Data Breach At Pantone.com

In an April 10, 2012 letter, X-Rite Inc. notified the State of California Attorney General of a data breach where hackers accessed a Pantone.com website server on or about February 6, 2012.The breach notice did not disclose the number of records accessed/stolen, nor the exact method the hackers used.

The breach was discovered by X-Rite management on March 23, 2012. The data accessed and stolen included the names, addresses, and credit card information of customers who bought products at the pantone.com website. X-Rite notified affected customers on April 6. In August 2007, X-Rite announced its acquisition of Pantone for about $180 million.

A copy of the breach notice is available at the State of California Attorney General website and here (Adobe PDF, 23k bytes).

Foreclosure Abuse Widespread

Last week, the San Francisco Assessor-Recorder office released the results of an audit (Adobe PDF) of about 400 home that were foreclosed on during 2009, 2010, and 2011. The audit found that about 84% of the homes had at least one violation of California foreclosure laws.

The office began the audit last Fall with Aequitas, a mortgage investigation firm, after problems surfaced in mortgage records requested by homeowners facing foreclosure. Assessor-Recorder Phil Ting said,

“When it became clear that property records were severely undermined, a red flag was raised... Those records are supposed to be filed with this office and many were simply missing or had serious inconsistencies..."

It's difficult to impossible for a homeowner to fight foreclosure when mortgage records are inaccurate or incomplete. Ting emphasized the need for state legislation to guarantee compliance with California foreclosure laws by the mortgage industry.

The register of deeds in Guildford County, North Carolina, examined 6,100 mortgage documents last year, and found signature irregularities in 4,500 (xx%). Experts see this as a clear indicator of the illegal practice of "robosigning" documents.

Seems to me it is time to both fine companies and send bankers to prison nationwide. Only then will this madness stop. Demand action from your elected officials.

CVS Caremark Agrees To Pay $20 Million To Settle With Three States For Pension Fraud Claims

CVS Caremark Corporation has agreed to pay about $20 million to settle lawsuits in three states about alleged pension system fraud. The lawsuits were filed by two whistleblowers, CVS pharmacists, and claimed that CVS resold returned drugs, changed presecription orders to increase prcies, and filed false reports about prescriptions fulfilment dates. The Los Angeles Times reported:

"... CVS Caremark will pay nearly $7 million to the California Public Employees’ Retirement System, $4 million to the state of Illinois and $3 million to the state of Florida. Other money from the settlement went to plaintiff attorneys’ fees and costs..."

In 2007, CVS Corporation merged with Caremark Rx Inc.. The combined company operates about 7,000 retail stores, and provides prescription drug management services for employers.

Crain's Chicago Business reported Michael Leonard, a partner with Chicago-based law firm Meckler Bulger Tilson Marick & Pearson LLP, which along with Los Angeles-based law firm Engstrom Lipscomb & Lack LLP represented the whistleblowers, as describing the lawsuit:

“They fought the thing tooth and nail, and denied, denied, denied, despite what the evidence was...”

California Modifies Its Data Breach Laws To Improve Notification

Loeb and Loeb LLP reports that California has modified its security breach rules to expand notification. The revised law goes into effect January 1, 2012. Notification letters to consumers must include:

• A list of the types of personal data exposed,
• The date(s) or date range of the data breach,
• A description of the data breach,
• Whether or not an investigation by law enforcement delayed the notification, and
• The toll-free phone numbers and addresses of the major credit reporting bureaus

Consumers must be notified in writing, unless law enforcement views notification as an obstacle to criminal investigations. Organizations with breaches affecting more than 500 California residents must also notify the California Attorney General's office. According to Loeb and Loeb, the organizations that must comply with Senate Bill 24:

"... any agency, person, or business that owns or licenses computerized data that includes personal information. In the event of a security breach to any California resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, that agency, person, or business must issue a security breach notification."

Loeb & Loeb LLP provides a variety of services for its Fortune 100 clients, including media and technology, antitrust, finance, corporate and securities, energy, and more. The firm has about 300 attorneys with offices in Los Angeles, New York, Chicago, Nashville, Washington, DC, and Beijing.

These California modifications are good, because too many breach notifications lack details. More disclosure is better since it helps breach victims judge the severity of the breach. I have read several and some states post online the breach notices received by their state judicial agency.

Former Countrywide Financial Analyst Sentenced to 18 Months of Prison And Ordered To Repay $1.8 Million

The Los Angeles office of the Federal Bureau of Investigation (FBI) and the U.S. Attorney for the Central District of California announced that a former Countrywide Home Loan employee was sentence on September 28 to 18 months of prison and ordered to pay $1.8 million in restitution to Countrywide, now a unit of Bank of America.

Rene Rebollo, 39, of Pasadena, was arrested in 2008 after an investigation discovered that he had downloaded from Countrywide databases and sold the sensitive personal and financial information of about 2.5 million consumers. Rebollo was employed as a senior financial analyst for Countrywide’s subprime mortgage division in Pasadena. He admitted that that he saved the stolen information to a personal thumb drives and distributed consumers' Social Security numbers in at least 50,000 instances.

"As a result of the data breach, Countrywide underwent considerable expenses, including notification of individuals whose information was improperly disclosed, at a cost of approximately $1.2 million, and providing free credit monitoring for those individuals at a cost of approximately $15.75 million. Countrywide has also estimated that it has expended approximately $13.4 million in civil litigation, including several class action lawsuits, arising from the data breach."

This is a classic case of insider identity theft and the costs companies can incur from a breach. The case also highlights the importance of companies, small and large, to adopt data security measures and comply with Red Flag Rules.

Lawsuit Alleges Hulu.com and KISSmetrics Used "Zombie E-Tags" To Track Consumers Without Notice And Consent

Last month, a lawsuit was filed in Central California District Court against Space Pencil and Hulu.com, alleging that the companies tracked consumers online usage without notice or consent using "Zombie Etags," a newer Internet technology. According to the complaint, consumers:

"... that accessed Hulu's website had HTTP cookies respawn via Flash shared objects, HTML 5 Local Storage, and/or cache/ETags after they had been deleted."

"Zombie ETags" refers to the latest combination of Internet technologies used to track online usage: HTML 5 local storage, and/or cached Etags. The Zombie Etags allegedly regenerate any HTML cookies the user has deleted, removing control from the user and preventing privacy. Entity Tags, also known as "Etags," are a mechanism to verify that the page components a web browser displays match the components on the web server hosting the URL or original web page.

According to the complaint (PDF - 6.3 MBytes), Space Pencil is the company doing business as KISSmetrics. Hulu.com is a popular website that streams video of television shows from ABC, CBS, Fox, NBC, and other networks and studios. This is at least the second class-action lawsuit filed against both companies.

This class-action lawsuit (Couch et al versus Space Pencil et al) was filed, in part, because the consumers:

"... accessed the Hulu website, relying on the Hulu's Terms of Service and Privacy Policy which provided assurances against unauthorized tracking..."

What makes this lawsuit a little different from prior lawsuits (e.g., "zombie cookies), is the technology and hacking allegations:

"... Internet users who accessed Hulu's website, and knowingly, without the user's knowledge or consent, "Hacked" the Plaintiffs' and Class Member's Computing Devices in order to conduct covert surveillance of Plaintiffs and Class Members online activities, using web analytics to collect and de-anonymize Plaintiffs' and Class members' online data, providing the mechanism for Hulu to conduct perpetual online tracking of its users and a method to use cross domain tracking..."

This alleged tracking technology allowed Hulu and KISSmetrics to track Hulu.com users' online usage across the Internet and beyond the Hulu.com website. The complaint referenced several working papers about tracking technologies:

• "Flash Cookies And Privacy" by Ashkan Soltani et. al, 2009
• "Respawn Redux" by Ashkan Soltani, 2011

The 2009 working paper documented the extent of company websites using Flash cookies to regenerate HTTP cookies. The 2011 working paper documented the regenerated HTTP cookies practice:

"In our follow-up study, we found that Hulu was still respawning deleted user cookies using homegrown Flash and Javascript code present on the Hulu.com site. Additionally, Hulu, Spotify, and many others were also respawning using code provided by analytics firm KISSmetrics. Hitten Shah, the founder of KISSmetrics, initially confirmed that the research surrounding respawning was correct in an interview with Ryan Singel although he later criticized the findings after a lawsuit was filed."

Both companies supposedly stopped their Zombie Etag tracking on July 29, 2011. KISSmetrics published this response to the July 2011 lawsuit. The class-action plaintiffs want the tracking software and data files removed from their computers. The sensitive personal information:

"... compiled and misappropriated included sensitive information, such as users' video viewing choices revealing personal interests, his/her sexual preference, political views, and even more specific information like health conditions, such as DEPRESSION..."

The attorneys representing the plaintiffs in this class-action lawsuit include Strange & Carpenter, and a name I recognize: the law office of Joseph Malley.

If you want to learn more, I recommend reading this Wired story.

California Amends Its Breach Notification Law

California was the first state in the nation to enact a breach notification law. The 2002 law required organizations that store records with consumer information -- both companies and government agencies -- to notify consumers when their sensitive personal information was lost or stolen. Last week, California Governor Brown signed into law SB 24. What's new about SB 24:

"Specifically, SB 24 establishes standard, core content for data breach notifications including a general description of the incident, the type of information breached, the time of the breach, and toll-free telephone numbers and addresses of the major credit reporting agencies in California.... In addition, SB 24 also requires data holders to send an electronic copy of the notification to the Attorney General, if a single breach affects more than 500 Californians."

SB 24 (Adobe PDF) goes into effect January 1, 2012.

This is good news for consumers, as other states' breach notification laws have followed California's lead. I believe it is also good because too often, consumers have no idea what to do next when they receive a breach notificaton letter. Too many don't know about the credit reporting agencies: Experian, Equifax, and TransUnion; nor the consumer's responsibility to keep their credit reports accurate; and the need to monitor their credit reports after a breach/theft.

Since writing this blog I have talked with many consumers. A breach notification letter is often a wake-up call that he/she needs to take action to protect their sensitive personal and financial information.

Moreover, the InfoLaw Group appropriate emphasized that SB 24:

"... adds California to the list of states and other jurisdictions that require some type of regulator notice in the event of certain types of data security breaches... Other states that require some form of regulator notice in some circumstances for certain kinds of entities (sometimes for a breach, and sometimes to explain why an entity has determined there was no breach) include Alaska, Arkansas, Connecticut, Hawaii, Indiana, Louisiana, Maine, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, New York, North Carolina, Puerto Rico, South Carolina, Vermont, and Virginia."

Don't see your state on this list? Write to your elected officials and demand an improved breach notification law for your state.

Sadly, only four states' governments post online the breach notifications they receive: Maryland, New Hampshire, Vermont and Wisconsin. Online postings are a good way for consumers to verify the breach notifications they receive.

Federal Reserve Board Takes Action Against Wells Fargo Including $85 Million Fine

Only July 20, the Federal Reserve Board issued a press release about its action against Wells Fargo & Company for lending and mortgage abuses. The action includes a "cease and desist" order, an $85 million civil penalty, and an order for Wells Fargo to compensate affected borrowers:

"... issued a consent cease and desist order and assessed an $85 million civil money penalty against Wells Fargo & Company of San Francisco, a registered bank holding company, and Wells Fargo Financial, Inc., of Des Moines. The order addresses allegations that Wells Fargo Financial employees steered potential prime borrowers into more costly subprime loans and separately falsified income information in mortgage applications. In addition to the civil money penalty, the order requires that Wells Fargo compensate affected borrowers."

The lending and mortgage abuses:

"Wells Fargo Financial--a once-active, non-bank subsidiary of Wells Fargo--made subprime loans that primarily refinanced existing home mortgages in which borrowers received additional money from the loan proceeds in so-called cash-out refinancing loans. The order addresses allegations that Wells Fargo Financial sales personnel steered borrowers who were potentially eligible for prime interest rate loans into loans at higher, subprime interest rates, resulting in greater costs to borrowers. The order also addresses separate allegations that Wells Fargo Financial sales personnel falsified information about borrowers' incomes to make it appear that the borrowers qualified for loans when they would not have qualified based on their actual incomes."

The amount of compensation to be paid to affected borrowers has not been set. The number of affected borrowers is estimated betweet 3,700 and 10,000. The amount of compensation will be dependent upon several factors:

"... including differences between what borrowers paid and what they should have paid in terms of origination points, interest payments, fees, and penalties."

On the same day, Wells Fargo issued a statement which read in part:

"The alleged actions committed by a relatively small group of team members are not what we stand for at Wells Fargo,” said Chairman and CEO John Stumpf. “Fair and responsible lending practices have been at the core of our culture, and they will continue to guide us as we work closely with the Federal Reserve to provide restitution to customers who may have been harmed, and to reinforce our internal controls so they further reflect Wells Fargo’s commitment to helping customers succeed financially... The Company’s agreement with the Federal Reserve does not include an admission of the allegations cited, which cover lending practices at Wells Fargo Financial between January 2004 and September 2008... Within 90 days, Wells Fargo will submit plans to the Federal Reserve that will outline its oversight of its mortgage lending practices regarding certain compliance and incentive compensation programs. In addition, Wells Fargo will develop a plan for continuing to identify and provide compensation to Wells Fargo Financial customers who may have been harmed by the practices alleged in the agreement..."

Analysis: Several States' Online Consumer Forms For Filing Phone Scams Complaints

[Editor's note: this is part three of a three-part series about telemarketing or phone scams.]

Yesterday, I described my experience with filing online complaints with the U.S. Federal Trade Commission and with the Attorney General office in the state where I live. Today, I want to share my findings about how well several states' Attorney General websites allow consumers to file online complaints about phone scams.

Remember, the the FTC Phone Fraud website instructs consumers to file complaints at both the FTC Complaint Assist website and at their state Attorney General website. After having difficult at the Massachusetts AG website, I reviewed several states' AG websites. I wanted to know if other states presented online complaint forms that made it easy (or difficult) to file complaints about phone scams.

I reviewed and compared the online complaints form for six (6) states. I chose four states (California, Florida, New York, and Texas) with large populations since that would include the probable online experience for a large percentage of the US population. I also included my home state (Massachusetts), and one state (Alabama) that does not have any laws requiring the notification of consumers affected by data breaches:

#	State AG Website	Online Complaint Form
1	Massachusetts	https://www.eform.ago.state.ma.us/ago_eforms/forms/piac_ecomplaint.action
2	California	http://ag.ca.gov/contact/complaint_form.php?cmplt=CL
3	Florida	http://myfloridalegal.com/Contact.nsf/Contact?OpenForm&Section=Economic_Crimes
4	Alabama	http://www.ago.state.al.us/consumer_form.cfm
5	New York	http://www.ag.ny.gov/bureaus/consumer_frauds/filing_a_consumer_complaint.html
6	Texas	https://www.oag.state.tx.us/forms/cpd/form.php

Remember, the FTC website linked to the National Association of Attorneys General (NAAG) website, which lists all Attorney General websites in the 50 states, plus the District of Columbia, Guam, and Puerto Rico. So, many consumers will arrive at their state's AG website with the goal to complete this specific task: file a complaint online about a phone scam. Given this specific task, I used three criteria to evaluate the AG websites:

1. Did the AG website main page present a link or button for consumers to file a complaint online, that was prominent and easy to find?
2. Did the AG website allow consumers to actually file a complaint online?
3. Did the state's online form allow for the submission of phone scams?

There are many other criteria one could use to evaluate AG websites. I chose these three criteria because they directly relate to the specific task. I looked for variations of the "File a Complaint" phrase and not necessarily the same words. My findings:

1. Many AG websites made it difficult for consumers to file complaints. 50% (3 of 6) of the websites reviewed contain a link or button on the home page that was prominent and easy-to-find. Prominent and easy means that the link/button is immediately displayed when the page loads. So, half of the websites (e.g., Florida, New York, and Texas) evaluated didn't provide a link/button.

AG websites typically present information about news releases and the services available to consumers and businesses -- all very valuable information. The lack of a "File a Complaint" link or button on the home page makes the website needlessly more difficult to use. This forces consumers to hunt for the complaint form page.

Several example highlight this forced hunt. First, the online complaint form is buried in the Florida AG website under the Consumer Protection website section. That fom location may be a logical place for frequent website visitors, attorneys, and AG office staff, but not necessarily for first-time visitors or consumers. Second, the Texas AG website has a "Report Fraud, Waste, and Abuse" link on its main page, but that link is narrowly focused on complaints about state government agencies. Consumers looking to file a complaint about a non-government organization still have to hunt for the online complaint form.

Third, the New York AG website locates its complaint forms under the Consumer Frauds Bureau and Identity Theft sections. Again, frequent visitors, attorneys, and AG office staff may know to look there, but first-time visitors won't.

When hunting for a form, there are several time-consuming strategies that consumers may use: site-search mechanism, click on various navigation links, and/or read the page content.

2. Most AG websites present interactive online complaint forms. 83% (5 of 6) of the websites reviewed present online complaint forms. The only website that didn't -- New York -- presented static forms in Adobe PDF format, which consumers must download, complete offline, and submit via surface mail.

3. Not all AG websites allow consumers to submit complaints about telemarketing/phone fraud. 60% (3 of 5) of the websites with interactive, online complaint forms allow consumers to file complaints about phone scams. (Remember, the New York AG website had PDF forms instead of interactive forms.) That is, the complaint forms are flexible enough to allow consumers to enter the data elements they may have.

In my online experience, the form in the Massachusetts AG website requires consumers to submit all of the following data elements about the phone-scammer: company name, address, city, state, ZIP Code, and phone number. With phone scams, consumers won't necessarily have all of these data elements. I didn't. The complaint form at the Texas AG website also contained the same usability problems as  the Massachusetts AG website form.

While it is a fairly simple task to add a "File a Complaint" link on the home page and to edit an online complaint forms to make more company data elements optional rather than required, there probably are backend database considerations. The online databases must contains sufficient categorization and tagging to identify phone fraud complaints as such, and not as partially completed complaints.

If you have submitted complaints at your state's AG website, what was your experience?

The State of Florida Made $63 Million in 2010 Selling Drivers' Personal Data. What About Your State?

Business Insider reported that the state of Florida sells the personal information of drivers:

"... to private investigators and research services for years with last year's sale bringing in almost $63 million. Reported by News Channel 5 in Tampa, the state sells nearly all the information on every license including birth dates and drivers license numbers."

The news report listed the price at $ .01 price per drivers record. That sounds awfully low -- too low -- given the data elements purchased and the reliable data source (e.g., the State of Florida). Do you think your personal information is worth more than a penny? I do and guess that you do, too.

The companies that purchase Florida drivers' information include some familiar names: Acxiom Information Securities Service, Inc., Choice Point, E-Funds, Explore Information Services, LexisNexis, Line Barge, Goggan, Blair, & Simpson, Inc., SC Services, ShadowSoft, TLO LLC, and West Services Inc..

The Driver Privacy Protection Act (DPPA) is Federal law enacted in 1994, long before corporate data breaches, digitized profiles, and privacy became the problems we have today. The DPPA regulates what personal information must be protected, and can (cannot) be sold by states. According to the Electronic Privacy Information Center (EPIC):

"The DPPA was passed in reaction to the a series of abuses of drivers' personal information held by government. The 1989 death of actress Rebecca Schaeffer was a prominent example of such abuse. In that case, a private investigator, hired by an obsessed fan, was able to obtain Rebecca Schaeffer's address through her California motor vehicle record. The fan used her address information to stalk and to kill her. Other incidents cited by Congress included a ring of Iowa home robbers who targeted victims by writing down the license plates of expensive cars..."

Some states have laws providing greater protections for drivers' personal information. There have been at least two class-action lawsuits for alleged DPPA violations.

Does your state sell drivers' personal information? Probably. It can be difficult to determine. Often, there is a disclosure in your state government motor vehicle registry website about the DPPA and what your state does (and does not) sell. For example, the Massachusetts RMV website:

"The DPPA restricts the disclosure of personal information, as defined in 18 U.S.C §2725. Personal information is information that identifies an individual, including name, address, driver's license number, social security number*, photograph* and medical information... The DPPA only restricts personal information. Information on vehicular accidents, driving violations and driver's status is not personal information. Also, information that does not pertain to an individual would not be considered personal information."

Like other states, only "Permitted Users" can buy this drivers personal information, and the state supposedly verifies both the purchasers' identities and whether the purchasers' usage post-sale complies with the law. So, drivers personal information is being sold. I wasn't able to find a disclosure about the annual total amount of revenues from DPPA sales.

Another example from the New York State DMV:

"You must have a DPPA permissible use to request DMV records that contain personal information. Personal information includes name, address, or Client ID Number (Driver License Number). You must certify that you have a permissible use when you request records that contain personal information... The DMV records that are frequently requested are driver abstracts, registration abstracts, title abstracts, and accident reports... The DMV normally does not provide a history of the ownership or the mileage of a vehicle... To request a vehicle ownership history, you must certify that you have a DPPA permissible use for the information... The National Driver Register (NDR) is a database maintained by the Federal government. The NDR lists: the drivers from each US state who have a driver license that is suspended or revoked, and the drivers who were convicted of a serious traffic violation like DWI or a drug-related violation. Motor vehicle bureaus in the US provide the NDR with the names of persons who lose the privilege to drive or who were convicted of serious traffic violations... You can use form NDR-1 to search the NDR. Information from the NDR must comply with the DPPA."

Another example from Texas:

"... the Driver’s Privacy Protection Act (DPPA), makes it illegal for the general public, including the media, to obtain, publish or confirm personal information about you from the state motor vehicle database. The law does provide exceptions for certain entities, such as courts and police. Texas law provides additional protection under the Motor Vehicle Records Disclosure Act, and the Public Information Act (Section 552.130)."

Personally, I don't believe that Florida (and other states) should sell drivers personal information to information brokers, regardless of the uses claimed by the data brokers. It effectively, makes the data publicly available to everyone, "permitted uses" or not.

The states' DPPA disclosures which I have read are often long, difficult to read, and at times confusing. The information could be presented far better with pages containing separate summaries, instructions, and forms for each target audience (e.g., individuals/residents, companies, state/local agencies, law enforcement/courts, etc.). When there are additional state laws providing broader protections, you almost have to be an attorney in order to reconcile the multiple laws to understand exactly what is protected and sold.

Kudos to News Channel 5 in Tampa for the good investigative journalism.

What is your opinion? Should states sell drivers personal information? Is the price Florida charged too low?

New ATM Scam Tactic: Glued Keyboards

The San Franciso Examiner reported a new ATM scam where thieves used glue to disable the "Clear," "Enter," and "Cancel" buttons on bank ATM machine keyboards. Apparently, the scam works like this:

1. A bank customer visits an ATM as they normally would. After entering their PIN on the keyboard, the customer realizes that certain keys don't work
2. The customer abandons the ATM machine without canceling the "live" transaction session, and goes inside the bank branch for assistance
3. While the customer is inside the bank branch, the thief walks up to the ATM machine and uses the "live" transaction session to drain the victim's bank account of cash

In this scam, thieves didn't have to steal your debit card and PIN. They just used a "live" ATM transaction session that the customer didn't cancel appropriately.

What consumers should do if you encounter an ATM machine with a tampered keyboard? Experts advise consumers to:

• Use the touch-screen selections to cancel your ATM transaction session. Then, go into the bank branch for assistance
• Many ATM machines have a phone for assistance. Use that phone, if you don't want to leave the ATM machine
• Use ATM machines in protected, well-lighted locations; idealy inside bank branches during normal banking hours
• Use ATM machines with controls that you are familiar with. Know both the keyboard and touch-screen options to complete (or cancel) a transaction session
• Monitor your bank accounts for fraudulent entries
• Learn how to recognize ATM machines that have been tampered
• Watch this video of a thief installing an ATM machine skimming device
• Be alert, since some thieves attach skimming devices to the ATM booth door-entry mechanisms
• If you see or encounter the thief, do not approach him/her. Instead, call local law enforcement

Have you encountered an ATM machine with a tampered keyboard? What did you do?

Privacy Crusader: Protecting Children From Tracking Kids Apps

A new class-action lawsuit highlights the privacy issues where mobile devices, gaming, and children intersect. OpenFeint, Inc. and GREE International were named in a class-action lawsuit which alleged that OpenFeint singularly and together with third-party app developers conducted unfair and deceptive business practices and privacy violations that (bold emphasis added):

"... gained unauthorized access to, and unauthorized use of, Plaintiffs’ and Class Members’ mobile devices to access, collect, monitor, and remotely store, without notice or consent, Plaintiffs’ and Class Members’ mobile device’s Unique Device Identifiers, Personally Identifiable Information, OpenFeint user account, GPS “Fine” co-ordinates, and Facebook/Twitter profiles..."

GPS fine coordinates are consumers' exact latitude and longitude (to within a few inches), as opposed to estimates of your GPS location to the nearest cellular tower. It is important for mobile device users to know whether the app tracks your precise or estimated GPS location.

UDID is the "Unique Device Identifier," a 40-digit code embedded in all mobile devices. It identifies your mobile device and when matched with your cellular phone number, allows companies to identify your mobile device, location, and app usage as uniquely you.

I don't need to explain the wealth of sensitive personal information available in Facebook profiles. Facebook members typically upload into their profiles address data, online contact information, family information, education, employment, photographs and videos, hobbies, websites of interest, television shows of interest, and with location-based check-ins the time, date, frequency, and duration of visits to various retailers.

The complaint alleged that OpenFeint violated the Computer Fraud And Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), California's Computer Crime Law, the California Invasion of Privacy Act, and the Consumer Legal Remedies Act (CLRA).

While prior lawsuits have focused on tracking and privacy issues, this suit deserves attention because the allegedly affected mobile device users also included children -- as young as 4 years of age. The complaint describes how OpenFeint offers a huge mobil e social gaming network with at least 5,300 game applications and alleged:

"... many of the downloaded applications affiliated with Defendant OpenFeint involved the unauthorized tracking of minor children."

And:

"... OpenFeint targets minor children with free affiliated gaming applications designed and promoted as “Kid apps,” purposely including storybook tales, friendly animals, and child-like game scenarios to attract children, so that the child’s parents would be more likely to allow for the app download, relying in part on the posted children app ratings. Many of Defendant OpenFeint’s gaming applications are rated 4+, for ages four (4) and up, rated 9+ for ages nine (9) and up, and rated 12+ for ages twelve and up."

The gaming market is huge. Google/Android and Apple/iOS mobile devices are capturing a larger share of the $7.3 billion global mobile gaming market.

OpenFeint is a social gaming platform that app developers use to develop games for the Apple iPhone, iPad, iTouch and Google/Android mobile devices. The game apps typically provide users with the capability to import friends from their Facebook and Twitter profiles. Earlier this year, GREE International acquired OpenFeint for about $104 million. OpenFeint was previously known as Aurora Feint.

The suit was filed in Northern California District Court by attorneys Parisi & Havens LLP, and the Law Office of Joseph H. Malley, P.C. While reading the complaint, I recognized Malley's name, since he is often referred to as a "Privacy Crusader." Malley was involved with class-action suits against Adzilla, NebuAd, Quantcast ("zombie cookies"), Ringleader, Facebook, and Apple. In 2010, Facebook settled its suit for $9.5 million. So, Malley has plenty of experience with online privacy and tracking issues.

The complaint cited a May 2011 investigation by Cortesi about how companies collect UDID and consumer information from mobile device apps. That investigation included both encrypted and unencrypted Internet traffic for about 94 iPhone apps:

"84% of apps tested contacted one or more domains during use... Three big aggregators of UDID-related data dominate: Apple, Flurry, and OpenFeint. Each one of these companies has the vast majority of UDIDs on file, linked to a rich set of privacy-sensitive information. OpenFeint's ubiquity is one of the reasons why UDID de-anonymization using their API is so serious."

Since consumers have no way to stop apps from collecting their UDID, and if consumer data can de-anonymized, then consumers effectively have no online privacy regardless of companies' claims to anonymize the data they collect. That means companies can compile databases rich with value, and make money by selling that information to others.

So, I also read the Cortesi article about de-anonymizing the OpenFeint data. Since Cortesi was able to de-anonymize the data OpenFeint collected, it means that companies could have done so, too, and compiled databases of greater value than otherwise:

"... I was able to link roughly 30% of UDIDs to GPS co-ordinates, 20% of users to a weak identity (e.g., OpenFeint profile picture, user-chosen account name), and 10% of UDIDs directly to a Facebook profile... Although the Facebook and GPS de-anonymization issues have been repaired, we have to consider the possibility that these vulnerabilities have already been used to de-anonymize a database of UDIDs."

While much of API data leakage has been fixed by OpenFeint since the Cortesi article, the fact remains that the data leakage occurred. That makes me wonder how effective OpenFeint's quality control process really is, what other OpenFeint API data leaks haven't been found, and which other companies used their access to OpenFeint data leakage to improve their database value.

The complaint also cited several studies about consumer tracking and sensitive data collection, including the Wall Street Journal Cellphone Testing Methodology, which allegedly included several OpenFeint gaming apps. This cellphone analysis is part of the Journal's What They Know series.

Download the Hines v. OpenFeint complaint (3,782 K Bytes, Adobe PDF format).

It is good to see a focus on tracking and data collection issues related to children. Since teenage children give little or no attention to privacy issues, it is logical to assume that younger online users don't either. Young children -- ages 4 thru 8 -- are too young to read and understand the privacy and terms of use policies at websites.

I like how the complaint mentioned the various costs to consumers. One cost is the value of the stolen sensitive personal information. Another cost is the larger data downloads, since consumers typically pay monthly fees for data plans with their mobile devices. The more data captured and downloaded without notice, the greater the financial impact upon consumers.

It is important for all mobile-device users, especially parents, to research the mobile device apps they or their children want use before purchasing and downloading the apps. There are several helpful resources, including the Wall Street Journal mobile, CNet, MacWorld, and PC World websites.

What are your opinions of Open Feint and this lawsuit? What do you think of companies tracking minor children online?

Facebook And Google Claim The "Do Not Track" Bill Is Bad For The Economy

In a letter to the California legislature (PDF), several companies including Facebook and Google claim that the proposed "Do Not Track" law is bad for the California economy:

"California Senate Bill 761 would create an unnecessary, unenforceable and unconstitutional regulatory burden on Internet commerce. The bill covers an overly broad range of information, and would regulate indirectly virtually all businesses who collect, use or store information from a website. The measure would negatively affect consumers who have come to expect rich content and free services..."

The companies that signed this letter included Acxiom, Allstate, American Express, Experian, Facebook, Google, Acxiom, Reed Elsevier, Specific Media, Time Warner Cable, Yahoo, and others. The companies claim that SB 761 is unnecessary because:

"... consumers can easily opt out of the collection of data through browser tools. The four leading Internet browsers - Internet Explorer, Safari, Firefox, and Google Chrome - all provide user-friendly filtering options that block the ability of companies to collect data or track Internet use."

This is not entirely correct, as websites and companies are not required to honor the do-not-track request from the web browser. According to these companies, this is how California's economy could be harmed:

"SB 761 would create a second, conflicting set of standards to which companies would have to conform or else face class action lawsuits. This would, in turn, create significant confusion and uncertainty for investors, businesses and consumers. Online commerce would simply be unworkable if websites were forced to comply with a patchwork of privacy and notice laws. This would impose an unprecedented and arduous regulatory burden on Internet commerce. Further, a do not track requirement on the use of this data would stifle innovation..."

A patchwork quilt of laws? That is what we have today with breach notification and data security across states. If these companies can exist with a patchwork quilt of breach notification laws in one area, they can live with a patchwork quilt of laws in another area.

The bigger issue is that these companies have taken a strong stand for extensive tracking. How? These companies are content with opt-out as the program standard: consumers are always automatically included and the burden is on consumers to consistently opt-out. I have long argued in this blog for the program standard to be opt-in: consumers aren't included until the consumers chooses to register or opt-in.

Plus, I Facebook's objections to any limitations on consumer tracking is not a surprise to me, given Facebook's ties to Rapleaf, and how Facebook uses its social plugins to both deliver content and to track consumers across the Internet. When you visit a website with a facebook social plugin, Facebook captures the date and time of your visit, the web page visited, your IP address, your computer's operating system, and (if you are signed into Facebook) your Facebook user ID number. This data collection rivals what Google collects.

The letter has a "sky is falling" aspect to it. These companies operated well when the Internet had little or no tracking. They will survive regardless of the claims.

Proposed "Do Not Track" Law In California: Senate Bill 761

It's been a busy couple of weeks regarding privacy news, and unfortunately the Sony data breaches have temporarily pushed aside other important news. Since California led the way with data breach notification legislation for consumers, I definitely wanted to discuss the following news.

In February of this year, California Senator Alan Lowenthal introduced legislation (California Senate Bill 761) to provide consumers with greater protections and controls with mobile privacy. Since February, the original legislation has been amended a couple times. The latest bill revision at April 25 stated:

"... to adopt regulations that would require a covered entity, defined as a person or entity doing business in California that collects, uses, or stores online data containing covered information from a consumer in this state, to provide a consumer in California with a method to opt out of that collection, use, and storage of such information. The bill would specify that such information, includes, but is not limited to, the online activity of an individual and other personal information. The bill would subject these regulations to certain requirements, including, but not limited to, a requirement that a covered entity disclose to a consumer certain information relating to its collection, use, and storage information practices. The bill would, to the extent consistent with federal law, prohibit a covered entity from selling, sharing, or transferring a consumer's covered information. The bill would make a covered entity that willfully fails to comply with the adopted regulations liable to a consumer in a civil action..."

This bill starts to get a handle on the extensive data sharing by companies that most companies do not disclose in their website privacy and terms policies. Covered information includes consumers' online usage, including (bold text added for emphasis):

"... the Internet Web sites and content from Internet Web sites accessed; the date and hour of online access; the computer and geolocation from which online information was accessed; and the means by which online information was accessed, such as, but not limited to, a device, browser, or application... Any unique or substantially unique identifier, such as a customer number or Internet Protocol address... Personal information including, but not limited to, a name; a postal address or other location; an e-mail address or other user name; a telephone or fax number; a government-issued identification number, such as a tax identification number, a passport number, or a driver's license number; or a financial account number, or credit card or debit card number, or any required security code, access code, or password that is necessary to permit access to an individual's financial account."

That should sufficiently cover the UDID unique identifier in smart phones and mobile devices. I hope that more states pursue and adopt similar legislation. As reported in The Register UK:

"California stands to become the first US state to pass do-not-track legislation and is poised to beat any national law. The Do Not Track Me Online Act was only introduced to the US House of Representatives in Washington DC in February – that was by another Californian Democrat, Jackie Speier – and must navigate Capitol Hill's partisan log jam."

What I found most important for consumers to know:

"... the problem with do-not-track at the browser level is that there's no requirement on the web site to honor the do-not-track request."

The consumer advocacy group Consumer Watchdog sponsored the California legislation, and wrote this in an April 2011 letter Google (PDF):

"As you are aware, online commerce relies on consumer trust. Sadly, much of the current Internet business model is based on invasive and pervasive tracking of consumers’ online activities without their knowledge or control. This should not be the business model of a company whose motto is “Don’t Be Evil.” Do Not Track legislation would give consumers meaningful protection and control. It would build their confidence in the Internet – a win, win situation for business and consumer."

I agree with ConsumerWatchdog, as I have covered in this blog the pervasive and undisclosed online tracking in posts about tracking by credit reporting agencies, unannounced tracking with Fash cookies, persistent tracking with "zombie" cookies., and tracking by the advertising networks.

Police Bust Debit Card Skimming Thieves In Mountain View California

I like to acknowledge the efforts of law enforcement to fight identity theft and fraud. Earlier this month, the Santa Clara County District Attorney's Office charged Boris Tumasyan, 24, and Sarkis Sarkisyan, 23, from Glendale, California with operating a debit/credit card skimming operation.

On December 6,, a gas station employee first found the skimming device attached to a circuit board inside a gas station pump, after opening the pump to investigate an error message. To catch the thieves, local law enforcment attached an alarm to notify them when the gas station pump was opened.

"Tumasyan and Sarkisyan were arrested on December 17, 2010 after the alarm was triggered. Officers searched their van and found keys that opened the gas pump and address information for several other area gas stations. Further investigation by REACT – a Bay Area high-technology and identity theft task force – found six identical skimmers hidden inside gas pumps at five locations in Mountain View and Los Altos. REACT conducted a forensic examination of those skimmers and found over 3,600 individual credit card numbers."

Debit/credit cardholders were fortunate in that local law enforcement caught the thieves before they could retrieve and use the stolen card information. This type of crime is impossible for consumers to detect because the skimming device is installed out of sight and inside the gas station pump.

As I have written before, to avoid getting "mugged" at gas station pumps, consumer must protect their PIN. Experts advise that consumers should:

1. Pay at the pump using the "credit" option and not the "debit" option. This provides you with greater protections, liability limited to $50, and you don't use your PIN. Plus, you receive loyalty points if your credit card has a loyalty program.
2. If you want to pay using the "debit" option, don't pay at the pump. Go inside the gas station and pay at the cashier's window with your debit card. If a "signature debit" is available, use that option instead of your PIN.
3. If things look sketchy, pay with cash since that never discloses your bank account information.

What do I do? I pay with cash, especially if I am at a gas station I don't shop at regularly. It is impossible to tell if a gas station pump has been tampered with or not. I use my debit card only at my bank's ATM machines.

Congratulations to local law enforcement.

A Second Data Breach at Health Net Affects 1.9 Million Consumers

On Monday of this week, Health Net announced a data breach and the company's ongoing investigation into lost/stolen server drives from its data center in Rancho Cordova, Calif. According to the press release:

"This investigation follows notification by IBM, Health Net’s vendor responsible for managing Health Net’s IT infrastructure, that it could not locate several server drives. After a forensic analysis, Health Net has determined that personal information of some former and current Health Net members, employees and health care providers is on the drives, and may include names, addresses, health information, Social Security numbers and/or financial information."

This is interesting for several reasons. First, the Health Net press release didn't disclose either the number of lost/stolen server drives, nor the number of consumers' records lost/stolen. That's usually a bad sign that the breach is a huge one. The California Department of Managed Health Care (DMHC) issued a statement (43k bytes; PDF document) that the Health Net breach included 1.9 million current and prior Health Net customers nationwide, including:

"... more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in California Department of Insurance products, and a number enrolled in Medicare."

The DMHC is rightly concerned and conducting its own investigation. The DMHC statement also said that nine (9) Health Net server drives were missing.

Second, the above Health Net press release mentioned the name of an IT outsource vendor I recognized, IBM. I have had some direct, personal experience with an IBM breach. And IBM's involvement in the Health Net breach has a twist of irony.

After its 2007 data breach, IBM never disclosed what actions it took, if any, with the outsource vendor it hired to ship its backup computer data tapes to an off-site facility. Did IBM fire its vendor, or were specific vendor's employees disciplined or terminated? We never learned what happened. Now, to use a common expression, "the shoe is on the other foot" as IBM is the vendor involved in its client's data breach.

Third, this is the second huge data breach at Health Net. In November 2009, Health Net suffered a huge data breach. That 2009 data breach included hard drives, too, where the sensitive personal data lost/stolen included the Social Security numbers, medical records and health information dating back to 2002 of 1.5 million past and current customers in several states. During the last few months, Health Net paid fines to several states to settle the 2009 breach. Several states' attorney generals alleged that the 2009 breach violated the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), and some states' local laws.

Fourth, ABC News focused its coverage on the delayed notification. Apparently, Health Net learned about the missing server drives in February, notified the California Attorney General's office on March 4, and then notified the public on March 14. The delay in notificaton was part of the rationale for the settlement fines Health Net paid as a result of its 2009 data breach.

Fifth, the Connecticut Attorney General's office has demanded that Health Net provide identity-theft and credit protectons for 25,000 Connecticut residents affected by the data breach. In its breach announcement, Health Net has hired Debix (again) to provide two years of complimentary identity-theft and credit protection for breach victims.

Sixth, the nationwide impacts of the Health Net data breach are jsut becoming known. About 40,000 consumers in Washington state have been affected. I expect more states' regulatory agencies and/or attorney generals to issue statements about the impacts in their states.

After such a huge data breach in 2009, you'd think that the executives at Health Net would "get it," implement tightened data security, and implement both new data security policies and employee training to prevent another massive data breach. Well, another massive breach happened. As a wise person once said, actions speak louder than words.

I am hoping that the consequences for Health Net executives include much more than fines. Executives need to be fired and/or jailed. What do you think? What action, if any, should Health Net take with its outsource vendor, IBM?

Error-Filled Background Checks Make Finding a New Job Difficult

At some point during our work careers, we all look for a new job. Given the recent, ongoing economic downturn, many people are looking for work. When applying for a new job, potential employers usually perform a background check of applicants. What happens when the background check includes wrong information? The following story explains what happens.

Channel 7 News, the ABC News affiliate in San Francisco, reported the story of Patrick Chad Padilla, who applied for a security job position at a Walmart store in Sacramento, California. After the third interview, Padilla was offered the job pending a background check. Walmart withdrew the job offer when the background check turned up problematic information.

After looking at the the background check Walmart, Padilla noticed that the report contained information about Patrick Saenz Padilla, who Channel 7 News would later discover is a criminal serving time in a New Mexico prison. Despite the middle name differences, Walmart insisted on using the faulty background check and refused to offer Padilla the job.

Hello? Does anybody at Walmart use their brains?

Obviously not. Brain-dead bureaucracies operate in the private sector, and not just in government agencies.

This story is important for several reasons. First, multiple companies made errors in this story. Walmart's errors are clear. Second, Padilla applied for a job at Roseville Hyundai later and the same thing happened again. The faulty background check stopped another job offer.

Third, there are some sensible guidelines governing the proper use of background checks by companies. In at least one instance, an employer started a new policy demanded Facebook passwords from both job applicants and current employees without any suspicion of wrongdoing. (That policy has since been suspended for a 45-day review.)

Fourth Acxiom, the provider of the background check service definitely shares some of the blame for Padilla's job-search difficulties. Acxiom clearly made mistakes by combining information about two different people into a single report. From the news story, it isn't clear that Acxiom has corrected Padilla's profile information. The middle name difference should have been easy to spot, but Acxiom either missed it, or ignored it. And Padilla suffered the consequences.

This is not the first incident with an erroneous background check. In this incident in Kansas last year, the local sheriff's office helped the affected job applicant clear his name.

Background checks are necessary, as employers can't hire convicted criminals for certain jobs. A wide variety of companies use Acxiom products and services, including Sony Ericsson Mobile Communications, Urban Mapping, Blackboard, USA Swimming, Senior Checked, Windstream, and General Motors. At its mid-year 2010 conference, the National Association of Professional Background Screeners (NAPBS®) Background Screening Credentialing Council (BSCC) announced that Acxiom and several other companies had achieved compliance with its Background Screening Agency Accreditation Program (BSAAP).

Although this class-action against Acxiom was ultimately unsuccessful in the courts, it did reveal that Acxiom buys a lot of its information about consumers from various states' motor vehicle agencies.

A recent survey by The Black Book of Outsourcing rated Acxiom number one in customer satisfaction for IT outsourcing. Well, Acxiom may help its IT department customers save money, but I wonder how reliable that customer satisfaction rating is. Would consumers rate Acxiom highly? My guess is Padilla wouldn't rate Acxiom highly.

Fifth, background-check concerns are not only about Acxiom, but also apply to other companies that provide similar services. CNN Money listed some of the companies, including Rapleaf, that provide background checks based on the collection of consumer data from public records. The Wall Street Journal published a similar list of what it called "scrapers." LewRockwell.com published a similar list of companies consumers should consider removing their profile data from.

Sixth, when private companies offer products and services based on their collections of sensitive consumer information, there has to be a method to discover and correct mistakes and erroneous entries. This process exists with the major credit reporting agencies, but not with companies like Acxiom. As Channel 7 News reported:

"There's no federal or state agency that's making these companies actually clean up their records and make them accurate..."

Getting pack to Padilla's story: later, Walmart reversed itself and encourage Padilla to apply for a different job. What? Is Walmart serious? After all of the obvious mistakes and blunders, Walmart couldn't do the right thing, apologize, and simply offer the job to Padilla?

Meanwhile, Padilla had moved on to work for another company. I wouldn't work at Walmart either after this poor treatment. It signals that Walmart probably treats vendors, suppliers, and its employees just as poorly.

If this story upsets you (and I truly hope that it did upset you), I encourage you to write to your elected officials and tell them:

• Potential employers must give job applicants copies of the background check report used for the hire decision
• Consumers should not suffer the consequences for corporate mistakes and errors, especially about background checks
• Federal and state laws must require companies to correct errors in their databases containing consumer information
• Database marketing services (e.g., companies that collect data and offer products based on those databases) must provide consumers with a fast, easy-to-use, and prompt process for reviewing and correcting errors in their profile
• Corporate violators should be prohibited from the data collection and from any services/products based on that data collection

Have you been denied a new job due to an error-filled background check? Have you lost a job offer to an erroneous background check? We'd like to hear your experiences, and if you were able to correct the problem.

Apple, Mobile Device Privacy Abuses, and Data Plan Theft

Earlier this week, Apple Computer was served with another class action lawsuit alleging violations of mobile device owners' privacy. I read the complaint (PDF, 2.7 MBytes) which caught my attention for several reasons.

Nine consumers have filed this latest class-action lawsuit against Apple Computer and several other companies for the unauthorized access, use, and transmission of the mobile device owners' sensitive personal data to app developers and third-party companies. The mobile devices in question include iPhone, iPad, and iPod Touch devices. Besides Apple Computer, the complaint included several several popular brands: the New York Times, WebMD, Yelp, Quattro Wireless, NPR, and Groupon. Many smart phone users have used Groupon for its geo-based coupons. I use several of these apps on my Windows® operating system smart phone.

The complaint alleges that several app developers (Groupon, IAC, NPR, The New York Times, Pandora Media, WebMD, Yelp, Flurry Inc.) and their affiliates (Pinch Media, Medialets, Flurry Inc.):

"... gained individually, and in concert with defendant Apple, unauthorized access to, transmittal of, and use of data, which included but was not limited to the plaintiffs' and class members' UDID, obtained from the plaintiffs' and class members' mobile devices, bypassing the technical and code-based barriers intended to limit access, in addition to bypassing the plaintiffs' and class members' privacy and security settings."

UDID is the "Unique Device Identifier," a 40-digit code embedded in all mobile devices. It identifies your mobile device and when matched with your cellular phone number (or iTunes account), allows companies to identify your mobile device as uniquely you. The complaint alleges that the companies knew about this fraudulent activity and based their business model on unauthorized access and use of this personal information.

For several consumers in the class-action, they began to suspect that something was wrong when their mobile devices:

"... tended to operate more slowly and sometimes froze when loading web pages."

Consumers use a wide variety of apps. Some of the apps the consumers in the class-action downloaded from the iTunes store: Currency, WallpapersHD, Flixster, Netflix, Pandora, Shazam, Google, New York Times, Google Earth, Find iPhone, WiFi Finder, Monopoly, Sudoku2, Tetris, Scrabble, UNO, Angry Birds, Skype, Epicurious, Bank of America, eBay, GasBuddy, and Amazon.com. Obviously, only some apps compromise consumers' privacy. The point: I can imagine the consumers in the class-action probably felt "mugged" by their mobile device apps. When a few apps allegedly compromise your privacy, you become wary of downloading more apps that might do more damage.

How many apps compromise consumers' privacy? MediaPost reported:

"... researchers at the Technical University of Vienna reported that more than half of the 1,400 iPhone apps they studied collected users' device IDs... An earlier study by Bucknell University assistant director of information security and networking Eric Smith found that 68% of the most popular iPhone apps transmitted the devices' unique numbers to outside servers..."

Besides privacy abuses, another impartant issue for consumers is "data plan theft." Some people may call the defendant companies' apps "bandwidth hogs," put I prefer the term "data plan theft." Why? When apps secretly store, use, and transmit mobile device owners' sensitive personal information, the transmission consumes a portion of mobile device owners' monthly data plan limits. That is theft when the transmissions aren't authorized.

There is a direct impact and cost if you pay a monthly fee for your data plan and your data plan has a (low) limit. The cost seems easy to calculate, when you consider that most consumers check for news several times daily. The Groupon users I know, use that mobile site several times per week.

I guess that you could call the offending apps, "money sucking apps."

As a smart phone user, "data plan theft" is important to me because I pay my mobile service provider $25 monthly for about 2 gigabytes of data downloads. (I get unlimited texts so that doesn't factor into the download amount.) Mobile device owners who frequently use the above offending apps would probably incur a greater cost theft than less-frequent users.

Given the "data plan theft" issue, I can imagine the consumers in the class-action probably felt "mugged" by their mobile device apps. When a few apps allegedly compromise your privacy and consumer your data plan usage without authorization, you become wary of downloading more apps that might do more damage. All apps stores need to recognize this threat and take appropriate corrective action.

Otherwise, you could call the app stores, "data breach stores."

The complaint included an attorney's name I have seen before: Joseph Malley of Dallas. Malley, often referred to as a "Privacy Crusader," was involved with class-action suits against Adzilla, NebuAd, Quantcast ("zombie cookies"), Ringleader, and Facebook. In 2010, Facebook settled the suit for $9.5 million. For consumers who have privacy concerns, you want an attorney that is experienced with online privacy issues and technologies. Malley is the guy you want on your side.

Several related blog posts consumers may find helpful:

• How To Protect Your New Mobile Phone And Your Sensitive Data On It
• Identity Thieves Have a Hidden App For That
• When Anonymous Is Synonymous With You

Quantcast Settles 'Zombie Cookie' Tracking Lawsuit

I reported in July about a class action lawsuit filed in U.S. District Court in Central California against online measurement firm Quantcast Corporation and several of its affiliates for using "zombie cookies" to track consumers' online activity and for violating several computer and consumer privacy laws. The other companies named in that lawsuit were Myspace Inc., American Broadcasting Companies Inc. ESPN Inc., Hulu LLc., JibJab Media, MTV Networks, NBC Universal Inc. and Scribd Inc..

Earlier this week, Wired magazine reported that:

"... Quantcast has agreed to pay $2.4 million to settle a class action lawsuit alleging it secretly used Adobe’s ubiquitous Flash plug-in to re-create tracking cookies after users deleted them... More than $1 million of the settlement will go to fund privacy groups chosen by the plaintiffs, and 25% will go to the lawyers who filed the suit. It’s unlikely that any money will go to the class, since it essentially includes every internet user in the U.S."

In a press release, Quantcast said this about the settlement:

"We chose to settle the litigation to bring clarity and certainty to our customers and to avoid the burden and cost of further litigation."

When you've been caught -- literally and figuratively -- with your hand in the cookie jar, I guess that there's not much to say after settling a lawsuit. Congratulations to those attorneys -- Joe Malley and others -- in this suit, as the tracking likely would have continued otherwise. Thanks for advocating for consumers' online privacy.

Quantcast And Several Major Online Sites Sued For Alleged Use of 'Zombie' Cookies To Track Consumers Online

last week, a class-action lawsuit was filed in U.S. District Court in Central California against Quantcast Corporation and several of its affiliates for using "zombie" cookies to track consumers' online activity and for violating several computer and consumer privacy laws.

The affiliates include several major online companies and their websites you have probably used: Myspace Inc., American Broadcasting Companies Inc. ESPN Inc., Hulu LLc., JibJab Media, MTV Networks, NBC Universal Inc. and Scribd Inc.. The complaint alleges that the companies violated one or several laws:

• Computer Fraud and Abuse Act, 18 U.S.C. § 1030
• Electronic Communications Privacy Act, 18 U.S.C. § 2510
• Video Privacy Protection Act, 18 U.S.C. § 2710
• California’s Computer Crime Law, Penal Code § 502
• California's Invasion of Privacy Act, Penal Code § 630
• UCL, Business and Professional Code § 17200
• Consumer Legal Remedies Act

I've Been Mugged reviewed the complaint (PDF, 690k bytes), which alleged that several consumers:

"... were victims of unfair, deceptive, and unlawful business practices; wherein their privacy, financial interests, and computer security rights, were violated by Quantcast Corporation, and websites affiliated individually with Quantcast... by setting flash cookies on their user’s computers to use as local storage within the flash media player to back up browser cookies for the purposes of restoring them later."

The suit also alleged that the defendant companies:

"... knowingly authorized, directed, ratified, approved, acquiesced, or participated in the unfair and deceptive business practices made the basis of this class action, which included, but was not limited to, setting of an online tracking device which would allow access to, and disclosure of, personal information (“PI”), personal identifying information (“PII”), and/or sensitive indentifying information (“SII”). This information was derived from the Internet user’s online activities, including visits to non-Quantcast Flash Cookie Affiliates’ websites, accomplished covertly, without actual notice, awareness, consent or choice of the user."

This is important: the suit alleges that the companies used the Flash cookies technology to secretly track consumers' online habits and usage, to regenerate traditional web browser cookies, and to collect consumers' sensitive personal information. The companies allegedly profited from this practice and never provided the consumers with notice (in website privacy and terms policies) or opt-out mechanisms.

These "zombie" cookies are the regenerated traditional web browser cookies you usually delete. Like the zombie monsters you have seen in movies, they never seem to completely disappear; and they keep returning despite your best efforts to kill them.

The complaint also cited the problematic, vague, and misleading portions of each defendant company's website privacy or terms policy. The suit does not include all Quantcast affiliates; only those there were involved in the covert tracking and use of "zombie cookies." The suit described in detail how the covert tracking and sensitive personal information collection worked:

"... information obtained by the placement of flash cookies on the users’ computer hard drive and the use of user’s local storage within their flash media player to back up browser cookies for the purpose of restoring them later without actual notice/awareness and consent/choice of the user.."

This is important. Since the firms knew that consumers regularly deleted their browser cookies (to avoid tracking and to maintain their privacy online), the companies intentionally used the Flash cookies technology to regenerate deleted web browser cookies on consumers' personal computers without the consumers' knowledge or consent.

In this class action suit, one of the lawyers representing the consumers in the complaint is a Privacy Crusader I've written about previously: Joe Malley. Malley has much plenty of experience with online privacy, targeted ad tracking, and data collection issues as he has been involved with class actions against Facebook and its Beacon affiliates, NebuAd, and Adzilla. Earlier this year, Facebook settled the suit for $9.5 million. So, I am happy that Malley is involved with this latest suit.

In researching this latest suit, the attorneys found that:

• The leading websites regularly use Flash cookies for a variety of reasons,
• Many of of these leading websites also use Flash cookies" to regenerate web browser cookies that consumers have regularly deleted,
• To justify tracking via tailored online ads, advertisers regularly claim that consumers want online ads tailored to their interests while studies have documented otherwise

When I first wrote about the privacy and tracking issues with Flash cookies, I also spoke with with several web developers I have worked with in prior jobs. Some knew about Flash cookies but most had no idea about the extent of online tracking and data collection via the technology. If these professionals with deep Internet experience have no idea, then the average consumer or online user definitely has no idea of the technology, the privacy abuse problems, or what, if anything, to do about it.

Since I learned about the "zombie" cookie problem, I now use two software products to monitor and delete all cookie files on my home computer:

1. MAXA Cookie Manager software
2. BetterPrivacy add-on for the Firefox browser

Depending upon which web browser used, consumers may decide to download one or both of the above software products. I like the MAXA Research software since it monitors all Local Shared Objects (LSOs) on your computer: web browser cookies, Flash cookies, and DOM user data. Most web browsers have menu options to delete standard web browser cookies, but are unable to delete Flash cookies and other LSOs. The I've Been Mugged blog features a June 2010 interview with the Chief Technology Officer at MAXA Research.

Moreover, this class action suit highlights the fact that companies' website policies are often vague and lack sufficient detail for consumers to make informed decisions. Granted, many consumers don't read the privacy and terms of use policies at websites, but that is no excuse for companies to publish insufficient policies. Plus, Federal and state laws lag far behind online technologies. This makes online privacy difficult for consumers and many companies seem to take advantage of this situation.

Last, this class action suit should be a wake-up call to consumers across the Internet. Now is the time for consumers to demand accountability from websites and advertisers. If they refuse to provide accurate disclosures in their website policies, shop elsewhere. If they refuse to provide easy-to-find opt-out mechanisms for their advertising and marketing programs, shop elsewhere. If you find websites offering advertising and marketing programs with opt-in mechanisms, shop there instead.

If this "zombie" cookie situation bothers your (and I sincerely hope that it does), I encourage you to write to your elected officials and demand stronger laws requiring companies to fully disclose in their websites the tracking and technologies used by their websites, partners, and affiliates.