Export Compliance Daily is a Warren News publication.
Intrusive and 'Dangerous'

Dynatrace's 'Spyware' Secretly Observes Website Users' Interactions: Complaint

“Spyware” from software monitoring company Dynatrace “wiretaps” electronic communications of “thousands” of website visitors, secretly observing and recording their “keystrokes, mouse clicks, data entry, and other electronic communications, in real time,” alleged a class action Wednesday (docket 1:23-cv-11673) in U.S. District Court for Massachusetts in Boston.

Plaintiff Alyssa Gary of Southwick, Massachusetts, visited Ulta Beauty’s website in December to buy cosmetic products, said the complaint. During the visit, her keystrokes, mouse clicks and other electronic communications “were intercepted in real time and disclosed” to Dynatrace “through the wiretap,” it said. The wiretap also captured Gary’s IP address, geolocation and information about her device, it said. The “capturing, recording, and redirection” of her website interactions began when she accessed the Ulta site, “before any purported disclosures were made.” She was unaware her interactions were being “intercepted” and did not give consent for them to be, it said.

Plaintiff Marla Defoort of Montclair, California, also visited Ulta’s website in December and was unaware her website interactions were being disclosed to Dynatrace, the complaint said. She, too, hadn't given consent to the company to record her movements and information, it said.

Most website owners don’t disclose the use of session replay spyware on their websites “out of fear of creeping out website visitors and suppressing website traffic,” said the complaint. Disclosures in privacy policies are “pointless” because “by the time anyone would see such a disclosure, the spyware has already been deployed,” it said.

Dynatrace’s session replay software also allows it to track in real time the amount of time spent on websites, the geographic locations of visitors and other details about visitors, the complaint said. Session replay software allows Dynatrace to break down website interactions into individual website visits and to include page or view loads, third-party consent requests and service requests, it said.

The software links user sessions with website visitors’ identities when they log in to a site or just browse, the complaint said. Dynatrace can get an overview of a specific visitor’s browsing patterns based on the person's unique ID user tag and see an average user experience score, such as whether the person was frustrated or satisfied, in addition to frequency of visits, the complaint said. The company “may view video-like recordings” of users’ sessions, capturing and storing “exactly what a Website Visitor sees on their screen,” along with their clicks, scrolls and other input, it said.

Technology like Dynatrace’s session replay software is intrusive and “dangerous,” said the complaint, citing a 2017 Princeton University study in which researchers found that session recording technologies were collecting sensitive user information such as passwords and credit card numbers. Session recording technologies “can leave users vulnerable to data leaks and the harms resulting therefrom,” it said.

Plaintiffs charge Dynatrace with violating the Massachusetts Wiretapping Statute and the California Invasion of Privacy Act, plus various state privacy codes. They seek compensatory, statutory and punitive damages; prejudgment interest; an order of restitution; injunctive relief; and attorneys’ fees and legal costs. Dynatrace didn't comment.