Dunstan et al v. comScore, Inc.

Filing 323

MEMORANDUM by Jeff Dunstan, Mike Harris in support of motion for partial summary judgment 321 (Redacted) (Balabanian, Rafey)

Download PDF
IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS, EASTERN DIVISION MIKE HARRIS and JEFF DUNSTAN, individually and on behalf of a class of similarly situated individuals, Plaintiffs, v. Case No. 1:11–cv–5807 Hon. James F. Holderman Magistrate Judge Young B. Kim COMSCORE, INC., a Delaware corporation, Defendant. PLAINTIFFS’ MEMORANDUM OF LAW IN SUPPORT OF THEIR MOTION FOR PARTIAL SUMMARY JUDGMENT TABLE OF CONTENTS I. INTRODUCTION .............................................................................................................1 II. STATEMENT OF UNDISPUTED FACTS .....................................................................2 A. Class Members Downloaded and Installed Bundled Versions of OSSProxy as Part of comScore’s TAP Recruitment Scheme. ...........................3 B. If Enforceable, the ULA’s Terms and Conditions Define the Nature and Scope of Any Class Member’s Consent to Collection by OSSProxy. ...............................................................................................................5 1. 2. C. The ULA’s terms and conditions limited who (if anyone) had rights to collect data from panelists, while its preamble named possible downstream users of the collected and anonymized data ............................7 The ULA’s terms and conditions limited any authorized collection to collection performed by specific means. ..................................................8 OSSProxy’s Design and Actual Data Collection Practices Differ Fundamentally From the Data Collection Guaranteed by the ULA.................9 1. comScore—rather than any program Sponsor—collected data from panelists via OSSProxy, packaged it, and generated revenue from it.. .................................................................................................................9 2. Although it could have, comScore did not program OSSProxy to automatically filter CPII. .............................................................................9 a. Even comScore agrees that “fuzzification” is not filtering ............10 b. comScore ....................11 III. ARGUMENT ....................................................................................................................13 A. B. III. Under the ULA comScore Relies Upon to Establish Consent, It Had No Right to Access Plaintiffs’ Computers or Communications.......................15 To the Extent They Agreed to be Bound by the ULA’s Terms and Conditions, Plaintiffs Only Authorized Collection Performed by Software that Included and Employed Automatic CPII-Filtering Functionality.........................................................................................................17 CONCLUSION ................................................................................................................21 i TABLE OF AUTHORITIES UNITED STATES CIRCUIT COURT OF APPEALS CASES: Atl. Mut. Ins. Co. v. Metron Eng’g and Const. Co., 83 F.3d 897 (7th Cir. 1996) .........................16 Desnick v. Am. Broad. Cos., 44 F.3d 1345 (7th Cir. 1995) .....................................4, 16, 17, 18, 20 Doe v. Smith, 429 F.3d 706 (7th Cir. 2005). ....................................................................................2 Griggs-Ryan v. Smith, 904 F.2d 112 (1st Cir. 1990) .....................................................................14 Harris v. comScore, Inc., No. 13-8007 (7th Cir. Apr. 16, 2013) ...................................................19 In re Pharmatrak, Inc., 329 F.3d 9 (1st Cir. 2003) ........................................................................14 Lloyd v. Kull, 329 F.2d 168 (7th Cir. 1964)...................................................................................17 Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2003) .............................................................4, 14 United States v. Footman, 215 F.3d 145 (1st Cir. 2000) ...............................................................14 Williams v. Poulos, 11 F.3d 271 (1st Cir. 1993) ............................................................................14 UNITED STATES DISTRICT COURT CASES: Easterling v. Kopp, No. 04-cv-615, 2005 WL 1630006 (E.D. Wis. July 7, 2005) ........................15 Thrasher-Lyon v. CCS Commercial, LLC, No. 11-cv-04473, 2012 WL 3835089 (N.D. Ill. Sept. 4, 2012) ............................................15 United States v. Blas, 90-CR-162, 1990 WL 265179 (E.D. Wis. Dec. 4, 1990) .....................20, 21 Valentine v. WideOpen W. Fin., LLC, 288 F.R.D. 407 (N.D. Ill. 2012) ..........................................2 STATUTES: 18 U.S.C. § 1030 ...................................................................................................................1, 2, 13 18 U.S.C. § 2701 ....................................................................................................................1, 2, 13 18 U.S.C. § 2511 ....................................................................................................................1, 2, 13 Fed. R. Civ. P. 56 ...........................................................................................................................14 ii MISCELLANEOUS: Filter Definition, Merriam-Webster, http://www.merriam-webster.com/dictionary/filter (last visited Feb. 20, 2014) ................................................................................................18 McAfee Web Protection, McAfee, http://www.mcafee.com/us/resources/data-sheets/ds-webprotection.pdf (last visited Feb. 20, 2014) ........................................................................19 Restatement (Second) of Torts............................................................................................... passim Vyacheslav Zakorzhevsky, Bundled software – grey market with dirty rules, Kaspersky Lab: Security Analyst Summit 2013, available at http://media.kaspersky.com/en/Events/Presentations/Vyacheslav%20Zakorzhevsky_ Bundled%20software%20-%20grey%20market%20with%20dirty%20rules.pdf (last accessed Feb. 20, 2014) .......................................................................................................3 iii I. INTRODUCTION comScore, Inc.’s (“comScore”) liability in this matter turns on whether it obtained consent to collect data from Class members’ computers through its tracking software, OSSProxy, and if it did, whether comScore’s data collection exceeded the scope of the consent obtained. The Court has recognized as much—noting that, because “consent” or “authorization”1 is central to their claims, “[P]laintiffs need prove only one incident of OSSProxy exceeding the scope of the consent to establish violations of the ECPA, the SCA, and the CFAA.” (Dkt. 186 at 11.) In this case, both Parties agree that every issue of consent turns on the “terms and conditions” of the User License Agreement (the “ULA”) that accompanies OSSProxy’s installation and operation. comScore’s position is that because each Class member accepted the ULA’s terms and conditions during OSSProxy’s installation, those terms control and show that OSSProxy’s operation was authorized. (See Dkt. 175 at 7, 11.) As set forth in their Memorandum in Support of Class Certification (Dkt. 154 at 16), Plaintiffs Mike Harris and Jeff Dunstan (“Plaintiffs”) do not dispute that they, along with each and every class member, clicked “accept” when presented with OSSProxy’s “Downloading Statement”—which asked that users read and agree to the ULA’s terms and conditions. That said, the issue of whether the ULA was actually binding on them (and the Class)—e.g., whether OSSProxy’s “installation process uniformly fail[ed] to obtain . . . assent to the ULA”—is a question for another day and not one taken up in this motion.2 (Dkt. 154 at 30.) 1 Throughout this brief, Plaintiffs use the terms “authorization” and “consent” interchangeably, without limitation—i.e., in line with the language of the Stored Communications Act (“SCA”), Electronic Communications Privacy Act (“ECPA”), and Computer Fraud and Abuse Act (“CFAA”). Likewise, rather than repeatedly referring to comScore’s “access” and/or “interception” of Plaintiffs’ communications (i.e., in line with the SCA, ECPA, or both), Plaintiffs here use the broader term “collection” to reference comScore’s alleged access to their computers and access and interception (or attempted access and interception) of their communications through OSSProxy. 2 Indeed, this threshold question is particularly apt for Subclass members, who were never 1 Rather, Plaintiffs’ motion establishes that even if the premise of comScore’s position is correct and the ULA is binding on Plaintiffs and the Class, comScore’s data collection was still unlawful. That point is demonstrated in two ways. First, if enforceable, the ULA granted limited rights to enumerated parties, but did not grant comScore any rights to collect data from the Class. Second, even if the ULA did grant comScore some right to collect data, comScore’s collection still lacked authorization because the invasion comScore effectuated (i.e., through OSSProxy) was fundamentally different from the invasion supposedly authorized by the ULA’s terms and conditions. All told, the ULA didn’t grant comScore any data collection rights, but even if it did, those rights were limited to collection using means that comScore never employed. Plaintiffs are therefore entitled to summary judgment on the issues of consent and authorization. Given the facts not in dispute, Plaintiffs seek partial summary judgment on the central issue of consent now—prior to the Parties engaging in expert discovery on the issue—so as to preserve the Court’s and the Parties’ resources by significantly narrowing the issues for expert testimony and discovery, future summary judgment briefing, and trial. Because Plaintiffs are entitled to summary judgment on the authorization elements and consent defenses for their claims under the SCA, ECPA, and CFAA3, their Motion should be granted. II. STATEMENT OF UNDISPUTED FACTS By now, the Court is well aware of comScore’s business model. comScore generates revenue by mining data from consumers across the world and then analyzing, repackaging, and selling it. (Plaintiffs’ Local Rule 56.1 Statement of Undisputed Material Facts (“SOF”) ¶ 11.) presented with a functional hyperlink to the ULA and therefore can’t be bound by it. (See Dkt. 31 at 4–5.) 3 Both the CFAA and the SCA place the burden on Plaintiffs to establish that comScore’s access occurred without, or in excess of, authorization. See 18 U.S.C. § 1030(a); 18 U.S.C. § 2701(a). The ECPA, on the other hand, puts the burden on comScore to prove the defense of consent. See 18 U.S.C. § 2511(2)(d); see also Valentine v. WideOpen W. Fin., LLC., 288 F.R.D. 407 (N.D. Ill. 2012) reconsideration denied, No. 09 C 7653, 2013 WL 5423846 (N.D. Ill. Sept. 27, 2013); Doe v. Smith, 429 F.3d 706, 709 (7th Cir. 2005). 2 While it acquires consumer data from a number of sources, comScore’s reputation stems mainly from its online panel of consumers that—thanks to OSSProxy’s constant monitoring— continually feeds comScore with data about consumers’ online activity (e.g., who is shopping where, what credit cards they are using, what is being purchased, what online ads are being clicked on, etc.). (Id. ¶¶ 6, 44–46.) comScore isn’t shy about the size and scope of its panel—it boasts that OSSProxy captures “over 1.5 Trillion [online] interactions . . . monthly; equal to almost 40% of the monthly page views of the entire internet.” (Id. ¶ 12.) A. Class Members Downloaded and Installed Bundled Versions of OSSProxy as Part of comScore’s TAP Recruitment Scheme. The entire Class was recruited to comScore’s online panel via comScore’s “third party application provider” program (the “TAP program”). (Id. ¶¶ 15, 20–21, 76–77.) Rather than recruiting consumers to voluntarily sign up for its panel directly—as it does for its “affiliate network” recruitment program4—comScore’s TAP program requires that consumers download free applications (generally termed “freeware,” such as screensavers, music programs, games, etc.) that have been “bundled” with OSSProxy.5 (Id. ¶¶ 13–15, 22, 25.) comScore does not 4 Unlike its TAP recruitment model, comScore’s affiliate program is far less likley to result in unitentional installations of OSSProxy. Through the affiliate model, comScore pays partners to post Internet advertisements to increase traffic to comScore’s panel websites (such as www.permissionresearch.com), where consumers can sign up for a panel directly. (SOF ¶¶ 13–14.) There, consumers are required to provide substantial personal information up front (such as their name, address, age, gender, and email address) before downloading and installing OSSProxy. (Id. ¶ 14.) And even though the sites are still “branded” and utilize program sponsors (similar to the TAP program), there’s no element of surprise attendant to the downloading process. 5 Many authorities take issue with the practice of “bundling”—i.e. offering bundled software along with free/trial programs—as a threshold matter because it (i) is not detected by most antivirus vendors, (ii) operates in the same manner as recognized “malicious” programs, and is, as such, (iii) fundamentally “based on deception.” See Vyacheslav Zakorzhevsky, Bundled software – grey market with dirty rules, Kaspersky Lab: Security Analyst Summit 2013, available at http://media.kaspersky.com/en/Events/Presentations/Vyacheslav%20Zakorzhevsky_Bundled%20software %20-%20grey%20market%20with%20dirty%20rules.pdf (last accessed Feb. 20, 2014). How these issues operate with respect to bundled versions of OSSProxy will be a specific focus of expert discovery, and— should this motion be denied—will be a key issue at trial in determining the existence and scope of any consent given. 3 require its TAP partners to warn or otherwise disclose that OSSProxy is bundled with freeware before a consumer downloads it—indeed, comScore’s own expert witness stated that he’d be “surprised” if such disclosures were ever made. (Id. ¶ 23.) To install OSSProxy through comScore’s TAP program, a user must initialize a bundled freeware’s installation process and then click past the installation window for OSSProxy. (Id. ¶¶ 21–22, 24–25.) This process (Id. ¶ 18.) To ensure the rapid and continuous installation of OSSProxy by consumers, Id. ¶ 16.) Historically, “TAP panelists” of comScore’s panel. (Id. ¶ 17.) (Id. ¶ 19.) Looking forward, many aspects of comScore’s TAP recruitment model have drawn criticism among privacy experts and will be a key focus of expert testimony.6 For the purposes of this motion, two aspects of the process are especially relevant: The Downloading Statement. Over the course of a TAP bundle’s installation, every TAP panelist (and every Class member) was presented with the Downloading Statement. (Id. ¶¶ 20– 6 Likewise, expert testimony will show that several aspects of the TAP installation process were designed to—as one antivirus vendor described to comScore S0082285_Confidential--Attorney’s Eyes Only.docx, attached to the Declaration of Benjamin S. Thomassen (“Thomassen Decl.”) as Exhibit 29.) Expert evaluation of the overall process will demonstrate the deceptive nature of comScore’s TAP recruitment scheme and support Plaintiffs’ view that—in light of that deceit—any consent obtained from Class members was vitiated. See Theofel v. Farey-Jones, 359 F.3d 1066, 1073–75 (9th Cir. 2003); see also Desnick v. Am. Broad. Cos., 44 F.3d 1345, 1351–53 (7th Cir. 1995). 4 21, 24, 25.) The Downloading Statement contained (i) an abbreviated summary of the terms and conditions attendant to the download and use of OSSProxy and (ii) a hyperlink to the ULA containing the full terms and conditions.7 (Id. ¶¶ 21, 24, 29.) The Downloading Statement also stated that a “branded” version of OSSProxy (“RelevantKnowledge” for most Class members) was presented “in order to provide” the freeware, and that OSSProxy was “provided by” a named program “Sponsor” (“TMRG, Inc.” sponsored RelevantKnowledge). (Id. ¶¶ 9, 27, 36.) The ULA. Following a short preamble, the hyperlinked-to ULA explained that “[b]efore joining [the panel] . . . and installing our application, you must review and agree to the terms and conditions below and provide and obtain consent to this agreement from anyone who will be using the computers on which you install the application.” (Id. ¶ 37; Dkt. 156-9, attached to the Thomassen Decl. and cited herein as Ex. 4.) The ULA’s terms and conditions set out that “[the] Agreement constitutes the entire agreement between sponsor and you with respect to the subject matter contained in the Agreement” and explained that “[the] agreement shall not create any rights or remedies in any parties other than the parties to the agreement and no person shall assert any rights as a third party beneficiary under this agreement.” (SOF ¶ 43, Ex. 4 at 7.) Consistent with those restrictions, the terms and conditions encouraged users to contact the Sponsor’s “Privacy Office” at specific postal and/or email addresses (e.g., privacy@tmrginc.com or support@tmrginc.com) with questions about OSSProxy or its terms and conditions. (SOF ¶ 42.) B. If Enforceable, the ULA’s Terms and Conditions Define the Nature and Scope of Any Class Member’s Consent to Collection by OSSProxy. Assuming arguendo that the Class members validly consented to the ULA, then every issue regarding their consent flows from the ULA’s “terms and conditions.” That’s because: (i) 7 Every Class member was presented with a Downloading Statement prior As the Court knows, members of the Subclass did not receive a functional hyperlink. (SOF ¶ 32.) 5 to the installation of OSSProxy, (Id. ¶ 24); (ii) Each Downloading Statement explained that “[b]y clicking Accept you acknowledge that . . . you have read, agreed to . . . the terms and conditions of the Privacy Statement and User License Agreement,” (Id. ¶¶ 29, 31 (emphasis added)); (iii) Each Downloading Statement provided an active hyperlink labeled Privacy Statement and User License Agreement that, once clicked on, directed Class members to the ULA, (Id. ¶¶ 29–30);8 (iv) The linked-to ULA contained a section header containing the words “PRIVACY POLICY & USER LICENSE AGREEMENT,” under which the ULA explained that “Before joining our program, enjoying the benefits of this program, and installing our application, you must review and agree to the terms and conditions below and provide and obtain consent to this agreement from anyone who will be using the computers on which you install this application,” (Id. ¶ 37 (emphasis added)); and (v) The “terms and conditions” section of the ULA explained, inter alia: a. “What information [would be] collected,” (e.g., what data would be collected wholesale versus data that was subject to “automatic[] filter[ing]”) (Ex. 4 at 2–3; SOF ¶¶ 39–40;); b. “How . . . the information [would be] collected,” (e.g., the methods through which data was collected by OSSProxy, what collected data would be transmitted, and to whom that data would be sent) (Ex. 4 at 3–4; SOF ¶ 40); c. “How . . . the collected information [would be] used,” (e.g., how the collected data would be used to create “Market Research Reports” after “automatically filter[ing]” certain data) (Ex. 4 at 4; SOF ¶ 40); and d. “How . . . the information [would be] secured,” (e.g., how employees exposed to collected data would be “contractually restricted on their use and access to personally identifiable information,” and how panelists could “access, modify, and/or request deletion” of certain data”) (Ex. 4 at 4–5; SOF ¶ 40). Per its own express and limiting language, the ULA’s terms and conditions were the only place where panelists could have authorized OSSProxy’s data collection. (SOF ¶ 43.) And per that 8 Excepting, as explained above, members of the Subclass, who did not receive a link. (SOF ¶ 32.) 6 same language, the agreed-to data collection (i.e., what was consented to) extended only to specific parties and permitted only the conduct described. (Id.) 1. The ULA’s terms and conditions limited who (if anyone) had rights to collect data from panelists, while its preamble named possible downstream users of the collected and anonymized data. The ULA’s terms and conditions were unequivocal about the parties authorized to collect data from panelists. The terms and conditions made clear that “[t]his Agreement constitutes the entire agreement between sponsor and you” and identified the program Sponsor by name (e.g., TMRG, Inc., for RelevantKnowledge). (Ex. 4 at 7–8; SOF ¶¶ 36, 43 (emphasis added).) Throughout, the terms and conditions made consistent use of personal pronouns to reference the program Sponsor—stating, for example, “[o]nce you install our application,” “[w]e may use the information we monitor,” and that if users had “any questions . . . [about] our practices” the Sponsor’s “Privacy Office” should be contacted. (Ex. 4 at 7–8; SOF ¶ 42.) Indeed, the Sponsor is the only entity named in the ULA’s terms and conditions, which additionally limited any rights granted to the named parties: “[t]his agreement shall not create any rights or remedies in any parties other than the parties to the agreement and no person shall assert any rights as a third party beneficiary under this agreement.” (Ex. 4 at 7; SOF ¶¶ 38, 43.) It’s true that other parties were mentioned in the ULA’s preamble (i.e., the short portion appearing before the identified “terms and conditions” that panelists were asked to review and assent to). (SOF ¶ 38.) There, and after explaining that panelists’ data would be “passively collected and used as a part of anonymous research reports,” the preamble mentioned downstream users of panelists’ then-anonymized data. (Ex. 4 at 2; SOF ¶ 38.) comScore was mentioned as a user “of the information you contribute.” (SOF ¶ 38.) Further downstream from comScore, the New York Times, the Wall Street Journal, and CNN were also identified as users of the data. (Id.) The preamble flagged that “the data [would also be] extensively used by the 7 largest Internet services companies and scores of Fortune 500 companies[.]” (Id.) Throughout the preamble, none of these “users” of collected data were referenced by a personal pronoun; instead, each was always identified by name and none appeared in the ULA’s terms and conditions. (Id.) 2. The ULA’s terms and conditions limited any authorized collection to collection performed by specific means. In addition to explaining who would collect data through OSSProxy, the ULA’s terms and conditions described how collection would occur. (Ex. 4 at 3–4; SOF ¶ 40.) Specifically, and rather than providing for unlimited monitoring by OSSProxy, the terms and conditions sought authorization for particular data collection practices. The most significant restriction on OSSProxy’s collection was the promise of “commercially viable efforts to automatically filter confidential personally identifiable information [from collection,] such as UserID, password, credit card numbers, and account numbers.” (Ex. 4 at 4; SOF ¶ 39 (emphasis added.)). With respect to the data that the ULA identified for collection, the commitment to collect data subject to automatic filtering of confidential personally identifiable information (“CPII”) was the ULA’s only commitment to safeguard panelists’ privacy that was programmed into OSSProxy itself. (See Ex. 4.) All other privacy protections came from post-collection promises, such as the Sponsor’s commitment to (i) “purge our database of [inadvertently collected CPII] information;” (ii) give panelists the ability to “access, modify, and/or request deletion of the personally identifiable profile information submitted by [panelists] as a part of this program;” and (iii) ensure that all data collected was anonymized before being used in “Market Research Reports” and distributed/sold to downstream users of that data.9 (Id. at 3–4.) 9 Though these post-collection protections are not the subject of the instant motion, it is not at all clear that comScore’s data practices conformed to these provisions of the ULA either. Regarding the promise to “purge our database” of [inadvertently collected CPII], 8 All told, the ULA’s terms and conditions established that the panelists consented to be monitored (if at all) only through a specific type of data collection—by software programmed to automatically filter CPII. C. OSSProxy’s Design and Actual Data Collection Practices Differ Fundamentally From the Data Collection Guaranteed by the ULA. Although not disclosed to consumers before (or even after) the ULA’s terms and conditions were presented to them, the Sponsors had no role in the actual collection of data through OSSProxy. And the software itself—while programmed with the ability to automatically “filter” data before collecting it—was not programmed to automatically filter any CPII, but was designed instead to target and collect all of it. (SOF ¶¶ 47–53.) 1. comScore—rather than any program Sponsor—collected data from panelists via OSSProxy, packaged it, and generated revenue from it. comScore—not any program Sponsor—is the only entity that collected panelist data through OSSProxy. (Id. ¶¶ 70–71.) comScore alone designed OSSProxy. (Id. ¶ 67.) comScore alone distributed OSSProxy to panelists, caused it to be installed and configured on panelists’ computers, and actively maintained the software (e.g., by facilitating communications between its own servers and all installed iterations of OSSProxy). (Id. ¶¶ 68–69.) And of course, all data collected from panelists through OSSProxy went directly to comScore, after which comScore analyzed, packaged, and sold it through its various commercial products. (Id. ¶¶ 11, 70–71.) 2. Although it could have, comScore did not program OSSProxy to automatically filter CPII. The undisputed facts also show that comScore did not program OSSProxy to (Id. ¶ 63.) 9 automatically filter any CPII—even though, by its design, OSSProxy was programmed to automatically filter other data from collection. (SOF ¶¶ 47–53.) As a result, and assuming arguendo that comScore had some authority to collect data, its undisclosed collection practices—where CPII was in fact targeted for collection—were inconsistent with the collection practices authorized by the ULA’s terms and conditions. That OSSProxy did not automatically filter CPII is demonstrated in at least two ways. a. Even comScore agrees that “fuzzification” is not filtering. Rather than automatically filter CPII from its targeted collection, comScore collected it all (while attempting to “fuzzify” some) of it. (Id.) The Court will recall comScore’s “fuzzification” process—through it, comScore programmed OSSProxy (using both programming hard-coded into the software itself, and external, regularly-updated “rule files”) to (i) capture all CPII inputted by panelists (e.g., credit card numbers or passwords inputted into webpages during secure browsing sessions); (ii) identify it as CPII (e.g., by recognizing certain field names or patterns of data); (iii) obfuscate some of it; and (iv) transmit the “fuzzified” CPII to comScore’s servers for processing, analysis, and eventual sale. (Id. ¶¶ 50, 53; Dkt. 154 at 13–14.) No one at comScore—not even its own proffered expert, Dr. Tamassia—describes the “fuzzification” process as “filtering.” (SOF ¶¶ 51–53.) And comScore first pointed out this difference during class discovery when its Chief Technology Officer and Rule 30(b)(6) designee admitted that “filtering and fuzzifying are two different things.” (Id. ¶ 51.) The distinction makes sense, because OSSProxy is in fact programmed to automatically “filter” some data from its collection processes—it just isn’t programmed to filter CPII. For example, comScore (Id. ¶ 48.) Likewise, comScore programmed OSSProxy to automatically filter (i.e., 10 exclude or exempt from collection) certain web content (“page data”) accessed and viewed by panelists through web browsers—including, for example, page data from “dot-edu” (.edu) sites. (Id. ¶ 49). comScore took this action not because the ULA’s terms and conditions represented that such data would be filtered from collection, but because it doesn’t “want to collect” that data, has “no need for” it, and it is “not part of [comScore’s] business model.” (Id. ¶ 52.) CPII, on the other hand—and far from being filtered, excluded, or exempted—is explicitly targeted for OSSProxy’s collection. Indeed, analysis of CPII collected from panelists (e.g., social security numbers, credit card numbers, etc.) is key to the utility and value of comScore’s data analytics products. (Id. at ¶ 53.) b. comScore Even though it first identified the difference between filtering and fuzzifying, and even though comScore still believes that its (publicly undisclosed) fuzzification logic is a suitable analogue to “filtering.” But even if that were true, comScore doesn’t even fuzzify as promised. That fact is demonstrated in at least three ways. First, comScore uses (but does not publicly disclose) Id. ¶¶ 54–56.)10 10 From a technical (CS0096108_Confidential--Attorney’s Eyes Only.docx, attached to the Thomassen Declaration as Exhibit 30.) 11 Id. ¶¶ 55–57.) Second, comScore (Id. ¶¶ 39; 54–57.) For example (Id. ¶¶ 39, 57–59.) Third, comScore (Id. ¶¶ 58–59.) With this information, (Id. ¶¶ 58–62.) a known minor, Facebook.com “About” page she set that webpage’s security settings to 11 Given these collection practices, it’s unsurprising that comScore’s Director of Software Engineering, Steven Chase, testified that, to his knowledge, though “UserID” is the ULA’s first enumerated example of CPII. (Id. ¶¶ 39, 64.) 12 “private,” so as to hide certain information—including her birth year—from the public’s view.12 (Id. ¶ 61–62.) (Id. ¶¶ 59, 61.) All told, comScore’s fuzzification of CPII is less of an automatic process triggered whenever CPII is detected, and more of a conditional one that comScore employs when CPII is detected Given that functionality, fuzzification differs sharply from the ULA’s promised “automatic CPII filtering.” Ultimately, the ULA’s terms and conditions, which comScore insists are binding, provide for a very specific type of data collection: collection by the Sponsors using software that would make commercially viable efforts to automatically filter CPII from collection. In reality, the collection that took place was nothing like that described in the ULA. Instead, comScore did the collecting, and it did so using software that made no effort to filter CPII (though it did filter information less useful and valuable to comScore), and in some cases As such, Plaintiffs never consented to the collection that actually occurred. III. ARGUMENT Because the undisputed facts show that comScore had no right to collect data from Class members’ computers, Plaintiffs and the Class are entitled to partial summary judgment on the 12 A user’s Facebook_ID or Facebook Username, when added after the “www.facebook.com/” prefix, leads to that user’s personal Facebook page (e.g., entering “www.facebook 13 “authorization” element of their SCA and CFAA claims, and comScore’s “consent” defense under the ECPA.13 See 18 U.S.C. §§ 2701(a), 1030(a), 2511(2)(d). “A party claiming relief may move, with or without supporting affidavits, for summary judgment on all or part of the claim . . . at any time after . . . 20 days have passed from commencement of the action.” Fed. R. Civ. P. 56(a)(1). Summary judgment is proper “if the pleadings, the discovery and disclosure materials on file, and any affidavits show that there is no genuine issue as to any material fact and that the movant is entitled to judgment as a matter of law.” Fed. R. Civ. P. 56(c)(2). Plaintiffs are entitled to partial summary judgment on the central issue in this case— whether they consented to comScore’s collection of their data through OSSProxy. For each of their claims, the issues of consent and authorization are interpreted in light of the common law, especially the common law of trespass. Theofel, 359 F.3d at 1072–33. “Consent may be explicit or implied, but it must be actual consent rather than constructive consent . . . and should not be casually inferred.” In re Pharmatrak, Inc., 329 F.3d 9, 20 (1st Cir. 2003) (citing Williams v. Poulos, 11 F.3d 271, 281–82 (1st Cir. 1993); United States v. Footman, 215 F.3d 145, 155 (1st Cir. 2000); and quoting Griggs-Ryan v. Smith, 904 F.2d 112, 117 (1st Cir. 1990)) (internal quotations omitted). Here, the undisputed facts show that comScore lacked consent for two reasons. First, comScore had no authorization to collect data from Plaintiffs’ computers. The ULA’s terms and conditions granted collection rights to, if anyone at all, only the Sponsors, while comScore had no such rights. Second, any collection rights granted by the ULA’s terms and conditions authorized only a specific type of collection performed by software that automatically filtered CPII—a practice that was different from what comScore actually utilized. From either 13 comScore did not raise “consent” as a defense in its Answer to the Second Amended Complaint. Thus, to the extent it has not waived it outright, Plaintiffs are still entitled to summary judgment on it. 14 perspective, comScore had no consent to collect data from Plaintiffs’ computers using OSSProxy, and Plaintiffs are entitled to summary judgment on the issues of consent and authorization for each of their claims. A. Under the ULA comScore Relies Upon to Establish Consent, It Had No Right to Access Plaintiffs’ Computers or Communications. comScore has repeatedly asserted that the ULA governs OSSProxy’s operation, and that Plaintiffs consented to the collection provided under the ULA. (See Dkts. 15, 42-1, 175, 243, 302-1.) By its own text, however, the ULA gave comScore no right to access Plaintiffs’ computers and communications, and instead limited any such right exclusively to the Sponsors. It is hornbook law that consent may be limited to particular activities performed by particular individuals. See Restatement (Second) of Torts (hereinafter “Restatement”) §§ 52, 892A. Thus, when an individual grants license to another to invade his interests or property, and an unauthorized individual invades instead, the invading individual has acted without consent and may be held liable as the law sees fit. See Restatement §§ 892A, 892B; Thrasher-Lyon v. CCS Commercial, LLC, No. 11-cv-04473, 2012 WL 3835089, at *5 (N.D. Ill. Sept. 4, 2012) (consent to receive calls from one person did not constitute consent to receive telemarketing calls from another); Easterling v. Kopp, No. 04-cv-615, 2005 WL 1630006, at *3 (E.D. Wis. July 7, 2005) aff’d, 168 F. App’x 100 (7th Cir. 2006) (holding that in fourth amendment context, an individual could limit consent to search to a particular person). And in cases like this, where a contract defines the scope of access, its terms define and limit the consent conferred. (See Dkt. 186 at 10.) Here, the ULA, through its specifically identified “terms and conditions,” defined any consent granted by Plaintiffs. (See Dkt. 186 at 10.) The ULA strictly limited any collection rights to the Sponsors by enumerating the types of collection the Sponsors could undertake. (See Ex. 4.) 15 In contrast, the ULA never identified comScore as a party that would monitor or collect panelists’ data. (Ex. 4; SOF ¶ 38.) In fact, the ULA’s “terms and conditions” didn’t mention comScore at all. (Ex. 4; SOF ¶ 38.) Rather, comScore was only referenced in the ULA’s nonbinding preamble. (SOF ¶ 38); see Atl. Mut. Ins. Co. v. Metron Eng’g and Const. Co., 83 F.3d 897, 900 (7th Cir. 1996) (“[I]ntroductory language or recitals are not binding obligations unless so referred to in the operative portion of the instrument as to show a design that they should form a part of it.”). In the preamble, comScore was identified as one of several downstream users of the data “contribute[d]” by panelists—i.e., along with other entities described as “extensive[] use[rs]” of that same data. (SOF ¶ 38.) These clearly drawn distinctions between the Sponsors and comScore, along with the ULA’s express limitation of collection rights to those parties specifically enumerated, (see Ex. 4 at 7 (“Third Party Rights” and “ENTIRE AGREEMENT” clauses limiting rights to panelists and Sponsors)), confirmed that Plaintiffs consented to, at most, the Sponsors’ collection, and never agreed to any such activity by comScore.14 In reality, however, it was comScore who operated OSSProxy. (SOF ¶¶ 69–71.) The Sponsors had no role in accessing panelists’ computers and communications, profiting from it, or deploying, updating, or maintaining OSSProxy. (Id. ¶¶ 67–71.) Thus, while Plaintiffs consented to one type of conduct (access and interception by the Sponsors), another (access and interception by comScore), occurred—undermining Plaintiffs’ rights in their computers and private communications. (See Section II.B.1, supra.) See Desnick, 44 F.3d at 1352 (explaining that a party’s misrepresentation regarding its identity to enter private property vitiates consent). Accordingly, Plaintiffs never entered into any agreement with comScore, much less an 14 16 agreement to authorize its highly invasive tracking. And, therefore, comScore’s access to and interception of Plaintiffs’ communications occurred without authorization. See Restatement § 52, cmt. a, Ill. 1 (“A consents to an operation to be performed by B, a surgeon, whom A knows and in whom he has great confidence. After A is under a general anesthetic, the hospital substitutes C, another surgeon of equal skill. C performs the operation. C is subject to liability to A.”); Restatement § 892A, cmt. e (“[O]ne who consents that another may walk across his land does not, without more, consent that . . . a third person may walk across it along with the other.”). Since Plaintiffs never authorized comScore to access their computers, their communications, or their personal information, they are entitled to summary judgment on the consent and authorization elements of their claims. B. To the Extent They Agreed to be Bound by the ULA’s Terms and Conditions, Plaintiffs Only Authorized Collection Performed by Software that Included and Employed Automatic CPII-Filtering Functionality. Even if the ULA had given comScore some form of collection rights, its terms and conditions established that Plaintiffs only authorized collection using automatic CPII-filtering. Plaintiffs never consented to the collection that actually occurred, which comScore performed without any CPII-filtering mechanisms. For consent to be effective, it “must be to the actor’s conduct or to substantially the same conduct, rather than to the invasion that results from it.” Restatement § 892A, cmt. e.; accord Lloyd v. Kull, 329 F.2d 168, 170 (7th Cir. 1964) (holding that physician’s removal of nonthreatening mole exceeded plaintiff’s consent to “such operations as may be deemed necessary or advisable in [her] diagnosis or treatment”). Thus, where the conduct performed is not substantially the same as the conduct consented to, there is no consent. See Desnick, 44 F.3d at 1345; see also Restatement § 892A, cmt. e (“Consent to an invasion by particular conduct is not 17 consent to the same invasion by entirely different conduct.”). As the Seventh Circuit has explained, “[i]f a homeowner opens his door to a purported meter reader who is in fact nothing of the sort—just a busybody curious about the interior of the home—the homeowner’s consent to his entry is not a defense to a suit for trespass.” Desnick, 44 F.3d at 1352. Accordingly, in cases involving the invasion of property interests, like this one, the key question is whether the specific conduct that occurred was of the nature agreed to. See id. at 1352–53 (Defendants who posed as clinic patients for investigative purposes did not trespass, because their entry was not “an invasion . . . of any of the specific interests that the tort of trespass seeks to protect.”); see also Restatement §§ 892A, 892B. Here, the ULA’s terms and conditions, if enforceable at all, defined the conduct Plaintiffs authorized: data collection using software programmed to automatically filter CPII—nothing more and nothing else. (SOF ¶ 39; see also Dkt. 186 at 10 (“The scope of plaintiffs’ consent here is determined by that identical [installation] process, the ULA, and the Downloading Statement.”).) In its actual invasion of Plaintiffs’ computers and communications, however, comScore lacked consent for two reasons. First, as shown supra, Section II.C.2.a., fuzzifying is substantially different from filtering, and Plaintiffs never consented to—indeed, never even knew about—collection by software that merely fuzzified (rather than filtered) their CPII. Even though the ULA’s terms and conditions said that the collection software would “make commercially viable efforts to automatically filter [CPII],” OSSProxy didn’t filter CPII at all. Instead, OSSProxy collected all CPII, attempted to obfuscate some of it, and transmitted it to comScore’s servers (in both fuzzified and plaintext form). (SOF ¶¶ 44, 50–53.) Any commonsense understanding of the term “filter” is irreconcilable with OSSProxy’s “collect everything, sort it out later” fuzzification programming. In the online and software 18 contexts, Merriam-Webster defines “filter” as “software for sorting or blocking access to certain online material.”15 Common usages of “filter”—both online and off—are in line with MerriamWebster’s “blocking” definition. Major antivirus companies (Norton, McAfee, etc.) sell “web filtering” software that allows administrators (or parents) to permit or deny access to selected websites, or categories of websites.16 Internet-based email applications commonly let users “filter” emails from pre-identified senders or that contain certain textual content, which prevents such emails from ever reaching a user’s inbox. Spam filters work the same way. In the nonsoftware context, vacuum filters block dust and debris from escaping into the air, and coffee filters block grounds from dripping into freshly brewed coffee. The list goes on. OSSProxy’s fuzzification mechanism, by contrast, didn’t block or exclude any CPII from collection. Instead, OSSProxy was programmed to target CPII for collection before trying to obfuscate some of it. While comScore writes the difference off as “lawyers’ semantic quibbles,” (see comScore’s Petition for Leave to Appeal Class Certification Order Pursuant to Fed. R. Civ. P. 23(f), Harris v. comScore, Inc., No. 13-8007, Dkt. 1 at 15 n.11 (7th Cir. Apr. 16, 2013)), it forgets that its own (non-lawyer) witness first identified the difference between filtering and fuzzification. (SOF ¶ 51.) Not only that, OSSProxy does employ filtering mechanisms (Id. ¶¶ 47– 49, 52 (emphasis added.)) comScore simply didn’t program OSSProxy to apply those mechanisms to prevent collection of CPII (and thereby protect panelists’ privacy and conform with the ULA). Instead, the filters only operated to exclude data comScore couldn’t monetize, while allowing OSSProxy to collect all CPII and monetize as much as possible. 15 Filter Definition, Merriam-Webster, http://www.merriam-webster.com/dictionary/filter (last visited Feb. 20, 2014). 16 See, e.g., McAfee Web Protection, McAfee, http://www.mcafee.com/us/resources/data-sheets/dsweb-protection.pdf (last visited Feb. 20, 2014). 19 These substantial differences explain the admission by comScore’s Chief Technology Officer and Rule 30(b)(6) designee, that “filtering and fuzzifying are two different things.” (Id. ¶ 51.) Plaintiffs and the Class consented the to the former, not the latter. Second, and as shown supra, Section II.C.2.b., even if fuzzifying were substantially the same as filtering, comScore programmed OSSProxy to The ULA’s promise of “automatic CPII filtering” was given with only one qualification: that “commercially viable efforts” would be made to do it.17 (Id. ¶ 39.) The ULA did not explain, however, that filtering (or fuzzification, as it turned out) would be additionally limited by (Ex. 4; SOF ¶¶ 55–57.) Worse still, not only did comScore know (SOF at ¶¶ 57–58.) As a result of this departure from the ULA’s terms, comScore All told, the difference between what was promised and what occurred goes to the nature of comScore’s invasion itself, and what was consented to (if anything) was “entirely different” from what took place. Like the “busybody” in Judge Posner’s Desnick opinion, comScore’s entry 17 comScore cannot plausibly assert that automatic filtering of CPII would not have been “commercially viable,” as it demonstrated the capacity to employ filtering technology in a commercially viable manner with regard to other types of data. (SOF ¶¶ 47–49.) 18 It is irrelevant whether or not comScore’s conduct was different from any consented to, thereby creating liability, regardless of the conduct’s effects. See Restatement § 892A, cmt. e. 20 into Plaintiffs’ computers (via software programmed not to automatically filter CPII) is a trespass, even if Plaintiffs consented to an entry pursuant to the ULA (which only permitted software programmed to automatically filter CPII). See Desnick, 44 F.3d at 1352–53; see also United States v. Blas, No. 90-CR-162, 1990 WL 265179, at *21–22 (E.D. Wis. Dec. 4, 1990) (consent to “look at” pager did not constitute consent to activate it). Here, the difference between the actual conduct and the conduct assented to was significant—the ULA provided for collection by software that did one thing (collect certain data, while filtering CPII) but comScore did something substantially different (collect all data, while In essence, comScore was permitted to take “a few stones,” and instead hoped to make off with “large boulders.” See Restatement § 892A, ill. 1; see also id. at cmt. e (“Consent to an invasion by particular conduct is not consent to the same invasion by entirely different conduct.”). Plaintiffs cannot be said to have consented to comScore’s conduct, and therefore, Plaintiffs are entitled to partial summary judgment on the issues of consent and authorization. IV. CONCLUSION For the foregoing reasons, Plaintiffs Mike Harris and Jeff Dunstan respectfully request that the Court grant their Motion for Partial Summary Judgment, and award such other and further relief as it deems equitable and just. Respectfully submitted, MIKE HARRIS and JEFF DUNSTAN, individually and on behalf of a class of similarly situated individuals, Dated: February 20, 2014 By: s/ Rafey S. Balabanian One of Plaintiffs’ Attorneys Jay Edelson jedelson@edelson.com Rafey S. Balabanian 21 rbalabanian@edelson.com Chandler R. Givens cgivens@edelson.com Benjamin S. Thomassen bthomassen@edelson.com EDELSON PC 350 North LaSalle Street, Suite 1300 Chicago, Illinois 60654 Tel: 312.589.6370 Fax: 312.589.6378 Attorneys for Plaintiffs, the Class, and the Subclass 22 CERTIFICATE OF SERVICE I, Rafey S. Balabanian, an attorney, hereby certify that on February 20, 2014, I served the above and foregoing Plaintiffs’ Memorandum of Law in Support of their Motion for Partial Summary Judgment, by causing true and accurate copies of such paper to be filed and transmitted to all counsel of record via the Court’s CM/ECF electronic filing system. s/ Rafey S. Balabanian 23

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.


Why Is My Information Online?