The suit alleges the e-retailer purposefully circumvented consumers’ privacy settings.

Amazon is the target of a class action lawsuit that alleges the e-retailer violated consumers’ privacy by installing unauthorized cookies that gave it access to consumers’ personal information.

The suit, filed this week in U.S. District Court in Seattle by two named plaintiffs, says Amazon in 2008 knowingly used fake codes to communicate its privacy policy to Microsoft’s Internet Explorer web browser, which led the browser to accept cookies that it otherwise would have blocked when consumers chose certain privacy settings.

The suit alleges that Amazon benefitted from the unauthorized cookies because the cookies provided Amazon with information that allowed it to customize the browsing experience to consumers’ tastes, which resulted in the affected consumers making more purchases from Amazon. The suit claims that Amazon shared this browsing information with other companies for advertising purposes, which violates Amazon’s stated privacy policy.

Amazon declined to comment on the lawsuit. The attorney for the two plaintiffs did not immediately respond to a request for comment.

Amazon exploited a loophole that exists in Microsoft’s Internet Explorer web browser versions 6.0, 7.0 and 8.0, according to claims in the suit.


Those versions of Internet Explorer rely on web sites to communicate their privacy policies using a series of codes, known as a compact policy. Internet Explorer compares what those codes communicate against the privacy settings consumers have set in their browser preferences. If what the web site wants to do exceeds what the consumer says is okay, Internet Explorer blocks the site from installing cookies on that computer.

The problem is that codes that don’t communicate a site’s privacy policy properly get past Internet Explorer’s filters, which look only for codes that conflict with the consumer’s settings. Useless codes—or what the lawsuit calls “gibberish”—are accepted. The lawsuit says Amazon used useless codes to bypass the Internet Explorer filters and install cookies on the computers of consumers who didn’t want them.
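The filtering gap described above, shown as an added example that is not part of the original article or the complaint: a header audit that compares a filter rejecting only known-unsatisfactory codes with one that also rejects codes outside the P3P 1.0 compact policy vocabulary. The `UNSATISFACTORY` set, the function names and the sample headers are constructed assumptions, not Internet Explorer's actual rules or any site's real policy.

```python
import re

# P3P 1.0 compact policy vocabulary (W3C Recommendation, 2002).
PURPOSE = "CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP"
RECIPIENT = "OUR DEL SAM UNR PUB OTR"
OTHER = ("NOI ALL CAO IDC OTI NON DSP COR MON LAW NID NOR STP LEG BUS IND TST "
         "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC")
BASE = set(f"{PURPOSE} {RECIPIENT} {OTHER}".split())
# Purposes and recipients (except CUR and OUR) may carry a consent suffix:
# a = always, i = opt-in, o = opt-out.
SUFFIXABLE = set(f"{PURPOSE} {RECIPIENT}".split()) - {"CUR", "OUR"}

# Hypothetical stand-in for "codes that conflict with the user's settings".
UNSATISFACTORY = {"SAM", "UNR", "PUB", "OTR", "TEL", "CON"}

def cp_tokens(header_value):
    """Return the tokens of a P3P header value such as: CP="NOI DSP COR"."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value, re.I)
    return m.group(1).split() if m else []

def is_valid(token):
    """True if the token belongs to the P3P 1.0 compact vocabulary."""
    if token in BASE:
        return True
    return len(token) == 4 and token[:3] in SUFFIXABLE and token[3] in "aio"

def unknown_tokens(header_value):
    return [t for t in cp_tokens(header_value) if not is_valid(t)]

def blocklist_accepts(header_value):
    """The filter as the article describes it: reject only known-bad codes."""
    toks = cp_tokens(header_value)
    return bool(toks) and not any(t in UNSATISFACTORY for t in toks)

def strict_accepts(header_value):
    """Hardened variant: an unrecognised code is itself a reason to reject."""
    return blocklist_accepts(header_value) and not unknown_tokens(header_value)

# Constructed sample header values.
HONEST = 'CP="NOI DSP COR CUR ADMa OUR NOR NAV"'
SHARING = 'CP="NOI CUR OUR UNR NOR NAV"'
GIBBERISH = 'CP="XYZ QQQ"'

if __name__ == "__main__":
    for h in (HONEST, SHARING, GIBBERISH, ""):
        print(f"{h!r:45} blocklist={blocklist_accepts(h)} "
              f"strict={strict_accepts(h)} unknown={unknown_tokens(h)}")
```

Running `unknown_tokens` over recorded response headers is a quick way to flag sites whose compact policy contains codes the specification does not define.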

“Amazon knowingly published an invalid P3P Compact Policy and did so intending to exploit IE’s interpretation that would treat it as valid,” the complaint says. P3P is shorthand for the Platform for Privacy Preferences Project, which established and promoted compact tokens as a way to communicate privacy preferences in 2002.

Nearly 57% of Internet users worldwide use some version of Internet Explorer as their browser, according to NetApplications, a company that tracks browser market share. Internet Explorer is the only major web browser that uses compact policies to communicate privacy policies. Compact policies are technically voluntary. But if a web site does not communicate one, it will automatically be blocked from installing cookies on Internet Explorer users’ computers, says Lorrie Faith Cranor, a Carnegie Mellon University associate professor of computer science and engineering who researches online privacy and usability issues.

Cranor co-authored a paper last fall that presented evidence that Amazon and other e-retailers used the loophole, and her research appears to have stirred up public interest. She is not a party to the lawsuit but the paper she co-authored is cited in the complaint and she says she received a copy of the court filing from the plaintiffs’ attorney.


Cranor says she received calls from several attorneys seeking information about the report’s findings after it was published and that she’s long suspected a lawsuit over compact policy violations would be filed. She says that when the rules surrounding compact policies were created nearly 10 years ago, many web companies had questions about whether those rules would be legally enforceable. She says attention to the question faded over time because no other major browser adopted the compact policy standard.

Cranor says she’s confident her report findings show that Amazon did violate compact policy regulations, and that experts should be able to show that Amazon installed unauthorized cookies on consumers’ computers. She notes that it is up to the court to decide whether Amazon materially benefitted from the information the cookies provided. “I think our report clearly demonstrates that Amazon took direct action to circumvent Microsoft,” she says.

The suit also alleges Amazon used data stored in Flash cookies to recreate Amazon browser cookies a consumer may have deleted. Flash cookies are a storage mechanism that is included with Adobe Flash Player and is designed to remember Flash settings, and these cookies are hard for the average computer user to find and delete, Cranor says. She adds that a computer expert should be able to see if Amazon used Flash cookie data.

The suit also alleges that Amazon shared one of the plaintiffs’ personally identifiable information with other companies in direct violation of what Amazon claims in its privacy notice. Plaintiff Ariana Del Vecchio claims she received numerous advertisements in the mail from pet supply companies that she had never done business with after she purchased pet products on

Cranor says her examinations show that Amazon no longer uses the compact policy code that purportedly tricked Internet Explorer into allowing unauthorized cookies. Amazon is No. 1 in Internet Retailer’s Top 500 Guide.