December 5, 2011

Failure to Plead Loss Causation in Class Action Suit Against Amazon Leads to Dismissal

Judge Robert S. Lasnik from the Washington Western District Court granted last week Amazon’s motion to dismiss in the class action suit Del Vecchio et al v., Inc. Plaintiffs may now file an amended complaint within 30 days.

Plaintiffs alleged that Amazon, the famous online retailer, placed browser cookies on their computers against their wishes, by “exploiting” a shortcoming in Microsoft’s Internet Explorer browser s cookie filtering function, and that Defendant intentionally published a “gibberish” website policy to deceive Plaintiff’s browser into accepting Defendant’s cookies despite their filter settings.

Plaintiff also alleged that Amazon retooled flash cookies so that they would behave as traditional browser cookies in order to be accepted by Plaintiff’s browser, and that the online retailer used the personal information thus gathered and also shared it with third parties, despite the terms of its Privacy Notice.

Plaintiffs claimed being injured by Amazon’s misappropriation of their personal information, in which they have economic and property interests, and also damage to and consumption of their Computer Assets, leading to economic harms, including “devaluation of personal information, [and] loss of the economic value of the information as an asset” and diminution of the performance and value of their computer resources.

However, Judge Lasnik granted Amazon’s motion to dismiss as Plaintiffs failled to plead plausible losses.

Diminished Performance of Plaintiff’s Computer

Plaintiffs alleged that, by transferring cookies to Plaintiff’s computers, it thus diminished their  performance and constituted an interruption in service, but Judge Lasnik considered it merely “naked assertions.”

Monetary Value of Personal Information

The Computer Fraud and Abuse Act (“CFAA”) punishes unauthorized access to a protected computer, and provides for a civil remedy ”unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.” Therefore, the issue of the value of the loss (more or less than $5,000) was one of the questions presented to the court.

According to Judge Lasnik’s order, the facts of the case cannot allow the Court “to reasonably infer that those losses plausibly occurred in this case, let alone that they totaled $5,000.” Plaintiffs argued, for example, that by acquiring their personal information, they were thus deprived ‘”of the opportunity to exchange their valuable information,” but such deprivation is “entirely speculative” according to Judge Lasnik.  However, Judge Lasnik did not shun entirely the idea that personal data may have value, as he adds: “[w]hile it may be theoretically possible that Plaintiffs’ information could lose value as a result of its collection and use by Defendant, Plaintiffs do not plead any facts from which the Court can reasonably infer that such devaluation occurred in this case.”

The issue of proving the value of personal dat is quite interesting…  How could one measure the value of one’s personal information? Is the personal information of a gold or platinum card member more valuable than those of a basic member?  Should sites like Klout, which uses algorithms to grade one’s reputation on several social media sites, be introduced as evidence? It will be interesting to read Plaintiff’s amended complaint in the next weeks.

March 10, 2011

Class Action Suit Claims Amazon Circumvented Privacy Settings

A suit was filed last week in the U.S. District Court for the Western District of Washington by two clients of The complaint, which is seeking class-action status, states that the retailer has been taking the personal information of its site’s visitors that it was not entitled to take, by misusing privacy-protection software installed on the user’s computers. The complaint also alleges that shares personal identifiable information (PII) with other parties in spite of its privacy policy stating that it does not share a user’s information with third parties.

According to the complaint, circumvented the privacy filters of Microsoft Internet web browser (IE) “by spoofing IE into categorizing as more privacy-protective than it actually is.”  Plaintiffs used IE to restrict the ability of the websites visited to collect their PII. IE reads both a site’s full P3P policies, which describe the site privacy practices, and the compact P3P policy, describing the use of browser cookies. Both consist of three-character and four-character tokens summarizing a website's privacy policy. Based on this information, the browser then allows or restricts the site to store cookies on the user’s computer.

The complaint alleges that “Amazon knowingly published an invalid P3P Compact Policy and did so intentionally to exploit IE’s default privacy settings” and cites a report written by four Carnegie Mellon University researchers, Pedro Giovanni Leon, Lorrie Faith Cranor, Aleecia M. McDonald, and Robert McGuire, “Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens” which detailes how, because of an IE loophole, invalid Compact Policies may lead to cookies not being blocked by IE’s default cookie settings.

Plaintiffs are seeking relief under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, claiming that Amazon violated the Act as it knowingly and with intent to defraud, accessed plaintiff’s protected computers without authorization, or exceeding authorized access. It also seeks relief under the Washington State Consumer Protection Act, RCW § 19.86.010 et seq., which prohibits unfair and deceptive acts or practices, and relief under common law, claiming trespass to chattels. 

October 19, 2010

Recent Class Action Highlights Risk of Using Mobile Tracking “Cookies”

A class action lawsuit was filed on September 16, 2010, alleging that the lead defendant, Ringleader Digital, Inc., and several website operators utilizing Ringleader Digital’s technology have violated the plaintiffs’ privacy rights by illegally tracking individual’s mobile internet activity without their permission. This appears to be the first class action lawsuit involving tracking of mobile devices’ internet activity and is very similar to the series of class action lawsuits filed over the last few months focusing on “Flash cookies" (including Valdez v. Quantcast Corp., White v. Clearspring Technologies, Inc. and La Court v. Specific Media, Inc.), as covered by the Wall Street Journal and the New York Times.  (The Flash cookie cases were also covered in the Privacy and Information Security Committee’s July-August and September Updates, materials for which are available to committee members here)

 A main point of contention is Ringleader Digital’s use of HTML5.  HTML5 is a next-generation open standard currently under development by the World Wide Web Consortium, but it has already been adopted by companies such as Apple instead of Adobe Flash on its iPhone, iPod and iPad products.  The HTML5 standard provides website operators the ability to locally store information on a user’s computer or mobile device.  The local storage feature provides benefits, such as allowing users to use website features offline, but also allows a website operator to implement “cookie” functionality because large amounts of data regarding a user’s internet history can be stored. 

The complaint alleges that Ringleader Digital developed technology, known as Media Stamp™, utilizing HTML5 local storage databases to create the mobile equivalent of a third-party online cookie.  The complaint also alleges that the Media Stamp technology assigns users a unique identifying number and allows Ringleader Digital, advertisers, ad agencies and website publishers to create a local HTML5 database to track a mobile device’s internet activities over multiple websites. 

            The lawsuit relies on similar legal bases as the Flash cookie lawsuits.  The main thrust of all claims is that Ringleader Digital and the other defendants violated privacy laws by tracking a mobile device’s internet activity with no disclosure that it was doing so and without authorization.  The plaintiffs also allege that the tracking databases created by the defendants would be recreated even after the plaintiffs deliberately tried to remove them, which is similar to the “re-spawning” or “zombie” aspect of Flash cookies. 

The claims asserted include violations of the federal Computer Fraud and Abuse Act (18 U.S.C. § 1030) and the following California laws: Computer Crime Law (Cal. Penal Code § 502), Consumer Legal Remedies Act (Cal. Civil Code § 1750), Unfair Competition Law (Cal. Bus. & Prof. Code §17200), Invasion of Privacy Act (Cal. Penal Code § 630), common law trespass to personal property, and unjust enrichment.  

A copy of the complaint is available here.

October 14, 2007

Authorized computer access by departing employee not CFAA violation

A departing employee, who copied proprietary files while still having full access to his employer's protected computer databases did not access information “without authorization” or otherwise "exceed authorized access" under the Computer Fraud and Abuse Act (CFAA). Diamond Power Int’l, Inc. v. Davidson, No. 1:04-cv-1708, 2007 U.S. Dist. LEXIS 73032 (N.D. Ga. Oct. 1, 2007). The court granted summary judgment to the defendant on the CFAA claims, but let stand other related trade secret and contract claims based upon the employee’s forwarding of confidential company information to his new employer. The court found that the employee could not be liable under the CFAA because there was no dispute that he was authorized to initially access the company computers and that his level of authorized access included permission to obtain the specific data in question. The court, in reaching its conclusion, recognized a split in the circuits as to the interpretation of this aspect of the CFAA. Nevertheless, the court rejected the plaintiff's argument, based upon the Seventh Circuit opinion in International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir 2006), that an employee exceeds his authorized access when he obtains company information for an allegedly improper purpose.


September 9, 2007

Authorized Computer Access By Employee Not CFAA Violation, Despite Intent To Misuse Information

A departing employee, who copied client files while still having full access to his employer's computers, did not "exceed authorized access" under the Computer Fraud and Abuse Act (CFAA), despite the defendant's improper use of the files and alleged breach of company policy.  Brett Senior & Assoc. v. Fitzgerald, No.06-1412, 2007 U.S. Dist. LEXIS 50833 (E.D. Pa. July 13, 2007). The court granted summary judgment to the defendant on the CFAA and related state claims, but let stand the breach of fiduciary duty claim for the plaintiff's telephone solicitation of clients while he was still in the plaintiff's employ. The court found that the defendant could not be liable under the CFAA because there was no allegation that the defendant lacked authority or "exceeded authorized access" to view any information in the plaintiff's computer system. The court rejected the plaintiff's argument, based upon the Seventh Circuit opinion in International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir 2006), that an employee exceeds his authorized access when he obtains company information for an allegedly improper purpose.



September 7, 2007

Allegation that payment processing software installed "spyware" states claim under federal and New Jersey Computer Fraud Statutes

An allegation that payment processing software installed unauthorized "spyware" on the purchaser's server that diverted confidential customer data to the software developer makes out a claim under the federal and New Jersey computer fraud statutes. Slim CD, Inc. v. Heartland Payment Systems, Inc., No. 3:06cv2256, 2007 U.S. Dist. LEXIS 62536 (D. N.J. Aug. 24, 2007). The district court declined to dismiss the software purchaser's claims under the New Jersey statute, rejecting the developer's argument that the statute required a showing of how the developer had used the diverted information for its own benefit. The court also ruled that the purchaser had properly alleged damages in excess of $5,000 within one year under the federal computer fraud statute.