Recently, BWCU became aware of information
about a business practice that could affect Internet banking users.
Considering the potential privacy and security impacts, we felt
obligated to share this information with you.

There are organizations on the Internet that offer 'free services'
such as Internet acceleration or email virus scanning. Some of
those organizations have 'privacy policies' that are so loosely
defined as to allow them to harvest and share information that
is universally considered to be personal and highly sensitive by
Internet users. Such organizations ask unwitting end users to configure
their browsers so that all web traffic, including highly sensitive
encrypted secure traffic, is decrypted, passes through that
organization's servers to be harvested, and then continues on to its
intended destination. Hence, information that the end user believes to
be inaccessible to everyone except the intended recipient is collected
and, according to liberal privacy policies, may be shared by the
intermediaries with unnamed third parties. We believe such organizations
may rely upon the fact that many inexperienced Internet users don't
understand the ramifications of such a situation (referred to in
information security circles as a 'man-in-the-middle' exploit), or that
they will carelessly click through acceptance terms without reading
the fine print of the privacy policy. In our opinion, this dangerous
situation is made worse by the fact that such software has been designed
so that end users' efforts to uninstall it from their computers will
often fail, leaving what amounts to a back door for the organization to
usurp what are supposed to be private communications in the future.

Consider one company that we believe follows this sort of business
model. This company installs its own trusted root certificates
so that it can intercept secure (SSL) connections made by the
end user's machine.
The privacy policy of this company states:
"... monitors all of your Internet behavior, including both the
normal web browsing you perform, and also the activity you may have
through secure sessions, such as when filling a shopping basket or
filling out an application form that may contain personal financial
and health information...

... We monitor the Internet connections of our users so we can not
only accurately and anonymously model the browsing habits of Internet
users, but also their shopping, registration, and other interactions
as well...

... In addition to the monitoring of your Internet behavior, we may
also combine the information that you provide us with information
such as credit or prescription information that we obtain from third
parties such as consumer preference reporting companies, credit
reporting agencies, and prescription benefits managers....

... There are some limited cases in which we share personally
identifiable information with third parties. Specifically, we provide
personally identifiable information to third parties for the purpose
of conducting the secure and confidential matches discussed more
fully above...."

Simply stated, these companies can collect and share information
intercepted from secure pages (pages whose addresses begin with
‘https’ or that have the SSL lock in the lower right-hand corner of
the webpage). Commonly secured pages include online banking (Net-24),
forms where you enter private information when paying for something
purchased online (name, address, credit card number), medical
information, and anything else entered on these secure pages.

Although some companies that offer Internet acceleration or email
virus scanning do not collect information from secure pages,
please be aware that companies that do collect it exist, and take
steps to protect yourself and your private information. Those Internet
companies that use technologies to intercept encrypted communications
have full access to the end users' personal information and have
publicly stated that they can share users' information with third
parties.
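
A check for the root-certificate interception described above, as an added example that is not part of BWCU's notice: it compares the issuer and fingerprint of the certificate a machine actually receives with reference values recorded on a machine known to be clean. The function names, the sample issuers and the stand-in certificate bytes are constructed assumptions.

```python
import hashlib
import socket
import ssl


def fetch_leaf(host, port=443, timeout=5.0):
    """Return (cert_dict, der_bytes) for the certificate this machine receives."""
    ctx = ssl.create_default_context()  # local trust store, including any added roots
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def issuer_fields(cert):
    """Flatten the nested issuer tuples from getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def fingerprint(der):
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def interception_signs(cert, der, expected_org, pinned_sha256=None):
    """List the reasons the received certificate differs from the reference."""
    reasons = []
    org = issuer_fields(cert).get("organizationName")
    if org != expected_org:
        reasons.append(f"issuer is {org!r}, expected {expected_org!r}")
    if pinned_sha256 and fingerprint(der) != pinned_sha256.lower():
        reasons.append("certificate fingerprint differs from the reference")
    return reasons


# Constructed samples in the shape SSLSocket.getpeercert() returns; the byte
# strings stand in for DER certificates and are not real certificates.
GENUINE = {"issuer": ((("countryName", "US"),),
                      (("organizationName", "Example Public CA"),),
                      (("commonName", "Example Public CA G1"),))}
PROXIED = {"issuer": ((("organizationName", "Example Accelerator Inc"),),
                      (("commonName", "Example Accelerator Root"),))}
GENUINE_DER = b"constructed-genuine-leaf"
PROXIED_DER = b"constructed-proxy-leaf"

if __name__ == "__main__":
    pin = fingerprint(GENUINE_DER)  # reference value taken on a clean machine
    print(interception_signs(GENUINE, GENUINE_DER, "Example Public CA", pin))
    print(interception_signs(PROXIED, PROXIED_DER, "Example Public CA", pin))
```

Because the intercepting root is trusted locally, the handshake in fetch_leaf succeeds and the lock still appears, so the issuer and fingerprint are what reveal the substitution. The fingerprint changes whenever the site renews its certificate, so the reference value has to be refreshed from a clean machine.
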

We want to clarify that BWCU does not offer these services, or
cooperate with any company that does. We are making this information
public to ensure that your private information is secure.