Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 1

UNITED STATES COURT OF APPEALS FOR THE TENTH CIRCUIT _________________________________________________ Kathleen KIRCH and Terry KIRCH, Plaintiffs-Appellants, v. EMBARQ MANAGEMENT CO., a Delaware corporation, and UNITED TELEPHONE COMPANY OF EASTERN KANSAS, a Delaware corporation, Defendants-Appellees, and DOE DEFENDANTS 1-5, Defendant. Case No. 11-3275

ORAL ARGUMENT REQUESTED

Appeal from an Order of the United States District Court for the District of Kansas Case No. 10-CV-2047 JAR/GLR The Honorable Julie A. Robinson

BRIEF OF DEFENDANTS-APPELLEES EMBARQ MANAGEMENT CO. AND UNITED TELEPHONE COMPANY OF EASTERN KANSAS

J. Emmett Logan STINSON MORRISON HECKER LLP 1201 Walnut, Suite 2900 Kansas City, MO 64106 (816) 691-2745

David A. Handzo Matthew E. Price JENNER & BLOCK LLP 1099 New York Ave. NW Suite 900 Washington, DC 20001 (202) 639-6000

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 2

CORPORATE DISCLOSURE STATEMENT Pursuant to Fed. R. App. P. 26.1, Defendants-Appellees Embarq Management Company and United Telephone Company of Eastern Kansas make the following corporate disclosure statement listing parties that are not direct parties in this appeal but do have some interest in, or a relationship with, the litigation or the outcome of the litigation: Embarq Management Company and United Telephone Company of Eastern Kansas are wholly owned subsidiaries of CenturyLink, Inc., a publicly traded company. No publicly traded company owns 10% or more of CenturyLink, Inc.’s shares.

i

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 3

TABLE OF CONTENTS CORPORATE DISCLOSURE STATEMENT ..........................................................i TABLE OF AUTHORITIES ....................................................................................iv GLOSSARY........................................................................................................... viii STATEMENT OF RELATED CASES ..................................................................... 1 STATEMENT OF THE ISSUES............................................................................... 1 STATEMENT OF THE CASE .................................................................................. 2 STATEMENT OF FACTS ........................................................................................ 5 A. B. C. D. The NebuAd System ............................................................................. 5 The NebuAd Test .................................................................................. 9 Plaintiffs Consented to the NebuAd Test ............................................ 10 Embarq Did Not Intercept the Content of Any Communications .................................................................................. 12 Plaintiffs’ Suit and the District Court’s Decision ............................... 13

E.

SUMMARY OF ARGUMENT ............................................................................... 17 ARGUMENT ........................................................................................................... 20 I. II. STANDARD OF REVIEW ........................................................................... 20 EMBARQ DID NOT INTERCEPT ANY COMMUNICATION AND IT CANNOT BE HELD VICARIOUSLY LIABLE FOR ANY INTERCEPTION BY NEBUAD......................................................... 20 A. Under the Wiretap Act, “Intercept” Means the “Acquisition of the Contents” of a Communication ........................... 20

ii

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 4

B.

The Undisputed Facts Show That Embarq Did Not Acquire the Contents of Any Communication .................................... 23 Embarq Cannot Be Held Civilly Liable Under the Wiretap Act For Interception Or Prohibited Use By NebuAd ............................................................................................... 27

C.

III.

THE DISTRICT COURT CORRECTLY HELD THAT EMBARQ WAS ENTITLED TO SUMMARY JUDGMENT IN VIEW OF PLAINTIFFS’ CONSENT ............................................................................ 35 A. Embarq’s Activation Agreement and Privacy Policy Allowed Embarq To Share With Third Parties the Web Sites Its Subscribers Visited ................................................................ 35 Plaintiffs’ Arguments Concerning Consent Are Without Merit and Misstate the Record on Summary Judgment ...................... 40

B.

IV.

THE NEBUAD TEST WAS CONDUCTED IN THE ORDINARY COURSE OF EMBARQ’S BUSINESS ........................................................ 44 A. The Wiretap Act Does Not Prohibit the Interception of Communications by an Internet Service Provider For a Legitimate Business Purpose .............................................................. 44 Embarq’s Conduct of the NebuAd Test Was For a Legitimate Business Purpose, Not Surreptitious, and in the Ordinary Course of Business......................................................... 47 Plaintiffs Fail to Address the “Ordinary Course of Business” Defense ............................................................................... 53

B.

C.

CONCLUSION ........................................................................................................ 55 ORAL ARGUMENT STATEMENT ...................................................................... 55 CERTIFICATE OF COMPLIANCE ....................................................................... 56 CERTIFICATE OF SERVICE ................................................................................ 57 iii

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 5

TABLE OF AUTHORITIES CASES Adams v. City of Battle Creek, 250 F.3d 980 (6th Cir. 2001)............................46, 47 Amati v. City of Woodstock, 176 F.3d 952 (7th Cir. 1999)................................38, 47 Arias v. Mutual Central Alarm Service, Inc., 202 F.3d 553 (2d Cir. 2000) ...... 46, 47 Baca v. Sklar, 398 F.3d 1210 (10th Cir. 2005) ........................................................ 20 Berry v. Funk, 146 F.3d 1003 (D.C. Cir. 1998) ....................................................... 53 Borninski v. Williamson, No. Civ. A. 3:02CV1014-L, 2005 WL 1206872 (N.D. Tex. May 17, 2005) .................................................................................. 38 Cardoso v. Calbone, 490 F.3d 1194 (10th Cir. 2007) ............................................. 20 Carpenter v. Boeing Co., 456 F.3d 1183 (10th Cir. 2006) ...................................... 54 Central Bank of Denver, N.A. v. First Interstate Bank of Denver, N.A., 511 U.S. 164 (1994) ................................................................................................... 28 Colautti v. Franklin, 439 U.S. 379 (1979) ............................................................... 21 Crowley v. CyberSource Corp., 166 F. Supp. 2d 1263 (N.D. Cal. 2001) ......... 29, 30 Deering v. CenturyTel, No. CV 10-63-BLG-RFC, 2011 WL 1842859 (D. Mont. May 16, 2011) .......................................................................................... 39 DirecTV, Inc. v. Barnes, 302 F. Supp. 2d 774 (W.D. Mich. 2004) ......................... 22 DirecTV, Inc. v. Bennett, 470 F.3d 565 (5th Cir. 2006) .......................................... 23 DirecTV, Inc. v. Goehre, No. 03-CV-1106, 2005 WL 2275940 (E.D. Wis. Sept. 19, 2005) .................................................................................................... 31 DirecTV, Inc. v. Regall, 327 F. Supp. 2d 986 (E.D. Wis. 2004) ............................. 30 DirecTV, Inc. v. Spillman, No. Civ. A. SA-04-82-XR, 2004 WL 1875045 (W.D. Tex. Aug. 23, 2004) ........................................................................... 30-31 Doe v. GTE Corp., 347 F.3d 655 (7th Cir. 2003) ............................28, 29, 30, 33, 34 iv

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 6

Franklin v. City of Chicago Police Department, No. 02-C-3354, 2004 WL 1921027 (N.D. Ill. July 9, 2004), aff’d, 175 F. App’x 740 (7th Cir. 2005) ....... 32 Freeman v. DirecTV, Inc., 457 F.3d 1001 (9th Cir. 2006) ..........................28, 33, 34 Griggs-Ryan v. Smith, 904 F.2d 112 (1st Cir. 1990) .........................................35, 38 Gunderson v. Gunderson, No. 02-1078-CVW-ODS, 2003 WL 1873912 (W.D. Mo. Apr. 14, 2003) .................................................................................. 31 Hall v. EarthLink Network, Inc., 396 F.3d 500 (2d Cir. 2005) ............................... 45 Hobbs ex rel. Hobbs v. Zenderman, 579 F.3d 1171 (10th Cir. 2009) ..................... 20 In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001) .............................................................................................................35, 50 In re Pharmatrak, Inc., 329 F.3d 9 (1st Cir. 2003)......................................33, 34, 41 In re Toys R Us, Inc., Privacy Litigation, No. 00-cv-2746, 2001 WL 34517252 (N.D. Cal. Oct. 9, 2001)...................................................29, 30, 31, 50 James v. Newspaper Agency Corp., 591 F.2d 579 (10th Cir. 1979) .................................................................................... 17, 19, 44, 45, 51, 54 Mauerhan v. Wagner Corp., 649 F.3d 1180 (10th Cir. 2011) ................................. 44 Mortensen v. Bresnan Communications LLC, No. CV 10-13-BLG-RFC, 2010 WL 5140454 (D. Mont. Dec. 13, 2010) .................................................... 39 PBA Local No. 38 v. Woodbridge Police Department, 832 F. Supp. 808 (D.N.J. 1993)....................................................................................................... 32 Peavy v. WFAA-TV, Inc., 221 F.3d 158 (5th Cir. 2000) ........................28, 29, 30, 33 Perkins-Carrillo v. Systemax, Inc., No. Civ. A. 1:03-CV2836-TW, 2006 WL 1553957 (N.D. Ga. May 26, 2006) ..................................................................... 32 Price v. Turner, 260 F.3d 1144 (9th Cir. 2001) ....................................................... 50 Quigley v. Rosenthal, 327 F.3d 1044 (10th Cir. 2003) ............................................ 33 Reynolds v. Spears, 93 F.3d 428 (8th Cir. 1996) ...............................................28, 33

v

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 7

Sanders v. Robert Bosch Corp., 38 F.3d 736 (4th Cir. 1994).................................. 22 Southern Ute Indian Tribe v. Sebelius, 657 F.3d 1071 (10th Cir. 2011), petition for cert. filed, 80 U.S.L.W. 3431 (U.S. Dec. 19, 2011) (No. 11762) ..................................................................................................................... 21 Stone v. INS, 514 U.S. 386 (1995) ........................................................................... 30 United States v. Amen, 831 F.2d 373 (2d Cir. 1987) ............................................... 38 United States v. Gonzales, 456 F.3d 1178 (10th Cir. 2006) .................................... 21 United States v. Lanier, 520 U.S. 259 (1997) .......................................................... 23 United States v. New York Telephone Co., 434 U.S. 159 (1977) ................18, 22, 24 United States v. Smith, 155 F.3d 1051 (9th Cir. 1998) ......................................21, 22 United States v. Van Poyck, 77 F.3d 285 (9th Cir. 1996) ..................................35, 38 United States v. Verdin-Garcia, 516 F.3d 884 (10th Cir. 2008) ............................. 35 Williams v. Poulos, 11 F.3d 271 (1st Cir. 1993)...................................................... 41 STATUTES 18 U.S.C. § 2510(4) ............................................................ 17, 18, 19, 21, 23, 24, 44 18 U.S.C. § 2510(5)(a)(ii) ......................................................................17, 19, 44, 45 18 U.S.C. § 2510(8) ................................................................................................. 22 18 U.S.C. § 2511(1)(a)(i) ......................................................................................... 30 18 U.S.C. § 2511(2)(a)(i) ......................................................................................... 53 18 U.S.C. § 2511(2)(d).................................................................................16, 27, 35 18 U.S.C. § 2520 ..........................................................................................16, 20, 27 18 U.S.C. § 2520(a) ................................................................................................. 28 18 U.S.C. § 2702 ...................................................................................................... 28 18 U.S.C. § 2707(a) ................................................................................................. 28 vi

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 8

LEGISLATIVE MATERIALS H.R. Rep. No. 99-647 (1986) ................................................................................... 30 S. Rep. No. 90-1097 (1968), reprinted in 1968 U.S.C.C.A.N. 2112 ................46, 52 OTHER AUTHORITIES Fed. R. Civ. P. 56(a)................................................................................................. 20 Webster’s Third New International Dictionary Unabridged (1993) ....................... 21

vii

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 9

GLOSSARY

CPNI ECPA ISP PII URL UTA

Customer Proprietary Network Information Electronic Communications Privacy Act Internet Service Provider Personally Identifiable Information Uniform Resource Locator Ultra-Transparent Appliance

viii

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 10

STATEMENT OF RELATED CASES Defendants-Appellees are not aware of any prior or related appeals. STATEMENT OF THE ISSUES 1. Whether the District Court correctly held that Defendants (collectively

“Embarq”) could not be held liable under the Wiretap Act when it was undisputed that they did not acquire the contents of any communication. 2. Whether the District Court correctly held that Plaintiffs consented to

the use of the websites they visited and online searches they conducted to deliver targeted advertisements. 3. Whether Embarq’s field test of an Internet advertising service run by

NebuAd, Inc., was in the ordinary course of Embarq’s business.

1

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 11

STATEMENT OF THE CASE This action arises out of a brief field test in which Embarq, an Internet Service Provider (“ISP”), permitted NebuAd, Inc. (“NebuAd”) to serve targeted Internet advertising to Embarq’s customers in and around Gardner, Kansas, based on anonymized profiles that NebuAd created. App. 273 ¶¶ 1-2; App. 60.1 Contrary to Plaintiffs’ assertions, Embarq did not “acquire[],” “cull,” or “analyz[e]” any communications. Br. 3-4. Rather, the undisputed facts show that Embarq had no access at all to its customers’ communications, other than the access it necessarily had as an ISP. Nor did Embarq have any access to the profiles that NebuAd created. App. 280 ¶¶ 51-52; App. 64 ¶¶ 51-52; App. 559 ¶ 51; App. 450. The NebuAd field test was conducted between December 2007 and March 2008. App. 275 ¶ 17; App. 60. NebuAd’s technology analyzed users’ deidentified web-surfing activity to make Internet advertising more relevant and interesting to users. App. 274 ¶ 5, 280 ¶ 48; App.60, 63. For example, if a user visited a variety of automotive websites, the advertisements the user saw while browsing certain other web pages might be for automobile-related products. Users received the same number of advertisements but were more likely to be interested

1

“App.” refers to Plaintiffs-Appellants’ Revised Appendix. “Br.” refers to Plaintiffs-Appellants’ Revised Brief. 2

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 12

in them. This kind of targeted advertising – known as “behavioral advertising” – is a massive business populated by leading American technology companies such as Google, Yahoo, Microsoft, and AOL. App. 283 ¶ 70; App. 66. In November 2008, Plaintiffs brought suit in the Northern District of California against NebuAd, Embarq, and several other ISPs alleging violations of the Wiretap Act (also known as the “Electronic Communications Privacy Act” or “ECPA”). See Valentine et al. v. NebuAd, Inc. et al., No. 3:08-cv-05113 (N.D. Cal.) (“California Case”). Plaintiffs’ California complaint alleged that NebuAd, rather than Embarq, had intercepted their electronic communications. App. 35052, 354 (¶¶ 60, 68, 75). Embarq moved to dismiss the California complaint on multiple grounds, including that Plaintiffs had failed to state a claim under the Wiretap Act in light of Embarq’s passive role. California Case, ECF No. 44. The District Court instead chose to dismiss the suit against Embarq and other ISPs for lack of personal jurisdiction without reaching the merits. California Case, ECF No. 166. Plaintiffs elected to refile their case against Embarq in the District of Kansas. App. 7-44. They also continued their suit against NebuAd in California, continuing to assert that NebuAd intercepted Plaintiffs’ communications. The California case ultimately settled. California Case, ECF No. 251.

3

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 13

Plaintiffs voluntarily dismissed three of the four counts they alleged in Kansas, App. 316-18, and Embarq then moved for summary judgment on the remaining count (the Wiretap Act). App. 264. On August 19, 2011, the District Court (the Honorable Julie A. Robinson) granted summary judgment on two independent grounds. First, it held that Embarq could not be held civilly liable for interception under the Wiretap Act because it was undisputed that Embarq did not acquire any of the information concerning its customers’ web surfing activity. Order at 12-15.2 Second, it held that Plaintiffs had consented to the use by third parties of their de-identified web-browsing behavior when they accessed the Internet under the terms of Embarq’s Privacy Policy. Id. at 15-18. Embarq had additionally argued that it could not be held liable because the NebuAd test took place in the “ordinary course of business” as that term has been interpreted by this Court. The District Court did not reach that third defense, but did “note[] that this defense also appears to have merit.” Id. at 18 n.42.

The District Court’s Order granting summary judgment to Embarq is reprinted as Ex. A to Plaintiffs-Appellants’ Brief and is also available at App. 242-60. 4

2

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 14

STATEMENT OF FACTS A. The NebuAd System.

Internet advertising networks – including those owned by companies such as Google, Yahoo, Microsoft, and AOL – seek to gain insight into an Internet user’s interests by partnering with numerous websites and tracking a user’s web-browsing activity as he surfs from one website to another. App. 370-73. The advertising networks use that information to build a profile of a user’s interests, and can then serve a user with advertising targeted to those interests. App. 373; App. 284 ¶ 80; App. 67. This is known as “behavioral advertising.” NebuAd was essentially an advertising network, but instead of partnering with numerous individual websites to gain information concerning users’ interests, it instead contracted with ISPs to allow it to install a piece of hardware – which it called the “Ultra-Transparent Appliance” or “UTA” – on the ISPs’ networks. App. 274 ¶¶ 4-5; App. 60. The UTA observed certain URLs requested by an ISP’s users3 – information comparable in kind to that used by other advertising networks to build user profiles and serve advertisements. App. 274 ¶ 6; App. 60; App. 278 ¶ 35; App. 62; App. 557 ¶ 35; App. 283 ¶ 72; App. 66; App. 562.

A “URL,” which stands for “Uniform Resource Locator,” is “the address of a web page on the world wide web.” See http://wordnet.princeton.edu/. URLs specify the host server name, directory, and file name of the Web page that a user seeks to visit. App. 277 ¶ 30; App. 62. 5

3

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 15

Appellant’s brief asserts, without citation, that “virtually all of [users’] Internet communications, including personal and sensitive content[] that flowed through this device were automatically ‘intercepted’ or ‘acquired’ by the device electronically,” Br. 3, and that “[t]he interception performed by the UTA involves analyzing substantially all of Embarq’s users’ Web transactions.” Id. at 4. That is a misrepresentation of the summary judgment record. It is undisputed that the UTA observed the “port number” of users’ communications, which identifies the type of a communication. When the UTA determined that the port number associated with a particular communication other than “Port 80” – which denotes communications with websites whose addresses begin with “http://” – the UTA ignored the communication entirely. App. 275-76 ¶¶ 20-23; App. 61; App. 55556. Accordingly, the UTA did not read customers’ email, view secure web communications, gain access to instant messages, eavesdrop on voice-over-internet communications, or view data transfers. App. 276 ¶¶ 24, 35; App. 62-63; App. 556-57; App. 460, 462. With respect to “Port 80” communications, it is undisputed that the UTA observed the URL associated with that communication, but it did not observe the content of the webpage associated with a given URL. App. 278 ¶ 36; App. 62; App. 557-58 ¶ 36. Indeed, Plaintiffs’ expert testified that NebuAd “skipped the body of what is going to be rendered in the browser,” that is, the content of the webpage itself. App. 460. 6

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 16

The UTA and remote servers hosted by NebuAd (“the NebuAd System”) automatically associated the URLs observed by the UTA with predefined market interest categories. App. 279-80 ¶¶ 43-44, 47; App. 63.4 For example, if the UTA observed the URL beginning with http://www.target.com/Kitchen-Dining, the NebuAd System might associate that URL with the market interest category “cooking.” Having mapped a URL onto a predefined market interest category, the NebuAd System then expunged the raw data and retained only the market interest category. App. 279 ¶ 44; App. 63. As Plaintiffs’ experts admitted, that automated process probably took microseconds, and certainly no more than a minute, and required no human intervention. App. 280 ¶¶ 46-47; App. 63. Using an anonymized identifier number it assigned to each user’s computer, the NebuAd System created (or updated) a de-identified “interest profile” to reflect the market interest it had observed. App. 278-79 ¶¶ 37-39; App. 62. The NebuAd System was designed so that it would not have been possible to “reverse engineer” the anonymized identifier number and ascertain the actual users associated with the

In responding to Embarq’s Statement of Undisputed Facts, Plaintiffs asserted with respect to several facts that they “lack information to Dispute this fact at this time.” E.g., App. 63 ¶¶ 43, 47. The District Court correctly considered such facts as undisputed, because Plaintiffs failed to assert that additional discovery was needed under Fed. R. Civ. P. 56(d) or to explain in detail the reasons why they could not admit or deny a fact. See Order at 5 & n.18 (citing Fed. R. Civ. P. 56(e); D. Kan. R. 56.1(e)). Plaintiffs do not contend on appeal that the District Court erred in so holding. 7

4

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 17

profiles, and there was no evidence that anyone had ever attempted to do so, let alone succeeded in doing so. App. 279 ¶¶ 41-42; App. 63. Plaintiffs’ brief on appeal asserts that “[t]he UTA had the ability to perform deep packet inspection (‘DPI’) allowing Embarq to cull Personally Identifiable Information (‘PII’) about Embarq’s customers for later use,” Br. 3, and that “all of the PII contained in the raw data was analyzed by NebuAd.” Id. at 4. Again, that assertion blatantly misrepresents the record on summary judgment. The undisputed facts were that NebuAd’s profiles were linked solely to anonymized identification numbers, App. 278-79 ¶¶ 38-39; App. 62, and that there was no evidence that anyone had ever attempted or succeeded in identifying any actual users based on the anonymized identifier numbers or profiles that NebuAd created, App. 279 ¶ 42; App. 63. See also App. 280 ¶ 48; App. 63 (admitting that NebuAd’s profiles were “de-identified”). Moreover, it was undisputed that Embarq did not even have access to any of the information gathered by the NebuAd System, including by the UTA. App. 280 ¶¶ 51-52; App. 64. Like an ordinary advertising network, the NebuAd System used the deidentified interest profiles it created to serve advertisements tailored to what it believed to be a user’s interests. App. 280 ¶ 48; App. 63. When the NebuAd System identified an opportunity to serve a tailored advertisement, NebuAd purchased the right to do so in place of the advertising network that otherwise 8

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 18

would have served the ad. App. 275 ¶ 16; App. 60. Thus, the NebuAd System did not cause users to receive any more advertisements than they otherwise would have received. App. 275 ¶ 15; App. 60. Nor did the NebuAd System serve pop-up advertisements. App. 275 ¶ 14; App. 60. B. The NebuAd Test.

In 2007, in order to support its business operations and to enable it to continue to offer high-speed Internet service to customers at competitively attractive prices, Embarq began to investigate ways it might increase its revenue from Internet advertising. Embarq also sought to enhance its subscribers’ online experience by reducing the number of irrelevant advertisements they received. Market research studies show that consumers prefer online advertisements that are targeted to their interests, as compared to advertisements that are irrelevant to their interests. App. 283 ¶¶ 66-68; App. 66. Among other vendors, Embarq received sales presentations from NebuAd, including presentations concerning the various steps NebuAd took to ensure user privacy. App. 284 ¶ 76; App. 67. In November 2007, Embarq entered into a Technology Trial Evaluation Agreement with NebuAd to test the UTA. App. 274 ¶ 7; App. 60; App. 555. Embarq personnel performed laboratory tests and determined that the UTA did not adversely affect network integrity or performance. App. 274 ¶ 8; App. 60. Embarq then decided to allow NebuAd to 9

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 19

install the UTA in the network owned and operated by its affiliate, United Telephone Company of Eastern Kansas, in and around Gardner, Kansas, in order to field test the UTA in a “live” environment (“the NebuAd test”). App. 274 ¶¶ 9-10; App. 60. The NebuAd test began in mid-December 2007 and was stopped completely by the end of March 2008. App. 275 ¶ 17; App. 60. C. Plaintiffs Consented to the NebuAd Test.

As a condition of receiving service, all Embarq customers, including Plaintiffs, had agreed to Embarq’s High-Speed Internet Activation Customer Agreement (“Activation Agreement”), which incorporated Embarq’s Privacy Policy by reference. App. 281 ¶ 57; App. 64; App. 326 § 2(c). The Activation Agreement informed subscribers that “Embarq may revise, modify, or discontinue any or all aspects of the Services, including but not limited to . . . any terms of this Agreement, upon posting of the new terms on the EMBARQ website at www.EMBARQ.com.” App. 326 § 1(c). The Activation Agreement also stated that it is a “LEGALLY BINDING CONTRACT THAT SHOULD BE READ IN ITS ENTIRETY,” and it instructed customers to click on the “accept” button if they agreed with each and every term set forth therein. App. 329. Embarq’s Privacy Policy informed subscribers that “[d]e-identified data . . . might be purchased by or shared with a third party.” App. 281 ¶ 58; App. 65; App. 335. It also informed subscribers that Embarq could disclose to third party 10

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 20

business partners customer proprietary network information (“CPNI”) and nonpublic personal information, which includes “the websites you visit,” App. 336, to enable the business partner to assist in providing Embarq’s service, App. 33334; App. 281 ¶ 59; App. 65; App. 560. The Privacy Policy also stated that “EMBARQ does not disclose CPNI and other nonpublic personal information . . ., without your consent or direction, except to business partners involved in providing EMBARQ service to customers, or as required or permitted by law.” App. 334. Finally, it informed subscribers that the terms could be updated periodically to reflect changing practices, stating specifically that “[i]f at any point we decide to use personally identifiable information in a manner that is materially different from what was stated at the time it was collected, we will notify you via posting on this page for 30 days before the material change is made and give you an opportunity to opt out of the proposed use at any time.” App. 344. Plaintiffs testified that they did not recall reviewing Embarq’s Privacy Policy, and that their habit was simply to agree to the terms of privacy policies without reviewing them. Appellant Kathleen Kirch testified that she understood that by doing so, she was bound by whatever those terms happened to be. App. 282-83 ¶ 65; App. 66; App. 561. Even though Embarq’s Privacy Policy already permitted Embarq to share de-identified data with third parties and share “the websites you visit” (without de11

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 21

identifying that data) with third party business partners, nonetheless in an abundance of caution Embarq revised its Privacy Policy in advance of the NebuAd test. In the section of the Policy concerning “USE OF PERSONAL INFORMATION,” Embarq added the following paragraphs entitled “Preference Advertising”: Embarq may use information such as the websites you visit or online searches that you conduct to deliver or facilitate the delivery of targeted advertisements. The delivery of these advertisements will be based on anonymous surfing behavior and will not include users’ names, email addresses, telephone numbers, or any other Personally Identifiable Information. You may choose to opt out of this preference advertising service. By opting out, you will continue to receive advertisements as normal; but these advertisements will be less relevant and less useful to you. If you would like to opt out, click here. (embarq.com/adsoptions) App. 282 ¶ 62; App. 65; App. 338. By clicking on the “opt out” link in the privacy policy, a subscriber could ensure that the NebuAd System would not create a profile of that subscriber and would not serve any targeted advertisements to that subscriber. App. 282 ¶ 63; App. 65. Plaintiffs did not choose to opt out. App. 282 ¶ 64; App. 65; App. 561. D. Embarq Did Not Intercept the Content of Any Communications.

Embarq’s role in the test was entirely passive, as Plaintiffs’ own expert explained. See App. 450 (“Q: What did you understand the role of the ISP in the 12

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 22

NebuAd system to be? A: The ISP as far as I know furnished the connection to the NebuAd equipment, so, it essentially connected its users to the UTA, and it connected the UTA to the rest of its network. Q: Was there any other involvement by the ISP that you are aware of? A: No. They got paid.”). It is undisputed that Embarq did not have access to the data collected by the NebuAd System; it is undisputed that Embarq did not have access to the user profiles developed by the NebuAd System; and it is undisputed that Embarq did not serve any advertisements based upon the user profiles developed by the NebuAd System. App. 280-81 ¶¶ 51-53; App. 64. E. Plaintiffs’ Suit and the District Court’s Decision.

Plaintiffs initially brought suit in the Northern District of California against Embarq and NebuAd on behalf of a putative class of 26,000 Embarq subscribers in Gardner, Kansas. The complaint in the California Case alleged that NebuAd, not Embarq, intercepted Plaintiffs’ communications. App. 351-54. With respect to Embarq, Plaintiffs’ complaint was virtually silent, alleging merely that Embarq “permitted” NebuAd’s alleged conduct and “gained profit” from it. App. 347, 355.5

In answering these allegations in the California Case, NebuAd admitted its direct primary role in the conduct alleged by Plaintiffs (even while denying the legal significance of that conduct). NebuAd admitted that it had “installed the NebuAd” Appliance which was “designed to, and actually did, screen and pass only a small and specific subset of information to a specific set of NebuAd servers for ad 13

5

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 23

When Embarq was dismissed from the California action for lack of personal jurisdiction, Plaintiffs retooled their Complaint and refiled against Embarq in the District of Kansas, alleging four counts: unlawful interception of electronic communications in violation of the Wiretap Act; unauthorized access of Plaintiffs’ computers, in violation of the Computer Fraud and Abuse Act; invasion of privacy; and trespass to chattels. App. 36-40. Plaintiffs dismissed the latter three counts, admitting that the NebuAd test did not cause damage or have any other effect on their computers. App. 316. Despite the lack of any damage, Plaintiffs continued to press their Wiretap Act claim, as the Wiretap Act would provide for at least $10,000 in statutory damages for each putative class member, see 18 U.S.C. § 2520(c)(2)(B). Following the close of discovery, Embarq moved for summary judgment on that remaining claim. The District Court granted summary judgment on two independent grounds. First, the District Court held that Embarq could not be held civilly liable under the Wiretap Act because the civil liability provision, 18 U.S.C. § 2520(a), does not provide for secondary liability, and the undisputed facts showed that

serving purposes.” California Case, ECF No. 97 (NebuAd Answer) ¶ 60. NebuAd further admitted that the Appliance “is designed to be transparent to … the ISP.” Id. ¶ 72. 14

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 24

Embarq itself did not “intercept” Plaintiffs’ electronic communications. Order at 13. The District Court noted that the term “intercept” is a term of art in the Wiretap Act, and is specifically defined to mean the “acquisition of the contents” of a communication. Order at 13 (quoting 18 U.S.C. § 2510(4)). “Contents,” in turn, is defined to mean “the substance, purport, or meaning of that communication.” Id. (quoting 18 U.S.C. § 2510(8)). Although the term “acquisition” is not defined by the statute, the District Court noted that the term commonly means “to come into possession, control, or power of disposal.” Id. (citing Webster’s Third New International Dictionary Unabridged 18-19 (1986)). Thus, the District Court concluded, “in order to ‘intercept’ a communication, one must come into possession or control of the substance, purport, or meaning of that communication.” Id. Based on the undisputed fact that Embarq had no access to the information extracted by the NebuAd System or to the profiles constructed from that information, Embarq could not be held to have “acquired the contents of any communications as they flowed through its network.” Id. at 14. To the extent that Plaintiffs sought to hold Embarq liable based upon its contractual relationship with NebuAd, the District Court noted that such liability would constitute secondary liability as a procurer, aider, abettor, or co-conspirator of NebuAd. Yet, as the District Court noted, numerous courts have held that the 15

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 25

civil liability provision of the Wiretap Act, 18 U.S.C. § 2520, does not provide for secondary liability. Order at 14 & n.30 (collecting cases). “[L]iability attaches only to the party that actually intercepted a communication.” Id. at 14. Second, the District Court held that Embarq was independently entitled to summary judgment based on Plaintiffs’ consent. Order at 15-18. The Wiretap Act creates an exception to liability for the interception of a communication “where one of the parties to the communication has given prior consent to such interception.” 18 U.S.C. § 2511(2)(d). Here, the District Court found that the Plaintiffs consented to the use by third parties of their de-identified web-browsing behavior when they accessed the Internet under the terms of Embarq’s Privacy Policy and Activation Agreement. Order at 16. The District Court reasoned, “[P]laintiffs were required to agree to the terms of the Activation Agreement in order to use Embarq’s Internet service; that Agreement incorporated the terms of the Privacy Policy, which informed subscribers that their de-identified data could be shared with third parties; that Agreement informed subscribers that the terms could be changed at any time through posting a new policy at Embarq’s website; and Embarq modified those terms in advance of the NebuAd test to add a paragraph regarding preference advertising, with an opt-out mechanism.” Id. at 18. Third, Embarq had additionally invoked another independent defense to liability. The Wiretap Act defines “interception” to mean the acquisition of the 16

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 26

contents of a communication “through the use of any electronic, mechanical, or other device.” 18 U.S.C. § 2510(4) (emphasis added). The statute creates an exception to liability by excluding from the definition of “device” “any . . . equipment or facility, or any component thereof, . . . being used by a provider of . . . electronic communication service in the ordinary course of its business.” Id. § 2510(5)(a)(ii) (emphasis added). Embarq had argued that it undertook its contractual relationship with NebuAd in the “ordinary course of its business,” a phrase that this Court has interpreted to mean with a “legitimate business purpose.” James v. Newspaper Agency Corp., 591 F.2d 579, 581-82 (10th Cir. 1979). Because the District Court granted summary judgment on the two grounds discussed above, it did not reach the “ordinary course of business” defense. However, it did note that “this defense also appears to have merit, as plaintiffs have admitted that Embarq conducted the NebuAd test to further legitimate business purposes and that behavioral advertising is a widespread business and is commonplace on the Internet.” Order at 18 n.42. SUMMARY OF ARGUMENT Plaintiffs utterly fail to grapple with the reasons for the District Court’s order granting summary judgment to Embarq. Plaintiffs devote a significant portion of their brief making arguments about the information that NebuAd’s UTA analyzed. Br. 11-14. While Plaintiffs misrepresent the factual record on that 17

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 27

subject, see supra at 5-8, their arguments also miss the point. The District Court’s decision did not turn on whether the UTA or the NebuAd System intercepted the contents of communications. Had the District Court reached the issue, the authorities would have required a decision that even NebuAd did not intercept the “contents” of communications. United States v. New York Telephone Co., 434 U.S. 159, 167 (1977). The District Court, however, decided only that Embarq did not “intercept” communications. As the District Court explained, the plain language of the Wiretap Act expressly defines the “interception” of an electronic communication to mean the “acquisition of the contents” of that communication. 18 U.S.C. § 2510(4). Yet the undisputed facts show that Embarq never had access to the data collected by the NebuAd System. Because Embarq did not “acquire” the contents of any communication, Embarq did not engage in “interception.” That is so regardless of what data NebuAd might have collected. In an effort to circumvent the plain language of the statute and the undisputed facts, Plaintiffs seek to argue that Embarq should be held liable for “interception” because NebuAd’s device was installed on its network with its consent, and because it entered into a contractual arrangement with NebuAd. In short, Plaintiffs contend that the nature of the relationship between Embarq and NebuAd requires that Embarq be held vicariously liable for NebuAd’s conduct. 18

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 28

That theory, however, finds no support in the case law interpreting the Wiretap Act. Four Circuit Courts and numerous district courts have all held that the Wiretap Act creates civil liability only for the party that actually acquired the contents of a communication, and does not permit secondary or vicarious liability. Plaintiffs make no effort to address this body of law. Embarq is also entitled to summary judgment because Plaintiffs agreed to be bound by Embarq’s Activation Agreement and Privacy Policy as a condition of service. In the Privacy Policy, Embarq informed Plaintiffs that it could share their de-identified information with third parties. It also informed them that it could share the websites they visited with third party business partners – even if that information was not de-identified – and specifically informed them that the websites they visited could be used to facilitate the delivery of targeted advertisements. Plaintiffs consented to these conditions of service, which covered the NebuAd test. Finally, Embarq is entitled to summary judgment because it conducted the NebuAd test in the “ordinary course of its business,” which is an exception to “intercept[ion]” under the Wiretap Act. 18 U.S.C. § 2510(4), (5)(a)(ii). This Court has interpreted the phrase “ordinary course of business” to mean with a “legitimate business purpose,” James, 591 F.2d at 581-82 (internal quotation marks omitted), and that condition was plainly met here, as shown by the undisputed facts. Indeed, 19

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 29

Plaintiffs do not even dispute that this defense applies, instead focusing on a different defense that Embarq has never raised. ARGUMENT I. STANDARD OF REVIEW Under Fed. R. Civ. P. 56(a), summary judgment is proper “if the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law,” Fed. R. Civ. P. 56(a). As this Court has held, “[e]vidence, including testimony, must be based on more than mere speculation, conjecture, or surmise. Unsubstantiated allegations carry no probative weight in summary judgment proceedings.” Cardoso v. Calbone, 490 F.3d 1194, 1197 (10th Cir. 2007) (quotations marks omitted; bracket in original). “Mere allegations unsupported by further evidence … are insufficient to survive a motion for summary judgment.” Baca v. Sklar, 398 F.3d 1210, 1216 (10th Cir. 2005). A district court’s grant of summary judgment is reviewed de novo. Hobbs ex rel. Hobbs v. Zenderman, 579 F.3d 1171, 1179 (10th Cir. 2009). II. EMBARQ DID NOT INTERCEPT ANY COMMUNICATION, AND IT CANNOT BE HELD VICARIOUSLY LIABLE FOR ANY INTERCEPTION BY NEBUAD. A. Under the Wiretap Act, “Intercept” Means the “Acquisition of the Contents” of a Communication.

Plaintiffs seek to hold Embarq directly liable for an unlawful “interception” in violation of the civil liability provision of the Wiretap Act, 18 U.S.C. § 2520. 20

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 30

Plaintiffs’ theory of liability is that Embarq intercepted communications when it allowed the placement of NebuAd’s UTA in its network so that network traffic flowed through the UTA. See Br. 18-19. That theory has no grounding in the plain language of the statute. As the District Court recognized, the term “intercept” is specifically defined by the Wiretap Act to mean the “acquisition of the contents” of a communication. 18 U.S.C. § 2510(4). When “the meaning of a word is clearly explained in a statute, courts are not at liberty to look beyond the statutory definition.” United States v. Smith, 155 F.3d 1051, 1057 (9th Cir. 1998); Southern Ute Indian Tribe v. Sebelius, 657 F.3d 1071, 1079 (10th Cir. 2011) (meaning of a statutory term is “not open to broad interpretation” where it is “specifically defined” by the statute), petition for cert. filed, 80 U.S.L.W. 3431 (U.S. Dec. 19, 2011) (No. 11-762); Colautti v. Franklin, 439 U.S. 379, 393 n.10 (1979) (“As a rule, ‘[a] definition which declares what a term “means” ... excludes any meaning that is not stated.’” (quoting 2A C. Sands, Statutes and Statutory Construction § 47.07 (4th ed. Supp. 1978))). The term “acquisition,” in turn, is not defined by the statute. But in common parlance, “to acquire” means “to come into possession, control, or power of disposal.” Webster’s Third New International Dictionary Unabridged 18 (1993); see also United States v. Gonzales, 456 F.3d 1178, 1182 (10th Cir. 2006) (“When a 21

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 31

statute does not specifically define a term, we construe the term in accord with its ordinary or natural meaning.”); Smith, 155 F.3d at 1055 n.7 (giving the term “acquisition,” as used in § 2510(4), “its ordinary meaning—the act of acquiring, or coming into possession of.”). Finally, the term “contents” is specifically defined by the statute to mean “the substance, purport, or meaning of that communication.” 18 U.S.C. § 2510(8). Thus, one has not “intercepted” a communication unless one comes into possession or control of the substance, purport, or meaning of that communication. See Sanders v. Robert Bosch Corp., 38 F.3d 736, 742 (4th Cir. 1994) (defendant did not acquire the contents of any communications despite the existence of an open microphone, where “there is no evidence that any [of defendant’s] employee[s] ever listened to, recorded, or otherwise acquired any conversations … by means of the open microphone.”); DirecTV, Inc. v. Barnes, 302 F. Supp. 2d 774, 779 (W.D. Mich. 2004) (a person cannot intercept a communication for purposes of the Wiretap Act “without acquiring, in some way, the contents of the communication.”); see also N.Y. Tel. Co., 434 U.S. at 167 (holding that “[p]en registers do not ‘intercept’ [within the meaning of the Wiretap Act] because they do not acquire the ‘contents’ of communications”). The correctness of this plain-language interpretation of the statute is underscored by another canon of statutory interpretation, the rule of lenity, which 22

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 32

requires that any ambiguity in language (though there is none) be resolved in Embarq’s favor. The Wiretap Act’s prohibition on “interception” is “primarily a criminal provision.” DirecTV, Inc. v. Bennett, 470 F.3d 565, 566 (5th Cir. 2006) (per curiam). And “the canon of strict construction of criminal statutes, or rule of lenity, ensures fair warning by so resolving ambiguity in a criminal statute as to apply it only to conduct clearly covered.” United States v. Lanier, 520 U.S. 259, 266 (1997). Plaintiffs’ brief nowhere addresses that straightforward interpretation of the statute’s plain language. Instead, Plaintiffs simply ignore it. They contend that Embarq can be held liable for an “interception” merely because the NebuAd test was performed on its broadband network with its consent, Br. 16, or because Embarq had signed a license agreement with NebuAd that set the terms of the NebuAd test. Id. at 17. These arguments, however, avoid the core factual question that is compelled by the statutory language: whether Embarq gained “acquisition of the contents,” 18 U.S.C. § 2510(4), of any of the electronic communications at issue. As described below, the undisputed facts show that Embarq did not. B. The Undisputed Facts Show That Embarq Did Not Acquire or Use the Contents of Any Communication.

As an initial matter, the District Court did not even reach the issue of whether NebuAd intercepted the contents of communications. NebuAd did not. While Plaintiffs devote much of their brief to inaccurate descriptions of what data 23

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 33

the UTA analyzed, in fact it is undisputed that the UTA merely observed URLs. App. 276, 278 ¶¶ 24, 35, 36; App. 62-63; App. 556-58. A URL is a means of establishing an electronic communication rather than the substance of the communication itself. It is simply an address that points to the web page that the user wishes to visit. App. 277 ¶ 30; App. 62. Thus, observing a URL is functionally identical to observing a telephone number with a pen register. The Supreme Court has held that the use of pen registers does not capture the “content” of communications, precisely because they “disclose only the telephone numbers that have been dialed – a means of establishing communication.” N.Y. Tel. Co., 434 U.S. at 167. Indeed, just as with a pen register, “one could not even determine” from observing a URL “whether a communication existed,”id., as the receiving web site might be temporarily down or the URL might be out-of-date. Thus, even if NebuAd’s conduct had been at issue, the authorities would have required a finding that NebuAd did not intercept “contents” of communications. The District Court did not need to reach that issue, however, because regardless of what data NebuAd acquired or whether that data constitutes “contents,” the undisputed facts show that Embarq did not “acqui[re]” that data and thus that Embarq did not “intercept” any communications. 18 U.S.C. § 2510(4).

24

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 34

Embarq’s role in the NebuAd test was merely to permit the installation of NebuAd’s device on Embarq’s network. Embarq did not have access to the data collected by NebuAd or to the user profiles that NebuAd created. App. 450; App. 280 ¶¶ 51-52; App. 64. Nor did Embarq use the raw data that the NebuAd System collected to serve advertisements. App. 280-81 ¶ 53; App. 64. Plaintiffs’ technical expert readily conceded as much: Q: What did you understand the role of the ISP in the NebuAd system to be? The ISP as far as I know furnished the connection to the NebuAd equipment, so, it essentially connected its users to the UTA, and it connected the UTA to the rest of the network. Was there any other involvement by the ISP that you were aware of? No. They got paid. Did the ISP have access, to your knowledge, to any of the web communications observed by NebuAd? You mean the profiles, or – Well, start with that. Did the ISP have access to the profiles? Not to my knowledge. Did the ISP get any of the raw data that NebuAd may have looked at? I don’t know. Do you have any reason to think that it did? Well, the raw data is just flowing over its network, so it has access to the raw data. 25

A:

Q: A: Q:

A: Q: A: Q: A: Q: A:

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 35

Q:

Let me ask the question this way then. Did the ISP obtain access to raw data from NebuAd in any way other than an ISP ordinarily has the raw data, which is to say that it flows through the ISP’s network? I don’t think so.

A: App. 450.

Even Plaintiffs’ Complaint acknowledges that Embarq had no role in acquiring information from the communications passing through NebuAd’s UTA, alleging only that “[i]n the operation of the Defendants’ NebuAd relationship, Defendants were responsible for installation of the Appliances; maintaining the flow of Users’ Internet traffic to the Appliances; and, subsequently, resuming the handling of intercepted communications by delivering them to their destinations.” App. 13. None of the actions that Plaintiffs attribute to Embarq in their Complaint – installation of the UTA, diversion of communications to the Appliance, or handling communications after their contents had been acquired and used by the NebuAd System to generate individual profiles – amount to “interception” (“acquisition” of “contents”) or “use” of “contents” in violation of the Wiretap Act.6

To the extent that Embarq can be regarded as having had possession of the contents of the communication merely by virtue of having possessed the communications themselves as those communications flowed through Embarq’s network, then Embarq cannot be held liable under the Wiretap Act: its subscribers gave Embarq their communications, and thus Embarq indisputably gained 26

6

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 36

Plaintiffs assert that Embarq admitted interception because, in two letters to Congress, its CEO acknowledged that Embarq had conducted a test of NebuAd’s technology. Br. 16-17. However, there has never been any dispute that Embarq conducted a test of NebuAd’s technology. The issue is whether, in conducting that test, Embarq intercepted – that is, acquired the contents of – any communications. As demonstrated above, it did not. Thus, Embarq cannot be held liable under the Wiretap Act. C. Embarq Cannot Be Held Civilly Liable Under the Wiretap Act For Interception or Prohibited Use By NebuAd.

Plaintiffs insist that they “are not seeking to hold Embarq secondarily liable” for NebuAd’s interception. Br. 19. However, the theory of their case – that Embarq is liable for interception because the UTA was installed on Embarq’s network pursuant to a “lengthy partnership agreement” with NebuAd, id. at 16-18 – is in fact premised on secondary liability. Plaintiffs assert, in essence, that the contractual relationship between Embarq and NebuAd allows Embarq to be held liable for alleged interceptions carried out by NebuAd. However, the Wiretap Act’s civil liability provision, 18 U.S.C. § 2520(a), does not authorize such secondary liability. Where Congress provides a private right of action for violation of a federal statute, secondary liability may be imposed possession of the communications with its subscribers’ consent. See 18 U.S.C. § 2511(2)(d). 27

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 37

only if there is some affirmative indication in the statutory text that Congress intended to cover “persons who do not engage in the proscribed activities at all, but who give a degree of aid to those who do.” Cent. Bank of Denver, N.A. v. First Interstate Bank of Denver, N.A., 511 U.S. 164, 176-77 (1994). In the absence of any such indication, however, “federal courts refrain from creating secondary liability.” Doe v. GTE Corp., 347 F.3d 655, 658 (7th Cir. 2003). The Wiretap Act contains no such indication of secondary liability, as four Circuit Courts and numerous district courts have held. The language of § 2520(a) imposes civil liability on “the person or entity … which engaged in that violation.” 18 U.S.C. § 2520(a) (emphasis added). The italicized phrase refers to the party that actually “intercepted, disclosed, or intentionally used” the contents of an electronic communication. Id.; see Doe, 347 F.3d at 658; Freeman v. DirecTV, Inc., 457 F.3d 1001, 1005-06 (9th Cir. 2006) (rejecting the argument that “a person or entity who aids and abets or who enters into a conspiracy is someone or something that is ‘engaged’ in a violation.”);7 Peavy v. WFAA-TV, Inc., 221 F.3d 158, 168-69 (5th Cir. 2000) (same); Reynolds v. Spears, 93 F.3d 428, 433 (8th Cir. 1996) (holding that a wife’s “acquiescence in [her husband’s] plans” to eavesdrop

Freeman involves a claim brought under the Stored Communications Act, 18 U.S.C. § 2702, but that statute uses identical language in creating liability only for the party that “engaged in that violation.” 18 U.S.C. § 2707(a). In determining that such statutory language could not create secondary liability, the Ninth Circuit drew on case law interpreting § 2520, the statute at issue in this case. 28

7

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 38

on employees’ telephone conversations “and her passive knowledge of her husband’s interceptions are insufficient as a matter of law to impute liability to her for those interceptions,” even though the wife was a “fifty percent owner of the store whose business [her husband] was attempting to protect with the interceptions.”); see also, e.g., In re Toys R Us, Inc., Privacy Litigation, No. 00-cv2746, 2001 WL 34517252, at *6-7 (N.D. Cal. Oct. 9, 2001); Crowley v. CyberSource Corp., 166 F. Supp. 2d 1263, 1269 (N.D. Cal. 2001). In Peavy, for example, a newspaper reporter directed a source to use a radio scanner surreptitiously to tape record a neighbor’s cordless telephone conversations. 221 F.3d at 164. The neighbor sued the reporter and the newspaper under the Wiretap Act, but the Fifth Circuit found that the statute did not permit a civil action for procurement. It held that Section 2520 “refers only to illegal interception, disclosure, or use, and not to procuring interception by another.” Id. at 169. Moreover, the court reached that conclusion even though, in Peavy, the reporter and the newspaper did ultimately acquire the contents of the telephone conversations that the neighbor had recorded. Id. at 164-65. In sum, “nothing in the statute condemns assistants, as opposed to those who directly perpetrate the act.” Doe, 347 F.3d at 658. The conclusion that § 2520 does not establish any secondary civil liability is further confirmed by juxtaposing that section with the criminal prohibition in 29

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 39

§ 2511(1)(a), which makes it illegal to “intentionally intercept[], endeavor[] to intercept, or procure[] any other person to intercept or endeavor to intercept, any … electronic communication” (emphasis added). No reference to “procuring” appears in § 2520. Congress’s omission of that term from the civil liability provision, § 2520, was intentional: until 1986, the civil liability provision of the Wiretap Act did create a civil cause of action against any person who “procures any other person to intercept, disclose, or use such communications.” H.R. Rep. No. 99-647, at 98-99 (1986) (comparing the pre-1986 statutory language with the amended language). But that phrase was deleted when the section was amended. See In re Toys R Us, 2001 WL 34517252, at *6 (“the Wiretap Act was amended in 1986 to narrow the class of persons who could be held civilly liable under § 2520(a).”). And “[w]hen Congress acts to amend a statute, [courts] presume it intends its amendments to have real and substantial effect.” Stone v. INS, 514 U.S. 386, 397 (1995); see Peavy, 221 F.3d at 169. Accordingly, courts have consistently rejected the argument that a defendant “intercepts” a communication merely by allowing, enabling, procuring, or directing another party to intercept communications. See Peavy, 221 F.3d at 16869 (no liability under § 2520 for “procuring” an interception); Doe, 347 F.3d at 658-59 (same); Crowley, 166 F. Supp. 2d at 1269 (same); DirecTV, Inc. v. Regall, 327 F. Supp. 2d 986, 989 (E.D. Wis. 2004) (same); DirecTV, Inc. v. Spillman, No. 30

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 40

Civ. A. SA-04-82-XR, 2004 WL 1875045, at *2 (W.D. Tex. Aug. 23, 2004) (same); Gunderson v. Gunderson, No. 02-1078-CVW-ODS, 2003 WL 1873912, at *1-2 (W.D. Mo. Apr. 14, 2003) (same); DirecTV, Inc. v. Goehre, No. 03-CV-1106, 2005 WL 2275940, at *2-3 (E.D. Wis. Sept. 19, 2005) (same). Plaintiffs make no effort to respond seriously to this well-established body of case law. Nor do they even discuss (let alone distinguish) the main case relied upon by the District Court, Toys R Us. See Order at 14-15 (citing Toys R Us, 2001 WL 34517252). In that case, the plaintiffs sought to hold Toys R Us liable under the Wiretap Act for permitting a third party, Coremetrics, to load “Web bugs” onto the computers of visitors to Toys R Us’ website. Coremetrics was in the business of tracking Internet users’ buying and websurfing habits, and its device enabled it to “monitor, intercept, transmit, and record all aspects of a Webuser’s private activity when they access Toys R Us’ Webpages or other Webpages.” 2001 WL 34517252 at *1 (quotation marks omitted). The district court granted Toys R Us’ motion to dismiss plaintiffs’ Wiretap Act claim, holding that the “plain language of § 2520(a) now limits its applicability to those who ‘intercept,’ ‘disclose,’ or ‘use’ the communications at issue” and therefore requires that “Toys R Us itself intercepted, disclosed, or used plaintiffs’ electronic communications.” Id. at *6-7 (emphasis added).

31

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 41

Rather than grappling with this case law, Plaintiffs instead make a halfhearted attempt to distinguish just three cases cited by Embarq on the ground that none of them involve facts identical to those in this case. Yet Plaintiffs fail to explain why the differences they identify are relevant to the legal analysis. Br. 1415. For example, Perkins-Carrillo v. Systemax, Inc., No. Civ. A. 1:03-CV2836TW, 2006 WL 1553957 (N.D. Ga. May 26, 2006), discussed at Br. 14-15, held that a supervisor could not be held civilly liable for interception even though he directed an employee to eavesdrop on telephone calls, because the supervisor did not himself monitor any of the calls. Perkins-Carrillo, 2006 WL 1553957, at *15. The legal principle reflected in that case – that a defendant cannot be held liable even when he directs another to intercept because civil liability attaches only to the party that actually acquires the contents of a communication – provides a basis on which to affirm summary judgment in Embarq’s favor. If a person may not be held liable for directing an interception, then it may not be held liable for permitting one either. Plaintiffs also contend (Br. 15-16) that PBA Local No. 38 v. Woodbridge Police Dep’t, 832 F. Supp. 808, 832 (D.N.J. 1993), and Franklin v. City of Chicago Police Dep’t, No. 02-C-3354, 2004 WL 1921027 (N.D. Ill. July 9, 2004), aff’d, 175 F. App’x 740 (7th Cir. 2005), are inapposite because they involved telephone companies rather than ISPs. Br. 15. Yet they do not explain why it matters 32

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 42

whether the defendant is a telephone company or some other communications service provider. The legal principle in those cases – that a service provider is not liable for interception merely because it installs, maintains, or services a device that another party uses to acquire the contents of a communication – is plainly applicable here. This Court’s decision in Quigley v. Rosenthal, 327 F.3d 1044 (10th Cir. 2003), is not to the contrary. There the defendants had failed to raise the argument that the Wiretap Act does not create civil liability for conspiracy, and accordingly the Court held that “the issue has been waived, barring plain error.” Id. at 1063. On plain error review – which the Court described as “an extraordinary, nearly insurmountable burden,” id. (quotation marks omitted) – the Court held that the defendant had “acquiesced in the plaintiff’s conspiracy theory” and noted that the defendant “has failed to cite any case” supporting its legal argument. Id. In fact, as noted above, four Circuits have rejected a conspiracy theory for civil liability. See Doe, 347 F.3d at 658; Freeman, 457 F.3d at 1005-06; Peavy, 221 F.3d at 16869; Reynolds, 93 F.3d at 433. Nothing in this Court’s decision in Quigley, therefore, undermines the conclusion that there is no secondary liability for a violation of the Wiretap Act. Plaintiffs rely heavily on In re Pharmatrak, Inc., 329 F.3d 9 (1st Cir. 2003), see Br. 11-12, but that case does not help their cause. It concerned the liability of a 33

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 43

third party that acquired, on behalf of pharmaceutical companies, information about computer users who visited the websites of the pharmaceutical companies. Thus, the case concerned liability of a party that itself had acquired the contents of electronic communications, id. at 12-13, a fact that Pharmatrak conceded, id. at 18. Here, as just discussed, Embarq did not acquire the contents of any communications. In sum, in amending § 2520, Congress carefully identified a narrow, specific class of wrongdoers it intended to be held civilly liable – namely, those who themselves intercept, disclose, or intentionally use others’ electronic communications. In contrast to the criminal prohibition of § 2511(1)(a), Congress did not create civil liability under § 2520 for aiders and abettors, procurers, or conspirers. “A statute that is this precise about who, other than the primary interceptor, can be liable, should not be read to create a penumbra of additional but unspecified liability.” Doe, 347 F.3d at 659; see also, e.g., Freeman, 457 F.3d at 1006 (“[w]hen ‘a statute is precise about who … can be liable’ courts should not implicitly read secondary liability into the statute.” (quoting Doe, 347 F.3d at 659) (ellipses in original)). Accordingly, the District Court correctly entered summary judgment in Embarq’s favor, as the undisputed facts showed that Embarq could not be held liable for “interception” in violation of the Wiretap Act.

34

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 44

III.

THE DISTRICT COURT CORRECTLY HELD THAT EMBARQ WAS ENTITLED TO SUMMARY JUDGMENT IN VIEW OF PLAINTIFFS’ CONSENT. The District Court correctly held that Embarq was independently entitled to

summary judgment based on Plaintiffs’ consent. The Wiretap Act expressly excludes from the category of “unlawful interceptions” any interceptions undertaken with consent. See 18 U.S.C. § 2511(2)(d) (no liability “where one of the parties to the communication has given prior consent to such interception.”). A. Embarq’s Activation Agreement and Privacy Policy Allowed Embarq to Share With Third Parties the Web Sites Its Subscribers Visited.

“[C]ourts have emphasized that ‘consent’ must be construed broadly under the Wiretap Act,” In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497, 514 n.23 (S.D.N.Y. 2001); Griggs-Ryan v. Smith, 904 F.2d 112, 116 (1st Cir. 1990) (“We agree … that ‘Congress intended the consent requirement to be construed broadly.’” (quoting United States v. Amen, 831 F.2d 373, 378 (2d Cir. 1987)). Such consent need not be express, but rather may be implied. United States v. Verdin-Garcia, 516 F.3d 884, 894-95 (10th Cir. 2008); United States v. Van Poyck, 77 F.3d 285, 292 (9th Cir. 1996); Griggs-Ryan, 904 F.2d at 116. Here, as a condition of providing service, all Embarq subscribers were required to agree to the terms of Embarq’s Activation Agreement, which incorporated Embarq’s Privacy Policy. App. 281 ¶ 57; App. 64; App. 326 § 2(c). 35

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 45

Well before the date of the NebuAd test, the Privacy Policy informed subscribers that “[d]e-identified data . . . might be purchased by or shared with a third party.” App. 281 ¶ 58; App. 65; App. 335. It is undisputed that the profiles built by NebuAd were de-identified. App. 280 ¶ 48; App. 63 (admitting that “[t]he targeted advertisements that the NebuAd System served were based upon the de-identified profiles it had constructed”). The Privacy Policy also stated that Embarq could disclose to third party business partners “customer proprietary network information” (“CPNI”), which includes “the websites you visit.” App. 336; App. 333-34; App. 281 ¶ 59; App. 65; App. 560. And the privacy policy further stated that “EMBARQ does not disclose CPNI and other nonpublic information (such as credit card numbers), without your consent or direction, except to business partners involved in providing EMBARQ service to customers, or as required by law.” App. 334 (emphasis added). Those privacy policy statements alone sufficed to place subscribers on notice that their web-browsing behavior – such as the URLs they visited – could be shared with third parties like NebuAd. Nonetheless, in anticipation of the NebuAd test, and per the Activation Agreement provision allowing for new terms and conditions of use to be posted on Embarq’s website, Embarq added language to its Privacy Policy specifically addressed to the NebuAd test. In the section of the Privacy Policy concerning 36

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 46

“USE OF PERSONAL INFORMATION,” it added a paragraph entitled “Preference Advertising” informing users that “Embarq may use information such as the websites you visit or online searches that you conduct to deliver or facilitate the delivery of targeted advertisements. The delivery of these advertisements will be based on anonymous surfing behavior and will not include users’ names, email addresses, telephone numbers, or any other Personally Identifiable Information.” App. 282 ¶ 62; App. 65; App. 338. The Privacy Policy also gave users the chance to opt out of Preference Advertising by clicking on a link. Id. It is undisputed that in choosing that means of notice, and in permitting users to opt-out rather than requiring them to opt-in, Embarq followed the prevailing industry practice of online advertising networks. App. 281 ¶¶ 54-55; App. 64. Plaintiffs were not among those subscribers who chose to opt out. App. 282 ¶ 64; App. 65; App. 561. Indeed, Plaintiffs testified that they did not recall reviewing Embarq’s privacy policy, and that their habit was simply to agree to the terms of privacy policies without reviewing them, understanding that by doing so they were bound by whatever those terms happened to be. See App. 488 (Q: “… [W]hen you see a privacy policy on the web, you tend to click ‘I agree’ and go through to the site, is that right?” A: “Yes.” Q: “Do you understand when you do that that you are bound by the terms of the policy?” A: “Yes.”); App. 492 (Q: 37

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 47

“What is your general practice regarding privacy policies?” A: “I normally don’t read them.” Q: “You just sort of click ‘I agree’ and go through to the website?” A: “Yes.”). Plaintiffs did not even care enough to inspect the terms of the Privacy Policy, but instead decided to acquiesce to whatever the terms happened to be. Such notice, together with Plaintiffs’ acquiescence, is more than adequate to establish consent. See Amati v. City of Woodstock, 176 F.3d 952, 955 (7th Cir. 1999) (“If there is actual notice, … there will normally be implied consent.” ); Griggs-Ryan, 904 F.2d at 117-18 (implied consent where landlord notified tenant that all of tenant’s calls would be recorded). Indeed, courts have even found consent under the Wiretap Act where a plaintiff had no opportunity to opt out of another’s monitoring of his communications. See United States v. Amen, 831 F.2d 373, 379-80 (2d Cir. 1987) (prisoners impliedly consent to the monitoring of their phone calls by prison officials); Van Poyck, 77 F.3d at 292 (same); Borninski v. Williamson, No. Civ. A 3102CV1014-L, 2005 WL 1206872, at *13 (N.D. Tex. May 17, 2005) (implied consent where, as a condition of employment, employee was required to sign a form acknowledging employer monitoring of all Internet communications). In similar actions prosecuted by the same counsel alleging the same conduct by other ISPs, the court has dismissed plaintiffs’ Wiretap Act claim on the ground that the online privacy policy and customer agreement disclosed to customers that 38

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 48

their web activity could be observed. The court held that the plaintiffs accordingly “did know of the interception and through their continued use of [the ISP’s] Internet Service, they gave or acquiesced their consent to such interception.” Mortensen v. Bresnan Commc’ns, LLC, No. CV 10-13-BLG-RFC, 2010 WL 5140454, at *5 (D. Mont. Dec. 13, 2010); Deering v. CenturyTel, No. CV 10-63BLG-RFC, 2011 WL 1842859 (D. Mont. May 16, 2011). Plaintiffs analyze the privacy policies at issue in those cases in great detail and conclude that they are better than the one issued by Embarq. Br. 21-24. That conclusion is irrelevant, because, as shown above, Embarq’s Privacy Policy sufficed to cover the conduct alleged by Plaintiffs. However, that conclusion is also unsupported. Plaintiffs emphasize that the Privacy Policy at issue in Mortensen informed customers that “when you use the Service or any Internet service, certain information relating to your use of these services may be disclosed to third parties.” Br. 23. They emphasize that the Privacy Policy at issue in Deering informed customers that CenturyTel “uses personal information to better understand [its users] needs and interests.” Id. at 24. They make no effort, however, to explain why those disclosures are better than, or even substantively different from, Embarq’s disclosures that “[d]e-identified data . . . might be purchased by or shared with a third party” and that Embarq could disclose to third party business partners “customer proprietary network information” which 39

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 49

includes “the websites you visit.” App. 281 ¶ 58; App. 65; App. 335; App. 336; App. 333-34; App. 281 ¶ 59; App. 65; App. 560. Plaintiffs also point out that the Privacy Policy at issue in Deering included a link to the NebuAd website. The Deering court, however, did not rely on this fact in holding that the plaintiff in that case had consented. B. Plaintiffs’ Arguments Concerning Consent Are Without Merit and Misstate the Record on Summary Judgment.

Plaintiffs make essentially two arguments as to why they did not consent. The first is that “[n]owhere in the Privacy Policy is NebuAd or any third party referenced.” Br. 21. However, the Privacy Policy expressly informed subscribers that “[d]e-identified data . . . might be purchased by or shared with a third party,” App. 335, and that the “websites you visit” could be shared with third party business partners. App. 333-34, 336. Thus, the Privacy Policy expressly alerted customers to the possibility that their web-browsing data would be shared with third parties. As for the notion that Embarq was required to identify NebuAd specifically, such a rule would make little sense. The purpose of a privacy policy is to make a general disclosure about the types of information that a subscriber can expect will be collected, used, and shared with third parties, thereby eliminating any need to disclose the details of every marketing partnership into which a business might enter in the future. It would be impractical to require companies to update their 40

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 50

privacy policies every time they entered into a new business partnership. Plaintiffs in particular cannot contend otherwise, because they admitted that they do not even bother to review privacy policies, but instead simply agree to their terms sight unseen. App. 488; App. 492. Clearly, Plaintiffs have no interest in learning which specific third parties may receive their de-identified web browsing data. Moreover, Plaintiffs identify no case law at all in support of the proposition that the Privacy Policy needed to identify NebuAd specifically. Plaintiffs cite Williams v. Poulos, 11 F.3d 271 (1st Cir. 1993), see Br. 20, but in that case the court found no consent because the plaintiff was never told that “he himself would be monitored.” 11 F.3d at 282. Here, of course, Plaintiffs had notice provided by the Privacy Policy. Plaintiffs also cite In re Pharmatrak, Inc., 329 F.3d 9 (1st Cir. 2003), see Br. 20-21, but that case is likewise inapposite. There, Pharmatrak had contracted with pharmaceutical companies to collect certain information on visitors to the companies’ websites. Pharmatrak was sued for having collected personally identifiable information, to which no one had consented. The companies had “explicitly conditioned their purchase of [Pharmatrak’s service] on the fact that it would not collect such information,” 329 F.3d at 20 (emphasis in original), and the companies’ websites “gave no indication” to visitors “that use meant consent to collection of personal information by a third party.” Id. at 21. Here, it is 41

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 51

undisputed that the profiles built by NebuAd were de-identified, App. 280 ¶ 48; App. 63, and Embarq gave subscribers express notice that such de-identified information could be shared with third parties. App. 281 ¶ 58; App. 65; App. 335. Further, Embarq told its subscribers that CPNI, including the “websites you visit,” could be shared with third parties along with other non-public personal information. App. 336; App. 333-34; App. 281 ¶ 59; App. 65; App. 560. Plaintiffs’ second argument is that the Privacy Policy failed to disclose that “the UTA intercepted and analyzed virtually all of the Internet traffic that passed through it, including personal information,” or that NebuAd would “inspect every layer of the users’ communication[s] (including personal and sensitive information) – not just the domain names in the individual web addresses.” Br. 21. Plaintiffs also assert that “Embarq did not disclose . . . that the . . . UTA automatically collects all of its users Internet communications, or that the UTA was going to monitor (without limitation) its customers’ email, newsgroups, chat, IP audio and video, web space content,” that is, “virtually all of its users’ Internet communications.” Id. at 25. Plaintiffs’ characterization of the information collected by the NebuAd device flagrantly misrepresents the summary judgment record. In point of fact, Plaintiffs did not dispute that the NebuAd System observed certain URLs but did not read customers’ email, view secure financial transactions, gain access to instant 42

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 52

messages, eavesdrop on voice-over-internet communications, or otherwise monitor “virtually all” of users’ Internet communications. App. 276 ¶ 24; App. 278 ¶ 35; App. 62-63; App. 556-57; App. 460, 462. Nor did the NebuAd System observe the content of the webpage associated with a given URL. App. 278 ¶ 36; App. 62; App. 557-58 ¶ 36; App. 460 (Plaintiffs’ expert testifies that NebuAd “skipped the body of what is going to be rendered in the browser,” that is, the webpage itself). Likewise, it was undisputed that NebuAd’s profiles were linked solely to anonymized identification numbers, App. 278-79 ¶¶ 38-39, 48; App. 62-63; that the NebuAd System was designed so that the data collected and used by the NebuAd System could not be linked back to any identifiable individual, App. 279 ¶ 41; App. 63; and that there was no evidence that NebuAd had failed to achieve that objective. App. 279 ¶ 42; App. 63. The disclosure that “Embarq may use information such as the websites you visit or online searches that you conduct to deliver or facilitate the delivery of targeted advertisements,” App. 282 ¶ 62; App. 65; App. 338, was broad enough to encompass the activity conducted by NebuAd. Because Plaintiffs consented to the disclosure of de-identified information to third parties and to the use of information concerning the websites they visited by third parties involved in providing Embarq service, and because Embarq specifically disclosed that Plaintiffs’ web-browsing behavior could be used to

43

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 53

serve advertising targeted to their interests, Embarq cannot be held to have violated the Wiretap Act. IV. THE NEBUAD TEST WAS CONDUCTED IN THE ORDINARY COURSE OF EMBARQ’S BUSINESS. Embarq argued before the District Court that it was independently entitled to summary judgment because the NebuAd test was performed in the “ordinary course of its business,” 18 U.S.C. § 2510(5)(a)(ii), a statutory phrase this Court has interpreted to mean with a “legitimate business purpose.” James, 591 F.2d at 58182. The District Court decided not to address that argument in light of its holding in favor of Embarq on Embarq’s two other defenses. However, it noted that “this defense also appears to have merit, as plaintiffs have admitted that Embarq conducted the NebuAd test to further legitimate business purpose and that behavioral advertising is a widespread business and is commonplace on the Internet.” Order at 18 n.42. Although the District Court did not ultimately decide the issue, this Court “may affirm the district court's grant of summary judgment on any ground adequately supported by the record.” Mauerhan v. Wagner Corp., 649 F.3d 1180, 1184 (10th Cir. 2011) (internal quotation marks omitted). A. The Wiretap Act Does Not Prohibit the Interception of Communications by an Internet Service Provider For a Legitimate Business Purpose.

The Wiretap Act defines “intercept” to require “the use of any electronic, mechanical, or other device.” 18 U.S.C. § 2510(4) (emphasis added). The phrase 44

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 54

“electronic, mechanical, or other device” is specifically defined to mean “any device or apparatus which can be used to intercept a[n] … electronic communication . . . other than any telephone or telegraph instrument, equipment or facility, or any component thereof” that is “being used by a provider of wire or electronic communication service in the ordinary course of its business.” Id. § 2510(5)(a)(ii) (emphasis added); Hall v. EarthLink Network, Inc., 396 F.3d 500, 504 (2d Cir. 2005) (confirming that “the ordinary course of business exception would . . . apply to an ISP using any equipment or facility,” not “only to an ISP using a telephone or telegraph.”). This Court has held that activities fall within the “ordinary course of … business” when they further a “legitimate business purpose.” James, 591 F.2d at 581-82 (internal quotation marks omitted). In James, the Tenth Circuit held that a business’s installation of a telephone monitoring device fell within the “ordinary course of business,” and thus outside the scope of the Wiretap Act, because the monitoring was done for a “legitimate business purpose” – namely, “concern by management over abusive language used by irate customers when called upon to pay their bills, coupled with the possible need to give further training and supervision to employees dealing with the public” – and because “the installation was not surreptitious.” Id.

45

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 55

This Court’s interpretation of the “ordinary course of business” exception makes sense, particularly when viewed in light of the Wiretap Act’s purpose. “The major purpose of [the Wiretap Act] is to combat organized crime.” S. Rep. No. 901097, at 70 (1968), reprinted in 1968 U.S.C.C.A.N. 2112, 2157. Congress therefore authorized law enforcement agencies to engage in broad surveillance activities. At the same time, it expressed concern over “[c]ommercial and employer-labor espionage,” betrayal of trade secrets, revelation of labor and management plans, and the danger that “[e]very spoken word relating to each man’s personal, marital, religious, political, or commercial concerns can be intercepted by an unseen auditor and turned against a speaker to the auditor’s advantage.” Id. at 67, reprinted in 1968 U.S.C.C.A.N. at 2154. Such activities obviously fall outside any legitimate business purpose. Other circuits also have interpreted the phrase “in the ordinary course of its business” to include activities that further a “legitimate business purpose.” Adams v. City of Battle Creek, 250 F.3d 980, 983-84 (6th Cir. 2001) (quotation marks omitted); Arias v. Mut. Cent. Alarm Serv., Inc., 202 F.3d 553, 558-59 (2d Cir. 2000). Whether the device is used surreptitiously is an important element in that analysis, 202 F.3d at 558-59, though courts disagree about whether notice is necessary for the “ordinary course” exception to apply. Compare Adams, 250 F.3d at 984 (use must be “(1) for a legitimate business purpose, (2) routine and (3) with 46

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 56

notice”), with Arias, 202 F.3d at 559 (use must be supported by “[l]egitimate business reasons,” and “[w]hether notice is required depends on the nature of the asserted business justification”). It is clear, however, that neither full and complete notice nor consent is necessary. As Judge Posner has explained, “If there is actual notice, . . . there will normally be implied consent. . . . So if the ‘ordinary course’ exclusion required proof of notice, it would have no function in the statute because there is a separate statutory exclusion for cases in which one party to the communication has consented to the interception.” Amati, 176 F.3d at 955 (internal citations omitted); see also Arias, 202 F.3d at 559 (“Given the existence of [a] distinct consent exception, we hold that it is a misreading of [the Wiretap Act] to import wholesale a consent requirement into the ordinary course of business analysis”); Adams, 250 F.3d at 984. B. Embarq’s Conduct of the NebuAd Test Was For a Legitimate Business Purpose, Not Surreptitious, and in the Ordinary Course of Its Business.

It is undisputed that Embarq hoped to further two legitimate business objectives in conducting the NebuAd test. First, Embarq sought to enhance its subscribers’ online experience, and marketing studies show that Internet users prefer to receive advertisements targeted to their interests. App. 283 ¶¶ 66-67; App. 66. Second, Embarq sought to increase the revenues it earned from online 47

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 57

advertising. App. 283 ¶ 68; App. 66. Additionally, the NebuAd test was not conducted surreptitiously. Embarq disclosed the methods the test would employ in its Privacy Policy and gave users the opportunity to opt out. See supra Part III. It is undisputed that Embarq followed the prevailing industry practice in disclosing its relationship with NebuAd in its Privacy Policy, and in offering its subscribers the opportunity to opt out of targeted advertising rather than requiring them to opt in. App. 281 ¶¶ 54-55; App. 64. Plaintiffs do not dispute that these were legitimate business purposes. Online behavioral advertising is a massive business populated by leading American technology companies such as Google, Yahoo, Microsoft, and AOL. App. 283 ¶ 70; App. 66. The information obtained by NebuAd was comparable to the information used by other advertising networks to build user profiles and serve behaviorally targeted advertisements. App. 283 ¶ 72; App. 66; App. 562. These other networks also build interest profiles based on the URLs visited by users. Id. Indeed, in at least two respects NebuAd used less information than competitor advertising networks. First, some other advertising networks link their profiles with personally identifiable information they obtain from their network partners. App. 284 ¶ 74; App. 67. By contrast, the NebuAd System did not associate any personally identifiable information with its profiles. App. 278-79 ¶¶ 38-39, 41, 48; App. 62-63. Second, Google’s Gmail service actually scans the 48

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 58

content of users’ emails and delivers advertising targeted to key words in those emails. App. 284 ¶ 75; App. 67. The NebuAd System, by contrast, did not observe the content of users’ emails. App. 276 ¶ 24, 277 ¶ 28; App. 61; App. 55657. Embarq also took steps to ensure the protection of its users’ privacy. Embarq relied on presentations by NebuAd executives discussing the privacy precautions taken by NebuAd, as well as on NebuAd’s representation that it had assembled and worked closely with a Privacy Council of leading independent experts on Internet privacy. App. 284 ¶¶ 76-77; App. 67. NebuAd in turn had obtained an independent privacy analysis which stated that NebuAd had “established industry-leading privacy controls and practices to protect consumer privacy and safeguard personal information” and “rank[ed] among the most privacy conscious vendors we have worked with in the online advertising industry.” App. 284 ¶ 78; App. 67. It is certainly legitimate for an ISP to attempt to supplement its revenue stream from an activity – online advertising – that is pervasive on the Internet. And the fact that NebuAd employed a relatively new technology for serving Internet advertisements does not make the “ordinary course of business” exception any less applicable. NebuAd’s model was simply a new variation on the wellestablished theme of building “detailed profiles of Internet users and using them to 49

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 59

target … advertisements.” DoubleClick, 154 F. Supp. 2d at 502 (footnote omitted); id. at 503; Toys R Us, 2001 WL 34517252, at *1-2; App. 283 ¶ 72; App. 66; App. 562. Indeed, for many years Embarq had gained some revenue from online targeted advertising, App. 283 ¶ 69; App. 66; App. 561, and at least one other ISP had built its entire business model around the concept of serving users targeted advertisements based upon the URLs they visited. App. 283-84 ¶ 73; App. 67. Moreover, the phrase “ordinary course of business” should not be interpreted to stifle innovation or to cover only those business practices existent in 1968, when the Wiretap Act was first drafted. Rather, Congress intended for the Act’s language to be flexible enough to adapt to changing technologies. Price v. Turner, 260 F.3d 1144, 1148 (9th Cir. 2001) (noting that Congress’s goal in the Wiretap Act was to strike a balance between privacy and “the goal of ensuring that the telecommunications industry was not hindered in the rapid development and deployment of the new services and technologies that continue to benefit and revolutionize society” (quoting H.R. Rep. No. 103-827, 10, 17-18, 30 (1994), reprinted in 1994 U.S.C.C.A.N. 3489, 3490, 3497-98, 3510)). And, as Plaintiffs’ expert witness has acknowledged, technology and business models on the Internet are “constantly evolving and changing.” App. 467.

50

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 60

Indeed, the need to accommodate such change explains why courts have interpreted the “ordinary course of business” as referring to a “legitimate business purpose,” see, e.g., James, 591 F.2d at 582 (emphasis added), rather than as referring to whatever course of business happened to be widespread at the time the statute was enacted. The legitimacy of Embarq’s business purpose is underscored by the fact that targeted advertising improves subscribers’ experience of the Internet. Marketing studies show that users are irritated by irrelevant advertisements, and prefer to receive advertisements tailored to their interests. App. 283 ¶ 66; App. 66. To account for the possibility that some subscribers may prefer otherwise, Embarq disclosed the NebuAd test in its privacy policy and gave its subscribers the opportunity to opt out, which accorded with industry standards. See supra Part III; App. 281 ¶¶ 54-55; App. 64. Indeed, according to the Code of Conduct promulgated in December 2008 by the Network Advertising Initiative – an association of advertising networks, data exchanges, and marketing analytics services providers committed to building and reinforcing responsible business and data management standards and practices –online advertisers may rely upon optout consent for the collection and use of any non-personally identifiable information. App. 281 ¶ 56; App. 64; App. 559.

51

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 61

This case in no way approaches the core concerns of the Wiretap Act, namely industrial espionage, the theft of trade secrets, or the risk that “personal, marital, religious, political, or commercial concerns can be intercepted by an unseen auditor and turned against a speaker to the auditor’s advantage.” S. Rep. 90-1097 at 67, reprinted in 1968 U.S.C.C.A.N. at 2154. No human being ever observed the raw data collected by NebuAd, App. 280 ¶ 47; App. 63; that data was deleted from NebuAd’s computers in a matter of microseconds, or certainly in a matter of seconds, App. 280 ¶ 46; App. 63; and NebuAd took pains to de-identify its user profiles, so that no profile could ever be linked to any identifiable individual, App. 279 ¶¶ 41-42; App. 63. Instead, the NebuAd test on Embarq’s network involved nothing more than employing an existing technology (deep packet inspection) in a new way to accomplish a legitimate business purpose (improving the customer experience and increasing revenues), with every effort made to safeguard the users’ privacy (by de-identifying user profiles and immediately deleting raw data), while informing users (via the privacy policy) about the test and giving them a chance to opt-out in accordance with industry standards. The “ordinary course of business” exception to the Wiretap Act exists to protect precisely this kind of activity.

52

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 62

C.

Plaintiffs Fail to Address the “Ordinary Course of Business” Defense.

Plaintiffs present no argument whatsoever that these facts fail to satisfy the “ordinary course of business” defense. Instead, they inexplicably focus on an entirely different defense, the “necessary incident” defense, and cite to an entirely different statute, the Stored Communication Act, that is not even at issue in this case. See Br. 26, 28 (citing 18 U.S.C. § 2702(b)(5)).8 Embarq has never invoked the “necessary incident” defense, and thus it is irrelevant whether or not the NebuAd test was necessary to Embarq’s service. Cf. Br. 27-28. Underscoring the inaptness of their argument, Plaintiffs cite to a case that specifically distinguishes between the “ordinary course of business” defense and the “necessary incident” defense, and then ignore what that case has to say about the former. See Berry v. Funk, 146 F.3d 1003, 1009-10 (D.C. Cir. 1998) (holding that the “ordinary course of business” defense is satisfied so long as actions are justified by a “valid business purpose,” but finding no such purpose in the monitoring of telephone calls in violation of applicable employer guidelines) (quotation marks omitted).

The Wiretap Act contains a “necessary incident” defense that applies only to an “operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service,” but not to the communication service provider itself. 18 U.S.C. § 2511(2)(a)(i). Embarq does not rely in any way on the “necessary incident” defense. 53

8

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 63

Moreover, Plaintiffs focus on a defense that is not at issue, while ignoring the defense that Embarq does raise, even though Embarq pointed out that Plaintiffs made the same error in briefing before the District Court. App. 580-82. This Court should not permit them to make new arguments in their reply brief, given that Plaintiffs were on notice of their mistaken understanding of Embarq’s “ordinary course of business” defense, yet nonetheless did little more than cut-andpaste their misguided argument into their brief before this Court without even attempting to address their misunderstanding. Compare App. 84-85 with Br. 2628; Carpenter v. Boeing Co., 456 F.3d 1183, 1198 n.2 (10th Cir. 2006) (“[W]e particularly frown on the making of new arguments in a party’s reply brief.”). In short, to satisfy the “ordinary course of business” defense, all that matters is whether the NebuAd test furthered a legitimate business purpose. James, 591 F.2d at 581-82. Embarq has shown that the NebuAd test did further such a purpose, and Plaintiffs have no answer.

54

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 64

CONCLUSION For the foregoing reasons, the decision of the District Court should be affirmed. ORAL ARGUMENT STATEMENT Embarq respectfully requests oral argument. The case concerns a technical subject matter, and oral argument may assist the Court’s understanding of the facts.

Dated: March 26, 2012

Respectfully submitted, /s/ David A. Handzo David A. Handzo Matthew E. Price JENNER & BLOCK LLP 1099 New York Ave. NW Suite 900\ Washington, DC 20001 Phone: (202) 639-6000 Fax: (202) 639-6066 Email: dhandzo@jenner.com mprice@jenner.com J. Emmett Logan STINSON MORRISON HECKER LLP 1201 Walnut, Suite 2900 Kansas City, MO 64106 Phone: (816) 691-2745 Email: elogan@stinson.com

55

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 65

CERTIFICATE OF COMPLIANCE Pursuant to Fed. R. App. P. 32(a)(7), I certify that this brief complies with the type-volume limitations of Fed. R. App. P. 32(a)(7)(B) because it contains 12,608 words, excluding the parts of the briefs exempted by Fed. R. App. P. 32(a)(7)(B)(iii).

/s/ David A. Handzo David A. Handzo JENNER & BLOCK LLP 1099 New York Ave. NW Suite 900\ Washington, DC 20001 Phone: (202) 639-6000 Fax: (202) 639-6066 Email: dhandzo@jenner.com

56

Appellate Case: 11-3275

Document: 01018817236

Date Filed: 03/26/2012

Page: 66

CERTIFICATE OF SERVICE I hereby certify that on March 26, 2012, I caused the foregoing Appellees’ Brief to be served via CM/ECF and UPS to: Steven John Lipscomb 10100 Santa Monica Boulevard, 12th Floor Los Angeles, CA 90067 Email: slipscomb@elllaw.com Rahul Ravipudi Panish, Shea & Boyle 11111 Santa Monica Blvd., Suite 700 Los Angeles, CA 90025-3301 Email: ravipudi@psblaw.com Glenn Allen Stockton Stockton Law Office 952 East Lincoln Lane Gardner, KS 66030 Email: glenn@stocktonlaw.com Paul A. Traina Engstrom, Lipscomb & Lack 10100 Santa Monica Boulevard, 12th Floor Los Angeles, CA 90067 Email: ptraina@elllaw.com

/s/ David A. Handzo

57

Master your semester with Scribd & The New York Times

Special offer for students: Only $4.99/month.

Master your semester with Scribd & The New York Times

Cancel anytime.