last week, a class-action lawsuit was filed in U.S. District Court in Central California against Quantcast Corporation and several of its affiliates for using "zombie" cookies to track consumers' online activity and for violating several computer and consumer privacy laws.
The affiliates include several major online companies and their websites you have probably used: Myspace Inc., American Broadcasting Companies Inc. ESPN Inc., Hulu LLc., JibJab Media, MTV Networks, NBC Universal Inc. and Scribd Inc.. The complaint alleges that the companies violated one or several laws:
- Computer Fraud and Abuse Act, 18 U.S.C. § 1030
- Electronic Communications Privacy Act, 18 U.S.C. § 2510
- Video Privacy Protection Act, 18 U.S.C. § 2710
- California’s Computer Crime Law, Penal Code § 502
- California's Invasion of Privacy Act, Penal Code § 630
- UCL, Business and Professional Code § 17200
- Consumer Legal Remedies Act
I've Been Mugged reviewed the complaint (PDF, 690k bytes), which alleged that several consumers:
"... were victims of unfair, deceptive, and unlawful business practices; wherein their privacy, financial interests, and computer security rights, were violated by Quantcast Corporation, and websites affiliated individually with Quantcast... by setting flash cookies on their user’s computers to use as local storage within the flash media player to back up browser cookies for the purposes of restoring them later."
The suit also alleged that the defendant companies:
"... knowingly authorized, directed, ratified, approved, acquiesced, or participated in the unfair and deceptive business practices made the basis of this class action, which included, but was not limited to, setting of an online tracking device which would allow access to, and disclosure of, personal information (“PI”), personal identifying information (“PII”), and/or sensitive indentifying information (“SII”). This information was derived from the Internet user’s online activities, including visits to non-Quantcast Flash Cookie Affiliates’ websites, accomplished covertly, without actual notice, awareness, consent or choice of the user."
This is important: the suit alleges that the companies used the Flash cookies technology to secretly track consumers' online habits and usage, to regenerate traditional web browser cookies, and to collect consumers' sensitive personal information. The companies allegedly profited from this practice and never provided the consumers with notice (in website privacy and terms policies) or opt-out mechanisms.
These "zombie" cookies are the regenerated traditional web browser cookies you usually delete. Like the zombie monsters you have seen in movies, they never seem to completely disappear; and they keep returning despite your best efforts to kill them.
The complaint also cited the problematic, vague, and misleading portions of each defendant company's website privacy or terms policy. The suit does not include all Quantcast affiliates; only those there were involved in the covert tracking and use of "zombie cookies." The suit described in detail how the covert tracking and sensitive personal information collection worked:
"... information obtained by the placement of flash cookies on the users’ computer hard drive and the use of user’s local storage within their flash media player to back up browser cookies for the purpose of restoring them later without actual notice/awareness and consent/choice of the user.."
This is important. Since the firms knew that consumers regularly deleted their browser cookies (to avoid tracking and to maintain their privacy online), the companies intentionally used the Flash cookies technology to regenerate deleted web browser cookies on consumers' personal computers without the consumers' knowledge or consent.
In this class action suit, one of the lawyers representing the consumers in the complaint is a Privacy Crusader I've written about previously: Joe Malley. Malley has much plenty of experience with online privacy, targeted ad tracking, and data collection issues as he has been involved with class actions against Facebook and its Beacon affiliates, NebuAd, and Adzilla. Earlier this year, Facebook settled the suit for $9.5 million. So, I am happy that Malley is involved with this latest suit.
In researching this latest suit, the attorneys found that:
- The leading websites regularly use Flash cookies for a variety of reasons,
- Many of of these leading websites also use Flash cookies" to regenerate web browser cookies that consumers have regularly deleted,
- To justify tracking via tailored online ads, advertisers regularly claim that consumers want online ads tailored to their interests while studies have documented otherwise
When I first wrote about the privacy and tracking issues with Flash cookies, I also spoke with with several web developers I have worked with in prior jobs. Some knew about Flash cookies but most had no idea about the extent of online tracking and data collection via the technology. If these professionals with deep Internet experience have no idea, then the average consumer or online user definitely has no idea of the technology, the privacy abuse problems, or what, if anything, to do about it.
Since I learned about the "zombie" cookie problem, I now use two software products to monitor and delete all cookie files on my home computer:
Depending upon which web browser used, consumers may decide to download one or both of the above software products. I like the MAXA Research software since it monitors all Local Shared Objects (LSOs) on your computer: web browser cookies, Flash cookies, and DOM user data. Most web browsers have menu options to delete standard web browser cookies, but are unable to delete Flash cookies and other LSOs. The I've Been Mugged blog features a June 2010 interview with the Chief Technology Officer at MAXA Research.
Last, this class action suit should be a wake-up call to consumers across the Internet. Now is the time for consumers to demand accountability from websites and advertisers. If they refuse to provide accurate disclosures in their website policies, shop elsewhere. If they refuse to provide easy-to-find opt-out mechanisms for their advertising and marketing programs, shop elsewhere. If you find websites offering advertising and marketing programs with opt-in mechanisms, shop there instead.
If this "zombie" cookie situation bothers your (and I sincerely hope that it does), I encourage you to write to your elected officials and demand stronger laws requiring companies to fully disclose in their websites the tracking and technologies used by their websites, partners, and affiliates.