[EDRM Editor’s Note: The opinions and positions are those of Michael Berman.]
In Vita v. New England Baptist Hosp., __ Mass __, __ N.E.3d __, 2024 WL 4558621 (Mass. Oct. 24, 2024), the court held that the Massachusetts wiretap statute does not criminalize interception of web browsing and sale of the intercepted information to third parties.
The plaintiff, Kathleen Vita, alleged that she accessed the websites of two hospitals to review public information about physicians, symptoms, and procedures. She further alleges that the hospitals “shared information regarding Vita’s browsing with third parties for advertising purposes without her consent….” She contends that this violated the Massachusetts wiretap act.
The court disagreed: “When the statute was enacted, wiretaps involved the interception of person-to-person conversations and messages using hidden electronic surveillance devices placed in people’s homes or businesses or tapping their telephone lines.” Id. at *1. The court wrote:
The Legislature crafted the statute to prohibit new and evolving technological means of secret electronic eavesdropping on such person-to-person conversations or messaging, whether they be face-to-face conversations, calls on a landline telephone, cell phone calls, text messages, Internet chats with other people, e-mail messages, or other interpersonal conversations or messaging utilizing future technology. However, Vita’s allegations do not claim the interception of person-to-person conversations or messaging of the kind clearly within the wiretap act’s ambit. The interactions here are not with another person but with a website. Nor are they personal conversations or messages being intercepted, but rather the tracking of a website user’s browsing of, and interaction with, information published on a website.
Vita v. New England Baptist Hosp., __ Mass __, __ N.E.3d __, 2024 WL 4558621, at *1 (Mass. Oct. 24, 2024).
The Vita court did not necessarily approve of the practice:
Make no mistake, the hospitals’ alleged conduct here raises serious concerns, and may indeed violate various other statutes and give rise to common-law causes of action more specifically directed at the improper handling of confidential information, particularly confidential medical information. And we do not in any way minimize the serious threat to privacy presented by the proliferation of third-party tracking of an individual’s website browsing activity for advertising purposes. These concerns, however, should be addressed to the Legislature.
Id.
The information at issue in Vita did not include private patient records or messages to nurses, doctors, or other healthcare providers. Id. at *1.
Ms. Vita alleged that the information collected – – such as URLs, page titles, browser data, the user’s IP protocol, and certain unique identifiers – – permitted third-party software providers to create “browser fingerprints” that associated a specific individual with a unique combination of web browser settings. Id. at *3. Collected information included navigation by a user, the contents of searches, filtering criteria, whether certain pages were visited, and other information. Id.
Vita alleges that the websites contained tracking software, developed by third parties, that allowed the hospitals and third parties to monitor the use of the hospitals’ websites. These third parties included Facebook and Google, each offering similar software, “Meta Pixel” and “Google Analytics,” which allowed hospitals to track user activity on their websites. The software simultaneously collected and transmitted to the third-party software providers information about the websites’ users and the users’ interactions with the websites. The third-party software providers, in turn, marketed the data to merchants and delivered targeted digital advertisements tailored to individual users. Vita’s complaints allege that this widespread targeted marketing activity is highly significant economically. According to the complaint, “Google derives a substantial portion of its revenues through individually targeted advertising,” and “Facebook derives most of its revenues from selling targeted advertising to users of its platforms, including Facebook and Instagram.”
Id. at *3.
The hospitals’ pop-up disclosure stated: “We use cookies and other tools to enhance your experience on our website and to analyze our web traffic.” The pop-up also linked to a privacy message and stated that information was “routinely” gathered “on an aggregate, anonymous basis….” The hospitals stated that the information was not shared with others. Id. at *4. The Vita court wrote:
The privacy policies also disclosed (albeit again allegedly incompletely and misleadingly) some third-party data tracking or sharing. The hospitals stated that they and their “Third Party Service Provider[s]” collected and saved “the default information customarily logged by worldwide web server software,” which included “date and time, originating IP address and domain name … , object requested, and completion status of the request.” They further disclosed that this information “may be kept for an indefinite amount of time, [and] used at any time and in any way necessary to prevent security breaches and to ensure the integrity of the data on our servers.”
Id. at *4.
After the hospitals’ motions to dismiss were denied, direct appellate review was permitted. The Massachusetts Supreme Court rejected the argument that Ms. Vita lacked standing.
It then analyzed the text of the Massachusetts wiretap act, which imposes a criminal penalty and creates a civil remedy if a defendant willfully commits an interception of any wire or oral communication. Id. at *7. The court wrote:
“Wire communication” is defined as “any communication made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection between the point of origin and the point of reception.” G. L. c. 272, § 99 B 1.
Id. at *7.
Next, it explained:
We conclude that the statutory term “communication” is ambiguous as applied to the web browsing activities allegedly intercepted. Neither the plain text of the statute nor dictionary definitions make clear whether such activity amounts to “communication,” and the legislative history is concerned with a different type of surveillance. Thus, the rule of lenity must apply, thereby entitling the defendants to “the benefit of any rational doubt” in the construction of the statute….
Id.
The court stated that “communication” includes person-to-person communications, such as email, text messages, online chats, and, instant messaging.
Notably, however, Vita’s complaints do not allege communications between people in this commonsense way. The complaints repeatedly characterize the intercepted communications as being between Vita and each hospital’s website, not between Vita and hospital personnel, understandably, given that the allegedly intercepted communications consist of what would commonly be called web browsing by Vita.
Id. at *8.
The court looked to dictionary definitions of the word “communication” and considered other arguments. It found the statutory text inconclusive:
Ultimately, we cannot conclude that the wiretap act unambiguously prohibits and, indeed, criminalizes the interception of web browsing activity, because there appears to be a difference in kind and not degree between interactions on a website available to the public and private conversations in your house or on your telephone. In essence, we are not here dealing with just new means of communication, such as the difference between communicating with another person on a cell phone rather than a landline, or a text message rather than a telegraph message.
Id. at *10.
In essence, we are not here dealing with just new means of communication, such as the difference between communicating with another person on a cell phone rather than a landline, or a text message rather than a telegraph message.
Vita v. New England Baptist Hosp., __ Mass __, __ N.E.3d __, 2024 WL 4558621, at *10 (Mass. Oct. 24, 2024).
The court then turned to legislative history: “From the very beginning, the Legislature repeatedly referred to eavesdropping on private conversations and the use of covert electronic recording devices that could be placed in a home or business or used to tap a telephone.” Id. at *11. It found that the legislative history is “directed at the invasion of privacy and threat to free expression from secret surveillance of private conversations.” Id. at *11. Because the internet did not then exist, the legislative history was silent on web tracking. Id. at *12.
In sum, the legislative history is focused on the secret interception of person-to-person conversations and messaging, particularly private ones. The electronic surveillance devices, and the “frightening” future of such devices, with which the Legislature was concerned were covert recording devices that could be used to “bug” one’s home or business or tap one’s telephone line to listen in on such conversations. The Legislature also recognized that ordinary business realities needed to be considered, allowing some monitoring of even private person-to-person conversations. While the legislative history thus evinces a focus on addressing the privacy threats posed by evolving surveillance methods, it does not provide a basis for concluding that the Legislature intended that the term “communication” would itself over time extend beyond person-to-person communications, such as to encompass a human’s interactions with a website. The legislative history therefore provides no sound basis for concluding that the tracking of human-website interactions for website analytics and digital advertising purposes, via commonly employed technologies, is a “communication” under the wiretap act.
Id. at *12.
Reviewing Massachusetts case law, the court found no precedent for Ms. Vita’s more expansive definition. It distinguished federal precedent and the federal statute: “Thus, the scope of liability under the Federal law is significantly limited in a way that our wiretap act, which requires the consent of all parties to a communication, is not.” Id. at *14.
Having found the statute ambiguous, the court applied the “rule of lenity” and gave the defendant the benefit of “any rational doubt.” Id. at *14. It explained:
Activities such as entering a URL, accessing a specific webpage, clicking on links, and scrolling through a webpage are clearly not the type of person-to-person conversation or messaging unambiguously protected by the act. Similarly, the transmission of data about a user’s web browser configuration and IP address bear little resemblance to person-to-person conversation.
We also cannot deem as communications the interception of which might lead to criminal penalties the act of simply running searches on the websites or accessing information about doctors published on the websites, as alleged by Vita. These interactions with a website, as explained above, differ in material respects from person-to-person conversations and messaging. The website user is interacting with the website, not another person, and accessing publicly available data, not having a personal conversation or sending a personal message.
In analyzing whether the interception of this information constitutes a criminal violation, we must keep in mind that the statute does not distinguish medical information from other information, or hospital websites from other websites. Consequently, we must impose a common definition of communication of information for all websites. For example, would it be a criminal violation if a user browses a music or sports website, to inquire about particular songs or athletes, and the music website or sports website tracks its users, and shares that information with Internet advertisers without the user’s consent? Under this interpretation, it would appear that thousands of website owners could potentially face severe criminal and civil penalties for using tracking tools needed to support an advertising-based business model that is so common on the Internet….
Id. at *14.
The Vita court noted that there are limits on its holding:
We emphasize that Vita does not allege that her communications with a particular physician, nurse, or other medical professional were intercepted. If such communications were intercepted, these would be much different cases….
Id.
Further, it suggested other remedies may be available:
We also emphasize that the Legislature has provided other statutory and common-law causes of action to address allegedly false, misleading, or deceptive activity on the Internet, including statutory and common-law protections more directly applicable to misrepresentations or misuse of private medical information….
Id.
However, Ms. Vita had no remedy under the Massachusetts wiretap statute:
In sum, the statutory language is ambiguous, and the legislative history is not helpful regarding whether the alleged interceptions of Vita’s uses of the hospitals’ websites are interceptions of “communications” within the meaning of the wiretap act and thereby potentially subject to both civil and criminal penalties. Therefore, the rule of lenity applies, and Vita’s claims against the hospitals, which are based on the wiretap act alone, should be dismissed.
Id. at *15-16.
One Justice wrote a vigorous dissent.
Come, they told patients like the plaintiff Kathleen Vita, use our websites as a virtual space where you can share your private medical concerns, and start receiving our professional medical advice, confidentially. Then, unbeknownst to their patients, the hospitals aided third parties to record this healthcare information, allowing the third parties to create detailed portraits of the patients’ medical needs and to monetize this information for advertisements targeted to those patients. Rather than candidly disclose this arrangement, the hospitals assured patients that, on their websites, the patients’ identities and privacy would be maintained. In short, the hospitals lied.
Id. at *16, passim.
The dissent asserted that the word “communication” was not ambiguous. It also focused on the word “any” that preceded the word “communication.” Id. at *21, 23.
The dissent described certain additional facts:
Employing the websites, patients inquired about the hospitals’ ability to provide specific treatments and procedures tailored to the particular maladies with which patients were afflicted; and they received the hospitals’ responses. On these websites, patients completed forms and dispatched requests to the hospitals to book appointments with physicians specializing in the patients’ illnesses or to reserve a spot in the urgent care line, just as they might by e-mail or by telephone.
Id. at *21, 23.
The dissent’s analysis of the facts differed from the majority: “The result is a personalized exchange of information specific to the patient’s healthcare inquiries and needs. Unlike the court, the hospitals understood that their websites were a means to communicate privately with patients.” Id.at *25.
The dissent argued that, when a patient and physician discuss treatment by telephone, the discussion cannot be bugged; however:
[W]hen the hospitals create an electronic forum to allow that same information to be exchanged over the hospitals’ website, they can implant tracking code to record the discussion secretly and then sell the information to the highest bidder without recourse in the act. When a patient telephones the doctor’s office to schedule an appointment, that conversation cannot be recorded secretly by a modern surveillance device under the act; but when that same exchange occurs on a website designed to facilitate such scheduling, it bewilders the court to conclude that the act extends so far.
Id. at *17.
The dissent also disagreed with the majority’s individual-to-individual communication analysis writing: “Of course, a patient is an individual on one end of this virtual call. That individual asks for information regarding a particular disease or procedure by clicking an available hyperlink or typing in search terms. She asks to book an appointment by filling out a form on the website…. On the other end of the ‘call,’ there are also individuals. These are the employees and representatives of the hospitals…. They are the hospitals’ agents who provide the information necessary to take the unique wishes of the individual patient and to develop an algorithm to provide the responsive list of qualified physicians.” Id. at *25.
The dissent concluded:
In sum, the hospitals created websites to communicate with their patients, inviting patients to share their personal medical needs and, in turn, providing the hospitals’ responses. The hospitals assured patients that these exchanges of information would be kept confidential. Then, unbeknownst to patients, they implanted tracking code to assist third parties to record the patients’ private medical concerns, padding Facebook’s and Google’s bottom lines. The court decides that the wiretap act provides no recourse despite its prohibition on surreptitious electronic surveillance by private parties. Lamentably, the court is right about one thing; the Legislature will need to correct today’s error.
Id. at *25.
In sum, the hospitals created websites to communicate with their patients, inviting patients to share their personal medical needs and, in turn, providing the hospitals’ responses. The hospitals assured patients that these exchanges of information would be kept confidential. Then, unbeknownst to patients, they implanted tracking code to assist third parties to record the patients’ private medical concerns….
Vita v. New England Baptist Hosp., __ Mass __, __ N.E.3d __, 2024 WL 4558621, at *25 (Mass. Oct. 24, 2024), (Wendland, J. dissenting).
Vita is a lengthy decision – – 44 pages in Westlaw – – and this blog necessarily omits many of the issues.
Vita did not involve email trackers.
“A ‘bug’ included in an email message (usually in a URL for an image) will report the following to the sender: whether, when, and where the recipient read the message and any attachments; whether the recipient forwarded it; and the IP address of all computers used to read the message.” Prof. Dane S. Ciolino, New Advisory Opinion Prohibits Use of Undisclosed “Web Bugs” – Louisiana Legal Ethics (Mar. 29, 2018).[1]
Email bugs – – which are in person-to-person communications – – likely present issues that differ from Vita. See, e.g., Debra C. Weiss, Lawyers may not use ‘web bugs’ to track email sent to opposing counsel, ethics opinion says (Nov. 8, 2016).
Notes
[1] Prof. Ciolino wrote: “Worried about being tracked by a web bug in your inbox? You can easily avoid it by configuring your email client to stop automatically retrieving remote content via URLs embedded in email messages.”
Assisted by GAI and LLM Technologies per EDRM GAI and LLM Policy.
