Courthouse News reports on Kirch v. Embarq Management, a class-action lawsuit (pdf) claiming that Delaware-based Embarq Management and Kansas-based United Telephone “secretly installed ‘unprecedented, extraordinarily pervasive’ spyware on their broadband networks, allowing them to spy on and profile their customers for targeted online advertising.”
The type of surveillance alleged uses deep packet inspection technology, which allows an Internet Service Provider to read the contents of an e-mail or figure out what Web site a customer is visiting in order to display more targeted ads. There are numerous privacy, civil liberty, and legality questions (pdf) about this sort of surreptitious tracking of Internet users. I previously blogged about these secret surveillance programs and the privacy and civil liberty questions that surround them. In the U.S., Charter Communications, CenturyTel Inc., WOW!, Broadstripe, and Metro Provider have all used such controversial systems to track customers, according to a report (pdf) by Free Press and Public Knowledge.
The plaintiffs in Kirch v. Embarq Management claim:
The devices funneled all affected users’ Internet communications — inbound and outbound, in their entirety — to a third-party Internet advertisement-serving company, NebuAd.
NebuAd and the Defendants used the intercepted communications to monitor and profile individual users, inject advertisements into the web pages users visited, transmit code that caused undeletable tracking cookies to be installed on users’ computers, and forge the “return addresses” of user communications so their tampering would escape the detection of Users’ privacy and security controls. […]
The plaintiffs detailed the personal data that they claim was compromised:
The scope of Defendants’ indiscriminate diversion of Internet traffic to the Appliance encompassed all of its Users’ web navigation activity and other Internet transactions, such as file downloads and inbound and outbound messages—all unfiltered, in their entirety. The communicative components of User traffic diverted to the Appliance necessarily included:
- all communications protocol types, including web communications (http traffic); encrypted web communications (https traffic); e-mail communications, including web- based email communications (e.g., GMail, Hotmail, and Yahoo email account traffic); instant messages; file transfer protocol (ftp) and secure file transfer protocol (ftps) downloads; and voice-over-Internet-Protocol (VoIP) telephony communications;
- all navigation information, including Users’ search terms and the universal resource locators (URLs) identifying websites and Internet addresses accessed by Users;
- Internet Protocol (IP) addresses, which uniquely and persistently identified Users’ specific personal computers, in that Users generally leave their modems in an always-on state, causing Users’ personal computers to remain linked to unique, “sticky” IP addresses, much like static IP addresses;
- personally identifying information2 and substantive content in communications relating to personal and sensitive matters such as health events, insurance coverage, financial and e-commerce transactions, financial account status details, credit reports, political activities and interests, personal relationships and dating, job searches, and movie rental choices; privileged correspondence such as marital and attorney-client communications; and information contained in the financial records of financial institutions, of card issuers, as defined in Title 15, United States Code, Section 1602(n), and from the files of consumer reporting agencies on consumers, as defined in the Fair Credit Reporting Act, Title 15, United States Code, Section 1681, et seq.; and
- information to, from, and about children under the age of 13.
Plaintiffs allege that Embarq and United Telephone invaded their customers’ privacy, violated the Computer Fraud and Abuse Act, and violated the Electronic Communications Privacy Act (“because Defendants intentionally intercepted and endeavored to intercept Plaintiffs’ and Class Members’ electronic communications and procured NebuAd to intercept and endeavor to intercept Plaintiffs’ and Class Members’ electronic communications,” plaintiffs say). NebuAd is not listed as a defendant.