Trade Law Daily is a service of Warren Communications News.

ECPA Probably Doesn’t Cover AOL Search Query Posting

Federal privacy law probably doesn’t cover posting of search query data on the Internet by an AOL Research team (WID Aug 8 p6), lawyers and Hill staff told us. The AOL posting “may violate” the Electronic Communications Privacy Act (ECPA) as well as AOL’s own privacy policy, Electronic Frontier Foundation (EFF) Activist Derek Slater said on the group’s blog, but we had trouble finding others to agree with him.

ECPA, a 1986 amendment to the Wiretap Act, expanded that law to new forms of communications, raising legal hurdles to tap them. But courts have disagreed -- even between panels and judges sitting en banc on the same court -- on how far the law extends into cyberspace on matters like “transient” e-mail storage (WID Aug 15/05 p1). AOL, which offered a deep apology for the mistaken posting, sees no connection, it said. “Based on our review so far, we don’t believe that there are any ECPA implications,” an AOL spokesman told us.

A staffer for Senate Judiciary Ranking Member Leahy (D-Vt.) voiced doubt that ECPA is “directly on point here,” but said the incident raises privacy concerns Leahy wants aired in Congress. Leahy, the author of ECPA, last year introduced a bill with Sen. Sununu (R-N.H.) adding transient e-mail storage to technologies covered by wiretap law (WID April 29/05 p4). But that bill was introduced in response to a specific court decision later overturned en banc, the staffer said; a bill to cover search queries “may be an ultimate fix down the road” but not before a “dialog” among Congress, industry and privacy advocates.

Leahy said in a statement the AOL incident “raises serious questions about the protections in place” for Internet users, “particularly when our personal electronic data [are] retained for longer periods of time.” He added: “We must address these privacy concerns head on, because once we lose these protections they are hard to win back.”

It’s “at least plausible” that ECPA could cover the AOL disclosure, but if so it’s “uncharted territory,” U. of Minn. law Prof. Bill McGeveran told us. The fact that affected users were AOL customers searching through AOL client software may tip the scales toward applicability, “but there would be a lot of questions,” such as whether search queries count as “stored communications” in the first place, the Berkman Center fellow said.

The question of whether the search data release violated AOL’s own privacy policy should be answered before delving into ECPA’s murky waters, Ohio State U. law Prof. Peter Swire told us. If so, the FTC would handle the matter as deceptive trade practice, he said. The former OMB privacy counsel said the release probably didn’t violate ECPA, which deals more with govt. access to data than commercial collection and release. McGeveran had another interpretation of ECPA’s ostensible nonapplication to commercial activities, noting that ISPs and database managers have obligations under the statute.

The incident probably won’t affect DoJ’s bid to subpoena search queries to defend the Child Online Protection Act in court (WID Jan 20 p4), most experts said. “It wasn’t a corporate decision to do this,” so the company wasn’t implying that search data can be distributed to 3rd parties with no concern, Swire said. The company reacted to the posting as it would in a breach, McGeveran said.

But Progress & Freedom Foundation Senior Fellow Patrick Ross told us AOL has given DoJ “some pretty serious ammunition” not only to force search engine compliance in the case, but also to press Congress for lengthy data retention mandates. “When one of the search entries is ‘how to kill your wife,’ I think all of us instinctively want authorities to find out who that person is,” although the phrase might indicate research for a novel -- the situation with Ross’s mother, a novelist, he said. But “it still needs to be established what the benefits would be of retaining this data in an open-ended way,” the Leahy staffer said.

Regardless of statutory interpretation, AOL made an easily avoidable mistake, Electronic Privacy Information Center Exec. Dir. Marc Rotenberg told us. “I don’t think there are many Internet users saying ‘Keep individually identifying information about me,’” Rotenberg said. Password-based accounts and session cookies pose little risk to users, but AOL’s log activity is unnecessary for user convenience and raises the risk that information will be hacked, he said. DoubleClick’s early business model, leaving users unidentified and limiting cookies to sessions, “made a lot of sense,” he added.

The incident “shows how hard it is to anonymize search data,” Swire said, either because a unique ID is tied to the query or the query itself reveals personal details: “The forensic job will often be easy.” The Leahy staffer said there was “probably a way to manipulate that data” to trace queries to individual users, and AOL might not have conveyed that situation adequately to customers.