Salon Interview with TrustE CEO Bob Lewin
bmc wrote to us about an interview that is currently running over at Salon.com. Salon is talking with Bob Lewin, the CEO of TrustE. Honestly, it's depressing. There's a real dearth of legislation that will protect privacy rights and even groups like TrustE have loopholes the size of Mack trucks.
Re:Caveat Emptor (Score:1)
Them what's paying half their income to the government ain't free.
Why do we look at a company to protect OUR data? Protect your data yourself. If a company isn't doing well by you and your personal information then tell everybody about it and NEVER go back to that site again. It's simple, it's free, you're giving back to your community and best of all, it works.
You would probably do as well to stay off the web as to do what you're talking about. Yes, shaming people into doing right has been somewhat successful in several sensationalized cases but it doesn't seem sufficient to stem the tide.
Fox guarding the hen house (Score:1)
McDonalds to sue the dinosaurs! (Score:1)
Oh, wait, yes they do. (Score:1)
It is interesting, tho, that revocation of the trustmark is not automatic upon a compliance failure.
Let's secede the US Net space to Europe! (Score:1)
The Land of the Free - yeah, sure, unless you're a US citizen
Give me Liberty or Give me Death! Don't spam till you see the headers of their email! I regret that I have but one virtual life to give for my country (at least until I become an AC)!
Re:The Old Saying... (Score:1)
Well duh =)
Seriously. When you think about it, there's nothing TrustE can do to prevent privacy policy violations from ALL the sites certified after the initial process. And yes, most of this is TrustE's fault, or better put, a serious ethical problem with TrustE's business model.
I've a problem with the last sentence of this rant, more to follow.
TrustE is a really well-entrenched brand name.
Sure, they're the only company I've read about with the sheer temerity to implicitly rely (in their business model) on the fact that the average consumer is an absolute retard that has been hit over and over on the head with the tackhammer that is our media machine.
TrustE is in business to make money.
Well, not really. You failed to notice in the article (Because I'm sure you read it right?) that TrustE is a non-profit corporation.
TrustE makes that money selling the essentially one-time process of certifying sites' privacy policy, for hundreds to thousands of dollars a pop.
Again, in your assimilation of this article you missed an important fact: TrustE works at regular intervals to make sure companies are in accordance with their privacy policies. This statement is also misleading because, again, in the article it says that TrustE charges about $300 to $4999 to certify a company's website. Sure this is "hundreds to thousands of dollars" but it isn't as grand a sum as the phrase would elicit now is it?
TrustE relies on a QUANTITY of business to keep them afloat.
That and compliance by the very entities it is trying to police, which coincidentally are the very entities that pay the certification charges. *boggle*
Since TrustE has an enormous amount of customers(sites) they've certified, to properly police all of them (protect the integrity of their seal) would cost far more than the revenue generated from the initial process.
This statement is pure speculation, I'm sure you have no financial knowledge of how TrustE operates, because if you had and made a post with this tone not as an AC, I'm sure your affiliation with TrustE would soon end.
Thus, the certification is symbolic at best.
I agree wholeheartedly. Different logic sure, but this conclusion is apt nonetheless.
So, what have we learned?
Well, I've learned that you don't read articles very thoroughly or at all.
But by the same token, nothing beats doing business with who you know and trust, symbolic declarations of good intentions be damned.
Hear, hear!
I don't begrudge TrustE - they have a hell of a racket, make a TON of cash, and I'm sure in the same position I'd do the same thing.
I'm not so sure. When the issue of TrustE's inability popped up a while ago considerable criticism of their business model was hashed out here. The problem, as mentioned above, is that TrustE makes its revenues from the companies it certifies. The implicit problem with this is that TrustE cannot effectively enforce anything unless the company under scrutiny complies with TrustE's wishes.
The bottom line is that TrustE has no proverbial leg to stand on when it comes time to enforce policy because as soon as they try, a company can simply refuse to comply, thereby kicking what support TrustE had out from under it and allowing it to hang on the rope it weaved and noose-tied for itself--witness Microsoft's refusal of a privacy policy audit in the afore-mentioned discussion of TrustE's problems.
Just my thoughts...
--
Do consumers really use the TrustE logo (Score:1)
Microsoft or AOL or DoubleClick can tell congress that privacy laws aren't necessary, because the industry is policing itself. Regardless of how effective this policing is, big corporations can point to TrustE as "something" that the industry is already doing. But as more well publicised cases, like Real Networks and DoubleClick, come to light, hopefully it will be seen for what it is.
Re:A different kind of TRUSTe (Score:1)
He made one important point about the flexibility of a private sector solution to the problem. Another one that he is unlikely to make is the one that xant just made. Private sector solutions are open to competition. And perhaps the best form of competition initially is an organization that offers a small number of simple privacy statements and requires that you adhere to one in order to be certified. They could be:
The principal advantage to this approach is that it would limit the number of privacy statements that a person would have to read and understand. And it would limit the frequency of changes to them.
Re:McDonalds to sue the dinosaurs! (Score:1)
Umm, Sue is the name of the dinosaur. Yeah, it's a confusing name, but this page [fmnh.org] is only a few clicks away from the link you give.
--
The solution is simple (Score:1)
Oh and remember if you have a permanent IP (cable/DSL) address *USE* the proxy server - it obscures your identity and speeds your connection (ie. caching squid proxy)
Privacy: Judicial remediation (Score:1)
From the top down banking rejected privacy out-of-hand, the state of CA passed legislation making elections by Internet illegal and commerce people rightfully couldn't find prior law upon which to legally base privacy.
Bottom line here is that people take privacy for granted. There is an unspoken faith in the judicial system to right any wrong. US currency is based upon "In God we Trust" and little exists legally to support privacy (ala digital signatures).
The technology exists to build privacy into Internet transactions. But the cost for infrastructure development is high. Even hurdling the economics there remains the "key recovery" debates which trumps all progress in this area, anyhow.
/. really have to come up to speed on privacy if they want to have a hand in shaping the debate and final solution set.
This sucks! (Score:1)
3) that once the information is collected, they will use reasonable security to protect that information;
and
4) that they allow the consumer reasonable access to that information to modify it.
Then this little gem:
So if I were collecting consumers' e-mail addresses and then selling them to a direct-marketing company, would I still be able to get the TRUSTe symbol?
Only if you stated that to the consumer in your privacy statement.
Great! So all the company has to do is bury such a statement in boilerplate language no one will read.
Online Privacy = Private/proprietary Crypto? (Score:1)
I think Scott McNealy said it best: "You have zero privacy anyway. Get over it." [wired.com]
Rather than privacy laws/regulations being passed for the internet, I'd much rather see actions that would protect people from discrimination no matter what their online viewing habits are.
CNY (Score:1)
ignorance (Score:1)
In fact, do you work for one or more of them? :)
Many are worried, but unable (incompetent, ignorant, manipulated, take your pick depending on your level of cynicism this morning) to discover the truth. Capitalism sucks.
Would you prefer the government do it? (Score:1)
According to an old salon.com story [salon.com] referenced from the current one being discussed, "David Sobel, general counsel for the Electronic Privacy Information Center (EPIC) [epic.org], thinks that the government -- the Federal Trade Commission, to be specific -- is a more appropriate monitor for the Net."
Would that be better or worse? Technically, that is what the government is for but unfortunately, more often than not, the government goes too far. The other public sector route is a non-profit charitable organization like Epic that relies mainly on donations from private foundations and individual donors which means they have to constantly raise money to maintain their research and legal battles. When it comes down to it, I don't see how a private company could make a real profit by not catering to their members as eTrust does. I'm not saying it's excusable, just that I don't think there is any 3rd party privacy/security group that could be objective and profitable.
- tokengeekgrrl
"The spirit of resistance to government is so valuable on certain occasions
what about distributed load? (Score:1)
Trust.. (Score:1)
So I sure as hell am not gonna trust a company who's skirmishing the lines of being a total waste.
They Have no backbone because they know their stupid TrustE logo means NOTHING. Screw them
I do business based on my own experience and that's it
Notice my bitter cynicism here? It happens after being alive too long.
JA
Re:The Old Saying... (Score:1)
I work for a non-profit, and I can assure you that one of the wisest things I've heard is, "Just because the company doesn't make a profit doesn't mean that nobody does." Not having to make a profit just means that the people in charge can keep money above breakeven rather than having to dole it out to shareholders. There are dozens of ways of doing this that are perfectly legal.
Re:Sounds like ISO 900x certification (Score:1)
Of course, there's a classic Dilbert [dilbert.com] strip on this topic. The dialog goes something like:
TrustE sounds a little bit better than that (they do have some minimal requirements about their policies, apparently), but not much. It sounds, for instance, as though TrustE thinks that it's perfectly OK for a company to promise not to sell your personal information, then change its policy without notification and sell it if you come back to visit its site- even if you don't stay around for long enough to read the revised privacy policy.
Making things private. (Score:1)
You won't get anything 100% with someone's policy or word. The only 100% is when it is physically impossible to violate privacy / anonymity.
Some of the mathematical theories I have faith in suggest that 100% privacy / anonymity is unattainable, but practically speaking, things like freedom [freedom.net] and AT&T's Crowds are about as good as you'd ever want for the privacy / anonymity level provided.
Also, I'm working on an anonymity project, involving a cooperative network of computers to ambiguate the source. Many common services are possible, and their use is transparent (i.e. you can use pine, elm, kmail, netscape, or whatever you like for email). The link's in my
---
script-fu: hash bang slash bin bash
(Real) Site Privacy Policy (Score:1)
As part of the new "OpenLegal" initiative, I thought I'd try my hand at writing a privacy statement. I think this meets TRUSTe's requirements, doesn't it? (Of course, most privacy statements aren't written even in the proper quasi-legally binding form I've poorly imitated in this! ;-)
PREAMBLE
Right, the lawyers made us say this, we're sorry, don't worry your pretty little heads about this, please don't read this, it doesn't say what you think it says anyways. (hypnotic message: PRESS "BACK" NOW!)
I. Introduction and Purview
1. This document governs the privacy policies of the Internet System 197.234.74.257 (the SITE) with regard to its access by one person (the VISITOR) by electronic means and the data about the VISITOR (the INFORMATION) collected hereby, but none of its mirrors, load sharing sites or routers, neither other viewers.
2. By entering within sight of this site you have indicated your agreement to these terms.
II. General Rights
1. It is our pleasure to inform you that you have no privacy rights whatsoever. As you read, personal data is being collected.
III. Information Collected
1. The SITE will endeavour to collect as much INFORMATION as may be determined profitable by the SITE.
2. These INFORMATIONs will include but not be limited to: (where "your" refers to the VISITOR) your home and work contact info, your favourite colour (or Favorite Color, in some jurisdictions) your family history, all such INFORMATION about your relatives including their schools or nurseries, principal caregivers, nannies and ages; your prom date, your IRS return form, any foreign tax return form (or lack thereof), your sexual orientation and favourite kind of coffee, your secret service file with each of the nations on the Security council and your past and future company, and the results of all IQ tests.
IV. Collection Means
1. The SITE will use whatever means necessary, including but not restricted to cookies, IP fingerprinting, port mapping, indiscriminate hacking and paramilitary raids; In fact, as the VISITOR reads this a highly trained team of former SEALS and S.A.S. members is ransacking the VISITOR's (that's you) personal files and residences.
V. Use of Information
1. This site will under no circumstances refrain from selling this information to the highest bidder, including but not limited to security forces of any country or group.
VI. SECURITY
1. Due security measures will of course be taken. If they weren't, we couldn't sell the info because anyone could steal it.
VII. Accessing & Updating Information
1. The SITE sees no need to give access to the INFORMATION, as it is 100% accurate, comprehensive and personal, and the VISITOR therefore already knows it.
2. Every time the VISITOR moves his mouse, the information will be automatically updated. Therefore, the VISITOR will not need to manually modify the INFORMATION
VIII. Limitation of Liability
1. No-one's written any laws yet, so we're untouchable. We have no assets in Europe. The VISITOR is hereby sol.
_______________________
Caveat Emptor (Score:1)
TrustE certification is practically worthless... (Score:2)
To the consumer that is. What difference does it make to me whether a site is TrustE certified or not? With all the loopholes and the fact that there is no standard for privacy, only internal policies for each company, it makes absolutely no difference at all to me. The certification is meaningless.
I don't want to have to read lengthy privacy statements on every site that I visit. Let alone having to reread the same info every time to make sure it hasn't changed. Who has time for that? TrustE is well aware of this and has covered its collective ass, but doesn't do anything to help me or anyone else besides the corporations who buy the certification.
Re:TrustE is TrustLess (Score:2)
And when a CEO of a company can't be forced to know something as important as this question:
"What percentage of sites get rejected?"
by giving:
"It's not a large percentage -- I'd guess 1 to 2 percent."
He's the CEO and guesses this important fact? Does he know what the hell is going on with his product? You can't trust a company whose leaders aren't involved enough to know basic operational facts.
Re:TrustE is TrustLess (Score:2)
> really cared about TrustE having some enforcement authority, they require that users re-authorize every time privacy changes.
They obviously don't. They have set the bar so low for awarding their ``Good Seal of Secret-keeping" that only one or two percent of all sites can't climb over it -- & the requirement is nothing more than to say ``We have no policy."
Sheesh. And even then, they have found themselves forced to talk to miscreants.
Mebbe we should just link cookies.txt to
Geoff
Re:TRUSTe is a scam (Score:2)
A scant few of us at Ompages.com are trying to put together an internet for the rest of us, we're no dot com, we're a real community; we're very close to putting together a virtual private network that anyone can join with a php front end that spits out config files for your platform.
Privacy cannot be guaranteed by a policy site; it must be claimed like property, and on the internet it's first come first served...If you want control over your information you must be active in your efforts to control it... there's no substitute for aggressive activism...
I have high hopes for Ompages.com to use the encrypted IP infrastructure to bring real power to individuals...
Right now there's a news posting site, a la usenet, and it's that easy to post your links, works, projects etc...
We're not whining 'why me?' we're screaming 'mine now...!' We're not brown nosing industry or any single OS, technology or government; on the contrary, we're in their faces drawing lines in the sand... please believe it...
Outta the fryin pan in into the fire...
-nate
natepuri@office.ompages.com
Re:Sounds like ISO 900x certification (Score:2)
Yes, it does. Or rather, it can.
This is taken from a comment I made on an earlier TRUSTe story on slashdot [slashdot.org]:
Jay (=
Huh? (Score:2)
In general, I trust no-one, but it is part of Truste's 'deal' that the privacy policy must be easily viewable. Says so on their website [truste.com] as well as in the Salon article.
There's a reason I have many random hotmail accounts that I use to receive activation passwords and nothing else.
They never say that they'll remove the trustmark (Score:2)
Q: What happens if my Web site fails a compliance review?
A: In the unlikely event that a site fails a compliance review or
TRUSTe has reason to believe that a site is in non-compliance with
its stated privacy practices, we will conduct an escalating
investigation. Depending on the severity of the breach, the
investigation could result in an on-site compliance review by a CPA
firm, or revocation of the site's trustmark license. After TRUSTe has
exhausted all escalation efforts, extreme violations are referred to
the appropriate law authority, which in the U.S. may include the
appropriate attorney general's office, the Federal Trade
Commission, or the Consumer Protection Agency. TRUSTe may
pursue breach of contract or trademark infringement litigation
against the site.
Re:Huh? (Score:2)
The TRUSTe seal tells you *NOTHING*, because by the time you find the seal, you're already looking at the "privacy policy".
Actually, it tells you one thing: It tells you that the company is unsure of their reputation, and would rather buy a seal than risk being judged on past behaviors.
Look at the really *good* privacy policies out there, and you'll note that most of them *don't* have TRUSTe seals. Who does? eBay and Real Networks.
Re:The Truste business model (Score:2)
Do you honestly think they'll take a seal away from a *PAYING* customer just because the customer plays fast and loose with the terms?
Remember, the customer is allowed to change the terms *AT ANY TIME WITH NO NOTIFICATION*. So, the people who said "opt-in only, we never share your address" can, every day at midnight, change the policy to "we will add all addresses we have to our master mailing list, and sell the result to a third party", ftp the list over, then change the policy back.
Tricky? Sure. But, as long as they "follow the posted policy" at any given time, TRUSTe will smile, nod, and keep taking their checks.
TrustE is TrustLess (Score:2)
"Well, we can't force consumers to read privacy statements, but in all our consumer outreach programs, we tell people: Even if you've visited this site before -- because things change -- the first thing to do is go to the privacy statement and review it to make sure there have been no changes. And we encourage licensees to put any changes up at the front. This is easier said than done -- none of us like to read pages and pages of text."
Are they kidding? Who on God's green earth would re-read the privacy policy of a web site every time they visit it??? If they really cared about TrustE having some enforcement authority, they require that users re-authorize every time privacy changes.
*sigh*
---
Bah, just let the market take care of it... (Score:2)
Here is a little thought experiment for you. Imagine a product, a widget. Now this widget comes in 2 versions. The two versions are exactly the same with the exception that with one you have to give up some personal information to buy the widget, but get $X off. You give up all rights to this information, but other than that the two products are the same in all respects. What value of X will you buy that widget? This gives you an idea of what value people place on their privacy. I imagine for most people X is around $5 or so....
Truly Sad (Score:2)
Does anyone know of any other organizations such as TrustE? I checked at EPIC.ORG and didn't notice any comments or links to TrustE. I find that significant. TrustE seems to just be snake-oil.
I would recommend looking at EPIC and organizations that it links to for privacy guidelines:
EPIC, EFF, www.cspr.org, etc...
Duncan Watson -Rock climbing, Encryption, privacy
PGP Fingerprint -PGP Key on www.keyserver.net
Sounds like ISO 900x certification (Score:2)
In my mind, it doesn't mean that the company is any better organized than others, but it means that their business process is in a book somewhere and they follow what's in the book. Reviewers don't care what the actual processes are, as long as there's enough documentation to prove that those processes are followed.
Sounds like TrustE is doing the same thing: Does this company have a privacy policy for web-based information? Do they follow it?
Trying to lose some karma here, let me throw this out: I think TrustE is following their charter by not coming down on Real or MSFT. Why? Their charter doesn't include non-web based information gathering. If this means that TrustE should change their charter, or start a new group for non-web-based privacy certification.
But make no mistake: All TrustE is saying is that their "approved" company has a web-based privacy policy and that they follow it. Even if that policy says that they'll sell your name and phone number to anyone that asks.
A different kind of TRUSTe (Score:2)
A stronger logo program (Score:2)
And here it is. [downside.com]
Make Space Ghost a part of your marketing program.
Re:TRUSTe is a scam (Score:2)
Re:The Old Saying... (Score:2)
TrustE is a really well-entrenched brand name.
TrustE is in business to make money.
Hopefully not too much of a focus, since they are a non-profit organization. But realistically, yes, most likely true.
TrustE makes that money selling the essentially one-time process of certifying sites' privacy policy, for hundreds to thousands of dollars a pop.
Again, hopefully not. According to their web site, it costs somewhere between $300 and $5000 per year of certification, so review of a site probably [hopefully] takes place once a year.
TrustE relies on a QUANTITY of business to keep them afloat.
Since TrustE has an enormous amount of customers(sites) they've certified, to properly police all of them (protect the integrity of their seal) would cost far more than the revenue generated from the initial process.
Thus, the certification is symbolic at best.
The cost point is probably valid. It almost certainly costs more than $5000 to hire qualified people to ensure a web site as "privacy ok" for a year. This is mistake #1, and it was made on the part of TrustE. They should charge more for their services, which are valuable enough to the consumer that they would probably offset the cost of acquiring them. (Especially if they became widespread enough that the number of major sites that had them outnumbered the sites that didn't.)
However, a second mistake was made, which was probably more dangerous. And it wasn't made by TrustE, it was made by you and me, and others. We naively assumed what TrustE ensured, without actually going to the site and reading their license agreements and requirements. By their own rules, RealJukebox was outside their jurisdiction because it's not a web page. The same thing with the Intel Pentium III ID chip. And in these cases, we have no one to blame but ourselves, for not reading the fine print, and for taking TrustE at face value as "a certification of privacy". So yes, I blame TrustE for preying on the paranoia that most users have about privacy [and probably rightly so]. And yes, I blame them for selling out to some extent, by writing a set of requirements that enabled them to leave loopholes for large companies (their primary business target). But mostly I blame myself for not reading those rules beforehand. Trust no one indeed. Especially not people giving you the "brief" rundown on what a company/service "does".
loopholes (Score:3)
But anyway, back to loopholes, specifically ones you could drive a Mack truck through. These can generally be dealt with fairly simply by putting a serrated metal tire-strip in front of the loophole to pop the tires of said truck. The truck then gets stuck in the entrance of the loophole, and nothing else can come through. Yeah, an awkward solution to the problem, but have you seen a kernel patch lately? Almost as much of a hack as any given service pack. Gets the job done, yeah, but it's NOT pretty.
As any other quick patch, this solution does not always work. Take for instance, when the Mack Truck gets eaten in advance by a Log Truck. I know what you're thinking, but Log Trucks are VERY cannibalistic. They feel no loyalty to other trucks. There is no evil like a Log Truck. If any foolhardy person doubts me, just take a quick stroll through the back woods of Central New York. And don't say I didn't warn you. You'll be lucky if you escape with your life. I grew up there, and even that wasn't enough. I was killed by a pack of ronin Log Trucks three years ago while hiking with a friend of mine. Now I am dead and sad.
thankyoutheend
The Old Saying... (Score:3)
Seriously. When you think about it, there's nothing TrustE can do to prevent privacy policy violations from ALL the sites certified after the initial process. And yes, most of this is TrustE's fault, or better put, a serious ethical problem with TrustE's business model.
TrustE is a really well-entrenched brand name.
TrustE is in business to make money.
TrustE makes that money selling the essentially one-time process of certifying sites' privacy policy, for hundreds to thousands of dollars a pop.
TrustE relies on a QUANTITY of business to keep them afloat.
Since TrustE has an enormous amount of customers(sites) they've certified, to properly police all of them (protect the integrity of their seal) would cost far more than the revenue generated from the initial process.
Thus, the certification is symbolic at best.
So, what have we learned?
We didn't have this problem (as much) back in the BBS days, when everything was local. You knew your friendly (or not so friendly) sys0p, and his reputation preceded him. No silly seal necessary.
Of course, I realize this is a global network now, and this "everything is local" paradigm is dead.
But by the same token, nothing beats doing business with who you know and trust, symbolic declarations of good intentions be damned.
I don't begrudge TrustE - they have a hell of a racket, make a TON of cash, and I'm sure in the same position I'd do the same thing.
The Truste business model (Score:3)
It does not, never has, never will, alleviate the need to read the actual policy at a website, word for word, before giving it a valid email address.
Truste is good for privacy policy building, its wizard is excellent for delineating exactly what you do and what you say. This is its true value add for businesses. Realize that Truste is for businesses, and not consumers, and a lot becomes clear. This is the only way this model can work--how many businesses would pay hundreds of dollars to get something on their site that reads {Truste Certified. This site sells email addresses}
Right. Just south of 1.
Something that would be interesting, tho, is an implementation of that web graffiti software (the controversial one that allows you to post messages connected to websites that other people with the same ware can see?) and have a real, consumer-advocacy-style group go through the big e-commerce sites and rate their privacy practices.
Bad assumption: TRUSTe is *NOT* our friend. (Score:3)
How many people naively share information with sites that have TRUSTe logos? How many people file complaints with TRUSTe instead of the FTC, or their local Attorney General?
TRUSTe works fine. You just have to remember what they're there for: They exist to make consumers *FEEL* comfortable with privacy as it exists, and to keep people from complaining to their government.
It is not TRUSTe's policy to take action under any circumstances. These "loopholes" are not accidents; they are a *FEATURE* of the design of TRUSTe.
The purpose of TRUSTe is to waste your time so you don't complain to the FTC when a site violates its privacy.
And remember, TRUSTe has *NEVER* yanked a seal. Not once. Not even when company staff *FORMALLY AND OFFICIALLY STATED THAT VIOLATIONS OCCURRED*.
Look at eBay; they changed their policy, they started spamming, they kept spamming, they failed to delete accounts when people quit, they kept spamming... And they have a shiny TRUSTe logo.
Same goes for the BBBOnline.
Privacy/Security (Score:3)
Of course I'm also a huge proponent of full disclosure for any companies that conduct transactions over the internet. I should be able to call up Company A and get information about their security so as to feel comfortable in doing business with them. My bank does this on their online banking site discussing topics that the average user wouldn't have any clue regarding.
Of course
(Weak Standard) x (Weak Enforcement) = Useless (Score:3)
Q. Once it has the TRUSTe seal, have you ever kicked out a site for doing something?
No, we've come very close, but we haven't had to do it.... [A] lot of these are just misunderstandings.... [T]he resolution... may result in a change in the privacy policy, the business model, or what have you.
And later:
As their Web sites evolve, we've got to ensure that the privacy statement evolves. It's an ongoing process.
This is wrong two ways.
First, it is a weak standard. All a web site has to do to keep their TRUSTe seal forever is to perform a mea culpa after each "violation" and then change their policy. They don't even need to return to any previous state of "protection."
However, a site only needs to sell my email address to a spammer ONCE for me to have lost my privacy completely. This is what "trust" means -- we as users are dependent on the site's good behavior; we must trust them.
TRUSTe's policy of closing the privacy-policy's barn doors after the user data have escaped is entirely inadequate to the task at hand.
What is needed is a civil liability for the damage that such betrayals of trust cause.
Site Privacy Statement. ;-) (Score:3)
I. Intro and Purview
1. This document governs the privacy policies of the Internet System 197.234.74.257 (the SITE) with regard to its access by one person (the VISITOR) by electronic means and the data about the VISITOR (the INFORMATION) collected hereby, but none of its mirrors, load sharing sites or routers, neither other viewers.
2. By entering within sight of this site you have indicated your agreement to these terms.
II. General Rights
1. It is our pleasure to inform you that you have no privacy rights whatsoever. As you read, personal data is being collected.
III. Information Collected
1. The SITE will endeavour to collect as much INFORMATION as may be determined profitable by the SITE.
2. These INFORMATIONs will include but not be limited to: your home and work contact info, your family history, all such INFORMATION about your relatives including their schools or nurseries, principal caregivers, nannies and ages, your prom date, your IRS return form, any foreign tax return form (or lack thereof), your secret service file with each of the nations on the Security council and your IQ.
IV. Collection Means
1. The SITE will use whatever means necessary, including but not restricted to cookies, IP fingerprinting, port mapping, indiscriminate hacking and paramilitary raids; In fact, as the VISITOR reads this a highly trained team of former SEALS and S.A.S. members is ransacking the VISITOR's (that's you) personal files and residences.
V. Use of Information
1. This site will under no circumstances refrain from selling this information to the highest bidder, including but not limited to security forces of any country or group.
VI. SECURITY
1. Due security measures will of course be taken. If they weren't, we couldn't sell the info because anyone could steal it.
VII. Accessing & Updating Information
1. The SITE sees no need to give access to the INFORMATION, as it is 100% accurate, comprehensive and personal, and the VISITOR therefore already knows it.
2. Every time the VISITOR moves his mouse, the information will be automatically updated. Therefore, the VISITOR will not need to manually modify the INFORMATION
VIII. Limitation of Liability
1. No-one's written any laws yet, so we're untouchable. We have no assets in Europe. The VISITOR is hereby sol.
TRUSTe is a scam (Score:5)
Some tricks they use: they claim AOL.com is covered by the TRUSTe seal until you file a complaint. They then claim only www.aol.com is covered but members.aol.com is NOT covered. This means if you visit www.aol.com to get information you are covered ... but, if you actually join and give them your personal information you are not covered!
Any web site can set up 2 sites www.example.com that has the TRUSTe scam seal and then set up a second site www2.example.com that collects the personal info and avoids the requirements of the seal. What a joke!
Other complaints where sites do have the TRUSTe seal simply go unanswered (Geocities, Real Networks, New York Times, etc). This is not surprising since TRUSTe is funded by fees paid from these companies. People who complain don't pay anything.
Russ Smith
http://privacy.net