ISPs Duck Class Claims of Targeted Ad Spyware

     (CN) - A class failed to show that two Internet providers secretly installed spyware on their broadband networks to facilitate targeted online advertising, the 10th Circuit ruled.
     Kathleen and Terry Kirch sued Embarq Management and United Telephone Co. of Eastern Kansas for violation of the Electronic Communications Privacy Act (ECPA) in 2010.
     Doing business as CenturyLink, the Delaware-based companies faced claims that they funneled Internet users' communications to a third-party advertiser NebuAd. The spyware, which was tied to users' Internet Service Provider (ISP) addresses, left undeletable tracking cookies and could not be detected through individual privacy or security settings, according to the complaint.
     NebuAd monitored and profiled individual users - eavesdropping on their email and search histories - to send targeted advertising on webpages that the users visited, according to the complaint
     But Embarq and United countered that it did not have access to user profiles or data collected by NebuAd. They also said that the Kirches consented to any alleged interception by agreeing to its privacy policy. Any acquired user communications would have occurred only in the ordinary course of ISP business activities, the providers said.
     They insist that NebuAd had not intercepted users' communications because the limited information acquired about their Internet communications did not include the contents of those communications.
     A Kansas City federal judge granted the providers summary judgment in 2011, ruling that the companies had not intercepted the Kirches' communications.
     The court also rejected an argument that the providers could be liable on a theory of aiding and abetting NebuAd, ruling that the Kirches had consented to any interception by agreeing to the terms of their providers' privacy policy.
     The 10th Circuit affirmed last week.
     "Like the district court, we need not address whether NebuAd intercepted any of the Kirches' electronic communications," Judge Harris Hartz wrote for a three-member panel. "Because the ECPA creates no aiding-and-abetting civil liability, Embarq is liable only if it itself intercepted those communications."
     NebuAd did not give ISPS access to information different from its ordinary access to data flowing over its network, the 10th Circuit ruled.
     Though NebuAd may have violated the statute, the ISPs could not be held responsible as an aider and abettor, according to the ruling
     "Although NebuAd acquired various information about Embarq users during the course of the technology test, Embarq cannot be liable as an aider and abettor," Hartz wrote. "It was undisputed that Embarq's access to that information was no different from its access to any other data flowing over its network. Because this access was only in the ordinary course of providing Internet services as an ISP, this access did not constitute an interception within the meaning of the statute."
     The privacy statute "defines intercept as 'the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device,'" the ruling states. "No 'interception,' and hence no violation of the ECPA, occurs if the contents of a communication are acquired in the ordinary course of business of an ISP because the Act's definition of electronic, mechanical, or other device excludes 'any telephone or telegraph instrument, equipment or facility, or any component thereof ... (ii) being used by a provider of wire or electronic communication service in the ordinary course of its business."
     CenturyLink told Congress that the NebuAd test affected 26,000 subscribers in Kansas and 6 million across the country, the Kirches said.