Class-Action Lawsuit Alleges Data Privacy Violations

Monday, March 14, 2011

David Navetta


Article by Nicole Friess

Privacy-related lawsuits are on the rise, and this time is the target. On March 2, 2011, two named plaintiffs filed a class-action lawsuit alleging that Amazon circumvents browser privacy settings to collect users’ personal information without permission and shares the information with third parties. A copy of the complaint can be found HERE.

Most websites use machine-readable codes that tell a browser their privacy policies - such as whether a website sends cookies and with whom the website shares personal information gained from those cookies.

Websites commonly use P3P compact policy “tokens” such as “NID” (no identified user information collected), which represent a standardized privacy expression defined in P3P specifications. Amazon uses the token “AMZN”, which the plaintiffs say is an invalid token, and Amazon knows its token does not comply with P3P standards.

The complaint alleges that the “AMZN” token is used to trick Internet Explorer into interpreting Amazon's privacy policy as compatible with users’ privacy settings. As a result, Amazon circumvents users’ privacy settings and sends cookies to users, even when cookies have been blocked to prevent websites from collecting personal information.

In addition to browser cookies, the complaint alleges that Amazon installs “flash cookies” without users’ notice or consent as an additional circumvention technique. The plaintiffs allege that Amazon’s online privacy policy deliberately misleads users by stating that flash cookies are similar to browser cookies, when they’re much larger in file size, can be accessed by other websites, and are difficult to manage or delete.

One of the plaintiffs, Ariana Del Vecchio, said that after she started using Amazon in 2008 to buy pet-care products, she began receiving advertisements via postal mail from companies with which she'd never done business. The complaint suggests that these companies obtained her personal information from Amazon’s collection and distribution tactics, even though she used strict privacy settings to restrict Amazon's access to her personal data.

The other plaintiff, Nicole Del Vecchio, said that although she blocked cookies from Amazon using Internet Explorer privacy settings, Amazon got around her settings, surreptitiously gained access to her computer, and installed flash cookies.

The class-action lawsuit represents anyone who has used Internet Explorer versions 6, 7 or 8 - with strict privacy settings - to visit and purchase products from the e-retailer. The complaint alleges violations of the CFAA and the Washington Consumer Protection Act, among others.

We can add this case to the list of those alleging insufficient transparency regarding the treatment of personal information. “Amazon claims in its privacy notice that it does not share users' information with third parties for advertising purposes and that, instead, it delivers third parties' advertisements on their behalf,” the lawsuit alleges.

“In fact, Amazon shares users' PII with third parties for those third parties' independent use and does not disclose this fact to consumers.”

Cross-posted from InfoLawGroup

Possibly Related Articles:
Legal Privacy Amazon PII Data Flash Cookies
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.