Focusing public attention on emerging privacy and civil liberties issues

Echometrix

Top News

  • California Enacts Comprehensive Student Privacy Law: California has passed the "Student Online Personal Information Protection Act," a comprehensive student privacy law. Among other provisions, the new law: (1) prohibits K-12 mobile and online service operators from using student information to target advertisements to students; (2) prohibits online service providers from creating K-12 student profiles for commercial purposes; and (3) forbids companies from selling student information. The law also requires K-12 mobile and online service operators to establish security measures and to delete student information at the request of a school or district. California also passed a law requiring schools that outsource student records to include privacy in contracts, and a law governing school social media monitoring programs. The Student Online Personal Information Protection Act incorporates many proposals EPIC outlined in the Student Privacy Bill of Rights. For more information, see EPIC: Student Privacy, EPIC: EPIC v. Education Dept., and EPIC: Echometrix. (Oct. 2, 2014)
  • Federal Trade Commission Acts Late and Ineffectively on EPIC Complaint Regarding Echometrix: The Federal Trade Commission announced a settlement of its charges against Echometrix, over one year after EPIC filed a complaint in this matter. Echometrix is a software company that sold "parental control software" that collected data on children using the Internet for marketing purposes. Under the settlement with the Agency, Echometrix agreed not to share any data and to destroy the information it had collected in its marketing database, but was not required to pay any fines. EPIC's complaint to the Agency highlighted several aspects of Echometrix products that threatened consumer privacy, and alleged that Echometrix had engaged in unfair and deceptive trade practices and violated the Children's Online Privacy Protection Act. In contrast to the Federal Trade Commission, the Defense Department quickly canceled a contract with Echometrix following EPIC's complaint, and the New York Attorney General filed charges against the company, which resulted in Echometrix paying a $100,000 penalty to the state of New York. For more information, see EPIC: Echometrix. (Nov. 30, 2010)
  • Echometrix to Pay $100,000 Fine and Stop Unfair Practices in Settlement with NY AG: The New York Attorney General announced a settlement in a case against Echometrix, a software company that sold “Parental control software” that collected data on kids using the Internet for marketing purposes. EPIC filed a complaint with the FTC in 2009 alleging that Echometrix had engaged in unfair and deceptive trade practices and violated the Children's Online Privacy Protection Act. EPIC's complaint highlighted several aspects of Echometrix products that threatened consumer privacy. Documents obtained by EPIC, pursuant to a Freedom of Information Act request, revealed that the Defense Department canceled a contract with Echometrix following the EPIC FTC complaint. Under the settlement with the New York Attorney General's Office, Echometrix will pay a $100,000 penalty to the state of New York, and has agreed not to "analyze or share with third parties any private communications, information, or online activity to which they have access." For more information, see EPIC - Echometrix. (Sep. 17, 2010)
  • Defense Department Pulls Parental Control Software Product Following EPIC Complaint: Documents obtained by EPIC, pursuant to a Freedom of Information Act (FOIA) request, revealed the Defense Department canceled a contract with Echometrix, following an EPIC complaint to the Federal Trade Commission earlier this year. According to the documents obtained by EPIC, the Army and Air Force Exchange Service pulled My Military Sentry, which collects data for marketing purposes, from its online store: “The collection of AAFES customer information (personal or otherwise) for any other purpose than to provide quality customer service is prohibited . . . . Giving our customers the ability to opt out does not address this issue.” For more information, see EPIC: In re Echometrix. (Dec. 4, 2009)
  • EPIC to FTC: "Parental Control" Software Firm Gathers Data for Marketing: EPIC filed a complaint with the Federal Trade Commission against Echometrix, the developer of parental control software that monitors children’s online activity. Echometrix analyzes the information collected from children and sells the data to third parties for market-intelligence research. The EPIC complaint alleges that Echometrix engages in unfair and deceptive trade practices by representing that the software protects children online while simultaneously collecting and disclosing information about children's online activity. The complaint further alleges that Echometrix’s practices violate the Children’s Online Privacy Protection Act by collecting and disclosing information from children under the age of 13. The EPIC complaint asks the FTC to stop these practices, seek compensation for victims, and ensure that Echometrix’s collection and disclosure practices comply with COPPA. For more information on the Children’s Online Privacy Protection Act, see EPIC COPPA. (Sep. 29, 2009)

Background

In 2004, SearchHelp, Inc., now Echometrix, Inc., announced the launch of parental control software products that allow parents to monitor their children’s online activities remotely. Echometrix develops FamilySafe and Sentry Parental Control products. These software products offer real-time alerts to parents when their children have encountered suspicious and potentially dangerous online material in chat rooms and instant message conversations, and allow parents to control, block, and filter their children’s computers.

sentry features.JPG

In 2009, Echometrix launched PULSE, which is described as “a proprietary software engine that reads digital content from multiple sources across the web, including: instant messages (“IM”), blogs, social environment communities, forums, and chat rooms.” PULSE analyzes the data and provides market research intelligence about children to firms. Echometrix licenses the PULSE software for a fee.

pulse.JPG

EPIC conducted an in-depth study of these products and recognized several significant flaws with regard to consumer privacy protection. EPIC found that Echometrix (1) fails to fully disclose its information collection and disclosure practices on its websites; (2) collects sensitive information from children and simultaneously discloses it to third parties for marketing purposes; and (3) fails to warn users of the dangers of misusing the products.

EPIC filed a complaint to the FTC alleging that Echometrix engages in unfair and deceptive trade practices and also violates the Children's Online Privacy Protection Act (COPPA). The complaint asked the FTC to conduct an investigation into Echometrix’s products, enjoin its unfair and deceptive practices, and seek damages for aggrieved individuals. Further, EPIC requested that the FTC enjoin Echometrix from offering these products until the company verifiably establishes that its data collection, use, and disclosure practices comply with the FTC Act, COPPA, and other applicable federal laws.

EPIC's FTC Complaint

EPIC’s FTC complaint highlights several aspects of Echometrix products that threaten consumer privacy. The most significant allegations that the complaint makes include: (1) Echometrix collects personal information from children and discloses it to third parties for market intelligence purposes, in violation of COPPA; (2) the FamilySafe parental control software website does not have an easily accessible link to a privacy policy that describes how information is collected and used; (3) Sentry Parental Control’s privacy policy is not easily accessible and is incomplete; and (4) Echometrix’s website provides an incomplete privacy policy, which does not fully disclose how children’s information is used and offers contradictory information as to what kind of information is collected.

First, EPIC’s complaint states that the practice of surreptitiously collecting sensitive information from children and simultaneously disclosing this information to third parties for marketing purposes is unfair. These claims cause a substantial harm, not outweighed by any countervailing benefits, which consumers cannot reasonably avoid. In Sentry Parental Control’s privacy policy, which is not readily accessible, SearchHelp, Inc. (now Echometrix) claims that information collected from children is not disclosed to third parties. However, Echometrix’s other brand of products, PULSE, boasts of offering unfiltered online conversations and of having access to the teenage market in real-time by capturing instant message conversations, chat room conversations, and blog posts.

Second, EPIC’s complaint states that the privacy policy on Echometrix’s FamilySafe products website is not readily identifiable, and thus is in violation of COPPA. FamilySafe Solutions markets the “webwatcher” software via their websites. The marketing fails to disclose how information is being collected and used and fails to warn consumers of the dangers of using this product. In fact, the familysafesolutions.net webpage has no privacy policy that describes how information is collected and used.

Third, EPIC’s complaint states that the privacy policy on Echometrix’s Sentry Parental Controls website is unclear and inaccessible in violation of COPPA. Access to the Sentry Parental Controls’ privacy policy is only achieved through multiple steps - it is displayed only after clicking the SUPPORT heading, then the POLICIES link, and finally PRIVACY POLICY. The privacy policy allows parents to “delete” their child’s account, but admits that all of the child’s information may not be deleted from Sentry’s records. Further, Sentry’s privacy policy does not fully explain exactly how or for what purposes children’s information is being used. The policy explains that SearchHelp “receives and records information on our server logs from your child’s browser and chat clients, including IP address, SearchHelp cookie information, and the page requested,” using the information “to customize the advertising and content you see, fulfill your requests for products and services, improve our services, contact you, conduct research, and provide anonymous reporting for internal and external clients.” The policy does not make clear that information is sold to outside marketers or what kind of research is conducted, and does not make clear what kind of information is included.

Finally, EPIC’s complaint states that Echometrix’s own website does not fully or clearly disclose how information is collected and shared. The Echometrix website has a short privacy policy displayed on its webpage, which asserts that it is in full compliance with COPPA. The policy alleges that the company “NEVER has and NEVER will collect, distribute or sell personal information as defined by COPPA.” Further, according to Echometrix, “under no circumstances does Pulse identify nor expose in any way the source of any digital content.” Nowhere on the Echometrix website did EPIC find a disclaimer that warns users of the legal consequences of misusing the software or of illegal surveillance, nor was there any information regarding how the data collected from children is actually used. Additionally, Pulse boasts that it delivers unfiltered conversations and content and allows clients to view "how many conversations are taking place and where on the web they came from." By collecting IM chat names from children through Sentry products, Echometrix is collecting personal information in violation of COPPA, as chat names are tied to unique email addresses. Because collection of e-mail addresses triggers the COPPA requirements, Echometrix must provide notice as to what kind and how this information is being used or disclosed and must obtain verifiable parental consent before use of this information. EPIC alleges Echometrix has failed to comply with these standards.

EPIC's complaint describes the harm from Echometrix’s online data collection - harm that is experienced by the millions of children and teenagers in the United States who are not aware they are being monitored. The harm is also experienced by parents who unwittingly subject their children’s private information to third parties for marketing purposes. The deployer of the software is also harmed - in this case, a licensor of the PULSE software who is exposed to legal risks by using the software as advertised. Parental control software, if used for its narrow purposes as advertised, is not inherently deceptive. However, risks come with the company’s failure to disclose their practices concerning information collection, disclosure, and use.

FTC Authority to Act

The FTC's primary enforcement authority with regards to privacy is derived from 15 U.S.C. § 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." This law provides a legal basis for the FTC to regulate business activities that threaten consumer privacy.

The FTC has the authority to enforce the Children’s Online Privacy Protection Act (COPPA) under 15 U.S.C. §§ 6501-06. The FTC has used this enforcement authority to prosecute fourteen COPPA violators. Although many FTC COPPA cases concern violations by website operators, the FTC has also successfully penalized the “information collection practices of [one] online service in connection with a software product.”

Legal Documents

Echometrix Policies and Practices

News Stories and Blog Items