Domain: zdnet.com
Stories and comments across the archive that link to zdnet.com.
Stories · 2,686
-
DOJ and States to File Charges against Microsoft
A lot of people have submitted the news (through ZD, from WSJ) that the DOJ and States will be asking Judge Jackson to find MS guilty of illegally protecting and extending a Windows monopoly and of illegal business practices. The first two violations would be under Section 2 of the Sherman Act, and the third violation for business practices under Section 1. Read the article - well researched and has a great summary of what's happening. -
Stevie Wonder to Implant Eye Chip?
chocko sent us an article about Stevie Wonder's Eye Chip. Now normally a Stevie Wonder story probably wouldn't make it on Slashdot, but this is actually about him implanting a chip into his eye in order to try to gain some of his sight back. I just thought that was kinda cool. Update: 12/04 12:02 by H: Thanks to Chris Griffin for updating the story. -
Novell CEO Attacked by Cookie Monster
CitizenC sent us a funny as hell article where Novell CEO Eric Schmidt talks about having his credit card stolen. The funny part is that he blames cookies. Cookies are certainly flawed, but he goes as far as to call them one of the biggest disasters in computers and tell us that they are stored in the wrong place (what, we're gonna keep them on floppy disks?). Finally he (surprise!) plugs Novell's own digital authentication mechanism (aha! The truth comes out). Hit the link to read a little more ranting by me on the subject.
It is a given that cookies are flawed:
- Most systems store them in a readable format on your hard drive. Yeah, that kinda sucks. But if your machine isn't secure, then you've got bigger problems than just your cookies file.
- They are sent in plaintext over the internet. But that's why we have SSL when you need security. Someday all net transmissions will be encrypted anyway. (assuming nobody else from the IETF gets bothered by the FBI)
- Cookies used to be pretty well forced on Netscape users, but now most browsers give you an option. And there's always junkbusters for the more paranoid.
It is given that I need state over httpd. I want shopping carts. I want net commerce. I want user preferences on websites I frequent. Maybe you don't want these things, but I do, and I don't think I'm alone on this one. There are a few ways besides cookies to do this.
- Intel would love to use a CPU ID to help us. This has so many problems that I'm just not going to go into it. But it would work.
- Webmasters could create a session and pass it in a URL with each page. This suffers from all of the same problems as cookies, except that the session ID isn't stored on your hard drive. Unless you bookmark it. Ooops. It also has the added benefit of making URLs messy, and being a huge pain in the ass for a webmaster.
- Some sort of third party big brother handling authentication. I'd much rather just have a cookie that I can turn on or off than have a third party take care of it for me. I trust me more than them.
I really thought that the 'Cookies are Evil' was dying down as people realized that while they aren't the best solution, they are as good as we're gonna get any time soon. Then to see someone who ought to know better get out and throw fire ants into the mix to plug his software, well, that just really rubs me the wrong way.
It's like telling people that the water that comes through your pipes has fluoride in it, so you ought to buy their brand of bottled water instead. You ever see a communist drink water, Mandrake?
-
Red Hat to fund Mozilla and Sendmail?
aeiler writes "According to this PC Week article. Red Hat is looking to invest significant cash, engineering and marketing resources into the Mozilla project and Sendmail. " -
Mac StarOffice in development
ChrisRijk writes "According to this MacWeek article Sun has started work on a port, though time-frame is currently unknown. After Sun made StarOffice freely downloadable for anyone (1.2M downloads so far) they got 6000 calls asking for a Mac port. They also mention that Sun has doubled the number of engineers working on StarOffice. Current StarOffice ports are Solaris (x86 and SPARC), Linux (x86 only), Windows and OS/2 in several languages. " -
New Intel uP for Ultra-Cheap PCs
mircea writes "This ZDNet story talks about a new chip from Intel, dubbed Timna, targeted at ultra-low-cost PCs. It is supposed to be .18 micron technology, with integrated video. There's also mention of 'appliances based on this chip, possibly running Linux'" And the 2nd page of the article mentions AMD and Cyrix (now owned by VIA), both of whom are also preparing ultra low-cost microprocessors. -
Mall Bans Signs Touting Merchants' Web Sites
barjam spotted it: "The Saint Louis Galleria informed its 170 retail tenants in a letter last week of a new policy prohibiting any in-store "signs, insignias, decals or other advertising or display devices which promote and encourage the purchase of merchandise via e-commerce." The merchants are understandably irate. See the ZDNet story. The mall is afraid that e-commerce may eventually put it out of business. -
Court Tells Disney to Pull Go.com Logo
dkh2 writes "Today on ZDNet: A U.S. District Court has denied a request by Disney, InfoSeek and others to stay a preliminary injunction against their familiar green and yellow logo. The injunction orders Disney to remove the logo immediately from all broadcast and internet media and gives them 60 days to remove it from other more solid forms." And Disney/Infoseek has started to comply. You can see the change at Go.com right now. -
Comdex Mid-Week Quickies
We're rolling around the middle of the week for Comdex, and thought maybe people would like to hear some of the news. Linus was awarded person of the year by PC Magazine. Here at the Andover.net booth we've been doing Install Races - 4 PM everyday. The winner for the week gets a Herman Miller Aeron Chair. Rob and I went to the Spencer Katt party on Monday night (Thanks Tim!) and had a good time - but the Post had a funny write-up about it. We had a good time there, unlike the Caldera party that we were locked out of and had to come back later after walking three miles. Grrr - we get that as well as listening to their audience scream "E-Business" to try to get t-shirts. Which is giving everyone migraines in a two hundred mile radius. Starlady has done some general Comdex write-ups, as well as Linux Biz Expo specific stuff. Apparently, Global Media won best Linux product of show for their "streaming product". One of the funniest parts of the show was the kid who mooned Bill Gates - Gates is just out of the picture. Oh, and on another note, CowboyNeal loves his Cyberlegs. -
FCC May Force Telcos to Cut Rates for DSL Providers
Sorklin writes "ZDNet has a story about a ruling in the FCC that might change the pricing structure of DSL. They write: 'Many in the industry expect the FCC will rule Thursday that such rentals are no longer necessary and that the DSL providers and RBOCs can share a single line into the customer premises. If the Nov. 18 ruling goes their way, DSL providers will see about $20 dropped from their cost of delivering access.'" -
It's Official: Red Hat Buys Cygnus
Well, now it's official. Red Hat buys Cygnus for $674 Million. (Short story here.) I'm sure we're going to see lots of attention from the media in the following hours. What do you think? -
Has AOL Ruined Netscape?
Anonymous Coward sent it: a scathing, three-page ZDNet article that claims the AOL purchase has turned Netscape into a shadow of its former self, that morale there is low and employee turnover is high, and that the company is now mired in bureaucracy, caught between Sun and AOL managements. The article was so sad, I almost wanted to cry by the time I got to the end. -
StarOffice Significantly Delayed
Emil S Hansen writes "ZDNet has a story about StarOffice being delayed until late 2000. The reason should be that they need some more coding done. 'Remaining efforts necessary to complete the Star Product offering relate primarily to additional coding, testing, and implementation.' But they should go into beta around spring/summer 2000. " The original release was apparently scheduled for the end of this year, so this is a fairly significant delay. However, as the article notes as well, the main competition for them, Office 2000 will not be out until roughly the same time. I should have been more clear - this is in reference to the Internet versions of both Star and Microsoft Office. Update: 11/12 04:47 by Nik. ZDNet have corrected this story. StarOffice is not delayed until late 2000, but until the second half of Sun's fiscal year 2000, which, confusingly, is the first half of the actual year 2000, which Sun had already announced as planned. -
New Virus Can Strike Via HTML E-Mail
cmeans and lots and lots of others have pointed us to this MSNBC article about yet another e-mail virus. Quote from the story: "The virus can only run if Internet Explorer 5.0 with Windows Scripting Host is installed (standard in Windows 98 and Windows 2000 installations). If security settings for Internet Zone in IE5 are set to High, the worm will not be executed. It does not run on Windows NT." ZDNet also has a story about this "Bubbleboy" virus. Update: McAfee weighs in too. (Thanks, Jade.) Consider yourself warned. -
Mainstream Media on Slashdot and Microsoft
It's happened before, but with the recent MS happenings, MacWeek, MSNBC and to a certain extent Wired have written stories based largely on Slashdot comments: Specifically those that appeared on Microsoft Addresses World, Instant Legal Analysis and Microsoft==Monopoly. The mainstream media now thinks that picking a few comments from a thread on Slashdot is a story (of course they often don't properly credit or link them). More interesting is that by picking a few extreme comments, or poking fun at "Anonymous Coward" that they somehow have the pulse of Slashdot as a whole. Regardless, they are watching, it's fascinating to see what they think we think. -
TRUSTe Decides Its Own Fate Today
TRUSTe, the steward of the most visible symbol on the internet, is making a tough decision today. Today, it reveals what it intends to do about its client Real Networks. At stake is whatever's left of its credibility. (Update: 11/08 02:55: Real got off on a technicality: "because the transmission of user data ... did not involve collection of data on the RealNetworks Web site, the privacy incident was outside of the scope of TRUSTe's current privacy seal program.")
Unquestionably TRUSTe is the leader in third-party privacy assurance. Its only alternative is BBBOnline, which can boast only 100 members to TRUSTe's 750. But it's having a hard time living up to its motto, "Building a web you can believe in": sometimes it's hard to know what to believe.
TRUSTe's original idea was to allow a website to display one of three icons, indicating whether its privacy policy was good, ok, or bad. There turned out to be problems with this - strangely enough, no site wanted to post an icon saying that their privacy sucked - and the icons looked too similar anyway. So they went with one icon, a "badge" that every member site posts.
All the badge means is that the site has a privacy policy, and that, as far as TRUSTe knows, they haven't violated it.
If you think this is a questionable basis for a consumer advocacy group, you're right. But the real question is how it plays out in practice. Let's take a look at TRUSTe's track record.
Round I: TRUSTe and GeoCities. In June 1998, the FTC announced - to everyone's surprise - that it and GeoCities had come to a settlement regarding violations of consumer privacy.
Everyone was surprised because this was the first anyone had heard of it. Where was TRUSTe?
Caught flat-footed, TRUSTe scrambled for a few days, then made its own announcement. It pointed out that GeoCities had begun the alleged privacy violations before applying to become a member (in April) and being accepted (in May). Therefore, TRUSTe claimed, the violations were technically not under the scope of their investigation.
But turn that around and put it another way - it was able to become a TRUSTe member even while under investigation by the FTC, and TRUSTe said nothing.
It gets worse. The FTC and GeoCities issued conflicting releases about what the settlement actually meant. The FTC said that GeoCities had "misrepresented the purposes for which it was collecting personal identifying information" (including children's). GeoCities denied the charges.
So who was right? We still don't know. Despite this being precisely the issue that TRUSTe was set up to resolve, TRUSTe refused to confirm or deny the FTC's allegations.
In a 1998 open letter, I asked whether TRUSTe's initial review of GeoCities had included any really tough questions such as "are you currently under investigation by the Federal Trade Commission?" No answer. In fact, mention of the GeoCities incident seems to have been removed from TRUSTe's website.
The organization that wanted to make the FTC obsolete was not off to a good start.
Round II: TRUSTe and Microsoft. March 1999. This was the "Global User ID" case. It turned out Microsoft had been embedding a user ID into every document you created with their software. Since they put that ID on file when you registered their software, they have been capable for years of tracking authorship of even supposedly-anonymous documents.
And don't think it's just a theoretical concern. Just weeks later, the Melissa macro virus was unleashed, and its author was tracked down using this same ID. Any technology that can lead the cops to your door is potentially dangerous technology.
TRUSTe announced that this "compromises consumer trust and privacy" (duh), but said that since the Global User ID does not, strictly speaking, involve the Microsoft.com website, it had no jurisdiction. Their conclusion: "TRUSTe has determined that Microsoft.com was in compliance with all TRUSTe principles."
In reality, Microsoft's privacy page (prominently labeled with the TRUSTe seal) also discusses online registration of software products, and notes that the "personal profile" from their software registration appears on the website and is editable from the website. And that page claims that registration is covered by the TRUSTe guidelines. For TRUSTe to claim it's not requires some Clintonesque redefinitions.
CNET's headline was exactly right: "TRUSTe Clears Microsoft on Technicality."
Round III: TRUSTe and Deja News. April 1999. Again TRUSTe is taken by surprise when a computer sleuth discovers that Deja News has been collecting data on email sent by its users. When a reader clicked on an email link in a discussion posting, the destination email address was recorded, along with the presumable topic of discussion, the sender's IP number, and if registered, the sender's personal data.
This is not what one expects when sending private email! And this clearly involved Deja's website, so there was no question of another technicality.
TRUSTe's analysis of this situation was only two paragraphs long; here's all that happened:
"TRUSTe specified certain clarifying language to be included in the privacy statement. Deja News, independent of TRUSTe, then decided to discontinue the practice of tracking IP addresses in conjunction with the mail-to feature."
In fact, the situation was resolved long before TRUSTe even bothered to issue that statement. TRUSTe's suggestion of "clarifying language" had been obviated long before by Deja's independent action. See ZDNet's story of May 4th, which hopes that TRUSTe "will likely issue some sort of statement...this week." But TRUSTe stayed silent for four weeks.
Round IV: TRUSTe and Microsoft (again). A wide-open security hole in Microsoft's Hotmail is breached, and for a few hours everyone's inboxes are public domain. (If you don't think this is a serious privacy violation, read the stunning anonymous tale of cracking into an enemy's email, published on Salon.com the next day.)
TRUSTe's response is to call in an independent accounting firm to talk with Hotmail's programmers and security people, look over the source code, and generally try to make sure such a problem won't happen again. This isn't a bad idea - it just wasn't much of anything that Microsoft wouldn't have done on its own. Locking the barn door after the horse is gone doesn't help the people whose privacy has been lost. Microsoft is out of pocket a few bucks for the audit, and gets more than its money's worth by being able to say that TRUSTe still gives them a clean bill of health.
How can all these incidents have passed by without punishment of any kind? It's because of what TRUSTe is actually guaranteeing. Not that any company will actually keep its data private - but that the company is not lying in its privacy assurance.
That's right. You know those privacy promises you never read, the ones that are different on every website and all seem ten pages long? What TRUSTe does is promise you that, if you had read them, you'd know your rights.
If it wanted, a company could have its lawyers dress up "we will spam your email every day and sell your name and address to anyone who asks for them" in legalese, and get a TRUSTe badge on their homepage. Would you know you were being screwed? Not unless you speak fluent lawyer.
Is the FTC such a bogeyman that we really need to sell our privacy so cheap?
When Ralph Nader was pressing the government to impose strict safety standards on the auto industry, Henry Ford II complained that they were "unreasonable, arbitrary and technically unfeasible." After the laws were enacted anyway, a decade later he conceded: "We wouldn't have [these] kinds of safety ... unless there had been a federal law."
Imagine if our only automotive safety regulations were that Detroit must abide by its lawyers' fine print!
The usual argument is that requiring an actual guarantee of privacy would stifle business. The purpose in forming TRUSTe was to keep the internet corporation-friendly, by keeping the government out. TRUSTe was well-intentioned, no question. It was a noble experiment.
But, according to some influential people and groups, it has failed.
Forrester Research studies topics related to the internet and made privacy its concern in its September 1999 report, "Privacy Wake-Up Call." Its conclusions should not be surprising:
"Most privacy policies are a joke." Forrester says corporate privacy policies are legalese set up mostly to protect the corporations.
"Few companies meet key privacy protection principles." About 10%.
"Third-party programs show little traction." Hundreds of TRUSTe licensees don't amount to much on the billion-page net.
And, "third-party privacy firms...like TRUSTe...become more of a privacy advocate for industry rather than for consumers."
(Slashdot has more on this study.)
Even the Electronic Frontier Foundation, after years of straddling the fence on the issue, has finally recognized that self-policing just doesn't work. The EFF is not just the best-recognized internet rights advocacy group; it created TRUSTe.
Yet, in an October letter to the FTC, the EFF laid down its cards:
"Creation of TRUSTe and its seal program was one such early innovation of EFF. TRUSTe was successful in several areas. ... We now must move out of this awareness-raising mode and into an action mode where real protection can be achieved. Legislation is needed in order to achieve that goal. ... we think it is time to move away from a strict self-regulation approach to protecting privacy online."
The latest nail in the coffin came on November 1, when EFF Program Director Stanton McCandlish laid out the facts on the fight-censorship mailing list:
"Our stance has basically been that industry self-reg would be worth trying, but might or might not be enough. We did the 'proof of concept' ourselves, by launching and spinning off TRUSTe. But TRUSTe was intended to be and is a separate, independent entity, and was created as an experiment. The experiment is in many ways a failure..."
(McCandlish's personal opinion is even more scathing. Follow the link to read it.)
You wouldn't know this if you read the TRUSTe website. Their homepage proudly tells you about the six-month-old Georgetown study, but makes no mention of the Forrester Research report. It tells you that the FTC supports self-regulation (based on Georgetown), but won't tell you that its own parent, the EFF, thinks the ride is over.
If TRUSTe is a consumer rights and advocacy group, why are they only feeding us the feel-good stories? Aren't consumer groups supposed to be the ones that dig up dirt and tell us about potential problems?
The money trail leads to the answer. TRUSTe isn't a consumer advocacy group. TRUSTe doesn't get its money from consumers. Its money comes from corporate sponsors, and nobody wants to bite the hand that feeds them. Besides, those corporations want the message to be one of constant calm. Concerned customers are not good for sales.
Remember the GeoCities FTC findings that TRUSTe wouldn't comment on? GeoCities had just done an IPO and millions of dollars were at stake. GeoCities' sister corporation Engage Technologies (they are both subsidiaries of CMG Industries) was a Contributing Corporate Sponsor of TRUSTe. That conflict of interest was never mentioned.
(GeoCities has since been purchased by Yahoo.)
Remember the Microsoft incidents that TRUSTe waffled on? Microsoft is not just a member, but also a Premier Corporate Sponsor of TRUSTe. That conflict of interest totals $100,000 per year.
Round V. By now you've guessed that this is leading up to the current furor over Real Networks. Real is a TRUSTe member. Do I need to mention that it's also a Contributing Corporate Sponsor?
TRUSTe said that it would render judgement on Real Networks by the end of last week. Now it's saying today.
And it's making noises like they're actually going to do something this time:
"We could take the company to court for breach of contract, since they do have an agreement with us. Or, we can forward the case to the FTC... I guarantee that the damage to the reputation of the first company that we do that to will be big."
For its own sake, it had better. We're talking about a company whose product is a Trojan Horse that secretly scans your hard drive for valuable personal data. If TRUSTe doesn't unload with both barrels, its credibility will be negative zero.
Anything TRUSTe does may have a negligible effect in any case. Corporations only understand the bottom line, and RealNetworks stock shot up 25% in the five days following the privacy debacle. With the company's market cap $1.9 billion higher than it was a week ago, how much are they really going to care about some nonprofit gnat?
We can hope. Real.com today unveiled its new website, a music portal, which investors will be watching carefully. Also happening today is a conference held by the FTC and Commerce Department for data-profilers to announce what they're going to do to protect privacy. So if TRUSTe were trying to maximize the effect of their announcement, today would be the day they'd pick. It could be that the gnat will have a nasty bite that surprises everyone.
Still - you can dress an organization up in not-for-profit clothes, but that doesn't change that it's beholden to its revenue stream. TRUSTe says we can trust them to be objective, on the theory that their revenue stream will dry up if they don't do right by consumers. So far, there doesn't seem to be much truth to that. They haven't been doing us right, but their number of contributors and members just keeps growing.
I enjoy reading about the future envisioned by people like Gibson and Stephenson, where the net is totally unregulated and a "right to privacy" is a dim memory, or a joke. That doesn't mean I want to live in that future. Europe has consumer protection laws that are, from an American perspective, astonishingly strong. Maybe we should take a look at other countries' solutions, to see if there's something we could learn.
So far, all we've learned is what fails.
- Jamie McCarthy
-
TRUSTe Decides Its Own Fate Today
TRUSTe, the steward of the most visible symbol on the internet, is making a tough decision today. Today, it reveals what it intends to do about its client Real Networks. At stake is whatever's left of its credibility. (Update: 11/08 02:55: Real got off on a technicality: "because the transmission of user data ... did not involve collection of data on the RealNetworks Web site, the privacy incident was outside of the scope of TRUSTe's current privacy seal program.")Unquestionably TRUSTe is the leader in third-party privacy assurance. Its only alternative is BBBOnline, which can boast only 100 members to TRUSTe's 750. But it's having a hard time living up to its motto, "Building a web you can believe in": sometimes it's hard to know what to believe.
TRUSTe's original idea was to allow a website to display one of three icons, indicating whether its privacy policy was good, ok, or bad. There turned out to be problems with this - strangely enough, no site wanted to post an icon saying that their privacy sucked - and the icons looked too similar anyway. So they went with one icon, a "badge" that every member site posts.
All the badge means is that the site has a privacy policy, and that, as far as TRUSTe knows, they haven't violated it.
If you think this is a questionable basis for a consumer advocacy group, you're right. But the real question is how it plays out in practice. Let's take a look at TRUSTe's track record.
Round I: TRUSTe and GeoCities. In June 1998, the FTC announced - to everyone's surprise - that it and GeoCities had come to a settlement regarding violations of consumer privacy.
Everyone was surprised because this was the first anyone had heard of it. Where was TRUSTe?
Caught flat-footed, TRUSTe scrambled for a few days, then made its own announcement. It pointed out that GeoCities had begun the alleged privacy violations before applying to become a member (in April) and being accepted (in May). Therefore, TRUSTe claimed, the violations were technically not under the scope of their investigation.
But turn that around and put it another way - it was able to become a TRUSTe member even while under investigation by the FTC, and TRUSTe said nothing.
It gets worse. The FTC and GeoCities issued conflicting releases about what the settlement actually meant. The FTC said that GeoCities had "misrepresented the purposes for which it was collecting personal identifying information" (including children's). GeoCities denied the charges.
So who was right? We still don't know. Despite this being precisely the issue that TRUSTe was set up to resolve, TRUSTe refused to confirm or deny the FTC's allegations.
In a 1998 open letter, I asked whether TRUSTe's initial review of GeoCities had included any really tough questions such as "are you currently under investigation by the Federal Trade Commission?" No answer. In fact, mention of the GeoCities incident seems to have been removed from TRUSTe's website.
The organization that wanted to make the FTC obsolete was not off to a good start.
Round II: TRUSTe and Microsoft. March 1999. This was the "Global User ID" case. It turned out Microsoft had been embedding a user ID into every document you created with their software. Since they put that ID on file when you registered their software, they have been capable for years of tracking authorship of even supposedly-anonymous documents.
And don't think it's just a theoretical concern. Just weeks later, the Melissa macro virus was unleashed, and its author was tracked down using this same ID. Any technology that can lead the cops to your door is potentially dangerous technology.
TRUSTe announced that this "compromises consumer trust and privacy" (duh), but said that since the Global User ID does not, strictly speaking, involve the Microsoft.com website, it had no jurisdiction. Their conclusion: "TRUSTe has determined that Microsoft.com was in compliance with all TRUSTe principles."
In reality, Microsoft's privacy page (prominently labeled with the TRUSTe seal) also discusses online registration of software products, and notes that the "personal profile" from their software registration appears on the website and is editable from the website. And that page claims that registration is covered by the TRUSTe guidelines. For TRUSTe to claim it's not requires some Clintonesque redefinitions.
CNET's headline was exactly right: "TRUSTe Clears Microsoft on Technicality."
Round III: TRUSTe and Deja News. April 1999. Again TRUSTe is taken by surprise when a computer sleuth discovers that Deja News has been collecting data on email sent by its users. When a reader clicked on an email link in a discussion posting, the destination email address was recorded, along with the presumable topic of discussion, the sender's IP number, and if registered, the sender's personal data.
This is not what one expects when sending private email! And this clearly involved Deja's website, so there was no question of another technicality.
TRUSTe's analysis of this situation was only two paragraphs long; here's all that happened:
"TRUSTe specified certain clarifying language to be included in the privacy statement. Deja News, independent of TRUSTe, then decided to discontinue the practice of tracking IP addresses in conjunction with the mail-to feature."
In fact, the situation was resolved long before TRUSTe even bothered to issue that statement. TRUSTe's suggestion of "clarifying language" had been obviated long before by Deja's independent action. See ZDNet's story of May 4th, which hopes that TRUSTe "will likely issue some sort of statement...this week." But TRUSTe stayed silent for four weeks.
Round IV: TRUSTe and Microsoft (again). A wide-open security hole in Microsoft's Hotmail is breached, and for a few hours everyone's inboxes are public domain. (If you don't think this is a serious privacy violation, read the stunning anonymous tale of cracking into an enemy's email, published on Salon.com the next day.)
TRUSTe's response is to call in an independent accounting firm to talk with Hotmail's programmers and security people, look over the source code, and generally try to make sure such a problem won't happen again. This isn't a bad idea - it just wasn't much of anything that Microsoft wouldn't have done on its own. Locking the barn door after the horse is gone doesn't help the people whose privacy has been lost. Microsoft is out of pocket a few bucks for the audit, and gets more than its money's worth by being able to say that TRUSTe still gives them a clean bill of health.
How can all these incidents have passed by without punishment of any kind? It's because of what TRUSTe is actually guaranteeing. Not that any company will actually keep its data private - but that the company is not lying in its privacy assurance.
That's right. You know those privacy promises you never read, the ones that are different on every website and all seem ten pages long? What TRUSTe does is promise you that, if you had read them, you'd know your rights.
If it wanted, a company could have its lawyers dress up "we will spam your email every day and sell your name and address to anyone who asks for them" in legalese, and get a TRUSTe badge on their homepage. Would you know you were being screwed? Not unless you speak fluent lawyer.
Is the FTC such a bogeyman that we really need to sell our privacy so cheap?
When Ralph Nader was pressing the government to impose strict safety standards on the auto industry, Henry Ford II complained that they were "unreasonable, arbitrary and technically unfeasible." After the laws were enacted anyway, a decade later he conceded: "We wouldn't have [these] kinds of safety ... unless there had been a federal law."
Imagine if our only automotive safety regulations were that Detroit must abide by its lawyers' fine print!
The usual argument is that requiring an actual guarantee of privacy would stifle business. The purpose in forming TRUSTe was to keep the internet corporation-friendly, by keeping the government out. TRUSTe was well-intentioned, no question. It was a noble experiment.
But, according to some influential people and groups, it has failed.
Forrester Research studies topics related to the internet and made privacy its concern in its September 1999 report, "Privacy Wake-Up Call." Its conclusions should not be surprising:
"Most privacy policies are a joke." Forrester says corporate privacy policies are legalese set up mostly to protect the corporations.
"Few companies meet key privacy protection principles." About 10%.
"Third-party programs show little traction." Hundreds of TRUSTe licensees don't amount to much on the billion-page net.
And, "third-party privacy firms...like TRUSTe...become more of a privacy advocate for industry rather than for consumers."
(Slashdot has more on this study.)
Even the Electronic Frontier Foundation, after years of straddling the fence on the issue, has finally recognized that self-policing just doesn't work. The EFF is not just the best-recognized internet rights advocacy group; it created TRUSTe.
Yet, in an October letter to the FTC, the EFF laid down its cards:
"Creation of TRUSTe and its seal program was one such early innovation of EFF. TRUSTe was successful in several areas. ... We now must move out of this awareness-raising mode and into an action mode where real protection can be achieved. Legislation is needed in order to achieve that goal. ... we think it is time to move away from a strict self-regulation approach to protecting privacy online."
The latest nail in the coffin came on November 1, when EFF Program Director Stanton McCandlish laid out the facts on the fight-censorship mailing list:
"Our stance has basically been that industry self-reg would be worth trying, but might or might not be enough. We did the 'proof of concept' ourselves, by launching and spinning off TRUSTe. But TRUSTe was intended to be and is a separate, independent entity, and was created as an experiment. The experiment is in many ways a failure..."
(McCandlish's personal opinion is even more scathing. Follow the link to read it.)
You wouldn't know this if you read the TRUSTe website. Their homepage proudly tells you about the six-month-old Georgetown study, but makes no mention of the Forrester Research report. It tells you that the FTC supports self-regulation (based on Georgetown), but won't tell you that its own parent, the EFF, thinks the ride is over.
If TRUSTe is a consumer rights and advocacy group, why are they only feeding us the feel-good stories? Aren't consumer groups supposed to be the ones that dig up dirt and tell us about potential problems?
The money trail leads to the answer. TRUSTe isn't a consumer advocacy group. TRUSTe doesn't get its money from consumers. Its money comes from corporate sponsors, and nobody wants to bite the hand that feeds them. Besides, those corporations want the message to be one of constant calm. Concerned customers are not good for sales.
Remember the GeoCities FTC findings that TRUSTe wouldn't comment on? GeoCities had just done an IPO and millions of dollars were at stake. GeoCities' sister corporation Engage Technologies (they are both subsidiaries of CMG Industries) was a Contributing Corporate Sponsor of TRUSTe. That conflict of interest was never mentioned.
(GeoCities has since been purchased by Yahoo.)
Remember the Microsoft incidents that TRUSTe waffled on? Microsoft is not just a member, but also a Premier Corporate Sponsor of TRUSTe. That conflict of interest totals $100,000 per year.
Round V. By now you've guessed that this is leading up to the current furor over Real Networks. Real is a TRUSTe member. Do I need to mention that it's also a Contributing Corporate Sponsor?
TRUSTe said that it would render judgement on Real Networks by the end of last week. Now it's saying today.
And it's making noises like they're actually going to do something this time:
"We could take the company to court for breach of contract, since they do have an agreement with us. Or, we can forward the case to the FTC... I guarantee that the damage to the reputation of the first company that we do that to will be big."
For its own sake, it had better. We're talking about a company whose product is a Trojan Horse that secretly scans your hard drive for valuable personal data. If TRUSTe doesn't unload with both barrels, its credibility will be negative zero.
Anything TRUSTe does may have a negligible effect in any case. Corporations only understand the bottom line, and RealNetworks stock shot up 25% in the five days following the privacy debacle. With the company's market cap $1.9 billion higher than it was a week ago, how much are they really going to care about some nonprofit gnat?
We can hope. Real.com today unveiled its new website, a music portal, which investors will be watching carefully. Also happening today is a conference held by the FTC and Commerce Department for data-profilers to announce what they're going to do to protect privacy. So if TRUSTe were trying to maximize the effect of their announcement, today would be the day they'd pick. It could be that the gnat will have a nasty bite that surprises everyone.
Still - you can dress an organization up in not-for-profit clothes, but that doesn't change that it's beholden to its revenue stream. TRUSTe says we can trust them to be objective, on the theory that their revenue stream will dry up if they don't do right by consumers. So far, there doesn't seem to be much truth to that. They haven't been doing us right, but their number of contributors and members just keeps growing.
I enjoy reading about the future envisioned by people like Gibson and Stephenson, where the net is totally unregulated and a "right to privacy" is a dim memory, or a joke. That doesn't mean I want to live in that future. Europe has consumer protection laws that are, from an American perspective, astonishingly strong. Maybe we should take a look at other countries' solutions, to see if there's something we could learn.
So far, all we've learned is what fails.
- Jamie McCarthy
Remember the GeoCities FTC findings that TRUSTe wouldn't comment on? GeoCities had just done an IPO and millions of dollars were at stake. GeoCities' sister corporation Engage Technologies (they are both subsidiaries of CMG Industries) was a Contributing Corporate Sponsor of TRUSTe. That conflict of interest was never mentioned.
(GeoCities has since been purchased by Yahoo.)
Remember the Microsoft incidents that TRUSTe waffled on? Microsoft is not just a member, but also a Premier Corporate Sponsor of TRUSTe. That conflict of interest totals $100,000 per year.
Round V. By now you've guessed that this is leading up to the current furor over Real Networks. Real is a TRUSTe member. Do I need to mention that it's also a Contributing Corporate Sponsor?
TRUSTe said that it would render judgement on Real Networks by the end of last week. Now it's saying today.
And it's making noises like they're actually going to do something this time:
"We could take the company to court for breach of contract, since they do have an agreement with us. Or, we can forward the case to the FTC... I guarantee that the damage to the reputation of the first company that we do that to will be big."
For its own sake, it had better. We're talking about a company whose product is a Trojan Horse that secretly scans your hard drive for valuable personal data. If TRUSTe doesn't unload with both barrels, its credibility will be negative zero.
Anything TRUSTe does may have a negligible effect in any case. Corporations only understand the bottom line, and RealNetworks stock shot up 25% in the five days following the privacy debacle. With the company's market cap $1.9 billion higher than it was a week ago, how much are they really going to care about some nonprofit gnat?
We can hope. Real.com today unveiled its new website, a music portal, which investors will be watching carefully. Also happening today is a conference held by the FTC and Commerce Department for data-profilers to announce what they're going to do to protect privacy. So if TRUSTe were trying to maximize the effect of their announcement, today would be the day they'd pick. It could be that the gnat will have a nasty bite that surprises everyone.
Still - you can dress an organization up in not-for-profit clothes, but that doesn't change that it's beholden to its revenue stream. TRUSTe says we can trust them to be objective, on the theory that their revenue stream will dry up if they don't do right by consumers. So far, there doesn't seem to be much truth to that. They haven't been doing us right, but their number of contributors and members just keeps growing.
I enjoy reading about the future envisioned by people like Gibson and Stephenson, where the net is totally unregulated and a "right to privacy" is a dim memory, or a joke. That doesn't mean I want to live in that future. Europe has consumer protection laws that are, from an American perspective, astonishingly strong. Maybe we should take a look at other countries' solutions, to see if there's something we could learn.
So far, all we've learned is what fails.
- Jamie McCarthy
-
Applications Service Providers May Change Your Life
HWeissfield writes "ZDNet has an interesting article by Jim Seymour concerning the recent advances by ASPs and how this new paradigm of software use could potentially change the way that productivity is created." (More below.) HWeissfield continues "I saw this as an unsurprising evolution of the way that the Internet is influencing our society today, but I question whether we can really leave critical applications and reports to someone other than ourselves. It may be common to use the terminal paradigm on mainframes where computing power is grandeur and reliable connections can be made, but what about the chaotic and unpredictable mass that is the Internet? Where could Linux fit into this structure that may be prevalent in the future?"
For one thing, it may mean "instant" commercial accounting and tax software for Linux, BSD, BeOS etc. without begging companies that publish such things for ports to your favorite OS. For example, Intuit, publisher of Quicken, Quickbooks, and TurboTax, is reportedly ready to roll out cross-platform, Web-based apps big-time. If they do this - and if their competitors follow them - it'll save a lot of small businesses from the need to maintain a Windows or Mac box in a corner to run financial software after they've switched to Linux, *BSD or BeOS as their primary OS.
This is a "must read it all the way through" article. It's deep and thoughtful and (as HWeissfield points out) it raises many questions. Care to take a crack at answering some of them?
-
New Genetic Information Web Portal
Wonko42 writes "A new portal, DoubleTwist.com, has been opened which allows scientists and researchers free access to tons of genetic information and data. Just type in a gene sequence, and it'll spew data back at you. It'll even notify you by email when there's new information about the stuff you're studying. Very cool. " -
Communicator Is Losing The War.....
Carnage4Life writes "Here's a ZDNet article that backs up the post by Dave Whitinger..it seems corporate IT types are tired of waiting for Navigator to catch up and may begin to abandon it... Wonder where that leaves Linux users if websites start tending to be IE enabled to perform useful tasks." -
The Battle That Could Lose Us The War
Quite a number of people have been writing to us about Dave Whitinger's column that ran on LinuxToday and was sent over here as well. Dave's contention is that browser compatibility is a crucial battle for the success of Linux - and things don't look so good. Click below to read the column, and contribute your thoughts.
By Dave Whitinger, dave@wmkt.com (Temporary E-Mail account)
Linux is quickly becoming the operating system of the future, thanks in part to the advanced type of development that we refer to as Free Software, or Open Source, as well as the rock-solid features that are present in Linux. It is the ultimate server platform.
Linux is also enjoying success as a desktop workstation. My wife, Trish, makes the perfect example of the typical desktop user.
When we became married in August of 1996, she was a complete computer illiterate, having never even used a Windows or Unix machine. I presented her with a choice:
- I will give her a Windows computer, but will offer nothing in the way of technical support or training assistance.
- I will give her a Linux box, and will give her complete technical support and training assistance.
A New Hope
Not knowing the difference anyway, she chose the latter, and found herself extremely happy with a rock-solid desktop.
She enjoys her Red Hat Linux 6.1 workstation. Coupled with the K Desktop Environment and various applications that I have installed for her, she's ready to go. She has her TkRat E-Mail program, Netscape Navigator, notepad text editor, licq, games, the Gimp, and a variety of other nice applications, all accessed via a friendly interface.
Finding friends in mailing lists and on-line web-based chat groups, she was happy as a clam. She would fire up her Netscape Navigator and hit any web site she wanted, and was constantly bragging to her friends about this great computer operating system that she had the privilege of using.
The Empire Strikes Back
...Until the day that Netscape Navigator, her web browser, her window to the outside world, the major purpose for using the computer, simply disappeared from her desktop while she was browsing.
Trish turned to me, confusion spread across her face, and opined, "Dave, my Netscape has simply vanished from my screen. Perhaps you have telneted in and did a kill -9 on it?"
Dave responds, "Absolutely not! Why would I do that? Let's examine the problem more closely, that the answer to this perplexing issue will reveal itself."
Upon further investigation, it turns out that Netscape apparently did not "like" the Java code that was being incorporated into one of the websites that Trish frequents. My solution: Turn off Java.
A very important and critical issue is realized here. At this point, Trish's computer is not as powerful as all of her friends' Windows computers. If they can access certain Java-enabled pages that she cannot, she is being left out, all because she chose to use Linux.
Fade to 2 or 3 weeks later.
Trish: "Dave, this website is telling me that I cannot use their services."
Dave: "What's the URL?"
Examining the website, it turns out that it is using some special kind of plugin that is only available for Windows or Macintosh platforms. I explained to Trish that she simply will not be able to access the services on this website, until they decide to make this plugin available for Linux. A short and polite note to the webmaster later, there was nothing we could do, and the issue was closed, and Trish's computer became even less valuable to her.
Fade to 2 or 3 more weeks later.
Trish: "Dave, this website is telling me that I am using an unsupported web browser, and cannot view the pages within."
Dave: "Okay, this is starting to make me angry. The web was initially created as a completely open environment where multimedia can be viewed, regardless of your platform. It's a platform independent medium, yet here are people making platform dependent websites."
Trish: "That's great that you feel that way, but I just want to access this coupon website! All my friends say they are getting great deals, and I'm missing out! Oh, and now my netscape just froze again! Argh, (killall -9 netscape ; rm ~/.netscape/lock) again. I want a Windows computer like all my friends have."
I hung my head in shame, realizing that if she is going to be able to take full advantage of the web, she will need a Windows computer. Trish, who has used nothing but Linux for over 3 years, and is completely happy with her computer, now feels the need to switch to Windows so that she can get the same web-browsing features as her friends.
Does this sound like a big deal to you, gentle reader? If it does, then I have accomplished my mission. If it does not, read on:
In 1994, I hated Netscape Communications, Inc. The way they were embracing and extending the HTML standards was starting to become very disturbing for me. The more websites that I found that said that it uses Netscape Extensions, the more angry I became.
Then Netscape released Navigator for Linux, and everybody loved them again. They were our saviour, completing the picture of a perfect desktop for Linux users. We were all Linux users, browsing any site we wished, enjoying the satisfaction of having a great web browser for our desktop.
Then Microsoft created Internet Explorer. Then Microsoft won the "Browser War". Then webmasters began using some of the "advanced" features of Internet Explorer, shutting out Netscape users.
Problem yet? Still not convinced? Okay, let's fast forward 1 year:
Microsoft owns 99% of the web browser market share, and they control the HTTP protocol. They start adding a huge variety of features to their "Internet Information Server", their competitor to Apache, to offer advanced features to Internet Explorer clients. At this point, sites being served by Apache become useless. Then Linux becomes obsolete as a web server platform. Then Microsoft wins the war, and we're right back to square one, and proprietary technology wins again.
Return of the Jedi
On April 1st, 1998, Netscape Communications, Inc. made one final redeeming move. They released the source code to Netscape Navigator, freeing it to the Free Software community to do with as they chose.
1 and a half years later, this browser is still nowhere near completion. There is a band of rebels working feverishly on the code, trying to bring it to a usable state as quickly as possible. Plagued with problems and set-backs, Mozilla continues forward, currently at "Milestone 10". Will we see a completely usable web browser for Linux in time to save us from seeing a new monopoly for Microsoft be created?
Attention: This is the battle that could cost us the war. If we come together and push all of our might toward a Free Web Browser for Linux, we have a good chance of winning this battle. If we fail, we will lose the war. This is the issue that Microsoft wants us to overlook.
I am making a personal commitment to get involved with the Mozilla project. It is the project with the most potential to become this Free Web Browser that we so desperately need. Netscape is NOT going to save us this time. Netscape has failed us, and it's time to take matters into our own hands.
If we fail, we will lose the war.
Add that to your .signature:
If we fail, we will lose the war.
And repeat it every morning to yourself:
If we fail, we will lose the war.
When you are looking over Mozilla, finding items that could use your contribution, remember:
If we fail, we will lose the war.
The truth of the matter, friends and esteemed members of the community:
If we fail, we will lose the war.
-
House Nixes Digital Signature Bill
Seth Scali writes "The Electronic Signature in Global and National Commerce Act was nixed by the House of Representatives on Monday. According to the article over at ZD Net, the vote was 234 to 122-- or about 1/2 of what would be needed to pass." It needed a 2/3 majority. Most Congressmen seem to agree that we need some sort of legally binding digital signature capability, but say they don't think the current proposal offered enough security or consumer protection. Oh, well. Maybe next time. -
After Toshiba's settlement, Others Follow (Law)suit
Can Savas writes "After Toshiba's $2.1 Billion settlement of the lawsuit on the "probably" faulty floppy controller, others have filed lawsuits against Compaq, HP, Packard Bell/NEC and eMachines. I wonder where these lawsuits are heading but I guess some will strike it rich (having suffered nothing at all to boot). These lawsuits show how insufficient the jury system is for cases like this where the jury is likely to be clueless. If any of these manufacturers end up settling or losing the suit, then there might be some real problems for the entire industry. " -
RealNetworks' RealJukeBox Monitors User Habits
kbrown1 was the first one to write to us with the story at the NY Times that RealNetworks has confirmed that they do monitor some user habits. RealJukeBox is the offending program, and apparently "surreptitiously monitors the listening habits and certain other activities of people who use it and continually reports this information, along with the user's identity, to RealNetworks." RealNetworks has said that they do gather the information, but "the practice did not violate consumer privacy because the information was not being stored by RealNetworks nor distributed to other companies," according to their VP of consumer products. Other networks are picking up the news - more details should be coming. -
Open Source: Who Are Those Guys?
dfay writes "An interesting article on ZDNet about who makes up the Open Source Movement. Of course, you have to accept the premise that all OSS programmers are tracked in the LSM. Still, I think the overall tone of the piece suggests that OSS developers can be taken at least as seriously as those in the 'industry'." Actually, the article mentions that lots of developers' work, including kernel hacks, don't show up in Linux Software Maps [LSMs]. Still good stuff. -
Handspring Having Troubles Delivering Visors
Mad Browser noted that Handspring is having troubles. Massive hold times, downed computers, people getting charged multiple times for their orders. It's either a sloppy system, or a lot of demand. -
Can Marc Do it Again?
Someone gave us the link to Marc Andreessen's latest company effort. He's got a good team, lotsa money, and credibility - and he wants to rule the space of "hosted applications". -
Distributed Denial of Service Attacks
hetairoi was one of the many people who wrote to us about ZDNet's coverage of "distributed coordinated attacks", a new style of denial of service attack. Rather than using just one machine, efforts are coordinated through multiple servers, making server-defense more difficult. Huh - does the Slashdot effect count? *grin* -
Modem Tax - Urban Legend Come True?
Phluck writes "It seems that the modem tax myth might come true, the FCC is trying to decide whether ISPs should pay a fee for using the telephone network. Naturally this tax would probably be passed on to customers. Check out the whole story here on ZDNet. " Scary - I can remember when these chain mails went around. -
Linux to Get Windows Apps?
-
Apple Re-Reverses G4 Order Cancellations
uncleFester writes "ZDNN appears to be reporting that Apple appears to be reversing its decision to reinstate all cancelled G4 orders, except for "a few orders" (probably machines in the production pipeline). From this latest switch, anyone wanting a G4 is going to have a hard time even knowing if they have one on order, let alone physically receiving the box." -
Woman Avoids $70,000 Online Gambling Debt
-
SCO To Invest in LinuxMall
Jason Perlow noted a story that popped up at ZD Net talking about a new investor at LinuxMall. SCO has entered the Linux World with an investment in the web store. It's interesting to note that they talk about doing this as publicity. -
Kevin Poulsen Slams Media Cyberterror Coverage
counterpart25 writes "Kevin Poulsen has an interesting little ditty in ZDNet's Commentary section about Chicken Little media folks preaching some sort of approaching cyberterrorism debacle. I thought this was particularly interesting in light of the recent Jane's article flap." Meanwhile, a BBC story submitted by The Big D tells how the "Islamic group of Hackers (Al-Sooraj wing)" participated in the recent Pakistani military coup. -
PCWeek Summarizes hackpcweek.com Test
Banraeth writes "This week's PC Week contains a story about the results from their hackpcweek.com security test site. They explain the object of the test, how many attempts they got, the structure of the attempts and the way someone finally got in. The article reads really well and very clearly explains the anatomy of a break-in for those of us who aren't Linux security gurus. " -
$200 Linux PCs
Gekko and Webslacker were the first of many to tell us about the stir over at ZDNet, which is reporting on the arrival of sub $200 PCs due Q1 2000. These new desktops from Taiwan's Tatung come in eye-catching candy colors a la Apple's iMac. Tatung has opted for Rise and Cyrix K6 chips instead of Intel Pentiums, and a CD-ROM drive is an option. One wonders with the increase in the cost of DRAM how this will impact the price? -
50" Flat Screens from Pioneer
jon pointed us to an amazing screen. It's 50 inches, it's flat, and at $20k you could buy a nice car instead. And 1280x768 doesn't seem like that many pixels for that much real estate. But still... yum. If anyone at Pioneer wants to ship me a demo unit I promise to play Quake on it and return it in a few years... -
G4 Bug Keeps Them at 500MHz
Hal-9001 writes "I saw this link over at Ars Technica; apparently, the G4 has a bug that keeps it from running at 500 MHz or above. The story is over at MacWeek. " -
Torvalds Criticizes Open-Source Wannabes
Wonko42 writes "In his address at Internet World '99, Linus Torvalds threw some harsh words at Microsoft and Sun, criticizing Microsoft's thoughts of opening portions of Windows source and making his feelings known about Sun's restrictive new community license. He also spoke some about the future of commercial software, and dodged lots of Transmeta questions. " -
Dvorak Takes On The Crackers
rozerumn sent us linkage to another fun and exciting Dvorak column. In this week's episode he takes on the crackers. Offers views on what's happening in the area. Flamboyant as always.