Class Action Lawsuit Alleges Casper Mattresses ‘Wiretaps’ Website Users to Collect Addresses, Other Personal Details [UPDATE]

Online mattress retailer Casper Sleep Inc. is one of two defendants in a five-count proposed class action lawsuit in which the plaintiff alleges the company, with co-defendant NaviStone, Inc., effectively wiretaps visitors to Casper.com. This is done, the suit claims, by logging “keystrokes, mouse clicks and other electronic communications in real time” with the goal of gathering personally identifiable information to “de-anonymize” potential customers. According to the 21-page complaint, the defendants’ alleged online wiretapping enables the companies to “immediately, automatically, and secretly” track a website user regardless of whether the individual ultimately buys a mattress.

“By doing so,” the complaint claims, “[the defendants] have violated Title I of the Electronic Communications Privacy Act of 1986 … also known as the ‘Wiretap Act,’ which prohibits the intentional interception of wire, oral, and electronic communications unless specifically authorized by a court order.”

The lawsuit seeks statutory damages including, but not limited to, $10,000 per class member.

What does the plaintiff allege?

The plaintiff, a New York consumer, claims he has visited Casper.com on several occasions within the past six months without ever buying a mattress. During each visit to Casper’s website, the plaintiff charges, his communications, unbeknownst to him, were unlawfully captured and redirected in real time to NaviStone—a data broker that specializes in developing marketing technology with which to track website visitor behavior—who then supposedly used the man’s online movements to “attempt to learn his identity, postal address,” and other personally identifiable details. 

Tell me a little more about NaviStone.

NaviStone is a firm that partners with online retailers who, to capture consumers’ behavior, agree to allow the data broker to insert a small snippet of computer code into their websites. The complaint refers to this code as a “back door” that NaviStone boasts enables retailers to unearth a wealth of new marketing data.

Though at the surface level NaviStone’s consumer data-capturing offerings may seem like a must-have for any business looking for a leg up on competitors, the complaint paints a darker picture about the capabilities the data firm’s technology.

“As currently deployed, NaviStone’s remote code functions as a wiretap. That is, when connecting to a website that runs this remote code from NaviStone, a visitor’s IP address and other [personally identifiable information] is sent to NaviStone in real-time. NaviStone’s code will then continue to spy on the visitor as he or she browses the website, capturing and redirecting the visitor’s keystrokes, mouse clicks and other electronic communications to NaviStone. This real-time interception and transmission of visitors’ electronic communications begins as soon as the visitor loads casper.com into their web browser. The intercepted communications include, among other things, information typed on forms located on casper.com, regardless of whether the user completes the form or clicks ‘Submit.’ NaviStone then uses this information to attempt to de-anonymize website visitors.”

Once NaviStone captures a consumer’s data and browsing habits, the case continues, that information then gets stored in a back-end database. From here, NaviStone, in partnership with hundreds of e-commerce websites, allegedly attempts to match elements of intercepted data with real-life records of consumers.

How does NaviStone allegedly do this undetected?

Citing a June 2017 expose published by tech news outlet Gizmodo, the lawsuit alleges NaviStone obfuscates the supposed wiretapping codes on its clients’ websites through “dummy domains” as a way to conceal its activities. According to Gizmodo, NaviStone’s data capturing is powerful enough to even “send postcards to the homes of anonymous website shoppers within a day or two of their visit.”

“NaviStone’s wiretaps are engaged as soon as the visitor arrives at casper.com. By merely loading the main page on casper.com, with no other action, the visitor is connected to NaviStone’s wiretaps, which begin to intercept and monitor their communications,” the complaint reads.

The complaint includes the below screenshots of Casper’s website alongside Google Chrome’s Developer Tools Network View, which displays incoming and outgoing transmissions. The lawsuit claims that when Casper.com is loaded in a web browser, the site automatically retrieves a file on an ostensibly unrelated domain allegedly owned by NaviStone (http://code.murdoog.com/onetag... highlighted in the top image below) hosted on a remote server that contains computer code written in JavaScript.

This code is effectively obfuscated, the case says, as it “lacks comments, explanations, proper indenting, or intelligible names for variables.”

Once the code in the file is executed, the case says, no further action is needed from the website user, Casper or NaviStone to capture browsing data.

People buy mattresses on the Internet?

Do they ever. Despite being roughly four years old, Casper, the complaint says, has blossomed into the country’s leading mattress manufacturer and retailer. According to the lawsuit, a June 2017 New York Times report pegged Casper’s value at $750 million, with the company having reportedly rejected a $1 billion buyout offer from Target two months later.

Who does this lawsuit seek to include?

The proposed class named by the lawsuit includes all consumers nationwide whose electronic communications were intercepted through the use of NaviStone’s alleged wiretaps on Casper.com.

The full complaint can be read below.