TRUSTe Decides Its Own Fate Today

TRUSTe, the steward of the most visible symbol on the internet, is making a tough decision today. Today, it reveals what it intends to do about its client Real Networks. At stake is whatever's left of its credibility. (Update: 11/08 02:55: Real got off on a technicality: "because the transmission of user data ... did not involve collection of data on the RealNetworks Web site, the privacy incident was outside of the scope of TRUSTe's current privacy seal program.")

Unquestionably TRUSTe is the leader in third-party privacy assurance. Its only alternative is BBBOnline, which can boast only 100 members to TRUSTe's 750. But it's having a hard time living up to its motto, "Building a web you can believe in": sometimes it's hard to know what to believe.

TRUSTe's original idea was to allow a website to display one of three icons, indicating whether its privacy policy was good, ok, or bad. There turned out to be problems with this - strangely enough, no site wanted to post an icon saying that their privacy sucked - and the icons looked too similar anyway. So they went with one icon, a "badge" that every member site posts.

All the badge means is that the site has a privacy policy, and that, as far as TRUSTe knows, they haven't violated it.

If you think this is a questionable basis for a consumer advocacy group, you're right. But the real question is how it plays out in practice. Let's take a look at TRUSTe's track record.

Round I: TRUSTe and GeoCities. In June 1998, the FTC announced - to everyone's surprise - that it and GeoCities had come to a settlement regarding violations of consumer privacy.

Everyone was surprised because this was the first anyone had heard of it. Where was TRUSTe?

Caught flat-footed, TRUSTe scrambled for a few days, then made its own announcement. It pointed out that GeoCities had begun the alleged privacy violations before applying to become a member (in April) and being accepted (in May). Therefore, TRUSTe claimed, the violations were technically not under the scope of their investigation.

But turn that around and put it another way - it was able to become a TRUSTe member even while under investigation by the FTC, and TRUSTe said nothing.

It gets worse. The FTC and GeoCities issued conflicting releases about what the settlement actually meant. The FTC said that GeoCities had "misrepresented the purposes for which it was collecting personal identifying information" (including children's). GeoCities denied the charges.

So who was right? We still don't know. Despite this being precisely the issue that TRUSTe was set up to resolve, TRUSTe refused to confirm or deny the FTC's allegations.

In a 1998 open letter, I asked whether TRUSTe's initial review of GeoCities had included any really tough questions such as "are you currently under investigation by the Federal Trade Commission?" No answer. In fact, mention of the GeoCities incident seems to have been removed from TRUSTe's website.

The organization that wanted to make the FTC obsolete was not off to a good start.

Round II: TRUSTe and Microsoft. March 1999. This was the "Global User ID" case. It turned out Microsoft had been embedding a user ID into every document you created with their software. Since they put that ID on file when you registered their software, they have been capable for years of tracking authorship of even supposedly-anonymous documents.

And don't think it's just a theoretical concern. Just weeks later, the Melissa macro virus was unleashed, and its author was tracked down using this same ID. Any technology that can lead the cops to your door is potentially dangerous technology.

TRUSTe announced that this "compromises consumer trust and privacy" (duh), but said that since the Global User ID does not, strictly speaking, involve the Microsoft.com website, it had no jurisdiction. Their conclusion: "TRUSTe has determined that Microsoft.com was in compliance with all TRUSTe principles."

In reality, Microsoft's privacy page (prominently labeled with the TRUSTe seal) also discusses online registration of software products, and notes that the "personal profile" from their software registration appears on the website and is editable from the website. And that page claims that registration is covered by the TRUSTe guidelines. For TRUSTe to claim it's not requires some Clintonesque redefinitions.

CNET's headline was exactly right: "TRUSTe Clears Microsoft on Technicality."

Round III: TRUSTe and Deja News. April 1999. Again TRUSTe is taken by surprise when a computer sleuth discovers that Deja News has been collecting data on email sent by its users. When a reader clicked on an email link in a discussion posting, the destination email address was recorded, along with the presumable topic of discussion, the sender's IP number, and if registered, the sender's personal data.

This is not what one expects when sending private email! And this clearly involved Deja's website, so there was no question of another technicality.

TRUSTe's analysis of this situation was only two paragraphs long; here's all that happened:

"TRUSTe specified certain clarifying language to be included in the privacy statement. Deja News, independent of TRUSTe, then decided to discontinue the practice of tracking IP addresses in conjunction with the mail-to feature."

In fact, the situation was resolved long before TRUSTe even bothered to issue that statement. TRUSTe's suggestion of "clarifying language" had been obviated long before by Deja's indepedent action. See ZDNet's story of May 4th, which hopes that TRUSTe "will likely issue some sort of statement...this week." But TRUSTe stayed silent for four weeks.

Round IV: TRUSTe and Microsoft (again). A wide-open security hole in Microsoft's Hotmail is breached, and for a few hours everyone's inboxes are public domain. (If you don't think this is a serious privacy violation, read the stunning anonymous tale of cracking into an enemy's email, published on Salon.com the next day.)

TRUSTe's response is to call in an independent accounting firm to talk with Hotmail's programmers and security people, look over the source code, and generally try to make sure such a problem won't happen again. This isn't a bad idea - it just wasn't much of anything that Microsoft wouldn't have done on its own. Locking the barn door after the horse is gone doesn't help the people whose privacy has been lost. Microsoft is out of pocket a few bucks for the audit, and gets more than its money's worth by being able to say that TRUSTe still gives them a clean bill of health.

How can all these incidents have passed by without punishment of any kind? It's because of what TRUSTe is actually guaranteeing. Not that any company will actually keep its data private - but that the company is not lying in its privacy assurance.

That's right. You know those privacy promises you never read, the ones that are different on every website and all seem ten pages long? What TRUSTe does is promise you that, if you had read them, you'd know your rights.

If it wanted, a company could have its lawyers dress up "we will spam your email every day and sell your name and address to anyone who asks for them" in legalese, and get a TRUSTe badge on their homepage. Would you know you were being screwed? Not unless you speak fluent lawyer.

Is the FTC such a bogeyman that we really need to sell our privacy so cheap?

When Ralph Nader was pressing the government to impose strict safety standards on the auto industry, Henry Ford II complained that they were "unreasonable, arbitrary and technically unfeasible." After the laws were enacted anyway, a decade later he conceded: "We wouldn't have [these] kinds of safety ... unless there had been a federal law."

Imagine if our only automotive safety regulations were that Detroit must abide by its lawyers' fine print!

The usual argument is that requiring an actual guarantee of privacy would stifle business. The purpose in forming TRUSTe was to keep the internet corporation-friendly, by keeping the government out. TRUSTe was well-intentioned, no question. It was a noble experiment.

But, according to some influential people and groups, it has failed.

Forrester Research studies topics related to the internet and made privacy its concern in its September 1999 report, "Privacy Wake-Up Call." Its conclusions should not be surprising:

"Most privacy policies are a joke." Forrester says corporate privacy policies are legalese set up mostly to protect the corporations.

"Few companies meet key privacy protection principles." About 10%.

"Third-party programs show little traction." Hundreds of TRUSTe licensees don't amount to much on the billion-page net.

And, "third-party privacy firms...like TRUSTe...become more of a privacy advocate for industry rather than for consumers."

(Slashdot has more on this study.)

Even the Electronic Frontier Foundation, after years of straddling the fence on the issue, has finally recognized that self-policing just doesn't work. The EFF is not just the best-recognized internet rights advocacy group; it created TRUSTe.

Yet, in an October letter to the FTC, the EFF laid down its cards:

"Creation of TRUSTe and its seal program was one such early innovation of EFF. TRUSTe was successful in several areas. ... We now must move out of this awareness-raising mode and into an action mode where real protection can be achieved. Legislation is needed in order to achieve that goal. ... we think it is time to move away from a strict self-regulation approach to protecting privacy online."

The latest nail in the coffin came on November 1, when EFF Program Director Stanton McCandlish laid out the facts on the fight-censorship mailing list:

"Our stance has basically been that industry self-reg would be worth trying, but might or might not be enough. We did the 'proof of concept' ourselves, by launching and spinning off TRUSTe. But TRUSTe was intended to be and is a separate, independent entity, and was created as an experiment. The experiment is in many ways a failure..."

(McCandlish's personal opinion is even more scathing. Follow the link to read it.)

You wouldn't know this if you read the TRUSTe website. Their homepage proudly tells you about the six-month-old Georgetown study, but makes no mention of the Forrester Research report. It tells you that the FTC supports self-regulation (based on Georgetown), but won't tell you that its own parent, the EFF, thinks the ride is over.

If TRUSTe is a consumer rights and advocacy group, why are they only feeding us the feel-good stories? Aren't consumer groups supposed to be the ones that dig up dirt and tell us about potential problems?

The money trail leads to the answer. TRUSTe isn't a consumer advocacy group. TRUSTe doesn't get its money from consumers. Its money comes from corporate sponsors, and nobody wants to bite the hand that feeds them. Besides, those corporations want the message to be one of constant calm. Concerned customers are not good for sales.

Remember the GeoCities FTC findings that TRUSTe wouldn't comment on? GeoCities had just done an IPO and millions of dollars were at stake. GeoCities' sister corporation Engage Technologies (they are both subsidiaries of CMG Industries) was a Contributing Corporate Sponsor of TRUSTe. That conflict of interest was never mentioned.

(GeoCities has since been purchased by Yahoo.)

Remember the Microsoft incidents that TRUSTe waffled on? Microsoft is not just a member, but also a Premier Corporate Sponsor of TRUSTe. That conflict of interest totals $100,000 per year.

Round V. By now you've guessed that this is leading up to the current furor over Real Networks. Real is a TRUSTe member. Do I need to mention that it's also a Contributing Corporate Sponsor?

TRUSTe said that it would render judgement on Real Networks by the end of last week. Now it's saying today.

And it's making noises like they're actually going to do something this time:

"We could take the company to court for breach of contract, since they do have an agreement with us. Or, we can forward the case to the FTC... I guarantee that the damage to the reputation of the first company that we do that to will be big."

For its own sake, it had better. We're talking about a company whose product is a Trojan Horse that secretly scans your hard drive for valuable personal data. If TRUSTe doesn't unload with both barrels, its credibility will be negative zero.

Anything TRUSTe does may have a negligable effect in any case. Corporations only understand the bottom line, and RealNetworks stock shot up 25% in the five days following the privacy debacle. With the company's market cap $1.9 billion higher than it was a week ago, how much are they really going to care about some nonprofit gnat?

We can hope. Real.com today unveiled its new website, a music portal, which investors will be watching carefully. Also happening today is a conference held by the FTC and Commerce Department for data-profilers to announce what they're going to do to protect privacy. So if TRUSTe were trying to maximize the effect of their announcement, today would be the day they'd pick. It could be that the gnat will have a nasty bite that surprises everyone.

Still - you can dress an organization up in not-for-profit clothes, but that doesn't change that it's beholden to its revenue stream. TRUSTe says we can trust them to be objective, on the theory that their revenue stream will dry up if they don't do right by consumers. So far, there doesn't seem to be much truth to that. They haven't been doing us right, but their number of contributors and members just keeps growing.

I enjoy reading about the future envisioned by people like Gibson and Stephenson, where the net is totally unregulated and a "right to privacy" is a dim memory, or a joke. That doesn't mean I want to live in that future. Europe has consumer protection laws that are, from an American perspective, astonishingly strong. Maybe we should take a look at other countries' solutions, to see if there's something we could learn.

So far, all we've learned is what fails.

- Jamie McCarthy