The suit alleges violations of the Electronic Communications Privacy Act, Computer Fraud and Abuse Act, California's Invasion of Privacy Act and California's Computer Crime Law, as well as aiding and abetting, civil conspiracy and unjust enrichment. It notes that NebuAd and the ISPs acted both independently and jointly to access and disclose information about the ISP subscribers that was sensitive and personally identifying. and that the intentional interception of the information was done so without the consent of the subscriber. In addition, the suit notes that the process was not in the normal course of business for the ISP but instead was used to monetize the subscriber's data for advertisement purposes.
The suit notes that ISPs are allowed to track subscriber traffic to monitor for things like viruses, spam and the overall health of their networks but that DPI is not within those rights. Further, it says that the Acceptable Use Policies that subscribers agree to do not include language that informs customers that their online communications could be sold to advertisers. The suit further notes that Deep Packet Inspection allows ISPs to tap into new revenue streams aside from the traditional subscription business model. It quotes former NebuAd CEO Bob Dykes, who resigned in September, as saying:
The ISPs have not been able to share in the ad revenue and wealth creation around the publishing side of the Internet: They see their role as a valuable and a key role in the Internet, but many of them are making no money, are regulated and see this as a way of funding their capital requirements--While things look bad for the future of NebuAd, which laid off a "significant" number of employees prior to Dykes' resignation, its woes are not a reflection of the entire DPI industry. Phorm, a company with similar technology, has been given a green light by regulators in the U.K., who found the technology to be legal.
The suit can be found here.