I make no secret of the fact that I distrust toolbars. I had concerns about the Upromise TurboSaver toolbar way back in 2009, when I spoke with David Coppins, then Senior VP of Upromise, now the company’s President.
Apparently, I’m not the only one who had concerns.
It was announced yesterday that last week the FTC made a final settlement order against Upromise. The order stems from an FTC complaint filed in January over the company’s failure to adequately disclose, to consumers who had installed the toolbar, the scope of the data it would collect, and over the company’s poor security for the transmission of that data. The focus of the complaint was the toolbar’s “Personalized Offers” feature.
This feature, according to the FTC, collected extensive information about Upromise members’ activities and sent it to the service provider for analysis. This information included:
- The names of all websites visited
- All links clicked
- Information consumers entered into some web pages such as usernames, passwords, and search terms
- And for a period of time, data was collected from https:// “secure web pages” as well
Personalized Offers was enabled on “at least 150,000” computers, no doubt partly because it was sometimes the default setting when you downloaded TurboSaver.
The toolbar’s privacy statement said that it might “infrequently” collect some personal information and that a filter “would remove any personally identifiable information” before transmitting it. The filter was programmed poorly and as a result, more data was collected than should have been. For example, the filter set up to avoid collecting bank account PINs would have excluded the data if the field name was “PIN” but would have collected it if the website called it a “personal ID” or “security code.”
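The filter failure described above, as an added example (not code from the toolbar or from the FTC complaint): a denylist keyed on the field name “PIN” next to a default-deny filter that also screens values. The sample form, the field names other than the three quoted above, the allowlist, and the digit-run rule are all assumptions made for illustration.

```python
import re

# Constructed sample: fields a form-capturing toolbar might see. Not real data.
SAMPLE_FORM = {
    "username": "jdoe",
    "PIN": "4821",
    "personal ID": "4821",
    "security code": "737",
    "card_number": "4111 1111 1111 1111",
    "search": "college savings plans",
    "q": "4111111111111111",  # card number pasted into a search box
}

BLOCKED_NAMES = {"pin"}          # hypothetical denylist, mirroring the "PIN" case
ALLOWED_NAMES = {"search", "q"}  # hypothetical allowlist of fields safe to report
DIGIT_RUN = re.compile(r"\d{3,}")  # PINs, security codes, card numbers, SSNs


def denylist_filter(fields):
    """Drop a field only if its name is on the denylist; everything else leaks."""
    return {k: v for k, v in fields.items() if k.lower() not in BLOCKED_NAMES}


def allowlist_filter(fields):
    """Default-deny: keep a field only if its name is allowed AND its value
    contains no run of three or more digits."""
    kept = {}
    for name, value in fields.items():
        if name.lower() not in ALLOWED_NAMES:
            continue  # unknown field names are never transmitted
        if DIGIT_RUN.search(value):
            continue  # value looks like a code or account number
        kept[name] = value
    return kept


def leaked_by_denylist(fields):
    """Names of fields the denylist passes that the default-deny filter drops."""
    return sorted(set(denylist_filter(fields)) - set(allowlist_filter(fields)))


if __name__ == "__main__":
    print("denylist leaks:", leaked_by_denylist(SAMPLE_FORM))
    print("allowlist keeps:", allowlist_filter(SAMPLE_FORM))
```

The denylist cannot anticipate every name a website gives a sensitive field, while the default-deny filter only has to know the short list of fields it is allowed to send.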
In addition — yes, it gets worse — the info gathered, which included “in some cases credit card and financial account numbers, security codes and expiration dates, and Social Security numbers entered into web pages, including secure web pages,” was transmitted back to Upromise or whoever programmed their toolbar IN PLAIN TEXT and NOT encrypted. Anyone using a computer with the toolbar installed through an unsecured wireless network (like in a public place, such as a bookstore or coffee house) could have had their data easily intercepted. This went on until January 21, 2010, when a security researcher found out, and Upromise halted all data collection.
Upromise was ordered to contact members who, from 2005 through January 2010, had the toolbar installed and have (or had in the past) the Personalized Offers feature enabled, and to let them know that this feature resulted in the collection and transmission of certain personal information, what categories of personal info were included, and how to permanently disable Personalized Offers and uninstall the toolbar.
They were also ordered to destroy all of the information they collected, to not make misleading promises about the security or privacy of personal info they collect, and to maintain a comprehensive information security program to protect the consumers’ personal information that they collect from now on.
I hate to say, “I told you so,” but… From my November 2009 post:
“…TurboSaver is even more intrusive than I thought if members don’t opt out of the behavioral targeting [Personalized Offers]…I think the benefit to the consumer is outweighed by the amount of privacy he has to give up just to get shopping credit on those rare occasions he forgets to start shopping through Upromise’s portal.”
Again, for the one-millionth time: Toolbars are bad.