Zillow Session Replay Wiretapping of Website Visitors Illinois Class Action

The practice of “wiretapping” may now include wiretapping or intercepting communications on websites. The complaint for this class action alleges that Zillow Group, Inc. has had third-party vendors, such as Microsoft Corporation, embed snippets of JavaScript computer code (known as Session Replay code) on its website. This code allows it to replay visitors’ communications with the website in a way that the complaint says violates the Illinois Eavesdropping Act.

The class for this action is all natural persons in Illinois whose website communications were captured through the use of Session Replay code embedded in www.zillow.com.

When visitors come to the Zillow website, the complaint alleges, the embedded code deploys on their internet browsers to intercept and record their communications with the Zillow website, such as mouse movements, clicks, keystrokes to enter text, and pages visited. These recordings are later used to create a video replay of their behavior at Zillow’s website for the company’s analysis.

The complaint alleges, “Zillow’s directive to the Session Replay Providers to secretly deploy the Session Replay Code results in the electronic equivalent of ‘looking over the shoulder’ of each visitor to the Zillow website for the entire duration of their website interactions.” The complaint cites in particular a Microsoft Session Replay code called Clarity.

Session Replay code “goes well beyond normal analytics” in its collection of information, the complaint alleges, collecting data that visitors did not intend to give to the website, for example, when they enter information in a field but do not click Submit.

The visitor’s browser follows instructions from the Session Replay Code, the complaint claims, sending information to a third-party server. “Typically,” the complaint alleges, “the server receiving the event data is controlled by the third-party entity that wrote the Session Replay Code, rather than the owner of the website where the code is installed.”

Later, the individual visitors’ sessions can be replayed for the website owner, but the complaint claims that “a variety of highly sensitive information can be captured in event responses from website visitors, including medical conditions, credit card details, and other personal information displayed or entered on webpages.”

Session Replay providers can also create “fingerprints” for visitors, the complaint alleges, made up of things like browser settings, screen configuration, and other details that rarely change.

This can be combined with information where the visitors do identify themselves, the complaint alleges, and the provider “can then back-reference all of that user’s other web browsing across other website previously visited, including on websites where the user had intended to remain anonymous—even if the user explicitly indicated that they would like to remain anonymous by enabling private browsing.”

All this is done without obtaining the visitors’ consent or the visitors even being aware of these operations.

Article Type: Lawsuit
Topic: Privacy
Tags: Intercepting Electronic Communications, Sharing Personal Information with Third Parties, Your Privacy, wiretapping