Dunstan et al v. comScore, Inc.
Filing 176
DECLARATION of Robyn Bowland regarding memorandum in opposition to motion 175 (Attachments: # 1 Exhibit A, # 2 Exhibit B, # 3 Exhibit C, # 4 Exhibit D, # 5 Exhibit E, # 6 Exhibit F, # 7 Exhibit G, # 8 Exhibit H, # 9 Exhibit I, # 10 Errata J, # 11 Exhibit K, # 12 Exhibit L, # 13 Exhibit M, # 14 Exhibit N, # 15 Exhibit O, # 16 Exhibit P, # 17 Exhibit Q, # 18 Exhibit R, # 19 Exhibit S, # 20 Exhibit T, # 21 Exhibit U, # 22 Exhibit V, # 23 Exhibit W)(Bowland, Robyn)
EXHIBIT L
HARRIS & DUSTAN v. COMSCORE, INC.
September 12, 2012
YVONNE BIGBEE
Page 1
IN THE UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF ILLINOIS, EASTERN DIVISION
______________________________
MIKE HARRIS and JEFF DUNSTAN,
individually and on behalf of
a class of similarly situated
individuals,
Plaintiffs,
vs.
COMSCORE, INC., a Delaware
corporation,
Defendant.
Case No. 1:11-5807
Hon. James F. Holderman
______________________________
Wednesday, September 12, 2012
Reston, Virginia
DEPOSITION OF:
YVONNE BIGBEE,
a witness, called for oral examination by counsel for
plaintiffs in the above-captioned matter, pursuant to
Notice and agreement of the parties as to time and date,
held at the offices of ComScore, Inc., 11950 Democracy
Drive, Suite 600, Reston, Virginia 20191, beginning at
approximately 9:30 o'clock, a.m., before Patricia Klepp,
RMR, a court reporter and Notary Public in and for the
Commonwealth of Virginia, when were present on behalf of
the respective parties:
CAROL J. THOMAS STENOTYPE REPORTING SERVICES, INC.
800-322-9221
www.carolthomasreporting.com
5c6af110-4717-49d1-9eb4-e891379fc139
Page 2
APPEARANCE OF COUNSEL:
For the Plaintiffs:
EDELSON McGUIRE, LLC
BY: BEN THOMASSEN, ESQUIRE
CHANDLER R. GIVENS, ESQUIRE
350 North LaSalle, Suite 1300
Chicago, Illinois 60654
(312) 589-6370
E-Mail: bthomassen@edelson.com
cgivens@edelson.com
For the Defendant:
QUINN, EMANUEL, URQUHART & SULLIVAN, LLP
BY: STEPHEN A. SWEDLOW, ESQUIRE
ROBYN M. BOWLAND, ESQUIRE
500 West Madison Street, Suite 2450
Chicago, Illinois 60661
(312) 705-7400
E-Mail: stephenswedlow@quinnemanuel.com
robynbowland@quinnemanuel.com
--continued--
Page 3
APPEARANCE OF COUNSEL: (cont)
For the Defendant:
THOMAS S. CUSHING III, ESQUIRE
Deputy General Counsel and Privacy Officer
comScore, Inc.
11950 Democracy Drive, Suite 600
Reston, Virginia 20190-5624
(703) 438-2000
E-Mail: tcushing@comscore.com
-0-
Page 4
I-N-D-E-X
Witness:                                    Page:
YVONNE BIGBEE
Examination by Mr. Thomassen                5
Lunch recess                                112
Examination by Mr. Thomassen (resumed)      113
-0-
Exhibits: (Included in transcript)          Page:
Deposition Exhibit No. 1                    77
Deposition Exhibit No. 2                    96
Deposition Exhibit No. 3                    100
Deposition Exhibit No. 4                    107
Deposition Exhibit No. 5                    113
Deposition Exhibit No. 6                    116
Deposition Exhibit No. 7                    120
Deposition Exhibit No. 8                    122
Deposition Exhibit No. 9                    126
Deposition Exhibit No. 10                   128
Deposition Exhibit No. 11                   130
Deposition Exhibit No. 12                   132
Deposition Exhibit No. 13                   135
Deposition Exhibit No. 14                   141
Page 5
PROCEEDINGS
Thereupon,
YVONNE BIGBEE,
a witness, was called for examination by counsel for the
plaintiffs, and after having first been duly sworn by
the Notary Public, was examined and testified as
follows:
EXAMINATION BY COUNSEL FOR PLAINTIFFS
BY MR. THOMASSEN:
Q. Good morning.
A. Good morning.
Q. The record should reflect that this is the
oral deposition of Yvonne Bigbee, taken pursuant to
notice, in the Dunstan v. comScore matter, Case
No. 11-CV-5807 in the Northern District of Illinois.
Now, you've just been sworn in. Is this your
first deposition?
A. Yes, it is.
Q. Okay. Before we get started, I'll go over a
few ground rules that will help us today.
The first and most important is that you have
to give verbal answers to all my questions, and the
Page 54
HTTPS post data?
A. No. We exclude sites such as edu, for
example.
Q. Okay. Excluding site-specific information,
such as dot-edu, does comScore collect all HTTPS post
data for dot-com sites, for example?
A. No. It depends on the rule, so I don't want
to say all.
Q. Is there an instance where there's HTTPS data
from one web page that a panelist viewed where comScore
would capture some, but not all, of the post data from
that page?
A. Yes.
Q. Can you give me an example?
A. It depends on the MIME type of the post data.
Q. Okay.
A. So if it's not a MIME type text,
for example, we would not collect the post data.
Q. Is that an example -- do you have an
example -- and I might just be running close to my
limits of understanding, here, but the -- was that an
example of HTTPS -- let me start over.
Page 55
Can you give me an example of HTTPS/HTML post
data where some, but not all, of the data is collected?
A. (Pause.)
Okay. If you were online taking an online
survey, depending on how their survey is rendered, if
the URL of the survey is included in our collection
rule, if the response of the page is text,
and if a user does type in, yes, I'm a Democrat, yes, I
will be voting in this election, accept, enter, that
data will be sent up --
Q. Okay.
A. -- if it is because it was in the form of HTML
and the URL is -- matches our rule.
However, on the same web page, visible to the
user, there could be background calls that is coded on
the web page, invisible to the user, but just internal
to that survey web post, to kind of serve as an internal
ping, hey, I'm version XXX, here's the time stamp of the
machine, for example.
And that, if that was sent up via an
application/json call, we would not collect that.
Q. Is it not collected because the software can't
Page 56
collect it, or is it programmed to not collect it?
A. It's programmed not to collect it.
Q. I understand. How about things on --
regarding the same HTTPS/HTML post data, are things like
user names collected by comScore software?
A. It's fuzzified before collection.
Q. So -- and we will talk more about
fuzzification in just a few minutes, but user names are
collected in some form by the software?
MR. SWEDLOW: I'll object as asked and
answered. I ask you not to say the word fuzzified
in the answer.
MR. THOMASSEN: I understand what she's
saying.
MR. SWEDLOW: Well, then I'm going to object
as asked and answered.
BY MR. THOMASSEN:
Q. You can answer.
A. Can you repeat the question?
Q. Sure. I asked you whether user names were
collected, and you said, well, they're fuzzified.
Is that fuzzified information still sent up to
Page 57
comScore server?
A. Yes.
Q. Okay. How about things like passwords, same
process?
A. Same process.
Q. Credit card numbers?
A. Fuzzification is applied.
Q. And then the fuzzified information --
A. Fuzzified data is sent up.
Q. Right. And Social Security numbers?
A. Same process.
MR. THOMASSEN: Okay. This would be actually
a good place for me to take a break, mostly because
I have to use the restroom.
MR. SWEDLOW: I object.
(Whereupon, a recess was taken.)
MR. THOMASSEN: Back on.
BY MR. THOMASSEN:
Q. Before we move on, is it accurate to say that
all HTTP and HTTPS page data is collected unless
specified by a rule file to not collect it?
A. No. Everything is dictated in the rules file
Page 58
on what to collect.
Q. Okay.
A. So there's not a blanket collect everything
that's written in the code.
Q. So is it right that for any -- when collecting
page data from any given HTTP or HTTPS page, whether or
not a particular piece of data is collected is dependent
on a rule file?
A. Yes.
Q. And the rule file will tell comScore software
to either collect all of the data, some of the data or
none of the data?
A. Yes.
Q. All right. So I want to talk for a while
about fuzzification, which we brought up earlier.
Can you -- you mentioned earlier, but can you
generally describe for me now what fuzzification
involves?
A. Sure. There are two types of fuzzification.
One is page data fuzzification, and the second is post
data fuzzification.
The general idea behind fuzzification is, we
Page 59
look for patterns in the data that could be sensitive,
and we either hash the data or X out enough of the
string where it is no longer personally identifiable.
Q. So you talked about two things there, hashing
and then X-ing out. Those are different things?
A. Yes.
Q. Can you describe what hashing is?
A. It is -- hashing is -- there's a mathematical
formula, where we take the string itself and apply this
algorithm to it, and then the outcome is an 18-digit
long string of numbers that kind of represents an
original string, but it's completely different.
Q. I understand. Is there one hashing formula
that applies to all data that is hashed?
A. Yes.
Q. Okay. Now, what about X-ing out; what is
that?
A. Where we actually take the string; instead of
applying the hashing algorithm, we just replace the
digits with X.
Q. Is that the same thing as zeroing?
A. Yes, same concept.
Page 60
Q. So would you say that hashing is synonymous
with fuzzification?
A. No.
Q. So how is hashing different than
fuzzification?
A. Hashing is just one form of fuzzification.
Q. So if I were to say this string has been
hashed, would I also be saying that this string has been
fuzzified?
A. Yes.
Q. Okay. And X-ing out, that is also a form of
fuzzification?
A. Yes.
Q. So let's take a credit card number, for
example. They are 14 digits long, I think?
A. Sixteen.
Q. Sixteen digits long? Are credit card numbers
ever X-ed out?
A. Yes.
Q. How many of the credit card numbers would be
X-ed out?
A. We -- I believe we keep the first six or
Page 61
seven. I don't -- it's either six or seven, I'm not
exactly sure, and the rest of the 16 digits after the
sixth or seventh digits are X-ed out.
Q. Okay. And after a portion of the credit card
number is X-ed out, is that value then sent to comScore?
A. Yes.
Q. So that X-ed out value, I'll call it, is not
additionally hashed?
A. No.
Q. Okay. Is there one -- I'm going to call it a
zeroing formula, that applies to all credit card
numbers, for example?
MR. SWEDLOW: Are you talking about hashing?
MR. THOMASSEN: No, I'm talking about zeroing
or X-ing.
MR. SWEDLOW: Oh, X-ing, right.
A. If it's a 16-digit number, we assume that it's
a credit card number. The same logic would apply to
that 16-digit number.
BY MR. THOMASSEN:
Q. Is it correct to say that all 16-digit credit
card numbers collected by comScore are X-ed out as
Page 62
opposed to hashed?
A. I believe so, if it's a credit card number.
Q. Okay.
A. Some account numbers could be 16 digits.
Q. Okay. How about, if you know, things like
user names? Are they hashed or zeroed?
A. User names are hashed.
Q. And that, to your knowledge, applies for all
user names?
A. In the post data, yes.
Q. In the post data. How about Social Security
numbers?
A. Social Security numbers should be X-ed out.
Q. Do you know what -- how many digits of a
Social Security number would be X-ed out, if you know?
A. That one I'm not familiar.
Q. That's fine. How about e-mail addresses?
A. I believe that is hashed, but I'm not
100 percent sure.
Q. Okay. How about things like street addresses?
A. I do not believe that one is hashed.
Q. Or zeroed?
Page 63
A. Or zeroed.
Q. So it's not -- you do not believe street
addresses are fuzzified, in other words?
A. Correct.
Q. How about names -- how about first names?
Sorry.
A. If it's in the post data, it is hashed.
Q. And I'm assuming last names as well?
A. Yes.
Q. How about date of birth?
A. I'm not sure.
Q. Bank account numbers?
A. I know it's fuzzified. I don't know if we
hash or zero; I'm not 100 percent sure.
Q. That's fair. How about routing numbers, if
you know?
A. I don't.
Q. That's fine.
A. It depends on the pattern.
Q. Mm hmm.
(Whereupon, a discussion was held off the
record.)
Page 64
BY MR. THOMASSEN:
Q. How about encryption? Is that -- does
comScore ever encrypt post data?
A. During transmission, yes.
Q. Is encryption a separate process from
fuzzification?
A. Yes.
Q. So it is not correct to say that if
information is encrypted, it's also considered
fuzzified?
MR. SWEDLOW: Can you read that back?
(Whereupon, the court reporter read the
requested portion of the proceedings.)
A. Correct.
BY MR. THOMASSEN:
Q. So it's -- so the words encryption and
fuzzified are not used interchangeably; they mean
different things?
A. Yes.
Q. Okay. How does comScore determine whether or
not it's properly fuzzifying information?
A. We have the Mystery Shop program --
Page 65
Q. Okay.
A. -- that checks for fuzzification.
Q. Any other ways?
A. We have the QA test team, that every release
cycle, we go through a regression test script.
Q. Can you tell me what that means?
A. They -- it's a test plan that the test team
will execute against features of our software to make
sure that it's functioning properly, to make sure that
fuzzification is applied correctly, to make sure that
the upgrade mechanism is working properly.
So those would be on -- as part of the test
plan.
Q. Okay. Any other ways?
A. Those are the two that I can think of at the
moment.
Q. Okay. You mentioned a while ago that comScore
fuzzifies what it considers to be sensitive information;
is that right?
A. Correct.
Q. How does comScore determine what is or is not
sensitive information?
Page 66
A. We look for patterns in the data. So in the
example of a 16-digit consecutive numeric number, we
assume that that's a credit card number.
Q. Okay. Let me ask this a different way.
How is the determination made at the outset
that information should be fuzzified? So, for example,
comScore fuzzifies credit card numbers; at some point,
it was determined that credit card numbers are something
that should be fuzzified. How is that determination
made?
A. It is made on the user's machine, while our
software is running.
Q. Okay. Let me -- I'm trying to find out how
comScore determines that things like names, e-mails,
dates of birth, credit card numbers, Social Security
numbers are sensitive information that should be
fuzzified.
MR. SWEDLOW: And I'm going to provide you a
an instruction.
To the extent that comScore makes that
decision based upon the advice of counsel,
including that guy over there, who's your in-house
Page 67
counsel, I'm going to instruct you not to answer,
because that communication and the product of that
communication is protected from disclosure.
I want you to answer the question, but I want
you to understand my instruction.
Are you okay with what I'm saying?
MR. THOMASSEN: Yes.
A. I think I'm not going to answer it, based
on --
MR. SWEDLOW: What I just said?
A. -- attorney-client privilege.
MR. SWEDLOW: Yes.
So I'll just make the statement that the
determination of what is sensitive and what isn't
sensitive includes the attorney advice.
MR. THOMASSEN: Okay.
BY MR. THOMASSEN:
Q. How does -- so you mentioned that the Mystery
Shopper program is one way that comScore determines that
it's properly fuzzifying information that should be
fuzzified; right?
A. Correct.
Page 68
Q. What happens when the Mystery Shopper program
determines that information is not properly being
fuzzified?
A. They will report the incident to the QA team
to reproduce. Then the QA team will, when possible,
make a rules change to update our fuzzification logic to
enhance the new pattern.
Q. How is fuzzification logic updated?
A. By a rules file.
Q. And those are rules files that are referenced
by the OSSProxy software?
A. Yes.
Q. Okay. At what point is a JIRA ticket opened
about a problem like we're discussing now?
A. A JIRA ticket is logged when a code change is
required by the development team.
Q. So who would initially open a JIRA ticket, if
that's the right word?
A. For this particular incident?
Q. Yes.
A. Most of the time, it would be done by the QA
team, after reproducing the problem.
Page 69
Q. So the Mystery Shopper program team, for lack
of a better term, would not open the JIRA ticket --
A. Correct.
Q. -- in this instance.
A. Correct. I'm not aware of Mystery Shoppers
opening tickets in JIRA projects.
Q. Do you know about how long, on average, it
takes -- in an instance like this, where the Mystery
Shopper program identifies that information is not being
properly fuzzified, how long does it take for the rule
file to be changed?
A. The rules file can be updated at any time.
Are you asking me how long from discovery? Can you be
more specific? I don't understand what you're asking.
Q. That's exactly what I'm asking, how long --
from the moment the problem is discovered till the
moment the problem is solved by updating the rules file,
how much time passes, on average?
MR. SWEDLOW: I'll object, but if you have
an -- on average --
A. I don't know; it depends. It's a
case-by-case; I don't know.