• by Wendy Davis  @wendyndavis, March 4, 2011

Amazon has been hit with a potential class-action lawsuit for allegedly circumventing the privacy settings of Internet Explorer users.

"For years, Amazon has been taking visitors' personal information that it was not entitled to take," Nicole Del Vecchio and Ariana Del Vecchio allege in their complaint against the online retailer, which was filed this week in U.S. District Court in Seattle. Their lawsuit alleges that Amazon got around the privacy filters built into Internet Explorer by "spoofing" the browser into classifying Amazon as offering more privacy protections than it did.

The Del Vecchios accuse Amazon of violating several laws, including a federal computer fraud law and a Washington state consumer protection law.

The lawsuit comes several months after researchers at Carnegie-Mellon published a study concluding that many Web sites thwart users' privacy settings by providing erroneous information to Microsoft's Internet Explorer. That browser enables users to automatically reject certain cookies, including tracking cookies.

To accomplish this, the browser relies on Web site operators to provide accurate "compact policies" -- or codes that provide information about their privacy policies to the browser. But, the report stated, many sites using compact policies "are misrepresenting their privacy practices, thus misleading users and rendering privacy protection tools ineffective."

The Del Vecchios allege in their lawsuit that Amazon was among the companies to use defective compact polices. Rather than using a readable code, Amazon's compact policy was "gibberish," the complaint alleges. "Amazon knowingly published an invalid ... compact policy and did so intending to exploit IE's interpretation that would treat it as a valid," the lawsuit states.

The complaint alao alleges that had Amazon provided accurate information, some Explorer users would not have received Amazon's persistent cookie. "Amazon used those persistent cookies to identify and track IE users and collect personal information from them, including when those users were visiting other Web sites on which Amazon served online advertisements," the lawsuit alleges.

But even if Amazon's compact policy was erroneous, it's not clear that the company violated consumer protection laws, says Justin Brookman, director of the Consumer Privacy Project for the digital rights group Center for Democracy & Technology.

"It's not your classic deceptive practices case, where a consumer is duped," he says. At the same time, he says it's plausible that a court would interpret that using a defective compact policy is a deceptive practice, especially if the correct information would have resulted in cookies being blocked.

In addition to the claim that Amazon's compact policy was defective, the Del Vecchios allege that Amazon circumvented their privacy settings by placing Flash cookies on their computers for tracking purposes. Flash cookies were originally designed to allow sites to remember users' preferences for Flash-based applications, like online video players, but some sites also use them to store the same type of information that is normally found on HTTP cookies.

Flash cookies are stored in a different place in the browser than HTTP cookies, which make Flash cookies harder to delete or block. When Explorer users configure their browser to block all cookies, the browser only blocks HTTP cookies. Ariana Del Vecchio also alleges that Amazon shared her personal information with outside companies, in violation of its stated privacy policy. She says that after she purchased pet supplies at Amazon, she began receiving ads in the postal mail from outside pet stores.