Court Rules for ISP in Deep Packet Inspection Lawsuit

Mon, 07 Jan 2013 10:00:00 -0500

Barbara Miller co-authored this post.

A few years back, the use of deep packet inspection software – software that examines individual data packets in a broadband transmission – to deliver targeted advertising was a hot topic in regulatory and privacy circles. Those activities spawned a series of cases against the DPI companies and their Internet Service Provider (“ISP”) partners. In one such case, the ISP just won an important victory closing a potentially troublesome area of liability. On December 28, 2012, in Kirch v. Embarq Management Co, the Tenth Circuit held that an ISP was not liable under the Electronic Communications Privacy Act of 1986 (“ECPA”) for authorizing an online advertising company to collect and use certain customer electronic information for the purpose of targeted direct online advertising. This ruling effectively ends this particular case against Embarq and likely will close a chapter in the deep-packet inspection saga. However, because the Tenth Circuit’s finding is closely tied to the facts of this case, ISPs should carefully consider potential liability under the ECPA for any actions involving the collection of customer information for purposes other than provision of ISP services.

The ECPA prohibits the interception of electronic communications and imposes civil liability for those that intercept such communications. The electronic communications covered under the ECPA include traffic on the Internet.

In 2007, Embarq authorized a third party (NebuAd) to collect certain information from Embarq’s network relating to the websites visited by some Embarq customers in order to permit NebuAd to target these customers with specific online advertisements. The information was collected using an Ultra Transparent Device installed on Embarq’s network that then sent the customer information to NebuAd servers. The information provided enabled NebuAd to identify user computers based on an assigned number, but not to identify the customers themselves. One of these customers filed suit in federal asserting that this violated the ECPA.

The Tenth Circuit held that Embarq did not “intercept” electronic communications under the ECPA because Embarq did not collect or use the data collected by NebuAd and “the only access Embarq had to the data extracted by NebuAd was in its capacity as an ISP.” There is an exception to prohibited interceptions in the ECPA when the interception occurs via equipment used by a provider of electronic communication service in the ordinary course of business. Because Embarq had no access to data other than that to which it has access in the ordinary course of business providing internet service, its actions here fell within that exception. Thus, the ruling likely will insulate future ISPs from liability under the ECPA where the ISP does not itself intercept any customer communications or data. In light of the prevalence of targeted online advertising, a contrary holding could have had far-reaching implications for ISPs.

Moreover, the Tenth Circuit held that the ISP does not have third-party liability for the actions of NebuAd. Consistent with other courts, the court held that there is no “aider and abettor” liability under the ECPA. Therefore, Embarq could not be liable to plaintiffs, even if NebuAd (rather than Embarq) violated the ECPA. The court thus did not need to determine whether NebuAd’s actions violated the ECPA.

Google Street View Investigation Indicates Expansive View of FCC Enforcement Powers

Thu, 11 Nov 2010 17:26:24 -0500

News reports last week that the FCC is investigating possible violations by Google underscore the expansive view that this FCC is taking of its enforcement powers. According to reports such as this Wash Post article, the FCC has confirmed that it is investigating Google's alleged capture of user data from open WiFi connections when it gathered information for its Street View product. The FCC investigation comes on the heels of an FTC no action letter released in late October concerning the same actions by Google.

So what is the FCC investigating?

This is the most interesting question resulting from the reports. The FCC, of course, has used its bully pulpit to investigate Google before. But it is not clear here what potential violations the FCC may be investigating. As we've seen, because Google is not a carrier (and clearly was not acting as a carrier in capturing WiFi data), the FCC would have to warn Google before it could impose any fines for its actions. If, as has been suggested, the FCC is investigating whether Google violated wiretapping laws, that, too would suggest an expansive view of FCC powers. The FCC has never issued an order enforcing the Electronic Communications Privacy Act or the Stored Communications Act, the two principal wiretapping statutes, and it is not clear that the FCC has authority to enforce either act.

Unfortunately, the publicly available information does not reveal the nature of the Google investigation. To learn more, we will have to wait for the FCC take action, assuming it has authority to do so.

CommLaw Monitor

Court Rules for ISP in Deep Packet Inspection Lawsuit

Google Street View Investigation Indicates Expansive View of FCC Enforcement Powers