WhenU Breaks Its Privacy Promise

In July 2003, I noticed — and shortly notified WhenU — that WhenU’s software transmits to its servers the URLs that users visit, and that it does so every time it shows a user an ad. What’s the big deal? WhenU’s privacy policy said it wouldn’t do this: “URLs visited … are not transmitted to whenu.com or any third party server.” Many of WhenU’s software installers carry an even more explicit, but equally false, statement: “… does not track, collect or send your browsing activity anywhere.” What did WhenU do in response to my notification? Nothing, so far as I know.
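The behaviour described above, a client that sends the user's current page URL to its ad server inside each ad request, is something a defender can confirm from proxy logs. The following is an added example, not code from the original post or from WhenU; the ad-server host name, the `ctx` parameter and the log lines are all constructed for illustration. It correlates each client's ordinary page fetches with later requests to the ad host and flags any ad request whose query string carries a URL that client had already visited.

```python
"""Flag ad requests that carry a URL the same client visited earlier.

All host names, parameter names and log lines here are constructed for
this example; they are not taken from WhenU's real traffic.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Hypothetical ad-server hosts to watch (constructed, not WhenU's).
AD_HOSTS = {"ads.example-adserver.test"}

# Constructed proxy log, one request per line: "<client_ip> <method> <url>"
SAMPLE_LOG = """\
10.0.0.5 GET http://www.example-shop.test/cart?item=42
10.0.0.5 GET http://ads.example-adserver.test/show?ctx=http%3A%2F%2Fwww.example-shop.test%2Fcart%3Fitem%3D42&aid=77
10.0.0.7 GET http://news.example.test/story/123
10.0.0.7 GET http://ads.example-adserver.test/show?aid=78
10.0.0.5 GET http://ads.example-adserver.test/show?ctx=http%3A%2F%2Fsearch.example.test%2Fq%3Dshoes
"""

def normalize(url):
    """Lower-case scheme and host and drop the fragment so comparisons match."""
    p = urlsplit(url)
    return p._replace(scheme=p.scheme.lower(), netloc=p.netloc.lower(), fragment="").geturl()

def find_url_leaks(log_text, ad_hosts=AD_HOSTS):
    """Return (client, ad_request_url, leaked_url) for each ad request whose
    query string contains a URL that the same client fetched earlier."""
    visited = defaultdict(set)   # client ip -> normalized URLs it has fetched
    leaks = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _method, url = line.split(maxsplit=2)
        parts = urlsplit(url)
        if parts.netloc.lower() not in ad_hosts:
            visited[client].add(normalize(url))  # ordinary browsing, remember it
            continue
        # parse_qs percent-decodes values, so an embedded URL comes out readable
        for values in parse_qs(parts.query).values():
            for value in values:
                if urlsplit(value).scheme in ("http", "https") and normalize(value) in visited[client]:
                    leaks.append((client, url, normalize(value)))
    return leaks

if __name__ == "__main__":
    for client, ad_url, leaked in find_url_leaks(SAMPLE_LOG):
        print(f"{client}: ad request leaked visited URL {leaked}\n    via {ad_url}")
```

Only matches against URLs the same client actually fetched are reported, so a URL-shaped parameter that was never visited (the last log line) is not counted as a confirmed leak.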

Fast-forward eight months. I mentioned WhenU’s privacy violation in my FTC comments (PDF), and an FTC workshop speaker mentioned it (citing me) in his oral comments, with WhenU’s CEO and counsel present in the room. What did WhenU do? Again, nothing, so far as I know.

But this past Friday, I released to the public my new WhenU Violates Own Privacy Policy. I’ve revised my research of last summer and this spring — explaining things a bit more clearly, better tracking the duration and scope of the violation, and adding formatting to make the work easier to read. What did WhenU do? This time, finally, WhenU changed its privacy policy, to better describe its actual practice. But WhenU only made the change in some places — namely only on its web site, but not in the installer screens users look at as they decide whether or not to install WhenU software. So even today, as users install WhenU software, they are told — falsely — that WhenU doesn’t track, collect, or send their browsing activity. (screen-shots)

This is a troubling situation: For one, there’s the ten month lag between the violation first being brought to WhenU’s attention, and WhenU doing anything to even begin to address it. Then there are the thirty million users who reportedly run WhenU software. As users installed WhenU’s programs, WhenU promised not to send or track which URLs they visited. Instead, WhenU sent this information all along, and even continues sending it this very minute. Can WhenU correct the violation merely by changing its privacy policy web page?

Details, including HTTP logs and screen-shots, are in my WhenU Violates Own Privacy Policy.