If You Think “Neuromarketing” Sounds Creepy, Wait Till You See This Privacy Policy

Neuromarketing company Neurofocus has gained some attention lately:

Get ready for neuromarketing: Advertising just got creepier

NeuroFocus is touting the next frontier of advertising: Neuromarketing. And you thought something as mundane as Web cookies were creepy.

This gadget, dubbed the Mynd, looks like your typical EEG headset, but this one is designed to monitor consumers’ “deep subconscious responses” to gauge the reaction to advertising and other media content.

The company’s CEO claims their technology allows a company to gain “critical knowledge and insights into how consumers perceive their brands, products, packaging, in-store marketing, and advertising at the deep subconscious level in real time.”

So what does their privacy policy for their research subjects say?

While this privacy policy states standards for maintenance of data, and while efforts will be made to meet the said standards, NeuroFocus is not in a position to guarantee compliance with these standards. There may be factors beyond NeuroFocus’ control that may result in non-compliance. (Examples include but are not limited to, 3rd party attacks, hacking, or loss of data due to storage or hosting outages.) Consequently, NeuroFocus offers no warranties or representations as regards maintenance or non-disclosure of data.

Significantly, this “no warranties or representations” comes after several headlines and statements such as:

Privacy is paramount

NeuroFocus, Inc. takes your right to privacy seriously, and wants you to feel comfortable using this web site.

I wonder if they gauged consumers’ deep subconscious reactions to that.

Posted: March 22, 2011

Privacy Report Word Cloud Fun

The Federal Trade Commission (FTC) and Commerce Department have each recently released reports and requests for comments on consumer privacy issues. Much attention is expected to be paid to the similarities and differences between the reports. The FTC has a consumer protection and law enforcement mission, while Commerce’s mission is “to foster, promote, and develop the foreign and domestic commerce” of the United States. To contribute to the discussion, I’ve prepared these word clouds of the Executive Summaries of each of the reports.

The FTC’s December 2010 Report, Protecting Consumer Privacy in an Era of Rapid Change:

Commerce’s report, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework

The differences are striking. The subject matter — privacy, data and information — is the same. But the FTC seems particularly concerned with consumers (and “consumer”), companies and practices. Commerce’s report appears to be more about policy and commercial concerns. The data subjects — consumers, the ones with an interest in the data — are barely visible in the Commerce report word cloud. I can’t find them there.

UPDATE: At the suggestion of a reader, I’ve created two new ones. These are meant to tease out the differences more. As suggested, I’ve removed the large common words (“privacy” “data” and “information”). I’ve also collapsed the words “consumers” and “consumer” together.

The FTC’s Report

The Commerce Report

Consumers are now visible in the Commerce report, but the difference in focus — Commercial vs. Consumers — is made clearer. It appears as if the FTC is concerned with consumers and companies’ practices, while Commerce approaches this from the point of view of commercial policy.

Posted: December 16, 2010

Misleading On Interactive Advertising

The Federal Trade Commission has posted the comments in its ongoing review of the Children’s Online Privacy Protection Act (COPPA). The act provides privacy rules that, among other things, require parental consent for the collection of data from children or from users of online services directed at children.

One particular statement stands out. The Interactive Advertising Bureau comments (pdf) included this description of their members’ activities:

The delivery of online advertisements involves no more “contact” with an individual by a network advertiser than the advertising department of a city newspaper has with its subscribers as a result of including inserts tailored for locals residing in particular suburban neighborhoods.

Their goal is to make sure that their data collection and use practices do not qualify as an online service that collects personal information under COPPA.

They are misleading the Federal Trade Commission. Interactive advertisers tout abilities to track and contact consumers throughout the web. They build profiles based on this tracking and augment these profiles with data from other sources.

Here’s how IAB member AudienceScience describes their capability:

The Audience Gateway for Advertisers Enables Marketers To:

  • Engage with customers based on their behaviors and interests
  • Reach target audiences wherever they go across the Web
  • Send prospects relevant messages based on where they are in the buy cycle

Here’s how IAB member Google describes their retargeting techniques:

After driving traffic to your site with search ads, you can then remarket to those users who reach your site by showing them tailored ads on sites throughout the Google Content Network.

Here’s an example of how it works. Let’s say you’re a basketball team with tickets that you want to sell. You can put a piece of code on the tickets page of your website, which will let you later show relevant ticket ads (such as last minute discounts) to everyone who has visited that page, as they subsequently browse sites in the Google Content Network. In addition to your own site, you can also remarket to users who visited your YouTube brand channel or clicked your YouTube homepage ad.

You can also run a number of remarketing campaigns at the same time. For example, you could offer discount game tickets to users who’ve previously visited your tickets page, advertise VIP hospitality packages to users who clicked on your “How to get to the arena” page, and advertise a sale on team merchandise to users who previously visited your YouTube brand channel.

IAB Member OwnerIQ describes its abilities as:

OwnerIQ enables advertisers to target consumers based on what they own, what they have expressed an interest in owning (“Intenders”)… or both!

[W]e use our proprietary MostIQ Advertising Platform to reach consumers who have the appropriate Ownership Signals as they travel the web — on over 250,000 web sites, with creative designed to appeal to the Target Segments.

Their retargeting page explains, using a neat graphic, the four steps:

  1. Shoppers visit your site
  2. They leave your site and travel the web
  3. OwnerIQ identifies your prospect and presents them your message
  4. Your prospect is brought back to your site

IAB member Criteo also has a retargeting product:

Retargeting allows you to find your previous website visitors across the Internet and display relevant banners to lead them back to your website to complete their transaction. Bringing ready-to-buy users back to your website after they have left should be a key part of your customer acquisition and conversion strategy.

This is not contact like your newspaper delivery targeting your neighborhood.

Posted: July 15, 2010

New Monitoring Service “SafetyWeb” Has Some Privacy, Safety Problems

The new monitoring service SafetyWeb raises some serious questions about its compliance with the Children’s Online Privacy Protection Act. There are also some potential safety problems with how it could be misused.

The service’s description is rather simple. You enter an email address, and then the service scours the web (and presumably, its own built-up database) and builds an online profile based on the social networks that person has joined. In this way it appears similar to the service that Rapleaf used to offer. The service then promises to monitor the actions of the targeted person on those social networks and report those actions to you.

When I tried it with one of my email addresses, it found several social network services I have joined. It did not find all of them. Only on one of those did I join with that email address, so they must have had some way to figure out the rest were me. None of them were false positives where they identified someone else as me — but my name is rather unique.

The Children’s Online Privacy Protection Act (COPPA) seeks to protect children’s privacy online. Safetyweb appears to address its compliance with COPPA with this simple note in its Privacy Policy:

Our Policy Towards Children

The Site is not directed to persons under 18. If a parent or guardian becomes aware that his or her child has provided us with personally identifiable information without their consent, he or she should contact us by email at: info@safetyweb.com.

This seems to go against the spirit, if not the letter, of COPPA. COPPA applies to:

the operator of any website or online service directed to children that collects personal information from children or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child

They are collecting children’s information — the “parent” that signs up tells them the child’s email address, name and age. Their website is not “directed at children” but they are given “actual knowledge” that they are collecting children’s data. They even have the “parent” check a box that states:  “I certify that I’m the Parent of this child.”

Perhaps they think that they are not collecting personal information from a child, since they get it from the parent. But the entire point of the service is to monitor what the child does online — to go and collect that information from the child’s online profiles and present it to the “parent.”

They need to double-check that their service is COPPA compliant, because it appears that they are covered by COPPA. A simple statement that their website is not “directed to persons under 18” does not change the fact that this is a commercial service whose stated purpose is to collect information from children and to sell it to people who “certify” that they are the parents of that child.

The FTC appears to be taking a serious tone on the mixed issue of children’s online safety and privacy. It recently denied the application of a non-profit to become a COPPA “safe harbor” — meaning a service that would monitor and certify websites for compliance with COPPA. The denial letter took strong umbrage at the fact that the non-profit itself did not follow COPPA — even though it did not have to:

The Commission feels strongly that any organization – including a non-profit organization – to which it grants safe harbor status should itself comply with COPPA when interacting with children online. In the case of i-SAFE, which promotes itself as a leader in educating children on Internet safety, the failure to provide COPPA protections is particularly troubling. This failure also would undermine i-SAFE’s authority to enforce other website operators’ compliance with COPPA.

Safetyweb’s cavalier attitude towards COPPA does not inspire confidence in it as a purveyor of a legitimate parental monitoring service.

Safety / Stalkerware

The other major problem with the service is how it handles the safety issue. How does it know anything about the relationship between the person ordering the monitoring and the one being monitored? I never completed my transaction above, but the service was about to allow me to order the monitoring of a target it reported as being 35. All it appeared to require was that the person doing the ordering check a box agreeing to the terms and conditions, as well as another box certifying that they were the parent of the child.

The FTC recently acted against a provider of stalkerware. Key to that case was the principle that the simple fact that inappropriate uses are against the terms of service does not insulate the provider of the service from liability.

Safetyweb should also take note of the New Hampshire case Remsburg v. Docusearch. Liam Youens paid 150 dollars to Docusearch for several pieces of personal information about Amy Boyer. He had maintained a website where he documented how he was stalking her. With this information, Youens tracked her down, killed her, and committed suicide. A New Hampshire court said Docusearch had a duty to exercise reasonable care that it did not cause harm when selling this information:

The threats posed by stalking and identity theft lead us to conclude that the risk of criminal misconduct is sufficiently foreseeable so that an investigator has a duty to exercise reasonable care in disclosing a third person’s personal information to a client. And we so hold. This is especially true when, as in this case, the investigator does not know the client or the client’s purpose in seeking the information.

One Benefit

There’s a benefit of widespread knowledge of the existence of this service. It lets people know their online profiles can be monitored and mined. What we’re seeing here is the consumer-facing side of something that is surely going on behind the scenes — starting with an email address, marketers and other data mining companies can compile extensive profiles of individuals. Perhaps this awareness will lead to some outrage, and support for regulation.

Safetyweb has hired a leading expert in children’s online safety and privacy issues. They should be able to adequately address these issues.

Posted: June 15, 2010

FTC Settles Key Stalkerware Case [UPDATED]

The FTC and Cyberspy, the purveyor of the Remotespy stalkerware program, recently settled a case over the sale and distribution of that spyware program. [UPDATE: The FTC press release is here]. The settlement limits the Trojan-like features of the software, and forbids Cyberspy from training its users in how to use the software to infect other people’s PCs. Importantly, the settlement also forces Cyberspy to disable the monitoring in all current installations. However, Cyberspy will be able to keep selling the modified software. The settlement is available from the court website, and has not yet been posted to the FTC’s page on the case. [UPDATE: The settlement is now available on the FTC website.]

Previous marketing for the Remotespy stalkerware program

The FTC filed the case in 2008 following a complaint from EPIC. The EPIC complaint detailed several practices by providers of stalkerware, including Cyberspy. The complaint noted that:

these companies promote illegal surveillance targets; promote the use of “Trojan Horse” email attacks; and fail to warn their customers of the legal risks of the improper use of this software.

The FTC followed up on that complaint, and investigated Cyberspy. In its filing, the FTC alleged that Cyberspy engaged in several unfair and deceptive trade practices:

  • Unfair Sale of Spyware
  • Unfair Collection and Disclosure of Consumer’s Personal Information
  • Providing the Means and Instrumentalities to Install Spyware and Access Consumer’s Personal Information
  • Providing the Means and Instrumentalities to Engage in Deception

Cyberspy provided the Remotespy program via its website. There were several indications that the software was not a legitimate monitoring tool, but was instead a harmful and malicious product. The Remotespy program functioned as a keylogger, making a record of every key typed. It also regularly took screenshots of the victim’s PC. Cyberspy taught users how to disguise the software as an innocuous email to be sent to the victim. Once the software was installed, the victim received no notice of it. The software sent the captured information — without encryption — from the victim’s machine to Cyberspy’s servers. The purchaser could then log in to Cyberspy’s website and view the information. Cyberspy would organize the information for the snoop, including identifying websites, and which username/password pairs the victim used to access those sites.

The settlement prohibits several key activities. Cyberspy can no longer teach the purchaser about disguising the software. This includes counseling them on how to hide the executable as an innocuous image or in a Word file, as well as barring Cyberspy from recommending the use of an anonymous email service. Further, the software can no longer function as a Trojan horse unless the purchaser shows they have administrative access to the machine. Without administrative access, the software has to function more like a normal program: showing a splash screen upon installation and installing desktop and taskbar icons. These must have branding and naming similar to that used to sell the software. The purchaser must also receive notices that only a computer owner or one with permission may use the program. These notices should come on the Remotespy website, when the software is purchased, and when the remote deployment is configured. Cyberspy also has to control more tightly the reinstallation of its product — apparently the FTC believed that Cyberspy wasn’t enforcing its licenses, and was allowing more victimization. Cyberspy will also have to encrypt, or otherwise render unreadable, the data that it collects. Previous versions of the software transmitted this sensitive information without any encryption. Lastly, Cyberspy and its affiliates can no longer sell old versions of the software, and existing installations must be disabled.

Some matters still remain. The software is still being marketed as being able to “spy” — which is not how a legitimate monitoring tool would be marketed. The software still organizes the data in a way that would be useful to someone engaged in sniffing passwords. The order is silent on how the software interacts with anti-spyware tools and firewalls. A legitimate user of a computer thus would have no way of knowing whether Remotespy is on their machine, nor any guarantee that an anti-spyware tool would block it.

Posted: May 10, 2010

FTC Budget Justification Requests More Privacy, Security, New Media Staff

The Federal Trade Commission’s Fiscal Year 2011 budget request asked Congress for 40 additional Full-Time Equivalent (FTE) staff. Several of these would be in the area of privacy, data security, and new media:

2 FTE for data security enforcement and rulemakings related to data security, breach notice and consumer access to information in certain databases, and other opportunities to provide greater clarity regarding data security principles.

2 FTE to protect consumers in the mobile marketplace and new media by addressing the privacy, security, and other risks of consumer harms associated with these new technologies.

3 FTE for the FTC Regional Offices to respond to growing law enforcement challenges in fraud targeting vulnerable Americans and financial services fraud, and provide outreach to close information gaps in the areas of new media, privacy, and health, including 1 FTE for Spanish-speakers to combat illegal practices targeting Hispanic consumers.

2 FTE for economic analysis and support of the Consumer Protection area, including the FACTA study, advertising to children, and consumer financial services.

1 FTE for General Counsel for litigation and legal counsel to cover the rapidly increasing workload on privacy and information security issues.

Posted: February 10, 2010

Let’s Not Close Our Eyes In A Changing Media Environment

The FCC has issued two major Notices of Inquiry. One asks several questions about the Future of Media, and begins:

The objective of this review is to assess whether all Americans have access to vibrant, diverse sources of news and information that will enable them to enrich their lives, their communities and our democracy. The Future of Media project will produce a report providing a clear, precise assessment of the current media landscape, analyze policy options and, as appropriate, make policy recommendations to the FCC, other government entities, and other parties.

Another asks about “Empowering Parents and Protecting Children in an Evolving Media Landscape”:

The evolving electronic media landscape presents parents with both tremendous opportunities and critical challenges. On the one hand, electronic media technologies present many benefits for children, such as offering an almost unlimited potential for educational avenues and providing the technological literacy needed to compete in a global economy. On the other hand, the technological developments that produce these benefits also present risks for children. With this Notice of Inquiry (“NOI”), we seek to develop a record that will help us answer the question of how to empower parents to help their children take advantage of these opportunities, while at the same time protecting children from the risks inherent in use of these platforms.

Both of these will lead to reports to the public which reflect the information the FCC has gathered.

This is apparently too much for Ken Ferree, who blogs at the Progress and Freedom Foundation (PFF), concerning the first inquiry:

The problem is that the very act of initiating such an inquiry will chill protected speech; government inquiries into what is and is not working in the area of news, information, and media is itself an affront to the First Amendment. And it is no answer that the Commission has embarked on this journey with beneficent motives, it has no power to derogate from the protections of the First Amendment in the name of what one group of bureaucrats may think are important government interests.

Further, some of the PFF staff promise to “question this ‘questioning’” that the FCC is engaging in when it asks about “empowering parents.”

Why stop there? Maybe we should forbid the FCC and the rest of the government from watching TV, listening to the radio, going online, or reading newspapers as well.

Posted: February 6, 2010

Homeland Security Privacy Assessments: Online for a Limited Time Only?

In a Federal Register notice, the Homeland Security Privacy office announces the publication — for a limited time — of four Privacy Impact Assessments:

SUMMARY: The Privacy Office of the Department of Homeland Security is making available four Privacy Impact Assessments on various programs and systems in the Department. These assessments were approved and published on the Privacy Office’s Web site between January 1, 2009, and March 31, 2009.

DATES: The Privacy Impact Assessments will be available on the DHS Web site until July 6, 2009, after which they may be obtained by contacting the DHS Privacy Office (contact information below).

(emphasis added).

Why the time limitation? Why can’t the DHS website provide an archive of Privacy Impact Assessments? More government information online means more information is easily accessible. During the campaign some discussed the potential for a more machine readable government:

But the big part of this is a commitment to making data about the government (as well as government data) publicly available in standard machine readable formats. The promise isn’t just the naive promise that government websites will work better and reveal more. It is the really powerful promise to feed the data necessary for the Sunlights and the Maplights of the world to make government work better. Atomize (or RSS-ify) government data (votes, contributions, Members of Congress’s calendars) and you enable the rest of us to make clear the economy of influence that is Washington.

This is the stuff of the “naive promise” of websites that reveal more. But at least it is a start. And it is a start towards government reports on their privacy impacts being online, indexed by search engines, and easily found by individuals.

Posted: May 5, 2009

Simple Minded Regional Prejudices in a Supreme Court Opinion

Today the Supreme Court released its opinion (pdf) in FCC v. Fox Television Studios. The case concerns the FCC’s change in 2004 to enforce a ban on even single uses of profanity on the air. More background on the case is here. The opinion contains this amazing quote (page 24) provided by Justice Scalia:

We doubt, to begin with, that small-town broadcasters run a heightened risk of liability for indecent utterances. In programming that they originate, their down-home local guests probably employ vulgarity less than big-city folks; and small-town stations generally cannot afford or cannot attract foul-mouthed glitteratae from Hollywood.

This is a basic culture war salvo of the sort you might find from Rush Limbaugh or a random right wing blogger. And there it is, in a Supreme Court opinion, provided by the Harvard-educated judge from New York City, with no citations to outside sources or to facts in the record of the case.

Posted: April 28, 2009

DOJ Stalking Report Estimates Hundreds of Thousands of Electronic Privacy Invasions

The Department of Justice, Bureau of Justice Statistics last week reported on its survey: “Stalking Victimization in the United States.” The survey was composed of 65,000 responses, and led to a total estimate of 5.8 million victims: 3.4 million stalking, and 2.4 million for harassment. The study covers victimization occurring mostly in 2005: the responses were collected during the first half of 2006, and inquired about events in the previous 12 months. Of these 5.4 million victims, two hundred thousand were victimized by identity theft.

Significantly, the survey also showed that 23% of victims suffered some form of cyberstalking, and 6% suffered electronic monitoring such as spyware, bugging or video surveillance.

The estimated 138 thousand victims of spyware were probably victimized by the type of stalker spyware that EPIC complained to the FTC about. I doubt that stalkers are writing their own software or using vulnerability scripts. I also suspect that the numbers have gone up in the 3 — now entering 4 — years since 2005. The FTC has only now begun to look at stalker spyware, and the only previous action on it was DOJ’s prosecution of Loverspy.

I’m not surprised by the numbers showing cyberstalking using email, IM, or blogs. But I do find it interesting that 8.8% of victims had Internet sites created about them. I suspect the cyberstalking numbers have also only increased — blog usage and providers are proliferating, and so are the ways that one can make a website about another. I’ve worked with two individuals who had false online dating profiles created, one repeatedly. In these and in other cases of cyberstalking, it’s important that lawyers representing them be aware of the victimization, can present it to the court in a manner that aids their case, and can craft remedies that address the victimization.

Posted: January 23, 2009