
TRUSTe and RealNetworks Wrap-Up

After last week's TRUSTe story, I spoke with TRUSTe's Dave Steer about my concerns with the organization. A slightly clearer picture of TRUSTe's role emerged, but few of my concerns were allayed. Click for more.

First, the week's news in brief. There has been a class-action lawsuit filed against RealNetworks. Then there were two lawsuits - no, make that three lawsuits. Their stock faltered, then rallied, and is now about 40% above the day the privacy news broke.

Strangely, TRUSTe removed its press release "TRUSTe and Real Networks Announce A Pilot Software Privacy Program" from its News page on Saturday, along with one other, replacing them with an older one. There's no indication this has anything to do with the bad press of the last week.

Dave Steer had written a rebuttal to last week's story, but it is unfortunately still not available. If and when the rebuttal is published, we'll update this story with a link to it.

Now for the issues at hand. In our conversation, Dave wanted to make two key points. The first is that TRUSTe is not a "consumer advocacy group," the phrase I've been using. The second is that their press release regarding RealNetworks was a landmark decision, a culmination of six months' worth of their realizing that they have to move in a new direction.

If TRUSTe is not a consumer advocacy group, that raises the question of what it is. I didn't get a very clear answer from Dave on this. Its website says:

"The TRUSTe program was designed expressly to ensure that your privacy is protected through open disclosure and to empower you to make informed choices."

The "you" and "your" mean you - the consumer. TRUSTe claims it was designed to empower and protect you.

But it's not going to do this by punishing corporations for privacy transgressions. TRUSTe is all carrot and no stick. The carrot is that, after a corporation has been caught breaking the rules, it can restore its damaged reputation by cooperating with TRUSTe: issuing a press release, taking some simple steps to improve the situation, etc.

This is a fault that's built into the way TRUSTe was set up: a design problem. There are some questions of poor implementation as well. After the March 1999 revelation of Microsoft's secret GUIDs (user-tracking technology that can lead the cops to your door), TRUSTe went to them and asked for action. Not punishment of any kind - all they asked for was an audit.

And according to Dave, "Microsoft said no."

How could Microsoft make TRUSTe back down? The poor implementation is that TRUSTe's contract with Microsoft, and with RealNetworks, and presumably with all its 750+ licensees, makes a distinction between privacy violations that take place over the web, and others. Companies that steal consumers' privacy through non-web-related technology are not covered under paragraph 5A of the TRUSTe License Agreement.

Paragraph 5C, however, allows TRUSTe to break the agreement and void the trustmark, for any reason. If it had wanted to pressure Microsoft, this would have been the threat to make: terminating the contract, and going public with a condemnation.

But that wasn't TRUSTe's goal. Although it claims:

"...licensees agree to cooperate with all TRUSTe reviews and inquiries. If we cannot reach a satisfactory resolution ... [this] could result in a Web site compliance review by a CPA firm, revocation of the trustmark, termination from the TRUSTe program, breach of contract proceedings, or referral to the appropriate federal authority."

...it will never take these steps. Microsoft refused to cooperate because the carrot wasn't big enough - so TRUSTe offered them a bigger carrot. RealNetworks scanned its users' hard drives for private personal data, uploaded it to their servers, and blatantly lied about it. Short of actually stealing our credit card numbers and running up a tab at the Sharper Image, it is hard to imagine a more serious violation of privacy. Yet TRUSTe went to them hat in hand, asking to be allowed to collaborate.

Those contracts that give TRUSTe no authority over non-web privacy violations? That's not a bug - that's a feature. Even when it has the right to take serious action, a right TRUSTe grants itself in paragraph 5C, it chooses not to use it. Design problem.

Corporate invasion of personal privacy is not a win-win situation. This is a war in which TRUSTe will often have to take sides. Learning that it backed down from Microsoft and had to haggle over even the audit it wanted to impose was an eye-opener. Chris Larsen, the CEO of E-Loan who revealed the behind-the-scenes haggling, described his company as "very concerned" about TRUSTe's inability to address the issue.

In fact, I never would have heard about that if not for the Slashdot comment where Seth Finkelstein called attention to it. It's not confidence-inspiring that TRUSTe has refused to allow any negative information on its homepage, in its press releases, or in its statements of findings. The constant comforting message leaves me uncomfortable.

Dave's second point was that this collaboration - on a new program which will cover non-web as well as web violations of privacy - heralds an important new direction in TRUSTe's history. Now that they have enough licensees to pay the bills, they are not beholden to any of their sponsors, and can start to take a harder line. And they can renegotiate their contracts to fix the web/non-web distinction.

I'd like to believe that's true. But the heads of TRUSTe surely know that, if they ever started condemning corporations' privacy violations instead of collaborating with them, renewals on their contracts would dry up. Corporations love to enter agreements with organizations which give them good press. Organizations that give bad press get ignored at best.

TRUSTe's reputation for lax enforcement is surely part of the reason they now have 750 licensees. It would be a very different story if the carrot ever got replaced by the stick.

I could be wrong. But TRUSTe's actions support this view even if its words don't. RealNetworks needed to be slapped, hard - but now it's up to the lawsuits to give the company a reality check.

Sure, TRUSTe may have helped RealNetworks figure out the proper reaction in this case. But it has 750 other licensees that all got the message loud and clear: whatever you do, TRUSTe will not chastise you. There is no incentive to do the right thing. By its actions, TRUSTe encourages corporations to violate privacy when they think they can get away with it. This will happen again - and it will be the same story each time.

And it may happen sooner rather than later. The most frightening thing I've heard all week was Dave Steer's offhand comment that programs like RealJukebox are probably more common than we think. That makes it all the more ironic that TRUSTe is unwilling to put consumers' interests first.

  • TRUSTe's policy is: "If you feed the bears enough, they'll leave you alone."

    If I'm correct in this, then we're in serious trouble. If you feed an animal, what are the odds of it wandering off and finding its own food? Ok, so translate that into the computer industry...

  • I didn't doubt that they'd pull something like this. It's a real cool deal if you can get into it. Think I'll set one of these up, I'll never have to actually do anything bad. What a world we live in when you can get paid real money to cover up serious breaches of trust.
  • by OneThreeSeven ( 101738 ) on Tuesday November 16, 1999 @06:53AM (#1528750)
    Does anyone think TRUSTe could exist without Microsoft, RealNetworks, and any of their other "licensees." You, the consumer, are not TRUSTe's customer. Microsoft is TRUSTe's customer, and you don't go trashing your customers. What you do is publish nice reports about how collaborative they are.

    Let's assume TRUSTe did pull the trustmark (nice word!) from Microsoft. Does anyone here think it hurts Microsoft more than it hurts TRUSTe?

  • What all of this obviously proves is that Truste is a joke, and a tool of whatever large corporation who wishes to "feed" it.

    My company was actually considering using their program to reassure our customers of our good intentions. Now we'd never use them, as it might make us look as though we disregard the rights of our users as much as Microsoft & Real Networks.

    The EFF needs to try again, but this time give the organization some TEETH, and independence enough to not be scared to use them.
  • Does anyone know how far and deep Real's drive scans went? Do they still do it? What do they collect? Is my GNU/Linux box now vulnerable?

    Where and for what do I sue?

    I'm mad as hell, and I'm not going to take closed source software anymore!
  • by Kaa ( 21510 ) on Tuesday November 16, 1999 @07:03AM (#1528755) Homepage
    It already has been said on Slashdot and I'll say it again: TRUSTe has no credibility left whatsoever. They may have had good intentions at the beginning, but right now the whole thing degenerated into a fig leaf for whatever the corporations want to do. TRUSTe right now is actually doing harm, since it provides the corporations with a convenient cover allowing them to state (with a straight face) that their privacy policies are OK, are being followed, and Joe Q. Random has nothing to worry about.

    I think that this is about time everybody with privacy concerns and some decency left start to distance themselves from TRUSTe as quickly as possible (simple translation: run in the opposite direction. Fast.) The whole affair starts to generate a very ugly taste and more and more looks like TRUSTe was selling PR cover for money while pretending to be on the lookout for consumers' interests.

    IMHO the best solution for this mess is for TRUSTe to die, quickly. I don't insist on the death being painful.

    Kaa
  • TRUSTe's policy is: "If you feed the bears enough, they'll leave you alone."

    Unfortunately, no. It's worse than this. TRUSTe's policy is: "If you let the bear eat what they want, they'll throw some scraps to us" (us being TRUSTe).

    Kaa
  • Teeth and independence are not enough. They need to be structured so that they gain by revealing privacy violations, and lose by concealing them. Even that probably wouldn't be enough for long. Regulatory committees regularly become captive of the industries that they are supposed to regulate. This is because even if the organization gains by honest regulation, the people that the organization is composed of may gain by being friendly with those whom they regulate. What does the ex-chairman of the Fed do? He works for a bank. etc.

    This is a real problem in system design, and I haven't yet encountered a pattern that can be used to solve it.

    Once you solve this one, you need to keep it sufficiently balanced that the committee doesn't start inventing crimes to blame on those that it regulates. That has happened in various times during history also. A fine balancing act.
  • I had been thinking about looking into signing up our Company with TRUSTe, but this puts me off the idea altogether.

    TRUSTe appears to be a paper tiger whose certification is essentially meaningless. But worse, I suspect that clueful users will now begin to suspect any TRUSTe client as possibly using TRUSTe as a shield for nefarious activities. Why would a site boast about a certification from a powerless certifying group? It's sort of like having a diploma on the wall from a mail-order diploma mill. That doesn't by itself prove sleazy practices, but it's sure a strong indicator.

    In short, the TRUSTe symbol may now have more negative connotations for a Web site than positive ones.

  • TRUSTe has no teeth. Did anyone expect them to be some kind of enforcers of privacy? I certainly never thought so. Basically TRUSTe membership is like getting a `Top 5% of the web' sticker for your web page. Woo woo. Until these two articles, I never thought for a second TRUSTe was anything other than a convention to emulate some sense of privacy. If you trusted RealNetworks enough to give them valid information, then YOU did the trusting in RealNetworks. TRUSTe had nothing to do with that deal.

    Now, I'm all for a serious group that asks members of the commercial world to join it in a serious effort to maintain some level of privacy for customers. But the overall problem I see is that no one would join if they actually had to submit to some third party group telling them what information they could and could not gather from their customers and how to manage it. Any ideas? I have a few but I'm not going to clutter up my post with incoherent ramblings. (Damn, messed that last bit up already I guess.)


    Bad Mojo
  • One of the things I find particularly disturbing is that you can't even file your complaints with TRUSTe without them asking for your identity. There is no need for them to know exactly who I am when I point them to a site having the TRUSTe stamp and blatantly violating users' rights (e.g. hotmail).
  • by CormacJ ( 64984 )
    To my mind, Truste doesn't have any credibility any more. If your credit card company was as lax as this about credit violations you wouldn't sign up to them.
    They have become another mindless piece of web page logo that should be ignored.
    If they had wanted to get credibility with the public they would have used the stick with the first transgressor, (a stick the size of a giant redwood preferably) and they used this as an example of what would happen in future. In corporate terms it's easier to use a threat than use the stick, but for threats to work, people need to know you'll use the stick.
    Time after time Truste has been shown violations and time after time nothing much has been done about it. If they had hit the first transgressor hard, Microsoft may not have said "No" so easily.
    Today if you are a software manufacturer with a trustmark and your software copies off all documents marked "business futures" and emails them back for you to use in the stock market, Truste will come after you.
    You'll look at the history, you'll see Realnetworks, you'll see Microsoft, etc, where really nothing happened, and you'll follow their line and say "No"
    It's time that Truste was disbanded, because to the public that know its history it has no credibility, and to the software industry it has no power.
  • Seriously, if TrustE is not going to be biting the hands that feed them, then why are we listening to them? Because they spent much of their money building "brand recognition" on the web (making them the "most visible symbol on the internet" [truste.org]?)

    What we need is a real consumer-privacy watchdog. Not one that says "we make sure that if companies violate your privacy, they tell you first", but one that conducts active research -- if I can catch violations of a privacy statement by using a Hotmail account created solely for online registrations, so can an advocacy group.

    I'm talking about the online-privacy equivalent of the Web Standards Project [webstandards.org]. They publish a credo of "thou shalt nots" and rate everything an "internet business" does.

    For example:

    If they have a website that requires registration, what do they do with that information?

    If they produce "internet-enabled" products, what exactly does the product transmit over the network? How is that information used? (Yet another good reason reverse engineering needs to remain legal, and not just for "interoperability".)

    In the case of GUIDs, do their products create any kind of identifier that can trace a created file or document back to the originating product?

    If any kind of authentication is used to allow users access to the product (like a personal-finances program), how easy is it to circumvent the authentication? Is the information accessible without authentication?

    This group should also put some work into informing people as to what their rights should be online, and helping them fight for it. ("If you use RealNetworks products, write to them at this address and tell them how you feel about the GUID issue"...)

    Jay (=
    (The question is, who pays the bills for a group like this?)
  • Let's take a look at the business model for TrustE briefly. You, as a company, write them a check every year to prove to consumers that you are a good and worthy company. Then, the theory goes that if you violate somebody's privacy, they are supposed to ask you to stop sending them checks and remove that little certification graphic from your pages.

    TrustE's dependency on amiable relationships and paychecks from the companies they are supposed to monitor makes it impossible for them to do what they are supposed to be doing, protecting consumer privacy rights. It's akin to calling up the police because some Mafia guy is beating on you, and it turns out the police won't show up because they are on the take!

    To have an effective watchdog of on-line privacy, it must be a non-profit organization or a government agency. I much prefer the former to the latter of these. Perhaps the EFF, EPIC, or the ACLU, could start up a program of certification like TrustE. Certification of a site or application would be rigorous and free. I'd be happy to write any of these organizations a check if they did this!

    ---

  • What I would like to see is an organization that has a contractual obligation to revoke its endorsement of any company found to violate the public's trust. Individual consumers should be able to donate money to the organization. In return they get the assurance that any site they visit with the TRUSTe logo really is following good privacy guidelines. If some company is found to violate the guidelines, then TRUSTe must revoke its endorsement or face lawsuits by the individuals. This way the companies are obligated to stay honest, and TRUSTe is obligated to stay honest or face lawsuits. -Nathan Whitehead
  • 1) How do we best publicize the contradiction that exists in the TRUSTe service mark to the end that TRUSTe becomes a pariah? Should we forward this story to the major news services? They might well be interested in an organization whose actions run counter to its stated purpose.

    and

    2) Has anybody sued TRUSTe yet for misrepresentation?
  • Without a stick, all these schemes will never work. Self-regulation means, the strong ones (big corporations) will regulate themselves the way they like, and the customer will get only the privacy the corporations leave them.

    Here in Austria, we have some - compared to the US - strong laws about privacy protection (including the right to get information about the data stored, and the right to correct errors), but with quite small fines and difficult to execute.
    Most corporations (and government agencies, they are even worse) still do what they like.

    Privacy for customers will only become a serious concern, when violations become a real threat to even big companies. Before that happens, all those policies and rules are just marketing babble.

    Servus,


    johi
  • That wouldn't change anything. Ultimately, the obligation needs to be enforced by somebody, and if TrustE and the company they are dealing with don't want to follow that obligation they don't have to.

    ---

  • Over on the Consumer Reports [consumerreports.org] site they are running a thing about e-commerce. Well, one of the things they mention is that the consumers should be looking for the trust-e logo. Apparently they are under the mistaken assumption that Trust-e means anything.

    I have been wanting to write them a letter as soon as I read this small article, but apparently only members of the CR website can send them email - otherwise you have to send them snail mail.

    Now, this leads me to a question - a few months ago someplace somewhere someone put up a note or newsitem or something that talked about somebody and their policy on their website. The trust-e logo was showing up on www.thewebsite.com but they were violating the privacy over on blah.thewebsite.com. Trust-e's response, if I remember correctly was "well, www.thewebsite.com is the site that is licensed, so we don't care about blah.thewebsite.com" or something to that effect. Now I can't find this story or whatever it was. Anyone else remember this or did I dream it?
  • Note that they also ignored eBay's recent spam and privacy abuses.
  • After having read this article, well written and researched article too JAMIE!!!!, I was reminded of when I looked into TrustE for our own company. And then I remembered why I rejected it.

    First item I wanted to know was who funded this group, where were their revenues coming from, and were the sources the kind that would inspire trust. Then I looked at the Board of Trustees. Imagine my surprise when I find quite a few similarities in the list of sponsors and the BoD. It was an impressive list, but not what I would expect from a group that said its position in the industry was to be a watchdog, whistle blower, etc.

    But I continued to read.

    The opinion I formed, and this is opinion only, is that TrustE was created as a marketing tool to create the aura of trust for each "member/Licensee". But did this aura equate real trust? If TrustE has fallen short on its promise to take action in cases such as REAL NETWORKS, what would public opinion be?

    But I cannot help feeling what I digested left me with more questions, than conclusions. We wanted to be a trusted organization. But TrustE as the governing body left me feeling a little cold within the warm fuzzy of the literature.

    Some of the tougher questions were: 1. If someone really looked at TrustE's organizational structure would they trust it?

    2. What if TrustE's handling of a violation were considered weak or worse ineffective?

    3. Would our customers feel safe with the mark?
    Would they trust my company more?

    4. Would a scandal within TrustE decrease consumer confidence in our services?

    We did not pursue a relationship with TrustE at that time because of these types of questions. Could it change with time? Who knows. But the current course of events does not impart confidence.

    The Problem is within this question: Can a group that monitors privacy violations be effective when the watched are the keepers themselves?

    If the REAL NETWORKS case is the rule and not the exception....... Well come to your own conclusion.
  • Perhaps the EFF, EPIC, or the ACLU, could start up a program of certification like TrustE

    The EFF did start up the TrustE program! See here [truste.org].

    Regards, Ralph.

  • I have to say, I work for a company whose website is certified by TRUSTe, and when the certification was explained to us, we were told simply that this meant that TRUSTe had read and reviewed our privacy policy to be certain that it met Online Privacy Alliance (OPA) guidelines, did some "ghost shopper" calls to our customer service team to be sure we followed our policy, and periodically checked in to make sure we were still upholding it. We were never told that they would be able to punish and/or threaten our site. What may be at issue here is the public's misinterpretation of what TRUSTe's "trustmark" actually represents. If you go to www.TRUSTe.org, and check out "How we protect your privacy", there is nothing in there about checking the strength of the security of the site, simply that the site discloses what its security measures are.
  • Sterno's point is still well taken, however. TRUSTe was the brainchild of Fena (of the EFF) and Jennings (of Portland Software), but now it's a separate agency which depends in large measure on companies which it's supposed to be policing. Note that Microsoft is listed as one of their "premiere corporate sponsors" [truste.org] on their homepage.

    What I think Sterno meant is that we need an organization which will not be beholden to the very organizations it's supposed to be watching. I don't know that the EFF would be a good fit to fill these shoes, or EPIC, or the ACLU, but TRUSTe certainly doesn't seem to be cutting the mustard.

  • Still no substantive response from TrustE or Microsoft about my "watchdog complaint #2363" [slashdot.org] filed a month ago. It was against Microsoft for sending spam to an address that had opted-out of all mailings.

    TrustE is worse than useless. Perhaps a certification agency could help to ensure privacy, but right now TrustE is standing in the way.

  • This whole situation is appalling. Trust-e is clearly beholden to its corporate patrons, and is defrauding the consumer by pretending to act in their best interest.

    I happen to be a Consumer Reports online customer, and I'm going to complain loud and clear, and point them to this article. Maybe they'll raise a stink if they knew. They should know better.

    Rich
  • Actually, random people off the street can email CR as well. Go to this page. [consumerreports.org]

    I encourage everyone else to send in your (rational, calm, concise) comments about CR recommending Trust-E.

  • Ah, I didn't know that TrustE has an association with the EFF. But yeah, my general point was that whoever does this needs to be in a position to say screw the corporations if it has to.

    Ralph Nader maybe? :)

    ---

  • It would be nice to have a "tick" mark on sites that have some sort of standard, but I believe that, like in security, doing something badly is worse than not doing it at all, as the consumer then [wrongly] trusts it.

    So, if you don't trust truste, the next time you see a site that you need to register for, and it has the trustee mark, email a nice note to the webmaster, saying that you'd love to register, but that the trustee mark in its current state is a *deterrent* rather than an attraction to the site, and you will not register until either a) the trustee mark means something, or b) they stop endorsing it.

    If enough people did this, then trustee would either disappear, or start to actually mean something.

    --
  • This is not really new. It's the same problem the Better Business Bureau has had for all of its existence - they will never apply meaningful pressure against anyone who is a member, because that would be biting the hand that feeds them.

    What results is a sham that's only a little better than an outright protection racket. The inherent conflict of interest prevents even gross violations of guidelines from showing up on the records of those willing to pay for the protection. Sad but true. So how is it big news that this problem has found its way to the net.

    Why don't we talk about something important like stamping out spam?
  • There is a business model very similar to TrustE that already exists: the public accounting/auditing industry. Companies pay their auditor to give an opinion of how their financial statements comply with generally accepted accounting procedures. This opinion is published in the annual report with the financial statements. An unfavorable opinion (or an opinion with exceptions) will decimate the company's stock, so it is a pretty big stick.

    The same arguments you present have been leveled against the accounting firms (lack of objectivity), but the process has been in place for a long time, and no one has come up with a better solution. Generally, it seems to work ok, and many times auditors will force companies to take action behind the scenes in order to avoid an unfavorable opinion.

    I think such a model could work, but the company or companies (not TrustE, they are toast) would have to be willing to remove their endorsement for infractions, and web browsers would have to care more about their privacy, using only companies which had their privacy policies "audited".

  • I was just surfing to look at truste.org when I saw a list of their sponsors on their home page. Lo and behold, Real Networks is a "contributing corporate sponsor." This has to lower TrustE's credibility...

    Rajiv Varma
  • This is a very simple problem. Everyone has watched Microsoft thumb their noses at the consumer time and time again, and now that thought process has moved itself into the mainstream, stronger than ever before. It has never been easier for companies to pry into your private life, and we make it easy for them to do that by using their products. It seems to me that now, more than ever before, companies do not care about the consumer. When companies like Ask Jeeves can get stinking rich off of a crappy useless web site, then they have to ask themselves what they gain by paying attention to us "little people." Microsoft keeps on giving us "features" we don't want, and yet they continue to pat themselves on the back. Executives are seeing money rolling in the door, and no punishment comes for doing the wrong thing (Real's stock shot up 40% since this issue, MS's stock continues to go up after the judge's ruling). Why is this? It's because the stock market is making the money for these people, not us. Product sales are a small percentage of profits (has Amazon made a profit yet??), whereas stock prices continue to soar. We matter not at all in the corporate world, and as such we are seeing the problems like with Real, and we will continue to see these problems until we stand up and do something about it.

  • I followed the instructions [truste.org] on the TRUSTe site and filed a complaint. If enough people do this, then *maybe* they'll start taking themselves seriously. The ball is in their court. They need to take their mission seriously before they'll get any respect from the public or their licensees.
  • Is it just me, or is the inherent conflict of interest of TrustE as obvious as balls on a tall dog?

    The people who display the TrustE graphic are the same people who pay TrustE. How many of us can turn down the cynicism dial far enough to blindly accept that TrustE can/will do things that will have serious negative impact on their bottom line?

    Never trust anyone who can make more money screwing you than they can by protecting your interests. It's just that simple, and it makes the furor over TrustE's lack of credibility seem to be pretty pointless. "Oh no! They're acting in their own best interests and not ours!" Duhhhh...

    The ugly side effect of this whole debacle is that TrustE has now cast an evil shadow over every web site that provides a privacy policy. People will now view every privacy policy as a disclaimer that site owners use to avoid liability for violating consumer privacy.

  • Except for the fact that their whole purpose of existence is TO act in our best interests. If they aren't doing that, then what is the point? Why the point is to make corporations feel good. Yet their site claims to act in our interests to protect our privacy. Seems obvious to me then that they are lying to us, and as such are a Bad Thing(tm). It would be no different than if your doctor started acting in his best interests and not yours. Some doctors do act like that, but the majority of them are then sued for malpractice. Cynicism has nothing to do with it.
  • To have an effective watchdog of on-line privacy, it must be a non-profit organization or a government agency

    Trust-e claims to be non-profit. I don't think non-profit will get you anywhere if you're funded by corporations and not consumers, as Consumer Reports is.

  • Okay, I sent CU my comments. Here they are if anyone is interested:

    Thank you for your article about e-commerce. It was very insightful and helpful!

    However, there is a glaring problem with it. In the article, you mention that consumers should look for the Trust-e symbol.

    Based on Trust-e's track record, consumers should do nothing of the sort. They should instead chuckle and giggle at the web site operators who paid them money for the symbol. The symbol does not even hold as much clout as the Better Homes and Gardens symbol which, if I remember correctly, your organization had fun with about 10 years ago in the pages of CR.

    Here are two links to articles which are currently appearing on Slashdot.org:

    http://slashdot.org/article.pl?sid=99/11/05/1021214

    http://slashdot.org/article.pl?sid=99/11/12/1144210&mode=thread

    I could point you towards more articles, however I think your network would get overloaded. :)

    At any rate, I hope you will find these two articles informative and will be moved towards changing the article to remove the Trust-e comment from it. I think to have it there otherwise just leads consumers who do value their privacy into a dark and murky world of actually having it invaded.

    Thank you for your time.
    Randy Rathbun
  • Jamie writes in the intro to this article:
    > A slightly clearer picture of TRUSTe's role emerged,
    > but few of my concerns were allayed.

    I had to laugh when I saw the phrase "clearer picture of TRUSTe's role". For me, it's because I've gotten a clearer picture of TRUSTe's real role that I'm concerned in the first place.

    Notandi Sunt Tibi Mores: By your actions shall you be judged.

    TRUSTe's role is simple: Take money in from companies with a vested interest in violating your privacy, then turn out a false illusion of security to suckers^H^H^H^H^H^H^Hcustomers that their information won't be shared. Trusting folks like that is like sending your name to a spammer's remove list.

    The TRUSTe mark is a mark of untrustworthiness - as others have pointed out, it's flawed by design - all it can mean is one of two things.

    Either:

    I will sell your name to the highest bidder, but I buried the policy that says so in a font of microscopic size twelve levels down in my site, but the policy is available, and by God, we are following it, selling your name just as we promised. TRUSTe has verified that we follow our policies.
    Or:

    I will install trojans on your hard drive, but as long as they don't communicate their information back to me through port 80, we're off the hook. If it ain't that, we're paying TRUSTe good money to help us find another technicality that'll allow us to keep the mark up there for the rubes^H^H^H^H^Hcustomers who are still deluded enough to think we're ethical.

    Some have called for TRUSTe to die and be replaced by something else. By what, pray tell? No monolithic "seal of approval" organization can have de facto trustworthiness - it's not in the nature of the 'net to place its trust in centralized institutions.

    It is, however, in the nature of the 'net to sniff out BS, and expose it wherever it may lie. That sniffing has caught M$ out with umpteen egregious violations, the EBay spamming fiasco, the RealTrojans, and countless other folks, be they TRUSTe members or not.

    Caveat Emptor. I know which companies I still trust. I know which companies I don't. And I know which companies I never will. Ironically, the ones I trust, more often than not, don't have the TRUSTe logo on them. And over the past year, I have to admit that the more "clear a picture I have of TRUSTe's role" I get, the less I trust the sites which bear it.

    When I see a TRUSTe logo, I immediately think "Your reputation was so shoddy you had to pay these weasels for good PR insurance in the event that you get caught with your hand in the privacy cookie jar? Puh-leeze!" Can I possibly be the only one who thinks this way?

    Final word:
    If you have pull at your company, consider withdrawing from the TRUSTe program. Declare your privacy policy up front and stand by it. Why would you want to dilute the trust you've built up by associating with a group whose sole function it is to defend egregious violators of customers' privacy?

  • Some of the comments made by TRUSTe about the RealNetworks incident (not to mention the Microsoft GUID) were to the effect of "well, it doesn't involve their web site, so it's outside our jurisdiction".

    But that's not necessarily true.

    From Schedule A [truste.org] of the TRUSTe license agreement, rev 5.0 (I wonder what the history of changes is):

    "1. TRUSTe Program. The TRUSTe Program (the "Program") is intended to promote fair information practices with regard to the collection of Personally Identifiable Information and Third Party Personally Identifiable Information at Web sites in order to promote the Internet as a trustworthy environment for conducting business, education, communication and entertainment activities. [emphasis mine] Without detracting from the foregoing, the Program may be made applicable to online facilities and services that are similar to an Internet Web site."

    Now, one could make an argument that this may not apply to MS Word's GUID (although it's internet-enabled, the GUID is not necessarily a byproduct of that functionality) it would, in my opinion, most definitely apply to RealPlayer.

    TRUSTe appears to reserve for itself a broader mandate than "just verifying web sites". But apparently it chooses not to pursue it.

    Jay (=
  • You are, of course, entitled to your own opinion. There are some of us who feel that the casual passing around of data that we consider private is an issue. If you don't feel it's an issue, you're welcome to feel that way. We'll just have to agree to disagree.


    ...phil
  • As far as I'm concerned, Truste has lost all credibility on this. They made no move to censure, publicly denounce or even chastise Real for such a blatant abuse of privacy laws. The overall view seems clear: consumers cannot rely on a 3rd party watchdog to police the marketplace. The BBBOnline has tried to make inroads on the privacy issues, but as someone pointed out above, their agreements have no teeth.

    Any site worth visiting posts their privacy policy. It's up to intelligent consumers/users to examine them and protest when there are holes and/or violations. The best response users can give is to refuse to use a product/website that will pass your data around without telling you or leaves open-ended loopholes in the privacy laws. It's also up to the 10% who know and care about these issues to continue to point out the flaws to the media and anyone who will listen.

    I have been asked to examine Truste for my company and I have flat out refused to consider them for our privacy needs based on their refusal to deal with Real in a sensible manner. Sure the press release looks good on the wires, but if all they're going to do is cash our check, why bother?

    As we get closer to medical records online we need to see stronger privacy policies, opt-out strategies and anonymous cookies available to the general public. I believe most companies WANT to protect their users' data, it's in their best interest for the life of their business. However, there are those few companies who decided that their marketing research or possible business deals with another vendor take precedence and try something sneaky. These are the companies who need to be reprimanded and pushed out of the marketplace. Truste made it seem they were the ones who could do it, they've obviously failed.

  • If I may interject a fact into the feeding frenzy, GUID's are not "user tracking technology" as jamie states.

    A GUID is a "Global Unique IDentifier" produced on demand by Microsoft dev products when the developer needs a name for a new COM service, ActiveX widget, or other application element that is guaranteed to be unique. This GUID is used to index the service/widget/whatever against a "local server" string in the registry, which identifies the path to the local machine's copy of that widget/service/whatever.

    If we did not have GUIDs, there would exist a possibility of duplication and systemic failures for no good reason other than lack of originality. You can easily imagine hundreds of widgets shipping with the "unique and clever" names "foo" or "myId" or "37337". Get two of those widgets on the same machine and things break.

    The GUID is generated by a satellite app to MS Dev products, but anybody can generate one. The most reliable means is to take the hardware id of the local Ethernet card (supposedly already unique) and add some random cruft on either end. This makes it probabilistically guaranteed that you will never see the same GUID twice, and hence guarantee that your program will encounter no conflicts. Very slick.

    Now certainly a GUID could be used to track a person or a machine, just as it can be used to uniquely identify an ActiveX control. However, that is not their primary function. When Microsoft used GUID's, it did so during the Windows registration process so that the client machine itself could save them the trouble of inventing a unique key to reference the registered information. This was the easy way out of a problem, but clearly somebody didn't consider the privacy ramifications. Or, if you choose to be conspiratorial, the evil MS employees knew it all along.

    The misuse of GUIDs does not deprecate their extreme usefulness when applied responsibly.

    -konstant
  • If I'm not mistaken, the GUID referenced is a GUID assigned to a Windows installation, and embedded in Office documents, which, in turn, can be used, and has been used, to track down the documents' authors.

    The machine GUID is one of the reasons MS won't endorse the practice of cloning Windows NT disks to do mass installs.

    I should mention that my knowledge of this issue is very superficial, and relies mostly on /. postings.
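
An added example, not part of either comment above: a check for whether a GUID discloses the network card and creation time of the machine that generated it, which is what makes the document GUID discussed here traceable. It assumes the RFC 4122 version-1 layout for the Ethernet-address scheme; `make_v1_guid`, `inspect_guid` and the sample values are constructed for illustration.

```python
import uuid
from datetime import datetime, timedelta, timezone

GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # v1 timestamp origin

def make_v1_guid(mac, when, clock_seq=0x1234):
    """Build a version-1 GUID from a 48-bit node ID and a UTC time (sample data only)."""
    ticks = ((when - GREGORIAN_EPOCH) // timedelta(microseconds=1)) * 10  # 100 ns units
    return uuid.UUID(fields=(
        ticks & 0xFFFFFFFF,                   # time_low
        (ticks >> 32) & 0xFFFF,               # time_mid
        ((ticks >> 48) & 0x0FFF) | 0x1000,    # time_hi with version nibble = 1
        ((clock_seq >> 8) & 0x3F) | 0x80,     # clock_seq_hi with RFC 4122 variant bits
        clock_seq & 0xFF,                     # clock_seq_low
        mac,                                  # node
    ))

def inspect_guid(text):
    """Report what a GUID string discloses about the machine that generated it."""
    g = uuid.UUID(text)  # accepts the {BRACED} registry form as well
    info = {"version": g.version, "mac": None, "hardware_mac": False, "created": None}
    if g.variant == uuid.RFC_4122 and g.version == 1:
        octets = g.node.to_bytes(6, "big")
        info["mac"] = ":".join(f"{b:02x}" for b in octets)
        # A set multicast bit means the generator used a random node ID, not a NIC address.
        info["hardware_mac"] = not (octets[0] & 0x01)
        info["created"] = GREGORIAN_EPOCH + timedelta(microseconds=g.time // 10)
    return info

# Constructed samples: the MAC is from the 00:00:5E:00:53:xx documentation range.
SAMPLE_MAC = 0x00005E005301
SAMPLE_WHEN = datetime(1999, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_V1 = "{" + str(make_v1_guid(SAMPLE_MAC, SAMPLE_WHEN)).upper() + "}"
SAMPLE_RANDOM_NODE = str(make_v1_guid(SAMPLE_MAC | 0x010000000000, SAMPLE_WHEN))
SAMPLE_V4 = "3f2b8c1e-7d4a-4e9b-a1c3-5d6e7f8091a2"  # random-based, no node field

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_RANDOM_NODE, SAMPLE_V4):
        print(sample, inspect_guid(sample))
```

Only the first sample reports a hardware address; a GUID generated from random bits carries nothing that links two documents to one machine.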
  • Ya know, though, it is decidedly not in a physician's best interests to make referrals to the undertaker. The sawbones makes more money if you keep coming back.

    I am not suggesting that TrustE didn't begin with nobler goals in mind, but there is an inherent and inescapable conflict of interest there: TrustE's survival vs. their stated mission. It's an old adage: Don't bite the hand that feeds you.

  • Remember, TRUSTe originally certified ONLY that you did what you said you'd do. So I thought about having the following privacy policy for my consulting company:

    We OWN your info, sucker. We reserve all rights, including those that haven't been thought of or invented yet, to anything that might make a buck. Finders keepers losers weepers. It's ours, ours, ours, and we'll do anything we damn please with it. We'll sell it to your worst enemy, post it to alt.sex.voyeurs, or put you on a I-love-spam list if we feel like it. And if you don't like that, tough.

    And guess what? By having this policy, you've given your "informed consent" to it, according to TRUSTe! Why? Because we have this policy and we told you we have it, and again if you don't like it, tough! Isn't self-regulation grand? You wouldn't want the evil government bureaucrats interfering with your free-market right to consent, would you?

    It's CHOICE! That is, we tell you we choose to do whatever we damn please, and you can choose to take it or leave it. Privacy is not a right but a preference, and we prefer you don't have any. So support TRUSTe!

    Needless to say, you can be absolutely, positively, completely, sure that we'll comply with this policy. Just trust us.

    It wasn't worth paying a few hundred dollars to TRUSTe to try to go through with it, but it was a very tempting idea :-).

  • I just finished an article for University about the role of user and offer profiles within E-Commerce. Of course, I also had to look at TrustE for this (it was only a marginal topic, though).

    It's a culture difference.

    In the anglo-saxon world, especially in the US, people in general hate the idea of government intervention. It is common belief that the market will regulate itself, without any direct influence by the state.

    Self-regulation is something people are much more comfortable with, so TrustE is something quite typically American.

    That self-regulation of consumer profiling does not work however is more than evident, this only being yet another example. Nevertheless, there are little to no laws in the US that regulate their citizens' privacy.

    The authors Choi, Stahl, Whinston (The Economics of Electronic Commerce) state that "Privacy is nothing but a myth" today. You can trade, buy and analyze consumer data with multitudes of sources and it is possible to (not exact quote) "create a detailed profile about practically anyone".

    This is by no means meant as US-bashing. While we have a few strong laws that regulate consumer privacy in many European countries, I don't claim that they work as well as they are intended. (It is just interesting that we voters in Germany ask the government to regulate privacy and happily accept laws about it.)

    You basically have little possibility to enforce these laws as a consumer since you rarely are in the position to find out if and where your privacy was breached before it is too late.

    And some companies just don't care. There are German companies collecting user data that are not located in Germany themselves, only to avoid the local laws regarding privacy...

    ------------------
  • It's like radio or TV. You think that they make Futurama or whatever show for you, but they make it for the advertisers. You're just there so they'll have someone to advertise to.
  • Even if Slashdot readers like you and me never trusted TRUSTe, I'm sure a lot of lusers did, and it's not fair to them. Also, think about the point of an auditing organization: not to get lots of companies to sign up, but to do a meaningful job. If consumers insist on being protected by a trustworthy organization, then the money will be there, and the businesses will sign up. A few companies would sign up, going for Ben 'n Jerry's-style responsibility, and no doubt they would be financially rewarded.
