Stanford CIS

The Adventures of Sasha Skwirl

By Stanford Center for Internet and Society on

Meet Sasha Skwirl.  Or better yet, email Sasha Skwirl, and be sure to wish her bon voyage and mazel tov!  Sasha's a 29-year-old website marketing director living here in sunny Stanford, CA.  She's a nice single Jewish girl looking for love.  She's sophisticated and financially solid, with a master's degree, a high-five-figure salary, and a daily NewYorkTimes.com addiction.  She's also pregnant with her first child - a girl - due in March, just a month after Sasha's own 30th birthday.  Ever the modern girl, Sasha plans to raise the child Miranda Hobbes-style while simultaneously casting a net for her dream man via her Yahoo! Personals ad.  Before the impending special arrival, she's going to bid at SkyAuction.com for a discount on a luxury Mexican getaway and stock up on as many baby savings and freebies as possible from CoolSavings.com.

Think about all the marketers that would love to reach Sasha, given all the demographic segments she fits into, and how inundated with popups the poor girl would be if her trusty laptop were infected with spyware.  Well, Sasha is a fake persona created precisely for this purpose - to measure what kinds of information spyware distributors collect and store and whether such behavior violates not only the spyware distributors' EULA terms but also state and federal privacy law.  Given the behavior of the spyware products we are currently researching in the Cyberlaw Clinic, we'll have no shortage of claims to pursue against our chosen defendants.  However, focusing on the data gathered will allow us the unique chance to establish some precedent for interpretation of the California Consumer Protection Against Computer Spyware Act, the California Online Privacy Protection Act of 2003, and the federal Wiretap Act (part of the Electronic Communications Privacy Act of 1986).  Click to read more about the claims that Sasha might enable us to make regarding these statutes.....No cases have yet interpreted the two recent California acts.  It is a common Internet practice, of course, that website visitors run the risk of having a cookie placed on their hard drive every time they visit a particular site (whether the cookie is placed by an advertising serving company or by the site itself so that it can recognize the individual and/or track the individual's behavior to gather anonymous market research statistics).  However, the text of both California statutes would hold the spyware distributor liable if the spyware distributor gathers personally identifiable information (i.e., full name, email address, credit card, phone number) without first obtaining permission from the individual user (such as via opting into a registration form provided directly by the spyware distributor during the spyware software installation process, as opposed to a form that people fill out on a third-party websites like a registry on Babiesrus.com).

Things get particularly interesting with regard to the Federal Wiretap Act in the spyware context.  The Wiretap Act assesses liability when any electronic communications are intercepted by a third party.  The Act's text suggests a violation would occur whether the information gathered is as innocuous as the user's IP address or country of origin or as personally invasive as the user's email address or credit card.  However, with one very narrow exception with very unique circumstances - In re Pharmatrak, Inc. - there has been no Wiretap Act liability assessed to date against third-party Internet services such as web statistics monitoring companies or advertising serving companies who gather consumer information because the website operators themselves authorized the third party's consumer data gathering.  And if one party to the communication agrees to its interception, the Wiretap Act will exempt the third party interceptor from liability.  (Otherwise, the entire web profiling business would be extinct.)  But with spyware, the website operators themselves have not given consent for the spyware distributors to track communications such as when Sasha searches for "baby strollers" on Google and is immediately indundated with baby product coupon popups.  Especially when Google has a no-popup policy.  If the consumer has consented properly to the EULA, and the information tracked by the spyware distributor conforms to what the EULA promised might happen, then the consent exemption will protect the spyware distributor from Wiretap Act liability.  The seminal case in this area was a 2001 action in which the Southern District of New York approved of DoubleClick's very business model - developing comprehensive profiles of individual web users with the consent of over 11,000 website owners who enabled the company to serve targeted ads.  However, when it is highly unlikely that a court would find that users could possibly have consented to a particular EULA, or if the spyware was installed via a stealth, "drive-by" process, then conceivably the tracking of any information about a web user's Internet behavior - such as the keywords searched and the pages visited on a site - and online/offline location (IP addresss, email address, state, etc.) would be a violation of federal law.  And the remedy would grant users a share of a spyware company's advertising profits.  A class action could take out some of these guys, or at least get them to  substantially change the specificity of their EULAs and the manner in which they obtain consent.  Though the big boys like 180 Solutions and Claria have become extremely cautious about highlighting their EULAs and privacy policies, we in the Cyberlaw Clinic know all too well that there are many small-time, but widespread, spyware distributors who do not follow adware user consent "best practices."  So this could be a very exciting area of precedent-setting for us.   Assuming, of course, at the pre-discovery level we can demonstrate sufficient reasonable belief what types of information is being gathered by our prospective spyware defendants.

In the meantime, Sasha will be engaging in her daily web adventures.  Browsing NYT.com, looking for travel and stroller deals, searching for parenting tips, trying to find the man of her dreams, maybe even checking out the Paris Hilton sex tape for a laugh.  And if our prospective spyware defendants are watching and recording it all - well, let's just say that the Cyberlaw Clinic may be able to make more than just the typical trespass, unfair business practices, and contract formation claims.

P.S., For those curious, Sasha is only loosely based on my life.  We do share the same birthday and career (well, before I left the evil world of online marketing for the good world of litigating against online marketing).  But I am not pregnant (that was just to get her on some baby newsletters where she could enter in email, address, due date and other personal information that might be interesting to track).  And my profile is on JDate, not Yahoo!

Published in: Blog