Case of the Day: Vita v. New England Baptist


New England Baptist Hospital

The case of the day is Vita v. New England Baptist Hospital (Mass. 2024). It’s not really a Letters Blogatory case, but it’s super interesting anyway. It involves the Massachusetts Wiretap Act, a law that forbids the secret recording of communications. I have served as arbitrator on cases that have raised claims under the Act that ask how the Act applies, or doesn’t apply, to modern technologies, so I have an interest in the statute. The statute, which is basically a criminal statute that also creates a private civil cause of action, is long, and I am not going to reprint it. There are many issues that can arise under it, but the issue that occupied the court in today’s decision is whether the information the hospital and third-party vendors gather about a person’s use of hospital websites—the publicly available websites, not the “patient portals” that hospitals these days use for confidential communications with patients—constitutes “communications” that are within the statute’s scope.

The court’s conclusion was that the information the plaintiff provided to the websites (her IP address, the URL she visited, the date and time of the visit, technical data about her browser and device configurations, and “unique identifiers used by third-party software providers to track individuals across the website”) was not, or at least not unambiguously, within the scope of the statutory term “communication,” and thus that the statute had to be construed to exclude it. Decisions of the Supreme Judicial Court are most often unanimous, but this one (the opinion of the court was by Justice Kafker) drew a dissent from Justice Wendlandt.

One problem with the decision is that the statute only applies to secret interceptions of communications. Suppose I put a tape recorder on the table and press the “record” button. You might not know what a tape recorder is or how it works, and so you may not know that you are being recorded. But a reasonable person would know. And the test for whether a recording is being made secretly is objective, not subjective. See Commonwealth v. Rivera, 445 Mass. 119 (2005).[1] Today, I think you can say something similar about web servers. You may not know that when you enter a URL in the address bar of your browser, your computer sends an HTTP request to the server that the URL identifies, or that the server creates a log file that has a line for every HTTP request received, which likely includes your IP address, the date and time of the request, the URL requested, and information about your “user agent” (including the browser that you use, your operating system, and maybe some other information). Here is an example from the Letters Blogatory HTTP server log (I’ve replaced the real IP address with a fake one):

192.0.2.0 - - [27/Oct/2024:22:18:09 -0400] "GET /2014/10/29/case-day-drc-v-honduras/ HTTP/1.1" 200 33148 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36"

This is true even if the website operator isn’t doing anything to track your visits or to try to learn anything about you. (Here at Letters Blogatory, for example, I don’t use Google Analytics or any other analytics software to try to track your visits.) Would a reasonable person know, in 2024, that web servers create these log files? I think probably so, even if many people never think about it. Of course, the hospitals were not just creating routine log files but were using special analytics software to learn about their visitors. And they were sharing the data with third parties like Facebook. But I am not sure that a reasonable person in 2024 could think that when one computer sends a request to another computer, the second computer doesn’t log data about the IP address, the URL, etc.
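The sketch below is an added example, not code from Letters Blogatory: it parses the combined-format log line quoted above into the fields the post names (IP address, date and time, URL, user agent). The function names `parse_line` and `visitor_facts` are illustrative.

```python
import re
from datetime import datetime

# Apache/nginx "combined" access-log layout:
# host ident authuser [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# The sample line quoted in the post (the author already swapped in a fake IP).
SAMPLE = ('192.0.2.0 - - [27/Oct/2024:22:18:09 -0400] '
          '"GET /2014/10/29/case-day-drc-v-honduras/ HTTP/1.1" 200 33148 "-" '
          '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 '
          '(KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36"')

def parse_line(line):
    """Return the fields of one combined-format line, or None if malformed."""
    m = COMBINED.fullmatch(line.strip())
    if m is None:
        return None
    f = m.groupdict()
    parts = f["request"].split(" ")
    method, path, proto = parts if len(parts) == 3 else (None, f["request"], None)
    return {
        "ip": f["ip"],
        # "-" in the authuser or referer slot means nothing was logged there
        "authuser": None if f["user"] == "-" else f["user"],
        "when": datetime.strptime(f["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": method, "path": path, "protocol": proto,
        "status": int(f["status"]),
        "bytes": None if f["size"] == "-" else int(f["size"]),
        "referer": None if f["referer"] == "-" else f["referer"],
        "user_agent": f["agent"],
    }

def visitor_facts(rec):
    """Keep only the items the post says a routine log reveals about a visitor."""
    return {"IP address": rec["ip"],
            "date and time": rec["when"].isoformat(),
            "URL requested": rec["path"],
            "user agent": rec["user_agent"]}

if __name__ == "__main__":
    for label, value in visitor_facts(parse_line(SAMPLE)).items():
        print(f"{label}: {value}")
```

The default combined format has no field for cookies or third-party identifiers, so a routine log of this kind holds only the fields returned here.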

But the court didn’t decide the case on those grounds. Instead, it asked whether the information the servers recorded was “communications” by the user. The statute applies only to interceptions of communications, and not to the recording or even the secret recording of other kinds of information.

I’d like to consider the issue functionally. I’ve gotten interested in metaphors between new and old technologies ever since delving into the problem of service of process by email under the Service Convention, where the question is whether the term “postal channels” includes email. What are the natural metaphors here?

In the pre-internet age, a person trying to learn about the hospital’s staff, the care it provides, etc., might have gone to the library and looked up information about the hospital in a reference book. A private detective interested in what you were doing might ask the librarian to see the slip you used to retrieve the reference book, or might just sit next to you in the reading room and look over your shoulder. Has the detective intercepted a communication? I think everyone would say no.

The court reasoned along these lines. You don’t really communicate with a website when you look up information on it, any more than you communicate with a book you take out of the library. Of course, you may be inadvertently disclosing information about your interests and concerns to anyone who is watching. But that is not what the statute aims to forbid.[2]

You might say that the library case is different from the website case because the statute requires that an “interception” be done via an “interception device,” that is, “any device or apparatus which is capable of transmitting, receiving, amplifying, or recording a wire or oral communication,” with exceptions. The web server is arguably an “interception device,” because it records data that comes to it over the wire, whereas a slip you hand to a librarian is clearly not an “interception device.” But remember, the case is about whether or not the user has made a “communication,” so drawing this distinction doesn’t make much difference. If the web server records data that is not a “communication,” then by definition it is not an “interception device.”

For these reasons, I tend to agree with the court that any effort to criminalize the collection of data on a website as alleged in today’s case is for the legislature and not the courts.

Image credit: Swampyank (CC BY-SA)

  • 1
    You have to look at the concurring opinions of Justices Cowin and Cordy to see this; their concurrences represent the views of a majority of the court, even though the opinion of the court decided the case on other grounds.
  • 2
    You could make the problem harder by considering websites that mimic human communication, e.g., chatbots, or today, AI chatbots. But that’s not what was at issue in the case.
