Lawsuit Targets Mobile Advertiser Over Sneaky HTML5 Pseudo-Cookies
A New York mobile-web advertising company was hit Wednesday with a proposed class action lawsuit over its use of an HTML5 trick to track iPhone and iPad users across a number of websites, in what is believed to be the first privacy lawsuit of its kind in the mobile space.
The company, Ringleader Digital, uses HTML5’s client-side database-storage capability as a substitute for the traditional cookie tracking employed by all major online ad companies. Mobile Safari users visiting sites with Ringleader ads are assigned a unique ID number which is stored by the browser, and recalled by Ringleader whenever they revisit.
But the tracker, labeled RLDGUID, does not go away when one clears cookies from the browser. Our sister site Ars Technica reported last week that users savvy enough to find and delete the database have found it returning mysteriously with the same ID number as before — a result the lawyers suing Ringleader say they’ve reproduced.
“You can’t get rid of that database,” says Majed Nachawati, a Dallas attorney behind the Ringleader lawsuit. “You’re left with this database tracking you and your phone and your viewing habits on the net, which is a violation of federal privacy laws.”
Ringleader said it committed no wrongdoing. “To the extent that the plaintiffs are alleging that Ringleader violated any laws relating to consumers’ privacy, Ringleader intends to defend its practices vigorously,” Bob Walczak, CEO of Ringleader Digital, said in an e-mail.
The lawsuit lodged Wednesday in Los Angeles federal court also names as defendants a number of companies who’d allegedly been serving the Ringleader trackers on the mobile versions of their sites: Surfline, WhitePages.com, The Travel Channel, CNN Money, Go2 and Merriam-Webster’s dictionary site.
The lawsuit comes in the wake of a similar suit filed in July against MTV, ESPN, MySpace, Hulu, ABC, NBC and Scribd for using storage in Adobe’s Flash player to re-create cookies deleted by users of nonmobile devices, allegedly in violation of federal computer-intrusion law.
In Threat Level’s testing Thursday, the RLDGUID uncookie was still being served from The Travel Channel, Go2 and Merriam-Webster, but not the other sites named in the lawsuit. In our tests, the database entry did not reappear. It’s not known if Ringleader has changed its system’s behavior.
HTML5’s database storage is a highly touted feature designed to allow websites to locally store data on the user’s computer — a boon for offline use of a browser app.
“Please note that opting out does not stop advertisements from being served to your mobile device, rather, it prevents us from associating non–personally identifiable data with your device’s browser starting from the time you implement the opt-out utility,” reads Ringleader’s opt-out page. “It does not affect data collected prior to that time.”
- Gonzalez Accomplice Gets Probation for Selling Browser Exploit
- DNS Exploit in the Wild — Update: 2nd More Serious Exploit
- Revealed: The Internet’s Biggest Security Hole
- Hack of Google, Adobe Conducted Through Zero-Day IE Flaw
- New Web Exploit at 10000 Machines and Growing
- Hacked iPhone No Longer Just a Theory
- Vulnerabilities Allow Attacker to Impersonate Any Website