Last November, class action lawsuits were filed against multiple websites employing activity loggers: Nike (and FullStory), Lululemon (and Quantum Metric), and WebMD (and Mouseflow). The WebMD story mentions some others at the end.
According to these lawsuits, the companies running the websites, and the companies providing the logging software, are intercepting and/or recording personally identifiable information without the knowledge or consent of the viewers of the site. The lawsuits, which are filed in the state of California, allege this constitutes an illegal wiretap in violation of the California Invasion of Privacy Act (CIPA). The CIPA is an anti-wiretapping law that imposes civil and criminal penalties for recording confidential conversations, with fairly broad definitions for confidential conversations and consent.
Despite being a few months old, I had not heard about these lawsuits. Website replay logging software scripts have been around for years (here is a story from 2017). These replay loggers can record everything from where your cursor goes to what links you click on to what keys you press on the website. According to the stories, both the company hosting the website and the company who operates the logger can get enough information to fully replay a user's interaction with the website. This would be particularly violating where the user is entering a password or, as in the WebMD case above, personal information including medical information. Even if the user intended to send that information to the website in question, most users are probably not aware that it is also being sent to a third party.
(Score: 2, Insightful) by Anonymous Coward on Wednesday March 03, @08:03PM
I rarely agree with them, but this kind of logging without consent should be illegal. And burying it in a 300 page EULA doesn't qualify as consent, especially since you have to visit the site first to even get the link to it.
(Score: 4, Insightful) by Runaway1956 on Wednesday March 03, @08:17PM (7 children)
Let me repeat: Hoovering data, retaining data, reselling data, "sharing" data with "partners" - all of it should be illegal without EXPLICIT consent. Such consent should never be buried under mountains of legalese. Virtually all online "services" violate this principle. They are all in the data business.
(Score: 2) by JoeMerchant on Wednesday March 03, @08:21PM (1 child)
There are boundaries that should be respected; zero tolerance for logging of website interaction means the web becomes a static resource.
In the (highly screwed up) medical world, PHI is defined and we treat it as radioactive around logging functions - it can only enter logging functions when very specifically explicitly needed and properly handled end-to-end. Non-PHI data is fair game. De-identified data is nearly fair game with the caveat that de-identification must be done properly and appropriately for the use cases.
I know it's expecting a lot of the Wild Wild Web to do something like segregate data into multiple classes with varying rules for transit and storage, but that's really where the world should ultimately be headed.
My karma ran over your dogma.
(Score: 0) by Anonymous Coward on Wednesday March 03, @08:34PM
First, the web can be usable without JavaScript, which is the source of many client side snooping activities. And even Java doesn’t require you to snoop and log everything.
Second
Who could expect you to know about any of this, you being only a few months old?
(Score: 1, Funny) by Anonymous Coward on Wednesday March 03, @08:37PM (3 children)
Here we go again, more Cancel Culture.
(Score: 1, Touché) by Anonymous Coward on Wednesday March 03, @08:53PM (2 children)
(Score: 0) by Anonymous Coward on Wednesday March 03, @09:07PM (1 child)
(Score: 2) by DannyB on Wednesday March 03, @09:10PM
There is nothing wrong with counseling and nothing wrong with choosing who you share your money with.
I shared some money with Amazon in exchange for some nose counseling headphones.
(Score: 3, Insightful) by DannyB on Wednesday March 03, @09:07PM
Web sites should give CLEAR options
Please check one of the following options:
[_] No. Please DO NOT add me to the list of people to be excluded from being automatically enrolled in our special craptacular offer.
[x] Yes. Please DO add me to the list of people ineligible to not be excluded from not being enrolled in our special craptacular offer.
If you do not select one of the options, then default will automatically be selected for you.
Thank you for enrolling in our craptacular special offer!
