Court Rules URI Content Subject to Wiretap Rules
On May 9, 2003, the First Circuit U.S. Court of Appeals has issued a key ruling, defining that "content" protected by the Electronic Communications Privacy Act (ECPA) can include part of URIs -- Web addresses that include search terms or the results of fill-out forms.
"The decision recognizes that URIs are more than the Web equivalent of telephone numbers," commented Matt Curtin, Interhack's founder, and expert witness for the Plaintiffs in this litigation. "URIs can contain the content of a communication from one party to another. Query strings that include search terms, and the results of fill-out forms, for example, are the content of the communication."
In its decision, the Court wrote:
Pharmatrak argues that there was no intercept because "there were always two separate communications: one between the Web user and the Pharmaceutical Client, and the other between the Web user and Pharmatrak." This argument fails for two reasons. First, as a matter of law, even the circuits adopting a narrow reading of the Wiretap Act merely require that the acquisition occur at the same time as the transmission; they do not require that the acquisition somehow constitute the same communication as the transmission. Second, Pharmatrak acquired the same URL query string (sometimes containing personal information) exchanged as part of the communication between the pharmaceutical client and the user. Separate, but simultaneous and identical, communications satisfy even the strictest real-time requirement.
Privacy is serious business. Online privacy can be subtle, and needs attention to be addressed properly. Friday's decision helps to clarify some important issues regarding what is protected "content" under ECPA.
For More Information
- CNET News: Court draws a line for online privacy.
- U.S. Court of Appeals for the First Circuit: Opinion 02-2138.01A.
About Interhack
Interhack is a provider of information assurance, forensic computing, and IT professional services. With practice areas covering domains such as electronic privacy and security for HIPAA, GLBA, and other industry regulation, Interhack helps companies all over North America to be sure that they can say what they do, and do what they say.