Kirch v. EMBARQ Mgmt. Co.

• Citation: 702 F.3d 1245
• Decision Date: 28 December 2012
• Docket Number: No. 11–3275.,11–3275.
• Parties: Kathleen KIRCH; Terry Kirch, individually and on behalf of themselves and all others similarly situated, Plaintiffs–Appellants, v. EMBARQ MANAGEMENT CO., a Delaware corporation; United Telephone Company of Eastern Kansas, a Delaware corporation, Defendants–Appellees, and Doe Defendants 1–5, Defendants.
• Court: United States Courts of Appeals. United States Court of Appeals (10th Circuit)

702 F.3d 1245

Kathleen KIRCH; Terry Kirch, individually and on behalf of themselves and all others similarly situated, Plaintiffs–Appellants,

v.EMBARQ MANAGEMENT CO., a Delaware corporation; United Telephone Company of Eastern Kansas, a Delaware corporation, Defendants–Appellees,andDoe Defendants 1–5, Defendants.

No. 11–3275.

United States Court of Appeals,Tenth Circuit.

Dec. 28, 2012.

Rahul Ravipudi, Panish, Shea & Boyle, LLP, (Paul A. Traina, Steven J. Lipscomb, Engstrom, Lipscomb & Lack, with him on the briefs), Los Angeles, CA, for Plaintiffs–Appellants.

Matthew E. Price, Jenner & Block, LLP, Washington, D.C., (David A. Handzo, Jenner & Block LLP and J. Emmett Logan, Stinson Morrison Hecker LLP, Kansas City, MO, with him on the brief), for Defendants–Appellees.

Before MURPHY, HARTZ, and HOLMES, Circuit Judges.

HARTZ, Circuit Judge.

Plaintiffs Kathleen and Terry Kirch appeal the district court's grant of summary judgment in favor of Defendants United Telephone Company of Eastern Kansas and Embarq Management Company (collectively “Embarq”) on the Kirches' claim that Embarq intercepted their Internet communications in violation of the Electronic Communications Privacy Act of 1986 (ECPA), Pub. L. No. 99–508, 100 Stat. 1848. Embarq is an Internet service provider (ISP). The alleged interceptions occurred when Embarq authorized NebuAd, Inc., an online advertising company, to conduct a technology test for directing online advertising to the users most likely to be interested in the ads. Exercising jurisdiction under 28 U.S.C. § 1291, we affirm the district court's judgment. Although NebuAd acquired various information about Embarq users during the course of the technology test, Embarq cannot be liable as an aider and abettor. And it was undisputed that Embarq's access to that information was no different from its access to any other data flowing over its network. Because this access was only in the ordinary course of providing Internet services as an ISP, this access did not constitute an interception within the meaning of the statute.

I. STATUTORY FRAMEWORK

The ECPA prohibits the interception of “electronic communication,” 18 U.S.C. § 2511(1), and imposes criminal and civil liability, see id. §§ 2511(4) (criminal penalties); § 2520 (civil liability for damages). Traffic on the Internet is electronic communication. See id. § 2510(12) (defining electronic communication as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system”).

The statute defines intercept as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” Id. § 2510(4) (emphasis added). No “interception,” and hence no violation of the ECPA, occurs if the contents of a communication are acquired in the ordinary course of business of an ISP because the Act's definition of electronic, mechanical, or other device excludes “any telephone or telegraph instrument, equipment or facility, or any component thereof ... (ii) being used by a provider of wire or electronic communication service in the ordinary course of its business....” Id. § 2510(5)(a); see Hall v. EarthLink Network, Inc., 396 F.3d 500, 503–05 (2d Cir.2005). An interception to which a party to the communication consents also is not prohibited. See id. § 2511(2)(d) (“It shall not be unlawful under this chapter for a person ... to intercept a wire, oral, or electronic communication ... where one of the parties to the communication has given prior consent to such interception....”)

The ECPA imposes civil liability on those who unlawfully intercept electronic communications. It states:

Except as provided in section 2511(2)(a)(ii) [relating to the Foreign Intelligence Surveillance Act of 1978], any person whose wire, oral or electronic communication is intercepted, disclosed, or intentionally used in violation of this chapter may in a civil action recover from the person or entity, other than the United States, which engaged in that violation such relief as may be appropriate.

18 U.S.C. § 2520(a) (emphasis added). This language does not encompass aiders or abettors. The only persons liable are those who engaged in “that violation.” And the natural reading of “that violation” is the “intercept [ion], disclos[ure], or intentional[ ] use[ ] ... in violation of [the statute].” In other words, “the person or entity ... which engaged in that violation” is the person or entity that “intercepted, disclosed, or intentionally used” the communication. The provision includes no aiding-and-abetting language. As the Supreme Court has said:

Congress has not enacted a general civil aiding and abetting statute.... Thus, when Congress enacts a statute under which a person may sue and recover damages from a private defendant for the defendant's violation of some statutory norm, there is no general presumption that the plaintiff may also sue aiders and abettors.Cent. Bank of Denver, N.A. v. First Interstate Bank of Denver, N.A., 511 U.S. 164, 182, 114 S.Ct. 1439, 128 L.Ed.2d 119 (1994).

Any temptation to read the statute as imposing aider-and-abettor liability is overcome by the illuminating statutory history of the civil-liability provision. The 1968 predecessor to the ECPA imposed both criminal and civil liability for those who procured an interception. The criminal provision, codified as 18 U.S.C. § 2511(1)(a) (1968), held responsible “any person who ... willfully intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire or oral communication.” Pub. L. No. 90–351, Title III § 802, 82 Stat. 197, 213 (1968) (emphasis added). (Later paragraphs made it a crime to willfully disclose or use unlawfully intercepted communications. See18 U.S.C. § 2511(1)(c), (d) (1968).) Similarly, the civil-liability provision stated: “Any person whose wire or oral communication is intercepted, disclosed, or used in violation of this chapter shall ... have a civil cause of action against any person who intercepts, discloses, or uses, or procures any other person to intercept, disclose, or use such communications.” Id., 82 Stat. at 223 (emphasis added) (enacting former 18 U.S.C. § 2520). When the ECPA was enacted in 1986, the criminal provision was changed only to replace “willfully” by “intentionally” and to add “electronic” communications to “wire” and “oral” ones. See18 U.S.C. § 2511(1)(a). But the civil provision was altered in additional ways, including deletion of the “procures” clause. We presume that this deletion was intended to change the statute's meaning. See Stone v. INS, 514 U.S. 386, 397, 115 S.Ct. 1537, 131 L.Ed.2d 465 (1995); Antonin Scalia & Bryan A. Garner, Reading Law: The Interpretation of Legal Texts § 40 (2012) (“If the legislature amends or reenacts a provision other than by way of a consolidating statute or restyling project, a significant change in language is presumed to entail a change in meaning.”). Accordingly, almost all courts to address the issue have held that § 2520 does not impose civil liability on aiders or abettors. See Peavy v. WFAA–TV, Inc., 221 F.3d 158, 169 (5th Cir.2000); Council on Am.–Islamic Relations Action Network, Inc. v. Gaubatz, No. 09–02030, 891 F.Supp.2d 13, 23–24, 2012 WL 4054141, at *8 (D.D.C. Sept. 17, 2012) (collecting cases). But see Lonegan v. Hasty, 436 F.Supp.2d 419, 427–28 (E.D.N.Y.2006).

II. THE TECHNOLOGY TEST

In November 2007 Embarq entered into an agreement with NebuAd to conduct a test of what is referred to as the NebuAd System. The physical components of the system were an Ultra Transparent Appliance (UTA) and remote servers (apparently in California) hosted by NebuAd. The system's purported purpose was to “allow[ ] for placement of optimized advertisement on Trial customers' internet browser screens.” Aplt. App., Vol. I at 92. The test began in mid-December 2007 and ended in March 2008. Under the agreement the UTA was installed in Embarq's network in Gardner, Kansas, where the Kirches were customers of Embarq. Embarq's Gardner users were connected to the UTA, which was connected to the rest of Embarq's network. According to the Kirches, the Internet traffic that passed through the UTA was sent to the NebuAd servers in its system. NebuAd used the UTA to track what websites an Embarq user visited, and to deliver online advertising thought likely to interest users who visited those websites.

Embarq asserts that the NebuAd System collected only information about customer requests for highly trafficked commercial websites, and obtained only three pieces of information about such requests: the requested Uniform Resource Locator (URL, known in common parlance as a web page's “address”), the “referer URL” (the last URL visited before the request), and an advertising network cookie.¹ Because cookies are typically encrypted, the NebuAd System did not extract any information from them. Users' computers were assigned identification numbers based on these cookies, and the information about past Internet usage was associated with a user's computer only through this number. The Kirches contend, however, that the UTA “intercepted and analyzed” all Internet traffic from affected customers, id. at 61, not only their requests for highly trafficked commercial websites.

III. PROCEEDINGS IN DISTRICT COURT

The Kirches sued Embarq in the United States District Court for the District of Kansas on behalf of themselves and other Embarq customers. They asserted four claims arising out of the NebuAd test: unlawful interception of communications in violation of the ECPA; accessing plaintiffs' computers without authorization, in violation of the Computer Fraud and Abuse Act, see18 U.S.C. § 1030(a), (g); invasion of privacy under Kansas state law; and trespass to chattels under Kansas state...