It is nearly impossible to remain anonymous online

In Privacy laws and cyber-security the term Personally Identifiable Information (PII) is used to refer to information that can be used to identify, locate or contact an individual. This can be your name, phone number, social security number, address or other information that can be combined to identify you. PII is a legal term more than a technical term.

There is other information that can be used to guess who you are: The time between each keystroke when you type, how long you take reading a page before you take another action, other sites you have visited, what parts of the site you visit, data you add to a form without submitting, can all allow a computer algorithm to guess if it is you. These odd bits of data may not seem like much, but they can be surprisingly accurate at combining web browsing to get to identifying an individual.

On Nov. 28, 2017, a proposed class action lawsuit was filed against Casper Mattress and NaviStone alleging violations of the U.S. Wiretap Act. Casper Mattress’ web site runs software from NaviStone. NaviStone says their software lets clients “Reach your previously unidentifiable website visitors.”

It seems NaviStone is using javascript to send data back every time a form on their client’s site is changed. They receive all the data about what was typed in the form even if the data was changed before the form was submitted or if the user never submitted the form. The privacy violations rest on whether there is an expectation that they only time data about you is collected is when you submit a form.

NaviStone software is not only used by Casper Mattress, Quicken Loans also uses the software and is being sued in a separate suit. Wayfair and Road Scholar used NaviStone software at one point, but have stated that they stopped using the software.

This is an interesting case, since it appears to rest on the public’s perception on when data is sent to a web site. Very technical users would understand that javascript can be used to track when you type in a form and does not require a submit. They would not be surprised by this software and what it is able to do. Some regular web site users would expect that a submit is required to send data to the server and might be shocked. Other website users would have know idea when the data is sent.

It is interesting to see if the expectation of privacy that is incorrect is enough for a claim of wiretapping. When I am on the web I assume I am writing on a board in the town square that everyone can see.