Dunstan et al v. comScore, Inc.

Filing 176

DECLARATION of Robyn Bowland regarding memorandum in opposition to motion 175 (Attachments: # 1 Exhibit A, # 2 Exhibit B, # 3 Exhibit C, # 4 Exhibit D, # 5 Exhibit E, # 6 Exhibit F, # 7 Exhibit G, # 8 Exhibit H, # 9 Exhibit I, # 10 Errata J, # 11 Exhibit K, # 12 Exhibit L, # 13 Exhibit M, # 14 Exhibit N, # 15 Exhibit O, # 16 Exhibit P, # 17 Exhibit Q, # 18 Exhibit R, # 19 Exhibit S, # 20 Exhibit T, # 21 Exhibit U, # 22 Exhibit V, # 23 Exhibit W)(Bowland, Robyn)

EXHIBIT L

HARRIS & DUSTAN v. COMSCORE, INC.
September 12, 2012
YVONNE BIGBEE

Page 1

IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS, EASTERN DIVISION

MIKE HARRIS and JEFF DUNSTAN, individually and on behalf of a class of similarly situated individuals, Plaintiffs,
vs.
COMSCORE, INC., a Delaware corporation, Defendant.

Case No. 1:11-5807
Hon. James F. Holderman

Wednesday, September 12, 2012
Reston, Virginia

DEPOSITION OF: YVONNE BIGBEE, a witness, called for oral examination by counsel for plaintiffs in the above-captioned matter, pursuant to Notice and agreement of the parties as to time and date, held at the offices of ComScore, Inc., 11950 Democracy Drive, Suite 600, Reston, Virginia 20191, beginning at approximately 9:30 o'clock, a.m., before Patricia Klepp, RMR, a court reporter and Notary Public in and for the Commonwealth of Virginia, when were present on behalf of the respective parties:

CAROL J. THOMAS STENOTYPE REPORTING SERVICES, INC. 800-322-9221 www.carolthomasreporting.com 5c6af110-4717-49d1-9eb4-e891379fc139

Page 2

APPEARANCE OF COUNSEL:

For the Plaintiffs:
EDELSON McGUIRE, LLC
BY: BEN THOMASSEN, ESQUIRE
CHANDLER R. GIVENS, ESQUIRE
350 North LaSalle, Suite 1300
Chicago, Illinois 60654
(312) 589-6370
E-Mail: bthomassen@edelson.com
cgivens@edelson.com

For the Defendant:
QUINN, EMANUEL, URQUHART & SULLIVAN, LLP
BY: STEPHEN A. SWEDLOW, ESQUIRE
ROBYN M. BOWLAND, ESQUIRE
500 West Madison Street, Suite 2450
Chicago, Illinois 60661
(312) 705-7400
E-Mail: stephenswedlow@quinnemanuel.com
robynbowland@quinnemanuel.com

--continued--

Page 3

APPEARANCE OF COUNSEL: (cont)

For the Defendant:
THOMAS S. CUSHING III, ESQUIRE
Deputy General Counsel and Privacy Officer
comScore, Inc.
11950 Democracy Drive, Suite 600
Reston, Virginia 20190-5624
(703) 438-2000
E-Mail: tcushing@comscore.com

-0-

Page 4

I-N-D-E-X

Witness: Page:
YVONNE BIGBEE
Examination by Mr. Thomassen 5
Lunch recess 112
Examination by Mr. Thomassen (resumed) 113

-0-

Exhibits: (Included in transcript) Page:
Deposition Exhibit No. 1 77
Deposition Exhibit No. 2 96
Deposition Exhibit No. 3 100
Deposition Exhibit No. 4 107
Deposition Exhibit No. 5 113
Deposition Exhibit No. 6 116
Deposition Exhibit No. 7 120
Deposition Exhibit No. 8 122
Deposition Exhibit No. 9 126
Deposition Exhibit No. 10 128
Deposition Exhibit No. 11 130
Deposition Exhibit No. 12 132
Deposition Exhibit No. 13 135
Deposition Exhibit No. 14 141

Page 5

PROCEEDINGS

Thereupon, YVONNE BIGBEE, a witness, was called for examination by counsel for the plaintiffs, and after having first been duly sworn by the Notary Public, was examined and testified as follows:

EXAMINATION BY COUNSEL FOR PLAINTIFFS

BY MR. THOMASSEN:
Q. Good morning.
A. Good morning.
Q. The record should reflect that this is the oral deposition of Yvonne Bigbee, taken pursuant to notice, in the Dunstan v. comScore matter, Case No. 11-CV-5807 in the Northern District of Illinois. Now, you've just been sworn in. Is this your first deposition?
A. Yes, it is.
Q. Okay. Before we get started, I'll go over a few ground rules that will help us today. The first and most important is that you have to give verbal answers to all my questions, and the

Page 54

HTTPS post data?
A. No. We exclude sites such as edu, for example.
Q. Okay. Excluding site-specific information, such as dot-edu, does comScore collect all HTTPS post data for dot-com sites, for example?
A. No. It depends on the rule, so I don't want to say all.
Q. Is there an instance where there's HTTPS data from one web page that a panelist viewed where comScore would capture some, but not all, of the post data from that page?
A. Yes.
Q. Can you give me an example?
A. It depends on the MIME type of the post data.
Q. Okay.
A. So if it's not a MIME type text<slash><star>, for example, we would not collect the post data.
Q. Is that an example -- do you have an example -- and I might just be running close to my limits of understanding, here, but the -- was that an example of HTTPS -- let me start over.

Page 55

Can you give me an example of HTTPS/HTML post data where some, but not all, of the data is collected?
A. (Pause.) Okay. If you were online taking an online survey, depending on how their survey is rendered, if the URL of the survey is included in our collection rule, if the response of the page is text<slash><star>, and if a user does type in, yes, I'm a Democrat, yes, I will be voting in this election, accept, enter, that data will be sent up --
Q. Okay.
A. -- if it is because it was in the form of HTML and the URL is -- matches our rule. However, on the same web page, visible to the user, there could be background calls that is coded on the web page, invisible to the user, but just internal to that survey web post, to kind of serve as an internal ping, hey, I'm version XXX, here's the time stamp of the machine, for example. And that, if that was sent up via an application/json call, we would not collect that.
Q. Is it not collected because the software can't

Page 56

collect it, or is it programmed to not collect it?
A. It's programmed not to collect it.
Q. I understand. How about things on -- regarding the same HTTPS/HTML post data, are things like user names collected by comScore software?
A. It's fuzzified before collection.
Q. So -- and we will talk more about fuzzification in just a few minutes, but user names are collected in some form by the software?
MR. SWEDLOW: I'll object as asked and answered. I ask you not to say the word fuzzified in the answer.
MR. THOMASSEN: I understand what she's saying.
MR. SWEDLOW: Well, then I'm going to object as asked and answered.
BY MR. THOMASSEN:
Q. You can answer.
A. Can you repeat the question?
Q. Sure. I asked you whether user names were collected, and you said, well, they're fuzzified. Is that fuzzified information still sent up to

Page 57

comScore server?
A. Yes.
Q. Okay. How about things like passwords, same process?
A. Same process.
Q. Credit card numbers?
A. Fuzzification is applied.
Q. And then the fuzzified information --
A. Fuzzified data is sent up.
Q. Right. And Social Security numbers?
A. Same process.
MR. THOMASSEN: Okay. This would be actually a good place for me to take a break, mostly because I have to use the restroom.
MR. SWEDLOW: I object.
(Whereupon, a recess was taken.)
MR. THOMASSEN: Back on.
BY MR. THOMASSEN:
Q. Before we move on, is it accurate to say that all HTTP and HTTPS page data is collected unless specified by a rule file to not collect it?
A. No. Everything is dictated in the rules file

Page 58

on what to collect.
Q. Okay.
A. So there's not a blanket collect everything that's written in the code.
Q. So is it right that for any -- when collecting page data from any given HTTP or HTTPS page, whether or not a particular piece of data is collected is dependent on a rule file?
A. Yes.
Q. And the rule file will tell comScore software to either collect all of the data, some of the data or none of the data?
A. Yes.
Q. All right. So I want to talk for a while about fuzzification, which we brought up earlier. Can you -- you mentioned earlier, but can you generally describe for me now what fuzzification involves?
A. Sure. There are two types of fuzzification. One is page data fuzzification, and the second is post data fuzzification. The general idea behind fuzzification is, we

Page 59

look for patterns in the data that could be sensitive, and we either hash the data or X out enough of the string where it is no longer personally identifiable.
Q. So you talked about two things there, hashing and then X-ing out. Those are different things?
A. Yes.
Q. Can you describe what hashing is?
A. It is -- hashing is -- there's a mathematical formula, where we take the string itself and apply this algorithm to it, and then the outcome is an 18-digit long string of numbers that kind of represents an original string, but it's completely different.
Q. I understand. Is there one hashing formula that applies to all data that is hashed?
A. Yes.
Q. Okay. Now, what about X-ing out; what is that?
A. Where we actually take the string; instead of applying the hashing algorithm, we just replace the digits with X.
Q. Is that the same thing as zeroing?
A. Yes, same concept.

Page 60

Q. So would you say that hashing is synonymous with fuzzification?
A. No.
Q. So how is hashing different than fuzzification?
A. Hashing is just one form of fuzzification.
Q. So if I were to say this string has been hashed, would I also be saying that this string has been fuzzified?
A. Yes.
Q. Okay. And X-ing out, that is also a form of fuzzification?
A. Yes.
Q. So let's take a credit card number, for example. They are 14 digits long, I think?
A. Sixteen.
Q. Sixteen digits long? Are credit card numbers ever X-ed out?
A. Yes.
Q. How many of the credit card numbers would be X-ed out?
A. We -- I believe we keep the first six or

Page 61

seven. I don't -- it's either six or seven, I'm not exactly sure, and the rest of the 16 digits after the sixth or seventh digits are X-ed out.
Q. Okay. And after a portion of the credit card number is X-ed out, is that value then sent to comScore?
A. Yes.
Q. So that X-ed out value, I'll call it, is not additionally hashed?
A. No.
Q. Okay. Is there one -- I'm going to call it a zeroing formula, that applies to all credit card numbers, for example?
MR. SWEDLOW: Are you talking about hashing?
MR. THOMASSEN: No, I'm talking about zeroing or X-ing.
MR. SWEDLOW: Oh, X-ing, right.
A. If it's a 16-digit number, we assume that it's a credit card number. The same logic would apply to that 16-digit number.
BY MR. THOMASSEN:
Q. Is it correct to say that all 16-digit credit card numbers collected by comScore are X-ed out as

Page 62

opposed to hashed?
A. I believe so, if it's a credit card number.
Q. Okay.
A. Some account numbers could be 16 digits.
Q. Okay. How about, if you know, things like user names? Are they hashed or zeroed?
A. User names are hashed.
Q. And that, to your knowledge, applies for all user names?
A. In the post data, yes.
Q. In the post data. How about Social Security numbers?
A. Social Security numbers should be X-ed out.
Q. Do you know what -- how many digits of a Social Security number would be X-ed out, if you know?
A. That one I'm not familiar.
Q. That's fine. How about e-mail addresses?
A. I believe that is hashed, but I'm not 100 percent sure.
Q. Okay. How about things like street addresses?
A. I do not believe that one is hashed.
Q. Or zeroed?

Page 63

A. Or zeroed.
Q. So it's not -- you do not believe street addresses are fuzzified, in other words?
A. Correct.
Q. How about names -- how about first names? Sorry.
A. If it's in the post data, it is hashed.
Q. And I'm assuming last names as well?
A. Yes.
Q. How about date of birth?
A. I'm not sure.
Q. Bank account numbers?
A. I know it's fuzzified. I don't know if we hash or zero; I'm not 100 percent sure.
Q. That's fair. How about routing numbers, if you know?
A. I don't.
Q. That's fine.
A. It depends on the pattern.
Q. Mm hmm.
(Whereupon, a discussion was held off the record.)

Page 64

BY MR. THOMASSEN:
Q. How about encryption? Is that -- does comScore ever encrypt post data?
A. During transmission, yes.
Q. Is encryption a separate process from fuzzification?
A. Yes.
Q. So it is not correct to say that if information is encrypted, it's also considered fuzzified?
MR. SWEDLOW: Can you read that back?
(Whereupon, the court reporter read the requested portion of the proceedings.)
A. Correct.
BY MR. THOMASSEN:
Q. So it's -- so the words encryption and fuzzified are not used interchangeably; they mean different things?
A. Yes.
Q. Okay. How does comScore determine whether or not it's properly fuzzifying information?
A. We have the Mystery Shop program --

Page 65

Q. Okay.
A. -- that checks for fuzzification.
Q. Any other ways?
A. We have the QA test team, that every release cycle, we go through a regression test script.
Q. Can you tell me what that means?
A. They -- it's a test plan that the test team will execute against features of our software to make sure that it's functioning properly, to make sure that fuzzification is applied correctly, to make sure that the upgrade mechanism is working properly. So those would be on -- as part of the test plan.
Q. Okay. Any other ways?
A. Those are the two that I can think of at the moment.
Q. Okay. You mentioned a while ago that comScore fuzzifies what it considers to be sensitive information; is that right?
A. Correct.
Q. How does comScore determine what is or is not sensitive information?

Page 66

A. We look for patterns in the data. So in the example of a 16-digit consecutive numeric number, we assume that that's a credit card number.
Q. Okay. Let me ask this a different way. How is the determination made at the outset that information should be fuzzified? So, for example, comScore fuzzifies credit card numbers; at some point, it was determined that credit card numbers are something that should be fuzzified. How is that determination made?
A. It is made on the user's machine, while our software is running.
Q. Okay. Let me -- I'm trying to find out how comScore determines that things like names, e-mails, dates of birth, credit card numbers, Social Security numbers are sensitive information that should be fuzzified.
MR. SWEDLOW: And I'm going to provide you a an instruction. To the extent that comScore makes that decision based upon the advice of counsel, including that guy over there, who's your in-house

Page 67

counsel, I'm going to instruct you not to answer, because that communication and the product of that communication is protected from disclosure. I want you to answer the question, but I want you to understand my instruction. Are you okay with what I'm saying?
MR. THOMASSEN: Yes.
A. I think I'm not going to answer it, based on --
MR. SWEDLOW: What I just said?
A. -- attorney-client privilege.
MR. SWEDLOW: Yes. So I'll just make the statement that the determination of what is sensitive and what isn't sensitive includes the attorney advice.
MR. THOMASSEN: Okay.
BY MR. THOMASSEN:
Q. How does -- so you mentioned that the Mystery Shopper program is one way that comScore determines that it's properly fuzzifying information that should be fuzzified; right?
A. Correct.

Page 68

Q. What happens when the Mystery Shopper program determines that information is not properly being fuzzified?
A. They will report the incident to the QA team to reproduce. Then the QA team will, when possible, make a rules change to update our fuzzification logic to enhance the new pattern.
Q. How is fuzzification logic updated?
A. By a rules file.
Q. And those are rules files that are referenced by the OSSProxy software?
A. Yes.
Q. Okay. At what point is a JIRA ticket opened about a problem like we're discussing now?
A. A JIRA ticket is logged when a code change is required by the development team.
Q. So who would initially open a JIRA ticket, if that's the right word?
A. For this particular incident?
Q. Yes.
A. Most of the time, it would be done by the QA team, after reproducing the problem.

Page 69

Q. So the Mystery Shopper program team, for lack of a better term, would not open the JIRA ticket --
A. Correct.
Q. -- in this instance.
A. Correct. I'm not aware of Mystery Shoppers opening tickets in JIRA projects.
Q. Do you know about how long, on average, it takes -- in an instance like this, where the Mystery Shopper program identifies that information is not being properly fuzzified, how long does it take for the rule file to be changed?
A. The rules file can be updated at any time. Are you asking me how long from discovery? Can you be more specific? I don't understand what you're asking.
Q. That's exactly what I'm asking, how long -- from the moment the problem is discovered till the moment the problem is solved by updating the rules file, how much time passes, on average?
MR. SWEDLOW: I'll object, but if you have an -- on average --
A. I don't know; it depends. It's a case-by-case; I don't know.
