Consumer Cases
In re: Echometrix
Background
In 2004, SearchHelp, Inc., now Echometrix, Inc., announced the launch of parental control software products that allow parents to monitor their children’s online activities remotely. Echometrix develops FamilySafe and Sentry Parental Control products. These software products offer real-time alerts to parents when their children have encountered suspicious and potentially dangerous online material in chat rooms and instant message conversations, and allow parents to control, block, and filter their children’s computers.
In 2009, Echometrix launched PULSE, which is described as “a proprietary software engine that reads digital content from multiple sources across the web, including: instant messages (“IM”), blogs, social environment communities, forums, and chat rooms.” PULSE analyzes the data and provides market research intelligence about children to firms. Echometrix licenses the PULSE software for a fee.
EPIC conducted an in-depth study of these products and recognized several significant flaws with regard to consumer privacy protection. EPIC found that Echometrix (1) fails to fully disclose its information collection and disclosure practices on its websites; (2) collects sensitive information from children and simultaneously discloses it to third parties for marketing purposes; and (3) fails to warn users of the dangers of misusing the products.
EPIC filed a complaint to the FTC alleging that Echometrix engages in unfair and deceptive trade practices and also violates the Children’s Online Privacy Protection Act (COPPA). The complaint asked the FTC to conduct an investigation into Echometrix’s products, enjoin its unfair and deceptive practices, and seek damages for aggrieved individuals. Further, EPIC requested that the FTC enjoin Echometrix from offering these products until the company verifiably establishes that its data collection, use, and disclosure practices comply with the FTC Act, COPPA, and other applicable federal laws.
EPIC’s FTC Complaint
EPIC’s FTC complaint highlights several aspects of Echometrix products that threaten consumer privacy. The most significant allegations that the complaint makes include: (1) Echometrix collects personal information from children and discloses it to third parties for market intelligence purposes, in violation of COPPA; (2) the FamilySafe parental control software website does not have an easily accessible link to a privacy policy that describes how information is collected and used; (3) Sentry Parental Control’s privacy policy is not easily accessible and is incomplete; and (4) Echometrix’s website provides an incomplete privacy policy, which does not fully disclose how children’s information is used and offers contradictory information as to what kind of information is collected.
First, EPIC’s complaint states that the practice of surreptitiously collecting sensitive information from children and simultaneously disclosing this information to third parties for marketing purposes is unfair. These claims cause a substantial harm, not outweighed by any countervailing benefits, which consumers cannot reasonably avoid. In Sentry Parental Control’s privacy policy, which is not readily accessible, SearchHelp, Inc. (now Echometrix) claims that information collected from children is not disclosed to third parties. However, Echometrix’s other brand of products, PULSE, boasts of offering unfiltered online conversations and of having access to the teenage market in real-time by capturing instant message conversations, chat room conversations, and blog posts.
Second, EPIC’s complaint states that the privacy policy on Echometrix’s FamilySafe products website is not readily identifiable, and thus is in violation of COPPA. FamilySafe Solutions markets the “webwatcher” software via their websites. The marketing fails to disclose how information is being collected and used and fails to warn consumers of the dangers of using this product. In fact, the familysafesolutions.net webpage has no privacy policy that describes how information is collected and used.
Third, EPIC’s complaint states that the privacy policy on Echometrix’s Sentry Parental Controls website is unclear and inaccessible in violation of COPPA. Access to the Sentry Parental Controls’ privacy policy is only achieved through multiple steps – it is displayed only after clicking the SUPPORT heading, then the POLICIES link, and finally PRIVACY POLICY. The privacy policy allows parents to “delete” their child’s account, but admits that all of the child’s information may not be deleted from Sentry’s records. Further, Sentry’s privacy policy does not fully explain exactly how or for what purposes children’s information is being used. The policy explains that SearchHelp “receives and records information on our server logs from your child’s browser and chat clients, including IP address, SearchHelp cookie information, and the page requested,” using the information “to customize the advertising and content you see, fulfill your requests for products and services, improve our services, contact you, conduct research, and provide anonymous reporting for internal and external clients.” The policy does not make clear that information is sold to outside marketers or what kind of research is conducted, and does not make clear what kind of information is included.
Finally, EPIC’s complaint states that Echometrix’s own website does not fully or clearly disclose how information is collected and shared. The Echometrix website has a short privacy policy displayed on its webpage, which asserts that it is in full compliance with COPPA. The policy alleges that the company “NEVER has and NEVER will collect, distribute or sell personal information as defined by COPPA.” Further, according to Echometrix, “under no circumstances does Pulse identify nor expose in any way the source of any digital content.” Nowhere on the Echometrix website did EPIC find a disclaimer that warns users of the legal consequences of misusing the software or of illegal surveillance, nor was there any information regarding how the data collected from children is actually used. Additionally, Pulse boasts that it delivers unfiltered conversations and content and allows clients to view “how many conversations are taking place and where on the web they came from.” By collecting IM chat names from children through Sentry products, Echometrix is collecting personal information in violation of COPPA, as chat names are tied to unique email addresses. Because collection of e-mail addresses triggers the COPPA requirements, Echometrix must provide notice as to what kind and how this information is being used or disclosed and must obtain verifiable parental consent before use of this information. EPIC alleges Echometrix has failed to comply with these standards.
EPIC’s complaint describes the harm from Echometrix’s online data collection – harm that is experienced by the millions of children and teenagers in the United States who are not aware they are being monitored. The harm is also experienced by parents who unwittingly subject their children’s private information to third parties for marketing purposes. The deployer of the software is also harmed – in this case, a licensor of the PULSE software who is exposed to legal risks by using the software as advertised. Parental control software, if used for its narrow purposes as advertised, is not inherently deceptive. However, risks come with the company’s failure to disclose their practices concerning information collection, disclosure, and use.
FTC Authority to Act
The FTC’s primary enforcement authority with regards to privacy is derived from 15 U.S.C. § 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce.” This law provides a legal basis for the FTC to regulate business activities that threaten consumer privacy.
The FTC has the authority to enforce the Children’s Online Privacy Protection Act (COPPA) under 15 U.S.C. §§ 6501-06. The FTC has used this enforcement authority to prosecute fourteen COPPA violators. Although many FTC COPPA cases concern violations by website operators, the FTC has also successfully penalized the “information collection practices of [one] online service in connection with a software product.”
Legal Documents
- EPIC’s Complaint to the FTC (pdf) (September 25, 2009)
Echometrix Policies and Practices
- Echometrix Privacy Policy:
- Sentry Parental Controls Privacy Policy (Section on Children):
News Stories and Blog Items
- Brian Tarran, Privacy Group Logs FTC Complaint over Echometrix, Research (September 30, 2009).
- Wendy Davis, Company Allegedly Uses Monitoring Software to Collect Data from Children, MediaPost (September 29, 2009).
- Deborah Yao, Web-Monitoring Software Gathers Data on Kid Chats, ABC News (September 4, 2009).
Support Our Work
EPIC's work is funded by the support of individuals like you, who allow us to continue to protect privacy, open government, and democratic values in the information age.
Donate