ePeople Users: Be Wary of Marketplace Assistant


Written by: DK
Created Aug 24 2000, modified Aug 24 2000

ePeople, Inc. (http://www.epeople.com) is a for-pay technical support "marketplace," where techs (called "Providers") bid on users' technical support questions on a wide variety of computer-related topics. ePeople has a program called Marketplace Assistant. This software is a derivative of TalkBack, a product of Full Circle Software (now ePeople Inc.). (Yes, this is the same TalkBack that is installed with recent versions of Netscape Communicator.) Marketplace Assistant reads information from your computer system and uploads it to ePeople, where it is put on display for "Support Providers" (people who answer users' technical questions on ePeople) to view.


The reason I am posting this article is that I have found the security and nature of the information collected by Marketplace Assistant to be very disturbing.  I have noted the following issues with this information:

(1) The information collected includes the name and version number of all of the software currently running on the computer.

(2) The information collected includes the network name of the computer and the name of the registered user for the Windows operating system, and the network username of the current user on the computer.

(3) The information collected includes the MAC address of any Ethernet card(s) installed on the computer, and the Intel ProcessorID of the computer's CPU, if available.

 - Of the above three points, the information in points 2 and 3 is available to *any* "Service Provider" who views the user's question. The information in point 1 is available only to the Service Provider whom the user chooses to help them.

 - The information collected in point 2 is a potential security hazard, as it could be used to access the user's computer for malicious reasons.

 - The information in point 3, as well as the user's registered name from point 2, constitutes "personally identifiable" information and is therefore a serious privacy concern. In particular, the MAC address and the Intel ProcessorID can be obtained via programs embedded on Internet web sites.

 - When the user runs Marketplace Assistant and transmits the above information to ePeople, the personally identifiable information in point 3 has been *clearly associated* with all of the other information collected from the user's system, including their name, the potentially hazardous information in point 2, the information on what software the user is running in point 1, and information on the manufacturer and model of their computer system and its components. Except for the information in point 1, all of this information and its association with the personally identifiable information in point 3 can be viewed, copied, and distributed by *any* ePeople Service Provider.

 - ePeople Service Providers are *not* in any way employees of ePeople. They are considered Independent Contractors. *Any* person with a computer, a valid e-mail address, and an Internet connection may sign up to be a Service Provider by filling out a series of online forms. As soon as these forms have been filled out and a confirmation number e-mailed *automatically* to the provided e-mail address is entered on the site, this person has access to all of the Service Provider features, *including the information collected about ePeople users by Marketplace Assistant*. There is no "human" evaluation of a potential Service Provider. The signup process is completely automated, and the only information that is verified is the e-mail address, by means of an emailed confirmation number which must be entered to activate a Service Provider account. There is also no way to "ban" a certain person from signing up again after their account has been cancelled or disabled. Thus, even if a person was caught distributing the information they have access to and their account was removed, they could simply sign up for another account, and within a minute or two they would once again have access to the users' sensitive information.

 - ePeople's Terms of Service and Marketplace Assistant Terms of Service are vague and possibly misleading when it comes to the collection and use of this data:

(A) On information collected: ePeople's Marketplace Assistant Terms of Service reads:

"All information collected by the Marketplace Assistant Client is used only for the purposes of diagnosing and solving end-user problems, and will not contain any sensitive information such as web sites visited, e-mail messages, e-mail addresses sent to, passwords, profiles, etc. This information is used by ePeople Support Providers for diagnostic purposes only and will not be shared with third parties."

Although the information listed under the "such as" clause is in fact not collected, the information under points 1, 2, and 3 above could certainly be considered "sensitive" information. In addition, the Marketplace Assistant Terms of Service does not specify what information is collected. This information is present on a document entitled "About Marketplace Assistant", but is not linked to from the Terms of Service page. The only link to this document from the user section of the site is a small text link on the page where the user asks a question.

(B) On ePeople's responsibility for the protection of the information collected: Again, the Marketplace Assistant Terms of Service reads:

"All information collected by the Marketplace Assistant Client is used only for the purposes of diagnosing and solving end-user problems, and will not contain any sensitive information such as web sites visited, e-mail messages, e-mail addresses sent to, passwords, profiles, etc. This information is used by ePeople Support Providers for diagnostic purposes only and will not be shared with third parties."

Of particular concern here is the last sentence. ePeople is assuring the user that the Support Providers who view their information will use it for diagnostic purposes only, and will not distribute it to any third party. However, as I outlined before, ePeople does not have the authority or even the means to control how the ePeople Support Providers use this information. Even more disturbingly, they admit to this fact in another section of the Marketplace Assistant Terms of Service:

"You are solely responsible for the content of your transmissions through Software. ePeople has no obligation to monitor any User's or Provider's use of the Software. However, ePeople reserves the right to take any action with respect to Software that we deem necessary or appropriate at our sole discretion if we believe you or your transmissions may create liability for ePeople."

In other words, despite their claims in the first quote above, ePeople states here that they have *no obligation* to monitor how a Service Provider obtains or uses the information collected by Marketplace Assistant. This point is further underscored in ePeople's Terms of Service:

"Our site acts as a venue for Users to obtain answers from Support Providers. ePeople provides the infrastructure to facilitate this sharing of information. However, we are not involved in the actual Transactions between Users and Support Providers. We are not involved in any way in the creation of the content of the information or digital goods that are shared between Users and Support Providers. Although we reserve the right to review and remove any content posted on the site, we are not obligated to do so, and we do not endorse, warrant, or guarantee its quality or accuracy. As a result, we have no control over the quality, accuracy, or legality of the content. YOU AGREE THAT YOUR USE OF THE  EPEOPLE SERVICES AND YOUR RELIANCE ON ANY QUESTIONS, ANSWERS, INFORMATION OR OTHER MATERIALS RECEIVED THROUGH THE WEB SITE WILL BE AT YOUR OWN RISK."

Although, at first glance, this seems to pertain to the User's use of the answers or technical advice the Provider gives them, reading it carefully shows that it also frees ePeople of any responsibility regarding the use of information on the Provider's part as well. This "information" includes the data collected by Marketplace Assistant.

This data from Marketplace Assistant would also fall under the following clause of the Terms of Service:

"License Grant to Information:
You agree that we and other Members you interact with may freely use and distribute any information ("Information") you provide in connection with a service or technical support Transaction ("Transaction") initiated or completed through the ePeople Web Site, without any further obligation to you. By providing Information, you grant us and each other Member in the interaction a non-exclusive, worldwide, perpetual, irrevocable, royalty-free license, with rights to sublicense, to use, reproduce, edit, modify, prepare works derived from, perform, display, distribute, sell and otherwise exploit your Information in any form, media or technology, whether now known or hereafter developed, and to distribute the Information and any derivatives of it through multiple tiers of distribution. We will use your personally identifiable Information only in compliance with our Privacy Statement."

Even worse than the previous two clauses, this clause is actually giving the Service Providers the right to do almost *anything* they want with *any* information given by the Users. Note the last sentence: "We will use your personally identifiable Information only in compliance with our Privacy Statement." Although this limits ePeople's use of the information to what is allowed by the Privacy Statement, it does *not* place any limits on other Members' uses of the information. Nor are Service Providers required to agree to abide by ePeople's privacy policy, nor are there any provisions in the Agreement for Support Providers (which they must accept before their accounts are activated) on how they may use information provided by users, except for the paragraphs and clauses quoted above. (Note: In the Terms of Service, the word "Member" refers to both Users and Support Providers.)

So, what it comes down to is this: ePeople's Marketplace Assistant collects personally identifiable and potentially hazardous information and makes it publicly available to anyone who signs up as a "Provider" at ePeople. ePeople's Terms of Service and Marketplace Assistant Terms of Service are vague about the type of information the software collects, and misleading when it comes to ePeople's responsibility to protect the privacy of Marketplace Assistant users. If you must use ePeople for asking technical support questions, I recommend that you do *not* download or use Marketplace Assistant.
 
 

References:
ePeople Home Page: http://www.epeople.com
ePeople Terms of Service: http://www.epeople.com/static.jsp?left=terms_nav.jsp&right=terms.html&notheme=1
ePeople Marketplace Assistant Terms of Service: http://www.epeople.com/static.jsp?left=terms_nav.jsp&right=ma_terms.html&notheme=1
"About Marketplace Assistant": http://www.epeople.com/static.jsp?left=ma_nav.jsp&right=ma_about.html
 
 

