Exploring The Hillman et al. vs. Ringleader Digital et al. Complaint

My November 12 blog post discussed several class action complaints filed against Ringleader Digital. Today's post explores the Hillman et al. vs. Ringleader Digital et al. complaint (Adobe PDF; 2.3 MBytes) filed in New York State, since several items in it are noteworthy.

First, Hillman et al. included one attorney, Joe Malley, whom I have seen before in the Facebook, NebuAd, Adzilla, and Quantcast complaints. Facebook ultimately settled the Beacon program suit for $9.5 million. Malley has a proven track record and expertise with Internet-based privacy issues. I have referred to him as one of the Privacy Crusaders. It is good to see Malley looking out for the needs of consumers, since so much online usage has shifted to mobile devices.

Second, Hillman et al included a slightly different set of defendant companies: Ringleader Digital, Accuweather, CNN, ESPN, Fox News Network, Go2 Media, Merriam-Webster, Travel Channel, and the Whitepages. (ESPN and Fox News are not listed as defendants in the Aughenbaugh et al complaint filed in California.) Hillman et al clearly explained which plaintiff consumers used which defendant companies’ websites, since not all plaintiff consumers used the same websites.

Third, Hillman et al. also listed which defendant companies mentioned their relationship with Ringleader Digital in their website privacy policies. This detail is important and informative when discussing issues about lack of notice and consent (e.g., online privacy policies and opt-out mechanisms). While AccuWeather mentioned its relationship with Ringleader Digital in its privacy policies and provided an opt-out link, the other companies didn’t mention their relationships with Ringleader Digital.

Fourth, Hillman et al. included a 12-year-old minor who accessed the mobile websites of AccuWeather, Fox News, Go2Media, Merriam-Webster, and Whitepages. The complaint stated:

“Plaintiff and Class Member J.N., a minor, age twelve (12) years old, is a minor under, the age of thirteen (13) that visited one of the Ringleader Digital Affiliates websites within the class period and did not obtain protection from the Defendant’s act as protected by COPPA, The Children's Online Privacy Protection Act of 1998 (COPPA)...”

Fifth, Hillman et al. alleged that the mobile tracking violated the mobile device manufacturers’ agreements, and cited the relevant portions of those agreements. Sixth, and perhaps most importantly, Hillman et al. described in detail how the mobile tracking was allegedly performed:

“Defendant(s) then transmitted a program, information, code, and/or command within the Plaintiffs and Class Members’ mobile device to scan, copy and use without notice, consent, or authority, the Plaintiffs and Class Members mobile device, obtaining mobile device configuration, a practice not necessary for the placement of persistent cookies for tracking website visitors, nor an acceptable practice within the industry. While traditional advertisers access the users’ browser for online tracking, Defendants access involved areas of the Plaintiffs and Class Members’ mobile devices(s) that involved hardware and software associated with nonbrowser activity.”

Understanding this allegation requires some background on mobile tracking approaches:

“The first, “page tagging,” uses a small bit of JavaScript code placed on each web page to notify a third-party server when a page has been viewed by a web browser. Etags can be used in place of cookies… The server sends the user the tag, and when the user accesses the resource again their web browser sends the tag back. The server uses the tag the browser sent to decide whether to send the user the data or provide data to the browser that the data hasn't changed, and to keep using the old copy. The second... is “log file analysis”, where the log files that Web servers use to record all server transactions are also used to analyze website traffic.”

The complaint described how tracking mobile devices is technically more difficult, since not all mobile carriers support JavaScript, and since the IP address of many mobile devices often changes as the user moves physically from cellular tower to cellular tower. Tracking must therefore combine the web analytics data above with a unique identifier for each mobile device. The complaint states:

“Ringleader placed a globally unique identifier or “GUID,” a special type of identifier used in software applications to provide a unique reference number, into mobile devices… Because most phones don't support fully functional browsers, they also don't support the "Cookie:" header, thus not obtaining “uniqueness,” necessary to obtain “state maintenance”... They access the web through Network Address Translation at the carrier, meaning that many phones are seen by the entire web as all one IP. Some mobile devices though use the x-up-subno header which is not only a unique number to which anything may be linked, and with some carriers, the number itself directly contains most of a phone number. Unlike traditional cookies a user has no choice whatsoever here. A user can't opt-out, since it is always sent. It can't be deleted since it always stays the same. A user cannot use a block cookies tool, as they would in a browser since it is hard coded into a user’s phones software. Mobile Advertising benefits from user’s lack of knowledge of x-headers and x-up-subno.”

And:

“…Defendant(s) then configured a Unique Device Identifier derived in whole or part, from the Plaintiffs and Class Members’ mobile device properties and... Defendant Ringleader then used the Unique Device Identifier within the user’s database, to re-spawn the user’s Unique Device Identifiers (“UDID’s”) if deleted by the user, by use, in whole or part, using additional mobile device functions, bypassing Plaintiffs and Class Members privacy and security settings...”
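To make the two quoted mechanisms concrete from a site operator's side, here is an added example (my own code, not part of the original post, the complaint, or any Ringleader software). It audits HTTP access-log lines for three signals described above: requests that carry the carrier-injected x-up-subno header, many distinct devices arriving from one NAT'd carrier IP address, and a tracking cookie whose value comes back after the user had deleted it (the "re-spawn"). The log format, the IP address, the rl_id cookie name and every identifier value are constructed for this example; only the x-up-subno header name comes from the complaint.

```python
"""
Audit constructed HTTP access-log lines for the mobile-tracking signals
described in the complaint: carrier-injected identifier headers,
NAT'd devices sharing one IP, and tracking cookies that re-spawn after
deletion. Everything except the header name x-up-subno is constructed.
"""
from collections import defaultdict

# Headers that carry a persistent identifier the user cannot clear.
# x-up-subno is named in the complaint; extend this set as needed.
IDENTIFIER_HEADERS = {"x-up-subno"}
TRACKING_COOKIE = "rl_id"  # constructed name for the tracker's GUID cookie

# Constructed log format: "seq client_ip path header=value;header=value"
SAMPLE_LOG = """\
1 10.0.0.1 /weather x-up-subno=SUBNO_A;cookie=rl_id=GUID-1
2 10.0.0.1 /news x-up-subno=SUBNO_B;cookie=rl_id=GUID-2
3 10.0.0.1 /weather x-up-subno=SUBNO_A
4 10.0.0.1 /dictionary x-up-subno=SUBNO_A;cookie=rl_id=GUID-1
5 10.0.0.1 /news x-up-subno=SUBNO_B;cookie=rl_id=GUID-2
"""


def parse_log(text):
    """Turn the constructed log format into request dicts, ordered by seq."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, ip, path, raw_headers = line.split(" ", 3)
        headers = {}
        for item in raw_headers.split(";"):
            name, _, value = item.partition("=")
            headers[name.strip().lower()] = value
        records.append({"seq": int(seq), "ip": ip, "path": path, "headers": headers})
    return sorted(records, key=lambda r: r["seq"])


def device_id(record):
    """Return the carrier identifier for a request, or None if none is present."""
    for name in IDENTIFIER_HEADERS:
        if name in record["headers"]:
            return record["headers"][name]
    return None


def tracking_id(record):
    """Return the tracker's cookie value, or None if the user has no such cookie."""
    name, _, value = record["headers"].get("cookie", "").partition("=")
    return value if name == TRACKING_COOKIE and value else None


def flag_identifier_headers(records):
    """Every request that carried a carrier-injected identifier header."""
    return [(r["seq"], h, r["headers"][h]) for r in records
            for h in sorted(IDENTIFIER_HEADERS) if h in r["headers"]]


def devices_behind_each_ip(records):
    """Distinct devices per client IP: a NAT'd carrier shows many devices on one IP."""
    seen = defaultdict(set)
    for r in records:
        dev = device_id(r)
        if dev is not None:
            seen[r["ip"]].add(dev)
    return {ip: sorted(devs) for ip, devs in seen.items()}


def find_respawns(records):
    """
    Detect tracking cookies that return after deletion. Devices are keyed by
    their carrier identifier. If a cookie value was seen, then a request from
    the same device arrives with no cookie (the user deleted it), and the
    identical value later reappears, the tracker re-created it from device state.
    Returns (device, cookie_value, seq_of_deletion, seq_of_respawn) tuples.
    """
    respawns = []
    state = defaultdict(lambda: {"live": set(), "deleted": {}})
    for r in records:
        dev = device_id(r)
        if dev is None:
            continue
        st, tid = state[dev], tracking_id(r)
        if tid is None:
            for old in st["live"]:
                st["deleted"][old] = r["seq"]
            st["live"].clear()
        else:
            if tid in st["deleted"]:
                respawns.append((dev, tid, st["deleted"].pop(tid), r["seq"]))
            st["live"].add(tid)
    return respawns


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("identifier headers:", flag_identifier_headers(recs))
    print("devices per IP:", devices_behind_each_ip(recs))
    print("re-spawned cookies:", find_respawns(recs))
```

Run against a real access log, the same three checks tell an operator whether an embedded ad partner is keying on carrier identifiers rather than on cookies, how little an IP address identifies behind a carrier NAT, and whether any tracking cookie is being re-created after users clear it; in the constructed log, device SUBNO_A deletes GUID-1 at request 3 and gets the identical value back at request 4.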

The complaint also listed the sensitive personal data allegedly collected:

“... details about user profiles to identify individual users and track them on an ongoing basis, across numerous websites, and tracking users when they accessed the web from different mobile devices, at home and at work. This sensitive information may include such things as users’ video viewing choices and personal characteristics such as gender, age, race, number of children, education level, geographic location, and household income, what the web user looked at and what he/she bought, the materials he/she read, details about his/her financial situation, his/her sexual preference, his/her name, home address, e-mail address and telephone number, and even more specific information like health conditions… the Plaintiffs and Class Members’ carrier transactional information which included, but not limited to, “carrier network IP,” information sought to link location with the Plaintiffs and Class Members...”

All of this is troublesome for several reasons:

  1. The program was designed on an “opt-out” basis, and consumers weren’t notified nor given an opportunity to decline (e.g., opt out of) the tracking
  2. As cellular phones become more powerful like laptop computers, tracking is easier because everyone has their own phone and phone number... the perfect unique identifier. My impression is that consumers are less likely to share their smartphone compared to traditional laptop or desktop computer
  3. The data collection was extensive and included things that I, or many consumers, would not disclose even at brick-and-mortar retail stores. This sensitive data was allegedly mapped to both each consumer’s GPS or physical location, and to a unique ID number based on the consumer’s phone number
  4. The alleged tracking included consumers’ mobile usage across all websites and not just the websites operated by the defendant companies
  5. Many parents provide their children with phones for communication and safety reasons. These parents would probably be alarmed to learn about the extensive tracking to sell products to minor children
  6. Some of the plaintiff consumers discovered the existence of the tracking database, tried to delete it, and noticed that the mobile device regenerated the tracking database:

“... Plaintiffs and Class Members that became aware that Defendant Ringleader had created a database, and deleted the databases to cease any and all tracking, had the tracking device re-spawn. The failure of Defendants to provide the user notice of its tracking mechanism within their mobile devices allowed a perpetual re-spawning, creating in effect: ‘Zombie Databases.’ ”

The alleged “zombie database” regeneration problem is bad. The broader problem is that these types of programs, both online tracking and targeted advertising, should be opt-in rather than opt-out. For readers unfamiliar with the distinction, it matters.

Opt-out programs automatically include all consumers, whether they want to be included or not and whether they know about the program or not. Opt-out programs place the burden on consumers to learn about the program and then decline participation (usually by clicking on a button labelled "Opt-out"). Prior experience has proven that it is very easy for companies to get around consumers’ prior opt-out selections and re-include consumers when the program changes with new websites, content, privacy policies, and/or partner companies.

With opt-in based programs, consumers are not included in the program until they sign up or register their membership in the program. This keeps consumers in control while minimizing the burden on them.

In my opinion, opt-out programs are a form of lazy corporate marketing; a way for companies to quickly force a large amount of consumer participation in weak products or services. If the targeted advertising programs are as beneficial as the companies claim, consumers will choose to participate and opt-in.
