If You Think “Neuromarketing” Sounds Creepy, Wait Till You See This Privacy Policy

Neuromarketing company Neurofocus has gained some attention lately:

Get ready for neuromarketing: Advertising just got creepier

NeuroFocus is touting the next frontier of advertising: Neuromarketing. And you thought something as mundane as Web cookies were creepy.

This gadget, dubbed the Mynd, looks like your typical EEG headset, but this one is designed to monitor consumers’ “deep subconscious responses” to gauge the reaction to advertising and other media content.

The company’s CEO claims their technology allows a company to gain “critical knowledge and insights into how consumers perceive their brands, products, packaging, in-store marketing, and advertising at the deep subconscious level in real time.”

So what does their privacy policy for their research subjects say?

NO GUARANTEES
While this privacy policy states standards for maintenance of data, and while efforts will be made to meet the said standards, NeuroFocus is not in a position to guarantee compliance with these standards. There may be factors beyond NeuroFocus’ control that may result in non-compliance. (Examples include but are not limited to, 3rd party attacks, hacking, or loss of data do to storage or hosting outages) Consequently, NeuroFocus offers no warranties or representations as regards maintenance or non-disclosure of data.

Significantly, this “no warranties or representations” comes after several headlines and statements such

Privacy is paramount

and

NeuroFocus, Inc. takes your right to privacy seriously, and wants you to feel comfortable using this web site.

I wonder if they gauged consumers’ deep subconscious reactions to that.

Posted: March 22, 2011 in:

Will the FTC Enforce MySpace’s Security Promises?

Recently, Wired revealed a bug in MySpace’s user account security:

A backdoor in MySpace’s architecture allows anyone who’s interested to see the photographs of some users with private profiles — including those under 16 — despite assurances from MySpace that those pictures can only be seen by people on a user’s friends list. Info about the backdoor has been circulating on message boards for months.

The flaw exposes MySpace users who set their profiles to “private” — the default setting for users under 16 — even though MySpace’s account settings page tells users, “Only the people you select will be able to view your full profile and photos.”

A specially constructed URL will display the images, even to those not logged in to MySpace.

In a followup article, it is noted that “MySpace Quietly Fixes Bug that Gave Voyeurs Access to Teens’ Private Photos“:

Barely 24 hours after my story hit the front door of Wired.com, MySpace has, without comment, closed the backdoor, and the websites that were exploiting it are no longer delivering private photos. That seems to leave just two possibilities:

1. MySpace didn’t know this was going on before.

2. MySpace knew about it, but didn’t take action until the press noticed.

From a privacy activist’s perspective though, the question is: what will the Federal Trade Commission do about it? What can they do?

The FTC has the power to prosecute “unfair and deceptive trade practices.” This doctrine has developed to mean they have a role in enforcing privacy promises:

Enforcing Privacy Promises: Section 5 of the FTC Act

A key part of the Commission’s privacy program is making sure companies keep the promises they make to consumers about privacy, including the precautions they take to secure consumers’ personal information. To respond to consumers’ concerns about privacy, many Web sites post privacy policies that describe how consumers’ personal information is collected, used, shared, and secured. Indeed, almost all the top 100 commercial sites now post privacy policies. Using its authority under Section 5 of the FTC Act, which prohibits unfair or deceptive practices, the Commission has brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers’ personal information.

It looks like MySpace was promising privacy. And it looks like that promise wasn’t being kept. The FTC has gone after poor security promises before. A listing of their privacy cases includes a few examples:

  • Company Failed to Use Reasonable Security Measures to Protect Consumers’ Data
  • Agency Says Company Failed to Protect Sensitive Customer Data
  • Tens of Millions of Consumer Credit and Debit Card Numbers Compromised
  • Agency Says Lax Security Compromised Thousands of Credit and Debit Cards
  • Security Flaws Allowed Hackers to Access Consumers’ Credit Card Information

But these cases all have harms that involve credit card or other such personal information of a financial type. MySpace involved pictures. Will the FTC recognize MySpace’s breach of image security as a harm?

FTC action in this case would send a clear message to social networking operators to respect security and protect the privacy of the data which users are entrusting to them. That data may not be “sensitive” in the financial sense. But it is “sensitive” in that it is deeply personal.

Posted: January 20, 2008 in: