Suit alleges Disney, other top sites spied on users

A lawsuit filed in federal court last week alleges that a group of well-known Web sites, including those owned by Disney, Warner Bros. Records, and Demand Media, broke the law by secretly tracking the Web movements of their users, including children.

Attorneys representing a group of minors and their parents filed the suit Tuesday in the U.S. District Court for the Central District of California, records show. The suit alleges that Clearspring Technologies, a software company that creates widgets and also offers a way to serve ads via widgets, is at the center of the wrongdoing.

Web site operators such as Disney, Playlist.com, and SodaHead are "Clearspring Flash Cookie Affiliates," the plaintiffs allege in their suit. Clearspring set "Flash cookies on (affiliate site) users' computers...online tracking device(s) which would allow access to and disclosure of Internet users' online activities."

The Web sites working with Clearspring knew users weren't just tracked at sites owned by affiliates, but were followed without their knowledge wherever they went online, the defendants wrote in their suit.

Clearspring and Disney representatives were not immediately available for comment Saturday. A representative for Warner Music Group, parent company of Warner Bros. Records, declined to comment.

A similar lawsuit was filed last month against Clearspring rival Quantcast, as well as a host of that company's clients, including ABC and NBC. The same law firms that filed that suit--Parisi & Havens, and the Law Office of Joseph Malley--were responsible for filing the recent complaint.

All the news lately about Web privacy--or the lack thereof--is enough to make anyone paranoid about logging on. The Wall Street Journal recently published an expose on Web privacy and concluded that "one of the fastest-growing businesses on the Internet...is the business of spying on Internet users." And we've seen controversies over privacy at Google and at Facebook. While Congress is looking into improving privacy protections for Web users, it would seem some people are going to take up the issue in court.

The suit against Clearspring was filed one year after researchers from UC Berkeley issued a report on how more than half of the Internet's best known Web sites use Adobe's Flash technology to surreptitiously gather information about their users, according to a story in Wired.com.

"Flash Cookies" are not affected when users try to remove traditional cookies with their browser's privacy controls.

"What's even sneakier," Wired.com reporter Ryan Singel wrote then, is "several services even use the surreptitious data storage to reinstate traditional cookies that a user deleted, which is called 're-spawning,'" This means that a user may kill a cookie, but some technologies will bring it back to life by assigning that cookie's unique ID to a new cookie.

The report from the Berkeley researchers named two companies that reinstate cookies: QuantCast and Clearspring.

Clearspring makes the ubiquitous AddThis tool, which enables users to share links via e-mail or social-networking sites. According to the report from Berkeley, Clearspring has resurrected cookies for AOL.com, Answers.com, and Mapquest.com.

The kind of information Clearspring and its affiliates gathered was personal and far reaching, the plaintiffs wrote in their complaint. They allege the data was obtained by tracking users as they moved "across numerous Web sites, even spotting and tracking users when they accessed the Web from different computers, at home and at work.

"The sensitive information may include such things as users' video-viewing choices and personal characteristics," the plaintiffs continued, "such as gender, age, race, number of children, education level, geographic location, and household income."

In addition, the information Clearspring and its affiliates obtained may have included the materials a user viewed, purchased, or read, according to the filing. The data could reveal details about a person's financial situation, sexual preference, name, home, and e-mail addresses and telephone numbers. Perhaps one of the most disturbing charges that plaintiffs make is that health information could also be acquired by these companies.

Below, plaintiff's lawyers describe how information was allegedly taken from a person suffering from depression.

Among the laws that were allegedly violated by Clearspring and the other defendants are the Computer Fraud and Abuse Act, California's Computer Crime law, and that state's Invasion of Privacy Act.

The plaintiffs are seeking class-action status and have asked for unspecified damages.

Correction: An earlier version of this story incorrectly stated the date of a report issued by UC Berkeley researchers. The correct date was Aug. 10, 2009.