
14 posts from December 2010

Trends: What You Are Reading

The most-read I've Been Mugged blog posts during 2010 were:

  1. Is Mint.com As Safe As It Says It is?
  2. A Review of Freescore.com
  3. Just Energy: A Good Deal?
  4. Experian Triple Alert Credit Monitoring Service (Product Review)
  5. Consumer Reports On Lifelock
  6. Check Scam Still Operating At Craig's List Site
  7. Shelton & White Travel Rewards: Legitimate Offer or Scam?
  8. Citi Credit Monitoring Service and Citi Identity Monitor (Product Review)
  9. The Risks Of Disclosing Your Birthday on Facebook and Other Social Networking Sites
  10. Kroll's Offering From IBM Deserves Scrutiny
  11. Product and Service Reviews
  12. Breach Notifications
  13. TrueCredit From TransUnion (Product Review)
  14. Suze Orman Identity Theft Kit Debuts
  15. Debt Collection Scams and Identity Theft: How To Avoid Both
  16. Educational Credit Management Corporation Breach Affects 3.3 Million Borrowers
  17. Dump The Porn! Spokeo Has Blown Your Cover
  18. Banks And Credit Card Issuers Increase Interest Rates On Consumer Credit Cards
  19. 7 Things You Should Stop Doing On Facebook
  20. Debix, Lifelock, and TrustedID

Readers use a variety of devices besides traditional laptop/desktop computers: iPhone, Android, iPad, iPod, BlackBerry, Windows OS, and Palm OS smart phones. During 2009, the most-read blog posts were:

  1. Is Mint.com As Safe As It Says It is?
  2. Experian Triple Alert Credit Monitoring Service (Product Review)
  3. Banks and Credit Card Issuers Increase Interest Rates on Consumer Credit Cards
  4. Citi Credit Monitoring Service and Citi Identity Monitor (Product Review)
  5. Check Scam Still Operating At Craig's List Site
  6. Suze Orman Identity Theft Kit Debuts
  7. Consumer Reports On Lifelock
  8. TrueCredit From TransUnion (Product Review)
  9. Lifelock And The Credit Monitoring Industry Struggle To Protect Consumers
  10. Debix, Lifelock, and TrustedID
  11. Judge Rules In Favor of Experian Over Lifelock
  12. Bank of New York Mellon Changes Its Offer To Its Data Breach Victims
  13. Should Mint.com Query Its Customers' Financial Information For Fraud Notification?
  14. The Good, The Bad, And The Ugly: Credit Monitoring Offers
  15. 2008 Consumer Fraud and Identity Theft Complaint Data (FTC)
  16. Bank of New York Mellon's Offer To Its Data Breach and ID-Theft Victims
  17. Equifax 3-in-1 Monitoring (Product Review)
  18. Consumers Should Know FDIC Insurance Rules To Protect Their Money
  19. Health Net Breach Exposes 1.5 Million Consumers' Medical Records
  20. The Risks Of Disclosing Your Birthday on Facebook and Other Social Networking Sites

Data supplied by Google Analytics.


Merry Christmas!

Thank you for your readership. I truly appreciate your taking the time to read blog posts and submit comments. And, I want to wish you and your family a safe, enjoyable Christmas and holiday season.

Last, since Mark Zuckerberg received a very timely Christmas gift (sorry for the pun), I thought that I'd share the video below. Enjoy!

George


Over-Sharing During The Holidays

One important thing I try to do in this blog is to remind consumers of good data security habits. A recent "Connected But Careless" study of 1,000 Internet users in the United States, sponsored by Symantec Norton and conducted by Javelin Research, found that many consumers are lax about the security of their information while online:

"... consumers are still somewhat cavalier and under-informed when it comes to Internet security, specifically in three areas: location-based services, mobile phone transactions, and online passwords."

Just under half (47%) of the survey respondents said they expected their online purchases to increase between the Thanksgiving and New Year's holidays. About a third (31%) of respondents between the ages of 18 and 34 said they expected their social networking activity to increase during the same period.

Posting location-based status messages, that is, telling people in real time where you are via your mobile device, is a leading risky behavior when consumers share too much:

"... 15% of people surveyed knew enough about geo-location to be able to explain it... 22% who use their mobile or smartphones to connect to the Internet, admitted to giving applications on those devices permission to identify their location... 56% under the age of 35 said they update their social networking status with their location, which can inadvertently broadcast to real-world criminals that they’re not at home."

A second risky behavior is that consumers take for granted that their mobile devices are secure. While 38% of survey respondents use a mobile device or smartphone to check bank accounts and 51% post updates on social networking sites:

"... one in four people accessing the Internet this way aren’t sure, or haven’t even thought about, what’s safe mobile practice, while another 42 percent have only a “general idea” of what constitutes safe practices. In addition, 52 percent of those people accessing the Internet via their mobile devices don’t use the basic level of protection of having an access password in place..."

I have repeatedly discussed in this blog the need for strong passwords. More results from the Norton study:

  • 46% said they never change their password on their e-mail account
  • 31% said they never change their password on banking and financial accounts
  • 42% said they never change their password on social networking sites
  • 71% of survey respondents who have one password across different accounts/sites say they do so because it is easier

Identity thieves and spammers are probably happy to read these survey results. Experts advise consumers to do the following to protect your identity and financial information:

  1. Password-protect your mobile device or smart phone: add a password so nobody else can access the information in your mobile device
  2. Consider a "remote-wipe" feature for your mobile device. Norton offers a Mobile Security application for Android users to remotely lock or wipe data when their phone is lost or stolen.
  3. Think before using your personal mobile device for business. Check for your employer's mobile device policy, as some employers use remote-wipe features which will delete everything in your smart phone
  4. Think before logging in: assume that public WiFi connections are risky and that communications may be monitored, whether you use a laptop, smart phone, or other mobile device. Avoid becoming a sidejacking victim. Never enter sensitive bank account information, debit card numbers, or Social Security numbers when browsing the Web via a public Wi-Fi connection
  5. Use one credit card specifically for online purchases. It makes it easier to spot any fraudulent items, and limits your liability if your card number is stolen. Don't use a debit card
  6. Update the anti-virus software on your laptop or desktop computer
  7. Change your passwords at least once every 90 days. Use strong passwords
  8. Don't use the same sign-in credentials and password for all of your online accounts and email accounts. Use different passwords. The recent Gawker breach highlighted this risk.

Happy holidays!


When User Experience, Privacy And Corporate Responsibility Intersect

In a TechCrunch article titled "Dear Facebook, Please Return Our Social Networking Space", guest author David Dalka summarized the situation today at many social networking sites:

"This conversation is about much, much more than Facebook. Linkedin reducing your ability to search your social network, Yelp reportedly using high pressure tactics to sell ads, Twitter’s promoted tweets, etc. Only you have the power to end this cycle of abuse by social networks and it is time for the web community to stand up and shout that they are sick and tired of constant terms of service changes, privacy changes, steps backward in usability that degrade our mutual experience, comfort level with the sites we use..."

I agree. It is time for consumers to stand up. I found Dalka's article most interesting because it discussed the intersection of user experience, privacy, and corporate responsibility. Dalka connects the dots between several recent changes by Facebook that are ostensibly for members' benefit:

"... there was a loud outcry when Facebook inexplicably introduced a smaller font size to its News Feed. The lack of communication from Facebook while making a significant change is sadly nothing new... I finally realized the motive for last month’s text size reduction. It appears that the smaller text size was set up to pre-condition users for the larger coverage area of ads on the screen by making the ad columns wider, thus allowing more ads to be shown above the fold and closer to your newsstream. Do they actually disrespect your personal space that much?"

Apparently, Facebook thinks that little of our needs. Dalka also observed:

"It appears that the changes in screen real estate usage between the old Facebook profile and the new Facebook profile are significant. TechCrunch techs estimated the pixel usage changes for this purpose... what is clear is that there has been a significant reduction in your social media experiences with your friends."

Some will argue that Facebook is free. I agree with that -- you get what you pay for.

Some will argue that Facebook is a business and is entitled to do whatever it takes to make money. True, and we consumers can take our business elsewhere. For me, that is in process. As I have written before about data mining with members' Facebook profile data, I have removed most personal content from my Facebook profile, not accepted the new Facebook profile, and reduced my time on Facebook for personal communications. I primarily use Facebook only to promote this blog.


McDonald's Loses Its McNuggets in a McBreach

McBreach is not the name of a new sandwich at the fast-food restaurant chain. On Monday, McDonald's announced a data breach had exposed the personal information of customers who had created accounts to participate in its promotions:

"McDonald’s asked Arc Worldwide, a long-time business partner, to develop and coordinate the distribution of promotional emails. Arc hired an email service provider, a standard business practice, to supervise and manage the email database. That email service provider has advised that its computer systems recently were accessed by an unauthorized third party, and that information, including information that customers provided to McDonald’s, was accessed by that unauthorized third party."

The information exposed, or stolen, included customers' name, address, phone number, birth date, and gender. Since an email provider's database was hacked, "address" included both street address and email address. McDonald's announcement did not disclose the number of affected customers.

Consumers with questions should read the Frequently Asked Questions page about the breach on the McDonald's website. McDonald's advised its customers:

"In the event that you are contacted by someone claiming to be from McDonald’s asking for personal or financial information, do not respond and instead immediately contact us at the number below so we can contact [law enforcement] authorities. Please remember, McDonald’s would not ask for that type of information online or through email."

This breach may be far worse than first thought. SC Magazine reported that the McDonald's breach:

"... is thought to be part of a larger security breach that may affect more than 105 companies that contract with Atlanta-based email marketing services firm Silverpop Systems."

McDonald's did not name Silverpop in its announcement, but federal investigators believe that McDonald's email campaign provider is Silverpop.

Regardless, it's probably wise for affected McDonald's customers to change the passwords on both their email accounts and their McDonald's social networking sites (e.g., McDonalds.com, 365Black.com, McDonalds.ca, mcdonaldsmom.com, mcdlive.com, monopoly.com, playatmcd.com, or meencanta.com), if those accounts use the same sign-in credentials (e.g., user ID/email and password) as the accounts exposed in the Gawker breach.


Gawker Breach Affects LinkedIn Users

On Monday December 13th, LinkedIn.com sent an email message informing me that my LinkedIn account had been disabled:

"In order to ensure that you continue to have the best experience using LinkedIn, we are constantly monitoring our site to make sure your account information is safe. We have recently disabled your account for security reasons."

I like LinkedIn as I use it heavily for business networking and job leads. However, this email didn't provide any details about the event that triggered the security action. It advised me to reset my password, which I did successfully. I would have preferred a more detailed explanation.

On Wednesday morning December 15th, LinkedIn sent a follow-up email message:

"We recently sent you a message stating that your LinkedIn password had been disabled for security reasons. (Note: If you have more than one email registered with us, you will receive more than one password reset message. You only need to act on one of them.)

This was in response to a security breach on a different site, Gawker.com, where a number of usernames and passwords were exposed. We want to make sure those leaked emails and passwords were not being used to attack any LinkedIn members.

There is no indication that your LinkedIn account has been affected, but since it shares an email with the compromised Gawker accounts, we decided to ensure its safety by asking you to reset its password."

Earlier in the week, I had briefly read about the Gawker breach, but didn't think too much about it. Then, the ZDNet U.K. website reported on the LinkedIn event. Apparently, about 1.3 million email addresses and passwords were exposed or stolen during the Gawker breach. NPR reported one consequence: identity thieves used the stolen email addresses and passwords to hack into Twitter accounts to send out spam. I then used the Slate widget to check if I was a breach victim. I was.

The Gawker breach highlights the interconnected risks when using social networking sites:

  1. A breach at one social networking site can place all of your personal information at risk if you use the same sign-in credentials (e.g., email address and password) to submit comments at multiple social networking sites.
  2. A breach at one social networking site can place your banking and financial information at risk if you use the same sign-in credentials at both social networking sites and banking, financial, and shopping sites.
  3. A breach at one social networking site can place your email account(s) and contacts' information at risk if you use the same sign-in credentials at social networking sites and at your email provider(s).

Thankfully, I use different sign-in credentials across #1, #2, and #3. Yet, the risks from #1 can multiply quickly if you have set up automated posting at multiple social networking sites. If you are like most people, you don't remember all of the websites you have signed in to post comments at. I know that I don't remember all of the websites I have posted comments at.

It was good, proactive customer service by LinkedIn to disable my account and then explain the reason why. Youtube.com also sent a notification via email. I didn't receive any notification from Gawker. Not good. Unfortunately, Gawker's notification was trapped in my spam folder. Once I located the email, I was able to quickly access the Gawker breach FAQ page. The Gawker breach also highlights the need for consumers to practice good data security habits:
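The response LinkedIn describes in its email, and the reuse risk behind it (the same point as item 8 of the holiday advice above), can be shown in code. The following is an added example, not LinkedIn's or Gawker's code: a site takes a third-party credential leak, finds its own members whose email addresses appear in it, forces a precautionary password reset for each, and, where the leak includes the plaintext password, flags confirmed reuse as urgent. The member records, the PBKDF2 password scheme and the leak lines are all constructed for the example.

```python
"""Cross-reference a third-party credential leak against a site's own members.

Added example (not LinkedIn's or Gawker's code). Sample members and the leak
text are constructed; the PBKDF2-SHA256 password scheme is an assumption.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Member:
    email: str
    salt: bytes
    pw_hash: bytes
    must_reset: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # Hypothetical site scheme; a real site would use its own KDF and parameters.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def new_member(email: str, password: str) -> Member:
    salt = secrets.token_bytes(16)
    return Member(email, salt, hash_password(password, salt))


def normalize(email: str) -> str:
    # Match case-insensitively so "Alice@Example.com" still hits "alice@example.com".
    return email.strip().lower()


def parse_leak(text: str) -> Dict[str, Optional[str]]:
    """Parse 'email:password' lines; an empty password means it was not recovered."""
    leak: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        email, _, password = line.partition(":")
        leak[normalize(email)] = password or None
    return leak


def exposed_members(members: List[Member], leak: Dict[str, Optional[str]]) -> List[Member]:
    """Members whose email address appears in the leak, regardless of password."""
    return [m for m in members if normalize(m.email) in leak]


def triage(members: List[Member], leak: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Force a reset for every overlapping email; mark confirmed reuse as urgent."""
    report: Dict[str, str] = {}
    for m in exposed_members(members, leak):
        m.must_reset = True
        leaked_pw = leak[normalize(m.email)]
        reused = leaked_pw is not None and hmac.compare_digest(
            hash_password(leaked_pw, m.salt), m.pw_hash
        )
        report[normalize(m.email)] = "urgent: password reused" if reused else "precautionary reset"
    return report


# Constructed sample data: three members and a leak that names two of them.
MEMBERS = [
    new_member("alice@example.com", "hunter2"),
    new_member("bob@example.com", "correct horse battery"),
    new_member("carol@example.com", "a different one"),
]
LEAK_TEXT = """
# constructed leak: email:password (password blank if not recovered)
Alice@Example.com:hunter2
bob@example.com:
dave@other.example:letmein
"""

if __name__ == "__main__":
    for email, action in triage(MEMBERS, parse_leak(LEAK_TEXT)).items():
        print(f"{email}: {action}")
```

The email match alone justifies a reset notice, which is all LinkedIn could have known; the hash comparison is the extra step a site can take when the leak is plaintext, to decide who to contact first.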

Do you practice good data security habits? Does your employer? Did you read and act on the email from LinkedIn?


The 12 Scams of Christmas (Hanukkah, and Kwanzaa)

You know the melody, but now with new words:

On the first day of Christmas, a spammer sent to me,
An I.Q. quiz that was free.

On the second day of Christmas, a spammer sent to me,
Two fake gift cards, and an I.Q. quiz that was free.

On the third day of Christmas, a spammer sent to me,
Three free iPad emails,
Two fake gift cards, and an I.Q. quiz that was free.

On the fourth day of Christmas, a spammer sent to me,
Four fake job texts, three free iPads,
Two fake gift cards, and an I.Q. quiz that was free.

On the fifth day of Christmas, a spammer sent to me,
Five smishing texts,
Four fake job texts, three free iPads,
Two fake gift cards, and an I.Q. quiz that was free.

I could go on, but you get the idea. It's the holiday season and scams abound online. If you get a Facebook status message for a free iPad or for a free $1,000 Ikea gift certificate, chances are it is a scam or phishing email to trick you into revealing sensitive personal information or bank account information. Or maybe you have received the I.Q. Quiz message on Facebook that is really a $10 monthly cellphone subscription.

It is wise to be an informed shopper so you don't get mugged or scammed. To keep you informed, the good folks at McAfee Labs have compiled a list of the 12 Scams of Christmas. A few items from the list:

"1) iPad Offer Scams -...scammers are busy distributing bogus offers for free iPads.... in the spam version of the scam consumers are asked to purchase other products and provide their credit card number to get the free iPad. Of course, victims never receive the iPad... In the social media version of the scam, users take a quiz to win a free iPad and must supply their cell phone number to receive the results. In actuality they are signed up for a cell phone scam that costs $10 a week."

"2) “Help! I’ve Been Robbed” Scam - This travel scam sends phony distress messages to family and friends requesting that money be wired or transferred so that they can get home."

"5) “Smishing” - Cybercrooks are now “smishing,” or sending phishing SMS texts. These texts appear to come from your bank or an online retailer saying that there is something wrong with an account and you have to call a number to verify your account information..."

"7) Recession Scams Continue - Scammers target vulnerable consumers with recession related scams such as pay-in-advance credit schemes. McAfee Labs has seen a significant number of spam emails advertising prequalified, low-interest loans and credit cards if the recipient pays a processing fee, which goes directly into the scammer’s pocket."

To see the full list of scams, visit the McAfee Labs website.


Mind Quiz: Real Quiz or Scam?

Last Sunday, a Facebook friend sent this instant message to me:

"George, I know this is random but I wanted you to try something real quick... try this quiz and tell me what you get. i can't get over like a 105, its sad http://theiqinquiry.info/invite/tnzz"

I followed the link and arrived at this page:

[Screenshot: the Mind Quiz page]

For a brief moment, the quiz appealed to me. The page had the blue color scheme familiar from the Facebook.com site. And I wondered if I could beat my friend's IQ score. Then, I noticed this copy in the upper right portion of the page:

"Mobile content subscription sent to your cell from $9.99 to $19.99 per month."

What subscription? At that point, I had read enough. This IQ quiz was not for me. It seemed like a phishing website to trick consumers into revealing enough personal information to start an online subscription. I don't want any more charges added to my monthly cellular bill. This stuff made me wonder if it was a real "I.Q." quiz.

I immediately switched browser windows to write a return instant message to my friend, but she was already offline -- no longer on Facebook instant messaging. Gone that fast? She wasn't interested in my score? I wanted to tell her to check her cellular phone bill, as there may be some surprising new charges on it.

A real friend would probably have stayed online. Her rapid departure caused me to wonder if my friend's Facebook account had been hacked. A lot of scams and fake quizzes circulate on Facebook and other social networking websites. The Detroit Examiner newspaper ran a story on the Facebook I.Q. quizzes. The Facecrooks page monitors scams on Facebook. I highly recommend it so you don't get mugged on Facebook.

After some searching online, I found this post at Yahoo Answers:

"I did the 10 minute mind quiz thinking it was a normal quiz, like on facebook. Then i gave them my # and a pin code and I do not know what it did. I think it charges $10 to my phone a month. If it does how do I stop it? Please help!!!!"

The answer: call your cellular provider and tell them the charge is fraudulent.


Quantcast Settles 'Zombie Cookie' Tracking Lawsuit

I reported in July about a class action lawsuit filed in U.S. District Court in Central California against online measurement firm Quantcast Corporation and several of its affiliates for using "zombie cookies" to track consumers' online activity and for violating several computer and consumer privacy laws. The other companies named in that lawsuit were Myspace Inc., American Broadcasting Companies Inc., ESPN Inc., Hulu LLC, JibJab Media, MTV Networks, NBC Universal Inc., and Scribd Inc.

Earlier this week, Wired magazine reported that:

"... Quantcast has agreed to pay $2.4 million to settle a class action lawsuit alleging it secretly used Adobe’s ubiquitous Flash plug-in to re-create tracking cookies after users deleted them... More than $1 million of the settlement will go to fund privacy groups chosen by the plaintiffs, and 25% will go to the lawyers who filed the suit. It’s unlikely that any money will go to the class, since it essentially includes every internet user in the U.S."

In a press release, Quantcast said this about the settlement:

"We chose to settle the litigation to bring clarity and certainty to our customers and to avoid the burden and cost of further litigation."

When you've been caught -- literally and figuratively -- with your hand in the cookie jar, I guess that there's not much to say after settling a lawsuit. Congratulations to those attorneys -- Joe Malley and others -- in this suit, as the tracking likely would have continued otherwise. Thanks for advocating for consumers' online privacy.


Is Facebook Censoring Your Online Conversations?

[Editor's Note: Today's post is by guest author R. Michelle Green, the Principal for her company, Client Solutions. She is a combination geek girl, personal organizer, and career coach. She has studied what makes some individuals embrace or avoid information technology. (She’s definitely one of the former.) Michelle helps others improve their use of technology in their personal or professional life. Here's her take on Facebook's formula for displaying your status messages.]

By R. Michelle Green

Tired of hearing about Facebook Privacy and Security? Are you just happy to post to Facebook, let your friends know what you’re thinking, and see what your friends are talking about?

What if I told you there’s no guarantee that anyone sees what you post?

The hell you say?? Oh yeah -- the Top News feed is clearly edited. But Most Recent will show everything right?

Nope.

Sounds preposterous – the whole purpose of Facebook is to share posts with each other, right? Maybe originally. But it’s a business now, a big one. And with the very public statement on its sign-up page “free, and always will be,” how does it make money? Its business model is driven by focused advertising, page looks and click-throughs. Under that business model, not every post is created equal. Facebook’s Terms of Use do not promise to deliver your posts or content to your friends. The ToU speaks instead of your posting information so others (unspecified) can access that information.

I can hear you now – not delivering the posts contravenes the whole Facebook model. We’d all be up in arms if our posts and updates were not received.

But are we really checking? Who’s polling their 130 friends and saying did all of you see my post? Not me. But Thomas Weber of The Daily Beast made an effort.

In a month-long experiment with a FB newbie, two dozen interns checked to see if the newbie’s posts appeared in their feed. Their newbie varied his posts by content and type over the period as part of the experimental design. Late in October 2010, Weber posted his report on what makes a FB post worthy of disseminating. Newbies have low priority. (Some interns never saw any of newbie’s posts.) Links trump plain status updates. Photos and videos are prized. The more people comment on a post, the more likely it will be seen (and if that’s not chicken/egg, I don’t know what is). Think of it this way – they want you on the site, clicking around, looking at things, coming back, clicking again. Photos, posted links, and people with a zillion friends drive user engagement, and are therefore coin of the realm for the news feed.

This actually helped me make sense of a personal puzzle. I would look at my most recent feed, wonder about a particular friend not shown, go to their profile and see all sorts of current things that never made it to my news feed. I never checked dates/times – I just figured that other posts crowded them off my home page of presented posts. Now I know that FB’s algorithm had made a decision that my friend’s post was not one I needed to see. In a mobile device world, FB may decide to privilege the feed over the profile. “Facebook… continues to redefine ‘what's important to you’ as ‘what's important to other people,’ ” Weber concluded.

So, what might this mean for you, Gentle Reader? Don’t assume your friends all saw what you posted – some will, some won’t. If you really want someone to see what you post, tag them, or send them a message. If you want to keep up with particular friends, check their profile. Or go old school and try some synchronous face time (what a concept!!)…

Weber wasn’t the first to talk about this algorithm, only the more widely read. In April 2010, FB engineers at the F8 conference gave the best look under the hood to date, describing a formula called EdgeRank that valued the type of item posted, the age of the item, and the relationship between the poster and the friend who interacted with it. Extra credit readers can see the engineers' speech here, about 22 minutes in.

There’s another clue to the algorithm in a new feature (actually a revamped one) called Groups. Using the groups you build or are listed in, along with what they already know about your friendship circle, they can make even finer distinctions about which posts from which people to display. Recently announced FB messaging is supposed to be superior to email by filtering out messages from people who aren’t in your network (turning email about changes in your travel itinerary into de facto spam). But that’s another blog post, for another day.


Exploring The Hillman et al. vs. Ringleader Digital et al. Complaint

My November 12 blog post discussed several class action complaints filed against Ringleader Digital. Today's post explores the Hillman et al vs. Ringleader Digital et al complaint (Adobe PDF; 2.3 MBytes) filed in New York State, since several items in it are noteworthy.

First, Hillman et al included one attorney, Joe Malley, I have seen before in the Facebook, NebuAd, Adzilla, and Quantcast complaints. Facebook ultimately settled the Beacon program suit for $9.5 million. Malley has a proven track record and expertise with Internet-based privacy issues. I have referred to him as one of the Privacy Crusaders. It is good to see Malley looking out for the needs of consumers since so much online usage has shifted to mobile devices.

Second, Hillman et al included a slightly different set of defendant companies: Ringleader Digital, Accuweather, CNN, ESPN, Fox News Network, Go2 Media, Merriam-Webster, Travel Channel, and the Whitepages. (ESPN and Fox News are not listed as defendants in the Aughenbaugh et al complaint filed in California.) Hillman et al clearly explained which plaintiff consumers used which defendant companies’ websites, since not all plaintiff consumers used the same websites.

Third, Hillman et al also listed which defendant companies mentioned their relationship with Ringleader Digital in their website privacy policies. This detail is important and informative when discussing issues about lack of notice and consent (e.g., online privacy policies and opt-out mechanisms). While AccuWeather mentioned its relationship with Ringleader Digital in its privacy policies and provided an opt-out link, the other companies didn’t mention their relationships with Ringleader Digital.

Fourth, Hillman et al included a 12-year-old minor who accessed the mobile websites of AccuWeather, Fox News, Go2Media, Merriam-Webster, and Whitepages. The complaint stated:

“Plaintiff and Class Member J.N., a minor, age twelve (12) years old, is a minor under, the age of thirteen (13) that visited one of the Ringleader Digital Affiliates websites within the class period and did not obtain protection from the Defendant’s act as protected by COPPA, The Children's Online Privacy Protection Act of 1998 (COPPA)...”

Fifth, Hillman et al alleged that the mobile tracking violated the mobile device manufacturers’ agreements, and cited the relevant portions of the device manufacturers’ agreements. Sixth and perhaps most importantly, Hillman et al described in detail how the mobile tracking was allegedly performed (bold text added for emphasis):

“Defendant(s) then transmitted a program, information, code, and/or command within the Plaintiffs and Class Members’ mobile device to scan, copy and use without notice, consent, or authority, the Plaintiffs and Class Members mobile device, obtaining mobile device configuration, a practice not necessary for the placement of persistent cookies for tracking website visitors, nor an acceptable practice within the industry. While traditional advertisers access the users’ browser for online tracking, Defendants access involved areas of the Plaintiffs and Class Members’ mobile devices(s) that involved hardware and software associated with nonbrowser activity.”

Understanding this requires some background on mobile tracking approaches:

“The first, “page tagging,” uses a small bit of JavaScript code placed on each web page to notify a third-party server when a page has been viewed by a web browser. Etags can be used in place of cookies… The server sends the user the tag, and when the user accesses the resource again their web browser sends the tag back. The server uses the tag the browser sent to decide whether to send the user the data or provide data to the browser that the data hasn't changed, and to keep using the old copy. The second... is “log file analysis”, where the log files that Web servers use to record all server transactions are also used to analyze website traffic.”

The complaint described how the tracking of mobile devices is technically more difficult since not all mobile carriers support JavaScript, and since the IP address for many mobile devices often change as the user moves physically from cellular tower to cellular tower. The tracking must combine the above web analytical data with a unique identifier for each mobile device. So (bold added for emphasis):

“Ringleader placed a globally unique identifier or “GUID,” a special type of identifier used in software applications to provide a unique reference number, into mobile devices… Because most phones don't support fully functional browsers, they also don't support the "Cookie:" header, thus not obtaining “uniqueness,” necessary to obtain “state maintenance”... They access the web through Network Address Translation at the carrier, meaning that many phones are seen by the entire web as all one IP. Some mobile devices though use the x-up-subno header which is not only a unique number to which anything may be linked, and with some carriers, the number itself directly contains most of a phone number. Unlike traditional cookies a user has no choice whatsoever here. A user can't opt-out, since it is always sent. It can't be deleted since it always stays the same. A user cannot use a block cookies tool, as they would in a browser since it is hard coded into a user’s phones software. Mobile Advertising benefits from user’s lack of knowledge of x-headers and x-up-subno.”

And:

“…Defendant(s) then configured a Unique Device Identifier derived in whole or part, from the Plaintiffs and Class Members’ mobile device properties and... Defendant Ringleader then used the Unique Device Identifier within the user’s database, to re-spawn the user’s Unique Device Identifiers (“UDID’s”) if deleted by the user, by use, in whole or part, using additional mobile device functions, bypassing Plaintiffs’ and Class Members’ privacy and security settings...”

The sensitive personal data allegedly collected:

“... details about user profiles to identify individual users and track them on an ongoing basis, across numerous websites, and tracking users when they accessed the web from different mobile devices, at home and at work. This sensitive information may include such things as users’ video viewing choices and personal characteristics such as gender, age, race, number of children, education level, geographic location, and household income, what the web user looked at and what he/she bought, the materials he/she read, details about his/her financial situation, his/her sexual preference, his/her name, home address, e-mail address and telephone number, and even more specific information like health conditions… the Plaintiffs and Class Members’ carrier transactional information which included, but was not limited to, “carrier network IP,” information sought to link location with the Plaintiffs and Class Members...”

All of this is troublesome for several reasons:

  1. The program was designed on an “opt-out” basis, and consumers were neither notified of the tracking nor given an opportunity to decline it (i.e., opt out)
  2. As cellular phones become as powerful as laptop computers, tracking becomes easier because everyone has his or her own phone and phone number... the perfect unique identifier. My impression is that consumers are less likely to share their smartphone than a traditional laptop or desktop computer
  3. The data collection was extensive and included things that I, or many consumers, would not disclose even at brick-and-mortar retail stores. This sensitive data was allegedly mapped to both each consumer’s GPS or physical location, and to a unique ID number based on the consumer’s phone number
  4. The alleged tracking included consumers’ mobile usage across all websites and not just the websites operated by the defendant companies
  5. Many parents provide their children with phones for communication and safety reasons. These parents would probably be alarmed to learn about the extensive tracking to sell products to minor children
  6. Some of the plaintiff consumers discovered the existence of the tracking database, tried to delete it, and noticed that the mobile device regenerated the tracking database:

“... Plaintiffs and Class Members that became aware that Defendant Ringleader had created a database, and deleted the databases to cease any and all tracking, had the tracking device re-spawn. The failure of Defendants to provide the user notice of its tracking mechanism within their mobile devices allowed a perpetual re-spawning, creating in effect: ‘Zombie Databases.’ ”
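The two mechanisms the complaint describes, an ETag standing in for a cookie and an identifier that "re-spawns" from a second storage location when the user deletes it, are easier to reason about in a toy simulation. The code below is an added example, not code from the complaint or from Ringleader; the `Tracker` and `Browser` classes and the `/pixel.gif` URL are constructed, and the point from a defender's side is that clearing one store alone changes nothing, while clearing cookies and cache together does.

```python
# Added example (constructed, not from the complaint or from Ringleader):
# a toy server that recognises a returning client by cookie OR by ETag and
# rewrites whichever of the two stores the user has cleared ("re-spawn").
import uuid


class Tracker:
    """Server side. Reads the identifier back from either header and
    always re-sends it through both channels."""

    def __init__(self):
        self.visits = {}  # identifier -> visit count

    def handle(self, req):
        ident = req.get("Cookie") or req.get("If-None-Match")
        if ident is None:
            ident = uuid.uuid4().hex  # brand-new client, mint an identifier
        self.visits[ident] = self.visits.get(ident, 0) + 1
        # Respawn: the identifier goes back out as both a cookie and an ETag,
        # so deleting one copy is undone on the very next request.
        return {"Set-Cookie": ident, "ETag": ident}


class Browser:
    """Client side: a cookie jar and an HTTP cache, cleared separately."""

    def __init__(self):
        self.cookies = {}
        self.cache = {}  # url -> ETag the server gave us for it

    def visit(self, tracker, url):
        req = {}
        if "id" in self.cookies:
            req["Cookie"] = self.cookies["id"]
        if url in self.cache:
            req["If-None-Match"] = self.cache[url]  # cache validation header
        resp = tracker.handle(req)
        self.cookies["id"] = resp["Set-Cookie"]
        self.cache[url] = resp["ETag"]
        return resp["ETag"]


def survives(clear_cookies, clear_cache):
    """True if the tracker still recognises the browser after the chosen
    stores were cleared between two visits."""
    tracker, browser = Tracker(), Browser()
    first = browser.visit(tracker, "/pixel.gif")
    if clear_cookies:
        browser.cookies.clear()
    if clear_cache:
        browser.cache.clear()
    return browser.visit(tracker, "/pixel.gif") == first
```

Only `survives(True, True)` returns `False`: the identifier disappears when every place it was copied to is wiped in the same step, which is the practical test to apply to any "clear private data" control.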

The alleged “zombie database” regeneration problem is bad. The broader problem is that these types of programs, both online tracking and targeted advertising, should be opt-in rather than opt-out. For readers unfamiliar with the distinction, it matters.

Opt-out programs automatically include all consumers, whether they want to be included or not, and whether they know about the program or not. Opt-out programs place the burden on consumers to learn about the program and then decline participation (usually by clicking on a button labelled "Opt-out"). Prior experience has proven that it is very easy for companies to get around consumers’ earlier opt-out selections and re-include them when the program changes with new websites, content, privacy policies, and/or partner companies.

With opt-in programs, consumers are not included until they sign up or register their membership in the program. This keeps consumers in control and minimizes the burden on them.

In my opinion, opt-out programs are a form of lazy corporate marketing; a way for companies to quickly force a large amount of consumer participation in weak products or services. If the targeted advertising programs are as beneficial as the companies claim, consumers will choose to participate and opt-in.