Photo adapted from one by Hans Engel
Some felt Ask.com won the privacy one-upmanship that went on last year when it rolled out AskEraser, a tool promising to stop recording any information about someone doing a search. But questions quickly came up, including whether the tool helped at all, considering that query data was still being sent to Ask’s paid listings partner, Google. A privacy group complained to Ask last month, and now Wired reports that it and others have filed a formal complaint with the US government.
Ask.com’s Privacy Tool Tracks Users, Groups Tell Feds covers how the Electronic Privacy Information Center along with other groups such as Center For Digital Democracy and Consumer Action have asked the US Federal Trade Commission to rule on whether Ask is using unfair and deceptive trade practices in marketing its tool. From a summary on the EPIC home page (they’ve yet to post a standalone press release):
EPIC and five other groups filed a complaint with the Federal Trade Commission alleging that Ask.com is engaging in unfair and deceptive trade practices with the representations concerning AskEraser, a search service that purports to protect privacy. Among the critical points highlighted by the consumer privacy coalition:
(1) users must accept an AskEraser cookie and disable a genuine privacy feature in browsers that block cookies
(2) the AskEraser cookie is a unique persistent identifier that makes it easy for Ask.com, its business partners, and the government to track the activities of AskEraser users; and
(3) Ask.com will disable the search delete feature — the central purpose of the Ask Eraser service — without notice to the user.
The complaint follows a December letter (pdf) to Ask.com describing these security and privacy problems.
On the first issue, it seems difficult to fault Ask for the fact that, in order to know that someone wants their search history immediately deleted, it needs to know who that person is — ironically, through a cookie. As long as Ask is actually deleting the information within minutes or hours as advertised, that seems pretty acceptable.
In particular, privacy groups have pushed for data destruction as a way to ensure privacy. What’s not kept can’t be leaked. Unless there’s a real paranoia that a few hours’ worth of searches would slip out, it seems like Ask ought to be praised rather than battered.
Saying that Ask is disabling a "genuine privacy feature" goes a bit far. In particular, the complaint says:
A typical privacy feature in a software browser is the option not to accept a cookie. Ask.com requires users to disable this privacy feature so that the AskEraser cookie will be stored on the user’s computer.
To my knowledge, few people block all cookies. But let’s say you did. Then when you went to Ask, while your computer wouldn’t be tagged, your IP address (which some groups find sensitive enough) would still be logged. And if you’re in a corporate environment, you might have the same IP address all the time. Enabling AskEraser is supposed to delete your IP address — and last time I looked, a good browser would allow you to selectively allow a cookie from a particular site, if you wanted.
As for the second item — scary, the government can track you! Yes, they can track that you (or at least a computer with a particular cookie) have requested that data be regularly destroyed. But as I said, as long as that data is indeed being destroyed, no harm, no foul.
Unfortunately, Ask’s problem is that the data might NOT be destroyed. That’s where point three comes in. If there’s an error — or if there’s a legal request – Ask might switch AskEraser back on. Ask discloses this in its FAQ, so I’m not sure the FTC will find that the company is being deceptive. Perhaps Ask could be clearer. AskEraser users might have AskEraser turned off if there’s a legal request AND that legal request prevents Ask from informing the user. It’s hard to fault a company as deceptive if there’s a legal compulsion forcing it to do something.
Far more worrying to me are other points not itemized in the summary but which come up in the complaint — in particular the third-party sharing. From the AskEraser FAQ:
What about data collected by third-party partners?
When enabled, AskEraser will delete your search activity from Ask.com servers. We cannot delete your search activity from the servers of third-party companies that receive your search queries to provide you with certain aspects of our search results (for example, current weather conditions, stock market summaries, etc.), sponsored search results and other product features.
The complaint says about this:
a) AskEraser does not prevent or regulate the collection and use of searches conducted on Ask.com by third-party advertising companies, which may use a third-party cookie to gather information about the Ask.com user. Therefore, information gathered on one site may be used for targeted advertising on another site. A limited and rather burdensome option exists to prevent certain advertising companies from using their cookies to obtain search results. To achieve this, the user has to go to another site and individually select and disable the companies that the user does not want to receive advertising from. This option is not reasonable given that AskEraser purports to protect the user’s privacy upon simply clicking and enabling the AskEraser function.
b) Ask.com also shares information with third-party service providers. In spite of AskEraser being enabled, the user’s search queries are kept on the servers of third-party companies.
Ask.com relies on Google to deliver many of the ads that appear next to its search results. Under an agreement between the two companies, Ask.com will continue to pass query information on to Google. Mr. Leeds acknowledged that AskEraser cannot promise complete anonymity, but said it would greatly increase privacy protections for users who want them, as Google is contractually constrained in what it can do with that information. A Google spokesman said the company uses the information to place relevant ads and to fight certain online scams.
That’s a far bigger issue, and I’m surprised EPIC didn’t lead with that, rather than the three other points that are easy to take apart. Someone engaging AskEraser probably does not understand or expect that their query and IP address, along with perhaps a unique cookie ID, are flowing over to Google so that Ask can retrieve ads. And they are not reasonably expecting they have to go to Google or another partner to try to delete information there (if they can – they probably can’t).
That’s the big flaw with AskEraser. The complaint also notes that those using the Ask toolbar won’t get AskEraser protection, even if enabled. On that point, I think the FAQ is clear enough.
In terms of demands, the complaint wants AskEraser removed entirely and, if it returns, wants Ask to find another way to implement it. In particular, it wants opt-in cookies. The thought seems to be that anyone coming to Ask should always be asked if they want a cookie, so that perhaps people are more aware they’ll get a cookie when they install AskEraser. It also demands that all search data be destroyed. All. Not just those of AskEraser users (virtually all of whom should have the data already removed, if the system works as promised). And going back before AskEraser existed, to boot. Seems extreme, especially when Ask has already pledged to destroy data more than 18 months old for everyone.
Overall, while I may seem critical of EPIC and gang for being extreme, if not picky, on some points, make no mistake — I applaud them for pushing on the issue if only for the third-party sharing. That’s a serious concern, a serious flaw in what searchers may think they’re getting — but don’t get — in terms of privacy protection.