Interclick: History-Sniffing Doesn't Violate Computer Fraud Law
A "history-sniffing" lawsuit should be dismissed because the technology did not cause $5,000 worth of damage to Web users, behavioral targeting company Interclick argues in its latest bid to dismiss a potential class-action lawsuit.
The company argues that New York resident Sonal Bose, who sued in December, should not be able to proceed with her allegations that the company violated the federal Computer Fraud and Abuse Act, since the statute only allows private individuals to sue if they have suffered at least $5,000 in losses.
Bose originally alleged that Interclick violated federal wiretap laws, but withdrew that allegation last month, shortly after Interclick asked the court to dismiss her lawsuit. At the same time, Bose filed an amended complaint that focuses on the federal computer fraud claim, as well as several counts alleging violations of New York state laws.
Bose's claims stem from a report published last year by researchers at the University of California, San Diego, about history-sniffing techniques that enable companies to discover what other Web sites users visited. The technology relies on exploiting a vulnerability in browsers and can reveal users' Web histories regardless of their privacy settings.
The researchers named 46 Web sites where history-sniffing technology was being deployed. In at least some cases, the ad company Interclick reportedly used the technology without the publishers' knowledge.
Bose said in her complaint that she believes she was subject to history-sniffing by Interclick, based on reports about Interclick's activities, its role as "a major online ad network," and the existence on her computer of an Interclick.com Flash cookie. Interclick, which denies wrongdoing, says that Bose has not alleged any solid facts to show that it tracked her history.
Dozens of pending online privacy lawsuits allege violations of the computer fraud law, but whether the Web users will be able to prevail on that theory remains unclear.
The computer fraud law, a federal anti-hacking measure, makes it unlawful to access people's computers without authorization. The statute allows individuals to bring private lawsuits, but only if they can show $5,000 in damages.
Because Bose is attempting to bring a class action, she argues that the $5,000 can be spread out among all of the affected Web users. She asserts that Interclick's alleged collection of the data deprived her (and other Web users) of the opportunity to decide whether to share that information.
Interclick counters that its alleged data collection did not prevent Bose from attempting to leverage the same information. "Even if there was a market for plaintiff to sell such information, nothing Interclick is alleged to have done deprived plaintiff of the ability to 'sell' her 'personal information' to anyone who would pay for it," the company argues in a motion filed last week.
One factor in Interclick's favor is that this lawsuit was filed in the Southern District of New York -- the same court where, 10 years ago, a judge threw out one of the first online privacy lawsuits. That case concerned a potential class-action against DoubleClick, stemming from its behavioral targeting efforts. U.S. District Court Judge Naomi Reice Buchwald ruled that DoubleClick's collection of online data didn't violate the federal computer fraud statute because it did not cause $5,000 worth of damage. "Demographic information is constantly collected on all consumers by marketers, mail-order catalogues and retailers," Buchwald wrote. "However, we are unaware of any court that has held the value of this collected information constitutes damage to consumers or unjust enrichment to collectors."
Since then, however, some Web users have had more success in privacy cases.
For instance, plaintiffs recently convinced a federal judge in Montana to allow them to proceed with computer fraud allegations against the Internet service provider Bresnan Communications. That case stems from Bresnan's arrangement with defunct behavioral targeting company NebuAd, which partnered with ISPs to glean data about users' Web activity that would then be used to serve them targeted ads. NebuAd shut down in the face of congressional scrutiny, but not before conducting tests with six different ISPs in 2007 and 2008.
The judge presiding over the Bresnan Communications litigation ruled that the Web users sufficiently alleged $5,000 worth of damage based on their assertion that Bresnan allowed NebuAd to install an appliance that changed users' security features. The users "contend they were forced to mitigate Bresnan's invasive actions by expending time, money and resources to investigate and repair their personal computer's diminished performance," the judge wrote.