Jan 6, 2012 - Upromise, a program that gives back a
percentage of its members' spending for college savings, is
designed to make saving for college easier. But the program may
have made it easier for thieves to steal a user's identity,
according to the Federal Trade Commission.
On Thursday, Upromise was charged with deceptive trade
practices by the FTC for recording users' personal and
financial data and then transmitting that information without
their knowledge. A proposed settlement of those allegations was
also announced on Thursday.
The FTC said Upromise, which is owned by student lender
Sallie Mae, offered a toolbar for web users that recorded
credit card numbers, bank account numbers, security codes,
expiration dates - everything needed for identity theft - in
addition to cataloging the websites they visited. The software
converted information entered by users on secure websites into
text that could be easily intercepted by crooks.
"All the measures that banks or other websites had taken to
say we have a secure connection with you were basically
undone," said Ruth Yodaiken, an attorney in the FTC's Division
of Privacy and Identity Protection.
She said the technology to capture the information is
readily available at little or no cost to anyone with the
inclination to collect the data. The FTC did not accuse
Upromise of intentionally trying to collect this information,
but rather of not taking enough safeguards.
Beyond just exposing users' personal and financial
information, Yodaiken said, Upromise wasn't upfront about the
information that was collected. "We alleged in the complaint a
lot more data was gathered than consumers were told was
gathered."
Upromise's software allegedly collected the information for
two years, ending in 2010 when a security researcher uncovered
the practice, the FTC said. At least 150,000 users signed up
for the toolbar with the promise that they would receive
personalized offers. Nothing in the information provided to
them when they downloaded the toolbar indicated that their
personal information would be recorded. Upromise claims it has
about 10 million members.
Participants in the program already allow Upromise to learn
a lot about them. When you sign up, you register credit cards,
debit cards and loyalty cards. Details of your transactions are
recorded so you can be rewarded with a percentage of your
spending that can then be put in a 529 college savings
account.
The company agreed to destroy the data collected by the
toolbar software as part of the settlement, which includes no
financial penalties but carries a potential $16,000 per
violation fine for any future infraction. Upromise also will
have to notify all those who used the toolbar about the potential
of their personal information being exposed, and tell them how
to remove the software if they still have it on their
computers. In addition, Upromise agreed to submit to a
third-party review of its security practices every other year
for 20 years.
Paul Stephens, director of policy and advocacy for the
Privacy Rights Clearinghouse, said the settlement mirrors the
FTC's agreement in November to resolve charges leveled against
social networking giant Facebook that users' privacy wishes
were ignored.
Upromise officials said the problem was unintentional,
affected only a small percentage of users and was quickly fixed
after they were made aware of it.
"Two years ago, we learned that an issue with a vendor's
software created the potential for inadvertent data access
which could have affected approximately 1 percent of our
members," Upromise spokeswoman Debby Hohler said in a statement
emailed to Reuters. "Our members' privacy is extremely
important to us, and we took immediate action to resolve the
issue. There was no evidence of any misuse of data. We have
fully cooperated with the FTC and have addressed their
concerns."
FTC officials said they could not comment on whether
any of the information was misused since that information was
not included in the complaint lodged against Upromise.
Upromise is required under the proposed settlement to
disclose information about data collection more clearly and
prominently in the future - and require that users agree to
those terms before they download and use any similar
product.
Yodaiken, the FTC attorney, said collecting lots of user
data in and of itself isn't a problem. In fact, she said, it
can be a good thing for consumers, who stand to get a richer
and more personalized online experience.
But, fellow FTC attorney Katrina Blodgett added, companies
must be upfront with their customers about the information
that's being gathered. "When companies collect this information
that can be used in really useful ways, they just need to tell
consumers the truth about what they're doing."
---
The author is a Reuters contributor. The opinions expressed
are his own.
(Editing by Jilian Mincer and Beth Pinsker Gladstone)