Dunstan et al v. comScore, Inc.
Filing
176
DECLARATION of Robyn Bowland regarding memorandum in opposition to motion 175 (Attachments: # 1 Exhibit A, # 2 Exhibit B, # 3 Exhibit C, # 4 Exhibit D, # 5 Exhibit E, # 6 Exhibit F, # 7 Exhibit G, # 8 Exhibit H, # 9 Exhibit I, # 10 Errata J, # 11 Exhibit K, # 12 Exhibit L, # 13 Exhibit M, # 14 Exhibit N, # 15 Exhibit O, # 16 Exhibit P, # 17 Exhibit Q, # 18 Exhibit R, # 19 Exhibit S, # 20 Exhibit T, # 21 Exhibit U, # 22 Exhibit V, # 23 Exhibit W)(Bowland, Robyn)
<![CDATA[
EXHIBIT G
Page 1
IN THE UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF ILLINOIS
EASTERN DIVISION
MIKE HARRIS and JEFF DUNSTAN,
individually and on behalf of a
class of similarly situated
individuals,
)
)
)
)
)
Plaintiffs,
)
)
-vs)
)
COMSCORE, INC., a Delaware
)
corporation,
)
)
)
Defendant.
)
__________________________________)
No. 1:11-cv-5807
Judge Holderman
Magistrate Judge
Kim
The deposition of ROBERTO TAMASSIA, Ph.D.,
called by the Plaintiffs for examination, pursuant to
notice and pursuant to the Federal Rules of Civil
Procedure for the United States District Courts
pertaining to the taking of depositions, taken before
Emily R. Pellegrino, Certified Shorthand Reporter and
Notary Public within and for the County of Cook and
State of Illinois, at 350 North LaSalle Street, 13th
Floor, Chicago, Illinois, commencing at the hour of
9:29 a.m. on the 14th day of December, A.D., 2012.
(312) 345-1414
a639eee0-d065-4e4e-9e24-2314607108c1
Page 2
1
2
3
4
5
A P P E A R A N C E S:
EDELSON MCGUIRE, LLC, By
MR. CHANDLER GIVENS and
MR. BEN THOMASSEN
350 North LaSalle Street, 13th Floor
(312) 589-6370
(312) 589-6378 (Facsimile)
cgivens@edelson.com
bthomassen@edelson.com
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
6
On behalf of the Plaintiffs;
7
8
9
10
11
QUINN, EMANUEL, URQUHART & SULLIVAN, LLP, By
MR. STEPHEN A. SWEDLOW and
MS. ROBYN M. BOWLAND
500 West Madison Street, Suite 2450
Chicago, Illinois 60661
(312) 705-7400
(312) 705-7401 (Facsimile)
stephenswedlow@quinnemanuel.com
robynbowland@quinnemanuel.com
12
and
13
14
15
16
STACK & O'CONNOR, Chtd., By
MR. PAUL F. STACK
140 South Dearborn Street, Suite 411
Chicago, Illinois 60603
(312) 782-0690
(312) 782-0936 (Facsimile)
pstack@stacklaw.com
17
and
18
19
20
21
22
23
Page 4
MR. THOMAS S. CUSHING, III
11950 Democracy Drive, Suite 600
Reston, Virginia, 20190
(703) 438-2392
(703) 438-2350 (Facsimile)
tcushing@comscore.com
On behalf of the Defendant.
ALSO PRESENT:
Mr. Amir Missaghi
24
(Witness duly sworn.)
ROBERTO TAMASSIA, Ph.D.,
called as a witness herein, having been first duly
sworn, was examined and testified as follows:
EXAMINATION
BY MR. GIVENS:
Q. Good morning, Roberto.
A. Hi.
Q. My name is Chandler Givens, this is my
colleague Ben Thomassen, and one of our law clerks
Amir Missaghi who's sitting in today.
A. Okay.
Q. I read in your expert report that you
haven't testified at deposition or trial in the past
four yours. Have you ever sat for a deposition
before?
A. I have never sat for a deposition.
Q. Okay. So I'm going to layout some ground
rules just to help you understand what's going on
here.
A. Sure.
Q. Everything you say is on the record today,
so I need you to give verbal answers. So if you nod
your head or shrug your shoulders or point a finger
Page 3
INDEX
1
2
WITNESS
EXAMINATION
3
ROBERTO TAMASSIA, Ph.D.
4
5
6
7
8
By Mr. Givens
4
EXHIBITS
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
TAMASSIA
DEPOSITION EXHIBIT
No. 1
No. 2
No. 3
No. 4
No. 5
MARKED FOR ID
4
76
79
81
83
Page 5
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
at me, she's not going to be able to pick this up.
A. Okay.
Q. So that's one. The second thing is if you
don't understand one of the questions that I'm asking
you, just ask for a clarification, that's fine. But
if you don't, then I'm going to assume you understand
the question. Your counsel Stephen might object, but
you are required to answer unless he instructs you
otherwise.
Are you on any medications, substances, or
do you have any health issues that might prevent you
from understanding the questions that I'm going to
ask you today and responding?
A. No.
(Whereupon, Tamassia Deposition
Exhibit No. 1 was marked for
identification, ERP.)
BY MR. GIVENS:
Q. Let's begin here. I'm handing you what has
been marked as Tamassia Exhibit 1 which is your
expert report. You'll be familiar with it.
A. Yes.
Q. Do you recognize this document?
A. Yes. Right.
2 (Pages 2 to 5)
*
*
*
*
(312) 345-1414
a639eee0-d065-4e4e-9e24-2314607108c1
Page 42
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
MR. SWEDLOW: Objection, vague.
You can answer.
THE WITNESS: I would like to speak about
the computer user that is identified in the ULA.
Installation process requires the users to be an
administrator of the ULA. Administrator with
computer has knowledge about installation of programs
and installation of program settings. I believe that
a user who's an administrator of a computer should be
able to understand exactly what is the meaning of, so
what is the operation of the software.
BY MR. GIVENS:
Q. So a general user then?
A. A general user who is an administrator.
Q. What do you mean by administrator?
A. Administrator is a user who has certain
privilege rights with respect to installing programs,
reviewing programs, and viewing and modifying
settings on a computer.
Q. Give me an example of an administrator.
A. I'm not sure I understand the question when
you say example of administrator. I am an example of
an administrator, for example. I don't know if that
is your question.
Page 44
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
software was installed?
MR. SWEDLOW: Can you read that question
back because I wasn't paying attention?
(Whereupon, the record was
read as requested.)
MR. SWEDLOW: I'll object as vague. There
is no "no." Do you want to rephrase that question?
MR. GIVENS: I don't want to rephrase the
question.
MR. SWEDLOW: It doesn't make any sense
then.
THE WITNESS: Can I ask clarification of the
meaning by what happens? What do you mean by what
happens?
BY MR. GIVENS:
Q. In your report you write, if a user selects
"no" when presented with a dialog box requesting
acceptance of the disclosures and ULA, the comScore
installation process does not run. During the
demonstration, did Yvonne Bigbee click no?
A. Now I can answer your question? Okay. I
asked to see both what happens when the user agrees
and accepts and when the user disagrees and does not
accept, and I saw in the administration that when the
Page 43
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
Q. Can any consumer be an administrator on
their computer?
A. Are you asking whether any person or -- what
do you mean by consumer here?
Q. Any person, yes.
A. Okay. So not every person on this planet
will have the basic understanding of how a computer
works to be an administrator. So there is some basic
computer skills that are needed in order to be an
administrator. Do you want me to elaborate more on
this?
Q. I'd love for you to elaborate a little bit.
A. Well, what I can say is that computer
literacy is growing worldwide, especially in the
United States, and so a good fraction of the
population is likely to have skills of computer
administrator.
Q. Is every user who installs comScore software
an administrator?
A. Yes. The software is set up so that if the
user logged into the machine is not an administrator,
then the installation will not proceed.
Q. What happened during the demonstration when
Yvonne clicked no when she was showing you how the
Page 45
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
user does not accept does not agree, the comScore
portion of the software is not installed but the user
will still be able to install the other software that
was bundled together with the comScore software which
was the original software that the user attempted to
download.
Q. During the demonstration, was there only one
type of bundled software used?
A. Yes. In the demonstration, there was only
one type of bundled software.
Q. Let's move to the operation section of your
report.
A. Yes.
Q. The basis for this whole section is the
demonstration that was given to you at Reston,
Virginia; is that correct?
A. Yes.
Q. Can you explain a few ways that a panelist
will be able to determine that comScore software is
running on their computer?
A. Are you referring with the word "panelist"
to a user who has installed the comScore software?
Q. Yes.
A. There are various reasons, multiple reasons
12 (Pages 42 to 45)
(312) 345-1414
a639eee0-d065-4e4e-9e24-2314607108c1
Page 46
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
that will make such -- panelist as copious user to be
fully aware that the software is fine. So first of
all, this panelist has explicitly accepted the
installation such that manner is occurring. Second,
the panelist should notice that the tray area of the
task bar in the Windows operating system contains an
icon associated with the comScore software. This
provides an explicit and continuous and persistent
indication that the software is running. In
addition, whenever the user -- this panelist, this
user will look at the list of programs installed,
that the software will appear.
And then even more, if you look at what is
called the task manager, which is a display of the
so-called processes, programs running, the comScore
software is there. And if one will inspect some
settings of the machine or the so called registry,
one will see registry keys associated with the
software. The primary visual indication is in the
system, is in the tray.
Q. In the second sentence of the last full
paragraph on page four "Uninstallation" you write,
based upon my observations of the demonstration and
the documentation I reviewed, comScore software can
Page 48
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
additionally through the start menu.
Q. What methods do you use to verify that all
components of the comScore software have been removed
from the machine?
A. I asked to show me the locations within the
file system and within the registry where traces of
the installation would have been present if it were
not complete. And through the inspection, so I asked
Yvonne who showed me the registry to show me certain
folders on the computer, and there were no files that
indicated that the program still existed.
In addition, I asked about various details
of the operation of the software. And based on what
I was told, it is my opinion that no files associated
with the tracking were left in the file system.
There was a portion of my report where I mentioned
that the filtering and trackings performed in
internal memory, so there is kind of no log files, no
log files that will be part of the file system.
Q. But you never personally checked the
computer; you relied upon Yvonne Bigbee's
demonstration?
A. The screen of the computer was projected in
front of me and Yvonne did exactly what I asked her
Page 47
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
be uninstalled in manner consistent with other
Windows based software, and you go on to write,
through the add/remove function provided as a part of
the Windows operating system.
Can you explain your basis for writing in a
manner consistent with other Windows based software?
A. The Windows operating system includes
specifications for developers of applications on how
uninstallation should be performed. All applications
for the Windows operating system are expected to
provide an uninstallation program. And this
uninstallation program is the one that will be
launched when the user goes to this app within the
settings of the computer, called in operation Windows
add/remove programs and enter other things. So it is
the standard expected way. All applications are
expected to provide this functionality.
Q. In your experience, have you seen consumer
software that adds an item to a user start menu that
is an icon to uninstall software; are you familiar
with that?
A. I am perfectly familiar with what you're
saying and, yes, I have seen some software
applications that provide the uninstall functionality
Page 49
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
to do. So I considered this equivalent to myself
having inspected the files. Unless, of course, some
trick was set up to show me something else.
Q. What tool did you use to use the registry?
A. I asked Yvonne to show me the registry and
she used a standard tool called reg edit.
MR. SWEDLOW: A what?
THE WITNESS: Reg edit, R-e-g, e-d-i-t.
BY MR. GIVENS:
Q. Backing up for just a second on the same
page the third full paragraph from the bottom last
sentence you write, moreover, every user who provides
his or her e-mail address during installation of
comScore software, it sends an e-mail that includes
the ULA. What's your basis for that sentence?
A. The question I asked and the answer I
obtained.
Q. Okay. Let's move to the obfuscation
section. Can you explain to me what regular
expressions are?
A. Regular expression is a standard mechanism
for describing in a succinct way a collection of text
strings. Text string is a sequence of characters.
Regular expression can by informally viewed as text
13 (Pages 46 to 49)
(312) 345-1414
a639eee0-d065-4e4e-9e24-2314607108c1
Page 50
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
pattern. For example, a regular expression will
describe succinctly the form of a Social Security
number, of a phone number, of a ZIP code, of a
two-digit abbreviation of a state. That's it.
Q. When you write that the software uses a
computational technique called regular expressions to
check for the presence of text patterns associated
with sensitive data, who determines what those text
patterns are?
MR. SWEDLOW: In the report? Objection,
vague.
THE WITNESS: Yeah, I actually do not
understand your question about who determines.
BY MR. GIVENS:
Q. Let me ask generally. If you're using
regular expressions to detect the presence of text
pattern, who is that determines the text pattern; is
it the programmer?
A. The process for creating the regular
expression should be based on domain knowledge about
how the text patterns look like and then the
programmer will now implement this domain knowledge
in the specific program language for the regular
expressions. So someone, for example, who knows
Page 52
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
once they are discovered, the software either removes
completely the data or transforms it so that the new
output data cannot be used to reconstruct the
original data.
Q. When you say removes completely, what do you
mean?
A. Removes completely means that the output of
the transformation is the empty data set.
Q. Is the empty data set then sent to
comScore's servers?
A. There is no such concept of submitting an
empty set. The data is suppressed, is not uploaded.
Q. Once that type of sensitive information is
detected, a credit card number, a Social Security
number, a bank number, would it be technically
feasible to simply excise that information or not
collect it at all?
MR. SWEDLOW: I'll object as vague and
compound, but you can answer.
THE WITNESS: Your question, it is
hypothetical about -- so can you rephrase it again?
Can you say it to me again so I can understand?
BY MR. GIVENS:
Q. My understanding of the way the comScore
Page 51
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
about the form of the Social Security numbers will
determine how the pattern looks like. And then the
programmer will have to create what is the actual
programming specification of the regular expression.
Q. So at comScore, who is the person who
determines that?
A. I did not ask who is the person. I assumed
that they have domain experts who have this knowledge
and I know that it is the software developers under
the leadership of the CDO and the director of
technology and video technology who implement in this
programming language of regular expressions what is
this domain knowledge.
Q. When you write in your report that sensitive
data is transformed through the obfuscation process,
what do you mean by transformed?
A. What I mean is that there is a matter that
takes as input data and could use as output some
other data; that is the transformation process.
Q. So is the comScore software actively seeking
Social Security numbers, credit card numbers?
A. Yes. The software tries to identify the
presence of various types of sensitive data including
Social Security numbers and credit card numbers. And
Page 53
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
software works is that it uses regular expressions to
detect some certain information like a credit card or
Social Security number?
A. Yes.
Q. Then it collects that information and
transforms it; those are your words?
A. Yes.
Q. Would it be technically feasible to rather
than collect it and transform it, to detect it, and
not collect it at all?
A. Of course it is technically feasible to do
nothing about the information that is collected, but
comScore is in the business of actually acquiring
some type of information.
Q. Why do you think comScore transforms credit
card numbers and collects that information?
A. You're asking two questions. Can you ask
them separately?
Q. Why do you think that comScore actively
seeks credit card numbers to collect?
A. Yes. My understanding of the comScore
business is that they're the one to provide aggregate
statistical data to their customers about, for
example, the use of certain credit cards for
14 (Pages 50 to 53)
(312) 345-1414
a639eee0-d065-4e4e-9e24-2314607108c1
Page 54
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
transactions. So that's one of the reasons that they
will track credit card usage across the economy,
across the users of the software.
Q. Once the comScore software is installed on
the user's machine, is it constantly listening for
web traffic?
A. My understanding is that yes, this is the
case.
Q. When the comScore software detects
information to be collected, how much time elapses
between collection and transmission to comScore
servers?
A. I did not run timing experiments, so I
cannot answer this question.
Q. When you write in your expert report -MR. SWEDLOW: Are we on page five?
BY MR. GIVENS:
Q. Page five second full paragraph, once it is
identified sensitive data is transformed by an
obfuscation process, it aims to remove detailed
information while preserving more general information
of statistical significance. What do you mean by
general information of statistical significance?
A. General information means that this
Page 56
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
difficult to have absolute certainty of the success
of a certain program. In particular, it is
unfeasible to try the program on all possible inputs.
However, my reading of the software, the description
I was given of the techniques and methods indicates
that the obfuscation process is based on technically
sound principals and was implemented with the
appropriate tools.
Q. Look with me now at the last sentence of the
second full paragraph -A. Uh-huh.
Q. -- where you write, in addition, the
technique of cryptographic hashing is used to map
other sensitive data items to numeric values called
digests that have the following properties: (1) with
very high probability, the digests are uniquely
associated with the items; (2) it is computationally
infeasible to reconstruct the items form the digest.
What do you mean when you write it is
computationally infeasible to reconstruct the items
from the digest?
A. The meaning is that reversing the
transformation is practically impossible to do given
current computer technology.
Page 55
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
information about class of objects, a class of items.
For example, the class of days of birth that have the
same year or the class of credit card numbers that
start with the same seven digits. This is not
information about a specific credit card of the user.
It is a class of credit cards that include the credit
card of the user. That's the meaning of general
information.
The meaning of statistical significance
means that it is relevant to the type of statistical
summaries that are provided by the comScore to their
customers; for example, demographic information as
related to certain types of internet shopping habits
or user job certain brands of credit cards for
certain types of internet transactions.
Q. When you write since the data's transformed
by an obfuscation process that aims to remove
detailed information, why did you write aims to
remove rather than remove? Let me rephrase that.
Are you aware of any instances where the
software doesn't remove the detailed information?
A. The reason why I wrote the sentence with the
term aims is because it is the clear intent of the
code. And as in any programming endeavors, it is
Page 57
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
Q. Would it be computationally feasible to
reconstruct the items from the digest if you were
aware of what the values associated with the digest
were?
A. The question you are asking seems to be of
the type if you already know what the value is, can
you reconstruct the value from the digest. There is
no point in reconstructing something that you already
know.
Q. Are you familiar with the concept of rainbow
tables?
A. Yes.
Q. So here you write, it's computationally
infeasible to reconstruct the items from the digest.
But comScore not only has the digest; they also have
the associated value, i.e., this is a Social Security
number; is that correct?
A. ComScore detects -- attempts to detect the
presence of Social Security numbers through regular
expressions, then Social Security numbers are
suppressed, so the transformation actually produces
no output value; it produces the empty data set. For
Social Security numbers, they do not use the
technique of cryptographic hashing.
15 (Pages 54 to 57)
(312) 345-1414
a639eee0-d065-4e4e-9e24-2314607108c1
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
