A new class-action lawsuit highlights the privacy issues where mobile devices, gaming, and children intersect. OpenFeint, Inc. and GREE International were named in a class-action lawsuit which alleged that OpenFeint singularly and together with third-party app developers conducted unfair and deceptive business practices and privacy violations that (bold emphasis added):
"... gained unauthorized access to, and unauthorized use of, Plaintiffs’ and Class Members’ mobile devices to access, collect, monitor, and remotely store, without notice or consent, Plaintiffs’ and Class Members’ mobile device’s Unique Device Identifiers, Personally Identifiable Information, OpenFeint user account, GPS “Fine” co-ordinates, and Facebook/Twitter profiles..."
GPS fine coordinates are a consumer's exact latitude and longitude (to within a few inches), as opposed to an estimate of the GPS location to the nearest cellular tower. It is important for mobile device users to know whether an app tracks their precise or estimated GPS location.
UDID is the "Unique Device Identifier," a 40-digit code embedded in all mobile devices. It identifies your mobile device and, when matched with your cellular phone number, allows companies to identify your mobile device, location, and app usage as uniquely you.
I don't need to explain the wealth of sensitive personal information available in Facebook profiles. Facebook members typically upload into their profiles address data, online contact information, family information, education, employment, photographs and videos, hobbies, websites of interest, television shows of interest, and with location-based check-ins the time, date, frequency, and duration of visits to various retailers.
The complaint alleged that OpenFeint violated the Computer Fraud And Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), California's Computer Crime Law, the California Invasion of Privacy Act, and the Consumer Legal Remedies Act (CLRA).
While prior lawsuits have focused on tracking and privacy issues, this suit deserves attention because the allegedly affected mobile device users also included children -- as young as 4 years of age. The complaint describes how OpenFeint offers a huge mobile social gaming network with at least 5,300 game applications and alleged:
"... many of the downloaded applications affiliated with Defendant OpenFeint involved the unauthorized tracking of minor children."
"... OpenFeint targets minor children with free affiliated gaming applications designed and promoted as “Kid apps,” purposely including storybook tales, friendly animals, and child-like game scenarios to attract children, so that the child’s parents would be more likely to allow for the app download, relying in part on the posted children app ratings. Many of Defendant OpenFeint’s gaming applications are rated 4+, for ages four (4) and up, rated 9+ for ages nine (9) and up, and rated 12+ for ages twelve and up."
The gaming market is huge. Google/Android and Apple/iOS mobile devices are capturing a larger share of the $7.3 billion global mobile gaming market.
OpenFeint is a social gaming platform that app developers use to develop games for the Apple iPhone, iPad, iTouch and Google/Android mobile devices. The game apps typically provide users with the capability to import friends from their Facebook and Twitter profiles. Earlier this year, GREE International acquired OpenFeint for about $104 million. OpenFeint was previously known as Aurora Feint.
The suit was filed in Northern California District Court by attorneys Parisi & Havens LLP, and the Law Office of Joseph H. Malley, P.C. While reading the complaint, I recognized Malley's name, since he is often referred to as a "Privacy Crusader." Malley was involved with class-action suits against Adzilla, NebuAd, Quantcast ("zombie cookies"), Ringleader, Facebook, and Apple. In 2010, Facebook settled its suit for $9.5 million. So, Malley has plenty of experience with online privacy and tracking issues.
The complaint cited a May 2011 investigation by Cortesi about how companies collect UDID and consumer information from mobile device apps. That investigation included both encrypted and unencrypted Internet traffic for about 94 iPhone apps:
"84% of apps tested contacted one or more domains during use... Three big aggregators of UDID-related data dominate: Apple, Flurry, and OpenFeint. Each one of these companies has the vast majority of UDIDs on file, linked to a rich set of privacy-sensitive information. OpenFeint's ubiquity is one of the reasons why UDID de-anonymization using their API is so serious."
Since consumers have no way to stop apps from collecting their UDID, if consumer data can be de-anonymized, then consumers effectively have no online privacy, regardless of companies' claims to anonymize the data they collect. That means companies can compile databases rich with value, and make money by selling that information to others.
So, I also read the Cortesi article about de-anonymizing the OpenFeint data. Since Cortesi was able to de-anonymize the data OpenFeint collected, it means that companies could have done so, too, and compiled databases of greater value than otherwise:
"... I was able to link roughly 30% of UDIDs to GPS co-ordinates, 20% of users to a weak identity (e.g., OpenFeint profile picture, user-chosen account name), and 10% of UDIDs directly to a Facebook profile... Although the Facebook and GPS de-anonymization issues have been repaired, we have to consider the possibility that these vulnerabilities have already been used to de-anonymize a database of UDIDs."
While much of the API data leakage has been fixed by OpenFeint since the Cortesi article, the fact remains that the data leakage occurred. That makes me wonder how effective OpenFeint's quality control process really is, what other OpenFeint API data leaks haven't been found, and which other companies used their access to OpenFeint data leakage to improve their database value.
The complaint also cited several studies about consumer tracking and sensitive data collection, including the Wall Street Journal Cellphone Testing Methodology, which allegedly included several OpenFeint gaming apps. This cellphone analysis is part of the Journal's What They Know series.
Download the Hines v. OpenFeint complaint (3,782 K Bytes, Adobe PDF format).
I like how the complaint mentioned the various costs to consumers. One cost is the value of the stolen sensitive personal information. Another cost is the larger data downloads, since consumers typically pay monthly fees for data plans with their mobile devices. The more data captured and downloaded without notice, the greater the financial impact upon consumers.
It is important for all mobile-device users, especially parents, to research the mobile device apps they or their children want to use before purchasing and downloading the apps. There are several helpful resources, including the Wall Street Journal mobile, CNet, MacWorld, and PC World websites.
What are your opinions of OpenFeint and this lawsuit? What do you think of companies tracking minor children online?