Dunstan et al v. comScore, Inc.

Filing 156

DECLARATION of Jay Edelson regarding memorandum in support of motion 154 (Attachments: # 1 Exhibit A, # 2 Exhibit B, # 3 Exhibit C, # 4 Exhibit D, # 5 Exhibit E, # 6 Exhibit F, # 7 Exhibit G, # 8 Exhibit H, # 9 Exhibit I, # 10 Exhibit J, # 11 Exhibit K, # 12 Exhibit L, # 13 Exhibit M, # 14 Exhibit N, # 15 Exhibit O, # 16 Exhibit P, # 17 Exhibit Q, # 18 Exhibit R, # 19 Exhibit s, # 20 Exhibit t)(Thomassen, Benjamin)

EXHIBIT L

HARRIS & DUSTAN v. COMSCORE, INC. September 12, 2012 YVONNE BIGBEE

Page 1

IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS, EASTERN DIVISION

MIKE HARRIS and JEFF DUNSTAN, individually and on behalf of a class of similarly situated individuals, Plaintiffs,

vs.

COMSCORE, INC., a Delaware corporation, Defendant.

Case No. 1:11-5807

Hon. James F. Holderman

Wednesday, September 12, 2012

Reston, Virginia

DEPOSITION OF: YVONNE BIGBEE, a witness, called for oral examination by counsel for plaintiffs in the above-captioned matter, pursuant to Notice and agreement of the parties as to time and date, held at the offices of ComScore, Inc., 11950 Democracy Drive, Suite 600, Reston, Virginia 20191, beginning at approximately 9:30 o'clock, a.m., before Patricia Klepp, RMR, a court reporter and Notary Public in and for the Commonwealth of Virginia, when were present on behalf of the respective parties:

CAROL J. THOMAS STENOTYPE REPORTING SERVICES, INC. www.carolthomasreporting.com 800-322-9221

Page 40

Q. Sure. So can you explain to me what you mean by "collection confirmation"?

A. To -- they make sure that our software is collecting the data as expected --

Q. Okay.

A. -- into our system.

Q. And so to the extent you know, can you explain to me how they would confirm that it is collecting the data it's supposed to be collecting?

A. They would mimic panelists' behavior. So they would use a popular browser such as IE, Internet Explorer, to surf to CNN.com, for example, and click on a few articles to make sure that the URL is collected properly.

Or they would conduct a mystery shop on Amazon.com, for example, where they would put something in the basket as a user to make sure that comScore software is collecting the data properly and fuzzification is in place.

Q. Okay. And so can you tell me what you mean by "fuzzification"?

A. It's a system that we have in place to look

Page 41

for patterns in the data, to make sure that we either X out or hash any data that we deem to be sensitive to the user.

Q. Okay. Before we get too far away for it, you talked about collecting information -- I know you're just using an example -- on Amazon.com.

In that example, what sort of information would be collected by comScore software?

A. Products viewed. So if I went and looked at The Hunger Games book, for example, we would collect the product, the book name, we would collect the items in your shopping cart, so ...

Q. Do you understand the difference between page data and post data?

A. Yes.

Q. Can you explain that difference to me?

A. Page data is the content as it appears on the page to the user, most commonly in the form of HTML.

Post data is when the user submits data, oftentimes they enter themselves, to the destination web server.

Q. So would that be -- in the Amazon process you

Page 44

A. Can you repeat the question?

MR. SWEDLOW: Objection.

BY MR. THOMASSEN:

Q. Give me an example of HTML information that OSSProxy would not capture.

A. Information from dot-edu sites, university sites; information from a personal Google mail contact, we don't collect that.

Q. So the -- why would comScore not collect information on dot-edu sites, page data information?

Let me start over. Why would comScore not collect HTML page data information from dot-edu sites?

A. It's not part of our business model to collect activities from universities --

Q. Okay.

A. -- student activities.

Q. And so then you talked about personal Google mail. That's a -- that would be a dot-com site; right?

A. Yes.

Q. Why would comScore not collect all the HTML information on a Google.com e-mail site?

A. Because we don't want to collect personal

Page 56

collect it, or is it programmed to not collect it?

A. It's programmed not to collect it.

Q. I understand. How about things on -- regarding the same HTTPS/HTML post data, are things like user names collected by comScore software?

A. It's fuzzified before collection.

Q. So -- and we will talk more about fuzzification in just a few minutes, but user names are collected in some form by the software?

MR. SWEDLOW: I'll object as asked and answered.

I ask you not to say the word fuzzified in the answer.

MR. THOMASSEN: I understand what she's saying.

MR. SWEDLOW: Well, then I'm going to object as asked and answered.

BY MR. THOMASSEN:

Q. You can answer.

A. Can you repeat the question?

Q. Sure. I asked you whether user names were collected, and you said, well, they're fuzzified.

Is that fuzzified information still sent up to

Page 57

comScore server?

A. Yes.

Q. Okay. How about things like passwords, same process?

A. Same process.

Q. Credit card numbers?

A. Fuzzification is applied.

Q. And then the fuzzified information --

A. Fuzzified data is sent up.

Q. Right. And Social Security numbers?

A. Same process.

MR. THOMASSEN: Okay. This would be actually a good place for me to take a break, mostly because I have to use the restroom.

MR. SWEDLOW: I object.

(Whereupon, a recess was taken.)

MR. THOMASSEN: Back on.

BY MR. THOMASSEN:

Q. Before we move on, is it accurate to say that all HTTP and HTTPS page data is collected unless specified by a rule file to not collect it?

A. No. Everything is dictated in the rules file

Page 59

look for patterns in the data that could be sensitive, and we either hash the data or X out enough of the string where it is no longer personally identifiable.

Q. So you talked about two things there, hashing and then X-ing out. Those are different things?

A. Yes.

Q. Can you describe what hashing is?

A. It is -- hashing is -- there's a mathematical formula, where we take the string itself and apply this algorithm to it, and then the outcome is an 18-digit long string of numbers that kind of represents an original string, but it's completely different.

Q. I understand. Is there one hashing formula that applies to all data that is hashed?

A. Yes.

Q. Okay. Now, what about X-ing out; what is that?

A. Where we actually take the string; instead of applying the hashing algorithm, we just replace the digits with X.

Q. Is that the same thing as zeroing?

A. Yes, same concept.

Page 60

Q. So would you say that hashing is synonymous with fuzzification?

A. No.

Q. So how is hashing different than fuzzification?

A. Hashing is just one form of fuzzification.

Q. So if I were to say this string has been hashed, would I also be saying that this string has been fuzzified?

A. Yes.

Q. Okay. And X-ing out, that is also a form of fuzzification?

A. Yes.

Q. So let's take a credit card number, for example. They are 14 digits long, I think?

A. Sixteen.

Q. Sixteen digits long?

Are credit card numbers ever X-ed out?

A. Yes.

Q. How many of the credit card numbers would be X-ed out?

A. We -- I believe we keep the first six or

Page 65

Q. Okay.

A. -- that checks for fuzzification.

Q. Any other ways?

A. We have the QA test team, that every release cycle, we go through a regression test script.

Q. Can you tell me what that means?

A. They -- it's a test plan that the test team will execute against features of our software to make sure that it's functioning properly, to make sure that fuzzification is applied correctly, to make sure that the upgrade mechanism is working properly.

So those would be on -- as part of the test plan.

Q. Okay. Any other ways?

A. Those are the two that I can think of at the moment.

Q. Okay. You mentioned a while ago that comScore fuzzifies what it considers to be sensitive information; is that right?

A. Correct.

Q. How does comScore determine what is or is not sensitive information?

Page 66

A. We look for patterns in the data. So in the example of a 16-digit consecutive numeric number, we assume that that's a credit card number.

Q. Okay. Let me ask this a different way.

How is the determination made at the outset that information should be fuzzified? So, for example, comScore fuzzifies credit card numbers; at some point, it was determined that credit card numbers are something that should be fuzzified.

How is that determination made?

A. It is made on the user's machine, while our software is running.

Q. Okay. Let me -- I'm trying to find out how comScore determines that things like names, e-mails, dates of birth, credit card numbers, Social Security numbers are sensitive information that should be fuzzified.

MR. SWEDLOW: And I'm going to provide you an instruction.

To the extent that comScore makes that decision based upon the advice of counsel, including that guy over there, who's your in-house

Page 67

counsel, I'm going to instruct you not to answer, because that communication and the product of that communication is protected from disclosure.

I want you to answer the question, but I want you to understand my instruction.

Are you okay with what I'm saying?

MR. THOMASSEN: Yes.

A. I think I'm not going to answer it, based on --

MR. SWEDLOW: What I just said?

A. -- attorney-client privilege.

MR. SWEDLOW: Yes.

So I'll just make the statement that the determination of what is sensitive and what isn't sensitive includes the attorney advice.

MR. THOMASSEN: Okay.

BY MR. THOMASSEN:

Q. How does -- so you mentioned that the Mystery Shopper program is one way that comScore determines that it's properly fuzzifying information that should be fuzzified; right?

A. Correct.

Page 68

Q. What happens when the Mystery Shopper program determines that information is not properly being fuzzified?

A. They will report the incident to the QA team to reproduce. Then the QA team will, when possible, make a rules change to update our fuzzification logic to enhance the new pattern.

Q. How is fuzzification logic updated?

A. By a rules file.

Q. And those are rules files that are referenced by the OSSProxy software?

A. Yes.

Q. Okay. At what point is a JIRA ticket opened about a problem like we're discussing now?

A. A JIRA ticket is logged when a code change is required by the development team.

Q. So who would initially open a JIRA ticket, if that's the right word?

A. For this particular incident?

Q. Yes.

A. Most of the time, it would be done by the QA team, after reproducing the problem.

Page 72

Q. Good guess.

Do you know what -- let me ask you this. Does comScore ever fuzzify specific categories of information for some panelists but not for others?

A. No.

Q. The information is either fuzzified for everyone or fuzzified for no one?

A. I believe so.

Q. Okay. Do you know, within this fuzzification context, what a black list is?

A. Yes.

Q. What is a black list?

A. The black list is the name of the rules file that we just discussed, where we can upload specific rules to apply new fuzzification logic.

Q. Where does the -- so does the black list reside in comScore servers?

A. Yes.

Q. Is the black list referenced every single time information is collected by OSSProxy?

A. Yes, when it's page data and post data.

Q. So if I fill out a form on a website and hit

Page 73

send, and that information is transmitted to the -- I don't know what to call it -- to the website, to the external servers, before comScore determines whether to collect the information from that page, the blacklist rule is referenced?

A. Yes.

Q. Okay. Is there also a copy of the black list on users' computers?

A. It's in memory of the user's computer.

Q. What do you mean, it's in memory?

A. When OSSProxy runs, it obtains the rules files, and it holds all the rules files in its allocated memory on the computer's machine.

Q. Is there ever an instance where OSSProxy would be running but using an out-of-date black list?

A. If you don't have access to the internet, then we wouldn't be able to update a fresh, new set, but at that point, you wouldn't be surfing.

Q. Right.

A. So if you have an active internet connection, our software should be able to obtain the most updated list.
