mailing list archives
Judge awards class action status in privacy lawsuit vs. comScore
From: Erica Absetz <erica () riskbasedsecurity com>
Date: Fri, 5 Apr 2013 10:00:49 -0500
A federal court in Chicago this week granted class action status to a
lawsuit accusing comScore, one of the Internet's largest user tracking
firms, of secretly collecting and selling Social Security numbers,
credit card numbers, passwords and other personal data collected from
The court's decision paves the way for what a lawyer for the two named
plaintiffs in the case claimed could be the largest privacy case to
ever go to trial in terms of class size and potential damages.
ComScore did not respond to a request for comment.
Publicly traded comScore, a Reston Va.-based company that collects
Internet user data and sells it to more 2,000 firms for use in online
marketing and targeted advertising. The company said it monitors and
measures what people do on the Internet and then turns that
information into actionable data for its clients.
The company claims that it captures more than 1.5 trillion
user-interactions monthly, or roughly 40% of the monthly page views of
the Internet. Its clients include some of the world's largest
e-commerce sites, online retailers, advertising agencies and
ComScore uses OSSProxy software to track users. The software is
typically bundled along with free software products like screen savers
and music sharing software and is downloaded to the systems of end
users that install them.
Once installed, the software is designed to constantly collect and
send to comScore servers a wide range of data, such as the names of
every file on the computer, information entered into a web browser,
the contents of PDF files and other data.
ComScore maintains that all of the data it collects is purged of
identifying information and personal data before it's sold.
However, in August 2011, two Internet users, one from Illinois and the
other from California filed a lawsuit against Comscore alleging
various violations of the federal Stored Communication Act (SCA), the
Electronic Privacy Communication Act (ECPA) and the Computer Fraud and
Abuse Act (CFAA).
In the lawsuit, the pair accused comScore of changing security
settings and opening backdoors on end-user systems, stealing
information from word processing documents, emails and PDFs,
redirecting user traffic, and injecting data collection code into
browsers and instant messaging applications.
The lawsuit called comScore's software an intrusive surveillance tool
that monitors every keystroke and every action taken by a user on the
Internet. The suit charged that the company rifled through the iPod
playlists and web browsing histories of smartphone users.
To collect data, comScore's software modifies computer firewall
settings, redirects Internet traffic, and can be upgraded and
controlled remotely, the complaint alleged. The suit challenged
comScore's assertions that it filtered out personal information from
data sold to third parties, and of intercepting data it had no
business to access.
In a 20-page ruling on Tuesday, District Judge James Holderman of the
United States District Court for the Northern District of Illinois
granted the two plaintiffs the class action status they had been
seeking. The ruling means that any individual who downloaded and
installed comScore's tracking software on their systems after 2005 now
has a claim against the company.
"We sought certification of two classes," said Jay Edelson, the lawyer
representing the two named individuals. "The larger class consists of
essentially all of the millions of people who downloaded comScore
software since 2005. The subclass consists of a subset of the primary
class who downloaded comScore software during a specific time frame
and but were never provided a functional hyperlink to the user
agreement describing how the software worked."
The court granted class certification with regard to all of the
primary claims pertaining to violations of the SCA, ECPA and CFAA he
said. Under the SCA and ECPA each class member would be entitled to a
maximum of $1,000 in statutory damages, he said.
The judge, however, denied class action status for a third claim
relating to unjust enrichment against comScore.
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
- Judge awards class action status in privacy lawsuit vs. comScore Erica Absetz (Apr 05)