Internet audience tracking and analytics firm comScore is being accused of surreptitiously collecting Social Security numbers, credit card information and passwords from consumers.
The company is also accused of using its data collection software to tamper with user systems and stealing information from saved documents, according to a proposed class-action lawsuit filed in the United States District Court, Northern District of Illinois on Aug. 23. Filed on the behalf of two people, one from Illinois and one from California, the lawsuit claimed comScore allegedly violated the Stored Communications Act, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act and Illinois Consumer Fraud and Deceptive Practices Act.
The privacy violations include comScore allegedly changing security settings on the user’s firewall and opening backdoors, redirecting user traffic online, and injecting data collection code into browsers and instant messaging applications without user permission, according to court documents.
The plaintiff claimed the software could monitor keystrokes and every action taken online as well as scanning all saved documents, emails and PDF files on the user’s computer in order to transmit the data gleaned from the files. The software may even scan visible files belonging to other users on the same network.
“The scope and breadth of data that comScore collects from unsuspecting consumers is terrifying,” the lawsuit said.
An online audience measurement and customer tracking company, comScore bundles its tool with free products such as screensavers and music-sharing software or with chances to enter sweepstakes and other incentives. Once the tracking software has been installed, comScore collects information from the participants and distributes it to its client roster of approximately 1,800 customers including e-commerce sites, retailers, advertising agencies and publishers. The comScore statistics are frequently used by news outlets to discuss online behavior and Website analytics.
One of comScore’s Websites warns users that the software monitors all Internet activity, including filling a shopping basket, completing an application form or checking online accounts. The fact that it is monitoring keystrokes and all online activity means it would be easy for someone at comScore, or someone who hacked comScore’s data, to grab sensitive consumer information.
The software is distributed under various names such as RelevantKnowledge, OpinionSpy, PremierOpinion, OpinionSquare, PermissionResearch and MarketScore, according to the lawsuit. It is often embedded in free screensavers, games and other applications without proper notice, so users aren’t even aware they are sending data to comScore, according to the lawsuit.
The software is difficult to uninstall, and even after the user manages to remove it, an untrusted “root certificate” is left behind that potentially exposes the user to online security threats, the plaintiffs said. comScore’s software can also be updated and controlled remotely without user intervention, the plaintiffs said.
comScore “constantly collects, monitors and analyzes every online move, no matter how private, of over two million persons,” the suit said.
comScore spokesman Andrew Lipsman called the lawsuit meritless. “We have reviewed the lawsuit and find it to be without merit and full of factual inaccuracies,” he said. “comScore intends to aggressively defend itself against these claims.”
Privacy advocates have grown more concerned about data collection, and there’s a lot of interest among Congressional lawmakers to give Internet users more control over what kind of data is being collected and how to opt-out of tracking.
On its Website, comScore claimed to try to filter out confidential and personally identifiable information from the data or purge it from the database if such data was “inadvertently” stored. The company claimed to “make commercially viable efforts” to clean the data.