Slashdot Mirror


Salon Interview with TrustE CEO Bob Lewin

bmc wrote to us about an interview that is currently running over at Salon.com. Salon is talking with Bob Lewin, the CEO of TrustE. Honestly, it's depressing. There's a real dearth of legislation that will protect privacy rights and even groups like TrustE have loopholes the size of Mack trucks.

8 of 59 comments

  1. loopholes by Anonymous Coward · · Score: 3

    I can't think of really anything regarding law or policy where there aren't loopholes. It seems the more precise we try and be with language, the more vulnerable we are. If you're clever enough, you can stab someone to death on a street corner and not go to jail for more than two weeks. Not that two weeks of cellblock loving isn't punishment enough, mind you, but it's still getting off relatively easy. In some countries you have to perform the duties of the person you killed. Now, that's pretty damn nice if you happen to kill, say, the king or president or taco bell manager, but it rarely works that way. Usually you end up killing a prostitute or a mime, the latter for reasons which should be obvious. And should be legal I might add. I'd like you to point out FIVE people who aren't French who like mimes. I certainly haven't met them. I'm sure we'd all accept that if I haven't met someone, they don't exist.

    But anyway, back to loopholes, specifically ones you could drive a Mack truck through. These can generally be dealt with fairly simply by putting a serrated metal tire-strip in front of the loophole to pop the tires of said truck. The truck then gets stuck in the entrance of the loophole, and nothing else can come through. Yeah, an awkward solution to the problem, but have you seen a kernel patch lately? Almost as much of a hack as any given service pack. Gets the job done, yeah, but it's NOT pretty.

    As any other quick patch, this solution does not always work. Take for instance, when the Mack Truck gets eaten in advance by a Log Truck. I know what you're thinking, but Log Trucks are VERY cannibalistic. They feel no loyalty to other trucks. There is no evil like a Log Truck. If any foolhardy person doubts me, just take a quick stroll through the back woods of Central New York. And don't say I didn't warn you. You'll be lucky if you escape with your life. I grew up there, and even that wasn't enough. I was killed by a pack of ronin Log Trucks three years ago while hiking with a friend of mine. Now I am dead and sad.

    thankyoutheend

  2. The Old Saying... by dougman · · Score: 3

    "Trust Noone".

    Seriously. When you think about it, there's nothing TrustE can do to prevent privacy policy violations from ALL the sites certified after the initial process. And yes, most of this is TrustE's fault, or better put, a serious ethical problem with TrustE's business model.

    TrustE is a really well-entrenched brand name.

    TrustE is in business to make money.

    TrustE makes that money selling the essentially one-time process of certifying sites' privacy policy, for hundreds to thousands of dollars a pop.

    TrustE relies on a QUANTITY of business to keep them afloat.

    Since TrustE has an enormous amount of customers (sites) they've certified, to properly police all of them (protect the integrity of their seal) would cost far more than the revenue generated from the initial process.

    Thus, the certification is symbolic at best.

    So, what have we learned?

    We didn't have this problem (as much) back in the BBS days, when everything was local. You knew your friendly (or not so friendly) sys0p, and his reputation preceded him. No silly seal necessary.

    Of course, I realize this is a global network now, and this "everything is local" paradigm is dead.

    But by the same token, nothing beats doing business with who you know and trust, symbolic declarations of good intentions be damned.

    I don't begrudge TrustE - they have a hell of a racket, make a TON of cash, and I'm sure in the same position I'd do the same thing.

  3. The Truste business model by griffjon · · Score: 3

    I don't understand how this is surprising ANYONE. The only thing truste 'does' for the end user is to say that the company follows the privacy policy it lays out and allows exits at required locations (you can't be forced to give your email address before reading the privacy policy, for example).

    It does not, never has, never will, alleviate the need to read the actual policy at a website, word for word, before giving it a valid email address.

    Truste is good for privacy policy building, its wizard is excellent for delineating exactly what you do and what you say. This is its true value add for businesses. Realize that Truste is for businesses, and not consumers, and a lot becomes clear. This is the only way this model can work--how many businesses would pay hundreds of dollars to get something on their site that reads {Truste Certified. This site sells email addresses}

    Right. Just south of 1.

    Something that would be interesting, tho, is an implementation of that web graffiti software (the controversial one that allows you to post messages connected to websites that other people with the same ware can see?) and have a real, consumer-advocacy-style group go through the big e-commerce sites and rate their privacy practices.

    --
    Returned Peace Corps IT Volunteer
  4. Bad assumption: TRUSTe is *NOT* our friend. by seebs · · Score: 3

    It's not that TRUSTe's model is flawed. TRUSTe's model is perfect.

    How many people naively share information with sites that have TRUSTe logos? How many people file complaints with TRUSTe instead of the FTC, or their local Attorney General?

    TRUSTe works fine. You just have to remember what they're there for: They exist to make consumers *FEEL* comfortable with privacy as it exists, and to keep people from complaining to their government.

    It is not TRUSTe's policy to take action under any circumstances. These "loopholes" are not accidents; they are a *FEATURE* of the design of TRUSTe.

    The purpose of TRUSTe is to waste your time so you don't complain to the FTC when a site violates its privacy.

    And remember, TRUSTe has *NEVER* yanked a seal. Not once. Not even when company staff *FORMALLY AND OFFICIALLY STATED THAT VIOLATIONS OCCURRED*.
    Look at eBay; they changed their policy, they started spamming, they kept spamming, they failed to delete accounts when people quit, they kept spamming... And they have a shiny TRUSTe logo.

    Same goes for the BBBOnline.

    --
    My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
  5. Privacy/Security by tweek · · Score: 3

    It's stories like this that make me beg for a real 3rd party privacy/security group to certify companies. You've got companies that are storing Customer Privileged Information (credit card numbers and the like) on the same server as the web server with no protection. You've got licensed TrustE members who lull you with this big pretty seal that your information is safe. I swear we need some legislative reform that holds a company liable for NOT protecting your information enough. If I found out a company had stored my credit card number (which I explicitly ask sites I shop with not to preserve) in an unsecure fashion and it became stolen, I want some form of legal recourse. I really think there needs to be more liability and responsibility on internet based companies.

    Of course I'm also a huge proponent of full disclosure for any companies that conduct transactions over the internet. I should be able to call up Company A and get information about their security so as to feel comfortable in doing business with them. My bank does this on their online banking site discussing topics that the average user wouldn't have any clue regarding.

    Of course

    --
    "Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
  6. (Weak Standard) x (Weak Enforcement) = Useless by renard · · Score: 3
    I quote from the interview:

    Q. Once it has the TRUSTe seal, have you ever kicked out a site for doing something?

    No, we've come very close, but we haven't had to do it.... [A] lot of these are just misunderstandings.... [T]he resolution... may result in a change in the privacy policy, the business model, or what have you.

    And later:

    As their Web sites evolve, we've got to ensure that the privacy statement evolves. It's an ongoing process.

    This is wrong two ways.

    First, it is a weak standard. All a web site has to do to keep their TRUSTe seal forever is to perform a mea culpa after each "violation" and then change their policy. They don't even need to return to any previous state of "protection."

    However, a site only needs to sell my email address to a spammer ONCE for me to have lost my privacy completely. This is what "trust" means -- we as users are dependent on the site's good behavior; we must trust them.

    TRUSTe's policy of closing the privacy-policy's barn doors after the user data have escaped is entirely inadequate to the task at hand.

    What is needed is a civil liability for the damage that such betrayals of trust cause.

  7. Site Privacy Statement. ;-) by Quintus · · Score: 3
    As part of the new "OpenLegal" initiative, I thought I'd try my hand at writing a privacy statement. I think this meets TRUSTe's requirements, doesn't it? (Of course, most privacy statements aren't written even in the proper quasi-legally binding form I've poorly imitated in this! ;-)

    I. Intro and Purview

    1. This document governs the privacy policies of the Internet System 197.234.74.257 (the SITE) with regard to its access by one person (the VISITOR) by electronic means and the data about the VISITOR (the INFORMATION) collected hereby, but none of its mirrors, load sharing sites or routers, neither other viewers.

    2. By entering within sight of this site you have indicated your agreement to these terms.

    II. General Rights

    1. It is our pleasure to inform you that you have no privacy rights whatsoever. As you read, personal data is being collected.

    III. Information Collected

    1. The SITE will endeavour to collect as much INFORMATION as may be determined profitable by the SITE.

    2. These INFORMATIONs will include but not be limited to: your home and work contact info, your family history, all such INFORMATION about your relatives including their schools or nurseries, principal caregivers, nannies and ages, your prom date, your IRS return form, any foreign tax return form (or lack thereof), your secret service file with each of the nations on the Security council and your IQ.

    IV. Collection Means

    1. The SITE will use whatever means necessary, including but not restricted to cookies, IP fingerprinting, port mapping, indiscriminate hacking and paramilitary raids; in fact, as the VISITOR reads this a highly trained team of former SEALS and S.A.S. members is ransacking the VISITOR's (that's you) personal files and residences.

    V. Use of Information

    1. This site will under no circumstances refrain from selling this information to the highest bidder, including but not limited to security forces of any country or group.

    VI. SECURITY

    1. Due security measures will of course be taken. If they weren't, we couldn't sell the info because anyone could steal it.

    VII. Accessing & Updating Information

    1. The SITE sees no need to give access to the INFORMATION, as it is 100% accurate, comprehensive and personal, and the VISITOR therefore already knows it.

    2. Every time the VISITOR moves his mouse, the information will be automatically updated. Therefore, the VISITOR will not need to manually modify the INFORMATION.

    VIII. Limitation of Liability

    1. No-one's written any laws yet, so we're untouchable. We have no assets in Europe. The VISITOR is hereby sol.

    --
    He who fights and runs away,

  8. TRUSTe is a scam by russ-smith · · Score: 5
    I have filed numerous TRUSTe complaints. They have not resolved any of them.

    Some tricks they use: They claim AOL.com is covered by the TRUSTe seal until you file a complaint. They then claim only www.aol.com is covered but members.aol.com is NOT covered. This means if you visit www.aol.com to get information you are covered ... but, if you actually join and give them your personal information you are not covered!

    Any web site can set up 2 sites www.example.com that has the TRUSTe scam seal and then set up a second site www2.example.com that collects the personal info and avoids the requirements of the seal. What a joke!

    Other complaints where sites do have the TRUSTe seal simply go unanswered (Geocities, Real Networks, New York Times, etc). This is not surprising since TRUSTe is funded by fees paid from these companies. People who complain don't pay anything.

    Russ Smith
    http://privacy.net