WhenU privacy report - Part1


  • WhenU privacy report - Part1

    Richard Purcell, CEO
    A division of Three Forts, LLC

    October 2004

    Corporate Privacy Group (CPG) was asked by WhenU to investigate their statements
    concerning consumer information privacy and the non-invasive advertising software they deploy.
    The engagement is driven by continuing consumer concerns about invasive software, often
    referred to as spyware, that compromises individual control over personal computers, Internet
    services, and personal information. Corporate Privacy Group shares these concerns. We were
    pleased to investigate the WhenU privacy statements and technologies to test their commitment to
    consumer privacy.

    The term spyware lacks any precision either in definition or application. It incorporates any
    and every software program that a person might find distasteful. It has included programs designed
    to collect keystrokes, advertising applications based on individuals' Web browsing, cookies applied to
    Web page visitors and auto-update programs delivering anti-virus and other security patches.

    This year, efforts have been made to clarify the confusion by detailing the specific conditions
    that are lacking in spyware applications. Those conditions, at the end of the day, include the lack of
    transparency, choice and control. In other words, spyware is characterized as sneaky, prying and
    stubborn. WhenU engaged Corporate Privacy Group to evaluate its public commitments to the
    principles of transparency, choice and control and to investigate how well their client software
    supported those principles.


    Corporate Privacy Group is headed by Richard Purcell, an internationally recognized expert in
    information privacy and consumer data protection. Mr. Purcell founded Microsoft's global enterprise
    privacy practice during his 10+ year tenure with that company. As Microsoft's first Chief Privacy
    Officer, he presided over the initial challenges facing technology companies in providing meaningful
    privacy protections in their products and services.

    Mr. Purcell developed one of the first enterprise privacy programs for a multi-national US
    company. He founded Microsoft's privacy program during the late 90s, taking the newly-created
    CPO position in January 2000.

    Mr. Purcell served on the Federal Trade Commission's Advisory Committee on Online Access
    and Security, worked closely with the Worldwide Web Consortium (W3C) on the Platform for Privacy
    Preferences (P3P), and contributed to the adoption of P3P in Microsoft Internet Explorer version 6.

    In September 2000, Mr. Purcell joined the Board of Directors for TRUSTe, the leading
    organization for Web privacy trustmark seals. Later, Mr. Purcell joined the Board of Directors for the
    Int'l Association of Privacy Professionals. He also co-founded the Conference Board's Council of Chief
    Privacy Officers.

    Mr. Purcell left Microsoft in early 2003 in order to establish Corporate Privacy Group and
    pursue his ambition as an independent expert for information privacy. He has since worked with
    several Fortune 100 companies, developed Privacy Directions training courses, developed his
    proprietary model for privacy management called 3PTSM, and spoken on privacy at numerous

    ProStructure Consulting provides services designing, securing, and monitoring computer
    network infrastructures and servers. Founder A. Brandon Psmythe is a seven-year veteran of the
    core IT team at Intel Corporation, where he designed the network and data center connectivity that
    Intel's Pentium4 chipset was created upon. He also architected a unique and secure VPN solution
    that allowed some of Intel's tool providers to quickly test and diagnose problems with their tools,
    without compromising any of the valuable Intellectual Property that these tools were working on.

    Irving Popevetsky, CISSP, is Chief Security consultant at ProStructure. He has eight years'
    experience in IT and is a recognized expert in penetration testing, Web application security, incident
    response reporting and UNIX systems engineering.

    In approaching this engagement, both CPG and our technology cohort, ProStructure
    Consulting, were skeptical of the outcome. After all, the public debate over spyware and adware has
    been heated, contentious, and charged with anger. Going in, we knew that we were addressing
    adware, not spyware, technology. Still, we were prepared to investigate every angle of the
    company's public statements and the consistency of their technical architecture's support for those
    statements. Our purpose was to discover any gaps between their statements of privacy protections
    and their technical architecture's implementation of that policy.

    Over the past several years, many companies providing online advertising services have run
    into significant privacy issues. The state of the art has focused on the development of very smart
    algorithms able to determine best match between what consumers do and what they want. The
    idea is that behavior indicates interest, often referred to as behavioral targeting. Online advertising
    solutions therefore require collecting, analyzing, and testing millions of consumer records. Vast
    consumer profiles have been created based, at least partly, on personal identity and information.
    The result has been consumer anxiety over the use and security of this enormous amount of personal
    information stored by these large companies acting on behalf of the advertisers themselves.

    Not surprisingly, WhenU's model also concentrates on connecting consumer behavior and
    desirable advertising outcomes. The very large difference, though, is that their innovative solution,
    which is elegantly implemented, places the decision-processing on the individual's computer. They
    thereby avoid the vast data collection and consumer profiling fueling consumer anxiety.

    We found the WhenU software was thoughtfully designed and well-coded. Consistent with
    company statements, it focuses on showing consumers relevant ads without compromising their

    CPG pursued several areas to evaluate WhenU and its privacy promises.

    On 28 June 2004, I interviewed Mr. Avi Naider, WhenU CEO, by telephone. Avi consistently
    demonstrated a clear understanding of the company vision for delivering advertising using
    privacy-protecting client-side software. He emphasized the fundamental position that advertising must be
    contextually accurate to be effective, a position that is strongly supported by the SaveNow

    Avi emphasized the implementation strategies that are very important to the operation of the

      • The client installation includes an executable and a directory
      • The directory is constantly updated in small data bursts
      • The client installation sets up several GUIDs (Globally Unique Identifiers) used to
        create the server ping for updates, to report the user machine configuration,
        and to report user geography, where available
      • The network traffic does not include user personal information or persistent user
      • The directory includes client-side filters used to prevent sending terms that are
        not useful or potentially embarrassing (e.g., terms for adult Web sites)

    Overall, Avi was articulate, well-informed, and even passionate about the workings and
    benefits of WhenU software. Following up, Avi forwarded a privacy evaluation report from April
    2002. At that time, the company engaged Evolution Softworks of New York City to verify their
    privacy policy and technology. We compared that privacy report to current conditions.

    The WhenU privacy statement describes its commitment to privacy in consistent and
    meaningful terms and translates that commitment to technical language that is appropriate and

    Comparing the privacy assurances from the April 02 report and today shows no material
    change between the periods. Those changes made, emphasized below using italics, are
    clarifications, not material changes.

    Columns: Statement Source / April 02 Report / July 04 Evaluation (difference highlighted in italics)

    Statement Source: License in BearShare Installer
    April 02 Report: WhenU does NOT assemble personally-identifiable profiles of SaveNow users
    and personally identifiable information is not required in order to use the SaveNow software
    July 04 Evaluation: Identical statement

    Statement Source: License from
    April 02 Report: Personally identifiable information is NOT required in order to use the software
    July 04 Evaluation: Your personally identifiable information is not required in order to use the software.

    Statement Source: License in BearShare Installer
    April 02 Report: SaveNow does NOT transmit a full history of URLS visited by the user to the servers
    July 04 Evaluation: Identical statement

    Statement Source: License from
    April 02 Report: does NOT transmit URLS visited by the user to or any third party server
    July 04 Evaluation: As you surf the Internet, your clickstream data (i.e., a log of all sites you visit)
    is not transmitted to WhenU or any third party

    Statement Source: License from
    April 02 Report: does NOT track which ads and offers are seen or clicked on by individual machines
    July 04 Evaluation: does not track which ads and offers you see as an individual user all our
    analysis and tracking of ads is done in the

    As is the case with most companies, WhenU updates their privacy statement regularly in
    order to clarify their practices. We found that these changes have not been the result of technical
    changes but are due to their ongoing commitment to transparency. We provide further analysis
    below under Personal Information.