
Spy software company’s data reuse deemed unethical

CIOs typically play the role of a sheepdog, not a wolf, and most consider shepherding the data entrusted to them a sacred trust.

If you're a CIO or IT manager who hears the “big picture” changing to include repurposing of personally identifiable content, red flags should go up. Of course, the argument for repurposing data is one of revenue and the rights of the shareholders to earn as much as possible. While nobody enjoys cutting potential profit, this article might help you take the high road by detailing some of the land mines one company's actions set off.

This applies particularly if the personal content in question comes from children or if you partner with dot-gov and dot-mil entities.

Echometrix: Sanctioned by the state of New York 

Reports about Echometrix, the New York company formerly known as SearchHelp, Inc., tell this cautionary tale:

NEW YORK, NY (September 15, 2010) – Attorney General Andrew M. Cuomo today announced a settlement that stops the software company Echometrix from gathering information from children's private online conversations and offering it to paying marketers.

Echometrix is a New York-based software company that sells parental internet monitoring software which allows parents and guardians to keep track of what their children do on the internet. 

Under the settlement, Echometrix has agreed that it will not analyze or share with third parties any private communications, information, or online activity to which they have access.  Echometrix will also pay a $100,000 penalty to the state of New York.  Echometrix, which cooperated with the Attorney General's office, ceased offering the Pulse product after the Attorney General commenced his investigation.

Reasonable person theory

I'm going to depart midway through this quote from the state of New York and ask the question: Really?!? What part of that single opening sentence in AG Cuomo's announcement didn't raise flags for the executive leadership of Echometrix?

Or was it simply revenue? Was the reported $5000 - $25,000 per seat cost to people who wanted to monitor Pulse simply enough to cloud their judgment?

Either way, this privacy-based issue ended with the termination of the CEO just two weeks ago, along with an FTC complaint that led to an investigation by the Attorney General of New York, culminating in the cessation of the company's leading business segment and a damaged reputation for its FamilySafe filtering software.

Selling spyware: Echometrix and ethical landmines

The announcement continues with the details of the key issue the state of New York had with this practice of repurposing content:

In June 2009, Echometrix began offering a program to companies called Pulse that used its internet monitoring software to secretly collect and analyze portions of children's private online instant messaging conversations.  Pulse was marketed as a way for third-party companies to get insight into what children privately said about products and services. Echometrix did not disclose to parents and guardians that its internet monitoring programs were collecting and analyzing children's conversations for marketing purposes. 

"Echometrix sells software that protects children by gathering information for parents about what their kids are doing online, but at the same time it was marketing its data to outside companies without its customer's knowledge," said Attorney General Cuomo.  "This settlement prevents Echometrix from using the guise of children's safety to undermine children's privacy.  As my office works to ensure that the internet is a safe place for children, we encourage all parents and guardians to maintain an active interest in what their children are doing online." 

Department of Defense: Don't tread on me

If you're doing something objectionable with children's data, selling your solution through DoD resources just compounds the problem: these people meet a much higher bar than other retailers might.

Apparently, one email, dated the day after the announcement on Oct. 13, shows that the agreement between the DoD-run Army Air Force Exchange (AAFES) and Echometrix lasted less than 24 hours after the announcement was made public:

I was forwarded the attached complaint submitted to the FTC by EPIC. It is very unfortunate that you did not inform me of this issue. Our customers' privacy and security is very important to us, and we trust our Mall Partners to maintain the security of our customers.

I have removed your site, and it will stay offline until this matter with EPIC and the FTC is resolved.

Matthey McCoy
Manager, Exchange Online Mall

As listed in the chronology at the bottom, watchdog group EPIC had filed its FTC complaint a few weeks prior. When EPIC filed a Freedom of Information Act (FOIA) request on the same day as the Echometrix press release, it had the tactical effect of officially notifying AAFES of the Federal Trade Commission complaint. At this point, the AAFES staff promptly severed ties, as the email indicates.

Moral: Morality in business

As leaders become more senior inside a company, our vision shifts from tactical to strategic. Questions and ethical lines between privacy and profitability may blur, particularly when it comes to businesses previously trusted with content filtering. The morals of this story are simple.

  1. First, if you're sitting in on a meeting which talks about repurposing or remarketing data from kids, it really shouldn't go farther than that meeting, period. CIOs, you've now got the detailed ammunition you may need to take moral steps back onto the high ground if any questionable use of personal data comes up.
  2. Spyware isn't spyware if the owner of the system intentionally installs it, but since parents may not have known what their children's data was being used for, the reuse of the data for consumer research was blocked on several fronts.
  3. EULAs and opt-in/opt-out policies are not big enough to hide behind. Research for this article shows that the trend for the past 10 years has consistently been on the side of the consumer.
  4. Finally, as to answering potential lost revenue, the high ground is there for a reason: By taking it, decision-makers can all sleep well at night for doing the proper thing. Doing something wrong to make money is what cybercriminals do – not what CIOs do.

The part of this that tells me how large the problem of repurposed data has become is that the now-departed CEO of Echometrix used to be the chairman of Citicorp Information Management Services, listed as one of the largest resellers of marketing intelligence.

As for what the monitored 7-21-year-olds might think, YPulse blogger Anastasia Goodstein put it this way:

I wonder if parents realize that PULSE is monitoring the instant message conversations of about 150,000 teens using the FamilySafe software THEY installed for the purpose of selling this data.

Even if identities are masked, this feels like it takes passive data mining to a whole new level.

Reverse chronology

Disclaimer: In a previous article on this topic, I discussed the finer points of whether this approach is spyware, comparing the teeth of a wolf and a sheepdog with the intent demonstrated. While the parental control aspect is more like a sheepdog, the repurposing of personally identifiable data has been found to exceed the reasonable expectations of the general public. The industry term for malware which collects this information is “spyware.”
