On leaving IBM, I initiated the process to roll my 401K over to my IRA. The fund manager sent the requisite forms – already filled out with my SSN, contact info and the account numbers to effect the transfer – to me via email. Naturally, I called bullshit. Unencrypted email is about as secure as a post card. One thing led to another and now my wife and I have been provided with a year of free credit monitoring protection through AllClear ID.
One would think that a credit monitoring service would be all about privacy, security and monthly fees for the upgraded service tier, and AllClearID does not disappoint in any of those categories. In particular, the basic service is good but if the marketing can be believed you might as well be naked without the Pro service, billed in easy and convenient installments of only $14.95 per month!
The second paragraph informs me that “AllClear ID may add or remove features of any of the Services at any time.” This didn’t concern me too much. Everyone reserves the right to change their service, and after all how often does that happen? Turns out, it happens several times over the course of the document. Confidence is waning. Perhaps I really do need to read this thing.
Want to come along for the ride? I’ll be your guide! Warning, you must be this tall ^ to enjoy this attraction and you are warned to step out of line if you have a weak constitution.
The first sign of trouble came in the preamble:
Just to be clear, this is a company who make their living by notifying their customers of adverse events in the customer’s credit reports.
I’ll repeat that. Their core business is a notification service.
For which they charge $180 per year.
But which is incapable of detecting and notifying you of changes to their own web site.
Incredible. And I mean that in the sense of the word that suggests AllClear ID lacks credibility. Why on Earth would somebody claim to offer state-of-the-art notification over events that affect you financially and exclude their own adhesive contract to which you are bound without having first read it and which they reserve the right to change without notice? What possible motivation could lead to that particular result?
Oh wait – it must be because it changes so often. That explains it. It isn’t that they cannot detect the change, but rather that the volume of notifications would overwhelm their call center and their customers. Right? Surely, they’d never make unfavorable changes without notice and bind you to an abusive contract, because they are in the trust business.
Next comes the “Information Collected” section. The first paragraph details all the personal information they collect about you and how they use it. There’s a lot of it and for any other businesses it would be a bit invasive. But, having worked at both a school board and at Equifax on the programs that attempt to match, dedpulicate and uniquely identify people, I know how difficult it is to distinguish between two similar looking records representing different people. This company is helping fix identity theft issues so they really do need detailed data about you to perform that service, and they need it before it is contested. I really don’t begrudge them this information or the uses they disclose for it.
Until we get to the second paragraph.
AllClear ID may also collect technical data and related information – including but not limited to technical information about your devices, system and application software, and peripherals. We may also automatically receive and record information on our server logs from your browser, which could include your IP address, cookie information, browser information, and the page you request. This information is not deemed by AllClear ID to constitute Personal Information and while AllClear ID will not use it in a way that associates such information with you, such information it may be aggregated and used. AllClear ID owns this information and may use it in any manner it deems appropriate.
I’m never quite sure of the legal effect of contract clauses with sentence fragments or broken grammar. One day maybe I’ll ask an attorney. But in the meantime, it appears AllClear ID has some industrial-strength data harvesting. It’s gathering more than enough information to uniquely fingerprint my machine, and they declare full ownership in the harvested data with no recourse to you whatsoever in how it is used or if you are damaged by it. AllClear ID may deem this information to not be personally identifiable, but that’s a statement in their own self-interest. Clearly if you clicked the link above about fingerprinting, you know that the EFF deems this information to be uniquely identifiable. And why does AllClear ID even need all that system info to deliver telephone notifications and credit reports? Perhaps some other web site which does have my details can link that machine fingerprint back to me personally. This would allow AllClear ID to back into a complete, personally identified dataset, without using their own demographic data, and which they’d own for whatever purposes they wish.
Not saying they do. Just that they could. “Trust me,” they said. What could go wrong?
A bit further is a section on “Information Use” which explains all the legitimate uses for the information they collect about you. For example:
Among other things, AllClear ID wants to help you quickly find information on our Site, leverage our tools in connection with your authorized use of our Service, and alert you to product upgrades, special offers, updated information, and other new products and services.
Wait?!?! What?!?! Their service is capable of detecting changes to their web site and notifying me after all? But before they said it was my responsibility to periodically check for changes to the contract. WTF? Oh wait – I see what’s going on. The alerts only work when there’s an opportunity for me to spend money. Here I was accusing them of multiple personality disorder what with Mr. Hyde expecting me to check the web site all the time, and Dr. Jeckyll offering to send me notifications. That’s really unfair of me since it’s clear they are acting consistently in all these cases. It’s all Mr. Hyde, it’s just that he’s a psychopath and quite charming when he wants to be.
As with the other sections so far, the “Information Use” starts out pretty standard, then veers off the rails.
AllClear ID may also use your information to develop fraud prevention and other services, which it may make available to third parties, provided that such services shall not include access by such third parties to your Personal Information. AllClear ID may also send promotional information about AllClear ID products and services, during and after any term for which you are subscribed for a Service. However, users may “opt out” of receiving such information.
In other words, my information is the basis for services that AllClearID sells to 3rd parties. Not “Personal Information” in proper case and as defined in the document, but simply “your information.” That includes all the information you gave them, plus the machine fingerprint they harvested.
But wait! There’s more! Nowhere in this document do they mention that they collect your credit report data, but they have to do so to provide the service. They must keep history of the report in order to identify the delta when a change is made. But the contract alludes only to the information that you provide. If you are skimming the document, you could be forgiven for not realizing that you gave them all-access permission to harvest your credit report and machine fingerprint, for which they charge you for the privilege, and then permission for them to use these information assets as the basis for a lucrative service they sell to 3rd parties. Fortunately, you can opt out.
Sort of. read on.
Next up is a section called ” Information Sharing and Retention” which begins with a sentence fragment, followed by broad but meaningless assurances:
Sharing Information with third parties; AllClear ID takes the privacy of our users very seriously. As a result, except as provided herein, AllClear ID will never sell, rent, or intentionally provide your Personal Information to any third parties for their marketing purposes.
Oh, thank Grid! they won’t sell, rent or intentionally provide my information to 3rd parties for marketing purposes. Other purposes, sure. So long as the 3rd parties don’t market to you. Maybe the 3rd parties resell the data to someone who markets to you, we don’t really know. If they said to their business partner something like “here’s all T.Rob’s personal information, use it any way you want just don’t contact him or let him know you have it,” that would be permitted since the 3rd party isn’t using it for marketing purposes.
The other wiggle clause is “except as provided herein.” So there are exceptions. Wonder what those are. Oh, here’s one now:
In order to use or provide the Services, we or you may also share your Personal Information with third parties.
Well, that clears it up. They won’t sell, rent or give away my info to 3rd parties unless it has something to do with running the web site, performing the notification service, gathering more data about me from credit bureaus or other brokers, or any other function of their core business. Or unless the 3rd party promises not to use it to market to me.
As a side note, it’s comforting that they don’t claim exclusive rights to my data but rather expressly permit me to share my own data. You don’t want to get stuck in a contract that restricts you from sharing your own data. This is, I believe, what happened to The Artist Formerly known As Prince and look what hell he went through because of it.
As with previous sections, the Information Sharing and Retention section goes a bit haywire toward the end (as if it wasn’t already):
Finally, unless we otherwise agree, even after the term of your subscription has expired or terminated, AllClear ID may retain your Personal Information indefinitely for the uses permitted hereby, to resolve potential disputes, to comply with official investigations or proceedings and/or enforce AllClear ID’s agreements.
The Singular Summary and Aggregate Statistical Information that AllClear ID may share aggregated personal demographic and profile data and/or anonymized or redacted data regarding users of our Service. This data also does not contain Personal Information, but may describe information regarding group usage of the Service and/or group demographic information.
The first of these I understand. They are saying that they can keep my information indefinitely. The second paragraph is unintelligible due to more sentence fragments and/or bad grammar.
Moving on to the “Accessing and Changing Your Account Information,” there’s only one paragraph so you’d think there wasn’t an opportunity to make it batshit crazy but they pull it off.
You can review the Personal Information you provide us and, unless otherwise indicated, make any desired changes to such information, or to the settings for your AllClear ID account, at any time by logging into your account on the Site and editing the information on your Profile page. You can request in writing that AllClear ID remove your Personal Information from our database and that your account be closed.
So I have the contractual right to review any of my information, and even update it – unless it happens to be marked with an indicator that says I can’t. Oh, and remember that information they have the right to keep indefinitely? Fortunately, I have the right to request that they delete it. Not that they are obligated to do so, they clearly stated above that they reserve the right to keep it indefinitely and don’t contradict that here. But I can take comfort in my right to make that request, however futile it may be.
There is absolutely no value to me in this paragraph of the contract, despite what appears to be careful crafting to make it appear so. Every single thing that looks like it offers some protection has an escape hatch. The only things Allclear ID are obligated to do here is accept my written request to delete information (not act on the request, just accept it) and to be sure to indicate on all data fields that I’m not allowed to update them. Beyond that they have no particular obligation as a result of this paragraph.
But it sure looks good, doesn’t it?
There’s a section about security which I’ll skip. Basically, it says “we try hard but it’s a hostile Internet and if you are breached, here’s a list of points between you and us where the breach probably occurred,” yadda, yadda, yadda.
The section “Framing and Linking” is interesting so I’ll reproduce it in full here:
In other words, AllClear ID creates a browser frame within which to display someone else’s web content. This doesn’t happen by accident and to be legal they will have obtained permission of the content owners before doing so. So they know exactly whose content is showing up in their frames, or at least they should. If they do not, then it doesn’t speak well to their ability to do their core job.
Using a frame to pull up some web site where your account information is displayed is a MUCH easier way to harvest the data and connect a fingerprint to an identity. The genius bit here is the magician’s redirection. With all the dire warnings about the other web site’s cookies and how AllClear ID can’t control them, you might forget to consider the fact that it’s AllClear ID’s page hosting the frame. They have complete access to whatever is displayed there.
So what’s the bottom line here? Does AllClear ID actually do any of the things their contract allows them to do and which I’ve described here? Who knows. Does anyone actually understand the contract given all the sentence fragments? Again, who knows.
Some of my most valuable personal data was exposed by a vendor who is supposed to be well trained to prevent such things. They freely admit that nothing in their system would have picked up on it, and only the intersection of a breach event with a knowledgeable customer would have caught it. Then the remedy for this situation includes a year of monitoring by a service which, when you read the fine print, their cure sounds worse than the disease.
I’m. Not. Happy.
In other words, am I being reasonable or over-critical here? I really want to know.