Privacy advocate and researcher Ben Edelman has found that Upromise savings, a service that collects commissions from participating merchants for its members’ college savings accounts, scrapes personal information, including credit card numbers, from transactions and transmits it without encryption to a Boston-area shopper-metrics firm. Neither the Upromise installation nor its privacy policy informs users that this data collection is taking place.

According to its web site, Upromise members get 1-25 percent discounts on eligible purchases from 600 online retailers, eight percent discounts at more than 8,000 restaurants “…when you pay with a registered credit or debit card,” and 1-3 percent discounts at registered grocery or drug stores, also if they pay with a registered card.

Upromise, owned by Sallie Mae, is the biggest private source of college funding contributions in the U.S., having deposited $450 million to members’ college savings accounts.

Edelman writes:

“The install sequence does link to Upromise’s privacy policy. But this page also fails to admit the detailed tracking Upromise performs. Indeed, the privacy policy promises that Personalized Offers data collection will be ‘anonymous’ — when in fact the transmissions include email addresses and credit card numbers. The privacy policy then claims that any collection of personal information is ‘inadvertent’ and that such information is collected only ‘potentially.’ But I found that the information transmissions described above were standard and ongoing.”

“…Upromise’s install screen euphemistically mentions that its ‘service provider may use non-personally identifiable information about your online activity.’ This admission appears below a lengthy EULA, under a heading irrelevantly labeled ‘Personalized Offers’ — doing little to draw users’ attention to the serious implications of Personalized Offers.”

Edelman traced the flow of the user’s data:

“…transmissions flow to the consumerinput.com domain. Whois reports that this domain is registered to Boston, MA traffic-monitoring service Compete, Inc. Compete’s site promises clients access to ‘detailed behavioral data,’ and Compete says more than 2 million U.S. Internet users ‘have given [Compete] permission to analyze the web pages they visit.’