
FTC smacks down security sloppiness by web analytics company Compete

Announcement posted by Sophos 29 Oct 2012

Blog post by Paul Ducklin, Sophos

The US Federal Trade Commission (FTC) has settled with Massachusetts-based web analytics company Compete, Inc.

Part of the smackdown was an accusation of outright dodginess, to wit that:

Respondent failed to disclose that its products would also collect and transmit much more extensive information about the Internet behavior that occurs on consumers' computers, and information consumers provided in secure sessions when interacting with third-party websites, shopping carts, and online accounts – such as credit card and financial account numbers, security codes and expiration dates, and Social Security numbers consumers entered into such web pages.

But a refreshing part of the settlement is that the FTC didn't just concern itself with the fact that the company did the wrong thing. It also took issue with the fact that Compete didn't do the right thing.

The complaint details a number of behaviours that the FTC considered unacceptable simply by having the security bar set too low, such as:

  • Making substandard efforts to detect and filter out personally identifiable information (PII), which would have avoided its collection in the first place.
  • Not bothering to use encryption when sending user data back to Compete's servers.
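The two shortcomings above map onto two client-side controls: scrub PII out of collected form data before it leaves the machine, and refuse to transmit over anything but an encrypted channel. The following is an added illustration written for this post, not Compete's code or anything from the FTC complaint; the field names, endpoint URLs and sample values are constructed. It validates candidate card numbers with the Luhn checksum so that ordinary numeric data (order numbers, phone numbers) is not redacted by mistake, drops fields that are sensitive by name (security codes, expiry dates), and rejects plaintext `http://` collectors outright.

```python
import re

# Constructed example of a pre-transmission PII scrubber and transport guard.
# Not Compete's software; names and values are made up for illustration.

# 13 to 19 digits, optionally separated by spaces or dashes, starting and
# ending on a digit so trailing separators are never swallowed.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US Social Security number in the common dashed form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Form fields dropped outright, whatever their value (hypothetical names).
SENSITIVE_FIELDS = {"cvv", "cvc", "security_code", "expiry", "exp_date",
                    "password", "ssn", "card_number"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a well-formed payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_card_numbers(text: str) -> str:
    """Replace Luhn-valid card numbers; leave other digit runs untouched."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return "[CARD]" if luhn_ok(digits) else m.group(0)
    return CARD_RE.sub(repl, text)


def scrub_text(text: str) -> str:
    """Redact card numbers and SSNs from a free-text value."""
    text = redact_card_numbers(text)
    return SSN_RE.sub("[SSN]", text)


def scrub_form_data(fields: dict) -> dict:
    """Drop sensitive fields by name and scrub the values of the rest."""
    out = {}
    for name, value in fields.items():
        if name.lower() in SENSITIVE_FIELDS:
            continue
        out[name] = scrub_text(str(value))
    return out


def is_safe_endpoint(url: str) -> bool:
    """Only an HTTPS collector is acceptable for user data."""
    return url.lower().startswith("https://")


def prepare_upload(fields: dict, endpoint: str) -> dict:
    """Scrubbed payload ready to send, or ValueError if the channel is plaintext."""
    if not is_safe_endpoint(endpoint):
        raise ValueError("refusing to send collected data over plaintext HTTP")
    return scrub_form_data(fields)


if __name__ == "__main__":
    # Constructed sample capture from a checkout page.
    captured = {
        "name": "Alice Example",
        "cvv": "123",
        "comment": "paid with 4111 1111 1111 1111, ssn 123-45-6789, order 1234 5678 9012 3456",
    }
    print(prepare_upload(captured, "https://collector.example.invalid/ingest"))
```

The order number in the sample survives because it fails the Luhn check, while the card number and SSN are redacted and the `cvv` field never reaches the payload at all. Scrubbing on the client is the cheap part; the transport check is what the second bullet above is about, and it belongs in front of every send, not just the first.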

Note that Compete doesn't just make use of a browser toolbar, but also operates what it calls a Consumer Input Panel. Joining the panel involves installing software on your computer to give the company a much more intimate view of what you get up to online.

Voluntarily installing snoopware on your computer is a big ask, but Compete has a page to explain the benefits:

[Y]ou'll not only have the opportunity to express yourself about the products and services that are part of your day-to-day life, you'll also influence decisions that may affect millions of other consumers.

You'll have to make your own mind up whether those benefits are sufficient. The FTC didn't think so, saying:

Respondent's failure to employ reasonable and appropriate measures to protect consumer information... caused or was likely to cause substantial injury to consumers that was not offset by countervailing benefits to consumers or competition and was not reasonably avoidable by consumers. This practice was, and is, an unfair act or practice.

As part of the settlement, Compete has agreed not to do it again, and to subject itself to a security audit every two years for the next 20 years.

What do you think? Is that a stiff enough penalty? Is agreeing to the sort of audit that lots of other companies do voluntarily really any sort of punishment?