FTC Reminds Upromise to do what you Promise in action involving collection and transmission of data.

The FTC reached a settlement with Upromise, an online rewards program that adds small amounts of money to a user's account after items are purchased from Upromise's partners (http://www.ftc.gov/os/caselist/1023116/index.shtm). Upromise asked customers to download a toolbar that would help them locate merchants participating in the rebate program. Users were told that by enabling the "Personalized Offers" portion of the toolbar, they would receive offers tailored to their needs. When the feature was enabled, Upromise was able to collect extensive information about consumers' online activities and transmit it to a third party for analysis. Upromise collected the names of all websites visited, all links clicked, and information that consumers entered into some web pages, such as usernames, passwords, and search terms, including on secure sites. The data Upromise collected was transmitted in unencrypted form, despite a company statement that it would encrypt all confidential data in transmission.

The FTC found that the clear-text transmission of the collected data was not only a violation of Upromise's statements that it would use Secure Sockets Layer to transmit sensitive data, but also a violation of the company's representation that it would employ reasonable security procedures.

The FTC also found false Upromise's statement that "By enabling the Personalized Offers feature, information about the web sites you visit will be collected. This information is used to provide college savings opportunities tailored to you." In fact, the information Upromise collected was far more extensive: it included information consumers provided in secure sessions "when interacting with third-party websites, shopping carts, and online accounts – such as credit card and financial account numbers, security codes and expiration dates, and Social Security numbers."

Under the settlement, Upromise, which is owned by Sallie Mae, agreed to erase any data it previously collected through the Personalized Offers feature, provide clear disclosure policies and receive consent from consumers before they install any similar product. In addition, Upromise must notify those users who had enabled the feature, and alert them of any data that was collected and instructions on how to remove the feature and toolbar.  Upromise also agreed to the FTC’s standard biennial audit for a period of 20 years.

It comes as no surprise that the FTC is pursuing a company that failed to implement specific security requirements promised in a user agreement. Nor is it surprising that the FTC found that sending sensitive information over the internet in clear text is an unreasonable security practice. The FTC's complaint that the policy was not specific enough about the activities the tool would monitor and the data it would collect provides new insight into what the FTC deems unacceptable. To avoid FTC scrutiny, companies should employ user-friendly privacy policies written so that a lay person can make informed decisions. Playing hide the ball, failing to update policies to reflect changes in the product, or having overly complex policies written in legalese should be avoided.


Posted by Ron Raether
Data Security
January 12, 2012