Is Facebook a “Party” to Capture of Offline Activity?

Facebook uses tracking plug-ins, bits of code embedded in other sites' pages that the consumer is unaware of, to track the behavior of users even after they log out of the social media site; the plug-ins tell Facebook what websites its subscribers are visiting and what they are doing when they are not using Facebook. Using cookies, Facebook, like other sites, captures the URLs from which users are referred to Facebook and where they go next. Facebook then sells this information about its subscribers for profit.

Imagine if you visited Walgreens, and in the shopping bag was a GPS device that let Walgreens know when you visited the Ace hardware store, the pet food shop, the AIDS clinic or the local weed dispensary, and then Walgreens sold that data.

On March 22, 2021, the U.S. Supreme Court declined to weigh in on a split between federal courts on whether the use of such plug-ins and cookies violates the federal wiretap law, or whether, as some courts have held, Facebook is a “party” to the “communication” between the user’s browser and the website it is visiting, such that the social media behemoth can effectively give consent to the tracking.

The United States Court of Appeals for the Ninth Circuit (which includes California, where Facebook is headquartered) held that Facebook was not a “party” to the handoff, and therefore could not give consent. The refusal of the high court to weigh in means that the Facebook tracking litigation can proceed – for now.

Parallel Communications

The federal wiretap statute, 18 U.S.C. § 2511(1)(a)-(e), makes it a crime to “intercept” an “electronic communication” without a warrant, unless at least one “party” to the communication consents (the party-consent exception is in § 2511(2)(d)). Under the Facebook scenario, when a person visits a website, their browser sends a “GET” request to the domain’s server, which answers with the HTML and other content the browser renders as the page. However, if the page carries a Facebook plug-in, the browser also sends a second GET request, this one to Facebook’s servers, carrying the URL of the page it is on (in the Referer header, or in parameters the plug-in embeds in its own URL) together with whatever Facebook cookies the browser holds. If the person is a Facebook subscriber, even one who is not logged in to Facebook at the time, those cookies let Facebook tie the page visit to them.

As infosec people, we are tempted to call this a “man in the middle” attack. Strictly, it is not one: the user’s direct request to the website is neither rerouted nor modified. Instead, the page instructs the user’s own browser to open a second channel to Facebook, so that Facebook can “intercept” (acquire the contents of) the request, and thereby know what websites any Facebook subscriber has visited, without ever sitting in the path of the original request. Easy peasy lemon squeezy.
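The mechanism described above, as an added example that is not code from the article, from Facebook, or from any court filing. It models, in JavaScript, what a browser does when a first-party page embeds a third-party plug-in: the page’s own request goes to the site untouched, and the browser issues a second request to the plug-in’s host carrying as much of the page URL as the site’s Referrer-Policy permits, whatever the plug-in put in its own URL, and whatever cookies the third party’s SameSite settings allow. All hostnames (pharmacy.example, social.example), URLs, cookie names and the two-label “site” approximation are assumptions of the example.

```javascript
// Added example, not code from the article, from Facebook or from any court record:
// a small model of what a browser does when a first-party page embeds a
// third-party plug-in. Every hostname, URL and cookie below is constructed.

// Constructed first-party page that embeds a widget from a hypothetical social site.
const PAGE_URL = 'https://pharmacy.example/clinic/hiv-testing?visit=42';
const PAGE_HTML = `
<html><body>
<img src="/images/logo.png">
<script src="https://social.example/plugins/like.js"></script>
<iframe src="https://social.example/plugins/like?href=https%3A%2F%2Fpharmacy.example%2Fclinic%2Fhiv-testing"></iframe>
</body></html>`;

// Constructed cookie jar keyed by site. The SameSite attribute decides whether a
// cookie rides along on requests that a *different* site caused the browser to make.
const COOKIE_JAR = {
  'pharmacy.example': [{ name: 'session', value: 'abc', sameSite: 'Lax' }],
  'social.example':   [{ name: 'c_user', value: '1001', sameSite: 'None' }],
};

// "Site" here is the last two labels of the hostname. Real browsers consult the
// Public Suffix List; this approximation is an assumption of the example.
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Every img/script/iframe src in the page, resolved to an absolute URL.
function extractSubresources(html, pageUrl) {
  const urls = [];
  const re = /<(?:img|script|iframe)\b[^>]*\bsrc\s*=\s*"([^"]+)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) urls.push(new URL(m[1], pageUrl).href);
  return urls;
}

// The Referer header the browser attaches, for three Referrer-Policy values.
// 'strict-origin-when-cross-origin' is the current browser default: the full URL
// goes to the page's own origin, only the origin goes to anyone else.
function refererFor(pageUrl, targetUrl, policy) {
  const page = new URL(pageUrl), target = new URL(targetUrl);
  if (policy === 'no-referrer') return null;
  if (policy === 'unsafe-url') return page.href;
  if (page.origin === target.origin) return page.href;
  if (page.protocol === 'https:' && target.protocol === 'http:') return null; // no leak over a downgrade
  return page.origin + '/';
}

// Cookies the browser includes on a subresource request to targetUrl. A cross-site
// subresource request carries only SameSite=None cookies; Lax cookies go cross-site
// only on top-level navigations, Strict cookies never.
function cookiesFor(jar, pageUrl, targetUrl) {
  const site = siteOf(new URL(targetUrl).hostname);
  const crossSite = site !== siteOf(new URL(pageUrl).hostname);
  return (jar[site] || [])
    .filter(c => !crossSite || c.sameSite === 'None')
    .map(c => `${c.name}=${c.value}`);
}

// One request per subresource, with the headers the browser would attach. This is
// where the second channel comes from: the browser opens it on the page's
// instructions, and the first-party request is neither rerouted nor altered.
function simulateLoad(pageUrl, html, jar, policy = 'strict-origin-when-cross-origin') {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  return extractSubresources(html, pageUrl).map(url => ({
    url,
    thirdParty: siteOf(new URL(url).hostname) !== pageSite,
    referer: refererFor(pageUrl, url, policy),
    cookies: cookiesFor(jar, pageUrl, url),
  }));
}

// What the third party learns from each of its requests: the page path, via the
// Referer header and/or via parameters the widget put in its own URL, and whether
// its cookie lets it tie that path to a known user.
function pageLeaks(requests, pageUrl) {
  const page = new URL(pageUrl);
  return requests
    .filter(r => r.thirdParty)
    .map(r => ({
      url: r.url,
      pathViaReferer: r.referer !== null && r.referer.startsWith(page.origin + page.pathname),
      pathViaUrl: decodeURIComponent(new URL(r.url).search).includes(page.pathname),
      identified: r.cookies.length > 0,
    }))
    .filter(l => l.pathViaReferer || l.pathViaUrl);
}

console.log(JSON.stringify(pageLeaks(simulateLoad(PAGE_URL, PAGE_HTML, COOKIE_JAR), PAGE_URL), null, 2));
```

Run it with node. Under the current default policy the Referer sent to social.example carries only the origin, yet the widget’s own `href` parameter still reveals the page path, and the SameSite=None cookie ties that path to a user; switching the page to `unsafe-url` exposes the path in the Referer as well, while a SameSite=Lax cookie would leave the third party with a path but no identity. The point that matters for the legal argument sits in `simulateLoad`: nothing on the first channel is touched, and the second channel is manufactured by the user’s own browser.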

Putting aside the privacy aspects of this process for a moment, does this action violate the interception-without-consent-of-a-party statute, or does Facebook, as the recipient of the second GET request, count as a “party” to that communication and so able to consent to it? A federal court in the Third Circuit had previously held that, when advertisers caused duplicate GET requests (copies of the users’ GET requests) to be sent and then received the contents of the URLs that the users were simultaneously receiving, there were effectively two separate channels: one from the domain to the user, which was not “intercepted,” and a separate one between the advertiser and the domain, which was not “intercepted” either, since the advertiser was a “party” to it. A federal court in the Seventh Circuit effectively reached the same conclusion.

On the other hand (there’s always an “other hand”), a federal court in the First Circuit held that, even though two identical and parallel channels were created, the effect of creating the second channel was to “intercept” (acquire the contents of) the first channel between the customer and the domain they were visiting, and to redirect traffic intended for the user to the advertiser, even though the user ultimately ended up with the same data. In a related case, the Seventh Circuit held that an employee who set up a rule that copied and forwarded his supervisor’s incoming emails to his own inbox had “intercepted” those emails, even though the copies travelled on a separate channel and the originals reached the intended inbox unscathed.

The Ninth Circuit adopted the latter rationale, noting that, “Permitting an entity to engage in the unauthorized duplication and forwarding of unknowing users’ information would render permissible the most common methods of intrusion, allowing the exception to swallow the rule.”

Old Wine – New Bottles

The real problem here is the fact that Congress, in passing and amending the wiretap statute, did what Congress often does: it took an old law and extended it to a new circumstance with new technology. “Eavesdropping” originally meant standing in the eavesdrip, the strip of ground where rainwater falls from the eaves, close enough to a house’s walls and windows to observe and overhear the intimate activities of its residents. When the new-fangled telephone was invented and then adopted, party lines and alligator clips allowed unintended listeners to invade others’ private communications, and the Constitutional provision against unreasonable “search and seizure” was held not to apply (the Supreme Court so ruled in Olmstead v. United States in 1928), since nothing was “seized” or “searched” when you simply listened in. So Congress extended the law of eavesdropping to cover the “interception in transmission” of phone calls (as distinguished from, say, listening to a recorded inbound message on an answering machine).

When email became ubiquitous, the statute was amended again (by the Electronic Communications Privacy Act of 1986, which also created the Stored Communications Act), using analogies like the postal service, and distinguishing between the equivalent of reading someone’s mail as it travelled through the postal system (interception in transmission), in the mailbox (access to a communication in incidental storage), or reading the opened mail as it sits on the countertop. In other words, the “interception” of an email was treated like the “interception” of a phone call in 1965.

But it matters what analogy you use. Under the wiretap statute, if you picture a nefarious actor in a wiring closet with alligator clips “listening in” on a call, you might reach one conclusion. But TCP/IP doesn’t work the way plain old telephone service (POTS) did. Packets don’t just go to the recipient. They can be routed, copied, fragmented, reassembled, redirected, etc. without loss. And in the Facebook scenario the copying does not even happen on the wire: the page’s embedded code tells the user’s own browser to make a second request, so that a separate channel is created which mirrors the first one but does not technically “intercept” anything travelling on the first channel.

The Current State of the Communications Law

With the Supreme Court essentially punting, we are left with a split in the circuit courts on whether capturing data from consumers in this way – by setting up a separate channel, mirroring what the consumer does and then using that data for purposes other than connecting the consumer to the content – violates the wiretap law. Indeed, there are broader issues related to any packet capture or data capture under the wiretap law.

The best thing for companies to do for now, given the circuit split, is to have counsel review any data capture plans, even purely technical ones, to determine whether a court might consider them an “interception,” and to take steps to ensure that, even if the entity is not a “party,” the consumer has otherwise consented to the “interception.” That review should also ask what a third-party embed actually transmits: the page URL and the third party’s own cookies are what turn a widget load into a record of who visited what. Or we could wait for Congress. On the other hand …

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.