Be clear about what you collect

Twenty years ago nobody told their third grade classmates they wanted to go into web analytics when they grew up.  But unlike cowboys and dinosaur wranglers, the analytics business is booming.  Information about consumer behavior can offer companies helpful insights to boost web traffic and sales.  But as a recent FTC settlement suggests, it’s wise to be transparent about your practices and take reasonable and appropriate measures to keep sensitive information secure.

Compete, Inc., is a market research company that develops and sells analytical reports about consumers’ online behavior.  How did Compete compile the data it was selling?  The FTC’s complaint focused on the operation of two of the company’s products:  the Compete Toolbar, which consumers installed to get “instant access” to information about sites (like how popular the sites are) and the Consumer Input Panel, which invited people to sign up to be eligible for rewards while telling companies what they thought about their products.  Compete offered the Toolbar and the Consumer Input Panel directly to consumers to install on their own, but also licensed its software so that other companies could incorporate the technology into their own toolbars and reward programs.  Either way, the information ultimately went to Compete.  By 2011, Compete had gathered data about more than four million consumers.

So what did Compete tell people — and not tell people — about what was going on?  When consumers installed the Toolbar, they were prompted either to leave enabled or disable a feature called Community Share.  As Compete explained, “By joining Community Share, the web pages you visit will be anonymously pooled with the Compete community to provide site trust rankings and analytics.”  When people signed up for the Consumer Input Panel, here’s what Compete said: “[W]e measure your behavior as well as your opinions. Consumer Input utilizes a piece of software stored on your computer that anonymously transmits aspects of your Internet browsing behavior so that we can understand the sites, products and services you interact with.”

But according to the complaint, Compete collected a lot more than just browsing behavior or URLs.  The FTC says that Compete’s Toolbar, the Consumer Input Panel, and third-party software incorporating Compete’s technology captured a lot of information consumers communicated on secure web pages, like credit card numbers, account numbers, security codes and expiration dates, user names, passwords, search terms, and Social Security numbers.  Furthermore, the complaint charged that the information was transmitted to Compete’s servers in clear readable text.  All this occurred in the background as consumers used the internet.  Without special software and technical expertise, there was no way people would have known just how much info was being collected.

The FTC also raised concerns about what consumers were told about the extent to which personal data was stripped out.  For example, as Compete promised in its privacy policy, “All data is stripped of personally identifiable information before it is transmitted to our servers. Our data collection techniques have been designed to purge personally identifiable information wherever we find it.”  In FAQs about the Consumer Input Panel, Compete told people that some personal info could inadvertently slip by, but promised to “make every commercially viable effort to purge our databases of any personally identifiable information.” But according to the FTC, Compete’s filters were too narrow and improperly structured to avoid collecting personal data.  For instance, a filter would screen out personal identification numbers for financial accounts only if the site used the field name “PIN.”  But what if that field was labeled “personal ID” or “security code”?  The filter wouldn’t catch it.  In addition, the FTC charged that Compete failed to use a simple, commonly used algorithm to screen out credit card numbers.

The complaint also alleged that despite promises in its privacy policy, Compete engaged in practices that, when taken together, failed to provide reasonable and appropriate security for the consumer information it collected and transmitted.  According to the FTC, Compete sent sensitive info from secure web pages — including account numbers and security codes — in clear readable text over the Internet, failed to implement reasonable safeguards to control the risks to customer information, and failed to use readily available, low-cost measures to assess and address the risk that the software would collect sensitive consumer data it wasn’t authorized to gather.

Next:  More about the proposed Compete settlement

 

1 Comment

>> Leave a Comment | Comment Policy

Thanks for this well-written article explaining the key issues, failures, and steps.

Leave A Comment

Don't use this blog to report fraud or deceptive practices. To file a complaint with the Federal Trade Commission, please use the FTC Complaint Assistant.

PRIVACY ACT STATEMENT: It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act and the Federal Information Security Management Act authorize this information collection for purposes of managing online comments. Comments and user names are part of our public records system, and user names are also part of our computer user records system. We may routinely use these records as described in our Privacy Act system notices. For more information on how we handle information that we collect, please read our privacy policy.