Upromise offers users a service where they can save for college by getting rebates when they buy merchandise from participating retailers. But as the FTC charged in a recent law enforcement settlement, when it comes to consumer privacy and data security, the college savings membership program may want to consider a refresher course.
To participate in Upromise, users downloaded the Upromise TurboSaver Toolbar, designed by a service provider hired by Upromise. Once in place, the Toolbar modified users’ browsers to highlight results from Upromise member merchants. According to the FTC’s complaint, how the Toolbar’s optional "personalized offers" feature worked is where things went wrong.
That feature — which in some cases was the default setting because of a box Upromise pre-checked — modified the Toolbar to provide targeted offers based on a user’s online behavior. While Upromise told users that the personalized offers feature collected information "about sites you visit" for the purpose of providing "college savings opportunities tailored to you," the FTC says the company failed to disclose the full extent of what was going on.
According to the complaint, the feature collected a ton of other information, including the names of all sites people visited and which links they clicked on, as well as information they entered on some pages — like search terms, user names, and passwords. What’s more, in some cases, Upromise’s toolbar collected and transmitted credit card and account numbers, expiration dates and security codes, user names and passwords for access to secure sites, and any Social Security numbers people entered on those pages.
Failing to tell people the full extent of what Upromise collected was a deceptive practice, charged the FTC. The complaint also alleges that Upromise falsely told people their data would be encrypted when it actually was transmitted in clear, readable text.
In addition, according to the FTC, Upromise’s claim that it took reasonable security measures to prevent unauthorized access to consumer’s data was false. The complaint alleges that Upromise engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information it collected and maintained. Among other things, Upromise:
- transmitted sensitive information from secure web pages, like financial account numbers and security codes, in clear readable text;
- didn’t use readily available, low-cost measures to assess and address the risks to people’s information;
- failed to ensure that employees responsible for the information collection program received adequate guidance and training; and
- failed to take adequate steps to ensure that its service provider used reasonable and appropriate measures to protect information.
The complaint also charges that Upromise’s failure to use reasonable and appropriate measures to protect consumer information — like credit card and financial account numbers, security codes and expiration dates, and Social Security numbers that consumers entered into other websites — was an unfair practice under the FTC Act. How so? Tools for capturing data in transit — like over unsecured wireless networks at the neighborhood coffee shop or other public places — are commonly available, making it easier for bad guys to intercept clear-text data while it’s being sent. That opens the door for misuse, including unauthorized charges and identity theft.
Next: Practical pointers from the Upromise settlement