“We cannot conclude with any confidence that the Legislature intended ‘communication’ to extend so broadly as to criminalize the interception of web browsing and other such interactions,” Justice Scott Kafker wrote for the majority.
In a 5-1 ruling, the Supreme Judicial Court concluded that browsing histories gleaned from people looking up the names of doctors or health information on websites for Beth Israel Deaconess Medical Center and New England Baptist Hospital do not qualify as “communications” under the 1968 law.
Two major Boston hospitals that tracked and then sold the “browser fingerprints” of people using their websites were wrong to do so, the state’s highest court ruled Thursday, but they did not violate the state’s criminal wiretap statute.
Kafker added that “the interactions here are not with another person but with a website. Nor are they personal conversations or messages being intercepted, but rather the tracking of a website user’s browsing of, and interaction with, information published on a website.”
While the actions by the two hospitals were not criminal, they weren’t appropriate, the majority found. Whether to make monetizing “browser fingerprints” a crime is a decision for the Legislature, not the court, it said.
Advertisement
“Make no mistake, the hospitals’ alleged conduct here raises serious concerns, and may indeed violate various other statutes,” Kafker wrote. “And we do not in any way minimize the serious threat to privacy presented by the proliferation of third-party tracking of an individual’s website browsing activity for advertising purposes. These concerns, however, should be addressed to the Legislature.”
The websites at issue are not the patient portals that provide personal test results and medical histories, the court said. Instead, Kathleen Vita alleged in court papers that she looked up specific doctors and sought information about her husband’s medical conditions from the two hospitals’ main websites. She later learned that the hospitals had installed tracking software called AdTech, according to court records.
In court papers, the hospitals said they alerted website users about the use of “cookies and other tools to enhance your experience on our website and to analyze our web traffic” and made it clear what their data collection policies were.
“We are gratified with the Supreme Judicial Court’s decision in this case,” said a spokesperson for Beth Israel Lahey Health, the corporate parent of both hospitals. “We remain committed to appropriately protecting the privacy of all our patients. If the Legislature chooses to provide clearer and consistent rules of the road for all organizations to follow in this area going forward, we would welcome such action.”
Advertisement
In her 46-page dissent, Justice Dalila A. Wendlandt said the current law can readily encompass “browser fingerprints.” The hospitals promised users that interactions with the websites would be kept private but then turned around and monetized the data, she wrote.
“In short, the hospitals lied,” she wrote. “Unbeknownst to patients, they implanted tracking code to assist third parties to record the patients’ private medical concerns, padding Facebook’s and Google’s bottom lines.”
John R. Ellement can be reached at john.ellement@globe.com. Follow him @JREbosglobe.
Two Boston hospitals did not violate law when they tracked website use, SJC rules
