In Re Pharmatrak, Inc. Privacy Litigation

220 F. Supp. 2d 4 (2002)

In re PHARMATRAK, INC. PRIVACY LITIGATION

No. CIV.A.00-11672-JLT.

United States District Court, D. Massachusetts.

August 13, 2002.

*5 Seth R. Lesser, Bernstein, Litowitz, Berger & Grossman, New York City, Dennis Stewart, Alan M. Mansfield, Milberg Weiss Bershad Hynes & Lerach, San Diego, CA, Douglas G. Thompson, Finkelstein, Thompson & Loughran, Washington, DC, Stephen Moulton, Nancy F. Gans, Moulton & Gans, LLP, Boston, MA, Ann D. White, Mager & White, Jenkintown, PA, Andrew M. Gschwind, Bernstein Litowitz Berger & Grossmann, New York City, Marvin A. Miller, Miller Faucher and Cafferty LLP, Chicago, IL, Shannon P. Keniry, Finkelstein Thompson & Loughran, Washington, DC, Louis Gottlieb, Goodkind Labaton Rudoff & Sucharow, New York City, George E. Barrett, Barret Johnston & Parsley, Nashville, TN, William J. Doyle, II, Milberg Weiss Bershad Hynes & Lerach LLP, Brian J. Robbins, Robbins Umeda & Fink LLP, San Diego, CA, Bryan L. Clobes, Philadelphia, PA, Daniel W. Krasner, Wolf, Haldenstein, Adler, Freeman & Herz, New York City, Adam J. Levitt, Wolf, Haldenstein, Adler, Freeman & Herz, LLC, Chicago, IL, Michael M. Buchman, Schaumburg, IL, for Plaintiffs.

Carmela Edmunds, Dickstein, Shapiro & Morin, Washington, DC, Richard F. O'Malley, Sidley & Austin, New York City, Mark C. Laredo, Mark D. Smith, Faxon & Laredo, Matthew H. Feinberg, Matthew A. Kamholtz, Feinberg & Kamholtz, Boston, MA, James T. Ardin, Sidley & Austin, New York City, Adam J. Levitt, Wolf, Haldenstein, Adler, Freeman & Herz, LLC, Chicago, IL, Seymour Glanzer, Dickstein, Shapiro, Morin & Oshinsky, LLP, David N. Sonnenreich, The Sonnenreich Law Office, P.C., Salt Lake City, UT, Daniel S. Savrin, Bingham, Dana & Gould, Boston, MA, Dennis J. Block, H. Peter Haveles, Jr., Cadwalader, Wickersham & Taft, New York City, John J. Curtin, John J. Curtin, Jr., Bingham, McCutcheon L.L.P., Boston, MA, Paul A. Hemmersbaugh, Sidley & Austin, Washington, DC, Donald N. David, Fishbein, Badillo, Wagner & Harding, Boston, MA, Ralph T. Lenore, Holland & Knight LLP, Boston, MA, Deborah E. Barnard, Ralph T. Lepore, III, Elizabeth Marlene Mitchell, Holland & Knight LLP, Boston, MA, Frederic W. Yerman, Paul C. Llewellyn, Kay, Scholer, Fierman, Hayes & Handler, New York City, William F. Lee, David B. Bassett, Douglas J. Nash, Hale & Dorr, Boston, MA, Daniel J. Tomasch, Diana Weiss, Orrick, Herrington & Sutcliffe LLP, New York City, for Defendants.

MEMORANDUM

TAURO, District Judge.

Plaintiffs Rob Barring, Noah Blumofe, Jim Darby, Karen Gassman, Robin McClary, Harris Perlman, and Marcus Schroers ("Plaintiffs") bring this consolidated action against Pharmatrak, Inc. ("Defendant Pharmatrak")[1] and several pharmaceutical companies: Pfizer, Inc., Pharmacia Corporation, SmithKline Beecham Corporation, Glaxo Welcome, Inc., and American Home Products Corporation (the "Pharmaceutical Defendants"). The Consolidated Amended Class Action Complaint alleges that Defendants secretly intercepted and accessed Plaintiffs' personal information and Web browsing habits *6 through the use of "cookies" and other devices, in violation of state and federal law.

The Parties' cross-motions for summary judgment are now before the court.

PROCEDURAL BACKGROUND

Plaintiffs Blumofe and Gassman filed suit in this court on August 18, 2000. The remaining Plaintiffs filed complaints in the Southern District of New York. On April 18, 2001, the Judicial Panel on Multi-District Litigation issued an order transferring the six New York actions to the District of Massachusetts.

Plaintiffs filed the Amended Consolidated Class Action Complaint ("Complaint") on June 28, 2001. In December 2001, the court held a scheduling conference and authorized the Plaintiffs to examine Defendant Pharmatrak's computer servers. This limited discovery took place during December 2001 and January 2002 at Pharmatrak's former corporate headquarters in Boston, Massachusetts.

Pursuant to the court's March 26, 2002 Order, the Parties refiled motions for summary judgment. The court held a hearing on Defendants' and Plaintiffs' motions for summary judgment on July 24, 2002.

FACTUAL BACKGROUND

Plaintiffs allege that Defendants "secretly intercepted and accessed Internet users' electronic communications with various health-related and medical-related Internet Web sites and secretly accessed their computer hard drives in order to collect private information about their Web browsing habits [and] confidential health information without their knowledge, authorization, or consent."[2] Plaintiffs contend that the Pharmaceutical Defendants conspired with Plaintiff Pharmatrak to "collect and share this wrongfully obtained personal and sensitive information."[3] This activity was allegedly accomplished through the use of "web bugs," "persistent cookies," and other devices.[4]

The general principles of computers, the Internet, and the Web have been detailed elsewhere,[5] and because such facts are undisputed in this case, further elaboration is unnecessary. Analysis of the Parties' relationships in this case, however, requires a brief discussion of the specific methods by which the Parties communicated with each other, and the manner in which Defendants allegedly accessed and intercepted private information.

As stated in the Complaint, the Plaintiffs "access the Internet and communicate with other computers through use of commercial ISPs ... or through computers known as `servers' that are operated by the entity which provides their computer access, such as their employer. In each case, the ISP or the server provides the electronic communication service that allows the user's computer to connect with other computers on the Internet."[6] Plaintiffs assert that personal computers "can and sometimes do act as servers,"[7] but do *7 not allege that any of the named Plaintiffs' computers were used in such a capacity.

The Pharmaceutical Defendants hired Defendant Pharmatrak to monitor their corporate web sites and provide monthly analysis of web site traffic.[8] Pharmatrak offered its clients two relevant products: NETcompare, which was designed to monitor activity across clients' web pages, and DRUGcompare, which was designed to monitor activity across disease categories and drug product pages.[9] All of the Pharmaceutical Defendants purchased NETcompare, and Defendant Pharmacia may have licensed DRUGcompare during testing phases.[10] Pharmatrak specifically represented to the Pharmaceutical Defendants that these products did not collect "personally identifiable information."[11] Even though the Pharmaceutical Defendants may not have known precisely how Pharmatrak's software worked, Plaintiffs readily admit that "the Pharmaceutical Defendants did authorize Pharmatrak's presence upon their Web sites ...."[12]

Pharmatrak's system operated through the use of HTML programming,[13] JavaScript programming,[14] cookies,[15] and "web bugs."[16] Each of the Pharmaceutical Defendants' web pages were programmed with Pharmatrak code, which allowed Pharmatrak to monitor web site activity.[17] When a computer browser requested information from a Pharmaceutical Defendant's web page, the web page would send the requested information to the user, and the site's programming code would instruct the user's browser to contact Pharmatrak's web server and retrieve a "clear GIF" from it.[18] A clear GIF is a one pixel-by-one pixel or two pixels-by-two pixels graphic image, and is sometimes called a web bug or a "pixel tag."[19] The purpose of a clear GIF was to cause the user's computer browser to communicate directly with Pharmatrak's web server.[20] Some communications may have also included code referencing JavaApplet, a software program that runs in a user's browser, or JavaScript, an Internet programming language.[21]

Having caused the user's Internet browser to contact Pharmatrak, Pharmatrak then sent a cookie back to the browser.[22] A cookie is an electronic file "attached" to a user's computer by a computer server. Plaintiffs concede that "[c]ookies generally perform many convenient and innocuous functions."[23] Commonly, cookies are used *8 to store users' preferences and other information, which allows users to easily access and utilize personalized services on the web or to maintain an online "shopping cart."[24] Cookies also allow web sites to differentiate between users as they visit by assigning each individual browser a unique, randomly generated numeric or alphanumeric identifier.[25] If an individual browser had already visited the "Pharmatrak-enabled" website, Pharmatrak would recognize the previously placed cookie and could therefore differentiate between a repeat visit and an initial visit.[26] Pharmatrak programmed its cookies to expire after 90 days.[27] It is possible that many individual users were unaware that, in addition to their browser communicating with a Pharmaceutical Defendant's web site, it was also communicating with Pharmatrak.[28]

Plaintiffs allege that the JavaApplet used by Pharmatrak allowed Pharmatrak to monitor the length of time that a particular user viewed one of the Pharmaceutical Defendants' web pages.[29] Plaintiffs also allege that the JavaScript programming allowed Pharmatrak to "intercept the full URL[30] of the tracked Web page visited by the user," as well as "the full URL of the Web page visited by the Internet user immediately prior to the user's visit to the Pharmatrak-coded Web page. This prior Web page address is know as a `referrer URL.'"[31] According to Plaintiffs, Pharmatrak used JavaScript "to extract referring URLs from the client's history, thereby bypassing any security or privacy mechanisms put in place to control the flow of potentially sensitive data."[32] The JavaScript and JavaApplet, therefore, also caused users' computer browsers to communicate with Pharmatrak's server while they intentionally communicated with the Pharmaceutical Defendants' servers.

In a subheading on page 21 of the Complaint, Plaintiffs also assert that Pharmatrak was able to "Capture [] Personal Information Submitted by Internet Users to the Pharmaceutical Defendants' Web Sites."[33] Users submitted this information in two ways. First, an individual could use the "POST" method, and voluntarily fill out an online form in order to register with the site, or to receive mailings, a rebate, or other information. For example, an individual wishing to view the full text of articles on nytimes.com must first register with the site, a process which requires the individual to volunteer certain information.

Second, an individual using the "GET" method could perform an online search, resulting in a URL with search terms appended to it. The appended information is known as the "query string."[34] For example, a person interested in Cornell Law School could perform a search resulting in the following URL: http://search.yahoo.com/bin/search?p=cornell+law+school.[35] All of the material following the question mark (i.e.p=cornell+law+school) *9 is known as the query string, and is "rich in useful content."[36] Plaintiffs allege that Pharmatrak was able to intercept and collect detailed, specific information about individual users from the full URLs, and place the information into relational databases.[37]

Plaintiffs' computer scientist, C. Matthew Curtin, and his company, Interhack, examined Pharmatrak's servers between December 17, 2001 and January 18, 2002, pursuant to the court's Order. The examination of Pharmatrak's logs "identified hundreds of people by name."[38] Based on Curtin's analysis, Plaintiffs claim that Pharmatrak collected information which included: names, addresses, telephone numbers, dates of birth, sex, insurance status, medical conditions, education levels, and occupations.[39] Pharmatrak also collected data about email communications, including user names, email addresses, and subject lines from emails.[40] Although Plaintiffs submit no evidence that Pharmatrak collected, sorted, or assembled this information into detailed "profiles," other than the aggregate information it submitted to the Pharmaceutical Defendants, Curtin did build such profiles.[41] Curtin also asserts that it would be possible to build detailed profiles of individuals using the data collected by Pharmatrak and matching it to "another data source, such as a telephone book."[42] Again, however, there is no evidence that Pharmatrak ever attempted to do so.

In sum, Plaintiffs argue that "Pharmatrak's technology permits defendants to collect extensive, detailed information about plaintiffs and Class members."[43] In addition to the personal information discussed above, the information collected allegedly included "Web sites the Internet users were at prior to the time they went to the Pharmaceutical Defendants' Web sites, questions they asked and typed in at those prior sites, information they entered while at the Pharmaceutical Defendants' web sites, and the types of computers they were using."[44]

DISCUSSION

Under Federal Rule of Civil Procedure 56, summary judgment is appropriate "if the pleadings, depositions, answers to interrogatories, and admissions on file, together with the affidavits, if any, show that there is no genuine issue as to any material fact and that the moving party is entitled to a judgment as a matter of law."[45] Rule 56 mandates summary judgment "after adequate time for discovery and upon motion, against a party who fails to make a showing sufficient to establish the existence of an element essential to that party's case, and on which that party will bear the burden of proof at trial."[46]

The "party seeking summary judgment [must] make a preliminary showing that no genuine issue of material fact exists. Once the movant has made this showing, the nonmovant must contradict the showing by *10 pointing to specific facts demonstrating that there is, instead, a trialworthy issue."[47] The party opposing summary judgment must produce specific evidence of a material factual dispute. The First Circuit has noted that "[a] genuine issue of material fact does not spring into being simply because a litigant claims that one exists. Neither wishful thinking nor `mere promise[s] to produce admissible evidence at trial' ... nor conclusory responses unsupported by evidence ... will serve to defeat a properly focused Rule 56 motion."[48]

The Parties file cross-motions for summary judgment. "The happenstance that all parties seek summary judgment neither alters the yardstick nor empowers the trial court to resolve authentic disputes anent material facts."[49] A court considering cross-motions for summary judgment must consider "each motion separately, being careful to draw inferences against each movant in turn."[50]

Plaintiffs seek summary judgment against Defendants Pharmatrak and Glocal, and Defendants each seek summary judgment against Plaintiffs.

A. Count I — The Wiretap Act[51]

Title I of the Electronic Communication Privacy Act of 1986 ("ECPA"), Interception of Electronic Communications ("The Wiretap Act"), provides that:

Except as otherwise specifically provided in this chapter[,] any person who — (a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept, any wire, oral, or electronic communication ... shall be punished as provided in subsection (4) or shall be subject to suit as provided in subsection (5).[52]

This criminal statute provides for a private right of action, and is subject the following statutory exception:

(d) It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act ....[53]

Plaintiffs argue that Defendants intentionally "intercepted plaintiffs' or Class members' electronic communications with the Web sites they visited without plaintiffs' or the Class' [sic] knowledge, authorization, or consent...."[54]

1. Pharmaceutical Defendants

After Defendants had fully briefed the issue, Plaintiffs' counsel orally informed the court at the summary judgment hearing that Plaintiffs would withdraw the Wiretap Act claim as it relates to the Pharmaceutical Defendants.[55] Count I is *11 therefore DISMISSED with regard to these defendants.

2. Pharmatrak

Plaintiffs claim that "Pharmatrak intercepted plaintiffs' transmission of their personal information to the Pharmaceutical Defendants' Web sites without the express or implied consent of either plaintiffs or the Pharmaceutical Defendants."[56] Despite the fact that the Pharmaceutical Defendants may have consented to Pharmatrak's assembly of anonymous, aggregate information, Plaintiffs insist that the web sites never consented to Pharmatrak's collection of personally identifiable information.[57] Absent this specific consent, Plaintiffs argue, the Wiretap Act's statutory exception simply does not apply.

Pharmatrak concedes that the Pharmaceutical Defendants did not consent to the collection of personally identifiable information.[58] According to Pharmatrak, however, the relevant inquiry is whether the Pharmaceutical Defendants consented to Pharmatrak's NETcompare service, i.e. the collection of data from the Pharmaceutical Defendants' web sites, regardless of how the service eventually operated.[59] It is undisputed that the Pharmaceutical Defendants contracted with Defendant Pharmatrak to obtain data regarding their web sites, and that they proceeded to have the Pharmatrak code placed on the web sites. Pharmatrak, therefore, asserts that the statutory exception for consent has been met, and that it is entitled to summary judgment on the Wiretap Act claim.

In In re DoubleClick Inc. Privacy Litigation ("DoubleClick"),[60] the Southern District of New York disposed of a multi-district consolidated class action case pursuant to Rule 12(b)(6). There, the plaintiffs alleged that DoubleClick, an Internet advertising firm, placed cookies on their computers, thereby collecting "information that Web users, including plaintiffs and the Class, consider to be personal and private, such as names, e-mail addresses, home and business addresses, telephone numbers, searches performed on the Internet, Web pages or sites visited on the Internet, and other communications and information that users would not ordinarily expect advertisers to be able to collect."[61]

The DoubleClick court found that the web sites affiliated with DoubleClick were "`parties to the communication[s]' from plaintiffs and have given sufficient consent to DoubleClick to intercept them,"[62] despite the possibility that the plaintiffs may not have known that their computers were communicating with DoubleClick, and that the affiliated Web sites may not have fully understood the mechanisms of the DoubleClick service.

Having found consent, the DoubleClick court proceeded to analyze Section 2511(2)(d)'s "criminal" or "tortious" purpose requirement, which "is to be construed narrowly."[63] The court noted that the evidence in the case suggested that DoubleClick's actions were motivated by legitimate business goals, and found an "utter lack of evidence that [DoubleClick's] intent was tortious ...."[64] Because it *12 found that DoubleClick acted with consent and without a tortious or criminal purpose, the court dismissed the plaintiffs' Wiretap Act claim.[65]

In Chance v. Avenue A. Inc.,[66] the plaintiffs alleged that Avenue A had placed cookies on their computers, thus permitting the company to surreptitiously monitor plaintiffs' electronic communications. First, addressing consent, the court held that "[i]t is implicit in the web pages' code instructing the user's computer to contact Avenue A, either directly or via DoubleClick's server, that the web pages have consented to Avenue A's interception of the communication between them and the individual user."[67] The court also found that the plaintiffs had presented no evidence that the defendants acted with a tortious or illegal purpose and, therefore, granted summary judgment on the claim to Avenue A.[68]

In the present case, Plaintiffs concede that the Pharmaceutical Defendants consented to the placement of code for Pharmatrak's NETcompare service on their web sites.[69] As was the case in DoubleClick and Avenue A, the web site Defendants (here, the Pharmaceutical Defendants) consented to the service of a web-monitoring company (Pharmatrak), and such consent precludes a claim under the Wiretap Act. The Pharmaceutical companies contracted with Pharmatrak, and authorized Pharmatrak to communicate with any users who contacted the Pharmaceutical Web sites. Despite Plaintiffs' valiant attempts to shift the inquiry, it is irrelevant for the purposes of the Wiretap Act whether the Pharmaceutical Defendants knew the precise mechanisms of Pharmatrak's service or not. It is sufficient that the Pharmaceutical Defendants were parties to communications with Plaintiffs and consented to the monitoring service provided by Defendant Pharmatrak.

Plaintiffs are also unable to demonstrate that Defendants acted with a tortious purpose. Plaintiffs have produced no evidence "`either (1) that the primary motivation, or (2) that a determinative factor in the actor [Pharmatrak's] motivation for intercepting the conversation was to commit a criminal [or] tortious ... act.'"[70] Without a showing of the requisite mens rea, Plaintiffs cannot succeed on their claim under the Wiretap Act.

Because the Pharmaceutical Defendants consented to Pharmatrak's NETcompare service, and because Plaintiffs are unable to present any evidence whatsoever of a tortious intent, Defendants are entitled to summary judgment on Count I of the Complaint.

B. Count II — Stored Communications Act[71]

Title II of the ECPA, also known as the "Stored Wire and Electronic Communications and Transactional Records Act," "aims to prevent hackers from obtaining, altering, or destroying certain stored electronic communications."[72] The statute provides:

[W]hoever — (1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds *13 an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided by subsection (b) of this section.[73]

Plaintiffs acknowledge that § 2701 was primarily designed to provide a cause of action against computer hackers,[74] and argue that "Defendants' conduct of accessing data in plaintiffs' computers, including the content of plaintiffs' e-mails, constitutes electronic trespassing and falls squarely within the ambit of Section 2701."[75]

Defendants disagree, and claim that they are entitled to summary judgment on at least two separate grounds: (1) Plaintiffs' computers are not facilities which provide electronic communications services, an essential element of § 2701; and (2) any alleged access to "communications" was authorized.[76]

Defendants are correct that an individual Plaintiff's personal computer is not a "facility through which an electronic communication service is provided" for the purposes of § 2701. Plaintiffs find it noteworthy that "[p]ersonal computers provide consumers with the opportunity to access the Internet and send or receive electronic communications," and that "[w]ithout personal computers, most consumers would not be able to access the Internet or electronic communications." Fair enough, but without a telephone, most consumers would not be able to access telephone lines, and without televisions, most consumers would not be able to access cable television. Just as telephones and televisions are necessary devices by which consumers access particular services, personal computers are necessary devices by which consumers connect to the Internet. While it is possible for modern computers to perform server-like functions, there is no evidence that any of the Plaintiffs used their computers in this way. While computers and telephones certainly provide services in the general sense of the word, that is not enough for the purposes of the ECPA. The relevant service is Internet access, and the service is provided through ISPs or other servers, not though Plaintiffs' PCs.[77]

Even if the court were to assume that Plaintiffs' computers are "facilities" under § 2701,[78] any access to stored communications was authorized and, thus, Defendants' conduct falls under the exception from liability created by § 2701(c)(2). As was the case in DoubleClick and Avenue A, the Pharmaceutical Defendants are "users" under the ECPA.[79] The DoubleClick court noted that, "in a practical sense, Web sites are among the most active `users' of Internet access."[80] As *14 users, the Pharmaceutical Defendants could consent to Pharmatrak's interception of Plaintiffs' communications, and Plaintiffs cannot survive the motions for summary judgment "based solely on the naked allegation that defendant[s'] access was `unauthorized.'"[81]

Plaintiffs argue that this case is factually different from DoubleClick, because the Pharmaceutical Defendants did not know that Pharmatrak would collect the type and amount of personally identifiable information that it did. Even viewing this factual distinction in the light most favorable to Plaintiffs, the Pharmaceutical Defendants nonetheless authorized Pharmatrak to monitor electronic communications between the web sites and Plaintiffs. As discussed above in Part A.2, the Pharmaceutical Defendants consented to the monitoring service provided by Defendant Pharmatrak in NETcompare, even if they were unaware that the program was able to identify personal information.

In addition, the ECPA does not prohibit Pharmatrak's actions with regard to the placing of cookies on Plaintiffs' computers. Section § 2701 seeks to target communications which are in "electronic storage" incident to their transmission. This court agrees with the DoubleClick court that "Title II only protects electronic communications stored `for a limited time' in the `middle' of a transmission, i.e. when an electronic communication service temporarily stores a communication while waiting to store it."[82] Even if such cookies were covered by the ECPA, Pharmatrak created and sent the cookies, and thus any accessing of the cookies by Pharmatrak at a later date would certainly be "authorized." Because Pharmatrak's cookies fall outside the scope of § 2701, Plaintiffs' claim under that section must fail.

Finally, Plaintiffs persistently argue that the Pharmaceutical Defendants did not consent to the allegedly improper interception of personal information. If the Pharmaceutical Defendants did not consent to the alleged interception of personally identifiable information, then they could not have "intentionally access[ed] without authorization" any electronic communications. Without the necessary intent under this punitive statute, the Pharmaceutical Defendants cannot be held liable and are entitled to summary judgment.

Accordingly, all Defendants are entitled to summary judgment on Count II.

C. Count III — Computer Fraud and Abuse Act[83]

The Computer Fraud and Abuse Act (CFAA) creates a claim against:

(a) Whoever — ... (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... (c) information from any protected computer if the conduct involved an interstate or foreign communication ...[84]

The CFAA limits recovery to those persons who suffer "damage or loss by reason of a violation" of the Act. Section 1030(e)(8) defines damage as "any impairment to the integrity or availability of data, a program, a system, or information, that — (A) causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals...."[85]

Plaintiffs do not allege that their computers were physically damaged in any *15 way, or that they suffered any damage resulting from the repair or replacement of their computer systems. Instead, Plaintiffs argue that their "sensible interpretation" of the CFAA allows recovery for a "cognizable `loss,'" as distinct from economic damage, for the invasion of their privacy and the "concomitant loss of control over the dissemination of their private information."[86] Plaintiffs stress that they allege both loss and damages, and that the damage threshold of $5,000 may be met by aggregating claims among individuals and over a one year period.

The CFAA does not define "loss," and the First Circuit noted in EF Cultural Travel BV, et. al. v. Explorica[87] that "[f]ew courts have endeavored to resolve the contours of damage and loss under the CFAA."[88] In that case, the First Circuit explicitly agreed with the DoubleClick court, and concluded that the statute's use of "damage or loss" indicated a Congressional desire to allow recovery for more than purely physical damage.[89] The First Circuit was careful to note, however, that it did not hold that any loss is compensable, and that "Congress could not have intended other types of loss to support recovery unless [the $5,000] threshold were met."[90]

Plaintiffs have not shown any evidence whatsoever that Defendants have caused them at least $5,000 of damage or loss. Even accepting Mr. Curtin's bald assertion that "[d]ata about people are valuable, marketable assets,"[91] Plaintiffs are unable to meet the statutory threshold. Any damage or loss under the CFAA may be aggregated across victims and across time, but only for a single act.[92] Because Plaintiffs have not shown any facts that demonstrate damage or loss of over $5,000 for any single act of the Defendants, Defendants are entitled to summary judgment on Count III.[93]

CONCLUSION

For the foregoing reasons, Defendants' Motions for Summary Judgment [Docket ##'s 139, 143, 218, and 224] are ALLOWED as to Counts I, II, and III of the Consolidated Amended Class Action Complaint, and Plaintiffs' Motion for Summary Judgment [Docket # 237] is DENIED. Defendant Pharmatrak's Motion to Dismiss [Docket # 269] is DENIED.

Having granted summary judgment on Counts I, II, and III, this court declines to retain jurisdiction over Counts IV-IX, and those counts are DISMISSED, without prejudice.

AN ORDER WILL ISSUE.

NOTES

[1] Following the practice of the Parties, the court will refer solely to Pharmatrak in reference to the activities of both Pharmatrak and Glocal Communications, Ltd. ("Glocal"), the parent company of Pharmatrak.

[2] Compl. ¶ 1.

[3] Id.

[4] Compl. ¶ 25.

[5] See Reno v. ACLU, 521 U.S. 844, 117 S. Ct. 2329, 138 L. Ed. 2d 874 (1997) (discussing the Internet); In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497, 500-505 (S.D.N.Y. 2001) (discussing the Internet, the Web, cookies, and data collection).

[6] Compl. ¶ 40. "Servers" are computers which store documents and make them available over the Internet. See DoubleClick, 154 F.Supp.2d at 501. "ISPs" are Internet Service Providers.

[7] Pls.' Mem. of Law in Supp. of Mot. for Summ. J. 5.

[8] Compl. ¶ 47.

[9] Compl. ¶ 46.

[10] See Michael Sonnenreich Dep. ("M.Sonn.Dep.") at 76:4, 84:4-8.

[11] See M. Sonn. Dep. at 93-95.

[12] Pls.' Mem. of Law. in Opp. to Defs.' Mot. for Summ. J. 6.

[13] "HTML" is "HyperText Markup Language." As discussed in the Declaration of Matthew Curtin, HTML is "electronic document definition format typically used on the web. Web browsers read HTML to determine how to render an electronic document for presentation to the user." Curtin Decl. ¶ 51.

[14] As discussed below, JavaScript is an Internet programming language.

[15] "Cookies" are electronic files, and are more fully discussed below.

[16] Compl. ¶ 49.

[17] Compl. ¶ 50.

[18] See id.

[19] Compl. ¶ 51.

[20] See id.

[21] See Pls.' Mem. of Law in Supp. of Mot. for Summ. J. 12.

[22] Compl. ¶ 55.

[23] Compl. ¶ 56. See Declaration of C. Matthew Curtin ("Curtin Decl.") ¶ 56.

[24] Compl. ¶ 56.

[25] Compl. ¶ 58.

[26] Compl. ¶ 55.

[27] See Pls.' Mem. of Law in Supp. of Mot. for Summ. J. 13 n. 8.

[28] Compl. ¶ 60.

[29] See Pls.' Mem. of Law in Supp. of Mot. for Summ. J. 13.

[30] A "URL" is a Uniform Resource Locator, which indicates the specific location of web documents on a server. Compl. ¶ 39.

[31] Id. at 14 (emphasis in original).

[32] Curtin Decl. ¶ 60.

[33] Compl. at 21.

[34] Compl. ¶ 70.

[35] See id.

[36] Pls.' Mem. of Law in Supp. of Mot. for Summ. J. 6.

[37] See id. at 7.

[38] Curtin Decl. ¶ 53.

[39] See Curtin Decl. ¶ 18.

[40] See Curtin Decl. ¶ 90.

[41] See Curtin Decl. ¶ 19.

[42] See Curtin Decl. ¶ 19.

[43] Compl. ¶ 74.

[44] Pls.' Mem. of Law. in Opp. to Defs.' Mot. for Summ. J. 4.

[45] Fed.R.Civ.P. 56(c).

[46] Celotex Corp. v. Catrett, 477 U.S. 317, 322, 106 S. Ct. 2548, 91 L. Ed. 2d 265 (1986).

[47] Blackie v. State, 75 F.3d 716, 721 (1st Cir.1996) (quotations omitted).

[48] Griggs-Ryan v. Smith, 904 F.2d 112, 115 (1st Cir.1990) (citations omitted).

[49] Id.

[50] Id.

[51] 18 U.S.C. § 2510, et seq.

[52] 18 U.S.C. § 2511(1)(a).

[53] 18 U.S.C. § 2511(2)(d).

[54] Compl. ¶ 95.

[55] Plaintiffs' counsel stated that "I don't think the plaintiffs have a claim under the wiretap statute against the pharmaceutical defendants," and indicated that Plaintiffs would withdraw the claim. Hearing Tr. 66:20-22 (July 24, 2002).

[56] Pls.' Mem. of Law in Supp. of Mot. for Summ. J. 20.

[57] See id.

[58] See Pharmatrak's Substitute Reply Mem. of Law in Supp. of Mot. for Summ. J. 8.

[59] See id. at 8-9.

[60] 154 F. Supp. 2d 497 (S.D.N.Y.2001).

[61] Id. at 503.

[62] Id. at 514, quoting 18 U.S.C. 2511(2)(d).

[63] See id. at 515-19.

[64] Id. at 519.

[65] See id.

[66] 165 F. Supp. 2d 1153 (W.D.Wash.2001).

[67] Id. at 1162.

[68] See id. at 1163.

[69] See Compl. ¶¶ 1-3.

[70] DoubleClick, 154 F.Supp.2d at 514-15, quoting United States v. Dale, 991 F.2d 819, 841-42 (D.C.Cir.1993).

[71] 18 U.S.C. § 2701, et seq.

[72] DoubleClick, 154 F.Supp.2d at 507.

[73] 18 U.S.C. § 2701(a).

[74] See Pls.' Mem. of Law in Opp'n to Defs.' Mots. for Summ. J. 27.

[75] Id. at 28.

[76] See Mem. of Law in Supp. of Def. AHP's Mot. for Summ. J. 21.

[77] See DoubleClick, 154 F.Supp.2d at 508 ("Therefore, the `service which provides to users thereof the ability to send or receive wire or electronic communications' is `Internet access.'")

[78] The court in Avenue A found it "possible to conclude that modern computers, which serve as a conduit for the web server's communication to Avenue A, are facilities under the Act." Avenue A, 165 F.Supp.2d at 1161.

[79] See DoubleClick, 154 F.Supp.2d at 509 ("Therefore, we find as a matter of law that the DoubleClick-affiliated Web sites are `users' of Internet access under the ECPA."); Avenue A, 165 F.Supp.2d at 1161 (finding that "at minimum the web site is a `user' of that communication service").

[80] DoubleClick, 154 F.Supp.2d at 509.

[81] Id.

[82] DoubleClick, 154 F.Supp.2d at 512.

[83] 18 U.S.C. § 1030.

[84] 18 U.S.C. § 1030(a)(2).

[85] 18 U.S.C. 1030(e)(8).

[86] Pls.' Mem. of Law in Opp'n to Defs.' Mot. for Summ. J. 38.

[87] 274 F.3d 577 (1st Cir.2001).

[88] Id. at 584.

[89] See id. at 585.

[90] Id.

[91] Curtin Decl. ¶ 13.

[92] See DoubleClick, 154 F.Supp.2d at 523; Avenue A, 165 F.Supp.2d at 1158. But see In re America Online, Inc., 168 F. Supp. 2d 1359, 1374-75 (S.D.Fla.2001).

[93] Even if Plaintiffs were able to establish damage or loss greater than the $5,000 statutory threshold, Plaintiffs have produced no evidence that the Pharmaceutical Defendants possessed the requisite mens rea to be held liable under the CFAA.