FTC smacks down security sloppiness by web analytics company Compete

Filed Under: Law & order, Privacy

The US Federal Trade Commission (FTC) has settled with Massachussets-based web analytics company Compete, Inc.

Part of the smackdown was an accusation of outright dodginess, to wit that:

Respondent failed to disclose that its products would also collect and transmit much more extensive information about the Internet behavior that occurs on consumers' computers, and information consumers provided in secure sessions when interacting with third-party websites, shopping carts, and online accounts – such as credit card and financial account numbers, security codes and expiration dates, and Social Security numbers consumers entered into such web pages.

But a refreshing part of the settlement is that the FTC didn't just concern itself with the fact that the company did the wrong thing. It also took issue with the fact that Compete didn't do the right thing.

The complaint details a number of behaviours that the FTC considered unacceptable simply by having the security bar set too low, such as:

  • Making substandard efforts to detect and filter out personally identifiable information (PII), which would have avoided its collection in the first place.
  • Not bothering to use encryption when sending user data back to Compete's servers.

Note that Compete doesn't just make use of a browser toolbar, but also operates what it calls a Consumer Input Panel. Joining the panel involves installing software on your computer to give the company a much more intimate view of what you get up to online:

Voluntarily installing snoopware on your computer is a big ask, but Compete has a page to explain the benefits:

[Y]ou'll not only have the opportunity to express yourself about the products and services that are part of your day-to-day life, you'll also influence decisions that may affect millions of other consumers.

You'll have to make your own mind up whether those benefits are sufficient. The FTC didn't think so, saying:

Respondent's failure to employ reasonable and appropriate measures to protect consumer information... caused or was likely to cause substantial injury to consumers that was not offset by countervailing benefits to consumers or competition and was not reasonably avoidable by consumers. This practice was, and is, an unfair act or practice.

As part of the settlement, Compete has agreed not to do it again, and to subject itself to a security audit every two years for the next 20 years.

What do you think? Is that a stiff enough penalty? Is agreeing to the sort of audit that lots of other companies do voluntarily really any sort of punishment?

Have your say in the comments below...

, , , , ,

You might like

5 Responses to FTC smacks down security sloppiness by web analytics company Compete

  1. Tony · 1045 days ago

    Well done to the FTC for setting a precedent that companies must not do the wrong thing and absolutely should do the right thing.

    Although, audits only once every two years? That's seems overly relaxed. I'd be much more comfortable knowing that had to submit to monthly audits for the first 6 months, quarterly audits for the following 6 quarters and then annually.

  2. Snert · 1045 days ago

    I applaud the FTC! SIc 'em!
    I agree with Tony's schedule of audits, but they should 've smacked those rascals with a hefty fine, too.

  3. decay · 1044 days ago

    Since Massachussets prides itself in its 2010 law "MGL 93H 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH," and Compete Inc is a Massachussets based company, I am surprised that I have not heard anything about this case regarding this law.

    Granted, the details of the law state it is for the protection of Personally Identifiable Information of residents of Massachussets (nothing about residents of other states), but Compete's program should certainly have used the mandates of this law as the lowest threshold by which to comply, and they certainly failed at that.

    Regardless of the FTC's findings, or even due to its findings, if even a single Massacussets resident was a "victim" here, then Compete Inc. was in breach of MGL 93H 201 CMR 17.00. And by "victim" I am referring to any consumer of the Compete Inc software in question as mentioned in the FTC link "has settled with" at the top of this article.

    Massachussets Attorney General...WHERE ARE YOU??? If Compete Inc can skate on this one, then is a precedent being set for the rest of us?

  4. Vito · 1044 days ago

    Fines and penalties are nonsense. They don't stop criminal behavior, and they only transfer monetary resources to an already bloated and wasteful bureaucracy.

    The most meaningful measures are those that encourage companies to do the right things, not those that punish them for doing the wrong things. Punishment is just revenge. It's infantile, and not a fitting purpose for government.

    I'm going to float a radical idea here...so take it for whatever worth your imagination might let it have. (If you have no imagination, it won't be worth much.) If what we really want is a government that genuinely protects us from harm, then perhaps we need to change our entire concept of what we call "government" to something that is proactively focused on creating conditions we want, rather than reacting to conditions we don't want. In other words, change its focus to one that rewards people for doing the right thing, rather than punishing them for doing the wrong thing, after the harm has already been done. That's a revolutionary idea.

    As human civilization evolves, it's clear that the very paradigm of what we call "society" is changing into one that is increasingly dependent on information as property. It seems to me that the paradigm of what we call "government" must change accordingly.

  5. Jack Wilborn · 1044 days ago

    No! Jail for upper management or whomever created (I.e. designer). A message needs to be sent.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog