115 comments

[ 2.7 ms ] story [ 171 ms ] thread
If this sets a precedent, I imagine class-action suits against Meta, reddit, et al. follow very shortly thereafter.

I remember even 7-10 years ago experiencing numerous bugs where the only reasonable explanation (to me) was that they were storing page and form state server-side and there were syncing issues with the client. Things like typing a sentence, deleting it, and then it re-appearing in weird ways as I wrote a new sentence to replace it in a comment form box. I had just kind of assumed this was par for the course with umitigated surveillance by social media companies but hadn't realized this law exists to allegedly disallow that kind of thing.

I remember even back then saying things like "if you give Facebook web access to your camera they will use that to track what you're looking at on the webpage" and sounding paranoid to my colleagues but it doesn't seem so far-fetched now. I'm sure that's a big part of why TikTok works so well too -- many people grant access to the camera because of naivete or because they want to record and upload their own videos from the mobile app. Knowing where attention is in the finest detail is probably a big advantage.

(comment deleted)
Storing form state server-side is incredibly common, and users _want_ that functionality in most cases. One of the most common sign-up frustrations is entering everything into a sign-up form, clicking submit and having some or all of that information cleared and having to re-type it.

There's no privacy concerns about storing form data temporarily to regurgitate it on reload, and it _should_ be a best practice.

Is your example not usually solved with local storage, not server storage?
> There's no privacy concerns about storing form data temporarily to regurgitate it on reload

This is obviously wrong, because it doesn't actually address privacy concerns at all. "Storing form data temporarily" says nothing about what other services/programs/people can access that data while it is stored.

And anyway, sibling comment has a very good point about local storage vs server storage.

This is actually super common functionality with a large number of analytics providers.

We talked to a company a number of years ago trying to sell us this tool that would let you play back a video of what a user did right up to getting an error on your website. Useful, but creepy.

There's many services that provide this these days, including HotJar (paid) and Microsoft Clarity (free).

Being able to see users actually use your site, combined with heatmaps and more really lets your team focus on usability issues, or help direct attention to more important features.

Things like, do users struggle to find the shopping cart button? Are they confused about how to create an account? Is it frustrating to make changes to something, etc. Engineers are really bad at understanding usability issues unless they see it for themselves.

However, it does tend to be something you review/monitor sporadically, not every day. You have to have enough samples to see if changes have had a significant impact or not.

The ones we've used have all had the ability to censor what the tool believes to be sensitive information, such as passwords, credit card numbers, etc. In our experience, these tools overzealously censor on-page text out of an abundance of caution - which is just fine. Rarely are you interested in reading the text on screen, rather, you're watching how the user interacts with the page.

It's kind of a ridiculous notion that a site operator cannot monitor how users use the site... this is not wiretapping and I assume (hope) it gets thrown out.

> It's kind of a ridiculous notion that a site operator cannot monitor how users use the site... this is not wiretapping and I assume (hope) it gets thrown out.

Putting aside how many other ways there are to determine how users use a website without needing to resort to this level of intrusion, the issue is that almost always the user isn't aware this level of monitoring of their actions is happening. Sure, it may be buried deep in some privacy policy or terms and conditions no one ever reads, but that's not exactly what I'd call informed consent. This is where regulation to at least require websites notify their uses that there's literally a recording being taken of their screen interacting with the website would be helpful.

I don't think it matters at all. There is no expectation of privacy when browsing a website (from the website operator). We can see everything you do... obviously.

Also, it's not a recording of their screen that is being taken, but rather it's mouse coordinates and keystrokes which then re-assemble a replay of the actions. Just like a video game replay.

> I don't think it matters at all. There is no expectation of privacy when browsing a website (from the website operator). We can see everything you do... obviously.

Server logs will of course tell the operator what buttons are being clicked on and which pages are being requested. But once those pages are on my computer, I disagree, I do have an expectation of privacy around my mouse movements and keystrokes on my own computer. If I choose to send those to some third party server so be it, but having those collected without consent is a problem.

As engineers we may assume this is being done regardless and accept it as a reality of the web, but I'd imagine the average person would be quite surprised to see what is a recording of their browser window reconstructed without being informed that was happening. They may rightful have that expectation of privacy here, which is being broken by these tools.

> Also, it's not a recording of their screen that is being taken, but rather it's mouse coordinates and keystrokes which then re-assemble a replay of the actions. Just like a video game replay.

It doesn't matter what method is taken to generate a video if the end result is the same as if you were recording my actual browser window.

How would this be any different if I were to design my site to use a websocket and stream mouse events and keystrokes to figure out if you are clicking a button, versus using a javascript event handler or something? In fact, a lot of your browser games operate this way (using coordinates).

There is no one single way to design a website.

The very same non-technical folks that you allege are misled here also have no clue how buttons work on a site either... it's all magic to those folks. Are we not supposed to do any logging now? How is it any different to only log when a user presses a button?

Your TV tracks what shows you watch, what buttons you press, how often you skip commercials, etc. Your smart fridge tracks how often you use the ice feature, your car tracks how often you drive aggressively, etc. No one is alleging these devices are "wiretapping"...

> How would this be any different if I were to design my site to use a websocket and stream mouse events and keystrokes to figure out if you are clicking a button, versus using a javascript event handler or something?

It shouldn't matter the collection method. The point is that you'd be collecting these keystroke and mouse events as they happen in an environment that I, the user, may believe they are not leaving my system.

> The very same non-technical folks that you allege are misled here also have no clue how buttons work on a site either... it's all magic to those folks. Are we not supposed to do any logging now?

That's a fair point. Some users will have no idea at all what data they're sending to the likes of Facebook, for example; it's just a magic box that shows them photos of their grandkids. The test here is given the average person's understanding of the products they are using, is it reasonable to assume the data being generated is not leaving your local system? I think even the average user would assume mouse movements are not being sent away to reconstruct their session on a website down to that level of granularity. You may disagree but that's the tricky issue here: where does the line of an expectation of privacy get drawn? From a technical point of view, I'd argue it's at the separation of client-side and server-side interactions where anything not needed for the functioning of the product on the client-side remains client-side. Hence, something like my mouse movements on a run of the mill website for analytics is across that line but something like mouse movements in a multiplayer video game is not.

> Your TV tracks what shows you watch, what buttons you press, how often you skip commercials, etc.Your smart fridge tracks how often you use the ice feature, your car tracks how often you drive aggressively, etc.

The point is where does this data get sent to? Admittedly I don't know exactly what data my car collects on my driving habits, but I'm pretty sure it doesn't leave the car in that it doesn't have an Onstar-like system installed in it.

If this data is used to essentially be an observer sitting over my shoulder without telling me when I don't have a reasonable expectation that it's happening then, yes, that's a violation of an expectation of privacy. The fact that all of this is legal really demonstrates how far behind laws are to the issue of data collection around usage of services and products.

It's very common to log when a button is clicked. Which means we can already reconstruct a user's session because we know what coordinates buttons have. We might miss out on the random movements and such, but that might not be a big deal if we also log the timestamp when a button was clicked.

Again, if I designed my site to use a websocket instead of event handlers - the result is the same. Are we proposing we outlaw this? Or inversely, placing in law the only accepted method of website design? That seems foolhardy to me.

Your car collects huge amounts of data about your driving habits. A Tesla, for example, might auto-report that data, but your "dumb" car also provides that data to an ODBII reader. In fact, that was the premise for those Progressive (I think) Car Insurance things they wanted you to plug into your car to "prove" you were a safe driver. Any time your car is in for service... this data can be freely read. Your insurance company will also obtain this information after an accident in some cases as well.

We use mouse/key movements for a lot of things, not just reconstructing sessions. Google's newer "I'm not a Robot" captcha's just ask you to click a single button for example. A ton of anti-fraud/abuse systems do this as well, particularly for credit card checkout forms (anti-bot measures). The ramifications of a bad decision for this suit are huge.

> Again, if I designed my site to use a websocket instead of event handlers - the result is the same. Are we proposing we outlaw this?

yes?

I can stab my knife into flesh all day, if that flesh is another human being it turns out it's outlawed.

There is no requirement that the law be applied consistently for some action. Insider Trading doesn't imply all trading is illegal. Being able to pop off fireworks doesn't imply doing so anywhere is legal.

That would then be the first law of it's kind, to mandate how a website is to operate on a technical level.

Even the existing ADA laws do not specify technical details (which is why they are abused in frivolous lawsuits to often).

The opposite actually, if the law says you cannot murder, it doesn't become legal because you used a hammer instead of a gun.

Your question is essentially "well what if I use a knife, because knives can be used for skinning, which is a legitimate use!".

It doesn't work that way.

Like I said, that would be the first law of it's kind. We have zero laws that specify how a website is operated on the technical level. Or how it's engineered or designed. Nothing exists that is comparable to what is being proposed.
That's true, I think the point is that such laws need to start getting created because the compute and personal device issue is legitimately different.
The problem with this, is the technology evolves far quicker than our laws do. The ADA law is a glaring example of this, unfortunately.
Apparently if you outlaw murder, the fact that people are constantly creating new ways to murder makes it confusing as to whether or not murder is outlawed.
No, because murder is still illegal.

In a technical setting, we can't even reliably describe how things will operate 5 years from now. Imagine a law that specified how frames were to operate... and now no one uses frames.

Just imagine a law that says "no tracking". What is tracking? How is it done? How do we know it when we see it? All of this must be defined... and these definitions are fuzzy and change rapidly.

The ADA law specifically says you must make your website accessible... but fails to specify what accessible even means in a modern setting. That's the pitfalls of trying to regulate how things are designed in a technical setting. Perhaps it's possible, but I have not yet seen a good law that made an attempt.

Docker is 9 years old, try again.

No, actually, don't. I reject everything about your premise.

"What even IS ACCESSIBILITY, OMG, you can't explain that!?!?!".

I mean ... maybe YOU can't, but plenty of people can.

No, nobody can. Not even the folks that wrote the law. Not even the folks that enforce the law (DOJ) (referencing the ADA law in regards to websites). You can go look for yourself... it's created an entire cottage industry of would-be vexatious litigants, if any of the suits actually went to court.

So no, it is not easy to define or describe. There is an incredible amount of detail that must be hammered out to make it easy for everyone to become compliant.

We can also reference the EU's GDPR, or California's CCPA/CPRA. All of which are struggling to actually clearly define what they mean. What is an essential cookie? What does it mean to sell someone's personal data? Neither are what you might actually believe...

You can reject it all you want, but that does not change the reality I'm afraid.

What you're describing is called interpretation of the law, and weirdly enough, legal systems have been doing that for the better part of 600 years.
> It's very common to log when a button is clicked. Which means we can already reconstruct a user's session because we know what coordinates buttons have. We might miss out on the random movements and such, but that might not be a big deal if we also log the timestamp when a button was clicked.

The point I was making above was that there's a difference between purely client-side events like mouse movements and keystrokes and server-side events like button clicks and page requests. This may be a trivial difference for most websites, but I have an expectation of privacy around client-side events. Collecting them without the user's consent violates that regardless of the technical mechanism of implementation of that collection.

> Your car collects huge amounts of data about your driving habits. A Tesla, for example, might auto-report that data, but your "dumb" car also provides that data to an ODBII reader. In fact, that was the premise for those Progressive (I think) Car Insurance things they wanted you to plug into your car to "prove" you were a safe driver.

Right, and the difference is that the data provided through the OBD port requires me to physically plug something in and upload it elsewhere. I have control over that data. This is different from these websites that are collecting data like my mouse movements and immediately sending it off without notification or consent.

If I were asked for consent for all the things you listed, I'd withhold it.

Sort of like how Apple gave users the ability to consent and they overwhelmingly withheld it (to the chagrin of FB).

If someone learns they're watched via cameras while in a grocery store, they may not be happy about it but they'll also generally recognize they're on _STORE PROPERTY_.

The key difference here is that this is being done on the _USERS_ property and you're acting as if they shouldn't have to right to withhold that consent.

---

Everyone accepts that an employer may look through company emails of its employees because it goes through company equipment.

These same companies then have the unadulterated gall to turn around and try and claim they have those very same rights on _OTHER PEOPLES EQUIPMENT_.

They're laying claim to other peoples compute.

The reality is you wouldn't be allowed to use the site at all then. As invisible as you might want to be, the system does need to track you and your actions to do anything useful at all. We're not talking about a blog or static site here...
If someone asks to borrow my car to run to the grocery store and they drive 100 miles away to another state, it's theft.

If I consent to have someone use my compute for the operation of their website on my device and they decide to start recording tracking information, it's theft.

There is no dichotomy here, it's possible to consent to one use and not another.

This is not obvious to the average person outside of the industry. For example, most people would expect that text typed into a form field without clicking submit is private and has not been sent to anyone. It is obvious to a software developer that secretly sending the text back to a server while the user types is easy to implement, but posting an agent to read over someone's shoulder while they write a draft which they may choose not to send at all does not become morally acceptable just because modern technology has made this more practical than hiring a PI to watch through someone's house window from a public street.
I can’t talk for the US, but in the EU under GDPR there absolutely is an expectation of privacy.
I think we are in a changepoint time where we need to think about how to make privacy serve the user. By that, I mean it's no longer acceptable to cite the legal standard, but the ethical one. If you collect data, it should be to serve the user. Additionally, any data not used operationally (keep the service running) should have either be limited by purpose ("we will not use your data to target anything to you") or via true anonymization (differential privacy).

If it's not beneficial to the user for you to have this data, you shouldn't have it.

How is it ridiculous? This seems like an argument more like because you can do it, you should do it. What if car manufacturers had similar ideas to "focus on usability issues" and recorded every driver as they're driving their car. You could even use the same argument, if you're out in public there's no expectation of privacy, and you don't own the tech in the car, you just license it. But somehow we would all consider that to be crossing a red line and to be super creepy.
It is equivalent to following someone around a store and writing down how long they look at each item on the shelves, what they pick up, what they put back, etc.
There are (multiple) companies in the US who already do this via in-store cameras and secret shopper monitoring. I know this because I've worked with them.
Such types of analytics tools are useful for certain purposes, however I do think we need some sort of regulation, or monitoring to decide where the line is, and how far any company should be able to go with this type of thing. It's a bit disconcerting because without such technical regulation, where does the line get drawn? Will be the norm transition to discreetly recording audio/video as well?
I’m probably happy to provide that information but I want to know when that happens, and not by fine print in “terms” somewhere.

My browser should render a page, then if I write an angry review and edit it to a less angry one before I submit, I expect my angry review to be logged nowhere at all.

This reminds me of days of unstable internet connections & form submissions not working randomly. In those days, I would type my comment in Notepad first and then copy, paste, and submit. Perhaps, it is time to restart that practice.
When a user goes to your website, the user is trusting you to run you run your software on their hardware. You should respect that.
A few years ago I was at a startup that integration one of these video playback services (Fullstory) into their product. At the time the PM team was all jazzed up about the idea and engineers were rushing to get it implemented. I was the only person to bring up potential privacy concerns which were immediately dismissed under the excuse that the PMs absolutely needed this level of functionality to view individual user's full sessions on the website.

Anyway, Ublock blocks Fullstory's JS from running by default so at the very least your ad-blocker is potentially saving you from this level of intrusion.

I don't think this is entirely accurate. I was at FullStory, as a director of development and founding engineer on the mobile analytics, and we were focused on our privacy-by-default initiative that blocks out user PII while still giving you PM-level information.

The founders of the company were invested in privacy and PBD, and we put a lot of effort into balancing data with privacy. One of the founders even spent a great deal of time on the initial implementation.

This work started years ago and I can say that everyone was interested in privacy, from recording/playback engineers to execs.

I didn't work on the integration directly at the time so it's certainly possible some of my details are incorrect. That said, from what I remember of the demos that were given there was the ability to set regions of pages which contained PII that were not collected but this was entirely up to us to configure. Otherwise, it was possible to watch an individual user's full session on the website.

This was years ago too so maybe it has changed since, but my issue is with the whole premise of products like Fullstory that make it possible to essentially watch your user's over their shoulder without being given proper notification that level of monitoring is occurring.

The potential is there for sure, but the company believed in giving customers the tools to ensure that PII was not recorded, including go as far as giving internal engineers tools required to scrub data permanently that was accidentally recorded.

I no longer work at FullStory, but I believe very strongly that the culture of privacy still exists.

Senior individuals at FS, myself obviously included, felt very strongly that we wanted to avoid any of the creepiness factor, and it was important to us that we felt comfortable with the technology. Discussions on privacy were paramount in all designs.

We demo’d Fullstory recently and decided not to go with it because of user privacy concerns, but there is a “private by default” setting now that masks all fields except ones you explicitly allow.
(comment deleted)
I mean, yeah, isn't this normal behavior for every major video game as well?
This is extremely widely used. I doubt it is going to go anywhere since your interactions with a website have no expectation of privacy from the website owner.
Healthcare related websites do have privacy expectations, as do law services websites, I suspect.

I wonder how many hospitals and clinics use insecure technologies to do interaction monitoring of patients and prospective patients.

I wouldn’t be surprised if some hospital got sued someday for an employee misusing interaction monitoring for personal benefit.

Heh, I could make an argument for Papa John’s being an anti-healthcare website.
One of the big caveats is that the information must be personally identifiable AND include information about the care of that person. Just my going to the website of a healthcare organization doesn't immediately identify me as a patient of that system, just that I've looked at their website. I've done some digging and I've found many health systems using google analytics, which is not HIPAA compliant. But I've found they only use this on their public pages. From what I can tell, they don't use it in their internal systems that will likely contain PHI.

All that said, given the state of IT in healthcare systems, it wouldn't surprise me if some system out there is using a non-HIPAA compliant system for handling PHI. Who? No idea.

The other part of HIPAA is that its penalties are WAY stronger than normal privacy laws. If someone knowingly obtains or discloses PHI in violation of the Privacy rule, they may face fines up to $50,000 and one year in jail. The fines and jail goes higher for more malicious violations. These penalties are enforced on the person who broke the law, not the company.

> One of the big caveats is that the information must be personally identifiable AND include information about the care of that person.

That would be pretty easy to have happen with common things like “contact us” or “ask us a question” modules loaded into websites, etc.

It's a stretch to call my mouse movements while I have a site loaded, or my unsubmitted input, interactions with a website. There wouldn't be an interaction with the website if the website weren't proactively installing software into my browser to sniff around.
It is widely used. And that's a disgusting disregard of customers' privacy.

I very much doubt that this lawsuit will go anywhere. I hope it does, though.

Privacy is really popular on HN users except when it's contrarion to not care about it
Provided it is limited to that site. I'm not sure I have a problem with this kind of situation. If they want to track clicks, data entered, movement on their site... I'm ok with that.

If it is confined to that site and declared illegal, I gotta wonder where the line is drawn exactly...

Should they be allowed to record your mouse movements while on their site and sell information about how steady or shaky your hands appear to be to health insurance or car insurance companies?
I don’t think that would involve the wiretapping lawsuit.
It's mentioned in the lawsuit
You can mention it in a lawsuit, doesn’t mean it is a violation of the law.
Cool. It involves the wiretapping lawsuit.
These smash-and-grab lawyers always way, way, way overstate things in the initial complaint. It's par for the course.

I wouldn't be surprised if Papa John's wasn't even doing any of the alleged things (I have not personally verified)... because it doesn't matter for these types of suits. The plaintiff's lawyers will conveniently ask for a settlement payout less than the estimated cost of litigation, and Papa John's will write a check to make it go away. It's how these things work.

It isn't limited to that site, quote from the "CEO of a major 'session replay' spyware company" in the filing:

> “this unique data can be used to activate custom digital experiences in the moment via an ecosystem of over 50 martech partners. With a global community of customer and partners, we are accelerating the interpretation of human behavior online and shaping a future of addictive customer experience"

> I gotta wonder where the line is drawn exactly

Violating the Federal Wiretap Act and CIPA

I’m not sure “can be” is a violation of wiretapping law is it?
That is a quote about how the information could and likely is shared; not "limited." The actual claims are in the lawsuit.
I'm happy about this, because everyone does it, and when people started tracking what you were typing in a box before you submitted it they silently crossed a line that really bothers me[*].

My browser should be working for me. Not silently giving other people information that I haven't chosen to give them yet.

*edit: and they also introduced another annoying layer of latency, and what looks like a boring textarea suddenly can't keep up with how fast I'm typing.

I find this somewhat akin to how people are monitored in grocery stores.

You better believe that studies are constantly done on shoppers using video cameras. Or heck, just managers using their own eyes to look at how shoppers behave.

K-mart just got dinged for using facial recognition to track shoppers, they claim for loss prevention.
It seems fundamentally different from a certain perspective (maybe not from the layperson's). As much as one person might think that I'm "visiting their website" I think that I'm just requesting them to serve me some information and they include with that a spying payload.
A store is a place where I expect to be monitored both by eyes and cameras.

Sending keystrokes from a form I haven’t submitted is like putting the camera inside the fitting room.

Or, it's like watching you add stuff to your shopping cart, walk around the store, then remove some items, pick different items... and finally walk to the self checkout, scan and buy the goods.
>Or, it's like watching you add stuff to your shopping cart, walk around the store, then remove some items, pick different items... and finally walk to the self checkout, scan and buy the goods.

It's their property.

A website (or app or whatever) is downloaded to my machine and then executed. So all this stuff going on behind the scenes is doing so from my property, using my resources.

Websites are absolutely someone's intellectual property. Just because I've watched a Disney movie on my phone doesn't mean I'm allowed to download Disney movies from Disney+ and start my own competing service.
>Websites are absolutely someone's intellectual property. Just because I've watched a Disney movie on my phone doesn't mean I'm allowed to download Disney movies from Disney+ and start my own competing service.

I wasn't referencing intellectual property. Re-phrased: "It's their premises."

Even that isn't the same. It's still being displayed and then rendered on my computer.

For example using an adblocker on my PC while viewing a website is perfectly legal. Same with scripts that interfere with tracking.

Now, if I go to the physical store and remove posters and cameras, I bet that will lead to some more resistance.

So what? Because websites are someone's imaginary property, they're somehow justified in literally wiretapping anyone who ever visits it? No.

Websites are just some data and code that their servers send to my user agent. Once it's in my computer, it's under my control. Executing code and rendering elements are privileges and they can be revoked in case of abuse. If it's important enough to me I'll reverse engineer the website and write my own code to do what I want with zero foreign code execution.

For security and theft prevention yes.

For market research no. The purpose is very important (which is why it's so key in legislation like GDPR)

The amazon search box is REALLY slow to type into
> when people started tracking what you were typing in a box before you submitted it they silently crossed a line that really bothers me

This week I was in a support chat with my cell provider. As usual, despite giving myself plenty of time it went longer than expected and I had to be on a work call. I typed in the box “I have another appointment starting momentarily; can we schedule a call with a rep tomorrow to pick this up then?”

I forgot to hit enter to send the message, and then was shocked when she replied to the message sitting in “draft”.

That is mildly creepy!
Maybe I am naive but I also wonder if they can hear you when you are out on hold. Is hold really just mute with Muzak?
Isn't it well known by this point that all customer support chat messages (even drafts as you type) are visible to the agent?
I don't think so. One of those things that are not surprising but also unexpected.
Negative. What would be the point of a draft?
So that the customer support rep can start working on the request before it’s been officially submitted. It’s better use of everyone’s time, while at the same time being massively surprising to the customer who finds out.
To trust a personally-created self-signed certificate in Chrome one has to type a shibboleth. There is no visible feedback from typing this string so it resembles a keylogger built into the browser.^1 Suing a website operator over logging keystrokes is a step forward, but we also need to sue to stop a browser vendor from doing the same. Whether Google violates any laws or agreements is for the reader and the courts to decide, but to me this keylogger in the browser is a dark pattern. Firefox uses a visible button.

1. https://jasonmurray.org/posts/2021/thisisunsafe/

WARNING: Make sure the risk is fully understood. Someone may be attempting to impersonate the site or steal your personal information. If trying to stop data collection and exfiltration, delegating trust of all certificates to others may result in "tech" companies, such as Google, combining personal information with metadata surreptitiously collectied over an encrypted connection so that it cannot be seen or blocked, in order to sell advertising or advertising services.

2.

In the past Google has settled suits brought against it under the Wiretap Act. Some these cases are still ongoing. Google has not gotten the decisions it wants regarding its alleged violation of wiretaping statutes. Courts have allowed them. As early as 2013, where Gmail was the basis for the complaint, a court refused to dismiss all wiretapping claims. About four months ago, Google was fined $971,000 for discovery misconduct in one of these ongoing cases.

https://epic.org/privacy/gmail/Gmail-Order-09-26-13.pdf

Google claimed Gmail users have "no expectation of privacy".

https://www.consumerwatchdog.org/resources/googlemotion06131...

Scanning people's WiFi networks

https://cdn.harvardlawreview.org/wp-content/uploads/2014/04/...

https://www.wired.com/2011/06/google-wiretap-breach/

https://www.computerworld.com/article/2489385/google-seeks-s...

https://en.wikipedia.org/wiki/Joffe_v._Google,_Inc.

Chrome, Google Analytics and Google Ad Manager

https://dockets.justia.com/docket/california/candce/5:2020cv...

https://www.plainsite.org/dockets/4a3sd8nnn/california-north...

https://fingfx.thomsonreuters.com/gfx/legaldocs/zgpomedokpd/...

I don't like it either, but case law or legislation against this will just end up with the US mandating things like cookie banners.

Eventually, building a website will be like getting approval to build a building.

Should we stop requiring approval to build buildings?
(comment deleted)
It's hard to imagine the lawyers have much confidence in this lawsuit if they're going after Papa John's instead of, say, Facebook.
The likes of Facebook would litigate this issue. Papa John's will write a check and move on... like most of us would actually, despite how wrong these drive-by bottom-feeding lawyer hit squads are.

No case law will be created here. It's very unlikely this suit will actually see the inside of a court room. Just a smash-and-grab payout and they'll move onto some other fish small enough to desire writing a check versus litigating.

It's the ADA website thing all over again...

What evidence is there that Facebook violated the same specific laws mentioned in the lawsuit?
I think a reasonable strategy would be to pick a target less able to defend itself, in order to more easily win and set a precedent to prepare for a second attack against a bigger target.
> pick a target less able to defend itself... prepare for a second attack against a bigger target...

Yeah, think that's the strategy and what is going too. Good observation.

If Papa John's could get sued over this (it's just a pizza place...) then I have no idea how Hotjar hasn't been sued into oblivion, especially considering their analytics tools don't responsibly tell the users they're being recorded.

Edit: or rather any website that uses Hotjar without informing their users clearly (basically all of them) ...

PJ's has 5,500 locations in 49 countries.

Hotjar had just $25M in revenue last report.

HotJar would have a very serious interest in litigating this issue, whereas Papa John's will have a very serious interest in writing a check to make this go away.

That's why HotJar is not the named defendant.

PJ is not "just a pizza place," it's a global brand with a massive litigious legal team that rarely writes checks "to make this go away"

https://www.prnewswire.com/news-releases/papa-john-schnatter...

Hotjar doesn't have the funds to pay a class action suit.

> The case, filed in December 2019, revolves around Mr. Schnatter's claim that he was targeted by the Defendants, which then leaked secretly-recorded private comments by Mr. Schnatter to the media – out of context to reverse their meaning – maliciously harming him and the company brand. Defendants' actions resulted in a hasty and harmful reaction by the Papa John's board of directors, forcing Mr. Schnatter out of the company he founded 34 years earlier

That is not the same. He was maliciously ran out of his company. This is a technical roadbump, one that does zero harm to PJ or their reputation either direction. They will write a check.

Thanks for quoting the whole thing, but I already read it. I actually posted a link to it.

Papa John had had over 40 lawsuits in the last 30 days. A multinational chain is not an easy target. They have a couple attorneys and a long track record of legal battles, not shrugging things off.

The point is, their attorneys cost a lot of money to actually go litigate. They will have to bring in outside council, and hire a team that actually litigates, not just advises.

It comes down to gut-wrenching, but basic math. It will cost hundreds of thousands of dollars to litigate, and the outcome is uncertain.

Writing a check for half that amount and settle this in a few months is far more desirable. Particularly for something so easy for PJ's to just remove from their site and shrug off. It's not core to their business or anything... they're not defending the right to put pepperoni on pizzas...

> Papa John had had over 40 lawsuits in the last 30 days

You mean there have been 40 complaints filed against them in 30 days. That's not surprising at all. How many of these go to court? Probably near zero... it's just the reality of lawsuits...

Yeah, I already knew that attorneys cost money

> It's not core to their business

E-commerce?!

This session replay thing is not critical to anything they do, including ecommerce. It's just another analytics thing...

Here's how it will play out... been there done that myself:

1) Tech team will be commanded to remove this analytics collection utility, and never use it again.

2) Lawyers get together and figure out a payment that makes sense without litigating and bringing on that risk.

3) Papa John's cuts a check and forgets this even happened.

There is no scenario where this sees a courtroom. No case law will be made. No arguments will even be made. The lawyers will jaw back and forth for a few months, because that's what they do, but then ultimately a demand will be made by the Plaintiff's attorneys, PJ will haggle it down a bit, ultimately pay it, and then the real Plaintiff will get a small stipend if they agree to lend their name to another copycat case... rinse and repeat.

I think people really underappreciate the usefulness of behavior analytics tools.

Remove your nostalgia of the old internet, and it was ridiculously unusable. Things like low contrast texts, really bad button placement, confusing layouts, etc.

Even if you don't personally use something like Hotjar or Crazyegg, we've spent the last several decades learning best practices specifically through these types of tools. Bootstrap or even Tailwind would not exist today without the lessons learned through constant experimentation.

While it's easy enough to steal from prior work, if you make some sort of novel tool or interface and you do not do regular user testing it's going to be a really bad experience.

I'm not saying a more privacy-conscience web can't exist here, but you would either be left with a very hard to use internet, or one that was dominated by a few big players who had the advantage of focus group testing.

I suspect we could have learned that low contrast text was bad without tools that track every single interaction. I might even say we haven't learned that lesson, despite the prevalence of such tools.
And maybe we also underappreciate apocalyptic nuclear war for the eradication of human hunger.

Just because something works to solve a problem, doesn't mean it should be used.

> Just because something works to solve a problem, doesn't mean it should be used.

Sure. I can agree on principle. But I want to call out anyone willing to throw a stone on this but then have ever complained about bad UX.

I believe myself to be a pretty security conscious person, and I hate webdev as much as the next system programmer, but even I don't see anything fundamentally wrong with what papa johns is doing here. I chose to use their website. Any interaction with the site should be assumed to be input that they are allowed to take and use how they want. If I don't want these inputs to be sent, it's my responsibility to configure my browser to 1) tell me it's happening, 2) block the site from seeing those inputs or 3) just shut everything like that off (disable js).

Browsers sandbox websites for a reason, whatever I put into the sandbox is my own responsibility, and whatever happens in that sandbox is allowed.

Low contrast text seems to be a thing of the modern internet, because it "looks better" as long as you are not trying to, you know, read it.
There used to be this concept call a "usability study", where you got five or ten people who'd never used your product in a room and watched them use your product. It didn't give the benefits of a panopticon, but it solved the problem without requiring a keystroke logger.
(comment deleted)
I started working for a company that was using this tracking technology. Struck me as an invasion of privacy, so I discontinued their of the tool. There are other solutions out there for getting useful into on sticking points, crawl depth, etc. that don't expose individual user behavior.
Browsers need an obvious visual indicator (with accessible fallback for users of assistive technology) when the browser determines that event handlers are capturing this data to be sent to a third party.

In fact, there have been studies [0][1][2] (with [0] funded twice by DARPA to the tune of $2.26 million) suggesting that mouse movements and typing patterns can be used as a form of biometric ID.

Who will be the first state to include this type of data, collected at scale, in their definition of “biometric identifiers?” For example, Illinois’ “Biometric Information Privacy Act (BIPA)” [3] currently defines biometric identifiers as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”

BIPA allows a private right of action (rather than empowering only a state Attorney General to pursue violations, like Texas’ “Capture or Use Biometric Identifier Act (CUBI)” [4]. That private right of action has led to a number of successful class-action suits against large social networks, such as Facebook [5] and TikTok [6]. My wife and I both got a >$300 check from the Facebook suit. The TikTok suit is currently being appealed.

[0]: https://phys.org/news/2013-11-iowa-state-keyboard-mouse-mobi...

[1]: https://doi.org/10.1109/SP46214.2022.9833612

[2]: https://doi.org/10.1016/j.ins.2012.02.066

[3]: https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&C...

[4]: https://statutes.capitol.texas.gov/Docs/BC/htm/BC.503.htm

[5]: https://www.facebookbipaclassaction.com

[6]: https://www.tiktokdataprivacysettlement.com