Lawsuit accuses comScore of extensive privacy violations

Computerworld - A proposed class-action lawsuit filed in federal court in Chicago on Tuesday accuses online tracking and analytics firm comScore of surreptitiously collecting Social Security numbers, credit card numbers, passwords and other data from consumer systems.

The lawsuit also accuses comScore of a wide range of other misdeeds, including changing security settings and opening backdoors on end-user systems, stealing information from word processing documents, emails and PDFs, redirecting user traffic, and injecting data collection code into browsers and IM (instant messaging) applications.

The suit was filed on behalf of two individuals, one from Illinois and the other from California, who claimed their privacy rights were violated by comScore's data collection software. It seeks an injunction against the company's practices and damages for comScore's alleged violations of the Stored Communications Act, the Computer Fraud and Abuse Act and other statutes.

"The scope and breadth of data that comScore collects from unsuspecting consumers is terrifying," the 30-page complaint alleges.

In an emailed statement, comScore spokesman Andrew Lipsman called the lawsuit meritless. "We have reviewed the lawsuit and find it to be without merit and full of factual inaccuracies," he said. "ComScore intends to aggressively defend itself against these claims."

A publicly traded company, comScore is one of the largest online audience measurement and customer tracking companies in the industry. Its 1,800 customers include numerous marquee electronic commerce sites, retailers, advertising agencies and publishers.

The company offers a range of services designed to allow its customers to track and profile Internet users for audience measurement and targeted advertising purposes.

The software that the company uses to do such tracking is typically downloaded on user systems along with free software products such as screens savers and music sharing software. In other cases, users are encouraged to download the software in exchange for a chance to enter free sweepstakes and similar incentives.

The lawsuit characterized comScore's software as intrusive surveillance tools that allowed the company to monitor every keystroke and every action taken by a user on the Internet. To collect data, comScore's software modifies a computer's firewall settings, redirects Internet traffic, and can be upgraded and controlled remotely, the complaint alleges.

The software is largely impervious to user attempts to uninstall it. And when a user does manage to delete the software it still leaves behind an untrusted "root certificate" that exposes the user to various security threats, the plaintiffs claim.

To provide its service, comScore "constantly collects, monitors, and analyzes every online move, no matter how private, of over two million persons," the suit alleges.

This is the second time in the past few days that the issue of online tracking and user profiling has come into the spotlight. A few days ago, a researcher from Stanford University released a report exposing Microsoft's use of highly persistent "supercookies" to track users on its MSN and other networks.

After the report was published, Microsoft claimed that the cookies were used inadvertently and said it had disabled them immediately.

Another recent report from researchers at the University of California at Berkeley showed how hundreds of sites are using the so-called supercookies to track users.

The recent developments are likely to add urgency to efforts by lawmakers to introduce Do Not Track legislation that would give consumers the choice of opting out of online tracking and targeted advertising.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.

Read more about Privacy in Computerworld's Privacy Topic Center.