New Monitoring Service “SafetyWeb” Has Some Privacy, Safety Problems

The new monitoring service SafetyWeb raises some serious questions about its compliance with the Child Online Privacy Protection Act. There’s also some potential safety problems with how it could be misused.

The service’s description is rather simple. You enter an email address, and then the service scours the web (and presumably, its own built up database) and builds up an online profile based on the social networks that person has joined. In this way it appears similar to the service that Rapleaf used to offer.  The service then promises to monitor the actions of the targeted person on those social networks and report those actions to you.

When I tried it with one of my email addresses, it found several social network services I have joined.  It did not find all of them. Only on one of those did I join with that email address, so they must have had some way to figure out the rest were me. None of them were false positives where they identified someone else as me — but my name is rather unique.

COPPA

The Child Online Privacy Protection Act (COPPA) seeks to protect children’s privacy online. Safetyweb appears to address their compliance with COPPA with this simple note in their Privacy Policy:

Our Policy Towards Children

The Site is not directed to persons under 18. If a parent or guardian becomes aware that his or her child has provided us with personally identifiable information without their consent, he or she should contact us by email at: info@safetyweb.com.

This seems to go against the spirit, if not the letter, of COPPA.  COPPA applies to:

the operator of any website or online service directed to children that collects personal information from children or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child

They are collecting children’s information — the “parent” that signs up tells them the child’s email address, name and age. Their website is not “directed at children” but they are given “actual knowledge” that they are collecting children’s data. They even have the “parent” check a box that states:  “I certify that I’m the Parent of this child.”

Perhaps they think that they are not collecting personal information from a child, since they get it from the parent.  But the entire point of the service is to monitor what the child does online — to go and collect that information from the child’s online profiles and present it to the “parent.”

They need to double check that their service is COPPA compliant, because it appears that they are covered by COPPA. A simple statement that their website is not “directed to persons under 18″  does not change the fact that this is a commercial service whose stated purpose is to collect information from children and to sell it to people who “certify” that they are the parents of that child.

The FTC appears to be taking a serious tone on the mixed issue of children’s online safety and privacy.  They recently denied the application of a non-profit to become a COPPA “safe harbor” — meaning a service that would monitor and certify websites for compliance with COPPA. Their denial letter took strong umbrage at the fact that the non-profit itself did not follow COPPA  — even though it did not have to:

The Commission feels strongly that any organization – including a non-profit organization – to which it grants safe harbor status should itself comply with COPPA when interacting with children online. In the case of i-SAFE, which promotes itself as a leader in educating children on Internet safety, the failure to provide COPPA protections is particularly troubling. This failure also would undermine i-SAFE’s authority to enforce other website operators’ compliance with COPPA.

Safetyweb’s cavalier attitude towards COPPA indeed does not inspire confidence in them as purveyor of a legitimate parental monitoring service.

Safety / Stalkerware

The other major problem with the service is how they handle the safety issue.  How do they know anything about the relationship of the person ordering the monitoring and the one being monitored? I never completed my transaction above, but they were about to allow me to order the monitoring of a target their service reported as being 35.  All they appeared to require was that the person doing the ordering check a box agreeing to the terms and conditions, as well as another box that certified they were the parent of the child.

The FTC recently acted against a provider of stalkerware.  Key to that case was that the simple fact that inappropriate uses were against the terms of service should not insulate the provider of the service from liability.

Safetyweb should also take note of the New Hampshire case Remsburg v. Docusearch. Liam Youens paid 150 dollars to Docusearch for several pieces of personal information about Amy Boyer.  He had maintained a website where he documented how he was stalking her.  With this information, Youens tracked her down, killed her, and committed suicide.  A New Hampshire court said Docusearch had a duty to exercise reasonable care that they did not cause harm when selling this information:

The threats posed by stalking and identity theft lead us to conclude that the risk of criminal misconduct is sufficiently foreseeable so that an investigator has a duty to exercise reasonable care in disclosing a third person’s personal information to a client. And we so hold. This is especially true when, as in this case, the investigator does not know the client or the client’s purpose in seeking the information.

One Benefit

There’s a benefit of widespread knowledge of the existence of this service. It lets people know their online profiles can be monitored and mined. What we’re seeing here is the consumer facing side of something that is surely going on behind the scenes — starting with an email address, marketers and other data mining companies can compile extensive profiles of individuals.  Perhaps this awareness will lead to some outrage, and support for regulation.

Safetyweb has hired a leading expert in children’s online safety and privacy issues. They should be able to adequately address these issues.

Posted: June 15, 2010 in:

FTC Settles Key Stalkerware Case [UPDATED]

The FTC and  Cyberspy, the purveyor of the Remotespy stalkerware program, recently settled a case over the sale and distribution of that spyware program. [UPDATE: The FTC press release is here].  The settlement limits the Trojan-like features of the software, and forbids Cyberspy from training its users in how to use the software to infect other people’s PCs. Importantly, the settlement also forces Cyberspy to disable the monitoring in all current installations. However,  Remotespy will be able to keep selling the modified software.  The settlement is available from the court website, and has not yet been posted to the FTC’s page on the case. [UPDATE: The settlement is now available on the FTC website.]

Previous marketing for the Remotespy stalkerware program

Previous marketing for the Remotespy stalkerware program

The FTC filed the case in 2008 following a complaint from EPIC.  The EPIC complaint detailed several practices by providers of stalkerware, including Cyberspy. The complaint noted that:

these companies promote illegal surveillance targets; promote the use of “Trojan Horse” email attacks; and fail to warn their customers of the legal risks of the improper use of this software.

The FTC followed up on that complaint, and investigated Cyberspy. In it’s filing, the FTC alleged that Cyberspy engaged in several unfair and deceptive trade practices:

  • Unfair Sale of Spyware
  • Unfair Collection and Disclosure of Consumer’s Personal Information
  • Providing the Means and Instrumentalities to Install Spyware and Access Consumer’s Personal Information
  • Providing the Means and Instrumentalities to Engage in Deception

Cyberspy provided the Remotespy program via its website. There were several indications that the software was not a legitimate monitoring tool, but was instead a harmful and malicious product. The Remotespy program functioned as a keylogger, making a record of every key typed. It also regularly took screenshots of the victim’s PC. Cyberspy taught users how to disguise the software as an innocuous email to be sent to the victim.  One the software was installed, the victim received no notice of it. The software sent the captured information — without encryption — from the victim’s machine to Cyberspy’s servers.  The purchaser could then log in to Cyberspy’s website and view the information. Cyberspy would organize the information for the snoop, including identifying websites, and which username/password pairs the victim used to access those sites.

The settlement prohibits several key activities. Cyberspy can no longer teach the purchaser about disguising the software.  This includes counseling them how to the hide the executable as an innocuous image, or in a word file, as well as barring Cyberspy from recommending the use of an anonymous email service. Further, the software can no longer function as a Trojan horse unless the purchaser shows they have administrative access to the machine.  Without administrative access, the software has to function more like a normal program:  showing a splash screen upon installation and installing desktop and task bar icons. These must have branding and naming similar to that used to sell the software.  The purchaser must also receive notices that only a computer owner or one with permission may use the program. These notices should come on the Remotespy website, when the software is purchased, and when the remote deployment is configured.  Cyberspy also has to control more tightly the reinstallation of its product — apparently the FTC believed that Cyberspy wasn’t enforcing its licenses, and was allowing more victimization.  Cyberspy will also have to encrypt, or otherwise render unreadable, the data that it collects.  Previous versions of the software transmitted this sensitive information without any encryption.  Lastly, Cyberspy and its affiliates can no longer sell old versions of the software, and existing installations must be disabled.

Some matters still remain.  The software is still being marketed as being able to “spy” — which is not how a legitimate monitoring tool would be marketed. The software still organizes the data in a way that would be useful to someone engaged in sniffing passwords. The order is silent in how the software interacts with anti-spyware and firewalls.  A legitimate user of a computer thus would have no way of knowing whether Remotespy is on their machine, or be guaranteed that an anti-spyware tool would block it.

Posted: May 10, 2010 in: