While savvy users of the Internet may be aware of the multitude of ways that personal information can be monitored and collected on the Web, most users are likely oblivious to the information trail they leave behind. How many readers of this publication, a population plainly concerned with privacy issues, have read the privacy policies of their favorite Web sites? If you have not, you may be surprised to learn about the amount of information collected by even the most popular and mainstream sites. For example, when a user requests and views a Web page from Yahoo!, that request is logged on Yahoo!'s servers with information including the IP address of the computer that requested the page. Even if information is not purposely collected, just about everything a person does on the Web is stored somewhere for at least some period of time.
Web surfers may take some comfort in the fact that the information they leave behind often does not itself contain their names or other personal identifying information. What the information often does contain, however, is their IP addresses. An IP address is a unique address assigned to every computer on the Internet. An Internet Service Provider can easily determine the name of a customer from an IP address used during a particular time period. As a result, finding the identity of users on the Web is often just a subpoena away.
Fundamentally, one question is what, if anything, sets information on the Web apart from other types of information, such as personal diaries and anonymously authored articles, in which people have an expectation of privacy or anonymity? It is not uncommon, even in non-Web situations, for information expected to remain private or anonymous to be revealed as a result of a subpoena or other legal process. One important distinction, however, is that in such a non-Web situation, an individual is typically aware of the documents and records he or she is creating. In contrast, on the Web, enormous amounts of private information may be collected about an individual without that person having any clue at all.
It could be argued that, whether the average person realizes it or not, the Web is a public place in which users have no reasonable expectation of privacy. As a result, a person should have no greater expectation of privacy when surfing the Web than he or she has when shopping at the mall. In the latter case, for example, the stores the person enters, the products he or she examines or purchases, and the books and magazines he or she peruses are all open to public view. There can, therefore, be little reasonable expectation of privacy. This analogy, however, undoubtedly breaks down, for example, if a person were aware that he or she was being followed around the mall and information about his or her activities was being recorded. That certainly would raise privacy concerns, or at least alter the person's behavior. What sets it apart from non-Web situations is the very fact that surfing the Web is typically done in private. A user has no way of observing what information regarding his or her Web-based activities is being collected and is unaware that the information is being collected.
The degree to which various information collection methods on the Web give rise to privacy concerns is subjective, but likely based on consideration of 1) the purpose of the data collection, 2) whether informed user consent is first required, and 3) the perceived trustworthiness of the entity doing the collection.
At one extreme, it would be difficult to complain about data collection when the purpose is to benefit the user; the user is fully informed that the data collection will occur and consents to it; and the user trusts that the entity collecting the data will not use the information other than for the agreed purpose. For example, some search engines collect a history of Web sites visited by a user in order to provide search results that are more relevant to a user's interests, a clear benefit to the user. If the company providing the search engine informs the user that such information will be collected, the user consents to its collection, and the user trusts that the company will not use it for other purposes, the user will have little cause to complain.
At another extreme is the collection of data for a purpose that may benefit the entity collecting it, but is of no discernible benefit to the user, and which is collected by an untrustworthy entity without the user's knowledge or consent. For example, so-called spyware companies often collect Web surfing data for the purpose of serving pop-up advertisements to users; they do so by downloading software to a user's computer without the user's knowledge or consent and are often companies that are unknown to the user and that the user has no reason to trust. This scenario presents obvious privacy concerns to many users.
Information about surfers' Web-based activities is collected in a variety of different ways. In order to address Web privacy in a comprehensive manner, each must be understood. Three important ways, addressed below, are 1) targeted Web monitoring, 2) tracking cookies and associated databases, and 3) spyware/adware. For each, this article describes the types of information collected, identifies the privacy concerns that have been raised, and provides an overview of how courts and lawmakers have addressed those concerns.
Targeted Web Monitoring
Targeted Web monitoring, as used in this article, refers to the collection of information directed at specific users, as opposed to, for example, all users visiting a particular Web site. Such monitoring has been used for clearly legitimate purposes such as identifying copyright infringers and those involved in child solicitation and child pornography. It has also been used in a host of other situations, such as in defamation cases, where the balance of privacy concerns of the Web user against the rights of an allegedly injured party is more debatable. In all cases, however, the target had no doubt believed or assumed that his or her online activities were being conducted anonymously and that his or her true identity would not be, or could not be, revealed.
The process of obtaining the identity of a user is relatively straightforward, albeit subject to some important restrictions. First, the target's IP address is obtained. For example, in the case of an illegally copied music or motion picture file, such as one made available over a so-called peer-to-peer ('P2P') file-sharing network, the IP address of the file's source can be obtained by downloading the file and using an evidence-gathering software program that extracts IP addresses. See, e.g., Paramount Pictures Corp. v. Davis, 234 F.R.D. 102, 105 (E.D. Pa. 2005). In the case of someone using an Internet chat room to solicit children, the IP address of the target can be obtained from the company providing the chat room, based on the target's screen name. Once the target's IP address is known, widely available services can be used to identify the Internet Service Provider that owns the address. Then, a subpoena is issued to the Internet Service Provider for the identity of the customer that was assigned the target's IP address during the relevant time period.
In private actions, a John Doe action is usually filed to provide authority for the subpoena. In law enforcement cases, an administrative or grand jury subpoena is often used. (Several attempts to use the subpoena provisions of the Digital Millennium Copyright Act for pre-litigation subpoenas in file-sharing cases have been unsuccessful. See, e.g., In re Charter Communications, Inc., Subpoena Enforcement Matter, 393 F.3d 771 (8th Cir. 2005); Recording Industry Assoc. of Am., Inc. v. Verizon Internet Servs., Inc., 351 F.3d 1229 (D.C. Cir. 2003); In re Subpoena to Univ. of N. Carolina at Chapel Hill, 367 F. Supp. 2d 945 (M.D.N.C. 2005).)
ISPs and their customers have argued that such subpoenas should be quashed on First Amendment grounds and, in criminal cases, Fourth Amendment grounds.
The First Amendment argument is that a user's Web-based activities constitute protected anonymous speech, and that such protection is violated when an ISP reveals the name of a user. Courts have considered the following five factors in determining whether First Amendment protections trump the interests of the requesting party: '1) whether the plaintiffs have made a concrete showing of a prima facie claim of actionable harm; 2) the specificity of the discovery request; 3) the absence of alternative means to obtain the subpoenaed information; 4) a central need to obtain the subpoenaed information to advance the claim; and 5) the party's expectation of privacy.' See Elektra Entm't Group, Inc. v. Does 1-9, No. 04 Civ. 2289 (RWS), 2004 WL 2095581, at *4 (S.D.N.Y. 2004); Sony Music Entm't Inc. v. Does 1-40, 326 F. Supp. 2d 556, 564-65 (S.D.N.Y. 2004). This analysis has had varying results, depending on the underlying claim.
Courts have consistently held that the rights of copyright owners prevail when it comes to copyright infringement allegations, particularly where the owners have made concrete showings that the anonymous parties have engaged in acts of infringement. See, e.g., Elektra Entm't, 2004 WL 2095581, at *4; Sony Music, 326 F. Supp. 2d at 567; Virgin Records Am., Inc. v. John Does 1-35, No. 05-1918, 2006 WL 1028956 (D.D.C. Apr. 18, 2006); UMG Recordings, Inc. v. Does 1-4, No. 06-0652, 2006 WL 1343597 (N.D. Cal. Mar. 6, 2006); Disney Enters., Inc. v. Farmer, No. 1:05-CV-103, __ F.Supp.2d __, 2006 WL 962577, at *2-3 (E.D. Tenn. Apr. 10, 2006); Paramount Pictures Corp. v. Davis, 234 F.R.D. at 106-07. In so doing, courts have concluded that users have only a minimal expectation of privacy in identifying information held by ISPs, often noting ISP privacy guidelines that state that the ISP will comply with subpoenas seeking identifying information. Elektra Entm't, 2004 WL 2095581, at *5; Sony Music, 326 F. Supp. 2d at 559, 562.
For other claims, including those for defamation, breach of employment or confidentiality agreements, breach of fiduciary duty, misappropriation of trade secrets, trademark infringement, and interference with business relations, the results have been mixed. See, e.g., In re Subpoena Duces Tecum to Am. Online, Inc., No. 40570, 2000 WL 1210372 at *1 (Va. Cir. Ct. Jan. 31, 2000), rev'd on other grounds, Am. Online, Inc. v. Anonymous Publicly Traded Co., 542 S.E.2d 377 (Va. 2001) (claims for defamation and breach of fiduciary duties and contractual duties; motion to quash subpoena seeking names of AOL subscribers associated with e-mail addresses denied); Doe v. 2TheMart.com, Inc., 140 F. Supp. 2d 1088, 1097-98 (W.D. Wash. 2001) (shareholder derivative suit; motion to quash granted); Dendrite Int'l, Inc. v. Doe No. 3, 342 N.J. Super. 134, 146 (2001) (claims for breaches of contract, defamation, and misappropriation of trade secrets; motion for expedited discovery denied); Columbia Ins. Co. v. seescandy.com, 185 F.R.D. 573 (N.D. Cal. 1999) (trademark infringement; discovery request to ascertain identities allowed); Alvis Coatings, Inc. v. John Does One Through Ten, No. 3L94 CV 374-H, 2004 WL 2904405 (W.D.N.C. Dec. 2, 2004) (claims under Lanham Act, unfair and deceptive trade practices, unfair competition, tortious interference with business relations, and defamation; motion to quash denied); see also Freedman v. Am. Online, Inc., 412 F. Supp. 2d 174 (D. Conn. 2005) (court refuses to dismiss claim that revealing plaintiff's identity violated his rights under the First Amendment and Connecticut Constitution).
The Fourth Amendment argument typically arises when the target of a criminal investigation claims that a subpoena to an ISP, seeking the name associated with an IP address, is in some way improper and violates the individual's Fourth Amendment protection against unreasonable searches. Such arguments have been routinely rejected on the basis that a defendant cannot have a reasonable expectation of privacy in his ISP account information and therefore lacks standing to challenge a search of his ISP. See, e.g., United States v. Hambrick, 55 F. Supp. 2d 504, 509 (W.D. Va. 1999) (holding that the defendant had no 'reasonable expectation of privacy' in the information stored by his ISP, but commenting that '[u]nder the [Electronic Communications Privacy Act] ECPA, Internet Service Providers are civilly liable when they reveal subscriber information or the contents of stored communications to the government without first requiring a warrant, court order, or subpoena,' and that '[t]his is a powerful deterrent protecting privacy in the online world.'); State of Washington v. Kaufman, No. 32007-0-II, 2005 WL 2746676, at *3 (Wash. Ct. App. Oct. 25, 2005). While most of the reported criminal cases involve child solicitation or child pornography, there has been at least one recent case involving an investigation under the USA PATRIOT Act. In that case, the FBI sought subscriber information from ISPs relating to an investigation 'to protect against international terrorism or clandestine intelligence activities.' See Doe I v. Gonzales, __ F.3d __, Nos. 05-0570-CV(L), 05-4896-CV(CON), 2006 WL 1409351 (2d Cir. May 23, 2006).
The point here, in both the civil and criminal contexts, is that an Internet user's illusion of anonymity and privacy may be easily shattered.
Tracking Cookies and Associated Databases
Many popular Web sites use cookies to collect information about their users, which in turn is uploaded and stored on the Web sites' server computers. As one court explained, '[a] cookie is a piece of information sent by a web server to a web browser [such as Microsoft's Internet Explorer] that the browser software is expected to save and to send back whenever the browser makes additional requests of the server (such as when the user visits additional webpages at the same or related sites) ... Cookies are widely used on the [I]nternet by reputable websites [and] often store user preferences, login and registration information, or information related to an online 'shopping cart.' Cookies may also contain unique identifiers that allow a website to differentiate among users.' In re Pharmatrak, Inc. Privacy Litig., 329 F.3d 9, 14 (1st Cir. 2003) (emphasis added).
One particularly instructive case describing the use of cookies to collect user information is In re Doubleclick Inc., Privacy Litig., 154 F. Supp. 2d 497 (S.D.N.Y. 2001). In that case, a group of Internet users brought a class action suit against DoubleClick, a leading Internet advertising company. Id. at 500. As explained by the court, DoubleClick builds 'detailed profiles of Internet users' by collecting information based on each user's computer's 'Web activity,' and then uses those profiles to target its clients' advertisements to particular users. Id. at 502. With respect to DoubleClick's use of 'cookies,' the plaintiffs had alleged that DoubleClick placed 'cookies' on their hard drives that:
collect 'information that Web users, including plaintiffs and the Class, consider to be personal and private, such as names, e-mail addresses, home and business addresses, telephone numbers, searches performed on the Internet, Web pages or sites visited on the Internet and other communications and information that users would not ordinarily expect advertisers to be able to collect.' Id. at 503 (emphasis added).
That information is then uploaded, aggregated, and compiled to build the demographic profiles of the users. Id. at 505. Interestingly, for present purposes, the court stated that 'virtually all plaintiffs [were] unaware that the cookies exist, that these cookies have identification numbers, that DoubleClick accesses these identification numbers, and that these numbers are critical to DoubleClick's operation.' Id. at 513.
Clearly, any user that signs up for an account with a Web site must realize that account information for the user is stored on the Web site's computers, as well as information for requested services requiring stored data, such as e-mail, picture hosting, dating profiles, financial account tracking, etc. The extent to which a user may be aware of other information that may be stored about him or her by a Web site depends on how clearly the Web site advises the user about the data collection and the manner in which the user consents to the collection.
Several lawsuits have been filed by Web users claiming that the use of cookies and the collection of surfing information violated their rights. The rulings in those cases turned on whether there was adequate consent to the information collection. For example, in Pharmatrak, the First Circuit considered whether Pharmatrak violated the Electronic Communications Privacy Act ('ECPA') when it collected personal information concerning a small number of users of various pharmaceutical company Web sites. The personal information included 'names, addresses, telephone numbers, email addresses, dates of birth, genders, insurance statuses, education levels, occupations, medical conditions, medications, and reasons for visiting the particular website.' Pharmatrak, 329 F.3d at 15. The pharmaceutical companies were customers of a service provided by Pharmatrak, but were assured that no personal user information whatsoever would be collected by Pharmatrak's service. The First Circuit held that the ECPA claim against Pharmatrak should not have been dismissed by the lower court, because, among other reasons, neither the pharmaceutical companies nor the visitors to their Web sites had consented to the collection of the personal information.
In contrast, in DoubleClick, the Southern District of New York dismissed an ECPA claim against DoubleClick, finding that the Web sites using DoubleClick's services had consented to the collection of user data.
Spyware/Adware
The aspect of Web privacy that has received perhaps the most attention is spyware or adware. It has been the subject of both numerous lawsuits and state and federal legislation. Spyware is basically software that surreptitiously collects information regarding some aspect of a computer's use, whether that is the keys a user presses on the keyboard or the Web sites visited by a user. Adware is a type of spyware that uses the collected information to display targeted advertisements, often in pop-up or pop-under windows. Spyware/adware is downloaded without the user's knowledge or consent and, once downloaded, is often designed to be extremely difficult to remove. Sotelo v. Directrevenue, LLC, 384 F. Supp. 2d 1219, 1230 (N.D. Ill. 2005) (court recognizing that '[m]any companies and computer users consider pop-up advertisements and Spyware an Internet scourge').
As one court explained, spyware allows companies that employ it 'to track a computer user's web browsing behavior in order to deliver targeted advertisements to that computer. For example, if a computer with Spyware views music-related Internet sites, Spyware sends a signal of the computer user's activity back to [the spyware company], which then targets the computer with advertisements from music-related companies that have paid for access to the computer via Spyware.' Sotelo, 384 F. Supp. 2d at 1223.
While the type of information collected by adware may be similar to that collected by reputable Web sites, the lack of notice to users of the data collection and the difficulty in disabling adware set it far apart from its reputable counterparts.
Several legal avenues have been pursued to attack spyware.
First, there have been a number of private suits by users against spyware companies. In Sotelo, for example, the plaintiff in a class action suit alleged that DirectRevenue and other companies had caused 'spyware' to be downloaded to his computer 'without his consent' and that the spyware 'tracked [his] Internet use, invaded his privacy, and caused substantial damage to his computer.' Sotelo, 384 F. Supp. 2d at 1222. DirectRevenue argued that the plaintiff had in fact consented to installation of its software, based on its End User License Agreement ('EULA'), which informed users that software 'will be installed, computer use will be monitored, and the computer will receive targeted advertisements.' Id. at 1223, 1236. Plaintiff countered that DirectRevenue installs spyware in ways that avoid showing the EULA to users and that he, in fact, never saw the EULA. On defendants' motion to dismiss, plaintiff's claims for the following survived: trespass to personal property/chattels, violation of the Illinois Consumer Fraud and Deceptive Practices Act, negligence, and violation of the Illinois Computer Crime Prevention Law. Certain of those claims were against not only DirectRevenue, but also companies that supplied advertisements that were displayed through DirectRevenue's alleged spyware, thus supporting claims against a wide range of defendants in spyware cases.
Second, there have been suits by government agencies. In Federal Trade Commission v. Seismic Entertainment Productions, for example, the Federal Trade Commission sought an injunction against a spyware company, contending that the company's marketing practices constitute 'unfair practices affecting commerce.' Federal Trade Commission v. Seismic Entertainment Productions, No. Civ. 04-377-JD, 2004 WL 2403124, at *1 (D.N.H. Oct. 21, 2004). The FTC explained that the defendants have downloaded and installed spyware and other programs on users' computers 'without the computer user's knowledge or consent,' '[t]he defendants' actions have caused affected computers to slow, malfunction, or crash,' and '[c]onsumers whose computers have been affected by the defendant's activities have spent considerable time, and in some cases money, to fix the problems caused by the defendants.' Id. at 2. The court granted the injunction, noting that 'consumers have experienced substantial injury without countervailing benefits.' Id. at 3.
Third, while existing federal and state statutes (including the Computer Fraud and Abuse Act ('CFAA'), Electronic Communications Privacy Act ('ECPA'), the Federal Trade Commission Act ('FTCA'), state consumer fraud and deceptive trade practices laws, and computer tampering laws) and common law claims (such as trespass to personal property/chattels, negligence, and invasion of privacy) have been used against spyware companies, numerous states have recently enacted, or are considering, legislation that tackles spyware head-on. Given the ubiquitous nature of the Internet, it would certainly make sense to have a national policy set on this important issue, but absent such a policy, state anti-spyware legislation fills an important void.
The California Consumer Protection Against Computer Spyware Act is illustrative. Among other things, the Act makes it a violation to '[c]ollect, through intentionally deceptive means, personally identifiable information that ... includes all or substantially all of the Web sites visited by an authorized user, other than Web sites of the provider of the software, if the computer software was installed in a manner designed to conceal from all authorized users of the computer the fact that the software is being installed.' Cal. Bus. & Prof. Code § 22947.2(b) (West 2006). The statute excludes from the definition of 'authorized user' a person or entity 'that has obtained authorization to use the computer solely through the use of an end user license agreement,' contemplating and cutting off possible chicanery with EULAs. The Utah Spyware Control Act, while narrower in some respects than the California Act, similarly includes within its definition of 'spyware,' software installed on a computer without 'obtain[ing] the consent of the user,' that 'monitors the computer's usage,' such as 'the Internet websites accessed by a user.' Utah Code Ann. § 13-40-102 (West 2006).
At press time, no reported cases have applied these statutes, so it remains to be seen how effective they will be against spyware companies.
Conclusion
A comprehensive Internet privacy policy, if one could be devised, would address privacy issues raised by each of the three information-collection methods discussed above. Two hurdles, though, must be cleared by any such policy.
The first is how to deal with a medium that is, on the one hand, inherently public and keeps records, at least temporarily, of just about every activity that occurs, while, on the other hand, people using it believe they are acting anonymously and are unaware that their actions are being recorded. Certainly, educating Internet users would help, but the popular view of the Internet as generally anonymous is part of its power and utility: it enables people to seek information and exchange ideas that they might not do otherwise. Still, though, a completely anonymous Web would not be a good thing; it would enable people to engage in activities, ranging from copyright infringement to child solicitation, that are obviously bad.
The second, which is almost a taboo subject, is how to balance the needs of legitimate Web advertising against the privacy rights of Web users. Advertising revenues are a sustaining force behind many popular and useful Web sites, and advertisers want to put their advertisements in front of the people who are most likely to be interested in their products and services. Targeting ads, however, requires collecting and storing information about individual users' interests. It is not clear how users feel about this. If, for example, Yahoo! displayed a message to users entering its Web site that, unless they disable cookies in their Web browser, information regarding the Web sites they visit may be collected and used for the purpose of delivering targeted advertisements, how many of the users would disable cookies? Still, reputable Web sites, such as Yahoo!, make that information readily available to anyone interested, and users, too, have a responsibility to inform themselves of issues that are important to them.
There are plainly no easy solutions addressing all aspects of Web privacy. However, an understanding of the various ways in which privacy issues on the Web arise is an essential first step.
Kenneth L. Stein is a partner in the Intellectual Property Practice at Jenner & Block LLP and is based in the firm's New York office. He concentrates in patent, trade secret, and copyright litigation. His practice also includes patent opinions, licensing, and intellectual property counseling. Stein can be reached at 212-891-1615 or [email protected]. The author thanks Angelina Nguyen and Sami J. Valkonen, both associates in Jenner & Block's New York office, for their valuable assistance in preparing this article.
While savvy users of the Internet may be aware of the multitude of ways that personal information can be monitored and collected on the Web, most users are likely oblivious to the information trail they leave behind. How many readers of this publication, a population plainly concerned with privacy issues, have read the privacy policies of their favorite Web sites? If you have not, you may be surprised to learn about the amount of information collected by even the most popular and mainstream sites. For example, when a user requests and views a Web page from Yahoo!, that request is logged on Yahoo!'s servers with information including the IP address of the computer that requested the page. Even if information is not purposely collected, just about everything a person does on the Web is stored somewhere for at least some period of time.
Web surfers may take some comfort in the fact that the information they leave behind often does not itself contain their names or other personal identifying information. What the information often does contain, however, is their IP addresses. An IP address is a unique address assigned to every computer on the Internet. An Internet Service Provider can easily determine the name of a customer from an IP address used during a particular time period. As a result, finding the identity of users on the Web is often just a subpoena away.
Fundamentally, one question is what, if anything, sets information on the Web apart from other types of information, such as personal diaries and anonymously authored articles, in which people have an expectation of privacy or anonymity? It is not uncommon, even in non-Web situations, for information expected to remain private or anonymous to be revealed as a result of a subpoena or other legal process. One important distinction, however, is that in such a non-Web situation, an individual is typically aware of the documents and records he or she is creating. In contrast, on the Web, enormous amounts of private information may be collected about an individual without that person having any clue at all.
It could be argued that, whether the average person realizes it or not, the Web is a public place in which users have no reasonable expectation of privacy. As a result, a person should have no greater expectation of privacy when surfing the Web than he or she has when shopping at the mall. In the latter case, for example, the stores the person enters, the products he or she examines or purchases, and the books and magazines he or she peruses are all open to public view. There can, therefore, be little reasonable expectation of privacy. This analogy, however, undoubtedly breaks down, for example, if a person were aware that he or she was being followed around the mall and information about his or her activities was being recorded. That certainly would raise privacy concerns, or at least alter the person's behavior. What sets it apart from non-Web situations is the very fact that surfing the Web is typically done in private. A user has no way of observing what information regarding his or her Web-based activities is being collected and is unaware that the information is being collected.
The degree to which various information collection methods on the Web gives rise to privacy concerns is subjective, but likely based on consideration of 1) the purpose of the data collection, 2) whether informed user consent is first required, and 3) the perceived trustworthiness of the entity doing the collection.
At one extreme, it would be difficult to complain about data collection when the purpose is to benefit the user; the user is fully informed that the data collection will occur and consents to it; and the user trusts that the entity collecting the data will not use the information other than for the agreed purpose. For example, some search engines collect a history of Web sites visited by a user in order to provide search results that are more relevant to a user's interests ' a clear benefit to the user. If the company providing the search engine informs the user that such information will be collected, the user consents to its collection, and the user trusts that the company will not use it for other purposes, the user will have little cause to complain.
At another extreme is the collection of data for a purpose that may benefit the entity collecting it, but is of no discernible benefit to the user, and which is collected by an untrustworthy entity without the user's knowledge or consent. For example, so-called spyware companies often collect Web surfing data for the purpose of serving pop-up advertisements to users; they do so by downloading software to a user's computer without the user's knowledge or consent and are often companies that are unknown to the user and that the user has no reason to trust. This scenario presents obvious privacy concerns to many users.
Information about surfers' Web-based activities is collected in a variety of different ways. In order to address Web privacy in a comprehensive manner, each must be understood. Three important ways, addressed below, are 1) targeted Web monitoring, 2) tracking cookies and associated databases, and 3) spyware/adware. For each, this article describes the types of information collected, identifies the privacy concerns that have been raised, and provides an overview of how courts and lawmakers have addressed those concerns.
Targeted Web Monitoring
Targeted Web monitoring, as used in this article, refers to the collection of information directed at specific users, as opposed to, for example, all users visiting a particular Web site. Such monitoring has been used for clearly legitimate purposes such as identifying copyright infringers and those involved in child solicitation and child pornography. It has also been used in a host of other situations, such as in defamation cases, where the balance of privacy concerns of the Web user against the rights of an allegedly injured party is more debatable. In all cases, however, the target had no doubt believed or assumed that his or her online activities were being conducted anonymously and that his or her true identity would not be, or could not be, revealed.
The process of obtaining the identity of a user is relatively straightforward, albeit subject to some important restrictions. First, the target's IP address is obtained. For example, in the case of an illegally copied music or motion picture file, such as one made available over a so-called peer-to-peer ('P2P') file-sharing network, the IP address of the file's source can be obtained by downloading the file and using an evidence-gathering software program that extracts IP addresses. See, e.g.,
In private actions, a John Doe action is usually filed to provide authority for the subpoena. In law enforcement cases, an administrative or grand jury subpoena is often used. (Several attempts to use the subpoena provisions of the Digital Millennium Copyright Act for pre-litigation subpoenas in file-sharing cases have been unsuccessful. See, e.g., In re
ISPs and their customers have argued that such subpoenas should be quashed on First Amendment grounds and, in criminal cases, Fourth Amendment grounds.
The First Amendment argument is that a user's Web-based activities constitute protected anonymous speech, and that such protection is violated when an ISP reveals the name of a user. Courts have considered the following five factors in determining whether First Amendment protections trump the interests of the requesting party: '1) whether the plaintiffs have made a concrete showing of a prima facie claim of actionable harm; 2) the specificity of the discovery request; 3) the absence of alternative means to obtain the subpoenaed information; 4) a central need to obtain the subpoenaed information to advance the claim; and 5) the party's expectation of privacy.' See Elektra Entm't Group, Inc. v. Does 1-9, No. 04 Civ. 2289 (RWS), 2004 WL 2095581, at *4 (S.D.N.Y. 2004);
Courts have consistently held that the rights of copyright owners prevail when it comes to copyright infringement allegations, particularly where the owners have made concrete showings that the anonymous parties have engaged in acts of infringement. See, e.g., Elektra Entm't, 2004 WL 2095581, at *4; Sony Music, 326 F. Supp. 2d at 567; Virgin Records Am., Inc. v. John Does 1-35, No. 05-1918, 2006 WL 1028956 (D.D.C. Apr. 18, 2006); UMG Recordings, Inc. v. Does 1-4, No. 06-0652, 2006 WL 1343597 (N.D. Cal. Mar. 6, 2006);
For other claims, including those for defamation, breach of employment or confidentiality agreements, breach of fiduciary duty, misappropriation of trade secrets, trademark infringement, and interference with business relations, the results have been mixed. See, e.g., In re Subpoena Duces Tecum to Am. Online, Inc., No. 40570, 2000 WL 1210372 at *1 (Va. Cir. Ct. Jan. 31, 2000), rev'd on other grounds, Am.
The Fourth Amendment argument typically arises when the target of a criminal investigation claims that a subpoena to an ISP, seeking the name associated with an IP address, is in some way improper and violates the individual's Fourth Amendment protection against unreasonable searches. Such arguments have been routinely rejected on the basis that a defendant cannot have a reasonable expectation of privacy in his ISP account information and therefore lacks standing to challenge a search of his ISP. See, e.g.,
The point here, in both the civil and criminal contexts, is that an Internet user's illusion of anonymity and privacy may be easily shattered.
Tracking Cookies and Associated Databases
Many popular Web sites use cookies to collect information about their users, which in turn is uploaded and stored on the Web sites' server computers. As one court explained, '[a] cookie is a piece of information sent by a web server to a web browser [such as
One particularly instructive case describing the use of cookies to collect user information is In re Doubleclick Inc., Privacy Litig., 154 F. Supp. 2d 497 (S.D.N.Y. 2001). In that case, a group of Internet users brought a class action suit against DoubleClick, a leading Internet advertising company. Id. at 500. As explained by the court, DoubleClick builds 'detailed profiles of Internet users' by collecting information based on each user's computer's 'Web activity,' and then uses those profiles to target its clients' advertisements to particular users. Id. at 502. With respect to DoubleClick's use of 'cookies,' the plaintiffs had alleged that DoubleClick placed 'cookies' on their hard drives that:
collect 'information that Web users, including plaintiffs and the Class, consider to be personal and private, such as names, e-mail addresses, home and business addresses, telephone numbers, searches performed on the Internet, Web pages or sites visited on the Internet and other communications and information that users would not ordinarily expect advertisers to be able to collect.' Id. at 503 (emphasis added).
That information is then uploaded, aggregated, and compiled to build the demographic profiles of the users. Id. at 505. Interestingly, for present purposes, the court stated that 'virtually all plaintiffs [were] unaware that the cookies exist, that these cookies have identification numbers, that DoubleClick accesses these identification numbers, and that these numbers are critical to DoubleClick's operation.' Id. at 513.
Clearly, any user that signs up for an account with a Web site must realize that account information for the user is stored on the Web site's computers, as well as information for requested services requiring stored data, such as e-mail, picture hosting, dating profiles, financial account tracking, etc. The extent to which a user may be aware of other information that may be stored about him or her by a Web site depends on how clearly the Web site advises the user about the data collection and the manner in which the user consents to the collection.
Several lawsuits have been filed by Web users claiming that the use of cookies and the collection of surfing information violated their rights. The rulings in those cases turned on whether there was adequate consent to the information collection. For example, in Pharmatrak, the First Circuit considered whether Pharmatrak violated the Electronic Communications Privacy Act ('ECPA') when it collected personal information concerning a small number of users of various pharmaceutical company Web sites. The personal information included 'names, addresses, telephone numbers, email addresses, dates of birth, genders, insurance statuses, education levels, occupations, medical conditions, medications, and reasons for visiting the particular website.' Pharmatrak, 329 F.3d at 15. The pharmaceutical companies were customers of a service provided by Pharmatrak, but were assured that no personal user information whatsoever would be collected by Pharmatrak's service. The First Circuit held that the ECPA claim against Pharmatrak should not have been dismissed by the lower court, because, among other reasons, neither the pharmaceutical companies nor the visitors to their Web sites had consented to the collection of the personal information.
In contrast, in DoubleClick, the Southern District of
Spyware/Adware
The aspect of Web privacy that has received perhaps the most attention is spyware or adware. It has been the subject of both numerous lawsuits and state and federal legislation. Spyware is basically software that surreptitiously collects information regarding some aspect of a computer's use, whether that is the keys a user presses on the keyboard or the Web sites visited by a user. Adware is a type of spyware that uses the collected information to display targeted advertisements, often in pop-up or pop-under windows. Spyware/adware is downloaded without the user's knowledge or consent and, once downloaded, is often designed to be extremely difficult to remove.
As one court explained, spyware allows companies that employ it 'to track a computer user's web browsing behavior in order to deliver targeted advertisements to that computer. For example, if a computer with Spyware views music-related Internet sites, Spyware sends a signal of the computer user's activity back to [the spyware company], which then targets the computer with advertisements from music-related companies that have paid for access to the computer via Spyware.' Sotelo, 384 F. Supp. 2d at 1223.
While the type of information collected by adware may be similar to that collected by reputable Web sites, the lack of notice to users of the data collection and the difficulty in disabling adware set it far apart from its reputable counterparts.
Several legal avenues have been pursued to attack spyware.
First, there have been a number of private suits by users against spyware companies. In Sotelo, for example, the plaintiff in a class action suit alleged that DirectRevenue and other companies had caused 'spyware' to be downloaded to his computer 'without his consent' and that the spyware 'tracked [his] Internet use, invaded his privacy, and caused substantial damage to his computer.' Sotelo, 384 F. Supp. 2d at 1222. DirectRevenue argued that the plaintiff had in fact consented to installation of its software, based on its End User License Agreement ('EULA'), which informed users that software 'will be installed, computer use will be monitored, and the computer will receive targeted advertisements.' Id. at 1223, 1236. Plaintiff countered that DirectRevenue installs spyware in ways that avoid showing the EULA to users and that he, in fact, never saw the EULA. On defendants' motion to dismiss, plaintiff's claims for the following survived: trespass to personal property/chattels, violation of the Illinois Consumer Fraud and Deceptive Practices Act, negligence, and violation of Illinois' Computer Crime Prevention Law. Certain of those claims were against not only DirectRevenue, but also companies that supplied advertisements that were displayed through DirectRevenue's alleged spyware, thus supporting claims against a wide range of defendants in spyware cases.
Second, there have been suits by government agencies. In Federal Trade Commission v. Seismic Entertainment Productions, for example, the Federal Trade Commission sought an injunction against a spyware company, contending that the company's marketing practices constitute 'unfair practices affecting commerce.' Federal Trade Commission v. Seismic Entertainment Productions, No. Civ. 04-377-JD, 2004 WL 2403124, at *1 (D.N.H. Oct. 21, 2004). The FTC explained that the defendants have downloaded and installed spyware and other programs on users' computers 'without the computer user's knowledge or consent,' '[t]he defendants' actions have caused affected computers to slow, malfunction, or crash,' and '[c]onsumers whose computers have been affected by the defendant's activities have spent considerable time, and in some cases money, to fix the problems caused by the defendants.' Id. at 2. The court granted the injunction, noting that 'consumers have experienced substantial injury without countervailing benefits.' Id. at 3.
Third, while existing federal and state statutes (including the Computer Fraud and Abuse Act ('CFAA'), Electronic Communications Privacy Act ('ECPA'), the Federal Trade Commission Act ('FTCA'), state consumer fraud and deceptive trade practices laws, and computer tampering laws) and common law claims (such as trespass to personal property/chattels, negligence, and invasion of privacy) have been used against spyware companies, numerous states have recently enacted, or are considering, legislation that tackles spyware head-on. Given the ubiquitous nature of the Internet, it would certainly make sense to have a national policy set on this important issue, but absent such a policy, state anti-spyware legislation fills an important void.
The California Consumer Protection Against Computer Spyware Act is illustrative. Among other things, the Act makes it a violation to '[c]ollect, through intentionally deceptive means, personally identifiable information that ... includes all or substantially all of the Web sites visited by an authorized user, other than Web sites of the provider of the software, if the computer software was installed in a manner designed to conceal from all authorized users of the computer the fact that the software is being installed.' Cal. Bus. & Prof. Code § 22947.2(b) (West 2006). The statute excludes from the definition of 'authorized user' a person or entity 'that has obtained authorization to use the computer solely through the use of an end user license agreement,' contemplating and cutting off possible chicanery with EULAs. The Utah Spyware Control Act, while narrower in some respects than the California Act, similarly includes within its definition of 'spyware,' software installed on a computer without 'obtain[ing] the consent of the user,' that 'monitors the computer's usage,' such as 'the Internet websites accessed by a user.' Utah Code Ann. § 13-40-102 (West 2006).
At press time, no reported cases have applied these statutes, so it remains to be seen how effective they will be against spyware companies.
Conclusion
A comprehensive Internet privacy policy, if one could be devised, would address privacy issues raised by each of the three information-collection methods discussed above. Two hurdles, though, must be cleared by any such policy.
The first is how to deal with a medium that is, on the one hand, inherently public and keeps records, at least temporarily, of just about every activity that occurs, while, on the other hand, people using it believe they are acting anonymously and are unaware that their actions are being recorded. Certainly, educating Internet users would help, but the popular view of the Internet as generally anonymous is part of its power and utility: it enables people to seek information and exchange ideas that they might not do otherwise. Still, though, a completely anonymous Web would not be a good thing; it would enable people to engage in activities, ranging from copyright infringement to child solicitation, that are obviously bad.
The second, which is almost a taboo subject, is how to balance the needs of legitimate Web advertising against the privacy rights of Web users. Advertising revenues are a sustaining force behind many popular and useful Web sites, and advertisers want to put their advertisements in front of the people who are most likely to be interested in their products and services. Targeting ads, however, requires collecting and storing information about individual users' interests. It is not clear how users feel about this. If, for example, Yahoo! displayed a message to users entering its Web site that, unless they disable cookies in their Web browser, information regarding the Web sites they visit may be collected and used for the purpose of delivering targeted advertisements, how many of the users would disable cookies? Still, reputable Web sites, such as Yahoo!, make that information readily available to anyone interested, and users, too, have a responsibility to inform themselves of issues that are important to them.
There are plainly no easy solutions addressing all aspects of Web privacy. However, an understanding of the various ways in which privacy issues on the Web arise is an essential first step.
Kenneth L. Stein is a partner in the Intellectual Property Practice at