Out-Law / Your Daily Need-To-Know

Advertiser exploits HTML5 to evade cookie controls on mobile devices, says lawsuit

Out-Law News | 17 Sep 2010 | 11:54 am | 3 min. read

A 'stamp' is used by a mobile advertising company to track internet users even when they delete cookies, according to a lawsuit targeting that company, Ringleader Digital.

The suit claims that Ringleader Digital makes use of a feature of the HTML5 language that is supported by the browsers of some mobile devices, including Apple's iPad and iPhone. This feature allows sites to store material on devices to better facilitate offline browsing.

A class action suit has been filed on behalf of web users claiming that Ringleader Digital stores a 'stamp' on devices using HTML5 that allows it and client companies to track users' web activity without their knowledge or consent.

"The HTML5 software contains local storage databases that allow websites to store information on these devices, which when used appropriately enhance internet browsing on mobile devices," the suit said. "Ringleader Digital found a way to exploit these databases for their own advantage."

"Ringleader Digital describes its Media Stamp as 'the mobile equivalent of an online cookie'," the suit said. "The way the Media Stamp program works is deceptively simple. When a mobile website that uses Media Stamp is accessed, Ringleader's own databases collect information from the mobile device and the Media Stamp technology assigns [the] Deivce a 'unique' identifying number."

"Ringleader stores this number on its data base and also uses the HTML5 storage databases on the users' hand held mobile device to store the assigned 'unique' identifying number," the suit said. "With a unique identifying number that is assigned to a specific mobile device, Media Stamp allows Ringleader Digital, advertisers, ad agencies and website publishers to track a user's web browsing movements across the entire internet and not just one particular website."

Ringleader Digital's own description of its Media Stamp technology backs up some of the suit's claims.

"This breakthrough technology delivers persistent (across sessions, carriers, networks, domains, etc.) and anonymous device identification," it says on its website. "As part of our open RLD platform, Media Stamp seamlessly integrates with existing digital advertising platforms to share unique ID information. This gives you the control, targeting, and analytics you need to gain real-time visibility into the management of your campaigns and creates the best possible user experience."

"Media Stamp lets you identify and track unique mobile and new media users to leverage ad-server functionality," it says.

The suit has claimed that the use of Media Stamp is a privacy violation because a "random third party, Ringleader Digital" has placed material on users' devices and is tracking users.

"[Users] have no relationship with Ringleader that would have in any way formed a basis to argue that [they] consented to the listed actions by Ringleader," it said.

"[Users']  actions are being tracked by [Ringleader Digital and the publishers] without [their] permission. If [users] cleaned their cookies folder and deleted their browser history, this would have no affect on [Ringleader's] ability to continue to track [users'] because the information necessary to track [users], the unique ID, is stored in the HTML5 databases," it said.

Advertising usually identifies users by 'cookies', small text files stored within a normal web browser. These can be controlled by browser users and can be easily blocked. The suit says no such control is possible with Ringleader Digital's technology.

"Even if [users] were to take the traditional step to block advertisers and websites from tracking their movements, Ringleader Digital's Media Stamp, as licensed and used by [the publishers] thwarted those efforts," it said.

The suit claims that even if users can find the HTML5 database and delete it, it is simply repopulated with the same identifying information. "If a database is deleted from a phone it simply recreates itself only moments later," the suit said. "This is clear evidence of [Ringleader and publishers] attempt to further thwart the efforts of mobile device users to protect their privacy."

Ringleader Digital does allow users to opt out of the identification of their device, but the lawsuit points out that device users are told very little about the process and so given little chance to realise what is happening, still less how to opt out.

The suit claims that the activity is in breach of the US Computer Fraud and Abuse Act and California's Computer Crime law.

"To the extent that the plaintiffs are alleging that Ringleader violated any laws relating to consumers' privacy, Ringleader intends to defend its practices vigorously," Ringleader Digital chief executive Bob Walczak said in a statement to Wired.com.

A separate lawsuit earlier this year argued that another technology was tracking user activity outside of the standard cookie system. So-called 'Flash cookies' allowed tracking even of those users who had refused normal cookies, even 're-spawning' normal cookie information the users had deleted, the suit claimed.