Class Action Tests Commercial Use of Spyware for Target Marketing

A class action lawsuit alleges that the Internet tracking and analytics firm, comScore has been using highly aggressive tactics to surreptitiously collect large amounts of personal data on individuals.  The lawsuit claims violations of the Stored Communications Act, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act and Illinois Consumer Fraud and Deceptive Practices Act.  The plaintiffs to the lawsuit claim comScore collects information such as Social Security numbers, credit card numbers, passwords and other data from individuals' computers.  It also alleges that comScore's software will modify the computer's security settings, open backdoors, redirect Internet traffic and scan documents and emails for information.

The software from comScore is usually installed when the user downloads free software products such as screen savers or music sharing software. comScore’s privacy policy for marketscore states that its software monitors "all of the Internet behavior that occurs on the computer on which you install the application, including both your normal web browsing and the activity that you undertake during secure sessions, such as filling a shopping basket, completing an application form or checking your online accounts, which may include personal financial or health information. We make commercially viable efforts to develop automatic filters that would allow us to avoid collection of non-publicly available personally identifiable information such as UserID, password, and credit card numbers. Inadvertently, we may collect such sensitive information about our panelists; and when this happens, we will make commercially viable efforts to purge our database of such information.”

This case will be interesting to follow for a host of reasons.  comScore likely will rely on its privacy policy as a defense, claiming full disclosure and assent by the consumer to the activity monitoring; a defense to each of the claims made in the complaint.  In response, not only will the clarity and readability of the policy be challenged (a common argument), but also the circumstances surrounding the decision to install the application.   Will it be clear to the user that in his desire to get a free screen saver, he was agreeing to broad monitoring?  What about on shared computers or where a juvenile downloads the software; what measures were in place to make sure the user had authority to install the application?

Likewise, is inadvertent collection of PII ever permitted?  What efforts did comScore use to avoid collection of sensitive data?  Was the data passed back to comScore in a secure transmission (https)?  If not, are the Massachusetts privacy regulations (201 CMR 17.01, et. seq.) or Illinois Consumer Fraud and Deceptive Practices Act violated?

Indeed, the comScore solution appears to be a commercial use of spyware; a common malware that has plagued many of us.  comScore’s privacy policy goes on to say “As a participant, you agree not to: ... Attempt to defeat or circumvent our application, it being your responsibility to remove this application as instructed in this agreement or expressly by an authorized service representative.... use of third party programs to remove this application may cause instability in your system and to your Internet connection. We reserve the right to repair any of its settings that are partially removed…”  Deciding the permissibility of such a restriction in the light of the requirements Illinois Consumer Fraud and Deceptive Practices Act will guide how many of us write privacy policies and notices.

See articles regarding the lawsuit:
http://www.theregister.co.uk/2011/08/24/comscore_privacy_lawsuit/

http://www.computerworld.com/s/article/9219444/Lawsuit_accuses_comScore_of_extensive_privacy_violations

http://www.eweek.com/c/a/Security/comScore-Accused-of-Aggressive-Surreptitious-Online-Data-Collection-in-Lawsuit-759357/