IT’S A FAR CRY from a shadowy figure intercepting a late night call, a listening device concealed inside a martini olive, or an exchange of bugs between Cold War-era spies. But could using AdTech software to monitor a public website visitor’s online actions amount to an illegal wiretap in Massachusetts?
The state’s highest court is considering that novel question thanks to a lawsuit brought against New England Baptist Hospital and Beth Israel Deaconess Medical Center, which claims the commonly used website trackers “intercepted” Kathleen Vita’s “wire communications” with the two institutions’ websites. The two hospitals are part of the Beth Israel Lahey Health network.
On both websites, which the Revere resident allegedly browsed for details on doctors and other health information, a pop-up alerted users with an all-too familiar notice: “We use cookies and other tools to enhance your experience on our website and to analyze our web traffic.” According to the hospitals’ brief, additional information described the scope of the data collected by the hospital and its “third party service provider.”
Since the tracking cookies can transmit a person’s information to a third-party for use in targeted advertisements, which Vita’s lawyers argue was not specifically disclosed and amounts to secret recording, they are crying violation of the Massachusetts Wiretap Act, a 1968 law offering some of the strictest privacy protections in the country.
“The stakes stretch far beyond those two institutions,” David Gacioch, an attorney for the hospitals, told the Supreme Judicial Court on Wednesday. Hospitals and business groups are decrying the lawsuit as an attempt to hold the institutions liable for millions of dollars based on a ubiquitous technology, with no actual claim that Vita’s personal information was shared with a third party like Meta Pixel or Google Analytics.
Vita’s suit is part of a national wave, they argue, which could disrupt the Legislature’s careful balancing act between protecting individual privacy and allowing legitimate organizations to conduct ordinary business with standard equipment.
“These are two among at least two dozen putative class action lawsuits that plaintiffs’ lawyers have recently commenced against Massachusetts hospitals and other organizations, seeking to weaponize the Wiretap Act to create massive liability for website owners arising from website analytics and advertising technologies (‘AdTech’) that are ubiquitous in the 2020s,” Gacioch wrote in the hospitals’ brief.
Mass General Brigham and Dana-Farber settled a similar case in 2019 for $18.4 million with no admission of wrongdoing.
The hospitals “grossly exaggerate the consequences of enforcing the MWA’s plain terms to create the hysterical misimpression that these lawsuits threaten all Massachusetts businesses,” attorney Patrick Vallely wrote for the plaintiff. “The vast majority of Massachusetts businesses that use AdTech do not violate the MWA because they do not use AdTech secretly.”
Data privacy collection is a tricky topic, with the latest version of a proposed Massachusetts Information Privacy and Security Act still in committee. Using the Wiretap Act for data privacy collection, businesses argue, is a mismatch far afield of the law’s initial intention to prevent eavesdropping.
“Whether there should be a conversation either nationally or at the state of what kind of data privacy we should be talking about – that’s an interesting conversation that’s happening in a bunch of states and at the federal level right now,” said Chris Eicher, vice president of government relations for the Greater Boston Chamber of Commerce, “but using the court and Wiretap Act really is an end-around of the legislative process.”
The Superior Court denied the hospitals’ motions to dismiss, punting to the SJC the question of whether the half-century-old wiretap law allows for civil or criminal suits based on web cookies.
SJC justices sharply questioned attorneys at oral arguments, homing in on the nature of communication and conversation in the 2020s. The court has recognized changes in technology over the years, Justice Frank Gaziano noted, finding that cell phone calls or text exchanges could be protected.
“Wiretaps used to be tapping of a wire with alligator clips and all that,” Gaziano said. “And eavesdropping was done by bugs back in the day. That’s not the day anymore. Police and other people intercept things digitally.”
The medical centers argue that communications between individuals through cell phones and texts are clearly an extension of the types of communication that the Legislature in 1968 intended to protect against secret interception. In contrast, Gacioch told the court, browsing a website barely resembles a conversation between people.
Justices drilled down into the hospital attorney’s contention that “communication” under the Wiretap Act must be “interpersonal.” Why couldn’t someone entering a search query into a website be, effectively, a conversation between the person and a business, Gaziano asked.
It is common for medical sites to provide a place to request appointments and provide additional information, Justice Elizabeth Dewar noted, “and it’s clearly what they are using instead of email” to get information about the potential patient, she said. In that case “you are communicating,” she said. “You are writing a message to a business, and you are expecting that they’re going to write back to you in particular about your issue.”
If a person went to the medical site to look up breast cancer doctors, Justice Scott Kafker said, “it’s revealing a thought process. Maybe it’s not a communication, but it’s the beginning. It’s communicating information that obviously is valuable to Beth Israel and also these third parties, right?”
While Gacioch acknowledged that asking for information and receiving information in response is “about as close as we come” to conversation, the plaintiff did not actually claim to have done that.
Gacioch compared the exchange as more akin to reviewing a catalog. Despite justices’ hypotheticals, he said, the plaintiff was seeking out only pre-existing information rather than using a built-in chat function or sending a personalized message.
“It’s like thumbing through a directory or a catalog in 1968 of content that already exists,” he said. “If someone’s sitting in a hospital waiting room, flipping through a doctors directory or a ‘Best Doctors’ Boston Magazine issue, and the surveillance camera observes that flipping through, that wouldn’t be a Wiretap Act violation. This isn’t either.”
As justices tried to pin down the limits of communication, Vallely offered a broad interpretation.
“Anytime you’re browsing and you’re clicking on links and requesting information and the website is loading successfully, the response is a communication,” the plaintiff’s attorney said.
The hospitals and business associations argue that this AdTech is so commonly used that it should fall under the “ordinary course of business” exception from the Wiretap Act.
Kafker repeatedly took issue with the characterization. A hospital’s ordinary course of business should be the health of their patients, he said. “It doesn’t seem like ordinary to me,” he said of the trackers. “It seems like they’re getting into a for-profit kind of operation.”
At the time of the lawsuit, Gacioch said, the mass.gov pop-up notices about its AdTech tracking data “were very similar” to the hospital notices. A person browsing the state’s websites, including state hospital sites, would be monitored by the same type of AdTech, he said.
The impact of finding that third party cookies constitute wiretaps would be profoundly disruptive, he said, and raises the prospect of civil and criminal suits targeting a wide range of institutions.
“We can’t decide this case based on the practical impact on others,” Wendlandt said. “And we should all check our website.”