Jan 6, 2012 - Upromise, a program that gives back a percentage of its members' spending for college savings, is designed to make saving for college easier. But the program may have made it easier for thieves to steal a user's identity, according to the Federal Trade Commission.

On Thursday, Upromise was charged with deceptive trade practices by the FTC for recording users' personal and financial data and then transmitting that information without their knowledge. A proposed settlement of those allegations was also announced on Thursday.

The FTC said Upromise, which is owned by student lender Sallie Mae, offered a toolbar for web users that recorded credit card numbers, bank account numbers, security codes, expiration dates - everything needed for identity theft - in addition to cataloging the websites they visited. The software converted information entered by users on secure websites into text that could be easily intercepted by crooks.

"All the measures that banks or other websites had taken to say we have a secure connection with you were basically undone," said Ruth Yodaiken, an attorney in the FTC's Division of Privacy and Identity Protection.

She said the technology to capture the information is readily available at little or no cost to anyone with the inclination to collect the data. The FTC did not accuse Upromise of intentionally trying to collect this information, but rather of not taking enough safeguards.

Beyond just exposing users' personal and financial information, Yodaiken said, Upromise wasn't upfront about the information that was collected. "We alleged in the complaint a lot more data was gathered than consumers were told was gathered."

Upromise's software allegedly collected the information for two years, ending in 2010 when a security researcher uncovered the practice, the FTC said. At least 150,000 users signed up for the toolbar with the promise that they would receive personalized offers. Nothing in the information provided to them when they downloaded the toolbar indicated that their personal information would be recorded. Upromise claims it has about 10 million members.

Participants in the program already allow Upromise to learn a lot about them. When you sign up, you register credit cards, debit cards and loyalty cards. Details of your transactions are recorded so you can be rewarded with a percentage of your spending that can then be put in a 529 college savings account.

The company agreed to destroy the data collected by the toolbar software as part of the settlement, which includes no financial penalties but carries a potential $16,000 per violation fine for any future infraction. Upromise also will have to notify all those who used the toolbar about the potential of their personal information being exposed, and tell them how to remove the software if they still have it on their computers. In addition, Upromise agreed to submit to a third-party review of its security practices every other year for 20 years.

Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, said the settlement mirrors the FTC's agreement in November to resolve charges leveled against social networking giant Facebook that users' privacy wishes were ignored.

Upromise officials said the problem was unintentional, affected only a small percentage of users and was quickly fixed after they were made aware of it.

"Two years ago, we learned that an issue with a vendor's software created the potential for inadvertent data access which could have affected approximately 1 percent of our members," Upromise spokeswoman Debby Hohler said in a statement emailed to Reuters. "Our members' privacy is extremely important to us, and we took immediate action to resolve the issue. There was no evidence of any misuse of data. We have fully cooperated with the FTC and have addressed their concerns."

FTC officials said they could not comment on whether any of the information was misused since that information was not included in the complaint lodged against Upromise.

Upromise is required under the proposed settlement to disclose information about data collection more clearly and prominently in the future - and require that users agree to those terms before they download and use any similar product.

Yodaiken, the FTC attorney, said collecting lots of user data in and of itself isn't a problem. In fact, she said, it can be a good thing for consumers, who stand to get a richer and more personalized online experience.

But, fellow FTC attorney Katrina Blodgett added, companies must be upfront with their customers about the information that's being gathered. "When companies collect this information that can be used in really useful ways, they just need to tell consumers the truth about what they're doing."

---

The author is a Reuters contributor. The opinions expressed are his own. (Editing by Jilian Mincer and Beth Pinsker Gladstone)