For those of you who follow my postings, you are aware of my obsession with matters involving the unauthorized or even illegal use of customer proprietary data. This has ranged from items on the attempt last year by OnStar to get info on me even if I did not subscribe to the service but had their transceiver in my car, to rants against Microsoft, Google, most recently Facebook, and a host of others.
I guess the good news is that regulators here in the U.S. and in Europe are concerned. In fact, they are more than concerned; they are busy being vigilant and are not amused.
It is thus with some degree of satisfaction that I read a press release this week from the U.S. Federal Trade Commission (FTC). They had me at the title, "Tracking Software Company Settles FTC Charges That it Deceived Consumers and Failed to Safeguard Sensitive Data it Collected." It seems that the FTC had a pending action against Boston-based Compete, Inc., a supplier of business intelligence based on the collection of personal information with its web tracking data, for not just failing to notify customers of how their data would be used but also failing to honor promises it made to protect the data that it collected. The announcement of the proposed settlement was enlightening and satisfying:
The proposed settlement order requires Compete and its clients to fully disclose the information they collect and get consumers’ express consent before they collect consumers’ data in the future. In addition, the settlement bars misrepresentations about the company’s privacy and data security practices and requires that it implement a comprehensive information security program with independent third-party audits every two years for 20 years.
The gist of this is as follows:
According to the FTC, Compete:
- Got consumers to download its “Panel” tracking software
- Told consumers that by joining the “Panel” they could win rewards while sharing their opinions about products and services
- Allegedly promised that consumers who installed another type of its software, the Compete Toolbar (from compete.com), could have “instant access” to data about the websites they visited.
- Licensed its web-tracking software to other companies, including Upromise, which settled similar FTC charges earlier this year.
The description of what happened after a customer installed the software is pretty typical. The tracking component operated in the background collecting info on consumers’ online activity. The depth of data captured alone is a bit disturbing since it included not just websites visited but usernames, passwords, and search terms, and also some sensitive information such as credit card and financial account information, security codes and expiration dates, and Social Security Numbers.
What got the FTC chagrined were several alleged practices, which included false and deceptive assurances that personal information would be removed from collected data so third parties could not associate the data with an individual. In fact, the FTC quotes Compete as saying:
- “All data is stripped of personally identifiable information before it is transmitted to our servers;” and
- “We take reasonable security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of personal information.”
What investigators found was that these assurances rang hollow. According to the FTC:
“Compete failed to remove personal data before transmitting it; failed to provide reasonable and appropriate data security; transmitted sensitive information from secure websites in readable text; failed to design and implement reasonable safeguards to protect consumers’ data; and failed to use readily available measures to mitigate the risk to consumers’ data.”
The picture embedded below is not just a nice representation of my own perception of where we are on issues surrounding personal data, but should also serve as a warning.
Edited by Rich Steeves