Home / Blogs

Disclosing Unique User IDs in URLs Doesn't Violate ECPA - In re Zynga/Facebook

Venkat Balasubramani

In separate lawsuits, plaintiffs alleged Facebook and Zynga violated the Stored Communications Act (in Zynga's case, also the Wiretap Act). The crux of plaintiffs' allegations was that when a Facebook user clicked on an ad or a link, the HTTP request sent by the browser included the user's Facebook ID and the address of the webpage the user was viewing when he or she clicked the link. An end user's request to play Farmville would result in the transmission of similar information to third parties.

The district court dismissed the claims on the basis that anyone who received the information was an "intended recipient" and thus these disclosures were excluded from the reach of the statute. (Previous post on the case here: "Facebook and Zynga Privacy Litigation Dismissed With Prejudice”.)

On appeal, the court tackles a foundational issue: is the information disclosed by Facebook or Zynga the "content" — the "substance, meaning, or purport" — of the communication. The ECPA distinguishes between a message's content and "record" information, which includes the name, address, "subscriber number or identity" of a subscriber (what we usually call metadata). According to the court, this distinction indicates that the statutory concept of "content" doesn't encompass a user ID or the page from which the end user initiated the request. The court says this conclusion is bolstered by the fact that ECPA's amendments to the Wiretap Act expressly excluded the identity of the parties or the existence of a communication (these previously could be considered content).

Plaintiffs argued that the Facebook IDs can be used to uncover personal information, but the court says this doesn't change the analysis. Plaintiffs also argued that the record information and content information may overlap in some instances (citing to In re Pharmatrak). The court distinguishes Pharmatrak because, in that case, the users communicated with a website by entering their personal information into a form, and this information was then accessed by third parties. Finally, plaintiffs tried to rely on Fourth Amendment cases where disclosure of a URL would result in disclosure of contents of a communication. The court says that its job is to construe the relatively clear statutory language, and the scope of privacy under the Fourth Amendment is not illuminating to this.

* * *

The real bombshell is that in a memorandum disposition, the court reverses the breach of contract and fraud claims against Facebook! So what the court taketh away in a detailed opinion, it gives back in a breezy memo.

As tortuous as the ECPA analysis usually is, the court's conclusion that Facebook's IDs and the web pages or links in question are not "content" is common sensical. LinkedIn was able to defeat a similar lawsuit. (See Low v. LinkedIn.) Although I don't recall if the court delved into it in Gaos, contrast this result with the one in Gaos v. Google, where Google lost a motion to dismiss, and (recently) settled a search referral case for $8.5 million.

Plaintiffs' argument that knowing the identity of the Facebook user plus the identity of the web page in question could divulge contents has a superficial appeal. Undoubtedly, the URL often provides some clue into the substance of a webpage in question, and the thought of anyone having access to the full list of URLs we've accessed is not comforting. However, even if this somehow amounts to an argument that it could result in disclosure of the "content" under the ECPA, it would be a tough sell to make this argument work on a class-wide basis in this context.

Including user IDs in URLs was a short-lived practice that Facebook (and others) fixed when they were advised of it. Presumably, plaintiffs won't continue to try to litigate their breach of contract claims, which would be comical from a damages standpoint. In any event, as with the cookie lawsuits of the early 2000s, the court makes quick work of this genre of claims.

Case citation: In re: Zynga & Facebook Privacy Litigation, Nos. 11-18044; 12-15619 (9th Cir. May 8, 2014)

By Venkat Balasubramani, Tech-Internet Lawyer at Focal PLLC. Follow Venkat on Twitter here.

Related topics: Law, Privacy

 
   

Don't miss a thing – get the Weekly Wrap delivered to your inbox.

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

Cybersecurity

Sponsored by Verisign

IP Addressing

Sponsored by Avenue4 LLC

DNS Security

Sponsored by Afilias

Mobile Internet

Sponsored by Afilias Mobile & Web Services

Promoted Posts

Buying or Selling IPv4 Addresses?

Discover ACCELR/8, a transformative IPv4 market solution developed by industry veterans Marc Lindsey and Janine Goodman that enables organizations buying or selling blocks as small as /20s. more»

Industry Updates – Sponsored Posts

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Why the Record Number of Reverse Domain Name Hijacking UDRP Filings in 2016?

2016 U.S. Election: An Internet Forecast

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

US Court Grants DCA Trust's Motion for Preliminary Injunction on .Africa gTLD

Protect Your Privacy - Opt Out of Public DNS Data Collection

Introducing Verisign Public DNS: A Free Recursive DNS Service That Respects Your Privacy

Verisign Named to the Online Trust Alliance's 2015 Honor Roll

Afilias Supports the CrypTech Project - Ambitious Hardware Encryption Effort to Protect User Privacy

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

Verisign Named to the OTA's 2014 Online Trust Honor Roll

MarkMonitor Named a Top Trusted Website in OTA's 2013 Online Trust Honor Roll

INTA 2013: Gearing Up for Dallas

Thomson Reuters to Acquire MarkMonitor

Neustar Names Becky Burr as its Chief Privacy Officer

Afilias Says "No" to SOPA

Minds + Machines to Announce New .brand gTLD Pricing at INTA

.CO Recognized Alongside Industry Giants in Trademark Industry Awards

Verisign and Coalition for ICANN Transparency, Inc. ("CFIT") Resolve Litigation

MarkMonitor to Co-Chair International Anti-Counterfeiting Coalition Spring Conference