How To Spot a Phishing Email Message
FTC Wins $3.6 Million Judgement Against Payments Processor Who Helped Deceptive Telemarketers

Ringleader Digital And Others Sued For Using 'Zombie Databases" on Consumers' Mobile Devices

Advertisers and tracking companies have gone to great lengths to track consumers' Internet usage on laptop and desktop computers. 28% of mobile subscribers have smart phones. As consumers have shifted their usage to mobile devices (e.g., smart phones, PDAs), online tracking has followed.

I read the Aughenbaugh et al v. Ringleader Digital Inc et al complaint (PDF format; 1.3 MBytes) filed in California District Court. The class-action lawsuit alleged that Ringleader Digital and the other companies intentionally exploited software on mobile devices to track consumers' Internet usage, since many consumers now use mobile devices to surf the Internet instead of their laptop or desktop computer.

A prior blog post discussed how companies use "zombie cookies" to track consumers Internet usage by regenerating browser cookies that consumers deleted from the web browsers on their laptop or desktop. Because browser cookies are not as useful for tracking Internet usage on mobile devices, the companies in this lawsuit used a new tracking scheme:

"Defendants found the solution to their problem with HTML 5. A large number of hand held mobile devices, such as the iPhone, use HTML 5 software to operate the mobile browsers on these devices. The HTML 5 software contains local storage databases that allow websites to store information on these devices..."

You could call this database of consumer information a "zombie database" since consumers cannot delete the tracking database on their mobile devices, and when deleted the database recreates itself immediately. Is that what you want on your mobile device? I doubt it. Me neither.

The companies named in the lawsuit are CNN, Surfline/Wavetrack, Whitepages, Travel Channel, Accuweather, Go2 Media, Merriam-Webster, and Medialets. All of these companies operate mobile website versions of their traditional websites. All of these companies allegedly use Ringleader Digital's Time Stamp technology. With its Media Stamp (TM) product, Ringleader Digital alleged collected sensitive personal information about millions of smart phone users in this way:

"When a mobile website that uses media Stamp is accessed, Ringleader's own databases collect information from the mobile device and the Media Stamp technology assigns Plaintiff's mobile device a "unique" identifying number. Ringleader stores this number on its database and uses the HTML 5 storage databases on the users' hand held mobile devices to store the assigned "unique" identifying number."

Were you aware that your Internet usage with your smart phone was being tracked this way? Did you authorize any companies to do this tracking and/or save information to your smart phone? I'll be you didn't. This is huge also because:

"The HTML 5 database is titled RLGUID, which stands for Ringleader Global Unique ID. With a unique identifying number that is assigned to a specific mobile device, Media Stamp allows Ringleader Digital, advertisers, ad agencies and website publishers to track a user's web browsing movements across the entire Internet and not just one particular website."

Think about that and when you used your smart phone to do online banking, accessed your health records, and/or researched medical conditions online. Do you want all of this tracked? I doubt it.

If you read the online terms and conditions policies at the websites for the companies listed above, you still wouldn't know about the mobile tracking:

"CNN, Surfline, Accuweather, Go2.com, Whitepages, Merriam-Webster's and Travel Channel's privacy policies inadequately inform Plaintiffs of the extent in which they are being tracked by an unidentified third party... most of the Defendants' sites fail to address or identify Ringleader and media Stamp at all. Accuweather, Surfline, Go2,.com and CNNmoney.mobile do not even have a privacy policy on their mobile webpage."

Ringleader Digital launched in October 2010 a certification program for its Time Stamp clients. What? They weren't doing this alreadY? This new certification program sounds like too little way to late, since Ringleader started in 2005.

Plus, the certification program requires Stamp clients to provide consumers with both a mobile tracking opt-out mechanism at their website, and a link to the mobile tracking opt-out mechamism at Ringleader's website. Opt out? We've heard this sad song before.

Ringleader's approach is to automatically include all mobile users in tracking, and place the burden on consumers to opt out of the mobile tracking. We've seen this approach before in various behavioral advertising programs, and it is too easy to override consumers' opt-out choices as new Time Stamp clients join, or as mobile privacy policies change.

If Ringleader Digital and its Time Stamp clients are as customer focused as they claim, then the tracking program default should be all mobile users excluded with an opt-in mechanism. If Ringleader's program is as good as the company claims, then consumers will opt-in. Let the marketplace decide.

Back to the class-action complaint. The sensitiver personal consumer data collected:

"... Ringleader Digital, at a minimum, collected browser identifiers, session information, device type, carrier provider, IP addresses, unique device ID, carrier user ID, and web sites visited... it is unclear if they collect telephone numbers and specific names..."

According to Courthouse News Service, a second class-action lawsuit filed last week in New York State (Hillman et al v. Ringleader Digital) alleged the data collected also included:

"... gender, age, race, number of children, education level, geographic location, and household income... what the web user looked at [online] and what he/she bought, the materials he/she read, details about his/her financial situation, his/her sexual preference, his/her name, home address, e-mail address and telephone number, and even more specific information like health conditions..."

In this second class-action lawsuit, one of the affected consumers is 12 years old. So the mobile tracking of a minor allegedly broke the Children's Online Privacy Protection Act, in addition to other laws. Yes, minors use mobile devices, too.

When I read about situations like this, I wonder what illgotten consumer information collected by Ringleader Digital is also shared with mobile device apps. We've seen this abuse happen on social media sites.

When I read about situations like this, it is sad and depressing. First, there is the mobile tracking without disclosures and without obtaining consumers' consent. Second, today's mobile devices are more like personal computers than the simpler cellular phones of eight years ago. Yet, mobile devices are still marketed with the walled garden approach of celular phones from 10 years ago.

Most mobile devices are still restricted to a single telecomunications network, and to a single online store for apps. Do you shop in the physical world at a single store? I don't. Plus, the list of apps are prescreened and censored. Many mobile devices restrict which apps you can disable or uninstall.

I don't have these restrictions with my laptop/desktop, and I don't want them with my mobile device. (Many social networking websites, like Facebook, are walled gardens too, but that is another discussion.) The freedom of choice is how we consumers exercise power in the marketplace.

No matter how cool the interface is on an Apple iPhone or iPad is, giving up the power of choice in the marketplace for convenience is giving up too much.

I want the freedom to install any software I want on my mobile device; especially to manage any tracking mechanisms. That includes software like MAXA Research, which I use on my laptop to manage and delete (LSO) tracking files.

What do you think of the mobile tracking? Of the related issues? Are you happy with today's mobile devices and the restrictions?

[Correction: this blog post has been updated to list the Hillman et al v. Ringleader et al class-action lawsuit filed in New York Southern District court. The post originally mentioned a class action filed in Texas.]

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

mobile shredding services

Sounds like the next step in potential identity theft - you can never be too careful!

Bill G

George:
Terrific post.
The one thing I'm left wondering is how the installation of the database is triggered. Is it just by my visiting the site? Or is some other activity involved that involves me saying OK to something that then does the devious install?
bg

George

Bill:

Glad that you liked the post. You asked a good question. My understanding, is that the zombie databases are updated continually and automatically on each mobile device as consumers use their mobile devices. That update process is similar to how the web browser cookies file on your laptop/desktop is updated continually as you surf the web.

Remember, that your web browser stores several different tracking files called LSOs, Local Shared Objects. Cookies, DOM files, and Flash cookies are some of the LSO file types. DOM files get pretty big, too, in terms of bytes files size. I use the MAXA Research software to find, view, and delete all of these LSOs. It is impossible otherwise.

As the class-action proceeds, I am sure that more details will be revealed. Then again, a knowledgeable person may also comment further below about the mobile tracking zombie databases.

George
Editor
http://ivebeenmugged.typepad.com

George

Bill:

This blog post has more detailed information about how the tracking was performed:

http://ivebeenmugged.typepad.com/my_weblog/2010/12/hillman-ringleader.html

George
Editor
http://ivebeenmugged.typepad.com

Peter Woodfellow

Thanks for all this great information, i was worried exactly how they were tracking people, is it not possible to do a similar thing with older phones using three masts to triangulate the mobiles position?

The comments to this entry are closed.