privacy – Page 2 – Ben Edelman

May 24, 2004December 2, 2023

WhenU Breaks Its Privacy Promise

In July 2003, I noticed — and shortly notified WhenU — that WhenU’s software transmits to its servers the URLs that users visit, and that it does so every time it shows a user an ad. What’s the big deal? WhenU’s privacy policy said it wouldn’t do this: “URLs visited … are not transmitted to whenu.com or any third party server.” Many of WhenU’s software installers carry an even more explicit, but equally false, statement: “… does not track, collect or send your browsing activity anywhere.” What did WhenU do in response to my notification? Nothing, so far as I know.

Fast-forward eight months. I mentioned WhenU’s privacy violation in my FTC comments (PDF), and an FTC workshop speaker mentioned it (citing me) in his oral comments, with WhenU’s CEO and counsel present in the room. What did WhenU do? Again, nothing, so far as I know.

But this past Friday, I released to the public my new WhenU Violates Own Privacy Policy. I’ve revised my research of last summer and this spring — explaining things a bit more clearly, better tracking the duration and scope of the violation, and adding formatting to make the work easier to read. What did WhenU do? This time, finally, WhenU changed its privacy policy, to better describe its actual practice. But WhenU only made the change in some places — namely only on its web site, but not in the installer screens users look at as they decide whether or not to install WhenU software. So even today, as users install WhenU software, they are told — falsely — that WhenU doesn’t track, collect, or send their browsing activity. (screen-shots)

This is a troubling situation: For one, there’s the ten month lag between the violation first being brought to WhenU’s attention, and WhenU doing anything to even begin to address it. Then there are the thirty million users who reportedly run WhenU software. As users installed WhenU’s programs, WhenU promised not to send or track which URLs they visited. Instead, WhenU sent this information all along, and even continues sending it this very minute. Can WhenU correct the violation merely by changing its privacy policy web page?

Details, including HTTP logs and screen-shots, are in my WhenU Violates Own Privacy Policy.

March 17, 2004December 2, 2023

Methods and Effects of Spyware

Methods and Effects of Spyware (PDF) is my written response to the FTC‘s call for comments (PDF), leading up to their April 19 workshop on spyware. In this document, I explain how spyware works, including presenting specific personal information transmitted by both Gator and WhenU. (The WhenU transmissions are particularly notable because these transmissions seem to violate WhenU’s own privacy policy.) Other sections of the document discuss installation methods of spyware (with special consideration of the technical methods used in drive-by downloads), frequency of advertisement display, and performance and security effects of spyware.

I hope to attend the FTC’s April workshop, and I would be particularly pleased to hear from others who will be there or who have comments on this issue.

October 12, 2000December 2, 2023

Privacy & Security Violations at Buy.com

In October 2000, I noticed that buy.com‘s product return system allowed any Internet user to view prepaid UPS return labels intended for use by some 45,000+ Buy.com customers. Labels included customers’ names, addresses, and phone numbers. Buy.com has since fixed the problem, replacing the information with an error message, but I kept a sample of the data that was temporarily publicly accessible. See coverage of the story in major media.