Nobles v. Google, Inc. et al
Filing
1
CLASS ACTION COMPLAINT against Google, Inc., Pointroll, Inc. ( Filing fee $ 350, receipt number 44611009082). DEMAND FOR JURY TRIAL. Filed byZetha Nobles. (far, COURT STAFF) (Filed on 7/10/2012) (Additional attachment(s) added on 7/12/2012: # 1 part two, # 2 Civil Cover Sheet) (far, COURT STAFF).
<![CDATA[
I'
.'(
1
2
3
4
'-.~
REGINA D TERRELL, ESQ.
THE TE
LL LAW GROUP
Post Offic Box 13315, PMB #148
Oakland, alifornia 94661
Tele{'hon : (510) 237-9700
Facsimile: (510) 237-4616
Email: R iet2 aol.com
~
r
JUL 7 ·
AI
0 2012
cL£JHAAo
NORTHeR~ 0 DISTArl£ktNG
U.s.
UNITED STATES DISTRICT COURT
3f:fAcNro;6~B~Ar
5
6
w
D
8
ZETHA OBLES, individually and on behalf) CASE NO.:
of all othe s similarly situated,
~
10
Plaintiff,
11
14
GOOGLE INC., a Delaware Corporation and ~
POINTR LL, INC., a Delaware Corporation )
)
Defendants.
)
17
DEMAND FOR JURY TRIAL
~
15
~
C12-03589
)
) CLASS ACTION COMPLAINT
)
~
v.
12
13
Q
ORN!A • \
NORTHERN DISTRICT OF CALIFORNIA
7
9
Jl ~
l.....c::,Q
)
)
------4-------------------------)
18
CLASS ACTION COMPLAINT
19
"
PI intiff Zetha Nobles ("Plaintiff'), by and through her attorney brings this action on
20
behalf of erself and all others similarly situated against Google, Inc. and PointRoll, Inc.
21
Plaintiff's allegations as to herself and her own actions, as set forth herein, are based upon her
22
informati n and belief and personal knowledge, and all other allegations are based upon
23
informati n and belief pursuant to the investigations of counsel. This Court has subject matter
24
jurisdictio pursuant to the Class Action Fairness Act of2005, 28 U.S.C. § 1332 (d) as set forth
25
below.
26
I. NATURE OF THE ACTION
27
28
1.
Plaintiff brings this consumer Class Action lawsuit pursuant to Federal Rules of
Civil Pro edure 23(a), (b)(l), (b)(2), and (b)(3), on behalf of herself and a proposed class of
CLASS ACTION COMPLAINT
1
i
1
2
similarly ituated Individuals, (hereinafter referred to as the "Class Members"), who were
victims o unfair, deceptive, and unlawful business practices; wherein their privacy, financial
3
interests,
d security rights were violated by Defendant Google, Inc. (hereinafter referred to
4
5
individua ly as "Google"), and Defendant PointRoll, Inc. (hereinafter referred to individually as
6
"PointRo 1" and collectively with Google as "Defendants"), that acted individually, and in
7
concert, t gain unauthorized access, use, and retention of Plaintiffs and Class members' data
8
contained within their computing devices, which includes computers and mobile electronic
9
10
11
12
13
devices u ed for communication, internet, and multimedia capabilities (hereinafter referred to
collective y as "Computing Devices").
2.
This Class Action lawsuit is brought by Plaintiff and Class Members who had
their Co puting Devices accessed without notice or consent, by circumventing their privacy
14
settings i order to obtain personally identifiable information, including that of minor children,
15
16
17
18
19
including but not limited to, settling tracking mechanisms within their computing devices for
subseque t online tracking by Defendants.
Defendants acted individually, and jointly, and knowing authorized, directed,
ratified, a proved, acquiesced in, or participated in conduct made the basis of this Class Action.
20
Defendan s used Plaintiffs and Class Members' Computing Devices to access, retain, and
21
22
disclose p rsonal information ("PI"), personally identifiable information ("PII"), and/or sensitive
23
identifiab e information ("SII") derived from Plaintiffs and Class Members' Computing Device
24
while the browsed online or wirelessly. Defendants accomplished this covertly, without actual
25
notice, a areness, or consent and choice, and which information Defendants obtained
26
27
deceptive y, for purposes which included Defendants' commercial gain and nefarious purposes.
28
CLASS ACTION COMPLAINT
2
f
1
2
4.
Defendants acted individually, and jointly, with entities involved in whole, or
part, with advertising networks, data exchanges, traffic measurement service providers, and
3
marketin and analytic service providers that develop and service websites (hereinafter referred
4
ely as "Google Affiliates").
5
Each Google Affiliate committed acts made the basis of this action, individually
6
7
8
, both intentionally and negligently, in whole or part, acting as a direct or contributory
party tot e action made the basis of this action. Pending discovery of the Google Affiliates'
9
and involvement at the various stages of the acts complained of, and made the bases
10
plaint, Plaintiff will amend the complaint to include such parties.
11
12
13
6.
Defendants individually, and in concert with Google Affiliates, have been
systemati ally engaged in and facilitated a covert operation of surveillance of Class Members
14
and the :D llowing violations:
15
1)
Violations ofthe Computer Fraud and Abuse Act, 18 U.S.C. § 1030;
17
2)
Violations ofthe Electronic Communications Privacy Act, 18 U.S.C. §
18
2510 et seq.;
16
19
3)
Violations of California Computer Crime Law, Penal Code § 502;
4)
Violations of California's Invasion Of Privacy Act, California Penal
20
21
22
Code§ 630 et seq.;
23
5)
24
Professions Code § 17200 et seq.;
25
6)
Violations of California Unfair Competition Law, Business and
Violations of California Consumers Legal Remedies Act, Civil Code §
26
27
1750 et seq.;
28
CLASS ACTION COMPLAINT
3
1
7)
2
Violations of California Customer Records Act, Cal. Civ. Code §
1798.80 et seq.;
3
8)
Conversion;
5
9)
Trespass to Personal Property I Chattels; and
6
10)
Unjust Enrichment.
4
7
8
II.
7.
JURISDICTION AND VENUE
This Court has diversity jurisdiction in this case under a Class Action Fairness
9
Act, 28 U.S.C. § 1332(d)(2). This complaint states claims on behalf of a national class of
10
11
consumer who are minimally diverse from Defendants. The amount in controversy exceeds $5
12
million, e elusive of interest and costs. The class consists of more than one hundred members.
13
8.
This Court also has federal question jurisdiction under 28 U.S. C. § 13 31 as this
14
action ari s in part under a federal statute, the Computer Fraud and Abuse Act.
15
16
17
18
19
9.
This Court has supplemental jurisdiction with respect to the pendent state law
claims un er 28 U.S.C. § 1367.
10
This Court has personal jurisdiction over Defendants because some ofthe acts
alleged he ein were committed in the state of California and because Defendants are registered to
20
do busine s in this state and systematically and continuously conduct business here.
21
22
11
Venue is proper in this Court under 28 U.S.C. § 1391 because Google is a
23
corporati
24
in, was di ected from, and/or emanated from this District.
25
12
headquartered in this District and/or because Defendants' improper conduct occurred
INTRADISTRICT ASSIGNMENT: Pursuant to Civil Local Rule 3-2(e), this
26
case shall be assigned to the San Jose Division as it arises from Santa Clara County where
27
28
CLASS ACTION COMPLAINT
4
f
1
2
Defendan Google is headquartered and where the actions alleged as the basis of this claim took
place.
3
III.
PARTIES
4
5
Plaintiff is an individual who owns and uses Apple's Safari and Microsoft's
13
6
Internet E~plorer ("IE") browsers that were protected by default privacy settings and/or higher
7
privacy st ttings to restrict the ability of websites that use persistent browser cookies in collecting
8
users' PI, PII, and SII.
9
14.
Plaintiff Zetha Nobles is a resident of Oakland, Alameda County, California.
1' .
On information and belief, Plaintiff Zetha Nobles incorporates all allegations
10
11
12
13
14
within this complaint.
H.
At all relevant times herein, Villegas owned Computing Devices, including a
personal~ omputer with IE and a mobile device which had Apple's Safari browser, and used the
15
16
17
Computi1 g Devices, and on one or more occasions during the class period, in the city of
residence and accessed the following websites reportedly associated with Defendants:
18
a.
http://allrecipes.com/
b.
http://www. businessweek.com/
c.
http://www.cbsnews.com/
22
d.
http://www.foodnetwork.com/
23
e.
http://www.huffingtonpost.com/
24
f.
http://www.meriam-webster.com/
g.
http://www. washingtonpost.com/
19
20
21
25
26
1 ~.
Defendants, acting in concert individually and jointly, gained unauthorized acces
27
28
to, and u~authorized use ofNobles' Computing Device data.
CLAS
ACTION COMPLAINT
5
1
2
18
Defendant Google, Inc. is a publicly traded Delaware corporation headquartered
at 1600 Alnphitheatre Parkway, Mountain View, California 94043 (Santa Clara County,
3
California11. Google does business throughout the United States.
4
5
6
7
8
19
Google is the owner and operator of the website located at
htto://wwlv.Goo2:le.com, as well as a provider of advertising services through doubleclick.net.
20
Defendant PointRoll, Inc. is a publicly traded Delaware corporation
headquart red at 7950 Jones Branch Drive, McLean, Virginia 22102. PointRoll does business
9
10
11
throughou the United States.
21
PointRoll, a rich media advertising company, entered into a contract with
12
Defendan Google, a California Corporation, and the acts made the basis of this action emanated
13
to and fro jn the Defendant Google's servers located in Mountain View, California.
14
22
PointRoll is the owner and operator of the website located at
15
16
17
18
19
htto://wwlv.Pointroll.com, and provides digital marketing solutions and technology for rich
media can paigns in interactive advertising,
23
On February 17, 2012, Jonathan Mayer, a Stanford researcher, published a study,
"Web Pol'cy- Do Not Track, Measurement, Privacy," ("Mayer Study") which "found that a
20
PointRoll rookie helper script circumvents Safari's cookie blocking." In a blog post, PointRoll
21
22
23
said it "co~ducted a limited test within the Safari browser to determine the effectiveness of our
mobile ad ,"but claims it does not currently use the technique mentioned in Mayer's report.
24
25
IV.
GENERAL ALLEGATIONS
I.
A Brief Overview
24
On October 13,2011, Defendant Google signed a consent order with the FTC
26
27
28
which bar ed it from making misrepresentations regarding its privacy policies, required the
CLASS ~CTION COMPLAINT
6
f
1
2
implemen ation of a comprehensive privacy program, and the retention of an independent thirdparty profl~ssional to access its privacy controls.
3
25
On October 19,2011, the World Wide Web Consortium ("W3C"), the main
4
5
internatio ~al standards organization for the World Wide Web, announced that Google was one o
6
its sponsors for the W3C Organization Sponsor Program, a program to enhance the W3C's
7
capacity tp support the deployment of web standards:
8
9
10
11
"W3C has been a cornerstone component of the World Wide
Web's evolution and Google is pleased to be able to support and
participate in its process," said Vint Cerf, Chieflnternet Evangelist
at Google and an Internet pioneer.
W3C, "Vv 3C Welcomes Google as First Gold Sponsor, Adobe Backs Initiative Supporting W3C
12
Mission 't Silver Level," (last accessed February 21, 2012), available online at:
13
14
15
16
17
htto://wv.w_.w3.ond2011/09/soonsor-or.html.
2<.
During this week of October 13-19, 2011, while Defendant Google was agreeing
to new p ivacy constraints and accepting accolades, it was also circumventing the privacy
settings c n Computing Devices for billions of Internet users, intentionally ignoring a cornerstom
18
component of the World Wide Web's evolution: Platform for Privacy Preferences ("P3P").
19
On February 17, 2012, a research study by Jonathan Mayer, revealed Defendants
20
21
Google and PointRoll were circumventing and exploiting the Safari browser in order to place
22
diagnost'c tools to track Safari browser users' activity. A research study by Microsoft confirmec
23
the same exploits for users of Internet Explorer.
24
2$.
While the Mayer Study can be credited with revealing the Defendants' recent
25
26
activitie , a past study by Professor Lorrie Faith Cranor of Carnegie Mellon University first
27
revealed these practices by some entities in September 2010 in a study titled "Token Attempt:
28
CLASS ACTION COMPLAINT
7
1
2
The Misrepresentation of Website Privacy Policies through the Misuse ofP3P Compact Policy
Tokens."
3
2S.
Google's Senior Vice President of Communications Policy, Rachel Whetstone,
4
5
issued as atement, noting in part in response to its practice, "that it is impractical to comply with
6
Microsof 's request while providing modem web functionality." GreekWire.com, Todd Bishop,
7
"Google: Microsoft's IE gotcha based on outdated, little-used privacy protocol," (last accessed
8
February 21, 20 12), available online: http://www. IZeekwire.com/20 12/fmo!Zle-microsofts-gotcha
9
10
based-ou dated-littleused-orivacv-nrotocol.
3b.
11
Interestingly enough, the privacy setting protections not afforded Internet users
12
involved with Defendants, claimed by Google to be archaic and impractical, are at the same tim
13
sought bty Defendant Google: it uses a valid P3P syntax for its advertising sites.
14
1.
An analysis using "Fiddler 2," a Web Debugging Proxy which logs all HTTP(S)
15
16
traffic b~>tween your computer and the Internet, (last accessed on: February 22, 2012) online:
17
http://fi dler2.com/fiddler2/, revealed the following: P3P Header is present: policy ref=
18
htto://www.!Zoo!Zleadservices.com/oa1Zead/o3o.xml, CP= "NOI DEV PSA PSD IVA PVD OTP
19
OTR I1' D OTC" compact policy token is present. Date: Wednesday, 22 February, 2012 11:41: 2
20
GMT.
21
22
32.
P3P provides protection like a fortress around one's Computing Devices.
23
Defenc ants' actions have unleashed a "Trojan Horse" of entities armed with every conceivabl~
24
trackin~
25
tool into Plaintiffs and Class Members' Computing Devices. Due to the amount of
third-p~rties
associated with Defendants, the task to identify and delete all tracking tools
26
27
impler~ented
will be a Herculean task. As such, analysis of each "cookie" that now exists in e ch
28
CL SS ACTION COMPLAINT
8
1
2
ofPlainti fs and Class Members' Computing Devices is needed, requiring a "toxic cookie
cleanup."
3
3 .
Plaintiff and Class Members do require the use of authorized cookies; thus they
4
5
cannot m rely push one button and delete all tracking devices. As such, since the identifying of
6
entities a sociated with each cookie residing within the Plaintiffs and Class Members'
7
Computi g Devices are unknown, but at least some include Defendants' cookies, an analysis of
8
each coo ie is required and appropriate detection required. An estimate of such a requirement is
9
10
in excess often thousand dollars ($10,000) per Plaintiff and Class Member.
11
Background: Web Browser's Incorporation ofP3P for Cookie Filtering
12
P3P, the Platform for Privacy Preferences, provides a language and process that
13
websites an use to post their privacy policies in a machine-readable form - that is, a form that
14
can be pr cessed by software such as web browsers. A website can post a full P3P policy,
15
16
describi g a variety of its privacy practices, or a "Compact Policy," describing its uses of
17
18
19
In 2001, Microsoft released version 6 of its market-leading Internet browser
software Internet Explorer ("IE6"), and included in it the capabilities to process websites' P3P
20
Compac Policies. IE6 processed websites' Compact Policies automatically and, based on
21
22
privacy ettings that Microsoft set by default and that users could adjust, automatically allowed
23
or restri ted websites' storage of cookies on users' computers.
24
25
36.
Before P3P, a privacy-conscious Internet user who wanted to learn about
websites cookie practices had only one choice - to read the privacy policy of every website
26
27
28
visited
and to do so often, given that many websites advised users to "check back regularly to
view up ates to this policy."
CLAS
ACTION COMPLAINT
9
1
3 .
This approach to managing cookies raised problems for users:
2
a.
It is effectively impossible for a user to take the time to read the privacy
3
policy of very website visited - and to do so continually to stay abreast of changes.
4
b.
5
It is challenging for a user to try to interpret websites' privacy policies
6
because, ven among websites with substantially similar privacy practices, each website
7
describes its practices in different ways and with varying levels of detail.
8
c.
It is difficult for a user to determine which details of a website's privacy
9
10
policy ap ly to which parts of the website, since a website's privacy practices may vary from
11
page top ge, such as a home page where the user signs up to use the website, a shopping-cart
12
page whe e the user's purchase selections are listed, or a checkout page where the user provides
13
credit car and shipping information.
14
d.
It is impossible for a user to read a website's privacy policy "manually"
15
16
without a tually visiting the website, which means the user has to visit a website and receive
17
whatever ookies the website delivers before the user has the chance to learn what the site's
18
practices
19
e.
38.
The advent ofP3P helped address these issues, as follows:
20
a.
P3P provided a common language and syntax that websites could use to
21
22
provide
23
Policies. ee "The Platform for Privacy Preferences 1.1 (P3P 1.1) Specification, W3C Working
24
Group No e, Nov. 2006, available at http://www.w3.org/TR/P3P11 (last accessed on February
25
achine-readable versions of their privacy policies, including cookie-specific Compact
21, 2012).
26
27
28
b.
P3P privacy statements could be quickly read by the user's web browser
each time he user directed the browser to access a web page.
CLASS ACTION COMPLAINT
10
1
2
c.
P3P permitted websites to offer granular privacy policies, tailored to the
unique c okie practices of specific web pages within a website.
3
d.
P3P-enabled web browsers could alert users to a websites' privacy
4
5
practices before the user actually communicated with, and received cookies from, the website,
6
and coul automatically filter and restrict cookies based on the users' privacy settings, includin
7
default rivacy settings.
8
9.
In a world in which websites automatically and non-transparently examine a
9
user's e ery online movement, IE6 gave users the ability to have their computers automatically
10
11
examin the abbreviated privacy information that websites choose to disclose in their Compact
12
Policies Subsequent versions of IE gave users the same or better capabilities. IE assessed
13
website ' cookie policies for users before the users even visited and acquired cookies from
14
website . In addition, in response to the users' privacy settings, IE could take certain actions in
15
to the P3P information it acquired, such as accept, reject, or restrict the cookies that
16
17
transmitted to users.
18
0.
19
throu
Compact Policies, such as those that IE enabled users to assess automatically
their web browser, are expressed as a series of codes, called "tokens," each of which
20
represe ts a standardized privacy expression defined in the P3P specification. For example, in
21
22
23
24
25
CP= "NOI DSP COR NID ADMa OPTa OUR NOR"
The" ID" token means that no identified user information is collected by the web pages to
which he Compact Policy applies or, if it is collected, it is anonymized in a way that cannot
26
reason bly be reversed to reveal the user's identity; and the "OUR" token means that identifie
27
28
CL SS ACTION COMPLAINT
11
1
user infmmation is shared only with an agent whose use of the information is restricted to the
2
purposes stated by the website. Likewise, the other tokens have predetermined meanings.
3
4 .
Under IE's default privacy settings, a website's unsatisfactory P3P Compact
4
Policy c2 n lead to several consequences. IE allows or limits cookies in different ways, dependin
5
on the st tements in the Compact Policy and whether the web entity offering the policy is a first
6
7
party (a Nebsite that the user explicitly chooses to visit) or a third party (such as entities that
8
display l dvertisements on a first-party website). For example, if a first-party website's Compact
9
Policy sates that the website shares user PII without user consent, IE downgrades the website's
10
"persistt nt" cookie to a "session" cookie- i.e., one that expires at the end of the user's browser
11
sesswn.
12
13
14
2.
collect heir information; the release of IE6 prompted many websites to implement P3P Compact
15
16
17
Persistent cookies serve as an important device for websites to identify users anc
Policie
so they could continue to set persistent cookies on the computers of users who adoptee
IE6.
18
III.
Defendants' Misuse of P3P
19
43.
On February 17, 2012, Jonathan Mayer, a Stanford researcher published a stud',
20
"Web
21
22
23
24
25
26
27
intenti
olicy- Do Not Track, Measurement, Privacy" that revealed the Defendants were
nally circumventing Safari privacy features. Microsoft researchers also completed a st1 dy
that sh~wed similar circumvention.
A. The Mayer Study
Apple's Safari web browser is configured to block third-party
cookies by default. We identified four advertising companies that
unexpectedly place trackable cookies in Safari. Google and
Vibrant Media intentionally circumvent Safari's privacy feature.
28
1
C ASS ACTION COMPLAINT
Media Innovation Group and PointRoll serve scripts that appear to
be derived from circumvention example code ....
1
2
5
Some companies track the cookies generated by the websites you
visit, so they can gather and sell information about your web
activity. Safari is the first browser that blocks these tracking
cookies by default, better protecting your privacy. Safari accepts
6
cookies only from their current domain ....
3
4
7
8
9
10
11
12
13
14
15
16
17
18
These allowances in the Safari cookie blocking policy enable three
potentially undesirable behaviors by advertising networks,
analytics services, social widgets, and other 'third-party websites.'
If a company operates both a first-party website and a third-party
website from the same domain, visitors to the first-party website
will be open to cookie-based tracking by the third-party service ....
Separating first-party websites from third-party services improves
security: interactions between google.com content and other
websites could introduce vulnerabilities. The domain separation
also benefits user privacy: Google associates user account
information with google.com cookies. By serving its third-party
services from other domains, Google ensures it will not receive
google.com cookies, and therefore will not be able to trivially
identify user activities on other websites.
"Web Pt>licy" (last accessed on: February 21, 2012), available online at:
19
20
21
22
23
24
25
http://w boolicv.org/20 12/02117/safari-trackers/.
:J. Microsoft Study
When the IE team heard the Google had bypassed user privacy
settings on Safari, we asked ourselves a simple question: is Google
circumventing the privacy preferences of Internet Explorer users
too? We've discovered the answer is yes: Google is employing
similar methods to get around the default privacy protections in IE
and track IE users with cookies ....
26
27
28
We've found that Google bypasses the P3P Privacy Protection
feature in IE. The result is similar to the recent reports of Google' s
circumvention of privacy protections in Apple's Safari Web
13
CLPSS ACTION COMPLAINT
1
browser, even though the actual bypass mechanism Google uses is
different. ...
2
3
Google secretly developed a way to circumvent default privacy
settings established by a ... competitor, Apple ... [and] Google then
used the workaround to drop ad-tracking cookies on the Safari
users, which is exactly the sort of practice that Apple was trying to
prevent. Third-party cookies are a common mechanism used to
track what people do online. Safari protects its users from being
tracked this way by a default user setting that blocks third-party
cookies ....
4
5
6
7
8
9
By default, IE blocks third-party cookies unless the site presents a
P3P Compact Policy Statement indicating how the site will use the
cookie and that the site's use does not include tracking the user.
Google's P3P policy causes Internet Explorer to accept Google's
cookies even though the policy does not state Google's intent.
10
11
12
13
P3P, an official recommendation of the W3C Web standards body,
is a Web technology that all browsers and sites can support. Sites
use P3P to describe how they intend to use cookies and user
information. By supporting P3P, browsers can block or allow
cookies to honor user privacy preferences with respect to the site's
stated intentions ....
14
15
16
17
18
Technically, Google utilizes a nuance in the P3P specification that
has the effect of bypassing user preferences about cookies. The
P3P specification (in attempt to leave room for future advances in
privacy policies) states that browsers should ignore any undefined
policies they encounter. Google sends a P3P policy that fails to
inform the browser about Google's use of cookies and user
information. Google's P3P policy is actually a statement that it is
not a P3P policy. It's intended for humans to read even though P3P
policies are designed for browsers to "read."
19
20
21
22
23
24
25
"Google Bypassing User Privacy Settings" (last accessed on February 21, 2012) online at:
26
htto :/lbl< 12:s.msdn.com/b/ie/archi ve/20 12/02/20/google-bypassing-user-ori vacv -settings.asox
27
28
~ 4.
Defendant Google did not refute the findings, and although individuals had set
their pri acy settings to their preferences, knowingly circumvented users' preferences:
CLAS
ACTION COMPLAINT
14
1
"Microsoft uses a 'self-declaration' protocol (known as 'P3P')
dating from 2002 under which Microsoft asks websites to represent
their privacy practices in machine-readable form. It is well known
- including by Microsoft- that it is impractical to comply with
Microsoft's request while providing modern web functionality. We
have been open about our approach, as have many other websites."
Google's Senior Vice President of Communications and Policy,
Rachel Whetstone.
2
3
4
5
6
7
1'.
8
9
Harm
A. "Tox c Cookies" Reouire a "Toxic Cookie Cleanup"
10
4 .
Defendants have left tracking mechanisms and files within Plaintiffs and Class
11
Memben' Computing Devices. Like a toxic oil spill in the Gulf of Mexico causing loss and/or
12
13
damage to the area residents, embedded "toxic cookies" now require a "toxic cookie cleanup."
4p.
14
15
Plaintiff and Class Members demand that Defendants return their Computing
Devices o the state that existed prior to any and all activity implemented by Defendants and
16
Google
~~ffiliates.
Such a demand is premised on the fact that although Defendants have ceased
17
18
setting tl e cookies, Defendants may still continue their tracking practices using such tracking
19
mechani ms. Plaintiffs and Class Members' Computing Devices are at risk, and Plaintiff and
20
Class M mbers do not desire to accept such a risk.
21
47.
Defendants' actions have caused harm to the Plaintiff and Class Members,
22
includin~,
but not limited to, the following:
23
24
25
26
27
a.
Loss due to costs associated with requiring Computing Device
forensics to investigate, locate, and delete any and all tracking
nechanisms located within Plaintiffs and Class Members' Computing
Devices without removing authorized cache storage cookies;
28
b.
Impairment of the Computing Devices;
CLA S ACTION COMPLAINT
15
1
c.
Loss due to "interception of internet service";
2
d.
Use of bandwidth to set Defendants' tracking mechanisms;
e.
Use of bandwidth for ad "calls" and ad insertion; and
f.
Loss due to the collection, storage, use, and sale of the Plaintiffs and
3
4
5
Class Members' personal information.
6
4
Plaintiff and Class members use their Computing Devices' cache to store and use
data, inc
ding, but not limited to, files of interest, website passwords, and bookmarks. Plaintiff
and Clas
Members do not want to use the Computing Devices' software to delete their entire
7
8
9
10
11
cache bu
only that data within their hardware associated with Defendants and Google Affiliates.
12
, though, requires accessing the Plaintiffs and Class Members' hard drive to examine
13
every data file.
14
Cleaning software provides the cache deletion mechanisms that delete the brows
15
16
17
cache.
is purges all ETag values. The cost for cleaning is quite low if a user merely runs the
cached letion of all browsers; however, Plaintiff and Class Members do not desire to delete all
18
Plaintiffs and Class Members' concerns relate to data remanence, or the residu 1
19
20
represe tation of data that remains even after attempts have been made to remove or erase the
21
is residue may result from data being left intact by a nominal file deletion operation, b
22
23
24
ting the storage media that does not remove data previously written to the media, or
throug physical properties of the storage medium that allow previously written data to be
25
26
51.
It is a misconception about deleting computer files that by simply pressing the
27
delete utton, emptying the "Recycle Bin," or even formatting the drive that it deletes all files.
28
16
CL SS ACTION COMPLAINT
1
Informaf on still remains on the hard disk drive ("HDD"). Formatting the HDD also does not
2
erase hid~en files. The data is not permanently erased and formatting still leaves unused parts of
3
the HDD and the swap file holding data.
4
5
5 J.
When information is written to a drive, the location of the information is stored ir
6
a file tha resembles a table of contents for a book. On computers running DOS and Windows
7
operatin systems, the File Allocation Table ("FAT") or the Master File Table ("MFT") holds
8
this info mation. When a file is deleted, the FAT or MFT is updated to tell the computer the
9
10
space on the HDD is available; however, the actual data is not deleted until it is overwritten wit
11
new dat . This is the reason why computer forensic software is able to recover data. Using
12
software undelete tools, files that were accidentally or otherwise deleted can be restored.
13
3.
The U.S. Department of Defense 5220.22-M standard for disk-sanitization is the
14
most rig oro us data wipe procedure. This wiping standard requires seven passes, with each pass
15
16
17
18
19
formed pf three different data wipes. The HDD is rewritten and covered with random patterns.
With ea~h wipe, the deleted data becomes harder to piece back together.
4.
The most effective and efficient way to clean a computer would be to
indiscri ~inately erase ALL tracking files on the computer which would include cookies, flash
20
cookies HTML5 storage, etc. To go through and erase solely the Defendants' related files wou d
21
22
take ex ra time and would bear the risk of not eliminating all of the potential threats. Plaintiff and
23
Class !\ embers desire to have their Computing Devices restored to the state the hardware existed
24
in befo e Defendants' activities without deleting any of their cache data.
25
B. Loss and/or Damal!e in Excess of$5,000.00 ("CFAA")
26
27
28
55.
Plaintiff and Class Members have suffered loss and/or damages that exceed fiv1
thousru d dollars ($5,000.00) in order to mitigate Defendants' invasive actions by expending
CL!SS ACTION COMPLAINT
17
1
2
time, morey, and resources, to investigate and repair their Computing Devices, a conduct
violation s defined in the Computer Fraud and Abuse Act ("CF AA"), Title 18, United States
3
Code, Se< tion 1030. The CF AA defines "damage" as "any impairment to the integrity or
4
5
availabili y of data, a program, a system, or information." 18 U.S.C. § 1030(e)(8). Under the
6
CFAA, "loss" is treated differently from "damage," and is defined as "any reasonable cost to any
7
victim, including the cost of responding to an offense, conducting a damage assessment, and
8
restoring he data, program, system, or information to its condition prior to the offense, and any
9
10
revenue 1pst, cost incurred, or other consequential damages incurred because of interruption of
11
service." 18 U.S.C. § 1030(e)(l1). Accordingly, Plaintiff must claim economic loss or damages
12
in an am< unt aggregating at least $5,000 in value during any 1-year period to one or more
13
individuds. See 18 U.S.C. § 1030(c)(4)(A)(i)(I).
14
5 ~.
Plaintiffs and Class Members' economic loss involves costs to obtain a complet~
15
16
forensic< xamination of their Computing Devices. Estimates for such services exceed thirty-five
17
(35) hou sat a cost of three hundred and fifty dollars ($350.00) per hour, or exceeding a total
18
cost ofhvelve thousand two hundred and fifty dollars ($12,250.00) per device:
19
20
21
22
23
24
25
26
"A complete examination of a single 80 GB hard drive can have
over 18,000,000 pages of electronic information and may take
between 15 to 3 5 hours or more to examine, depending on the size
and types of media. A reasonable quote can be obtained prior to
the investigation's start. This time could increase or decrease,
depending upon the type [of] operating system used, the type of
data contained within, and the size and amount of data in question.
Computer forensic investigations have an unusually high return on
investment. The total computer forensic price can average from
$250 to $350 an hour."
New Yo k Computer Forensics Services, "Computer Forensics Frequently Asked Questions"
27
(last ace ~ssed February 21, 20 12), available online at:
28
httn ://W'~W .newvorkcomnuterforensics.com/learn/forensics faw. ohn
CLAS~
ACTION COMPLAINT
18
1
2
3
5'.
The average costs of Computing Devices range from one hundred and fifty dollan
($150.00) to fifteen hundred dollars ($1,500.00). Plaintiff and Class Members use such devices
to conduc both personal and commercial business. Any interference of any kind to such devices
4
5
would int~rfere with their personal enjoyment and/or commercial use. Plaintiff and Class
6
Members were harmed due to any delay in use once the Defendants' actions became known, and
7
delay in t me to investigate and repair any loss and/or damage. Moreover, Plaintiffs and Class
8
Member~' loss shall include the purchase of a new Computing Device's hardware and operating
9
10
11
system.
5
Plaintiff and Class Members purchased Computing Devices with consideration o
12
costs, sp1 ed, and security features. The cost of the hardware and software necessary for the
13
security eatures were factored into the total price of the Computing Devices; thus a specific sun
14
was allo1 ated to the cost of including the security features. As such, Defendants' circumvention
15
of Plaint ff s and Class Members' Computing Devices rendered such hardware and software
16
17
18
19
20
protections purchased within the Computing Devices worthless.
5~.
Native Security Software was provided to Plaintiff and Class Members within
their Co nputing Devices when purchased for use on a trial basis, with generally an average sixtv
(60) day trial period. Common Native Security Software is a Norton or McAfee product. Once
21
the trial Jeriod expired, the Plaintiff and Class Members downloaded software or purchased such
22
23
at an ele tronics retailer. Security Software costs average approximately seventy five dollars
24
($75.00) to one hundred and fifty dollars ($150.00) per Computing Device to provide continued
25
security !Protection. Such Security Software purchased was rendered worthless due to
26
Defend~:~ts' activities made the basis of this action.
27
28
CLASS ACTION COMPLAINT
19
Defendants' harm to Plaintiff and Class Members involves a loss that includes the
1
2
purchase fan HDD, transferring of files, and re-installation of an operating system. Hidden file
3
actually store data long after deleted and can be recovered by experts. As an
4
to clearing all cache and cookies, a user would need to purchase a brand new HDD,
5
indows, and have their authorized data from the hard drive transferred to a new HDD.
6
reinstall
7
A retail p ice for this would average one hundred dollars ($1 00.00) for the HDD and
8
approxim tely $150-$250 for the operation oftransferring the files, installing Windows, etc., or
9
about $3 0-$350 total at a market price.
10
Defendants' harm to Plaintiff and Class Members involves paying a computer
11
12
technici
13
to spend hours and hours reading every single cookie file, cache file, etc., though this
efficient. Regardless, a technician could spend approximately ten ( 10) to twenty (20)
14
g through each and every cookie file. If a Computing Device has 18,000,000 cookies,
15
ke substantial time on a Computing Device that has a lot of cookies to view each one
16
17
individua ly. A technician shall have to indiscriminately read every line of every file of cache
18
and anal
19
e it, and delete Defendants' tracking files.
Plaintiff and Class Members that have their HDD/cache removed, but want to stil
20
use the i ected hard drive must extract all the authorized data, and that would require additional
21
22
costs for hat process. Data transfer could be as much as $250. Plaintiff and Class Members mus
23
purchase brand new HDD and all of their data (music, documents, etc.) must be transferred to
24
the new DD. Plaintiffs and Class Members' loss includes a cost of about $350 for the HDD
25
and the s rvice. However, programs cannot be transferred. For example, if Microsoft Office is
26
installed n the old HDD, it has to be manually re-installed on the new HDD. This applies to all
27
28
applicati ns. Typically, that is the user's responsibility. Most computer technicians will notre-
CLASS ACTION COMPLAINT
20
1
2
install all of the programs for the user. It would be plausible to say that re-installing an average
user's apJlications would take another three to four hours and thus cost an extra $400. Market
3
cost to buy a new HDD and have all of a user's program and files transferred to it, so that they
4
5
6
were made whole and in the same shape that they were in before, would cost approximately
$750.
7
8
6 .
The issue is not that the cost is higher to delete the hidden files than the cost of a
total replc cement, i.e. buying a brand new computer; it's that a person's data is invaluable to
9
them. lnd viduals have years' worth of research, bookmarks, and cache on their hard drive; thus
10
11
user data s invaluable if lost.
12
C.
13
U tauthorized Use of Bandwidth ("Bandwidth Ho2s")
6~.
Defendants' activities of circumventing Plaintiffs and Class Members'
14
Computir g Devices and using such to conduct tracking required bandwidth. The problem is that
15
16
17
18
19
the bandv idth used to complete Defendants' objectives had not been purchased by Defendants,
but rather by the Plaintiff and Class Members.
6:;.
Defendants caused an economic harm to the Plaintiff and Class Members that is
actual, no r1-speculative, sum certain, tangible, and scientifically documented, and that was
20
incurred l y the unauthorized use of their Computing Devices' bandwidth; in that:
21
22
a.
Plaintiff and Class Members purchased a monthly limited bandwidth
23
data plan for their Computing Device from their provider.
24
b.
25
Plaintiff and Class Members then accessed websites, "expecting" and
agreeing to limited bandwidth consumption required and necessary to
26
27
in eract with the websites.
28
CLASS ACTION COMPLAINT
21
1
c.
2
However, Defendants then redirected Plaintiffs and Class Members'
Computing Devices to access their tracking mechanism and had HTTP
3
c okies set after they have been deleted, and such was not "expected"
4
5
the user, not required to interact with the website, not agreed upon
6
the user, and not necessary to operate the Computing Devices.
7
d.
Defendants then made "calls" directing Plaintiffs and Class Members'
8
Computing Devices to third parties for marketing purposes, thereby
9
d pleting the purchased and linked bandwidth data plans of the
10
11
P aintiff and Class Members, and such was not "expected" by the user,
12
n t required to interact with the website, not agreed upon by the user,
13
d not necessary to operate the Computing Devices.
14
Bandwidth is the amount of data that can be transmitted across a channel in a set
15
16
amount
time. Any transmission of information on the internet includes bandwidth. Similar to
17
panies, such as power or water, the "pipeline" is a substantial capital expenditure, an
18
usage controls the pricing model. Hosting providers charge users for bandwidth
19
eir upstream provider charges them and so forth until it reaches the "back bone
20
provider ." Retail providers purchase it from wholesalers to sell to its consumers.
21
Bandwidth to the Computing Device is like gasoline to a motor vehicle. Without
22
23
it, the de ice is inoperable. Defendants require bandwidth to conduct their tracking activities
24
made the basis of this action. However, the bandwidth used is that of the Plaintiff and Class
25
Member . Like an individual that fills up their car's gas tank to find it empty because their
26
27
neighbor drove their car without permission, Plaintiff and Class Members pay monthly
28
CLAS
ACTION COMPLAINT
22
1
2
3
bandwidt use fees for their own use and not by Defendants to conduct their tracking business.
efendants' perspective, reducing their own bandwidth usages reduces their own costs
Defendants' unauthorized interception and use of Plaintiffs and Class Members'
4
5
electroni communications, include, but are not limited to, the following:
6
a.
7
communications after Plaintiff and Class Members visited the websites
8
Interception of the Plaintiffs and Class Members' electronic
a d then used their Computing Devices to limit access for tracking;
9
i eluding, but not limited to, deleting cookies and implementing
10
11
echanisms to limit re-spawning made the basis of this action;
Use of the Plaintiffs and Class Members' bandwidth by Defendants to
12
b.
13
install their tracking mechanisms within their Computing Devices;
14
c.
Use of the Plaintiffs and Class Members' bandwidth by Defendants to
15
activate, use, and monitor their online activities;
16
Use of the Plaintiffs and Class Members' bandwidth by Defendants to
17
d.
18
add tracking mechanisms;
19
e.
20
Use of the Plaintiffs and Class Members' bandwidth by Defendants to
provide access to, and use by Google affiliates of their Computing
21
22
evices;
Use of the Plaintiffs and Class Members' bandwidth by Defendants to
23
f.
24
conduct advertising procedures, including, but not limited to, "calls" to
25
t ird party web analytic vendors, advertising networks, and their
26
ffiliates.
27
28
CLASS ACTION COMPLAINT
23
1
2
6~.
The technology behind the World Wide Web is the Hypertext Transfer Protocol
(HTTP) ahd it does not make any distinction as to the types of links; thus, all links are
3
functiona ly equal. Resources may be located on any server at any location. When a website is
4
5
visited, tl e browser first downloads the textual content in the form of an HTML document. The
6
downloac ed HTML document may call for other HTML files, images, scripts and/or style sheet
7
files to b processed. These files may contain tags which supply the URLs that allow images to
8
display on the page. The HTML code generally does not specify a server, meaning that the web
9
10
browser hould use the same server as the parent code. It also permits absolute URLs that refer t
11
images hosted on other servers. Once the application has stored the data, it will attempt to send
12
informat on back to affiliated servers. In most cases this is done every time a user opens and
13
closes a Jrowser. The data is continually tracked. A website that enables tracking does not take
14
just one :sample; it will record every use of the website for the life of that website on a user's
15
16
17
18
19
computer and the user's information is sent automatically at a user's bandwidth expense.
~
0.
Ads consume vast amounts of bandwidth, which results in slowing a user's
internet connection by using their bandwidth and diminishing the Computing Devices' battery
life in o der to retrieve advertisements. Web analytics devour more bandwidth than ads by
20
accessir g bandwidth to download and run ad script; thus Plaintiff and Class Members that did
21
22
23
24
25
not access ads on a website still had the Defendants use their bandwidth for its tracking:
When you're probing, you're using a user's battery and data when
they don't know about it, but it's a faster way to build up data
cause you're not waiting for the user to check in a few times a day.
You're pinging in 100 times a day ....
26
27
28
Yarrow Jay "Everything You Need to Know About How Phones are Stalking You Everywher "
(last ac essed February 21, 2012) available online at: http://www.businessinsider.com/skvhoo~
ceo-20 l-4#ixzz1PTSN01oa
CLA S ACTION COMPLAINT
24
1
2
71.
Advertisers are now using the Internet as their primary ad-delivery pipe,
continual y uploading and downloading data from networks, causing substantial bandwidth use.
3
Ads that
ere hidden in content or bundled used substantial bandwidth, as did updates. Web
4
5
analytics ctivities delayed Plaintiffs and Class Members' movement on websites, and used
6
their ban width to carry out Defendants' activities.
7
7 .
Web analytic vendor and ad networks use ad content, such as streaming video an
8
audio, th t requires excessive use of Plaintiffs and Class Members' bandwidth. This is due in
9
10
part tot
fact that there was no incentive to reduce the ad size used because they could directly
11
pass cos s for bandwidth and ad delivery content to Plaintiff and Class Members, without the
12
Plaintiff nd Class Members having any notice. For example, while Plaintiff and Class Member
13
were br wsing a website, at the same time web analytic vendors and ad networks were silently
14
harvesti g personal data and sending it to remote servers using Plaintiffs and Class Members'
15
16
17
18
19
Defendants' use of Plaintiffs and Class Members' bandwidth for their data
mining ctivities is similar in nature to a practice called "hot linking," wherein one server uses
erver's bandwidth to send data. While it slows down the server, it also allows
20
bandwi th costs to be transferred to another server. Defendants' data mining activities produce
21
22
similar nauthorized bandwidth use. While only tech savvy individuals are aware that their
23
Compu ing Devices are used as a server without their knowledge or consent, fewer individuals
24
are aw e of the extent that web analytic vendors and ad networks make "calls" to third parties
25
and of e amount of user's bandwidth used when a user merely accesses a site.
26
27
28
Excluding the amount of bandwidth that the Plaintiff and Class Members use,
amoun necessary to operate their computer, the amount expected by the user's interaction wit
CL SS ACTION COMPLAINT
25
e
1
2
the websi e, and that of which was agreed upon by the user, Defendants' unauthorized data
mining activities caused substantial bandwidth use to the Plaintiff and Class Members that
3
resulted i ~ actual out of pocket expenditures. Defendants' activities include, but are not limited
4
5
to, the fol owing:
6
a.
7
websites and tracking mechanisms set on their Computing Devices;
8
b.
Transmittal of and access to Plaintiffs and Class Members' accessed
Loading of ads first before content, bundling ads, and ads with
9
excessive bandwidth;
10
Use of Software Development Kits ("SDKs"), and their functions
11
c.
12
within Plaintiffs and Class Members' Computing Devices';
13
d.
Harvesting of Plaintiffs and Class Members' Computing Devices'
e.
Harvesting of Plaintiffs and Class Members' PI, PII, and SII;
17
f.
"Background" activities including "data mining";
18
g.
"Push notifications" of content to user's Computing Devices; and
h.
Re-direction of Plaintiffs and Class Members' Computing Devices to
14
d~ta;
15
16
19
20
make "calls" to Defendants and Google Affiliates for marketing
21
22
1 urposes.
23
' 5.
24
25
The amount of bandwidth use on Computing Devices can be measured directly l y
analyzir g the logged traffic use, which varies generally between 0 bytes and about 500k bytes
per sess on. The traffic use, whether expected by the user or not, is part of the normal operation
26
of the Computing Device. Website traffic analysis shows the majority of the traffic is tracking
27
28
code in ~gration and the directing of traffic to third party servers. The traffic to third parties for
CLA S ACTION COMPLAINT
26
1
2
marketin~ purposes is not required nor authorized by the user; moreover, the user is never
prompte1 to allow it or notified that it has occurred.
3
7fJ.
The basic nature of HTTP is a challenge-response protocol. For each request,
4
5
6
there is r ecessarily a response. Conventional technical usage would refer to the challengeresponse pair as a single "call".
7~.
7
8
In HTTP/1.0, an HTTP request requires a new TCP/IP connection to be initiated
and then tom down after the response. This causes a significant amount of bandwidth to be
9
wasted coing the "bookkeeping" for each TCP/IP session. The excessive bandwidth use is
10
11
related t l defining how to issue multiple requests and receive responses using a single TCP/IP
12
connecti~m. Websites must be able to open essentially only a limited amount of connections,
13
whateve the designated "simultaneous network connections" setting is to the server for the
14
entire
se~sion.
15
'8.
16
Although memory is technically any form of electronic storage, it is used most
17
often to 'dentify fast, temporary forms of storage. If a user'sComputing Device's CPU had to
18
constan y access the HDD to retrieve every piece of data it needs, it would operate very slowly.
19
'9.
The cache increases transfer performance. A part of the increase similarly come!
20
from th< possibility that multiple small transfers will combine into one large block. The main
21
22
perform~nce gain occurs because the same datum will be read from cache multiple times, or th1 t
23
written ~ata will soon be read. A cache's sole purpose is to reduce accesses to the underlying
24
slower ~to rage.
25
0.
CPUs need quick and easy access to large amounts of data in order to maximize
26
their pe formance. If the CPU cannot get to the data it needs, it literally stops and waits for the
27
28
data to
~e
processed.
CLA: S ACTION COMPLAINT
27
1
81.
2
Defendants' services must interface with, and draw bandwidth from, Plaintiff's
and Class Members' Computing Devices' limited bandwidth data plan in order to complete its
3
tracking ractices. Like a "bad" neighbor that sneaks over in the dead of night to plug in an
4
extensior cord into their neighbor's electrical outlet to "suck out" kilowatts, Defendants were
5
6
"hogging' the Plaintiff's and Class Members' purchased and limited bandwidth plan, and not
7
reimburs ng Plaintiff and Class Members for using their limited data plan. The economic harm i
8
actual, n n-speculative, out of pocket, sum certain, and scientifically documented:
9
"If consumers perceive that rich media ads and other marketing
activities affecting their consumption of bandwidth, and that they
are paying to watch ads, it could [] affect mobile advertising."
10
11
12
13
Chantal ~"'ode, "T-Mobile's new pricing reflects concern over growing bandwidth use" (last
accessed February 21, 2012) available online at:http://mobilemarketer.com/cms/news/carrier-
14
15
network /10014.html
v.
16
Plaintiff brings this action pursuant to Fed. R. Civ. P. 23(a), and (b)(1), (b)(2)
17
18
CLASS ALLEGATIONS
and/or ( J )(3) on behalf of herself and the following class:
19
All persons residing in the United States who possessed a
20
Computing Device which had a Safari or IE browser that had
21
22
Defendants circumvent their Computing Devices' privacy
23
preferences ("Class").
24
B.
The Class Period is defined as the time period applicable under the claims to be
25
26
certifie .
27
28
CLFSS ACTION COMPLAINT
28
1
2
Excluded from the Class are Defendants, their assigns, and successors, legal
84.
representa ives, and any entity in which Defendants have a controlling interest. Also excluded is
3
the judge t whom this case is assigned and the judge's immediate family.
4
5
6
7
8
Plaintiff reserves the right to revise this definition of the Class based on facts
85.
learned as litigation progresses.
The Class consists of millions of individual and other entities, making joinder
86
impractic 1.
9
87
The claims of Plaintiff are typical of the claims of all other members of the Class.
88
Plaintiff will fairly and adequately represent the interests of the Class. Plaintiff
10
11
12
has retain d counsel with substantial experience in prosecuting complex litigation and class
13
actions, i eluding privacy cases. Plaintiff and her counsel are committed to vigorously
14
g this action on behalf of the Class and have the financial resources to do so. Neither
15
Plaintiff
r her counsel any interests adverse to those of the Class.
16
Absent a class action, most Class Members would find the cost of litigating their
17
18
claims to e prohibitive and would have no effective remedy. The class treatment of common
19
questions of law and fact is also superior to multiple individual actions or piecemeal litigation in
20
serves the resources of the courts and the litigants and promotes consistency and
21
22
efficienc of adjudication.
Defendants have acted and failed to act on grounds generally applicable to
23
24
25
Plaintiff nd the Class, requiring the Court's imposition of uniform relief to ensure compatible
standards of conduct toward the Class.
26
9 .
The factual and legal bases of Defendants' liability to Plaintiff and to the other
27
28
Class Me hers are the same, resulting in injury to Plaintiff and all of the other Class Members.
CLASS ACTION COMPLAINT
29
1
2
Plaintiff ar d the other Class Members have all suffered harm and damages as a result of the
Defendant ' wrongful conduct.
3
92.
There are many questions of law and fact common to Plaintiff and the Class, and
4
5
6
those ques ions predominate over any questions that may affect only individual Class Members.
Common , nd predominant questions for the Class include, but are not limited to, the following:
a. What was the extent of Defendants' business practice of circumventin~
7
8
users' Computing Device security settings to transmit, access, collect
9
monitor, and remotely store users' data?
10
11
b. What information did Defendants collect from their business practices o
12
circumventing users' Computing Device security settings to transmit
13
access, collect, monitor, and remotely store users' data, and what did the)
14
do with that information?
15
c. Whether users, by virtue of visiting websites with Defendants' trackin~
16
17
mechanisms, had pre-consented to the operation of Defendants' busines
18
practices of circumventing users' Computing Device security settings t<
19
transmit, access, collect, monitor, and remotely store users' data;
20
d. Was there adequate notice, or any notice, of the operation of Defendants
21
business practices of circumventing users' Computing Device securit
22
23
settings to transmit, access, collect, monitor, and remotely store users' dat
24
provided to Plaintiff and Class Members?
25
e. Was there reasonable opportunity to decline the operation of Defendant: '
26
business practices of circumventing users' Computing Device securi
27
28
CLAS
ACTION COMPLAINT
30
1
settings to transmit, access, collect, monitor, and remotely store users' dat
2
provided to Plaintiff and Class Members?
3
f.
Did Defendants' business practices of circumventing users' Computin
4
Device security settings to transmit, access, collect, monitor, and remotel
5
store users' data disclose, intercept, and transmit PI, PII or SII?
6
7
g. Whether Defendants' devised and deployed a scheme or artifice to de frau
8
or conceal from Plaintiff and the Class Members Defendants' ability to
9
and practice of, circumventing users' Computing Device security setting
10
to transmit, access, collect, monitor, and remotely store users' data, fo
11
12
their own benefit, personal information, and tracking data from Plaintiff
13
and the Class members' personal Computing Devices via the ability t
14
track their data on their Computing Device;
15
h. Whether Defendants engaged in the deceptive acts and practices i
16
connection with their undisclosed and systemic practice of circumventin
17
18
users' Computing Device security settings to transmit, access, collect
19
monitor, and remotely store users' data on Plaintiffs and the Clas
20
Members' personal Computing Devices and using that data to track an
21
profile Plaintiffs and the Class Members' Internet activities and persona
22
habits, proclivities.
23
24
25
1.
Did
the
implementation
of Defendants'
business
practices
o
circumventing users' Computing Device security settings to transmit
26
access, collect, monitor, and remotely store users' data violate th
27
28
Computer Fraud and Abuse Act, 18 U.S.C. § 1030?
CLASS ACTION COMPLAINT
31
1
2
J.
Did
the
implementation
of Defendants'
business
practices
oJ
circumventing users' Computing Device security settings to transmit
3
access, collect, monitor, and remotely store users' data violate the
4
5
6
7
8
Electronic Communications Privacy Act, 18 U.S.C. § 2510 et seq.
k. Did
the
implementation
of
Defendants'
business
practices
o1
circumventing users' Computing Device security settings to transmit
access, collect, monitor, and remotely store users' data violate
th~
9
California's Computer Crime Law, Penal Code§ 502?
10
11
1. Did
the
implementation
of Defendants'
business
practices
o
12
circumventing users' Computing Device security settings to transmit
13
access, collect, monitor, and remotely store users' data violate
th~
14
California Invasion ofPrivacy Act, Penal Code§ 630 et seq.?
15
16
m. Did
the
implementation
of
Defendants'
business
practices
o
17
circumventing users' Computing Device security settings to transmit
18
access, collect, monitor, and remotely store users' data violate the
19
Consumers Legal Remedies Act, ("CLRA") California Civil Code § 175C
20
et seq.?
21
22
n. Did
the
implementation
of
Defendants'
business
practices
o
23
circumventing users' Computing Device security settings to transmit
24
access, collect, monitor, and remotely store users' data violate the Unfai
25
Competition, California Business and Professions Code§ 17200 et seq.?
26
o. Did
the
implementation
of
Defendants'
business
practices
o
27
28
circumventing users' Computing Device security settings to transmit
CLASS ACTION COMPLAINT
32
1
access, collect, monitor, and remotely store users' data violate th
2
California Customer Records Act, Cal. Civ. Code§ 1798.80 et seq.?
3
p. Did
the
implementation
of
Defendants'
business
practices
o
4
circumventing users' Computing Device security settings to transmit
5
6
access, collect, monitor, and remotely store users' data involve
7
Conversion?
8
q. Did
the
implementation
of
Defendants'
business
practices
9
circumventing users' Computing Device security settings to transmit
10
11
access, collect, monitor, and remotely store users' data involve a Trespas
12
to Personal Property I Chattels?
13
r.
14
Did
the
implementation
of
Defendants'
business
practices
o
circumventing users' Computing Device security settings to transmit
15
access, collect, monitor, and remotely store users' data result in Unjus
16
Enrichment?
17
18
s. Are any of the Defendants liable under a theory of aiding and abetting on
19
or more of the remaining Defendants for violations of the statutes liste
20
herein?
21
t.
22
Are the Defendants liable under a theory of civil conspiracy for violation
of the statutes listed herein?
23
24
u. Are the Defendants liable under a theory of unjust enrichment fo
25
violations of the statutes listed herein?
26
v. Whether Defendants participated in and/or committed or are responsibl
27
for violation oflaw(s) complained ofherein;
28
CLASS
CTION COMPLAINT
33
w. Are Class Members entitled to damages as a result of the implementatio
1
of Defendants' conduct, and, if so, what is the measure of those damages?
2
3
x. Whether Plaintiff and Class Members have sustained damages as a resul
4
of Defendants' conduct, and, if so, what is the appropriate measure o
5
damages;
6
y. Whether Plaintiff and Class members are entitled to declaratory andlo
7
injunctive relief to enjoin the unlawful conduct alleged herein; and
8
9
z. Whether Plaintiff and Class Members are entitled to punitive damages
10
and, if so, in what amount?
11
The questions of law and fact common to the Class predominate over any
12
9
13
question
14
methods or the fair and efficient adjudication of this controversy.
affecting only individual members and a class action is superior to all other available
15
16
17
9 .
Based on the foregoing allegations, Plaintiffs legal theories for relief include
those set forth below.
VI.
18
19
CAUSES OF ACTION
FIRST CAUSE OF ACTION
(Violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030)
20
21
5.
Plaintiff incorporates by reference and realleges all paragraphs previously allege
22
23
24
25
26
27
28
herein.
6.
Plaintiffs and the Class Members' Computing Devices are computers used in
affectin interstate commerce and communication and are therefore "protected computers" as
defined in the Computer Fraud and Abuse Act (the "CFAA"), 18 U.S.C. § 1030(e)(2).
97.
Defendants violated the CFAA, 18 U.S.C. § 1030(a)(4) in that they knowingly
and wi h intent to defraud, accessed the protected Computing Devices of Plaintiff and the Clas
34
CL SS ACTION COMPLAINT
1
2
Members
ithout authorization, or exceeding authorized access, and by means of such conduct,
furthered t e intended fraud and obtained things of value.
3
As described above, Defendants published an invalid P3P Compact Policy to
98.
4
5
transmit fa se information to Plaintiffs and Class Members' browsers and to thereby
6
surreptitio sly gain access to and place persistent cookies onto their Computing Devices.
7
8
Defendants acted without authorization or exceeding authorization in that Plaintif
and the Cl ss Members did not give Defendants permission or consent to place persistent cookie
9
on their C mputing Devices. In fact, they reasonably believed that Safari and IE would block
10
11
such cooki s from being placed on their Computing Devices or downgrade such cookies to the
12
status of se sion cookies.
13
10 .
Defendants' conduct was done knowingly and with intent to defraud in that
14
Defendant created and used an invalid P3P Compact Policy for the purpose of circumventing
15
16
17
18
19
the cookie- lltering functions of Plaintiffs and the Class Members' browsers and because they
had no legi imate purpose for using an invalid P3P Compact Policy.
101.
Through Defendants' conduct it was able to further their intended fraud of placing
persistent ookies on Plaintiffs and Class Members' Computing Devices and using such cookies
20
to collect
d maintain Plaintiffs and Class Members' PI, PII and SII, and to share that
21
22
informatio with third parties without the knowledge, consent, or authorization of Plaintiff and
23
Class Me bers.
24
25
As a direct and proximate result of Defendants' conduct, Plaintiff and Class
Members ave suffered harms and losses that include those described above.
26
27
28
CLASS
CTION COMPLAINT
35
103.
1
2
Defendants' unlawful access to Plaintiffs and Class Members' Computing
Devices t ough the use of invalid P3P Compact Policies constituted a single act that resulted in
3
an aggrega ed loss to Plaintiff and the Class Members of at least $5,000 within a one-year period.
4
Therefore, Plaintiff and the Class Members are entitled to compensatory damages.
5
In addition, Defendants' unlawful access to Plaintiffs and Class Members'
6
7
Computin Devices has caused Plaintiff and Class Members irreparable injury.
8
Unless restrained and enjoined, Defendant will continue to commit such acts.
9
10
Plaintiffs nd Class Members' remedy at law is not adequate to compensate them for these
11
inflicted, i minent, threatened, and continuing injuries, entitling Plaintiff and the Class
12
Members t remedies including injunctive relief as provided by 18 U.S.C. § 1030(g).
13
SECOND CAUSE OF ACTION
(Violation of the Electronic Communications Privacy Act
18 U.S.C. § et seq.)
14
15
10
17
18
Plaintiff incorporates by reference and realleges all paragraphs previously alleged
10
16
Plaintiff asserts this claim against each and every Defendant named herein in this
herein.
19
complaint n behalf of herself and the Class.
20
21
10
The Electronic Communications Privacy Act of 1986, 18 U.S.C. § 2510 et seq.,
22
("ECP A") regulates wire and electronic communications interception and interception of oral
23
communic tions, and makes it unlawful for a person to "willfully intercept, endeavor to
24
intercept, r procure any other person to intercept or endeavor to intercept, any wire, oral, or
25
electronic ommunication," within the meaning of 18 U.S.C. § 2511(1).
26
27
28
CLASS ACTION COMPLAINT
36
1
Defendants violated 18 U.S.C. § 2511 by intentionally acquiring and/or
2
g, by device or otherwise, Plaintiffs and Class Members' electronic communications,
3
without
owledge, consent or authorization.
4
111.
5
At all relevant times, Defendants engaged in business practices of intercepting the
6
Plaintiffs and Class Members' electronic communications, which included endeavoring to
7
intercept
8
e transmission of a user's Computing Devices' activities and interactions between the
user and i s contact online from within their Computing Devices. Once the Defendants obtained
9
the data, t ey used such to aggregate Computing Device data of the Plaintiff and Class Members
10
11
as they us d their Computing Devices.
The contents of data transmissions from and to Plaintiffs and Class Members'
12
13
Computi g Devices constitute "electronic communications" within the meaning of 18 U.S.C. §
14
2510.
15
11 3.
16
Plaintiff and Class Members are "person[s] whose ... electronic communication i
17
intercepte ... or intentionally used in violation of this chapter" within the meaning of 18 U.S.C.
18
§ 2520.
19
Defendants violated 18 U.S.C. § 2511(1)(a) by intentionally intercepting,
20
g to intercept, or procuring any other person to intercept or endeavor to intercept
21
22
23
24
25
Plaintiff and Class Members' electronic communications.
Defendants violated 18 U.S.C. § 2511(a)(c) by intentionally disclosing, or
endeavori g to disclose, to any other person the contents of Plaintiffs and Class Members'
electronic communications, knowing or having reason to know that the information was obtaine
26
through t e interception of Plaintiffs and Class Members' electronic communications.
27
28
CLASS ACTION COMPLAINT
37
1
2
Defendants violated 18 U.S.C. § 2511(1)(d) by intentionally using, or
116
endeavorin to use, the contents of Plaintiffs and Class Members' electronic communications,
3
knowing o having reason to know that the information was obtained through the interception of
4
5
6
7
Plaintiffs nd Class Members' electronic communications.
11
Defendants' intentional interception of these electronic communications without
Plaintiffs r Class Members' knowledge, consent, or authorization was undertaken without a
8
facially va id court order or certification.
9
10
11
Defendants intentionally used such electronic communications, with knowledge,
11
or having
12
interceptio , for an unlawful purpose.
13
ason to know, that the electronic communications were obtained through
11 .
Defendants unlawfully accessed and used, and voluntarily disclosed, the contents
14
of the inte cepted communications to enhance their profitability and revenue through advertising.
15
16
17
18
19
This disci sure was not necessary for the operation of Defendants' system or to protect
Defendant ' rights or property.
12 .
ECPA, 18 U.S.C. § 2520(a) provides a civil cause of action to "any person whose
wire, oral, or electronic communication is intercepted, disclosed, or intentionally used" in
20
violation f the ECP A.
21
Defendants are liable directly and/or vicariously for this cause of action. Plaintiff
22
23
and Class
embers therefore seek remedy as provided for by 18 U.S.C. § 2520, including such
24
prelimina
and other equitable or declaratory relief as may be appropriate, damages consistent
25
with subs ction (c) of that section to be proven at trial, punitive damages to be proven at trial,
26
27
and reaso able attorneys' fees and other litigation costs reasonably incurred.
28
CLASS ACTION COMPLAINT
38
12 .
1
2
Plaintiff and Class Members have additionally suffered loss by reason of these
violations, including, without limitation, violation of the right of privacy.
3
12 .
Plaintiff and the Class Members, pursuant to 18 U.S.C. § 2520, are entitled to
4
5
preliminar , equitable, and declaratory relief, in addition to statutory damages of the greater of
6
$10,000 o $100 a day for each day of violation, actual and punitive damages, reasonable
7
attorneys' ees, and Defendants' profits obtained from the above-described violations. Unless
8
nd enjoined, Defendants will continue to commit such acts. Plaintiffs remedy at law
9
is not ade uate to compensate for these inflicted and threatened injuries, entitling Plaintiff to
10
11
remedies i eluding injunctive relief as provided by 18 U.S.C. 2510.
THIRD CAUSE OF ACTION
(Violations of Cal. Penal Code 502
The California Computer Crime Law ("CCCL"))
12
13
14
12
16
17
18
Plaintiff incorporates by reference and realleges all paragraphs previously alleged
12
15
Defendants violated Cal. Penal Code § 502(c)(2) by knowingly and without
herein.
permissio accessing, taking, and using Plaintiffs and the Class Members' Computing Devices.
19
Defendants accessed, copied, used, made use of, interfered with, and/or altered,
20
21
data belo
ing to Plaintiff and Class Members: ( 1) in and from the state of California; (2) in the
22
home stat s of the Plaintiff and the Class Members; and (3) in the states in which the servers that
23
provided ervices and communication links between Plaintiff and Class Members and the
24
websites
ith which they interacted were located.
25
Cal. Penal Code § 5020) states: "For purposes of bringing a civil or a criminal
26
27
28
action un er this section, a person who causes, by any means, the access of a computer,
computer ystem, or computer network in one jurisdiction from another jurisdiction is deemed to
CLASS ACTION COMPLAINT
39
1
2
have pen onally accessed the computer, computer system, or computer network in each
j urisdicti tm."
3
1 8.
Defendants have violated California Penal Code§ 502(c)(l) by knowingly and
4
5
6
7
8
without J ermission altering, accessing, and making use of Plaintiffs and Class Members'
Computi g Devices and using the data in order to execute a scheme to defraud consumers.
1~9.
Defendants have violated California Penal Code§ 502 (c)(6) by knowingly and
without 1 ermission providing, or assisting in providing, a means of accessing Plaintiffs and
9
Class M~ mbers' Computing Devices, computer system and/or computer network.
10
11
150.
Defendants have violated California Penal Code§ 502(c)(7) by knowingly and
12
without ermission accessing, or causing to be accessed, Plaintiffs and Class Members'
13
compute system, and/or computer network.
14
1~ 1.
Pursuant to California Penal Code § 502(b )(1 0) a "Computer contaminant" mean~
15
16
"any set pf computer instructions that are designed to ... record, or transmit information within
17
compute , computer system, or computer network without the intent or permission of the owner
18
of the in ormation."
19
132.
Defendant have violated California Penal Code§ 502(c)(8) by knowingly and
20
without bermission introducing a computer contaminant into the transactions between Plaintiff
21
22
23
24
25
and the lr.lass Members and websites; specifically, web page interactions that propagate a
harvesti g software placed there by Defendants.
133.
As a direct and proximate result of Defendants' unlawful conduct within the
meaning of California Penal Code § 502, Defendants have caused loss to Plaintiff and the Class
26
Membe s in an amount to be proven at trial. Plaintiff and the Class Members are also entitled tc
27
28
recover heir reasonable attorneys' fees pursuant to California Penal Code§ 502(e).
CLAS~ ACTION COMPLAINT
40
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
