Back to top

    FTC Complaint Filed Over AskEraser: “Unfair & Deceptive”

    Photo adapted from one by Hans Engel Some felt Ask.com won the privacy oneupmanship that went on last year when it rolled out Ask Eraser, a tool promising to stop recording any information about someone doing a search. But questions quickly came up, including whether the tool helped at all, considering that query data was […]

    AskEraser
    Photo adapted
    from one by Hans
    Engel

    Some felt Ask.com won the
    privacy oneupmanship
    that went on last year when it rolled out
    Ask Eraser, a tool
    promising to stop recording any information about someone doing a search. But
    questions quickly came up, including whether the tool helped at all, considering
    that query data was still being sent to Ask’s paid listings partner, Google. A
    privacy group complained
    to Ask last month, and now Wired reports that it and others have filed a formal
    complaint with the US government.


    Ask.com’s Privacy Tool Tracks Users, Groups Tell Feds
    covers how the
    Electronic Privacy Information Center along with
    other groups such as Center For Digital Democracy and Consumer Action have asked
    the US Federal Trade Commission to rule on whether Ask is using unfair and
    deceptive trade practices in marketing its tool. From a summary on the EPIC home
    page (they’ve yet to post a standalone press release):

    EPIC and five other groups filed a complaint with the Federal Trade
    Commission alleging that Ask.com is engaging in unfair and deceptive trade
    practices with the representations concerning AskEraser, a search service that
    purports to protect privacy. Among the critical points highlighted by the
    consumer privacy coalition:

    (1) users must accept an AskEraser cookie and disable a genuine privacy
    feature in browsers that block cookies
    (2) the AskEraser cookie is a unique persistent identifier that makes it easy
    for Ask.com, its business partners, and the government to track the activities
    of AskEraser users; and
    (3) Ask.com will disable the search delete feature — the central purpose of
    the Ask Eraser service — without notice to the user.

    The complaint follows a December letter (pdf) to Ask.com describing these
    security and privacy problems.

    The actual complaint can be found
    here (PDF),
    and the initial letter to Ask
    here (PDF).

    On the first issue, it seems difficult to fault Ask that in order to ensure
    someone wants their search history to be immediately deleted, they need to know
    who that person is —
    ironically through a cookie
    . As long as Ask is actually deleting the
    information within minutes or hours as advertised, that seems pretty acceptable.

    In particular, privacy groups have pushed for data destruction as a way to
    ensure privacy. What’s not kept can’t be leaked. Unless there’s a real paranoia
    that a few hours’ worth of searches would slip out, it seems like Ask ought to be
    praised rather than battered.

    Saying that Ask is disabling a "genuine privacy feature" goes a bit far. In
    particular, the complaint says:

    A typical privacy feature in a software browser is the option not to accept
    a cookie. Ask.com requires users to disable this privacy feature so that the
    AskEraser cookie will be stored on the user’s computer.

    To my knowledge, few people block all cookies. But let’s say you did. Then
    when you went to Ask, while your computer wouldn’t be tagged, your IP address
    (which some groups find sensitive enough) would still be logged. And if you’re
    in a corporate environment, you might have the same IP address all the time.
    Enabling AskEraser is supposed to delete your IP address — and last time I
    looked, a good browser would allow you to selectively allow a cookie from a
    particular site, if you wanted.

    As for the second item — scary, the government can track you! Yes, they can
    track that you (or at least a computer with a particular cookie) has requested
    that data be regularly destroyed. But as I said, as long as that data is indeed
    being destroyed, no harm, no foul.

    Unfortunately, Ask’s problem is that the data might NOT be destroyed. That’s
    where point three comes in. If there’s an error — or if there’s a legal request
    — Ask might switch AskEraser back on. Ask
    discloses this
    in its FAQ, so I’m not sure the FTC will find that the company is being
    deceptive. Perhaps Ask could be clearer. AskEraser users might have AskEraser
    turned off if there’s a legal request AND that legal request prevents Ask from
    informing the user. It’s hard to fault a company as deceptive if there’s a legal
    compulsion forcing it to do something.

    Far more worrying to me are other points not itemized in the summary but
    which come up in the complaint — in particular the third-party sharing.
    From the
    AskEraser FAQ:

    What about data collected by third-party partners?
    When enabled, AskEraser will delete your search activity from Ask.com servers.
    We cannot delete your search activity from the servers of third-party
    companies that receive your search queries to provide you with certain aspects
    of our search results (for example, current weather conditions, stock market
    summaries, etc.), sponsored search results and other product features.

    The complaint says about this:

    a) AskEraser does not prevent or regulate the collection and use of
    searches conducted on Ask.com by third-party advertising companies, which may
    use a third-party cookie to gather information about the Ask.com user.
    Therefore, information gathered on one site may be used for targeted
    advertising on another site. A limited and rather burdensome option exists to
    prevent certain advertising companies from using their cookies to obtain
    search results. To achieve this, the user has to go to another site and
    individually select and disable the companies that the user does not want to
    receive advertising from. This option is not reasonable given that AskEraser
    purports to protect the user’s privacy upon simply clicking and enabling the
    AskEraser function.

    b) Ask.com also shares information with third-party service providers. In
    spite of AskEraser being enabled, the user’s search queries are kept on the
    servers of third-party companies.

    Those third parties include Google,
    as we and
    others
    have noted.

    Ask.com Puts a Bet on Privacy
    from the New York Times had this comment on
    that from Ask:

    Ask.com relies on Google to deliver many of the ads that appear next to its
    search results. Under an agreement between the two companies, Ask.com will
    continue to pass query information on to Google. Mr. Leeds acknowledged that
    AskEraser cannot promise complete anonymity, but said it would greatly
    increase privacy protections for users who want them, as Google is
    contractually constrained in what it can do with that information. A Google
    spokesman said the company uses the information to place relevant ads and to
    fight certain online scams.

    That’s a far bigger issue, and I’m surprised EPIC didn’t lead with that,
    rather than the three other points that are easy to take apart. Someone engaging
    AskEraser probably does not understand or expect that their query and IP
    address, along with perhaps a unique cookie ID, is flowing over to Google so
    that Ask can retrieve ads. And they are not reasonably expecting they have to go
    to Google or another partner to try and delete information there (if they can —
    they probably can’t).

    That’s the big flaw with AskEraser. The complaint also notes that those using
    the Ask toolbar won’t get AskEraser protection, even if enabled. On that point,
    I think the FAQ is clear enough.

    In terms of demands, the complaint wants AskEraser removed entirely and that
    if it returns, that Ask find another way to implement it. In particular, it
    wants opt-in cookies. The thought seems to be that anyone coming to Ask should
    always be asked if they want a cookie, so that perhaps people are more aware
    they’ll get a cookie when they install AskEraser. It also demands that all
    search data be destroyed. All. Not just those of AskEraser users (virtually all
    of whom should have the data already removed, if the system works as promised).
    And going back before AskEraser existed, to boot. Seems extreme, especially when
    Ask has already pledged
    to destroy data more than 18 months old for everyone.

    Overall, while I may seem critical of EPIC and gang for being extreme, if not
    picky, on some points, make no mistake — I applaud them for pushing on the issue
    if only for the third party sharing. That’s a serious concern, a serious flaw in
    what searchers may think they’re getting — but don’t get — in terms of privacy
    protection.


    Contributing authors are invited to create content for Search Engine Land and are chosen for their expertise and contribution to the search community. Our contributors work under the oversight of the editorial staff and contributions are checked for quality and relevance to our readers. Search Engine Land is owned by Semrush. Contributor was not asked to make any direct or indirect mentions of Semrush. The opinions they express are their own.


    About the Author

    Danny Sullivan
    Danny Sullivan was a journalist and analyst who covered the digital and search marketing space from 1996 through 2017. He was also a cofounder of Third Door Media, which publishes Search Engine Land and MarTech, and produces the SMX: Search Marketing Expo and MarTech events. He retired from journalism and Third Door Media in June 2017. You can learn more about him on his personal site & blog He can also be found on Facebook and Twitter.