Search Results : UPromise

Apr 042012
 

Following a public comment period, the Federal Trade Commission has approved a final order settling charges that Upromise, Inc., a membership reward service aimed at consumers trying to save money for college used a web-browser toolbar to collect consumers’ personal information without adequately disclosing the extent of the information it was collecting.

The settlement order will require Upromise to clearly disclose its data collection practices and obtain consumers’ consent before installing or re-enabling any such toolbar products, and to notify consumers how to disable the data collection tool on their computers. The settlement also will bar misrepresentations about the extent to which the company maintains the privacy and security of consumers’ personal information, and require the company to establish a comprehensive information security program and to obtain biennial independent security assessments for the next 20 years.

The Commission vote to approve the final order with Upromise was 4-0. The order can be found on the FTC’s website and as a link to this press release, and public comment can be found here.

Source: Federal Trade Commission

(Previous coverage on PogoWasRight.org)

Jan 052012
 

From the FTC, a settlement in a case previously mentioned on PogoWasRight.org after a researcher reported problems with Upromise’s toolbar:

A membership reward service aimed at consumers trying to save money for college has agreed to settle FTC charges and will be barred from its allegedly deceptive practice of using a web-browser toolbar to collect consumers’ personal information without adequately disclosing the extent of the information it is collecting.

The settlement with Upromise Inc. is part of the FTC’s ongoing efforts to make sure that companies live up to the promises they make about privacy and data security. The settlement order will require Upromise to clearly disclose its data collection practices and obtain consumers’ consent before installing or re-enabling any such toolbar products, and to notify consumers how to uninstall the toolbars already on their computers. The settlement also will bar misrepresentations about the extent to which the company maintains the privacy and security of consumers’ personal information, and require the company to establish a comprehensive information security program and to obtain biennial independent security assessments for the next 20 years.

Upromise offers consumers a membership service that allows them to save money for college. When consumers buy goods or services from Upromise partner merchants, they receive rebates that are placed into consumers’ college saving accounts. In its complaint against Upromise, the FTC alleged that to allow consumers to identify and select merchants that would provide rebates, Upromise’s website offered a “TurboSaver Toolbar” download that would highlight partner merchants in consumers’ search results. When downloading the toolbar, consumers saw a message that encouraged them to enable the “Personalized Offers” feature of the Toolbar, which Upromise allegedly claimed would collect information about the websites they visited “to provide college savings opportunities tailored to you.”

The FTC alleges the Toolbar with the “Personalized Offers” feature enabled collected and transmitted, in clear text, the names of all websites consumers visited and which links they clicked on, as well as information they entered into some webpages, such as search terms, user names, and passwords. In some cases, the information collected included credit card and financial account numbers, user names and passwords used to access secured websites, security codes and expiration dates, and any Social Security numbers consumers entered into the webpages. The Toolbar transmitted consumers’ information without encryption.

According to the FTC, while Upromise’s toolbar was collecting and transmitting the data, its privacy statement claimed, “We understand the need for our customers’ personal information to remain secure and private and have implemented policies and procedures designed to safeguard your information.” Upromise also said it was “proud of the innovations we have made to protect your data and personal identity,” and that “Upromise automatically encrypts your sensitive information in transit from your computer to ours.”

The Upromise TurboSaver Privacy Statement allegedly stated that the Toolbar would collect and transmit information about websites consumers visited, and that “infrequently” the collection might “inadvertently” collect a “name, address, email address or similar information,” but that any personally identifying information would be removed before the data was transmitted.

According to the FTC complaint, Upromise’s failure to disclose the extent of information collected by the Toolbar, and its claims that it encrypted consumer data and took reasonable measures to protect data from unauthorized access, were deceptive and violated federal law. The FTC also charged that Upromise’s failure to take reasonable and appropriate measures to protect consumers’ data was an unfair practice.

The proposed settlement order requires Upromise to destroy the data collected through the Personalized Offers feature of the Toolbar, and to provide clear and prominent disclosures to consumers and receive their affirmative consent before installing any similar product. The disclosures must be made prior to installation and be separate from any user license agreement. The company also must notify consumers who had the Personalized Offer feature enabled, informing them as to the type of information collected, and how to disable the feature and uninstall the Toolbar.

The settlement order also prohibits Upromise from misrepresenting privacy and security practices and requires the company to establish and maintain a comprehensive information security program and to obtain biennial, independent, third-party audits for 20 years.

Background and additional files on this case can be found on the FTC’s site.

Once again, the FTC has protected consumers, and I commend them. I have only done a first read-through of the consent order, but there’s one condition I might have added to it: that the company be required to disclose to affected consumers the names and contact information for all third parties or associates to which it sold or transmitted the users’ personally identifiable information. Without that information, users have no idea whom to contact to request that their data be deleted, no?

Jan 232010
 

Larry Seltzer writes:

Privacy researcher and Harvard Business School Professor Ben Edelman has written a report on the practices of the Upromise Toolbar, called TurboSaver by the company.

Upromise is a membership system through which you can earn money for college savings by buying items from certain vendors through Upromise. The toolbar facilitates this in your browser and tracks user behavior.

Edelman found, by logging packets as he used the software, that the TurboSaver logs your behavior and data in excruciating detail, then transmits all that detail to a third party (Compete Inc.) for analysis. The Upromise license (click the nearby image for a full-size view of what users see) does not disclose accurately what the toolbar does.

Read more on PC Mag.

Less than 24 hours after Edelman posted his findings Upromise responded:

Upromise has announced that they moved immediately to address the privacy problems identified by Ben Edelman yesterday in their toolbar, TurboSaver.

[...]

They say they have disabled the functionality identified by Edelman and are working with Compete, the vendor who received and analyzed the data sent by the toolbar, to address the situation.

Oct 222012
 

From the FTC:

A web analytics company has agreed to settle Federal Trade Commission charges that it violated federal law by using its web-tracking software that collected personal data without disclosing the extent of the information that it was collecting. The company, Compete Inc., also allegedly failed to honor promises it made to protect the personal data it collected.

Compete is a company that uses tracking software to collect data on the browsing behavior of millions of consumers, then uses the data to generate reports, which it sells to clients who want to improve their website traffic and sales.

The proposed settlement will require that Compete obtain consumers’ express consent before collecting any data from Compete software downloaded onto consumers’ computers, that the company delete or anonymize the use of the consumer data it already has collected, and that it provide directions to consumers for uninstalling its software.

According to the FTC, Compete got consumers to download its tracking software in several ways, including by urging them to join a “Consumer Input Panel” that was promoted using ads that pointed consumers to Compete’s website, www.consumerinput.com. Compete told consumers that by joining the “Panel” they could win rewards while sharing their opinions about products and services, the FTC alleged.  The company also allegedly promised that consumers who installed another type of its software– the Compete Toolbar (from compete.com)– could have “instant access” to data about the websites they visited.

Compete also licensed its web-tracking software to other companies, the FTC alleged.  Upromise, which licensed Compete’s web-tracking software, settled similar FTC charges earlier this year.

Once installed, the Compete tracking component operated in the background, automatically collecting information about consumers’ online activity.  It captured information consumers entered into websites, including consumers’ usernames, passwords, and search terms, and also some sensitive information such as credit card and financial account information, security codes and expiration dates, and Social Security Numbers, according to the FTC.

The FTC charged that several of Compete’s business practices were unfair or deceptive and violated the law.  For example, the company failed to disclose to consumers that it would collect detailed information such as information they provided in making purchases, not just “the web pages you visit.”

In addition, the FTC alleged that Compete made false and deceptive assurances to consumers that their personal information would be removed from the data it collected.  The company made statements such as:

  • “All data is stripped of personally identifiable information before it is transmitted to our servers;” and
  • “We take reasonable security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of personal information.”

Despite these assurances, the FTC charged that Compete failed to remove personal data before transmitting it; failed to provide reasonable and appropriate data security; transmitted sensitive information from secure websites in readable text; failed to design and implement reasonable safeguards to protect consumers’ data; and failed to use readily available measures to mitigate the risk to consumers’ data.

The proposed settlement order requires Compete and its clients to fully disclose the information they collect and get consumers’ express consent before they collect consumers’ data in the future.  In addition, the settlement bars misrepresentations about the company’s privacy and data security practices and requires that it implement a comprehensive information security program with independent third-party audits every  two years for 20 years.

The Commission vote to accept the consent agreement package containing the proposed consent order for public comment was 4-0-1, with Commissioner J. Thomas Rosch abstaining.  The FTC will publish a description of the consent agreement package in the Federal Register shortly.  The agreement will be subject to public comment for 30 days, beginning today and continuing through November 19, 2012, after which the Commission will decide whether to make the proposed consent order final.  Interested parties can submit written comments electronically or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” sectionhttps://ftcpublic.commentworks.com/ftc/competeincconsent. Comments in paper form should be mailed or delivered to:  Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580.  The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.