Court Tells Plaintiff Oft-Abused Wiretap Act Can’t Be Abused To Cover Website Interactions

Very few states laws can be considered to be “famous.” Almost any state law immediately recognized by people in other states can only be described as “infamous.” The Wiretap Law enacted in Massachusetts is definitely infamous.

For years, this statute was abused by law enforcement officers and other state employees to punish or prosecute residents who recorded them performing their public duties. This sort of thing occurred regularly in the state until a federal court told the state government the law couldn’t be used to arrest people for recording cops or other government employees.

But the law remains problematic, not just because of this oft-observed abuse but because the law’s language is vague enough to encompass almost any definition of communication and almost any entity that might have the ability to eavesdrop on the communications of others.

Because of that, it takes the Massachusetts Supreme Judicial Court 93 pages [PDF] to arrive at the obvious conclusion that a hospital website passing browser information on to advertisers and other third parties is not a violation of the Wiretap Act. (via Courthouse News Service)

The plaintiff visited the website of two hospitals. During these visits to their sites, she accessed publicly-available information. At no time did she interact with any health care professionals, chatbots, chatbots pretending to be health care professionals, or provide any of her personal information (including any health issues) to anyone or anything.

Sometime later, she decided to sue both of the hospitals whose sites she had visited, claiming that their sharing of her browsing activity with third parties was somehow the sort of eavesdropping and communications interception the state law was enacted to deter.

The court is sympathetic. But even considering the vague language of the state law, it can’t find anything that would suggest the law was written to prevent websites from sharing user information with third parties.

Put most simply (and ahead of another 90 pages of discussion, including some dissenting opinions), the state law was designed to combat the sort of thing people most commonly associate with wiretaps: the interception of personal communications. While “wiretap” has historically referred to telephone conversations, it is understood that it also covers personal electronic communications. However, no conversations occurred here:

The interactions here are not with another person but with a website. Nor are they personal conversations or messages being intercepted, but rather the tracking of a website user’s browsing of, and interaction with, information published on a website.

That’s not to say it’s ok for any and all websites to harvest as much information as they can in order to please advertisers, data brokers, or some innate desire to just collect as much as you can because you never know when it might prove useful. In fact, there may still be some cause of action here. But the Wiretap Act isn’t the vehicle for redress.

Make no mistake, the hospitals’ alleged conduct here raises serious concerns, and may indeed violate various other statutes and give rise to common-law causes of action more specifically directed at the improper handling of confidential information, particularly confidential medical information. And we do not in any way minimize the serious threat to privacy presented by the proliferation of third-party tracking of an individual’s website browsing activity for advertising purposes. These concerns, however, should be addressed to the Legislature.

On top of that, the hospital sites provided a pop-up message to first-time visitors informing them of the sites’ use of cookies and providing links to privacy policies and third-party use of collected data. That’s hardly a furtive act, the sort of thing the Wiretap Act was written to address. Even if it’s true no one reads the fine print and that sites tend to gather way more info than might seem necessary, it’s not as though the websites accessed the plaintiff’s computer on their own and started looking for data to gather or, more directly, personal information to intercept.

Even if the statute is vague and even if the court is inclined to believe simply browsing a website could be construed as a personal communication between the site visitor and the website, reading the state statute this way would result in the criminalization of information gathering at any website anywhere, something clearly not intended by legislators when they crafted the law.

In analyzing whether the interception of this information constitutes a criminal violation, we must keep in mind that the statute does not distinguish medical information from other information, or hospital websites from other websites.

Consequently, we must impose a common definition of communication of information for all websites. For example, would it be a criminal violation if a user browses a music or sports website to inquire about particular songs or athletes, and the music website or sports website tracks its users, and shares that information with Internet advertisers without the user’s consent? Under this interpretation, it would appear that thousands of website owners could potentially face severe criminal and civil penalties for using tracking tools needed to support an advertising-based business model that is so common on the Internet.

While no doubt there are some legislators that would like to see this very thing happen, that simply isn’t the case here. Demanding better privacy protections for web users is a good thing, but a Wiretap Act clearly meant to criminalize illegal interception of personal communications isn’t the way to achieve this end. That was never the case here, and recent jurisprudence concerning the public recording of public officials further narrows the breadth of the law to target only the eavesdropping and interception of private communications legislators had in mind when they wrote it. While it’s easy to expand the law to cover text messages, email, and private messages via social media platforms, it’s impossible to believe the surface-level gathering of user interaction data could possibly be considered a violation of this law.