court noted that while demographic information was valuable, its collection did not represent economic loss.

DoubleClick Settlement

DoubleClick eventually entered into a settlement agreement with the plaintiffs. Under the settlement's terms, DoubleClick was required to explain its privacy policy in "easy-to-read" language; conduct a public information campaign consisting of 300 million banner ads inviting consumers to learn more about protecting their privacy; and institute data purging and opt-in procedures among other requirements. [6]

Related Research Articles

Telephone tapping is the monitoring of telephone and Internet-based conversations by a third party, often by covert means. The wire tap received its name because, historically, the monitoring connection was an actual electrical tap on the telephone line. Legal wiretapping by a government agency is also called lawful interception. Passive wiretapping monitors or records the traffic, while active wiretapping alters or otherwise affects it.

A pen register, or dialed number recorder (DNR), is an electronic device that records all numbers called from a particular telephone line. The term has come to include any device or program that performs similar functions to an original pen register, including programs monitoring Internet communications.

Electronic Communications Privacy Act US Act of Congress

The Electronic Communications Privacy Act of 1986 (ECPA) was enacted by the United States Congress to extend restrictions on government wire taps of telephone calls to include transmissions of electronic data by computer, added new provisions prohibiting access to stored electronic communications, i.e., the Stored Communications Act, and added so-called pen trap provisions that permit the tracing of telephone communications . ECPA was an amendment to Title III of the Omnibus Crime Control and Safe Streets Act of 1968, which was primarily designed to prevent unauthorized government access to private electronic communications. The ECPA has been amended by the Communications Assistance for Law Enforcement Act (CALEA) of 1994, the USA PATRIOT Act (2001), the USA PATRIOT reauthorization acts (2006), and the FISA Amendments Act (2008).

Internet privacy right or mandate of personal privacy concerning the storing, repurposing, provision to third parties, and displaying of information pertaining to oneself via of the Internet; a subset of data privacy

Internet privacy involves the right or mandate of personal privacy concerning the storing, repurposing, provision to third parties, and displaying of information pertaining to oneself via the Internet. Internet privacy is a subset of data privacy. Privacy concerns have been articulated from the beginnings of large-scale computer sharing.

Video Privacy Protection Act

The Video Privacy Protection Act (VPPA) was a bill passed by the United States Congress in 1988 as Pub.L. 100–618 and signed into law by President Ronald Reagan. It was created to prevent what it refers to as "wrongful disclosure of video tape rental or sale records [or similar audio visual materials, to cover items such as video games and the future DVD format]." Congress passed the VPPA after Robert Bork's video rental history was published during his Supreme Court nomination. It makes any "video tape service provider" that discloses rental information outside the ordinary course of business liable for up to $2500 in actual damages.

Email privacy is a broad topic dealing with issues of unauthorized access and inspection of electronic mail. This unauthorized access can happen while an email is in transit, as well as when it is stored on email servers or on a user computer. In countries with a constitutional guarantee of the secrecy of correspondence, whether email can be equated with letters and has legal protection from all forms of eavesdropping comes under question because of the very nature of email. This is especially important as relatively more communication occurs via email compared to via postal mail.

Web scraping, web harvesting, or web data extraction is data scraping used for extracting data from websites. Web scraping software may access the World Wide Web directly using the Hypertext Transfer Protocol, or through a web browser. While web scraping can be done manually by a software user, the term typically refers to automated processes implemented using a bot or web crawler. It is a form of copying, in which specific data is gathered and copied from the web, typically into a central local database or spreadsheet, for later retrieval or analysis.

<i>Specht v. Netscape Communications Corp.</i>

Specht v. Netscape, 306 F.3d 17, is a case in the United States Court of Appeals for the Second Circuit regarding the enforceability of browse-wrap software licenses. The court held that merely clicking on a download button does not show assent to license terms if those terms were not conspicuous and if it was not explicit to the consumer that clicking meant agreeing to the license.

An HTTP cookie is a small piece of data sent from a website and stored on the user's computer by the user's web browser while the user is browsing. Cookies were designed to be a reliable mechanism for websites to remember stateful information or to record the user's browsing activity. They can also be used to remember arbitrary pieces of information that the user previously entered into form fields such as names, addresses, passwords, and credit-card numbers.

Privacy and Electronic Communications Directive 2002

Privacy and Electronic Communications Directive 2002/58/EC on Privacy and Electronic Communications, otherwise known as ePrivacy Directive (ePD), is an EU directive on data protection and privacy in the digital age. It presents a continuation of earlier efforts, most directly the Data Protection Directive. It deals with the regulation of a number of important issues such as confidentiality of information, treatment of traffic data, spam and cookies. This Directive has been amended by Directive 2009/136, which introduces several changes, especially in what concerns cookies, that are now subject to prior consent.

A 'device fingerprint', machine fingerprint, or browser fingerprint is information collected about a remote computing device for the purpose of identification. Fingerprints can be used to fully or partially identify individual users or devices even when persistent cookies can't be read or stored in the browser, the client IP address is hidden, and even if one switches to another browser on the same device. This may allow a remote application to detect and prevent online identity theft and credit card fraud, but also to compile long-term records of individuals' browsing histories even when they're attempting to avoid tracking, raising a major concern for internet privacy advocates. Some computer security experts consider the ease of bulk parameter extraction offered by web browsers to be a security hole.

Information technology law concerns the law of information technology, including computing and the internet. It is related to legal informatics, and governs the digital dissemination of both (digitalized) information and software, information security and electronic commerce. aspects and it has been described as "paper laws" for a "paperless environment". It raises specific issues of intellectual property in computing and online, contract law, privacy, freedom of expression, and jurisdiction.

Browse-wrap is a term used in Internet law to refer to a contract or license agreement covering access to or use of materials on a web site or downloadable product. In a browse-wrap agreement, the terms and conditions of use for a website or other downloadable product are posted on the website, typically as a hyperlink at the bottom of the screen. Unlike a clickwrap agreement, where the user must manifest assent to the terms and conditions by clicking on an "I agree" box, a browse-wrap agreement does not require this type of express manifestation of assent. Rather, a web-site user purportedly gives his or her assent by simply using the product — such as by entering the website or downloading software.

The Driver's Privacy Protection Act of 1994, Title XXX of the Violent Crime Control and Law Enforcement Act, is a United States federal statute governing the privacy and disclosure of personal information gathered by state Departments of Motor Vehicles.

<i>Lane v. Facebook, Inc.</i>

Lane v. Facebook was a class-action lawsuit in the United States District Court for the Northern District of California regarding internet privacy and social media. In December 2007, Facebook launched Beacon, which resulted in users' private information being posted on Facebook without consent. Facebook ended up terminating the Beacon program, and created a $9.5 million fund for privacy and security. There was no money awarded to Facebook users affected negatively by the Beacon program.

Cyber crime, or computer crime, refers to any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target. Netcrime refers, more precisely, to criminal exploitation of the Internet. Issues surrounding this type of crime have become high-profile, particularly those surrounding hacking, copyright infringement, identity theft, child pornography, and child grooming. There are also problems of privacy when confidential information is lost or intercepted, lawfully or otherwise.

Konop v. Hawaiian Airlines, Inc., 236 F.3d 1035 (2001) was a case in which the United States Court of Appeals for the Ninth Circuit affirmed in part and overturned in part the ruling of the United States District Court for the Central District of California. The court held that the defendant, Hawaiian Airlines, could not be held liable for violation of the federal Wiretap Act when it gained access to the plaintiff's website because the contents of the plaintiff's website were in storage, and thus could not be intercepted under the meaning of the Wiretap Act.

The following outline is provided as an overview of and topical guide to computer security:

Privacy and the United States government consists of enacted legislation, funding of regulatory agencies, enforcement of court precedents, creation of congressional committees, evaluation of judicial decisions, and implementation of executive orders in response to major court cases and technological change. Because the United States government is composed of three distinct branches governed by both the separation of powers and checks and balances, the change in privacy practice can be separated relative to the actions performed by the three branches.

Search engine privacy is a subset of internet privacy that deals with user data being collected by search engines. Both types of privacy fall under the umbrella of information privacy. Privacy concerns regarding search engines can take many forms, such as search engines logging individual search queries, browsing history, IP adresses, and cookies of users, and conducting user profiling in general. The collection of personally identifiable information of users by search engines is referred to as "tracking".

References

  1. 1 2 In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001).
  2. The Stored Communications Act 18 U.S.C.   § 2701
  3. 1 2 18 U.S.C.   § 2510
  4. The Wiretap Statute 18 U.S.C.   § 2511
  5. The Computer Fraud and Abuse Act 18 U.S.C.   § 1030
  6. In re DoubleClick Inc. Privacy Litigation, Settlement Agreement (2002).