Moosejaw, a retail company specializing in outdoor garb, is being sued for “wiretapping” computers of its website visitors.

Brought by California plaintiff Jeremiah Revitch, the complaint, authored by L. Timothy Fisher of the boutique Bursor & Fisher, alleges Moosejaw and fellow defendant NaviStone Inc., a data broker, violated California privacy law when they “secretly embedded” computer code on Moosejaw.com “to de-anonymize and identify” people visiting the website.

These “wiretaps,” the plaintiff claims, “observe visitors' keystrokes, mouse clicks and other electronic communications in real time” to gather personally identifying information on anonymous users and unveil their addresses, names and information on browsing habits, regardless of whether a purchase is made.

According to the complaint, NaviStone requests e-commerce partners such as Moosejaw add a line of code to their websites that creates a “back door” for the data broker to execute its own remote code that “functions as a wiretap” by allowing PII such as IP addresses be sent to NaviStone. The complaint also claims the code “scans the visitor's computer for data files that could reveal the visitor's identity.”

The code will “spy on the visitor as he or she browses the website” and redirect collected information to NaviStone. “This real-time interception and transmission of visitors' electronic communications begins as soon as the visitor loads Moosejaw.com into their web browser,” according to the complaint. “NaviStone then uses this information to attempt to de-anonymize website visitors.”

David Bertoni of Brann & Isaacson, counsel for for NaviStone, said the factual allegations in the complaint didn't match up to the company's cyber-practices.

“Most of what is stated in the complaint is totally false,” Bertoni said in an email. “For example, NaviStone does not log keystrokes, does not collect form field information, does not scan anyone's devices, and does not create a backdoor to collect personally identifiable information. NaviStone has faced this same law firm four times for claims of wiretapping, and all of those frivolous claims were dismissed with prejudice.”

NaviStone's actions were documented in 2017 by Gizmodo, which reported that the company was nabbing data on users filling out info on websites provided by companies such as Quicken Loans and Acurian Health regardless of whether a user clicked “submit.” Ryan Calo, a law professor at University of Washington, told Gizmodo that sending their info regardless of whether they clicked was a clear violation of user expectation, and that could violate unfair and deceptive practices law.

NaviStone and Moosejaw, Fisher notes in the complaint, “intended to commit tortious acts including disclosures of the intercepted information” by embedding the backdoor code on Moosejaw.com, which in addition to violating California's Invasion of Privacy also renders them out of bounds with privacy rights granted by the California Constitution, as well as California Consumers Legal Remedies Act and Unfair Competition Law.

“None of these actions was undertaken in the ordinary course of business. On the contrary, these actions are contrary to the legitimate expectations of website visitors, and are contrary to established industry norms,” Fisher adds.

The Moosejaw litigation isn't Bursor & Fisher's first foray into a privacy suit. The firm was appointed by Judge Richard Seeborg as interim class counsel in a nationwide class action against Facebook over the company's alleged collection of user call and text history via apps without consent. The firm also represented plaintiffs in a suit against Hearst Communications, alleging the media company violated Michigan privacy law by selling subscriber information without consent.

Fisher is joined by colleagues Joel D. Smith and Frederik Klorczyk III, neither of whom responded to requests for comment. Partner Scott Bursor is also listed in the complaint.

Read the complaint:

|