prebid / Prebid.js

Setup and manage header bidding advertising partners without writing code or confusing line items. Prebid.js is open source and free.
https://docs.prebid.org
Apache License 2.0

idImportLibrary.js is intercepting communications without an active submission action #11708

Open AramZS opened 3 months ago

AramZS commented 3 months ago

Type of issue

Bug

Description

The idImportLibrary module is designed to scrape form fields on change and blur events, meaning it will pull data from those fields without an active user action to submit it.

This runs afoul of some pretty uncertain legal ground around intercepting communications, wiretapping and keystroke monitoring. I'm not a lawyer, but as I understand the issue, this can definitely get a publisher using this technology into court, even if the publisher might win the case.

Notable iterations on this concern in courts include the Fullstory case and the underlying legal argument against many session replay services.

Some of these cases have been dismissed, not on the argument that the activity was legal, but on the argument that the person bringing the case lacked jurisdiction, making this activity very legally unclear. The legal definitions at issue here are not fully resolved in case law as far as I can find, which means that while this activity may not be wiretapping, it also seems like it isn't not wiretapping, which seems a pretty dubious place to be. While this is more of a US law concern than anywhere else, it raises serious concerns about the legality of using this module in the US at least, and about the appropriateness of hosting this module within the Prebid project.

I would argue that this module should be removed on ethical grounds alone, as scraping user inputs without an active submission is functionally misleading the user as to what is occurring in those fields. But even if we do not feel we need to remove it from this repository, the documentation should be updated to make it clear what is occurring here, so that publishers who choose to leverage the module can make more informed choices about the accompanying legal risk.

patmmccann commented 3 months ago

Generally, all of these cases are third parties wiretapping the publisher-to-consumer interaction. "The publisher cannot wiretap themselves" still feels like a reasonable interpretation, particularly in, say, European countries, where the publisher may be receiving affirmative consent to process personal data. That being said, many times Prebid.js is hosted or run by a third party and not by the publisher themselves. I suggest we put all these functions behind explicit opt-ins.

patmmccann commented 3 months ago

I suggest we put all these functions behind explicit opt-ins.

Actually, let's entertain that PR if someone wants to make it, and just do the change Jeff said in #11711.

patmmccann commented 3 months ago

the documentation should be updated to make it clear what is occurring here so that publishers who choose to leverage the module can make more informed choices about the accompanying legal risk.

https://github.com/prebid/prebid.github.io/blob/46b03bcf9541b6a709650f3bd016e16a507e3977/dev-docs/modules/idLibrary.md?plain=1#L24

That is what it says now; we welcome your edits.

patmmccann commented 3 months ago

Removing from the scope of 9, as consensus indicates a fix is not breaking.