DOD nixes vendor of online monitoring software over privacy concerns

Computerworld - EchoMetrix Inc., a vendor of parental control software that is already under fire for alleged violations of an online children's privacy law, has been suspended from selling its products on a U.S. Department of Defense shopping portal because of privacy concerns.

The action was taken in late October, barely three weeks after EchoMetrix began listing its Internet monitoring products for sale through the U.S. Army and Air Force Exchange Service's (AAFES) Exchange Online Mall. However, news of the suspension surfaced only this week after the Electronic Privacy Information Center (EPIC) obtained documents relating to the incident via a Freedom of Information Act request it had filed with the Defense Department.

The documents show that the AAFES removed EchoMetrix's My Military Sentry Parental Controls product from its Web site because of concerns EPIC raised that customer information was being surreptitiously collected and sold to third parties by EchoMetrix.

An AAFES spokeswoman confirmed the suspension today and said that it had resulted from the privacy concerns raised by EPIC.

"To the best of our knowledge, no military personnel signed up for the service during the approximately three weeks it was available," the spokeswoman said. She added that Exchange Online Mall personnel are monitoring the situation and "will make a decision on how to proceed after further review."

Syosset, N.Y.-based EchoMetrix sells a range of parental control software designed to monitor children's activity on the Internet and to alert parents when a child encounters questionable material. The My Military Sentry product that was pulled from the AAFES Web site is identical to a civilian version of the product called Sentry.

The company, in an e-mailed statement, firmly maintained that it does not collect any information that violates children's privacy laws.

In September, EPIC, a Washington-based privacy advocacy group, filed a complaint against EchoMetrix with the Federal Trade Commission. EPIC claimed that EchoMetrix was violating the provisions of the Children's Online Privacy Protection Act (COPPA) by collecting personally identifiable information about children and their browsing habits and online chats.

EPIC claimed that EchoMetrix used the information to deliver targeted advertising to children and also sold that information to third-party marketers. In its complaint, EPIC pointed to a separate service offered by EchoMetrix called Pulse, which analyzes data gathered from multiple sources including instant messages, blogs and chat rooms. The information is sold as market research intelligence to marketing companies, the EPIC complaint said.

"Pulse boasts of offering unfiltered online conversations and of having access to the teenage market in real-time by capturing instant message conversations, chat room conversations, and blog posts," EPIC claimed.

EchoMetrix's marketing promotes "illegal surveillance" of children, EPIC said in its FTC complaint. EPIC further stated that EchoMetrix's privacy policies were not clearly spelled out and offered no easy way for customers to opt out of such tracking.

In an e-mailed statement, EchoMetrix denied the allegations. "EchoMetrix does not collect personally identifiable information or expose the source of any digital content," the statement said. "The company has never and will never collect, distribute or sell personal information as defined by COPPA."

Kimberly Nguyen, a lawyer for EPIC, said the group's main concern is with the collection of personal data on children. "According to COPPA, companies can't collect personal data from children" without parental consent, which is precisely what EchoMetrix is doing, Nguyen claimed. "They are violating federal statutes" by their actions, as well as violating FTC rules governing the disclosure of privacy policies, Nguyen said.

The FTC has not responded to EPIC's complaint against EchoMetrix.

Read more about Security in Computerworld's Security Topic Center.