Skip Page Banner  
Skip Navigation

History Sniffing: Updates On Current Litigation, Contributed by Walter E. Judge, Jr. and Matthew S. Borick, Downs Rachlin Martin LLC

Wednesday, November 9, 2011

In three federal lawsuits – two in New York and one in California – two Internet users have brought to the fore another chapter in the ongoing drama over Internet privacy. That new chapter is "history sniffing." The lawsuits allege that Internet advertisers, several major U.S. corporations, and a popular adult website have employed hidden links to web addresses (or URLs), in JavaScript code, that allow them to secretly access, or "sniff," the browsing histories of web surfers. Here’s how it generally works: The user’s web browser (but not the user) sees each hidden link and displays it in purple or in blue, depending on whether the user has previously visited the site accessed by the particular link.1 The history sniffing code detects these colors, and therefore can tell whether the user has visited a particular website in the past.2 The legal claims that have been raised in the three suits are nothing short of a law school exam, ranging from computer crime to wiretapping, deceptive practices to trespassing, unjust enrichment to unfair competition, and breach of contract to tortious interference.

The New York Cases

Not unexpectedly, two of the three federal "history sniffing" lawsuits immediately met with enemy fire. The defendants in Interclick and McDonald’s, the two New York class actions filed by plaintiff Sonal Bose, moved to dismiss all claims in the original complaints on a variety of grounds.3 On a broad level, the defendants in these cases contended that the allegations in the respective complaints were vague and conclusory – including on the key issue of damages – thereby falling short of the federal pleading standards established by the U.S. Supreme Court in the Twombly and Iqbal cases.4 In addition, the defendants in the McDonald’s case argued that the plaintiff lacked standing to sue them because (1) she alleged only that she "believes" she was subjected to history sniffing, and therefore failed to allege any concrete injury, and (2) she did not allege any injury that was traceable to any of the defendants’ actions.5 Rather than opposing the two motions to dismiss, however, Bose instead consolidated the two cases into one (Bose v. Interclick, Inc., et al.) and amended her complaint to beef up her claims in view of the deficiencies raised in the motions to dismiss.6 Bose also dropped her claims for violation of the federal Wiretap Act. This was not surprising because the alleged activities by the defendants did not include intercepting the contents of any electronic communications – at most, defendants merely obtained information on the identities of the communicating parties and the fact that a communication had occurred – nor did defendants’ alleged actions include intercepting any communications while they were "in transmission." The most notable revision in Bose’s amended complaint was that she substantially expanded her "Factual Allegations" section – adding more than 20 new paragraphs – in an attempt to explain how she and the other members of the proposed class supposedly have been harmed by the defendants’ alleged actions.7 The amended complaint identifies five types of harm, all of which (in the authors’ opinion) are debatable and in some cases, confusing at best. First, Bose claims that "consumers engage in value-for-value exchanges by providing their [personal] information in exchange for content and services [provided by websites]," and that the websites act as "intermediaries" between consumers and advertisers, which pay the websites for access to the personal information furnished by consumers.8 Bose further alleges that, by "engag[ing] in undisclosed and inadequately disclosed data collection from consumers [through history sniffing]," the defendants raise the price consumers must pay to obtain website contents and thereby deprive consumers of the full value of the exchange.9 What Bose appears to be claiming is that, because the defendants secretly obtain consumer information without paying the website for it, this imposes "economic costs" on consumers – presumably in the form of reduced content availability or quality.10 Second, Bose alleges that history sniffing imposes costs by diminishing the opportunities for consumers to "enter[] into value-for-value exchanges with other web publishers and third-party advertisers whose business practices better conform to consumers’ expectations."11 The theory here appears to be that, because consumers are able to choose which websites they visit, they can use their personal information as a bargaining chip to entice websites to provide better content than their competitors.12 The allegation is that history sniffing disrupts this construct. Third, Bose claims that the defendants’ secret taking of personal information "imposes costs on consumers who would otherwise have exercised their rights to utilize the economic value of their [personal] information by declining to exchange it with Defendants or any competitor – foregoing online offerings entirely."13 In other words, history sniffing makes consumers (or at least some of them) not want to surf the web at all. This assumes, of course, that the consumer knows he or she is being "sniffed." Fourth, Bose alleges that history sniffing deprives consumers of the opportunity "to market their [personal] information directly to online websites and advertisers and control the transfer of their information."14 She identifies three online services through which this can be done – " (UK)," "," and ""15 But these services only appear to help web surfers better control who can access or share their data.16 They do not create a market through which consumers can "sell" their data to third parties. Fifth, Bose claims that that the defendants "dispossessed Plaintiff and Class Members of the value of their computers and computer-related services."17 The theory behind this alleged harm is that consumers pay for computers and internet services that provide a certain level of processing and transmission speed, and that the defendants’ use of history sniffing code has hindered this performance and, in some cases, has resulted in unavailability or limited availability of services.18 In response to Bose’s amended complaint, both Interclick (a web ad-server) and the "advertiser defendants" (McDonald’s, CBS, Mazda, Microsoft, and 50 "Doe" defendants) once again moved to dismiss. As in their prior motions to dismiss, the defendants generally argued that Bose’s allegations are vague, conclusory, and speculative, that she cannot confirm that she was actually subjected to history sniffing, and that she remains unable to allege a legally viable injury.19 The advertiser defendants further argued that Bose’s amended complaint (1) contains "impermissible group pleading" by simply lumping them in with Interclick; and (2) is devoid of facts that establish standing (i.e., by connecting her to any of the advertiser defendants).20 Turning to Bose’s specific claims, federal jurisdiction in the case is predicated in part upon alleged violations of the federal Computer Fraud and Abuse Act ("CFAA").21 Both Interclick and the advertiser defendants sought to dismiss these claims on similar grounds, arguing that the plaintiff has not and cannot allege facts demonstrating that she, or the putative class she seeks to represent, meets the $5,000 statutory threshold for civil actions.22 They contended that Bose’s damage allegations "merely parrot the words of the statute" and fail to establish that a claim for "violation of the right of privacy" or "disclosure of personal information" is cognizable under the CFAA.23 The defendants further argued that Bose fails to adequately allege that she actually could have sold her browsing history to another party or that such information even has economic value.24 Finally, the defendants attacked Bose’s claim on the grounds that she cannot individually meet the required $5,000 damage threshold, nor can she aggregate damages across the entire class in order to meet the threshold because the alleged violations do not constitute a "single act."25 In addition to the foregoing, the advertiser defendants also argued that Bose does not allege that any of them accessed her computer or transmitted code to her computer without authorization, and that they cannot be held secondarily liable under the CFAA for alleged violations committed by another party (i.e., Interclick).26 As for the remaining state law claims, which include deceptive practices, trespass to chattels, unjust enrichment, implied contract, and tortious interference, the defendants generally argued that the federal court lacks jurisdiction over these claims given the nonjusticiability of the federal CFAA claim, and that the claims are conclusory and lacking in sufficient facts to meet the Twombly/Iqbal pleading standards or to establish all required elements of the various causes of action.27 In subsequent briefing on their requested dismissal,28 defendants informed the court of a new decision, issued shortly after they moved to dismiss, in a California case concerning the use of "flash cookies" to track Internet use.29 In that case, LaCourt v. Specific Media, Inc., the court dismissed claims under the CFAA and other statutes, as well as common law claims for trespass to chattels and unjust enrichment, on the grounds that the plaintiffs lacked standing because they failed to allege that they were affected by the alleged unlawful practices, that they suffered any economic injury, or that their computers were harmed.30 On August 17, 2011, four months after the defendants in Interclick moved to dismiss Bose’s consolidated amended complaint, the court issued a decision.31 The court first analyzed Bose’s CFAA count and found that she failed to state a viable claim. On the issue of impairment of Bose’s computer, the court ruled that Bose failed to make any specific allegation regarding the costs to repair or investigate the alleged impairment.32 Regarding the alleged collection of personal information, the court concluded that Bose did not plead any cognizable economic injury.33 The court also held that Bose failed to demonstrate how the code placed on her computer caused any interruption of service, and that she did not allege any costs incurred to remedy the alleged interruption.34 Finally, the court rejected the aggregation of losses or damages across all class members in order to meet the $5,000 statutory threshold, because the conduct complained of did not constitute a "single act" as to all class members.35 Turning next to Bose’s state law claims,36 the court determined that Bose sufficiently stated a claim against Interclick – but not the advertiser defendants37 – under New York Gen. Bus. Law § 349 because she pled that Interclick had engaged in a deceptive practice (i.e., by circumventing consumers’ browser privacy and security settings) that affected the consuming public,38 and because privacy violations such as those alleged constituted injuries under § 349.39 The court further held that Bose’s claim against Interclick for trespass to chattels, although of "dubious merit," was "arguably sufficient to survive a motion to dismiss."40 Bose’s claims for breach of implied contract and tortious interference with contract, however, were rejected by the court as to all defendants because Bose failed to plead that she or any class members were denied any bargained-for benefit, and because she did not plead facts sufficient to show that any contracts existed or, if they had, that defendants procured a breach.41 All of the court’s dismissals in Interclick were with prejudice, as the court determined that any efforts by Bose to replead the dismissed claims would be futile.42 Thus, all that remains in the case are Bose’s claims against Interclick for deceptive practices under New York Gen. Bus. Law § 349 and trespass to chattels. Interclick has now answered those claims and, if not resolved by the parties, the case will proceed to discovery.

The California Case

Although filed before the New York cases, the case of Pitner v. Midstream Media Int’l, N.V. has seen far less progress. Back in April 2011, not having received any proof of service of the complaint from plaintiffs, the court in Pitner issued an order to show cause as to why the case should not be dismissed for lack of prosecution.43 In response, plaintiffs advised that they attempted personal service on defendant on the island of Curacao, but the designated service address was vacant and the alternate contact location provided at the service address was not valid.44 Plaintiffs therefore requested additional time for service, which the court granted.45 However, after further efforts to locate defendant were unsuccessful, plaintiffs sought an order allowing a subpoena to be issued against defendant’s web hosting company, HostMonster, Inc., in order to obtain documents concerning defendant’s location.46 The court granted plaintiffs’ motion, and also extended the show cause order until December 12, 2011.47 It therefore remains to be seen what will happen in the Pitner case. However, in view of the court’s dismissal in LaCourt v. Specific Media, Inc. (which was filed in the same court as Pitner), as well as the dismissals by the court in Interclick, we can reasonably expect that plaintiffs will face an uphill battle.

Federal Legislative Responses to History Sniffing and Other Online Tracking Activities

In addition to the cases filed in the courts, the war against history sniffing and other online tracking practices is also being fought in Congress. Since February 2011, at least nine bills have been introduced in the House and Senate to address issues related to data collection and privacy on the web:
  • H.R. 611 – "Building Effective Strategies To Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards (BEST PRACTICES) Act" (introduced February 10, 2011);48
  • H.R. 654 – "Do Not Track Me Online Act" (introduced on February 11, 2011);49
  • S. 799 – "Commercial Privacy Bill of Rights Act of 2011" (introduced April 12, 2011);50
  • H.R. 1528 – "Consumer Privacy Protection Act of 2011" (introduced April 13, 2011);51
  • S. 913 – "Do-Not-Track Online Act of 2011" (introduced on May 9, 2011);52
  • H.R. 1895 – "Do Not Track Kids Act of 2011" (introduced May 13, 2011);53
  • S. 1151 – "Personal Data Privacy and Security Act of 2011" (introduced June 7, 2011);54
  • S. 1408 – "Data Breach Notification Act of 2011" (introduced July 22, 2011);55 and
  • S. 1535 – "Personal Data Protection and Breach Accountability Act of 2011" (introduced September 8, 2011).56
The future of this legislation and its potential impact on behavior in cyberspace remains to be seen. But it is clear that history sniffing and other online tracking practices have captured the attention of lawmakers in Washington.


So far, complaints against history sniffing have not fared well in the courts, with the primary culprit appearing to be the speculative nature of the injuries and damages that are being attributed to online tracking activity. There is, however, a chance that legislation eventually will come to the rescue. But at least for the time being, we can all expect that online advertisers will continue to monitor where we have been on the web. Walter E. Judge, Jr. is a Director, and Matthew S. Borick is a Senior Associate, with Downs Rachlin Martin PLLC in Burlington, Vermont. Both are members of the firm’s Litigation and Intellectual Property Practice Groups, and have litigated numerous cases involving intellectual property, computer crime, and consumer fraud. Both are active members of DRI and DRI’s Commercial Litigation Committee.
DisclaimerThis document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney-client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. The Bureau of National Affairs, Inc. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy.©2014 The Bureau of National Affairs, Inc. All rights reserved. Bloomberg Law Reports ® is a registered trademark and service mark of The Bureau of National Affairs, Inc.

To view additional stories from Bloomberg Law® request a demo now