back to article Papa John's sued for 'wiretap' spying on website mouse clicks, keystrokes

Papa John's is being sued by a customer – not for its pizza but for allegedly breaking the US Wiretap Act by snooping on the way he browsed the pie-slinger's website. The titan of greasy wheels is accused of falling foul of wiretapping rules by using so-called session replay software on its website. This software records and …

  1. elDog

    Really? This is how much of the web works nowadays.

    That loverly page you're looking at is built based on initial HTML and then modifications to the DOM (Document Object Model). Each mouse movement/click can cause elements in the DOM to be activated. Each activation may need to phone home to get the proper content to display.

    Watching how long some bloke hovers his (or her) mouse over a particularly attractive part of someone's anatomy may get recorded, but "Only for improving our website and performance."

    1. ArrZarr Silver badge

      Re: Really? This is how much of the web works nowadays.

      There are different levels to it and it really depends on the goals of the tracking. Something like El Reg doesn't need complex tracking (although I really hope they aren't just throwing mud at the wall to see what sticks with all the redesigns)

      Standard GA, for example, doesn't come with button tracking by default, it just tracks which webpages people see. How people navigate between the pages isn't picked up - they may be typing URLs in directly, for example and you'd have no way of knowing.

      Then there's event tracking where you're looking at user flow. This is most useful for something like a conversion path (think basket -> order confirmation page). The page tracking will show you that 50% of people aren't getting from the card details page to the final "Are you sure?" page so there might be something wrong. This level of tracking will show that 90% of people are clicking the next button so that 40% discrepancy indicates an issue with that specific button.

      Level three is something like hotjar where the position of the user's cursor is tracked on site. This is still aggregated and you end up with a heatmap of cursor location, which is somewhat usable as a proxy for where the user is looking. This is used for specific UX issues as you can check if the Buy Now button isn't in the best spot or some important option/information isn't being found by people.

      This sounds like level 4 where sessions are recorded. Seems like it would be tricky to deal with on something getting the volume of Papa John's site but I've seen this used on very low volume, very high complexity checkouts in the automotive sector where people buy cars online going through the configurator and finance and everything. The fields were all blurred by the software but it made sense in that situation because selling a £100k car is worth a lot of effort to the manufacturer.

      1. TRT Silver badge

        Re: Really? This is how much of the web works nowadays.

        I wish they'd turn it on for the Dell Store configurator... the amount of systems that you simply can't build because of their restrictions is staggering. If you want just one hard drive it's fine... you want to put in an SSD boot drive, an NVMe drive for caching (say image editing) and a 5 disk optimised RAID on SATA for capacity storage, then you're royally screwed!

  2. John Brown (no body) Silver badge
    Thumb Up

    When the tracking hits your eye like a big pizza pie, that's a priori

    I nominate this for the sub-head of the year award!!!

    1. Auntie Dix

      Re: When the tracking hits your eye like a big pizza pie, that's a priori

      Actually, knowledge that proceeds from observations or experiences — such as tracking hitting one's eye, like a big pizza pie — that's a posteriori!


  3. Anonymous Coward
    Anonymous Coward

    You can’t always get what you want

    Decent pizza is one of these things.

    1. Michael Wojcik Silver badge

      Re: You can’t always get what you want

      You generally won't get good pizza from a chain. Their economic incentives lie elsewhere. Small shops depend on local repeat business, so they have to please customers and maintain a reputation. Chains can rely on familiarity and marketing to ensure a steady supply of occasional customers (most of whom aren't going to be very discriminating), and want to reserve capital for expansion, marketing, and other costs that don't contribute to food quality.

      We're lucky to have three independent pizza places, with significant differences in their interpretations of the subject, in the relatively low-population area where I live. And Domino's, in case anyone ever needs to be reminded why the independents are a good thing.

      (Though in fairness I think Domino's may be less terrible now than it was, say, 20 years ago? Perhaps that's just my aging senses losing their precision.)

  4. Auntie Dix
    Thumb Up

    These Italian Suits Are Fitting

    I am reminded of the 2022 class-action lawsuit of the State of Illinois against HireVue's illegal use of interviewees' biometric data.

    The consumer deserves protection. Privacy laws are extremely weak in the United States. The misuse of data that companies get away with is atrocious.

    Lawsuits like this one against Papa John's are a way of fighting back against unwanted surveillance and highlighting insufficient regulation.

    When I call a pizza joint, I do not expect or want the store to record my call, rate of breathing, manner of speech, movement of the receiver, etc.

    The same lack of creepy surveillance should be the business default on the Web.

    1. abetancort

      Re: These Italian Suits Are Fitting

      Suing can force them to record your call for liability issues with your order and quality control. Everyone recording anything should be obligated to inform the other party and seek consent. If there’s no consent they should be able to refuse dealing with you.

      1. Anonymous Coward
        Anonymous Coward

        Re: These Italian Suits Are Fitting

        Damn... somebody has some stock in Papa John's :-/. The sad part is that you're essentially stating that everyone lies without a recording which, sadly seems to be true within modern capitalism.

      2. usbac Silver badge

        Re: These Italian Suits Are Fitting

        In the US, there are 11 states that require consent by both parties to record a call (California, Delaware, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Pennsylvania, and Washington). These states are known as "two party states". There are fairly strong penalties for violating them.

        This is why you frequently hear a message like "this call may be recorded for training purposes..." when calling a business these days.

        1. Anonymous Coward
          Anonymous Coward

          Re: These Italian Suits Are Fitting

          "this call may be recorded for training purposes..."

          Whilst one hears this on almost every call, I don't think I have ever been offered an opportunity to refuse consent, or "continue without recording".

    2. TRT Silver badge

      Re: These Italian Suits Are Fitting

      If they recorded your phone call to order pizza to determine where you fall foul in the ordering process, it's usually when some very lowly paid person reads back your order and you discover that the person who doesn't want mushroom but wants extra cheese has got no cheese and extra mushroom, they've not taken the anchovies off Steve's pizza and they've put the wrong crust type on everyone's pie.

  5. This post has been deleted by its author

    1. Michael Wojcik Silver badge

      I hate to sound cheesy, but that's a bit of a saucy take!

    2. Korev Silver badge

      Yeah, they may host their own pizza boxes in their datacentres

  6. Scott Broukell

    Look that’s all very well but getting all uppity about these matters but this will simply stifle the development of modern AI and ML technologies and their commerce! /s

    Remember when you hated to even contemplate the thought of actually going to the shops in order to procure the ingredients for a pizza that you then had to cook yourself!

    Well now, with developments in modern AI and ML, very soon you won’t even have to bother with all the hassle of even visiting a fecking website any more!

    Food fulfilment factors will automatically know (probably before you even realise it yourself), from traits you exhibit in real-time and which are captured by smart devices in your home, just which flavours and toppings you want right this second!

    The items will be baked and a droid will be dispatched straight to you with all the items you enjoy and crave. This will all be timed to arrive, hot and ready to eat, at your door in the same instant that you yourself have the urge to contact your favourite food vendor! Wow, just wow!

    It’s the future, it’s here already, eat and enjoy! Eat and enjoy!

  7. GruntyMcPugh Silver badge

    Supermarkets do this to people already.

    Supermarkets watch people walk around the store, how long they linger, whether they pick items up and put them back down, which routes they take, whether they skip aisles etc etc, and then arrange the store so a customer passes through as much of it as possible in an attempt to maximise sales. So Papa Johns is doing it virtually? Meh. And while I'd like to stick it to them because I have no time for them as a business, this isn't the hill to die on.

    1. Chris 15

      Re: Supermarkets do this to people already.

      The big difference in the supermarket is that it is a public place... With no reasonable expectation of privacy.

      You could order your Pappa John's cardboard circle whilst stark naked (best to don some type of clothing when you accept the delivery though...)

      Can't do that in a supermarket

      1. martinusher Silver badge

        Re: Supermarkets do this to people already.

        >The big difference in the supermarket is that it is a public place... With no reasonable expectation of privacy.

        There has never been an expectation of privacy on the Internet. You're given the illusion because its convenient for the vendor.

        I'd guess that Papa John's really hasn't a clue what's going on. They would have contracted the site to a site building company -- its generally not cost effective to build an entire site from scratch in house -- and whatever tools the site builder uses are the ones doing the tracking. (I'm pretty sure that a pizza vendor isn't interested in that level of granular detail about their customers.)

        (For all I know it could be the CIA hiding their covert communications behind PJ's website. Order the right combination of pizza toppings -- pineapple and anchovy, say -- and it opens a direct line to Langley.)

      2. GruntyMcPugh Silver badge

        Re: Supermarkets do this to people already.

        If they were spying on peeps through their web cam, well, yeah, that would be an issue. But a web site logging what you do on the web site? I have no issue with that. I think people forget the etymology of 'logging on', and it's when we identify ourselves to a computer system, and when events in our session may be recorded.

  8. Anonymous Coward
    Anonymous Coward

    so what?

    it's their website, it's not like it's Pulling data from their PC/Phone, and you have to Go To the site.

    Every store you walk into, someone is watching, it's expected. If someone is on a website it's tracked, always, even if its just the host tracking what browser visited.

    If they want to bash a pizza place over this stupid stuff, well, maybe it could sent a president and get all social media shut down :) no websites allowed to track anything even that it was visited - no metrics for anyone lol

    Glad I'm almost dead, this world is insane.

    1. John Brown (no body) Silver badge

      Re: so what?

      It's about how much data is collected and the purposes it's collected for. Apart from the article, I've not read any deeper on this case, so can't really comment on the merits of this case or the likelihood of success. Maybe if it gets to court we'll find out a bit more about what is being collected, whether or how much is personally identifiable, and maybe have a more informed opinion on whether it's too much, a temporary analytics to drive a site redesign or if it's just "nice to have" by Papa Johns.

      It'd be interesting to know if they do this in jurisdictions with strong data and privacy protection laws. That would help inform whether what they are doing is actually necessary or just because they can

  9. Great Bu

    Information Privacy Boundaries in the Modern World

    It's a refreshing development of modern society that people couldn't care less if the world knows that they are fervent fans of donkey-based pornography but if there is a risk that the world will know that they are the sort of degenerate pervert that puts pineapple on pizza they will sue to keep it quiet....

    1. Michael Wojcik Silver badge

      Re: Information Privacy Boundaries in the Modern World

      The problem here isn't revealing I like pineapple on pizza;1 it's revealing how long I agonized over the decision, mousing over to the checkbox and away again, tormented by the tension between abject and hideous desire on the one hand, shame and fear of social rejection on the other...

      1Actually I'm pretty much indifferent to it. I'll have it if it's what's available, but I wouldn't bother ordering it.

    2. keith_w

      Re: Information Privacy Boundaries in the Modern World

      I like ham and pineapple on my pizza and I don't care who knows it, or what their opinion of me might be because of it.

  10. xyz123 Silver badge

    No-one's going to mention how this guy was ordering possible the most disgusting takeaway pizza on earth?

    and I include "this is the only meat we could get - minced dead Russian Soldier" from the pizza place in Red Square, Moscow.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like