The Internet Community Has Spoken;
Now We Will Tell You What We Are Placing On Your Computer

Jeremy Peterson

Cyberspace Law Seminar
University of Iowa College of Law
April 16, 2004



TABLE OF CONTENTS

I. INTRODUCTION
A. Case Study - In re Pharmatrak, Inc.

II. COMMON TERMS
A. What is the Internet?
B. What is a Website?
C. What are Internet Cookies (Cookies)?
D. What are Action Tags?
E. What is Data/Web Mining?

III. CONCERNS ABOUT INTERNET COOKIES AND ACTION TAGS

IV. CURRENT LEGISLATION
A. Computer Fraud and Abuse Act
B. The Stored Communications Act
C. The Federal Wiretap Act
D. Summary

V. STATE TRESPASS TO CHATTEL CLAIMS
A. Virginia State Law
1. America Online, Inc. v. IMS
B. California State Law
1. Oyster Software, Inc. v. Forms Processing, Inc.

VI. ALTERNATIVE PROPOSALS
A. Self-Governing Programs / Alternatives to Legislation
1. Organization for the Advancement of Structured Information Standards
B. New Legislation
1. Advantages of the New Legislation
2. Disadvantages of the New Legislation

VII. THE PAPER'S SOLUTION
A. Organization's Policies and Standards
B. Advantages of the Proposed Organization
C. Disadvantages of the Proposed Organization

VIII. CONCLUSION

ENDNOTES


I. INTRODUCTION

A. Case Study - In re Pharmatrak, Inc.

The Internet continues to expand.  With no universal governing body promoting standards, and with legal rules adapting or emerging slowly, security has become a pressing issue.  Computer hackers have been able to attack computers and websites using the Internet.  Because each company has its own software and procedures to secure the Internet, no real standard to protect web transactions has emerged.

The situation in In re Pharmatrak, Inc. (Pharmatrak) is a typical example of how websites can use cookies to gather information about Internet users.1  Pharmatrak illustrates how a simple idea, monitoring website traffic to determine how to better serve the consumer, can be mishandled and lead to personal information reaching the hands of parties that the user did not intend to have the information.

In Pharmatrak, "[i]nternet users sued [a] web-monitoring corporation and pharmaceutical corporations, alleging that defendants secretly intercepted and accessed their personal information through the use of 'cookies'" without the users' consent.2  In this case, the pharmaceutical companies created their own websites.3  Internet users visited these websites to obtain information both about the drugs they used and available rebates.4  To analyze and monitor Internet user activity on their websites, the pharmaceutical companies hired Pharmatrak.5  Pharmatrak used a service called "NETcompare" to analyze and monitor this website activity.6

NETcompare recorded which webpages on the client's website a user viewed, the length of time the user viewed each webpage, the order in which the user viewed the webpages, and various other information.7  NETcompare gathered this information behind the scenes.8  The Internet user never knew that Pharmatrak or anyone else was gathering this information.9  NETcompare "accessed information about the Internet users and collected certain information meant to permit the pharmaceutical companies to do intra-industry comparisons of website traffic and usage."10  NETcompare allowed pharmaceutical companies "to compare [their] performance with that of other clients in the same industry."11

To utilize NETcompare, pharmaceutical companies added "five to ten lines of HTML code to each webpage" that they wanted monitored.12  When the Internet user accessed the pharmaceutical company's webpage, the "HTML code instructed the user's computer to contact Pharmatrak's web server" for the purpose of "communicat[ing] directly with Pharmatrak's web server."13  Once the communication was established, Pharmatrak "either plac[ed] or access[ed] a 'persistent cookie' on the user's computer."14  If the user had not visited the website before, Pharmatrak would download a cookie onto the user's computer.15  Otherwise, "Pharmatrak's servers would access the information [stored in] the existing cookie."16  "Each Pharmatrak cookie contained a unique alphanumeric identifier that allowed Pharmatrak to track a user as [the user] navigated through a client's site[.]"17  The cookie was also able to determine each time the user visited the website.18

Almost all of the pharmaceutical companies explicitly told Pharmatrak that they did not want Pharmatrak to record any "personal or identifying data" about the Internet users that visited their websites.19  Pharmatrak assured the pharmaceutical companies that it would not collect such data.20  The former Chief Technology Officer and Managing Director for Pharmatrak claimed, "NETcompare was not designed to collect any personal information whatsoever."21  Even though Pharmatrak gave assurances, the plaintiffs found personal and identifying information on Pharmatrak's computers.22

Of the 18.7 million cookies that Pharmatrak distributed to Internet users - some computers and/or users may have had more than one cookie - the plaintiffs were able to find profiles for 232 individual users on Pharmatrak's computers.23  Some of the personal information that plaintiffs found included: "names, addresses, telephone numbers, email addresses, dates of birth, genders, insurance statuses, education levels, occupations, medical conditions, medications, and reasons for visiting the particular website."24

Pharmatrak is an example of how websites can gather information without the user's knowledge.  Websites can even contract with third parties to gather the information.  When companies use cookies and action tags to gather information, there is no standard as to what the companies are recording.  If a website prompts an Internet user that it is downloading a cookie on the user's computer, normally the user does not know what information the cookie is gathering.  The bigger problem occurs when it is a third party cookie or action tag, because then not only is the cookie or action tag gathering information, but also the third party controls exactly what and how the cookie or action tag gathers the information.

Because currently there are no standards for how and when websites can use cookies or action tags, this paper details different solutions to protect an Internet user.  This paper first looked at how companies can use Internet cookies and action tags to record information about visitors to the companies' websites.  Next, the paper will define terms that the paper discusses.

This paper will then focus on three current federal statutes that four cases have examined.  This paper will detail Internet users' struggles litigating under these statutes.  Then, the paper will look at how state courts have examined similar issues.  Specifically, it will focus on Virginia and California trespass to chattels claims.  The paper will then spotlight two alternative methods to promote and protect Internet standards.  One looks at a not-for-profit organization that is developing e-business standards.  The other will look at factors to consider in enacting a new statute designed to provide a remedy for Internet users for websites using cookies and action tags.  The paper also analyzes the advantages and disadvantages of creating such a statute.

Finally, the paper will propose a better solution to the problem.  This solution would create a volunteer not-for-profit organization to develop standards on how to inform Internet users of what websites are downloading and what information they are gathering.

II. COMMON TERMS

 This section defines five of the common terms that this paper discusses: Internet, website, cookie, action tag, and data mining.

A. What is the Internet?

The Internet is a global arrangement of computer networks.25  "The Net," and "World Wide Web" are just a couple of the popular ways people refer to the Internet.26  As long as one has access, anyone can access the Internet.27  The most common way for users to access the Internet is by using a web browser on a personal computer.28  A couple of the more popular web browsers are Internet Explorer and Netscape.  People now can also access the Internet through other means, such as PDAs.29

The Internet was originally designed for researchers at universities to talk to each other.30  The Internet is used to disseminate information through a variety of sources; it allows users both to read newspapers from around the world and to communicate through instant messaging.31  The Internet is also responsible for transferring electronic mail (e-mail).32  For a further explanation of the Internet, see the "Finding of Fact" within EFF/ACLU v. Reno CDA.33

B. What is a Website?

A website consists of one or more webpages.34  Webpages display the information a company wants to present to the Internet user.  Webpages can be either static or interactive.

A static webpage only presents the information and does not interact with the user.  A static webpage may contain links to other webpages or websites, but the information presented does not change based on the user's actions.  For example, the user may read information on webpage X and then select the link to webpage Y.  When that user returns to webpage X, assuming the owners did not update the webpage, the information presented will be unchanged.

An interactive webpage will sometimes change the information presented based on the user's actions.  For example, an Internet user can access the "Iowa State University's -- Phone Book" webpage35 and then enter information in three different fields -- name, email@iastate.edu, department -- and/or select a Department from a list of options.  After entering this information, the user can select the "Submit" button and the website will present a webpage based on the information the user entered.  If the user went back to the "Iowa State University's -- Phone Book" webpage and entered different information, depending on what the user entered, the website may return a different result on the webpage.

C. What are Internet Cookies (Cookies)?

A cookie is a small text file that a website downloads onto a user's computer to record and store information.36  One primary function of a cookie involves interactions between the website's computer server and the Internet user's computer.37  Cookies allow the website's computer server to "develop a memory of the communications between the two parties."38  A cookie records a variety of information from the user - ranging from a username and password to credit card numbers.39  A website designs its cookie so that the website is the only party that can read the cookie.40  A website can also authorize third parties to read its cookie.41

Popular websites, such as Yahoo.com and the Washington Post.com, provide "convenience and customization" throughout their websites through the use of cookies.42  Cookies operate to store information about the user, such as "shopping cart" information, user preferences, or login and registration information.43  Websites use cookies to identify specific Internet users who visit their websites.44

Websites can use two different types of cookies - "session" or "persistent".45  The difference between a session and a persistent cookie is its expiration date.46  A website terminates a "session" cookie after the Internet user closes the web browser.47  However, a website leaves a "persistent" cookie on an Internet user's computer and continues to use the cookie until the cookie's expiration date or when the user deletes the cookie.48  "While session cookies may be useful for one-time online surveys or other inquiries that require only brief storage of limited information, persistent cookies permit the aggregation of personal information over an extended period of time whenever an individual returns to a site that can access the cookie files."49
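
The session/persistent distinction above, together with the third-party placement described in the Pharmatrak case study, can be checked directly from the Set-Cookie headers a browser receives.  The following is an added example, not part of the original paper: the host names, cookie values and the "id_like" heuristic are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def site_of(host):
    """Crude 'site' of a host name: its last two labels.

    Simplification: a real audit would use the Public Suffix List,
    because suffixes such as co.uk span two labels.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lifetime_seconds(attrs, now):
    """Seconds until expiry, or None when the cookie is a session cookie."""
    # Max-Age takes precedence over Expires when both are present (RFC 6265).
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"])
        except ValueError:
            pass  # a malformed Max-Age is ignored
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # unparseable date: treated as if absent
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None


def classify(page_host, response_host, header, now):
    """Describe one cookie: session/persistent/expired, first/third party."""
    name, value, attrs = parse_set_cookie(header)
    seconds = lifetime_seconds(attrs, now)
    if seconds is None:
        kind = "session"          # discarded when the browser closes
    elif seconds <= 0:
        kind = "expired"          # the server is deleting the cookie
    else:
        kind = "persistent"       # survives browser restarts
    # A Domain attribute, when present, names the cookie's owner.
    owner = attrs.get("domain", "").lstrip(".") or response_host
    party = "first" if site_of(owner) == site_of(page_host) else "third"
    return {
        "name": name,
        "kind": kind,
        "party": party,
        "lifetime_days": None if seconds is None else seconds // 86400,
        # Heuristic (assumption): a long alphanumeric value looks like
        # the "unique alphanumeric identifier" used to track a visitor.
        "id_like": len(value) >= 12 and value.isalnum(),
    }


# Constructed sample: headers seen while loading one page.
NOW = datetime(2004, 4, 16, tzinfo=timezone.utc)
PAGE_HOST = "www.drugco.example"
OBSERVED = [
    ("www.drugco.example", "prefs=lang-en; Path=/"),
    ("tracker.monitor.example",
     "uid=A9F3K2L8Q7ZX01BC; Expires=Wed, 16 Apr 2014 00:00:00 GMT; Path=/"),
    ("www.drugco.example", "cart=; Max-Age=0; Path=/"),
]


def audit():
    return [classify(PAGE_HOST, host, header, NOW) for host, header in OBSERVED]


if __name__ == "__main__":
    for row in audit():
        print(row)
```

The second row is the pattern at issue in Pharmatrak: a persistent, third-party cookie whose value is an identifier rather than a preference.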

D. What are Action Tags?

Action tags are very similar to cookies.50  Action tags are invisible and are on websites to record the Internet user's movements throughout the website.51  A website can program action tags to perform more malicious purposes than gathering information.52  Action tags can "retrieve files stored on a computer hard drive, record conversations through a computer microphone or transmit images from a computer's video camera without the user's knowledge."53  Since webpages or e-mails can embed action tags in HTML code, most users are not aware that action tags are present, "unlike cookies, which are detectable by most web browsers."54  When embedded within HTML e-mails, action tags can inform the Internet user if an e-mail recipient has opened or acted upon the e-mail.55
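
Because action tags live in the page's HTML rather than in a file the browser lists, finding them means reading the markup.  The following added example (not part of the original paper) scans a page for resources loaded from another site and flags those that are not visible; it assumes the tag takes the common form of a 1x1 or hidden image or a remote script, and the sample page and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def site_of(host):
    """Crude 'site' of a host: last two labels (no Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class TagAuditor(HTMLParser):
    """Collect third-party resource loads that could act as action tags."""

    WATCHED = {"img", "script", "iframe"}

    def __init__(self, page_host):
        super().__init__()
        self.page_site = site_of(page_host)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.WATCHED:
            return
        attr = {k: (v or "") for k, v in attrs}
        url = urlparse(attr.get("src", ""))
        host = url.hostname
        if not host or site_of(host) == self.page_site:
            return  # relative URL or same-site resource
        reasons = ["third-party " + tag]
        if tag in ("img", "iframe") and self._invisible(attr):
            reasons.append("not visible")
        if url.query:
            reasons.append("carries query data")
        self.findings.append((tag, host, reasons))

    @staticmethod
    def _invisible(attr):
        """True for a 0/1-pixel element or one hidden by attribute or CSS."""
        style = attr.get("style", "").replace(" ", "").lower()
        tiny = (attr.get("width") in ("0", "1")
                and attr.get("height") in ("0", "1"))
        hidden = "display:none" in style or "visibility:hidden" in style
        return tiny or hidden or "hidden" in attr


def audit_page(html, page_host):
    auditor = TagAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page served from www.drugco.example.
SAMPLE_PAGE = """
<html><body>
<img src="/img/logo.gif" width="120" height="40" alt="DrugCo">
<p>Rebate information</p>
<script src="http://tracker.monitor.example/nc.js"></script>
<img src="http://tracker.monitor.example/t.gif?page=rebates"
     width="1" height="1" alt="">
<img src="http://images.drugco.example/banner.gif" width="468" height="60">
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_PAGE, "www.drugco.example"):
        print(finding)
```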

E. What is Data/Web Mining?

"Data mining is sorting through data to identify patterns and establish relationships."56  "[W]eb mining is the integration of information gathered by traditional data mining methodologies and techniques with information gathered over the [Internet]."57  "Web mining is used to understand customer behavior, evaluate the effectiveness of a particular Web site, and help quantify the success of a marketing campaign."58  "The information gathered through Web mining is evaluated . . . by using traditional data mining parameters such as . . . examination of sequential patterns."59
 

III. CONCERNS ABOUT INTERNET COOKIES AND ACTION TAGS

A variety of concerns exist regarding unmonitored action tags and the placement of cookies onto an unsuspecting Internet user's computer.  These range from unauthorized access to recording personal information.

The main concern is that a website has the ability to place cookies onto an Internet user's computer without the user knowing what the website placed on the user's computer.  The cookie can track what the user has done not only on that website, but also on other websites.

A user can adjust how a web browser handles whether to accept cookies.  In Internet Explorer,60 the user can select "Internet Options" from the "Tools" drop down menu.  From there, the user selects the "Privacy" tab and then the user can adjust the settings to his or her desired level.  At the "Medium High" level, the configuration of the web browser is to reject "cookies that use personally identifiable information without your explicit consent."61  However, depending upon how the user has configured the web browser, the Internet user will not know exactly what the cookie is doing and what information the website is gleaning through the cookie.

Whether the website is allowing a third party to download a cookie that the third party manages is another concern.  An example of this occurred in Pharmatrak when the pharmaceutical companies allowed Pharmatrak to download a cookie onto the Internet user's computer.62  Pharmatrak controlled what information its cookie gathered from the Internet user.63  Although an Internet user may adjust the web browser so that only cookies he or she accepts are downloaded, when he or she visits the website and is prompted to download the cookie, he or she may unknowingly download a third party cookie.

Public computers present a unique problem with the ability to manage and download cookies.  Computers available for general public use (for example, computers in public libraries) are likely to have various security measures restricting what the computer user can and cannot do with the computer.  The computer administrator may configure the web browser to always accept cookies, and because of the security measures, the user may not be able to change this setting.  This would result in the website downloading a cookie onto the public computer.  The cookie may then record what the Internet user is doing without the user being able to prevent the cookie from gathering this information or from deleting the information when the user is finished.

Another concern is how much space the cookie is utilizing on the user's hard drive.  According to a recent Law Review article, a cookie "typically occupies less than four kilobytes of memory."64  Even though this is not a very large amount of space, nothing prevents the website from increasing the size of a cookie beyond four kilobytes to a much more significant size.

Action tags also present other concerns.  Action tags, like cookies, record an Internet user's actions while visiting a website.65  The Internet user does not see the action tags on the website.  The Internet user also does not know what the tags are doing.66  Because the action tags are not visible and conduct their entire information gathering behind the scenes, Internet users may not know that the website is recording the information.67  Action tags may be more dangerous than cookies; unlike cookies, most web browsers do not usually detect action tags.68

 Cookies and action tags can be and are very beneficial to websites.  Companies that use their website to benefit their consumers can use cookies to create better and more efficient websites.  In Pharmatrak, for example, the pharmaceutical companies used cookies to monitor which webpages Internet users looked at on their website.69  The companies could then decide if Internet users appeared confused about how to navigate through their website to find information.  Cookies will also allow the company to determine what information the users looked at the most.  The company can then make sure the website presents this information quickly and easily for the user.  This paper is not advocating that companies stop using cookies or action tags.

This paper acknowledges the benefits associated with websites using cookies, but the concerns articulated above outweigh the benefits offered by using cookies or action tags.  This paper advocates that websites that want to utilize the benefits of cookies or action tags simply inform the Internet user every time they or a third party gather information.

IV. CURRENT LEGISLATION

Three federal statutes enable Internet users to bring claims against a website owner or third party for placing a cookie on the user's hard drive.  Statutes also prohibit the use of action tags while the user is viewing the website.

A. Computer Fraud and Abuse Act70

 The Computer Fraud and Abuse Act (CFAA) bars anyone, including website operators, from unauthorized, purposeful access of a protected computer.71  The CFAA creates a cause of action if there is an unauthorized access by someone who "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct intentionally causes damage[,]"72 "recklessly causes damage[,]"73 or "causes damage[.]"74  The CFAA also bars "accessing and obtaining 'information from any protected computer if the conduct involved an interstate or foreign communication.'"75  The CFAA authorizes an Internet user who suffers "damage or loss" to bring a civil action.76

The definition of damage is significant in proving the threshold amount for an Internet user bringing a civil action under the CFAA.77  In Chance v. Avenue A, Inc. (Avenue A), the court found that in order to maintain a civil cause of action, the Internet user must have suffered at least $5,000 in damages.78  According to the courts, "[t]he damage amount can be aggregated across both time and individual computers, but it cannot be aggregated across separate acts."79  However, the court in Avenue A found that each time the webpage accessed the cookie this constituted a single act.80  This would be so even though this communication happened many times, and with extraordinary speed each time an Internet user viewed a webpage.81

The courts in four cases - Avenue A, Pharmatrak, In re Intuit Privacy Litigation (Intuit), and In re DoubleClick Inc. (DoubleClick) - found that the plaintiffs failed to meet the $5,000 threshold damages.82

The court in Avenue A determined that when a website or third party transmits a cookie to the Internet user's computer, there is practically no economic harm, unlike when a computer hacker destroys files or otherwise causes substantial damage.83  The plaintiffs in Avenue A tried to "circumvent the statute's $5,000 threshold by arguing 'loss,' as opposed to 'damages,' is not subject to that threshold."84  The court determined that you could not read that "loss" was not subject to the damages threshold requirement since it did not meet the $5,000 loss threshold.85

B. The Stored Communications Act86

Congress intended the Stored Communications Act, part of Title II of the Electronic Communications Privacy Act (ECPA), to stop hackers from accessing and manipulating "certain stored electronic communications."87  The Act prohibits a website or third party from exceeding his or her authorization to access a computer.  The Act also bars a website operator or third party, without authorization, from intentionally accessing "a facility through which an electronic communication service is provided" if the party "thereby obtains, [or] alters . . . a wire or electronic communication while it is in electronic storage in such system[.]"88  There is an exception clause if the plaintiff authorized the defendant to perform the conduct.89

The DoubleClick court determined that the Act targets only communications that are temporarily stored.  Because the cookies were located on the Internet user's hard drive for an extended period of time, the cookies did not qualify as electronic storage under § 2510(17) of Title 18 of the United States Code.90  Therefore, the cookies do not qualify under the Stored Communications Act.91  The court went further and said that even if the cookies were determined to qualify as electronic storage, the user authorized the access to the cookies on his hard drive.92

 The courts in DoubleClick, Avenue A, and Pharmatrak all found that the defendants met the exception under the Stored Communications Act and dismissed the plaintiffs' claims.93

However, the court in Intuit did not grant defendant's motion to dismiss under the Stored Communications Act.94  The court allowed the plaintiffs' action to continue under the Act because the defendant's claims directly conflicted with the plaintiffs' allegations and under a Rule 12(b)(6) motion, the court must accept the plaintiffs' allegations as true.95

C. The Federal Wiretap Act96

Congress amended the Federal Wiretap Act, part of Title I of the ECPA, to include protection for "data and electronic transmissions."97  The Federal Wiretap Act prohibits a party from "intentionally intercept[ing], endeavor[ing] to intercept, or procur[ing] any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication[.]"98  Section 2520 of Title 18 of the United States Code provides a private actor the right to file a civil suit.99  A party violates the Federal Wiretap Act if he or she: "(1) intentionally (2) intercepted, endeavored to intercept or procured another person to intercept or endeavor to intercept (3) the contents of (4) an electronic communication (5) using a device."100  Of course, consent to the interception is a defense - although the defendant has the burden of proving consent.101

The courts in DoubleClick and Avenue A found that even though there was an interception of communications, the Internet users consented.102  The courts in DoubleClick, Avenue A, and Intuit found "consent" because the Internet users did not state a sufficient claim of "tortious or criminal" purpose.103

The district court in Pharmatrak, on remand, determined that the intent requirement under the Federal Wiretap Act requires that the web monitoring company "intentionally sought to collect personal data" - something it found.104  Plaintiffs failed to rebut defendant's arguments for summary judgment105 and accordingly, the court granted defendant's motion for summary judgment.106

D. Summary

 Under the CFAA, the Stored Communications Act, and the Federal Wiretap Act, Internet users have been able to survive only one motion for summary judgment.107  Courts have held that placing a cookie or using an action tag does not constitute "substantial harm."108  As a result, Internet users have not been able to show the damages required by the CFAA.109  In three cases defendants successfully argued that Internet users had "consented" to the placement of the cookies.110  In the same three cases, the courts found defendants did not have a "tortious or criminal purpose."111  In another, the court found the defendants did not "knowingly" record the Internet users' information.112  Given that only one case ever survived summary judgment, it is unlikely these laws will be very effective in controlling cookies or action tags in federal court.

V. STATE TRESPASS TO CHATTEL CLAIMS

Some state courts recognize "trespass to chattels" as a potential legal theory for protection from, or damages for, unauthorized intrusion into computers.

A. Virginia State Law

   1. America Online, Inc. v. IMS (IMS)113

In IMS, the state court granted America Online's motion for summary judgment.114  America Online (AOL) notified a marketing company, IMS, to stop sending its subscribers bulk e-mail messages, or "SPAM."115  The marketing company continued sending unauthorized SPAM for more than 10 months, a total of more than 60 million messages.116  Under Virginia "trespass to chattels" law, AOL had to show that the marketing company "intentionally" interfered with AOL's personal property.117  AOL also had to mitigate the possibility that it had authorized the marketing company's interference.118  Finally, AOL had to prove the marketing company's SPAM had harmed AOL's computer system's "'condition, quality, or value.'"119

Of course, cookies are not email.  A plaintiff will have to prove that the placement of a cookie or use of an action tag was unauthorized.120  Most web browsers offer their users the opportunity to select their level of cookie acceptance.  If a user fails to adjust this feature (or is unaware they have it), can the user be said to have "authorized" the placement of the cookies?  Users' sophistication regarding the ways in which their web browser interacts with a webpage is not yet widespread.  Moreover, on some computers the security restrictions may make it impossible for the Internet user to configure the web browser to accept, deny, or prompt when a website is trying to download a cookie.

 If the Internet user is able to prove that a website placed or accessed the cookie without authorization, he or she still has to show that the cookie harmed his or her computer system's "'condition, quality, or value.'"121  Because of the relatively small size of a cookie, proving that the user's computer suffered harm is difficult.  Manufacturers build today's computers with so much hard drive space and processing power that the loss of either from a downloaded cookie or action tag is de minimis.

B. California State Law

1. Oyster Software, Inc. v. Forms Processing, Inc. (Oyster)122

 Forms Processing, Inc. (FPI) "hired [a third party] to increase its [website's] prominence with search engines."123  The third party sent robots to Oyster's website to copy and use Oyster's metatags on FPI's website.124

Oyster filed a suit claiming trespass to chattels under California law.125  California requires that the plaintiff "show that an intentional interference with the possession of personal property has proximately caused injury" to recover under trespass to chattels.126  Oyster did not claim that FPI's actions "interfered with the basic function of Oyster's computer system."127  Plaintiff admitted the robots created little more than a brief and slight interference.128  However, the court found this was enough; Oyster could prove trespass to chattels without showing "substantial" interference.129

 Thus, it is easier for a plaintiff to survive a motion for summary judgment in California than in Virginia.  The plaintiff must still show an "intentional interference[,]" but the user can meet this requirement without showing a "substantial interference[.]"130  It is enough that the cookie "placed a 'negligible' load on [his or her] computer[.]"131

The main problem with relying on state "trespass to chattels" law is jurisdiction.  There may be situations when the user and the cookie distributors are located in the same state.  However, this will often not be the case.  It is easy to imagine a company operating a website that has its principal place of business in California while the Internet user lives in a different state.  The parties would have to litigate which jurisdiction is controlling.  This decision may significantly affect whether the court recognizes trespass to chattels when a website downloads a cookie.  In California, the court allows a "negligible" interference to survive summary judgment,132 but a different state court may require a more substantial showing of interference.

VI. ALTERNATIVE PROPOSALS

In light of Internet users' lack of success litigating under the current options, there are two different ways to proceed - "Self-Governing Programs" or new legislation.

A. Self-Governing Programs / Alternatives to Legislation

1. Organization for the Advancement of Structured Information Standards (OASIS)133

OASIS is a great example of a voluntary organization designed to help promote e-business standards.134  OASIS is an international, not-for-profit organization.135  It strives to set universal e-business standards, including development and application of these standards.136  OASIS's members dictate its agenda.137  "OASIS produces worldwide standards for security, Web services, conformance, business transactions, supply chain, public sector, and interoperability within and between marketplaces."138  OASIS has technical committees discussing a variety of topics ranging from "Business Transactions" to "Web Services Security."139

OASIS currently has a group called "Web Services Business Process."140  Participants include Microsoft, IBM, and Sun Microsystems.141

Instead of creating individual and proprietary solutions, Microsoft, IBM, and Sun Microsystems (all rival companies), announced in the summer of 2002 their intent to join OASIS to develop "a technical standard to make sure Web services transactions are secure."142  The group provided the specifications to OASIS, enabling all users to use the same standards.143  This cooperation will allow businesses to conduct online transactions using the same standard, decreasing the fear that the other party does not follow a similar security policy.144  By creating a group within OASIS, the companies sacrificed the opportunity to try to corner the market on web transaction security.  This cooperation allowed the creation of a standard practice to design hardware and software to protect web transactions.

OASIS shows how competing companies can collaborate to develop standards for the Internet and not sacrifice a substantial competitive advantage.  By collaborating, the companies also helped foster a more controlled expansion of the Internet.  Without this alliance, websites may possess different levels of web transaction security, and the Internet user may not know whether his or her web transactions are truly secure.

OASIS is a great example of how alternatives to government regulation can achieve a positive result for both companies and Internet users.  One of the advantages of OASIS is that it has already achieved success in developing various standards with the Internet, such as web transactions.145

Another advantage is that OASIS already has an established membership.146  If OASIS designed and implemented standards for how owners of websites could use cookies and action tags, OASIS could use its current membership base to help promote the standards.

One of the disadvantages of OASIS is that it does not provide the owner of a website with any identifiable "seal" that he or she can place on his or her website.  Without a seal on the website, an Internet user likely will not know whether the website is following OASIS's standards.

Another disadvantage of OASIS is its primary focus on e-business.147  Although websites make heavy use of cookies and action tags in e-business, websites also use them outside the realm of e-business, such as how ABC uses cookies on its ESPN website.148

B. New Legislation

 As discussed above, plaintiffs have had minimal success surviving motions for summary judgment when plaintiffs used the CFAA, the Stored Communications Act, and the Federal Wiretap Act.149  Plaintiffs have had some success under various state law claims of trespass to chattels in similar situations.150  Unfortunately, with the state law claims, there is no guarantee of uniformity between the states.  Some states may require a higher showing of interference than other states.  A federal statute that addresses the failures of previous state and federal laws would protect Internet users from websites downloading cookies onto their hard drives.

First, the statute needs to apply to all parties who place a cookie onto an Internet user's hard drive.  This would include not only the company owning the website, but also any third party companies that the website may or may not have authorized to download the third party's cookie.

Second, the statute needs to address the information the party is gathering while the Internet user is viewing the website.  The "information" should cover everything from what webpages the Internet user viewed, to any personal information the Internet user provided such as birth date and name.

Third, the statute needs to allow for an exception when the Internet user consents to the downloading of the cookie.  Websites may need to use cookies to provide secure Internet transactions, such as ordering prescription drugs, or to provide a special service, such as customizable webpages.  The statute must recognize that some Internet web browsers have a default setting to accept all cookies without prompting the Internet user.  If the configuration of the web browser is set to automatically accept cookies, a presumption may arise that the Internet user has expressly accepted any and all cookies that a party downloads, regardless of whether the Internet user configured the web browser.

The statute needs to presume public computers have security restrictions preventing an Internet user from changing how the public computer will accept and deny cookies.  The statute would presume that the configuration on the public computer's web browser is set to accept some cookies.  Therefore, the statute will have to presume that the Internet user consented to any information recorded by a cookie on a public computer.

Fourth, the statute needs to provide that if the Internet user gives consent to a party to download a cookie or use an action tag for a specific purpose and the party exceeds this authority, then the party has violated this statute.

Fifth, if the statute has a damage threshold - like the CFAA - the statute needs to account for the relatively minimal processing intrusion on the Internet user's computer and the hardship in proving actual economic damages stemming from a cookie or an action tag.

Sixth, the statute needs to account for action tags.  It is significant to recognize that websites embed action tags within a webpage, unlike cookies, which websites download onto the Internet user's computer.  Since action tags provide less of an intrusion on the Internet user's actual computer hard drive, the statute will need to be cognizant of this difference.  The statute will recognize that even though a website does not download an action tag, it can still perform the same functions that a cookie does without the Internet user's knowledge.  The statute will also acknowledge that action tags will have some intrusion on a computer's processing information from the Internet, such as the time it takes the webpage to load.  The statute will require that without consent from the user, any information an action tag gathers will violate the statute.  Although action tags provide less of an intrusion on the Internet user's actual computer, the user will still have to meet the damage threshold.

Seventh, the statute needs to provide the Internet user with a sufficient remedy.  This remedy should include an opportunity for the Internet user to obtain a preliminary injunction barring the party from gathering any data or downloading any cookies onto the user's computer.  The statute should require a high standard of proof that continued substantial economic and computer system harm would result without the injunction.  The high burden of proof is required since the injunction may place an undue hardship on the defendant to prevent further cookies from being downloaded, especially if the user uses multiple computers.

Eighth, the statute needs to require an intention by the party(s) to download a cookie or use an action tag.  There should be a presumption that any cookie that a website or third party downloads or any action tag a website uses was intentional.  A high standard of proof should be required to overcome this presumption.

1. Advantages of the New Legislation

One advantage of a new Federal statute would be to provide Internet users another opportunity to claim relief.  Currently, the three federal statutes do not provide the Internet users much relief.151

Another advantage is that even though some plaintiffs have found success under state trespass to chattel claims, this new statute will provide all Internet users with the opportunity to seek relief under the same statute.  A company that has a website using cookies can conduct its principal place of business anywhere in the world.  Likewise, the computer the website is hosted on can be accessed anywhere in the world that has access to the Internet.  The Internet user can also access the website from anywhere in the world.  It is not inconceivable that the website, the company, and the Internet user will all be located in different states.  This presents a problem in deciding which state has jurisdiction and therefore, which state law applies.  The new statute will solve the questions on what law applies and prevent a company from forum shopping.

2. Disadvantages of the New Legislation

Litigation costs, however, are likely to prohibit the average Internet user from filing any claim regarding cookies or action tags.  To prove harm, the Internet user will likely have to use an expert witness to testify, increasing the cost of litigation.

Another challenge is the difficulty in writing a statute to provide a remedy from a website downloading a cookie or using an action tag without authorization.  This paper provides a guideline for what a new statute should entail, but it is difficult to frame a statute to account for the relatively small intrusion from a cookie or an action tag.  The damage threshold is particularly problematic.  Even with a low threshold amount for damages, this standard may still be too difficult or costly for an Internet user to prove.  If a user can never prove damages and therefore can never receive relief, then the statute serves no purpose.

VII. THE PAPER'S SOLUTION

This paper proposes a collaboration between companies and Internet users to formulate a not-for-profit online organization designed to create a best practices standard for websites using cookies or action tags.  The main goal of the organization will be to define standards for websites to inform an Internet user of the website's non-visible actions.

Current legislation is inadequate to prevent websites from using cookies and action tags to place files on an Internet user's computer either permanently or while he or she is viewing the website.  The most applicable Federal Statute, the CFAA, requires a minimum threshold of damages.152  For any computer owner, it is very difficult to prove damages from a cookie placed on a computer that is roughly 0.02% of a standard 1.4 MB floppy disk.153  Manufacturers currently make computers with hard drives around 40 GB.  Because a 37.2 gigabyte hard drive is approximately 27,446 standard floppy disks, it is difficult for a computer owner to show damage to his or her computer by a file that is 0.02% of one standard floppy disk.

The judicial process is also an ineffective way for most computer users to prevent websites from placing cookies on their computers.  The process is time-consuming and costly for an average computer user to remedy his or her grievance.  An average computer user will have neither the time nor the money to track down which website placed the cookie onto his or her computer.  The user is then forced to find a lawyer who is knowledgeable enough to litigate the claim.  A computer user is likely to not be offended by a party downloading a cookie onto his or her computer if the party informed him or her both that it was placing the cookie on the computer and of the cookie's purpose.

This organization will create a "seal" that members will place on their website to show that they belong to the organization.154  This will allow visitors to each website to know which websites are members of the organization and therefore follow the organization's policies and standards.  The seal will also link to the regulating organization's website where people can view its policies and standards.

A. Organization's Policies and Standards

To join the organization, the companies' websites must adhere to the organization's policies and standards.  The organization will list the members on its website.  The policies and standards of the organization do not prevent websites from utilizing cookies, action tags, and new technologies designed to monitor and download files onto the computer user's computer.  However, the regulations dictate that certain information be presented to the user about what is happening behind the scenes unknown to website visitors.  If the website downloads a cookie, the organization requires that the website disclose to the computer user what the website is doing.  The website will have to inform the user what it is downloading, what purpose the file serves, and if any reporting or monitoring is going to take place.  The standards will focus on the following:

(1) what, if anything, the website is placing on the Internet user's computer (e.g., placing a cookie on the user's hard drive);
(2) what, if anything, the website is allowing a third party to download onto the Internet user's computer (e.g., Pharmatrak downloading its cookie through the pharmaceutical companies' websites);
(3) what, if anything, the cookie the website placed onto the user's computer is doing;
(4) what, if anything, any action tag the website has is doing;
(5) what, if anything, any action tag the website is allowing a third party to use is doing; and
(6) what, if anything, the information the cookie or action tag gathers will be used for (e.g., whether the information is kept internally or whether the information will be sold to other companies).

B. Advantages of the Proposed Organization

The organization's "seal" provides an advantage over other solutions.  The "seal" will be a beacon to Internet users that this particular website is addressing the user's personal information privacy concerns.  The "seal" will designate that this website follows the policies and standards set forth by the organization.  The "seal" also provides a link to the organization, which will allow the user to see exactly what the website agreed to disclose to the user.

Websites and companies that join the organization will receive a competitive advantage over nonparticipating websites.  For example, take a user wanting to purchase a widget from a retail website.  The user conducted a search and found two options, website A and website B.  Both websites are selling exactly the same widget at the same price.  Assuming everything else is equal (e.g., no difference in shipping), the user will randomly choose either website to purchase the widget.  However, if website A is a member of the organization and website B is not, then this presents the user with a comparable difference between the websites.  If the user is cautious about conducting business through the Internet, specifically regarding an intrusion into the user's privacy, the user will use website A.  The user makes this choice knowing that even if website A places a cookie on the user's computer and monitors the user's shopping experience on A's website, the user will be warned.  Therefore, the Internet user will know exactly what website A is doing.  Whereas, if the user uses website B, the user will not know what the website is doing.

Another advantage of joining this organization is that the organization's standards are uniform standards for all websites.  Unlike a federal statute, these standards will apply to websites throughout the world.  Internet users will feel safe using websites that have Internet addresses outside the United States.  Internet users will not have to worry that websites outside the United States' jurisdiction are downloading cookies or using action tags without their permission if those websites are members of the organization.

This organization also alleviates the public computer problem discussed above.  If an Internet user is using a public computer to visit a website, the user will not have to worry about how the computer administrator configured the web browser to handle cookies or action tags.  If the user visits a website whose owner is a member of the organization, then the user knows that regardless of the web browser's configuration, the website will still inform the user what, if anything, the website is downloading.

 An additional advantage is that the organization is able to protect Internet users that do not know how to configure their web browsers to accept or deny cookies.  People that are unfamiliar with computers or the Internet do not realize they can adjust the web browser.  There will be a presumption that the Internet user consented to the website downloading a cookie if the configuration on the web browser is set to always accept cookies.  This organization eliminates this problem.  Because the organization requires its members to inform the user what the website will be gathering, this will allow a user to leave a website that he or she does not want gathering his or her information.

This organization can also easily adapt to rapidly changing technologies.  Although this organization's primary concern is with cookies and action tags, technology will likely create new methods to gather information about the Internet user.  If a company develops a new technology, hypothetically called MOP, that allows the company to monitor Internet users' activity through a process and maybe even a system unknown today, this organization's policies and standards may not apply.  However, unlike statutes, which are notorious for being slow to evolve to new areas, this organization can quickly adapt to any new technologies that emerge.  The members would only have to get together to best decide how to inform the user when visiting a website that the website is using MOP technology.  This flexibility will allow the organization to continually update its policies and standards to ensure that websites always inform Internet users what they are downloading and what information they are recording.

Another advantage is that the members will police themselves and the Internet community.  If a member of the organization is not complying with the policies and standards set forth by the organization, then the organization will revoke its membership.  If an owner of a website is not a member of the organization and places the "seal" on its site indicating that it is a member, there will be no membership for the organization to revoke.  However, the organization will be able to commence an action to force the website owner to remove the organization's "seal" under theories such as trademark violation and fraud.

C. Disadvantages of the Proposed Organization

 One of the main challenges is to convince companies to join the new organization.  The more companies that join in the beginning, the more successful the organization will become.  Companies will likely be skeptical of joining right away for fear of relinquishing a competitive advantage by becoming members.  However, this skepticism is irrational.  The organization does not prohibit the companies from using any cookies or action tags.  Instead, the organization requires the websites to inform the Internet user what they are doing.

Another disadvantage stems from companies that use cookies to collect information about Internet users (e.g., Pharmatrak).  Pharmatrak and other companies that utilize cookies to perform data mining functions will likely resist both having to inform Internet users that they are collecting information and having to announce what they are doing with the information (e.g., if they are selling the information).  Although companies like Pharmatrak may see this as a disadvantage, there will still be a market for these companies' services.

If a company joins the organization, it is likely that it will still want to monitor Internet activity on its website.  For example, the pharmaceutical companies hired Pharmatrak, a third party, to analyze and monitor Internet user activity on their websites.155  Presumably, one of the reasons the pharmaceutical companies hired a third party to monitor activity on their website was that the pharmaceutical companies did not have the resources to monitor the websites themselves.

A company (e.g., pharmaceutical company) whose primary business is not in the Internet industry, but who does conduct business through the Internet, may not possess the computer sophistication to monitor its own website.  It may be cost prohibitive for a company to develop and maintain the requisite resources to monitor website activity in-house.  However, companies, like Pharmatrak, may provide an inexpensive alternative.  All the company is doing by joining this new organization is proclaiming that it adheres to the organization's policies.  The company will still be able to monitor its website activity either in-house or by hiring a third party; the company will just have to provide the appropriate level of notice.

VIII. CONCLUSION

 Although the three current statutes have achieved some success through the courts, the ultimate problem with these options for Internet users is proving damages.  The hardship of proving damages coupled with the financial burden of litigating the issues through the court system make the current solutions impractical.  Therefore, Internet users need to look in a different direction.  This paper suggests creating an Internet-wide standard with policies regulating how websites inform Internet users when the website uses cookies, action tags, or any other technological means to gather information about the Internet user.


Endnotes

1 In re Pharmatrak, Inc. Privacy Litigation, 329 F.3d 9, 9 (1st Cir. 2003)[hereinafter Pharmatrak, Ct. of App. opinion].

2 Id.

3 Id. at 12.

4 Id.

5 Id.

6 Pharmatrak, Ct. of App. opinion, supra note 1, at 12.

7 Id. at 13.

8 Id.

9 Id.

10 Id. at 12.

11 Pharmatrak, Ct. of App. opinion, supra note 1, at 13.

12 Id.

13 Id. at 13-14.

14 Id. at 14.
 
15 Id.

16 Pharmatrak, Ct. of App. opinion, supra note 1, at 14.

17 Id.

18 Id.

19 Id.

20 Id.

21 Pharmatrak, Ct. of App. opinion, supra note 1, at 14.

22 Id. at 12.

23 Id. at 15.

24 Id.

25 Definitions, searchWebServices.com, at http://searchwebservices.techtarget.com/sDefinition/0,,sid26_gci212370,00.html (last visited Mar. 30, 2004)(defining Internet as "The Internet, sometimes called simply "the Net," is a worldwide system of computer networks").

26 Definitions, searchWebServices.com, at http://searchwebservices.techtarget.com/sDefinition/0,,sid26_gci212370,00.html (last visited Mar. 30, 2004).

27 Definitions, searchWebServices.com, at http://searchwebservices.techtarget.com/sDefinition/0,,sid26_gci212370,00.html (last visited Mar. 30, 2004).

28 Definitions, searchWebServices.com, at http://searchwebservices.techtarget.com/sDefinition/0,,sid26_gci211708,00.html (last visited Mar. 30, 2004)(defining browser as "A browser is an application program that provides a way to look at and interact with all the information on the World Wide Web.").

29 Definitions, searchMobileComputing.com, at http://searchmobilecomputing.techtarget.com/sDefinition/0,,sid40_gci214287,00.html (last visited Mar. 30, 2004)(defining PDA as "PDA (personal digital assistant) is a term for any small mobile hand-held device that provides computing and information storage and retrieval capabilities for personal or business use, often for keeping schedule calendars and address book information handy.").

30 Definitions, searchWebServices.com, at http://searchwebservices.techtarget.com/sDefinition/0,,sid26_gci212370,00.html (last visited Mar. 30, 2004).

31 Definitions, searchWebServices.com, at http://searchwebservices.techtarget.com/sDefinition/0,,sid26_gci212370,00.html (last visited Mar. 30, 2004).

32 Definitions, searchWebServices.com, at http://searchmobilecomputing.techtarget.com/sDefinition/0,,sid40_gci212051,00.html (last visited Mar. 30, 2004)(defining e-mail as "E-mail (electronic mail) is the exchange of computer-stored messages by telecommunication" and is popular use of the Internet).

33 ACLU v. Reno, 929 F.Supp. 824 (E.D.Pa. 1996).

34 See Definitions, searchWebServices.com, at http://searchwebservices.techtarget.com/sDefinition/0,,sid26_gci213352,00.html (last visited Mar. 30, 2004)(defining websites as a group of web pages).

35 Phone Book, Iowa State University, at http://ph.iastate.edu/cgi-bin/phonebook (last visited Mar. 30, 2004).

36 Chance v. Avenue A, Inc., 165 F.Supp.2d 1153, 1156 (W.D. Wash. 2001)[hereinafter Avenue A].

37 Id.

38 Id.

39 Id.

40 Id.

41 Avenue A, supra note 36, at 1156.

42 Pharmatrak, Ct. of App. opinion, supra note 1, at 14.

43 Id.

44 Id.

45 Michael R. Siebecker, Cookies and the Common Law: Are Internet Advertisers Trespassing on our Computers?, 76 S. CAL. L. REV. 893, 897 (2003)[hereinafter Siebecker].

46 Id.

47 Id.

48 Id.

49 Id.

50 Avenue A, supra note 36, at 1156-1157.

51 Id. ("By monitoring the mouse movements and key strokes of the user, ostensibly communications between the user's computer and the web site, Avenue A is able to update its cookie on the user's hard drive to reflect the user's web viewing habits.").

52 Jeffrey P. Cunard & Jennifer B. Coplan, Internet and E-Commerce: A Summary of Legal Developments, in COMMUNICATIONS LAW 2002 (2002), at 727 PLI/Pat 159, 267 (2002); Jeffrey P. Cunard & Jennifer B. Coplan, Selected Topics in E-Commerce and Internet Law: 2001, in MCLE MARATHON 2001 (2001), at 112 PLI/NY 241, 322-323 (2001); Jeffrey P. Cunard & Jennifer B. Coplan, Developments in Internet and E-Commerce Law: 2001, in COMMUNICATIONS LAW 2001 (2001), at 678 PLI/Pat 935, 1014-1015 (2001).

53 Jeffrey P. Cunard & Jennifer B. Coplan, Internet and E-Commerce: A Summary of Legal Developments, in COMMUNICATIONS LAW 2002 (2002), at 727 PLI/Pat 159, 267 (2002); Jeffrey P. Cunard & Jennifer B. Coplan, Selected Topics in E-Commerce and Internet Law: 2001, in MCLE MARATHON 2001 (2001), at 112 PLI/NY 241, 322-323 (2001); Jeffrey P. Cunard & Jennifer B. Coplan, Developments in Internet and E-Commerce Law: 2001, in COMMUNICATIONS LAW 2001 (2001), at 678 PLI/Pat 935, 1014-1015 (2001).

54 Jeffrey P. Cunard & Jennifer B. Coplan, Internet and E-Commerce: A Summary of Legal Developments, in COMMUNICATIONS LAW 2002 (2002), at 727 PLI/Pat 159, 267 (2002); Jeffrey P. Cunard & Jennifer B. Coplan, Selected Topics in E-Commerce and Internet Law: 2001, in MCLE MARATHON 2001 (2001), at 112 PLI/NY 241, 322-323 (2001); Jeffrey P. Cunard & Jennifer B. Coplan, Developments in Internet and E-Commerce Law: 2001, in COMMUNICATIONS LAW 2001 (2001), at 678 PLI/Pat 935, 1014-1015 (2001).

55 Alexander H. Burke, Information Harvesting on the Internet: A Consumer's Perspective on 2001 Proposed Legislation Restricting the Use of Cookies and Information Sharing, 14 LOY. CONSUMER L. REV. 125, 132 (2002).

56 Definitions, searchCRM.com, at http://searchcrm.techtarget.com/sDefinition/0,,sid11_gci211901,00.html (last visited Mar. 30, 2004).

57 Definitions, searchCRM.com, at http://searchcrm.techtarget.com/sDefinition/0,,sid11_gci789009,00.html (last visited Mar. 30, 2004).

58 Definitions, searchCRM.com, at http://searchcrm.techtarget.com/sDefinition/0,,sid11_gci789009,00.html (last visited Mar. 30, 2004).

59 Definitions, searchCRM.com, at http://searchcrm.techtarget.com/sDefinition/0,,sid11_gci789009,00.html (last visited Mar. 30, 2004).

60 Internet Explorer version 6.0.2600.

61 Internet Explorer version 6.0.2600.

62 Pharmatrak, Ct. of App. opinion, supra note 1, at 12.

63 Id. at 12-13.

64 Siebecker, supra note 45, at 897.

65 Avenue A, supra note 36, at 1156-1157.

66 Id.

67 Id.

68 Jeffrey P. Cunard & Jennifer B. Coplan, Internet and E-Commerce: A Summary of Legal Developments, in COMMUNICATIONS LAW 2002 (2002), at 727 PLI/Pat 159, 267 (2002); Jeffrey P. Cunard & Jennifer B. Coplan, Selected Topics in E-Commerce and Internet Law: 2001, in MCLE MARATHON 2001 (2001), at 112 PLI/NY 241, 322-323 (2001); Jeffrey P. Cunard & Jennifer B. Coplan, Developments in Internet and E-Commerce Law: 2001, in COMMUNICATIONS LAW 2001 (2001), at 678 PLI/Pat 935, 1014-1015 (2001).

69 Pharmatrak, Ct. of App. opinion, supra note 1, at 9.

70 18 U.S.C.A. § 1030 (2004).
"(a) Whoever--
. . .
(5)(A)(i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)--
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;
. . .
(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
. . ."

71 Avenue A, supra note 36, at 1158; 18 U.S.C.A. § 1030 (2004).

72 Avenue A, supra note 36, at 1158; 18 U.S.C.A. § 1030(a)(5)(i) (2004).

73 Avenue A, supra note 36, at 1158; 18 U.S.C.A. § 1030(a)(5)(ii) (2004).

74 Avenue A, supra note 36, at 1158; 18 U.S.C.A. § 1030(a)(5)(iii) (2004).

75 Avenue A, supra note 36, at 1158 (quoting 18 U.S.C.A. § 1030(a)(5)(iii) (2004)).

76 Avenue A, supra note 36, at 1158; 18 U.S.C.A. § 1030(g) (2004).

77 Avenue A, supra note 36, at 1158.

78 Id.

79 Id. at 1158-1159 (The unambiguous language of the CFAA "limits the threshold to a single act.").

80 Id.

81 Id.

82 Avenue A, supra note 36, at 1159-1160; In re Pharmatrak, Inc. Privacy Litigation, 220 F.Supp.2d 4, 15 (D.Mass. 2002)[hereinafter Pharmatrak, D. Ct. opinion 2002]; In re Intuit Privacy Litigation, 138 F.Supp.2d 1272, 1280-1281 (C.D.Cal. 2001)[hereinafter Intuit]; In re DoubleClick, Inc. Privacy Litigation, 154 F.Supp.2d 497, 526 (S.D.N.Y. 2001)[hereinafter DoubleClick].

83 Avenue A, supra note 36, at 1159.

84 Id.; 18 U.S.C.A. § 1030(g) (2004).

85 Avenue A, supra note 36, at 1159; 18 U.S.C. § 1030(g) (2004).

86 18 U.S.C.A. § 2701 (2004).
"(a) Offense.--Except as provided in subsection (c) of this section whoever--
(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or
(2) intentionally exceeds an authorization to access that facility;
and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.
(b) Punishment.--The punishment for an offense under subsection (a) of this section is--
(1) if the offense is committed for purposes of commercial advantage, malicious destruction or damage, or private commercial gain, or in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or any State--
(A) a fine under this title or imprisonment for not more than 5 years, or both, in the case of a first offense under this subparagraph; and
(B) a fine under this title or imprisonment for not more than 10 years, or both, for any subsequent offense under this subparagraph; and
(2) in any other case--
(A) a fine under this title or imprisonment for not more than 1 year or both, in the case of a first offense under this paragraph; and
(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under this subparagraph that occurs after a conviction of another offense under this section.
(c) Exceptions.--Subsection (a) of this section does not apply with respect to conduct authorized--
(1) by the person or entity providing a wire or electronic communications service;
(2) by a user of that service with respect to a communication of or intended for that user; or
(3) in section 2703, 2704 or 2518 of this title."

87 DoubleClick, supra note 82, at 507-508.

88 Id. at 507 (quoting 18 U.S.C.A. § 2701).

89 Id. at 507; 18 U.S.C.A. § 2701.

90 DoubleClick, supra note 82, at 511.

91 Id. ("Putting aside the issue of whether the cookie identification numbers are electronic communications at all, DoubleClick does not need anyone's authority to access them. The cookies' long-term residence on plaintiffs' hard drives places them outside of § 2510(17)'s definition of "electronic storage" and, hence, Title II's protection.").

92 Id. at 513 ("In every practical sense, the cookies' identification numbers are internal DoubleClick communications--both 'of' and 'intended for' DoubleClick.").

93 Id. at 514 ("In light of the above findings, we rule that all of plaintiffs' communications accessed by DoubleClick fall under § 2701(c)(2)'s exception or outside Title II and, accordingly, are not actionable. Therefore, plaintiffs' claim under the Title II (Claim I) is dismissed."); Avenue A, supra note 36, at 1162 ("In sum, web sites are users of the electronic communication service provided, as Plaintiffs allege, by personal computers accessing the Internet, and Avenue A's alleged access of the communications between personal computers and web sites is authorized by the web sites. As a result, the exception to the Stored Communications Act applies to Avenue A and judgment as a matter of law is appropriate."); Pharmatrak, D. Ct. opinion, 2002, supra note 82, at 5-6.

94 Intuit, supra note 82, at 1277.

95 Id. ("If the thrust of Defendant's 'third party' contention is that it was authorized to access data in Plaintiffs' computer, the court must reject it as it directly conflicts with Plaintiffs' allegations that Defendant was not so authorized, which allegations the court must accept as true for the purposes of a Rule 12(b)(6) motion to dismiss . . . The court concludes that [Plaintiff's] allegation [that Defendant accessed data contained in 'cookies' that it placed in Plaintiffs' computers' electronic storage] satisfies the liberal requirements of Rule 8(a)(2) . . . the court [also] concludes that Plaintiffs' allegations are not impermissibly factually inconsistent . . . The fact that Plaintiffs have alleged that certain electronic communications were intercepted in transit at one time does not preclude it from also alleging that other electronic communications were accessed while in electronic storage at another time.").

96 18 U.S.C.A. § 2511 (2004).
 

18 U.S.C.A. § 2520 (2004).
"(a) In general.--Except as provided in section 2511(2)(a)(ii), any person whose wire, oral, or electronic communication is intercepted, disclosed, or intentionally used in violation of this chapter may in a civil action recover from the person or entity, other than the United States, which engaged in that violation such relief as may be appropriate.
(b) Relief.--In an action under this section, appropriate relief includes--
(1) such preliminary and other equitable or declaratory relief as may be appropriate;
(2) damages under subsection (c) and punitive damages in appropriate cases; and
(3) a reasonable attorney's fee and other litigation costs reasonably incurred.
. . .
(e) Limitation.--A civil action under this section may not be commenced later than two years after the date upon which the claimant first has a reasonable opportunity to discover the violation.
 . . ."

97 Pharmatrak, Ct. of App. opinion, supra note 1, at 18.

98 18 U.S.C.A. § 2511(1)(a) (2004).

99 18 U.S.C.A. § 2520 (2004).

100 Pharmatrak, Ct. of App. opinion, supra note 1, at 18.

101 Id. at 18-19.

102 DoubleClick, supra note 82, at 519; Avenue A, supra note 36, at 1163.

103 DoubleClick, supra note 82, at 519; Avenue A, supra note 36, at 1163; Intuit, supra note 82, at 1279.

104 In re Pharmatrak, Inc. Privacy Litigation, 292 F.Supp.2d 263, 268 (D.Mass. 2003)[hereinafter Pharmatrak, D. Ct. opinion, 2003].

105 Id. at 266 ("Defendants argue that none of the facts indicates any kind of actionable intent on their part, and set forth three principal arguments in support of their summary judgement motion: (1) there was only a small amount of personal data actually found on Pharmatrak's computer servers; (2) errors from third parties caused the collection of the personal data; and (3) Defendants had no knowledge of the existence of the personal data until after Plaintiffs' filed their lawsuit.").

106 Id. at 268.

107 Intuit, supra note 82, at 1277.

108 Avenue A, supra note 36, at 1159-1160; Pharmatrak, D. Ct. opinion, 2002, supra note 82, at 15; Intuit, supra note 82, at 1280-1281; DoubleClick, supra note 82, at 526.

109 Avenue A, supra note 36, at 1159-1160; Pharmatrak, D. Ct. opinion, 2002, supra note 82, at 15; Intuit, supra note 82, at 1280-1281; DoubleClick, supra note 82, at 526.

110 DoubleClick, supra note 82, at 514 ("In light of the above findings, we rule that all of plaintiffs' communications accessed by DoubleClick fall under § 2701(c)(2)'s exception or outside Title II and, accordingly, are not actionable. Therefore, plaintiffs' claim under the Title II (Claim I) is dismissed."); Avenue A, supra note 36, at 1162 ("In sum, web sites are users of the electronic communication service provided, as Plaintiffs allege, by personal computers accessing the Internet, and Avenue A's alleged access of the communications between personal computers and web sites is authorized by the web sites. As a result, the exception to the Stored Communications Act applies to Avenue A and judgment as a matter of law is appropriate."); Pharmatrak, D. Ct. opinion, 2002, supra note 82, at 5-6.

111 DoubleClick, supra note 82, at 519; Avenue A, supra note 36, at 1163; Intuit, supra note 82, at 1279.

112 Pharmatrak, D. Ct. opinion, 2003, supra note 104, at 268.

113 America Online, Inc. v. IMS, 24 F.Supp.2d 548, 548 (E.D. Va. 1998)[hereinafter IMS].

114 Id.

115 Id. at 549.

116 Id.

117 Id. at 550; See America Online, Inc. v. LCGM, Inc., 46 F.Supp.2d 444, 451-452 (E.D. Va. 1998)[hereinafter LCGM].

118 IMS, supra note 113, at 550; See LCGM, supra note 117, at 451-452.

119 IMS, supra note 113, at 550 (quoting Restatement (Second) of Torts § 218(b)); See LCGM, supra note 117, at 452.

120 IMS, supra note 113, at 550; See LCGM, supra note 117, at 451-452.

121 IMS, supra note 113, at 550 (quoting Restatement (Second) of Torts § 218(b)); See LCGM, supra note 117, at 452.

122 Oyster Software, Inc. v. Forms Processing, Inc., 2001 WL 1736382 (N.D. Cal. 2001)[hereinafter Oyster].

123 Id. at 2.

124 Id.

125 Id.

126 Id. at 12; See eBay Inc. v. Bidder's Edge, Inc., 100 F.Supp.2d 1058, 1069 (N.D. Cal. 2000).

127 Oyster, supra note 122, at 13.

128 Id.

129 Id.

130 Id. (emphasis added).

131 Id.

132 Oyster, supra note 122, at 13.

133 Homepage, OASIS, at http://www.oasis-open.org/home/index.php (last visited Mar. 30, 2004).

134 Homepage, OASIS, at http://www.oasis-open.org/home/index.php (last visited Mar. 30, 2004) (defining OASIS as a volunteer organization promoting e-business standards).

135 About, OASIS, at http://www.oasis-open.org/who/ (last visited Mar. 30, 2004).

136 About, OASIS, at http://www.oasis-open.org/who/ (last visited Mar. 30, 2004).

137 About, OASIS, at http://www.oasis-open.org/who/ (last visited Mar. 30, 2004).

138 About, OASIS, at http://www.oasis-open.org/who/ (last visited Mar. 30, 2004).

139 See Homepage, OASIS, at http://www.oasis-open.org/home/index.php (last visited Mar. 30, 2004) (defining technical committees as including "Business Transactions" and "Web Services Security").

140 Web Services Business Process Execution Language TC, OASIS, at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wsbpel (last visited Mar. 30, 2004).

141 Web Services Business Process Execution Language TC, OASIS, at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wsbpel (last visited Mar. 30, 2004).

142 Wired News, Stop the Presses: Sun Joins MS (Jun. 27, 2002) at http://www.wired.com/news/business/0,1367,53540,00.html (last visited Mar. 30, 2004).

143 Wired News, Stop the Presses: Sun Joins MS (Jun. 27, 2002) at http://www.wired.com/news/business/0,1367,53540,00.html (last visited Mar. 30, 2004).

144 Wired News, Stop the Presses: Sun Joins MS (Jun. 27, 2002) at http://www.wired.com/news/business/0,1367,53540,00.html (last visited Mar. 30, 2004).

145 See Homepage, OASIS, at http://www.oasis-open.org/home/index.php (last visited Mar. 30, 2004).

146 See Homepage, OASIS, at http://www.oasis-open.org/home/index.php (last visited Mar. 30, 2004).

147 Homepage, OASIS, at http://www.oasis-open.org/home/index.php (last visited Mar. 30, 2004).

148 Terms of Use of ABC Sports Website, ABC SPORTS, at http://espn.go.com/abcsports/legal/termsofuse.html (last visited Mar. 30, 2004).

149 In re DoubleClick Inc. Privacy Litigation, 154 F.Supp.2d 497 (S.D.N.Y. 2001); Chance v. Avenue A, Inc., 165 F.Supp.2d 1153 (W.D.Wash. 2001); In re Intuit Privacy Litigation, 138 F.Supp.2d 1272 (C.D.Cal. 2001); In re Pharmatrak, Inc. Privacy Litigation, 292 F.Supp.2d 263 (D.Mass. 2003).

150 Oyster Software, Inc. v. Forms Processing, Inc., 2001 WL 1736382 (N.D. Cal. 2001); America Online, Inc. v. IMS, 24 F.Supp.2d 548 (E.D. Va. 1998); America Online, Inc. v. LCGM, Inc., 46 F.Supp.2d 444 (E.D. Va. 1998).

151 See In re DoubleClick Inc. Privacy Litigation, 154 F.Supp.2d 497 (S.D.N.Y. 2001); Chance v. Avenue A, Inc., 165 F.Supp.2d 1153 (W.D.Wash. 2001); In re Intuit Privacy Litigation, 138 F.Supp.2d 1272 (C.D.Cal. 2001); In re Pharmatrak, Inc. Privacy Litigation, 292 F.Supp.2d 263 (D.Mass. 2003).

152 $5,000 minimum damages under 18 U.S.C. § 1030.

153 Based on an average of 98 cookies on my hard drive on 3/1/2004. The total size of the cookies was 24,958 bytes. The average size was approximately 254.67 bytes. The average size of a standard 1.4 MB floppy disk is 1,457,664 bytes.

154 To protect against rogue web sites placing the seal on their web site without being a part of the organization, the organization will trademark the seal.

155 Pharmatrak, D. Ct. opinion, 2003, supra note 104, at 12.