Intel is among the growing list of companies being sued for allegedly violating American wiretapping laws by running third-party code to track interactions, such as keystrokes, click events, and cursor movements, on its website.
Last week, a lawsuit [PDF] against the chip maker that was filed in February was removed from a Florida state court and shifted to a federal district court in Orlando.
The plaintiff, Holly Londers, claims she visited Intel's website approximately a dozen times in the twelve months to January 2021, and during those visits the chip maker "utilized tracking, recording, and/or 'session replay' software to contemporaneously intercept [her] use and interaction with the website, including mouse clicks and movements," and information that she input, pages visited and viewed, and dates and times of visits.
America's Supremes give Facebook nothing but heartaches: Top court won't stop '$15bn wiretap' lawsuit
The lawsuit has been brought under the 2020 Florida Security of Communications Act, which makes it a crime to intentionally intercept another person's electronic communications without prior consent.
Londers's complaint does not specify the session replay software involved but The Register understands from a conversation with one of the attorneys involved that it's believed to be Clicktale, which was acquired in 2019 by Contentsquare, a maker of similar analytics software.
As Jonathan Cherki, founder and CEO of Contentsquare, described the deal at the time, "The combination of Clicktale and Contentsquare heralds an unprecedented goldmine of digital data that enables companies to interpret and predict the impact of any digital element – including user experience, content, price, reviews and product – on visitor behavior."
Non-profit org The Markup's Blacklight web inspector warns that the Intel website contains a Clicktale script with "a session recorder, which tracks user mouse movement, clicks, taps, scrolls, or even network activity." The privacy scanner further notes that no keystroke logging was detected and that it cannot say how the session data is being used.
But other folks can
Session replay software saw increased attention from the privacy community in 2017 when researchers from Princeton's Center for Information Technology Policy published a study in which they looked at the prevalence of the seven most popular session replay services at the time – Yandex, FullStory, Hotjar, UserReplay, Smartlook, Clicktale, and SessionCam – and found their scripts being used on 482 of the Alexa top 50,000 websites.
The following year, session replay scripts were discussed at a US Federal Trade Commission event, FTC PrivCon 2018. During the session [PDF], Gunes Acar, who at the time was a postdoctoral researcher with the Princeton CITP project and is currently with the COSIC research group of KU Leuven, described the privacy risk posed by session replay services.
Google fails to neutralize lawsuit that complains Chrome's incognito mode isn't very private at all
Session replay scripts, Acar said, are no worse than any other analytics scripts until it comes to web input forms. There's risk, said Acar, that sensitive information like email addresses, credit card numbers, and passwords will get captured by these replay scripts – the Princeton researchers found replay service providers often fail to keep sensitive data safe.
However, the attorney on the Florida case who spoke with The Register said the central issue is whether website visitors gave informed consent. And he voiced optimism that the Florida cases will survive motions to dismiss because Florida's wiretapping law is a strong consumer protection statute.
Since Cohen v. Casper Sleep (2017) in New York, there have been at least two dozen such wiretapping privacy claims, mostly in California and Florida – both states with applicable privacy statutes. Those who have been sued over this include Banana Republic, Blizzard, CVS, Fandango, Foot Locker, Frontier Airlines, General Motors, Home Depot, Old Navy, Nike, Norton, Ray-Ban, T-Mobile, and WedMD, among others.
The New York case was dismissed in 2018 for failure to properly state a claim [PDF]. But most of the California and Florida cases continue to plod along and may yet make it to trial, or more likely, settlement.
These claims got a boost from the 2020 Ninth Circuit Court of Appeals decision [PDF] that refused to dismiss wiretapping claims against Facebook for tracking people even when they've logged out of the social networking service. A week ago, the US Supreme Court declined to hear Facebook's appeal to undo that decision.
The Register asked Intel and Contentsquare to comment on the wiretapping lawsuit, and both companies declined. ®