Computers, Privacy & the Constitution

"Safarigate" and Challenges to Protecting Browser Privacy Settings

-- By KristenLovin - 19 Jul 2012

On February 17, the Wall Street Journal announced that Google purposefully circumvented Safari’s privacy settings, allowing it to “track[] the Web-browsing habits of people who intended for that kind of monitoring to be blocked.” In response, Matthew Sobel filed a class action against Google, alleging violation of the Wiretap Act, the SECA, and the CFAA. While this suit may garner attention for the plaintiff’s lawyer, its ability to serve as any real punitive measure is doubtful.

Problematic Legal Theories

Article III Standing

Sobel may have difficulty establishing Article III standing. In La Court v. Specific Media, the Central District of California denied standing to users whose personal information was collected through the use of tracking cookies. Persuasive to the court was the idea that collection of personal information foreclosed no user from a “value-for-value exchange” and an S.D.N.Y. finding that “website visitors do not suffer a cognizable ‘economic loss’ from the collection of their data.” These assumptions are questionable; still, a court could apply this same line of reasoning here.

SECA: Cookies are not “Electronic Storage”

Further, Google’s use of cookies may insulate it from SECA liability. In re DoubleClick held that cookies are not in “electronic storage,” and are thus not covered by the SECA. According to the court, the SECA was meant to protect electronic communications that are stored temporarily while they are in the process of delivery; cookies, by contrast, are stored indefinitely and therefore are not covered under the act. Because Google’s cookies expire in 12-24 hours, Google may be able to distinguish this case. However, this seems unlikely as In re Doubleclick requires that plaintiffs allege the accessed storage is “temporary.” Soble has not done this.

Wiretap Act: “+1” Clicks Provide Consent

Finally, Google may also avoid Wiretap Act liability by raising consent as a defense. Unlike most third-party cookies, Google’s cookie is only installed after a user clicks the “+1” button on a Google Ad. The “+1” button is Google’s equivalent of the Facebook “like,” and Google+ users will recognize this as a means of associating voluntarily submitted preferences with their profile. Accordingly, such “surrounding circumstances” could conceivably be enough to “convincingly show that the party knew about and consented to the interception,” thus evading liability under the Wiretap Act. Berry v. Funk.

Right to Privacy?

Even more problematic than the legal theories, though, is that the complaint seems animated by some background assumption of a right to privacy in the web browsing space. Default browser policies toward third-party cookies (which, by the way, most users are oblivious to) are a long way off from the traditional chalk circles that dominate 4th Amendment jurisprudence. If we get into a discussion about hard drives and SRAM arrays, it may be possible to say that cookies have a physical dimension. However, their amenability to 4th Amendment protection ends here. When users say they want their browsing history to remain private, they aren’t saying they want to protect individual files on their personal computers from outside access. Rather, they are saying they want the information contained in these files to not be discovered by others. Caselaw analogizing computers to closed containers also provide little help in extending a right to privacy to third-party cookies. Courts have generally held that a reasonable expectation of privacy extends to electronic files stored on personal computers. See, e.g., United States v. Andrus; United States v. Heckenkamp. However, this expectation ends when a person shares that information in some way, such as connecting to a military network or posting information to an electronic bulletin board. Not only do third-party cookies share information across a network, they are not even files created personally by the user. Rather, cookies are simply helper files that websites use to store information the websites themselves generate. One website does not have access to another’s cookie and a user can manually destroy any cookies at any time. Whether it is because the contents of Google’s cookies were communicated across the internet or because Sobel never owned this information in the first place, an expectation of privacy hardly seems reasonable in this case.

Remaining Recourse?

Thus, if neither federal statutes nor the 4th Amendment can do much to assert browser privacy preferences, what recourse do users have? In this particular case, the answer is simple: don’t click the “+1” button. Or, better yet: don’t use Safari. Switching to Firefox and installing security add-ons, for example, provides a user with much more robust privacy protection than Apple’s half-hearted “no third-party cookies by default” policy. Add-ons like Ghostery will alert the user when they detect plug-ins and invisible cookies; Do Not Track will instruct websites not to install tracking cookies; AdBlock Plus will prevent social networks from transmitting information about users after they leave the site; and the list goes on.

There are also a number of other proactive measures that users can take: in-private browsing prevents cookies from being saved after the browsing session ends; proxy servers obscure a user’s IP address from the websites he visits; logging out of social networking sites prevent those sites from tracking the browsing he does from other sites. Many resources are available to users who wish to take control of their browsing privacy. Few, however, utilize them.

In this context, the impulse to run to the courts at each new “breach” of “privacy” on the internet seems misplaced. The burden of safeguarding personal information should rest with the user, not the Constitution. Many internet users are oblivious to the eavesdropping that happens while they surf, and education could go a long way towards curbing the information flow. It may be the case that we cannot completely prevent discovery of our web browsing behavior, but we can at least use measures like browser settings to shape how it is done. Much like the incantations the 4th Amendment requires for government search, users can tell companies that they cannot collect web browsing history without taking certain steps. This does not protect the underlying information, but it at least gives some voice to an otherwise powerless mass.


Webs Webs

r2 - 11 Jan 2013 - 21:48:54 - IanSullivan
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM