TRUSTe Decides Its Own Fate Today

TRUSTe, the steward of the most visible symbol on the internet, is making a tough decision today. Today, it reveals what it intends to do about its client Real Networks. At stake is whatever's left of its credibility. (Update: 11/08 02:55: Real got off on a technicality: "because the transmission of user data ... did not involve collection of data on the RealNetworks Web site, the privacy incident was outside of the scope of TRUSTe's current privacy seal program.")

Unquestionably TRUSTe is the leader in third-party privacy assurance. Its only alternative is BBBOnline, which can boast only 100 members to TRUSTe's 750. But it's having a hard time living up to its motto, "Building a web you can believe in": sometimes it's hard to know what to believe.

TRUSTe's original idea was to allow a website to display one of three icons, indicating whether its privacy policy was good, ok, or bad. There turned out to be problems with this - strangely enough, no site wanted to post an icon saying that their privacy sucked - and the icons looked too similar anyway. So they went with one icon, a "badge" that every member site posts.

All the badge means is that the site has a privacy policy, and that, as far as TRUSTe knows, they haven't violated it.

If you think this is a questionable basis for a consumer advocacy group, you're right. But the real question is how it plays out in practice. Let's take a look at TRUSTe's track record.

Round I: TRUSTe and GeoCities. In June 1998, the FTC announced - to everyone's surprise - that it and GeoCities had come to a settlement regarding violations of consumer privacy.

Everyone was surprised because this was the first anyone had heard of it. Where was TRUSTe?

Caught flat-footed, TRUSTe scrambled for a few days, then made its own announcement. It pointed out that GeoCities had begun the alleged privacy violations before applying to become a member (in April) and being accepted (in May). Therefore, TRUSTe claimed, the violations were technically not under the scope of their investigation.

But turn that around and put it another way - it was able to become a TRUSTe member even while under investigation by the FTC, and TRUSTe said nothing.

It gets worse. The FTC and GeoCities issued conflicting releases about what the settlement actually meant. The FTC said that GeoCities had "misrepresented the purposes for which it was collecting personal identifying information" (including children's). GeoCities denied the charges.

So who was right? We still don't know. Despite this being precisely the issue that TRUSTe was set up to resolve, TRUSTe refused to confirm or deny the FTC's allegations.

In a 1998 open letter, I asked whether TRUSTe's initial review of GeoCities had included any really tough questions such as "are you currently under investigation by the Federal Trade Commission?" No answer. In fact, mention of the GeoCities incident seems to have been removed from TRUSTe's website.

The organization that wanted to make the FTC obsolete was not off to a good start.

Round II: TRUSTe and Microsoft. March 1999. This was the "Global User ID" case. It turned out Microsoft had been embedding a user ID into every document you created with their software. Since they put that ID on file when you registered their software, they have been capable for years of tracking authorship of even supposedly-anonymous documents.

And don't think it's just a theoretical concern. Just weeks later, the Melissa macro virus was unleashed, and its author was tracked down using this same ID. Any technology that can lead the cops to your door is potentially dangerous technology.

TRUSTe announced that this "compromises consumer trust and privacy" (duh), but said that since the Global User ID does not, strictly speaking, involve the Microsoft.com website, it had no jurisdiction. Their conclusion: "TRUSTe has determined that Microsoft.com was in compliance with all TRUSTe principles."

In reality, Microsoft's privacy page (prominently labeled with the TRUSTe seal) also discusses online registration of software products, and notes that the "personal profile" from their software registration appears on the website and is editable from the website. And that page claims that registration is covered by the TRUSTe guidelines. For TRUSTe to claim it's not requires some Clintonesque redefinitions.

CNET's headline was exactly right: "TRUSTe Clears Microsoft on Technicality."

Round III: TRUSTe and Deja News. April 1999. Again TRUSTe is taken by surprise when a computer sleuth discovers that Deja News has been collecting data on email sent by its users. When a reader clicked on an email link in a discussion posting, the destination email address was recorded, along with the presumable topic of discussion, the sender's IP number, and if registered, the sender's personal data.

This is not what one expects when sending private email! And this clearly involved Deja's website, so there was no question of another technicality.

TRUSTe's analysis of this situation was only two paragraphs long; here's all that happened:

"TRUSTe specified certain clarifying language to be included in the privacy statement. Deja News, independent of TRUSTe, then decided to discontinue the practice of tracking IP addresses in conjunction with the mail-to feature."

In fact, the situation was resolved long before TRUSTe even bothered to issue that statement. TRUSTe's suggestion of "clarifying language" had been obviated long before by Deja's indepedent action. See ZDNet's story of May 4th, which hopes that TRUSTe "will likely issue some sort of statement...this week." But TRUSTe stayed silent for four weeks.

Round IV: TRUSTe and Microsoft (again). A wide-open security hole in Microsoft's Hotmail is breached, and for a few hours everyone's inboxes are public domain. (If you don't think this is a serious privacy violation, read the stunning anonymous tale of cracking into an enemy's email, published on Salon.com the next day.)

TRUSTe's response is to call in an independent accounting firm to talk with Hotmail's programmers and security people, look over the source code, and generally try to make sure such a problem won't happen again. This isn't a bad idea - it just wasn't much of anything that Microsoft wouldn't have done on its own. Locking the barn door after the horse is gone doesn't help the people whose privacy has been lost. Microsoft is out of pocket a few bucks for the audit, and gets more than its money's worth by being able to say that TRUSTe still gives them a clean bill of health.

How can all these incidents have passed by without punishment of any kind? It's because of what TRUSTe is actually guaranteeing. Not that any company will actually keep its data private - but that the company is not lying in its privacy assurance.

That's right. You know those privacy promises you never read, the ones that are different on every website and all seem ten pages long? What TRUSTe does is promise you that, if you had read them, you'd know your rights.

If it wanted, a company could have its lawyers dress up "we will spam your email every day and sell your name and address to anyone who asks for them" in legalese, and get a TRUSTe badge on their homepage. Would you know you were being screwed? Not unless you speak fluent lawyer.

Is the FTC such a bogeyman that we really need to sell our privacy so cheap?

When Ralph Nader was pressing the government to impose strict safety standards on the auto industry, Henry Ford II complained that they were "unreasonable, arbitrary and technically unfeasible." After the laws were enacted anyway, a decade later he conceded: "We wouldn't have [these] kinds of safety ... unless there had been a federal law."

Imagine if our only automotive safety regulations were that Detroit must abide by its lawyers' fine print!

The usual argument is that requiring an actual guarantee of privacy would stifle business. The purpose in forming TRUSTe was to keep the internet corporation-friendly, by keeping the government out. TRUSTe was well-intentioned, no question. It was a noble experiment.

But, according to some influential people and groups, it has failed.

Forrester Research studies topics related to the internet and made privacy its concern in its September 1999 report, "Privacy Wake-Up Call." Its conclusions should not be surprising:

"Most privacy policies are a joke." Forrester says corporate privacy policies are legalese set up mostly to protect the corporations.

"Few companies meet key privacy protection principles." About 10%.

"Third-party programs show little traction." Hundreds of TRUSTe licensees don't amount to much on the billion-page net.

And, "third-party privacy firms...like TRUSTe...become more of a privacy advocate for industry rather than for consumers."

(Slashdot has more on this study.)

Even the Electronic Frontier Foundation, after years of straddling the fence on the issue, has finally recognized that self-policing just doesn't work. The EFF is not just the best-recognized internet rights advocacy group; it created TRUSTe.

Yet, in an October letter to the FTC, the EFF laid down its cards:

"Creation of TRUSTe and its seal program was one such early innovation of EFF. TRUSTe was successful in several areas. ... We now must move out of this awareness-raising mode and into an action mode where real protection can be achieved. Legislation is needed in order to achieve that goal. ... we think it is time to move away from a strict self-regulation approach to protecting privacy online."

The latest nail in the coffin came on November 1, when EFF Program Director Stanton McCandlish laid out the facts on the fight-censorship mailing list:

"Our stance has basically been that industry self-reg would be worth trying, but might or might not be enough. We did the 'proof of concept' ourselves, by launching and spinning off TRUSTe. But TRUSTe was intended to be and is a separate, independent entity, and was created as an experiment. The experiment is in many ways a failure..."

(McCandlish's personal opinion is even more scathing. Follow the link to read it.)

You wouldn't know this if you read the TRUSTe website. Their homepage proudly tells you about the six-month-old Georgetown study, but makes no mention of the Forrester Research report. It tells you that the FTC supports self-regulation (based on Georgetown), but won't tell you that its own parent, the EFF, thinks the ride is over.

If TRUSTe is a consumer rights and advocacy group, why are they only feeding us the feel-good stories? Aren't consumer groups supposed to be the ones that dig up dirt and tell us about potential problems?

The money trail leads to the answer. TRUSTe isn't a consumer advocacy group. TRUSTe doesn't get its money from consumers. Its money comes from corporate sponsors, and nobody wants to bite the hand that feeds them. Besides, those corporations want the message to be one of constant calm. Concerned customers are not good for sales.

Remember the GeoCities FTC findings that TRUSTe wouldn't comment on? GeoCities had just done an IPO and millions of dollars were at stake. GeoCities' sister corporation Engage Technologies (they are both subsidiaries of CMG Industries) was a Contributing Corporate Sponsor of TRUSTe. That conflict of interest was never mentioned.

(GeoCities has since been purchased by Yahoo.)

Remember the Microsoft incidents that TRUSTe waffled on? Microsoft is not just a member, but also a Premier Corporate Sponsor of TRUSTe. That conflict of interest totals $100,000 per year.

Round V. By now you've guessed that this is leading up to the current furor over Real Networks. Real is a TRUSTe member. Do I need to mention that it's also a Contributing Corporate Sponsor?

TRUSTe said that it would render judgement on Real Networks by the end of last week. Now it's saying today.

And it's making noises like they're actually going to do something this time:

"We could take the company to court for breach of contract, since they do have an agreement with us. Or, we can forward the case to the FTC... I guarantee that the damage to the reputation of the first company that we do that to will be big."

For its own sake, it had better. We're talking about a company whose product is a Trojan Horse that secretly scans your hard drive for valuable personal data. If TRUSTe doesn't unload with both barrels, its credibility will be negative zero.

Anything TRUSTe does may have a negligable effect in any case. Corporations only understand the bottom line, and RealNetworks stock shot up 25% in the five days following the privacy debacle. With the company's market cap $1.9 billion higher than it was a week ago, how much are they really going to care about some nonprofit gnat?

We can hope. Real.com today unveiled its new website, a music portal, which investors will be watching carefully. Also happening today is a conference held by the FTC and Commerce Department for data-profilers to announce what they're going to do to protect privacy. So if TRUSTe were trying to maximize the effect of their announcement, today would be the day they'd pick. It could be that the gnat will have a nasty bite that surprises everyone.

Still - you can dress an organization up in not-for-profit clothes, but that doesn't change that it's beholden to its revenue stream. TRUSTe says we can trust them to be objective, on the theory that their revenue stream will dry up if they don't do right by consumers. So far, there doesn't seem to be much truth to that. They haven't been doing us right, but their number of contributors and members just keeps growing.

I enjoy reading about the future envisioned by people like Gibson and Stephenson, where the net is totally unregulated and a "right to privacy" is a dim memory, or a joke. That doesn't mean I want to live in that future. Europe has consumer protection laws that are, from an American perspective, astonishingly strong. Maybe we should take a look at other countries' solutions, to see if there's something we could learn.

So far, all we've learned is what fails.

- Jamie McCarthy

He's dead, Jim

[Kaa]

Really. TRUSTe has no credibility left. I really don't care what they decide about RealNetworks, and I doubt that many other people do.

It may have been a good idea at the start, but right now their situation would make a good case study titled "The loss of virtue and the disadvantages of being a corporate whore".

Kaa

Re:He's dead, Jim

[Terra+Native]

You hit it dead on man... They're just sucking Satan's pecker.

Privacy Rape and TRUSTe Approval

[Kintanon]

I'd say our online privacy is about to get raped hard by TRUSTe and Real Networks. I don't trust TRUSTe as far as I can spit them. Just because they have labeled themselves as non-profit doesn't mean they don't need money. TRUSTe is still out to get sponsors and make enough money to pay its employees, because of this it would be a very bad idea for them to actually take action against a company who violated a policy. Most likely it will just be an extortion case, TRUSTe will quietly hint to Real Networks that if they are willing to cough up a couple hundred grand in 'donations' they can be TRUSTe approved by tommorow. Nothing will change....

Kintanon

Change the revenue stream

[Brian+Knotts]

It seems to me that privacy is a pretty desirable thing among most Internet users. And, it's clear that an organization is most accountable to the people who fund it. So, why not have an organization somewhat like the AAA (American Automobile Association), that is funded (at least primarily) directly by the users? I'm guessing a lot of people would be willing to spend $25 per year for an organization of this type.

If this sounds stupid, please excuse...it's pretty early in the morning right now. :-/

--
Interested in XFMail? New XFMail home page

Re:Change the revenue stream

[aallan]

So, why not have an organization somewhat like the AAA (American Automobile Association), that is funded (at least primarily) directly by the users?

But unlike Triple-A, what exactly could this organization do? Presumably they'd spring into action if your privacy was violated? Sue the offending site? I doubt that $25 a year would cover the cost, especially if the site was located in Outer Mongolia or the like. Which court system would you be able to sue them in anyway? Your country of origin, maybe not, depends on your own countries laws. Their country, maybe not, depends on their countries laws. Neither? Possibily! Both? Unlikely!

Self regulation is a bust, companies will always go with the bottom line, and I doubt that a few law suits against the worst offenders would discourage the bulk of them (you can't sue everyone, especially if your using a court system other than the American one).

IMHO the only solution is to pro-active, don't use products or services from companies that don't respect your privacy. If enough people do this, that will affect they're bottom line.

--

Re:Change the revenue stream

[plunge]

Not that I'm implying it's a good or bad thing, but there are plenty of regulatory agencies out there that operate off consumer money- via taxes. The fees are usually a bit over 25$ a year though... :)

Re:Change the revenue stream

[Kaa]

There is EFF (Electronic Frontier Foundation) which is pretty much what you want. It's an open question as to how effective it is, though. Plus some people think that it got in bed with the Washington Congress/lobbying types and thus not so trustworthy any more.

Kaa

Re:Change the revenue stream

[Brian+Knotts]

Well, I certainly don't claim to have all the answers. I was just suggesting that a user-funded organization may be somewhat more effective than an industry-funded one.

What I picture as a somewhat effective "International Internet Users Association:"

• Reasonable yearly fees: ~US$25-50/year
• Not primarily legal oriented; more of a "there are a lot of us, so you'd be wise to deal with us fairly" sort of thing
• User fees would fund arbitrators/negotiators who would help resolve conflicts
• Member benefits to encourage membership would probably include an email address and access to the association's database of vendor data

It might not work, but then again, it might be better than what we have.

I still don't think legislation is the answer, partially because the Internet is super-national; it exists beyond traditional national boundaries.

--
Interested in XFMail? New XFMail home page

Re:Change the revenue stream

[NatePuri]

We at ompages.com seek to do precisely that. Privacy is essentially a private matter. That means that the person in control of one's privacy is not some corporation with some policy. Rather, it should be the individual internet user.

The software and technology to secure privacy on the internet should be within the physical possession of the person seeking to retain privacy. One cannot give away personal information and expect the recipient to be trusted without some legal privilege to do so.

Re:Change the revenue stream

It'd pretty much be Slashdot with well-funded investigative journalism, centered on privacy and other issues near and dear. Hey, that could work!

Re:Change the revenue stream

[e-gold]

(The message below was posted to the fight-censorship mailing
list. I'll check out ompages.com now, sounds interesting.)

+++++++++++++++++++++++++++++++++

Nice analysis on Slashdot, Jamie. I'd only add my opinion that
just because TRUSTe has demonstrated over and over they're
not trustworthy does NOT mean that the executive, legislative,
or even judicial branches of the US government have suddenly
become more trustworthy. IMO, it's negative-zero vs negative-
zero. :(

The problem here is a bad funding-model. Whether it's giant
corporations or suspiciously-wealthy Buddhists, if individual
privacy is desired you're going to see better results if you use
individual funding. The top-rated comment, titled "Change the
revenue stream" by Brian Knotts (bknotts@europa.com) says
it pretty well, IMO. "Follow the money" is at least as true now
as it was in Nixon's day. I agree with Michael that whoever is
reading the info@truste.org mail should update that resume,
and I'm sorry (though not surprised) to hear RealNetworks'
stock (like M$ stock) went up instead of down today.

The advent of instantly-settled bearer payment media should
make individual-funding revenue models easier to implement.
See http://webfunds.org/download/zip_README.html for more
about one bearer payment* method, there are others too.
JMR

* My company is (somewhat tangentially) involved with the
DigiGold folks, although the Webfunds wallet is open-source
and supports any type of payment it can.

Re:Change the revenue stream

[ralphclark]

especially if the site was located in Outer Mongolia or the like. Which court system would you be able to sue them in anyway? Your country of origin, maybe not, depends on your own countries laws. Their country, maybe not, depends on their countries laws. Neither? Possibily! Both?

In a hundred years, a united world will look back and remember the birth of the internet as the beginning of the end of the nation-state. Given the massive changes we have seen in the past 12 years, and the massive economic forces involved (the lure of truly global markets, the problems with tax collection from cross-border trades), it's even possible some of us may see this conglomeration happen in our lifetimes.

Consciousness is not what it thinks it is
Thought exists only as an abstraction

TRUSTe has paved the way for gov't privacy mandate

Once upon a time in the land of Silicon Valley, all were libertarians.

The government was an impediment, we would police ourselves!

Except we didn't.

The TRUSTe emblem on a web site is less than meaningless. It doesn't assure users of anything at all - its an empty, useless web consortium that is more concerned with generating good PR than getting involved, even remotely, with the protection of privacy.

Now its just a joke, and privacy violations are flagrant and numerous.

Unfortunately, the web industry cannot police itself with regards to privacy. Its going to take an outside agency with no vested interest...namely Uncle Sam.

Too bad, really, they had a chance to demonstrate that industry could monitor itself effectively, but the ended up making the case for big government throught their ineffectiveness.

Regulation

[Kaa]

I enjoy reading about the future envisioned by people like Gibson and Stephenson, where the net is totally unregulated and a "right to privacy" is a dim memory, or a joke. That doesn't mean I want to live in that future. Europe has consumer protection laws that are, from an American perspective, astonishingly strong. Maybe we should take a look at other countries' solutions, to see if there's something we could learn.

Well, to start with my reading of Gibson and Stephenson is a bit different than yours. The right to privacy as in "He looked at my email! Call the cops and let's file a complaint at the friendly Cybercrimes Court" doesn't exist for sure. However, the privacy in the cyberpunk world is completely in the hands of the individual. Basically, if you care enough about anonymity and have sufficient skills, you will make yourself anonymous. If you don't care or not smart enough, other people, if they care, can look at your data.
That's not so bad a future to live in (it's not that hard to learn to use encryption). I certainly don't want the cops to jump in any time somebody does a port scan.

Yes, Europe has strong consumer protection laws, but all they do is reassert the power of the political structure (government) over private entities. I am much more worried, Gibson's future nonwithstanding about the government power, than about the power of corporations. For example, I am quite confident of my abilities to thwart, mislead and generally disrupt the attempts of corporations to collect personal data about myself, unless I implicitly or explicitly agree (credit history is an intrusion of privacy but is a useful thing to have). However if a goverment, in the name of protecting the consumers, makes it a crime to, say, spoof personal data on the net, or much worse, establishes a registry of net users (mandatory ICQ, anyone?), it will make my life much harder and more unpleasant.

So I do have huge misgivings about the heavy and not particularly bright hand of government messing with the workings of the net.

Kaa

Re:Regulation

[plunge]

How do you see corporations being reined in though? Europe is certainly not a good general example- their laws make their economies too brittle and stagnant, and their idea of government regulation may be too overbearing. But supposed watchdogs like TrusTe obviously aren't much good at this sort of thing. And the press? The giant media/home appliance conglomerates? No help there either. Corporations can make your life hell. I'm in favor of having a government sponsored industry of competing watchdogs. They would get to feed off corporate crime settlement money and compete for government subsidies (set by standard, not subject to politics), but there have to be several, so that its a working market. No direct government buerracracy, just true muckrakers who are free from corporate kowtows.

Re:Regulation

So what you're basically saying is that "if you're good enough, and smart enough, and constantly keep ahead of the corporations, you just MIGHT have some privacy"? Gibson's writings are called dystopian for a reason, and the fact that the individual has so little power unless they have extraordinary gifts is not exactly laudable. Even the unintelligent have some basic right to privacy; the idea that those without extraordinary mental, societal and educational gifts have the same basic rights as everybody else is fundamental to modern western civilization. It would of course be better if some non-governmental solution was found. It would appear, however, that there may be none.

Re:Regulation

[Kaa]

How do you see corporations being reined in though?

To repeat one of my fav ideas, giving individuals copyright over their personal data would go a looong way towards solving the problem.

I'm in favor of having a government sponsored industry of competing watchdogs. They would get to feed off corporate crime settlement money and compete for government subsidies

I am not sure. They would probably have too much power and would end up blackmailing the industry. "Well, guys, you can plea bargain for some minor infractions and pay only $5m, or we can come in with a full-blown audit which (just the audit) will cost you around $10m. So how about making a reasonable choice?"

I think IRS had a kind of a similar system (people got bonuses for catching tax offenders) and it certainly didn't work very well.

Kaa

Re:Regulation

[plunge]

To repeat one of my fav ideas, giving individuals copyright over their personal data would go a looong way towards solving the problem.
Sounds good- what's the downside- I don't know much about copyright law- isn't that going to be tricky deciding what's yours and what's others? I'm all for me owning everything about me, from DNA to my slashdot comments.

They would probably have too much power and would end up blackmailing the industry.
But since there would be competing watchdog groups, they could easily call each other out on such things. The IRS is so incompetant because there's no alternative- it's their way or the highway. Not so if there'a market that serves people's need for privacy. Unfortunately, it's clear it would be a big enough market to hold enough watchdogs to make it a useful market.

Re:Regulation

To repeat one of my fav ideas, giving individuals copyright over their personal data would go a looong way towards solving the problem.

Again, involving the government. A public, accountable foundation seems to me quite desirable. Despite the many shortcomings of the existing democratic system, it at the very least provides a small but tangible opportunity for citizen input and reaction.

AC

Re:Regulation

[Kaa]

Again, involving the government.

Not the government. The legal system. There is a fairly big difference in Western countries.

Kaa

Re:Regulation

Not the government. The legal system. There is a fairly big difference in Western countries.

The decisions on both how the legal system is set up and what issues it is entitled to deal with are to a large extent the legislative and executive branches' decision. Enforcement as well is the prerogative of the government -- one nowadays overtly challenged by unaccountable corporate interests that favor myths such as "self" or "market" regulation and the passing of laws without any measurable backing.

The government really isn't limited to just one or two branches, with the judiciary standing out as an independent, clear headed entity. It is the whole of the political arena, of which the judiciary has been a key participant for the past 200 years. That the Supreme Court would sometimes go against the legislative or executive direction on a given decision takes nothing away from the fact that they are part of the government, and is mere testimony to the individual judges' own ideological beliefs.

AC

Re:Regulation

[cjs]

Yes, Europe has strong consumer protection laws, but all they do is reassert the power of the political structure (government) over private entities. I am much more worried, Gibson's future nonwithstanding about the government power, than about the power of corporations.

I feel just the opposite way. Governments at least have some responsibility to the populace, and this is enforced through the elections and the political pressure that can be brought to bear against them by advocacy groups and individuals. Corporations, on the other hand, don't give a damn; their responsibility is only to their stockholders, who generally care about nothing but making money.

I've just moved from Canada to the US, and I'm amazed at how much worse off I am in the US in terms of privacy. There's a lot of tracking of individuals going on in the US, and much of that is driven not by the government (though they do their share, e.g., mandatory placement of SSNs on drivers licenses), but by corporations. The US has slowly been building a national identity system (based on Social Security Numbers) for a couple of decades now, and much of that is driven by corporations. (It's not only perfectly legal, but perfectly usual in the US for a corporation that has no tax-related relationship with you at all to refuse you service unless you supply an SSN.)

Sure, governments can and do abuse their power. But in democracies they are, to some degree, responsible to the people. Corporations never are.

Also, I'd like to note that this fear of government is a particularly American fear. (Perhaps some of it comes from those same Republican party politicians who, during the Regan years, more than doubled the size of the US government.) There are a lot of countries in the world that have had `big govenment' that do quite well, and do a much better job of protecting their citizens' rights and privacy.

cjs

Re:Regulation

[bnenning]

Of course corporations are responsible to the people. They can only make money by selling to consumers who are willing to pay for their product. (Well, also by lobbying for corporate welfare, but that's back to government.) It's relatively easy to avoid dealing with a corporation you don't like. It's not so easy to tell the IRS you disagree with your tax bill.

Incentives

[dynarion]

TRUSTe's incentives are clearly bass-ackwards. The Consumer's Union model, where the evaluating organization takes no money from the evaluated, is clearly more ... trustworthy. All I can ask is, who in their right mind ever expected this to work?

"the most visible symbol on the internet"?

I thought that was Lara Croft's butt.

I've never even HEARD of TRUSTe, much less given them any credibility. Have I been living under a rock or something?

Re:"the most visible symbol on the internet"?

[Tridus]

No TRUSTe sort of had a moment in the spotlight a few years ago, and then essentially fell off the users radar. For some reason the average user doesn't care about privacy, I don't understand why.

But if you haven't been around for a long time, its understandable that you wouldn't know about TRUSTe, I had forgotten about them until I saw the article.

Truste was dead earlier this year

[DocJohn]

I wrote an article in March after the Microsoft fiasco illustrating Trust-e's bumbling inability to actually make good on its promise to consumers. It's just a feel-good whitewash organization for the industry to grab on to and say, "See, we care about your privacy."

Actions speak louder than words, and Trust-e's inaction speaks volumes.

Article link.

TRUSTe and privacy

[chandler]

To use a Larry Wall-ism, this will be all over the map. I apologize up front.
Trust TRUSTe? Hah! No way! No, seriously, this real flap needs to be resolved, but there also needs to be another privacy service like TRUSTe - something more widespread, that does a large variety of verification services for a varying cost. It's sad to say that TRUSTe did not live up to it's expectations, and the RealNetworks incidents themselves are even more sad. Gov't regulation? Maybe, but keep in mind that these people happen to believe in "Security, er, Privacy through Obscurity", so they'll simply give the illusion of privacy. I think that an organization that lists its members and gives an overview of the privacy measures, sort of like a BBB for internet privacy, would be a Good Thing.

McCarthyism

[Hrunting]

Let's begin by playing devil's advocate, and then we'll see what erupts.

Any technology that can lead the cops to your door is potentially dangerous technology.

It's this idea that has completely shackled law enforcement when it has come to dealing with computer crimes. The idea that people should be allowed to be completely anonymous in everything that they do is completely unparalleled in the real world. I, for one, am very happy that some method of accountability was unknowingly in Microsoft's products so that they could track down the author of the Melissa virus. People can and should have an identity on the Internet, and while that identity should be protected, it shouldn't be removed because people are afraid that law enforcement will be able to find you.

I also don't think that TRUSTe is as important an organization as it is made out to be in this article. It may shock some members of the Slashdot community, but I had never heard of TRUSTe until the Hotmail debacle, and even then, I didn't stop using Hotmail, nor did I start regulating my product usage by the TRUSTe symbol. I'm sure many others haven't, either.

I really think people are beginning to accept the fact that the growth of the Internet has resulted in a certain lack of online privacy. One may lament it and one may try and fight it, but the idea of a completely open but anonymous society is contradictory. Where there is a data stream, there is a way. People may have a right to certain information privacy, but they don't have a right to anonymity, and the only rights they have to what information a product sends back about itself are market rights. Somehow, I don't think Real Networks is going under because they sent back UIDs from their product. In fact, I'm happy they can track their software.

The constant attacks against companies that engage in marketing devices, information gathering schemes, and content labeling is akin to McCarthy's (Joe, not Jamie) crusade against Communists. Anything that doesn't fit into the ideal is suspect. Guess what? Direct marketers have been using these tools for decades and, *gasp* people have been able to go through your trash for even longer.

I say the Internet needs to start strengthening itself around responsibility. Protecting one's rights is important, but a certain accountability is expected with those rights. So far, I see very little accountability, both on the part of the commercial organizations with their rampant use of undocumented 'features' and with individuals who try to both use and separate their lives from the system. As with all things in life, the middle ground is where I think the answer is. Rampant positioning on either extreme just ruffles feathers and leads to no solutions at all.

Re:McCarthyism

[I_redwolf]

You sir have obviously never attempted anything illegal. What about the users of HOTMAIL who lets say for instance are transferring credit card numbers through email? or passwords? Or love letters to their girlfriends or things of that nature that are private. What about RealNetworks scanning your hd? Yeah thats cool with you as well . There isn't a middle ground in this issue. Its one or the other. Either you want privacy or you don't?

More than half the users on the internet aren't even aware about their privacy. If you ask your every day joe schome computer user. He's most likely to say "but isn't this private; only my girlfriend can read this letter right?" I don't wanna have to be the one to say no, It isn't private, a major corporation with an idle employee is also reading your email right now. Oh btw if they feel disgruntled and you have a couple credit card numbers in that email expect to be making calls to your credit card company soon.
This is what it all boils down to.

Lets look at it from an everday joe schome user situation. And a joe schome is gonna believe whatever TRUSTe has to say especially if its backed by major corporations.

McCarthyism? I have no clue what it has to do with this at all. Senator Joe McCarthy blamed people in Congress for being communist he didn't blame the actual communist. We aren't blaming the major corporations for doing what we know they will do. We are blaming TRUSTe for being an advocate for it all and pulling the wool over the consumers eye.

Re:McCarthyism

[Kaa]

Let's begin by playing devil's advocate, and then we'll see what erupts.

I trust your asbestos underwear is in good order...

The idea that people should be allowed to be completely anonymous in everything that they do is completely unparalleled in the real world.

Not everything they do, but some things they do, and that is completely reasonable in the real world. When I walk on a street in a big city, buy myself a cup of coffee, ogle the girls walking by -- I am completely anonymous. And think back to the XIX century -- that's when the basis for all the current laws on privacy and anonymity was being formulated. It was quite easy to be anonymous in those time.

People may have a right to certain information privacy, but they don't have a right to anonymity, and the only rights they have to what information a product sends back about itself are market rights.

Well, we have a serious philosophical disagreement here and it looks to be quite basic (as in, not solvable on Slashdot). I strongly believe in the rights to both privacy and anonymity. I would also argue that in better world, people would have copyright over their own personal info.

Somehow, I don't think Real Networks is going under because they sent back UIDs from their product. In fact, I'm happy they can track their software.

I am glad you are happy. You will probably be even happier to know that RealNetworks tracked not only their own software, but also all the tracks that you've listened to on the RealPlayer, all the music CDs that you've inserted into the CD-ROM drive, and a bunch of other stuff that I don't rememeber right now.

people have been able to go through your trash for even longer.

I don't think you understand the issue. Sure, for a long time anybody who had a lot of time and money was able to collect much info about you. But it was not cost-effective. Now the cost to collect, organize and process massive amounts of personal data is minimal -- it became cost-effective to go through you trash, and much more besides. This is the crucial difference, not whether information gathering was possible in the past.

So far, I see very little accountability ...[snip!] ... with individuals who try to both use and separate their lives from the system.

And, pray tell, why should I not separate my life from the system? I, actually, have stong objections to my life being tightly entwined with the system -- see, I don't trust the system at all (and I have my reasons). You have an implicit assumption that the 'system' is beneficial and, for all its warts, is trying to do the right thing. I am unwilling to make this assumption. My goals and values are likely to be different from the system's goal and values. I am perfectly willing to take responsibility for my own actions, but this is not the same thing as being under pressure from the 'system' for being different.

Kaa

Re:McCarthyism

Online privacy should be a choice left to the individual. If one wishes to remain anonymous, that wish should be respected. I don't see people walking down the street with their names, social security numbers, addresses, telephone numbers, credit card numbers, etc. hanging off of their backs with convenenient tear-off strips allowing others to take this information with them for their own use. But you assert the internet should perform an equivalent function? Today's clue: When it's warm, dark, and quiet, you really should consider the possibility that your head is up your ass.

Re:McCarthyism

While accountability is important, privacy is more important. I say this because it's been proven time and time again that if you give any organization the rights to collect personal information on individuals, they will do so with or without their knowledge and use it in any way they see fit. This may have some positive results such as the discovery of the origins of the Melissa virus, as you stated, however.. for the majority of effects of such situations are not positive.
I think strict guidelines need to be set up as well as a system for punishing corporations that abuse their rights to collect personal information. Surely many of us would agree that the collection of information to provide us with a better service is a positive thing, but I'm also sure that none of us would like it if say your personal medical info was eletronically transmitted without your consent to your employer.
Accountability is good, but the fact of the matter is, you can't trust the industry to police itself, nor can we trust the government to properly regulate it's own use of personal info. Only a set of laws defining what information can be collected and how it can be used, will serve to help the public. It should then be up to the public as to what information they want to release to these organizations. We need privacy, not corporate or government scrutiny of our personal information.
It's interesting you chose to mention telemarketing and the direct marketing industry in general. Are you saying that just because direct marketers have been doing the same thing for years, that it's ok? I don't think so. In fact I believe that this industry needs to be more heavily regulated as well. I believe there was a report on one of the major tv networks just the other night that said direct marketing scams bilked americans out of about $40 billion in the past year alone! Someone needs to put a stop to all of it and soon.

Re:McCarthyism

[laci]

I'm glad the parent article made it to level 2 (so that I could read it :-), despite some moderator labeling it "Troll". The article's author clearly described his/her opinion, it was logical (not that I necessarily agree with everything, but (s)he had good points). Labeling it troll is ridiculous. I can only hope that by meta-moderatoration that guy will never moderate again.

--Laci

Re:McCarthyism

[Steve+B]

It's this idea that has completely shackled law enforcement when it has come to dealing with computer crimes.

No, what has shackled law enforcement is the fact that it has chosen to piss away its own credibility. Most people a generation or two ago had the highest respect for police officers, G-Men, etc -- but not any more, after a long list of dirty deeds (COINTELPRO, MOVE, Ruby Ridge, Waco, Filegate, etc ad nauseam) has come to light.

Attempting to point the spotlight at citizen skepticism toward the government is a blame-the-victim scam.
/.

Re:McCarthyism

[Fastolfe]

I think the media has had more to do with this change in respect than anything else.

There will always be abuses. There have always been abuses. Fortunately, abuse occurs very infrequently, despite what the mass media would like us to think. There's no news like bad news.

I for one trust my local law enforcement implicitely. If they fuck up, I have faith that they will either learn from their mistakes or their own internal reviews will see to it that such a mistake doesn't happen again. I most certainly wouldn't *deny* my law enforcement technology on the basis that it *could* be abused. The system has always worked on compromise. The gains outweigh the drawbacks. If a cop abuses his status and does something wrong, take HIM to court. Don't hamper law enforcement entirely. If we got rid of every power law enforcement had that was theoretically capable of being abused, our law enforcement would have no power at all. Don't fight the technology. Fight those that would abuse it. Request checks and balances and means to make people accountable for their actions.

Re:McCarthyism

[Fastolfe]

It is respected. You CHOOSE to put your personal information online. If that information is used in ways you don't approve of, that's your own fault for not checking to be sure how it would have been used in the first place.

If you don't want your Internet activity tracked back to your computer like your telephone activity is tracked back to your telephone number, go somewhere else and use a public terminal like you'd use a public telephone.

Re:McCarthyism

[joshamania]

Thank you /. for making Meta Moderating available. This user comment is an exremely rational and valid viewpoint, and whoever the moderator who labeled it 'Troll' is, should be relieved of his or her duties.

I happen to agree with the viewpoint of the author of this comment, and I also believe that anonymity, unlike privacy, is not a right. Why does everyone have to equate anonymity to privacy? If one is in the privacy of one's own home, one is not necessarily anonymous.

Public interaction has never been anonymous, and comparing buying a cup of coffee to spouting political opinions is apples and oranges. Sure one can walk down the street and harm no one and no one will take notice, but as soon as others are affected by an anonymous stroll in the park, I assure you that anonymity is out the door. You can go ahead and make your case about how you should be able to steal other's credit card numbers and passwords and pass them around to the world anonymously, but I and every other rational person on this planet is going to want to find out who you are.

One may remain anonymous as long as one is not infringing on others rights, but after the point of infringement, people are going to want an identity to point to. Even if one's name is on a list, with one's address and other such information, one will retain anonymity because no one else will care until they are bothered.

And for all you anonymous cowards out there, you can be sure that no one is going to try to find out who you are, until you do something stupid. As soon as someone posts a threat to kill the President as AC, the Secret Service will be banging down Andover's doors with a warrant insisting to find out who exactly posted the offending message. And they will find out. (please note, all you echelon operators, that this note is in no way, shape or form, a threat upon the President of the United States! :) ).

Stanton McCandlish, TRUSTe, libel lawsuit threats

[Seth+Finkelstein]

Ah, how far Stanton has come! Two years ago, he was threatening me with TRUSTe's attorneys:

"You're stepping very close to defamation, Mr. Finkelstein, and may have even crossed the line.

EFF wouldn't do anything about it, but I cannot vouch for the patience of the TRUSTe organization's attorneys. Proceed with caution, eh?" ...

"Again, please take this warning seriously. You are knowingly or negligently making provably false statements about TRUSTe with intent to harm their reputation. That's libel. You can get sued for that. Don't go there. TRUSTe's legal resources are better spent making sure participant compies adhere to their contracts, and I'm sure you have better things to do with your time & money."

Stanton McCandlish, Program Director, Electronic Frontier Foundation, on the fight-censorship list, Mon, 11 Aug 1997

I never did get a public apology, even after TRUSTe's failure.

the best course of action for them may be

they should expel real networks immediately and do a review of their other customers as well.

I deny it no more, Open Source privacy advocates..

..are right.

If the source code to anything isn't available, the program is -- from a securiyt stand point -- suspect.

I paid lip service about this before, but now I'm going to take more closed-source programs seriously before installing them.

How did Real ID individuals?

Is there a patch, or can I just edit/delete a data file every once in a while?

Two thoughts

[jd]

First, TRUSTe is proof positive that industry self-regulation is suicide for the consumer. If an industry can set the standards, run the watchdog, and ensure that everything "matches up a-ok", how can anyone ever fail a test?

Secondly, negative zero is the same as positive zero, is the same as zero squared, is the same as zero multiplied by infiniy. I understand the point being made, but if a point's worth making, it's worth making without being dressed up to look more than it really is.

Re:Two thoughts

[jjoyce]

He typed up the piece on a 1's complement machine. :)

--

Re:Two thoughts

[vectro]

Erhm, actually zero multiplied by infinity is not neccessarily zero. It depends on the limits involved in the zero and in the infinity. For example, the limit as x goes to infinity of 1/x * x^2 is zero times infinity, but it is equal to infinity. Conversely, the limit as x goes to infinity of 1/(x^2)*x is zero times infinity, but it is equal to zero.

There is today's offtopic math lesson.

Re:Two thoughts

Actually, there are high levels of math where the difference between positive zero and negative zero becomes important. I don't personally understand it, but that's why I'm not a Math/Physics double major with a focus on Cryptography and Chaos Mathematics. (my college roommate was, & the late night discussions got REALLY wierd)

TRUSTe badge is a good warning sign

Whenever I read the term privacy statement on a web site, I mentaly look over to my firewall and think about any recent changed I did with its configuration, and if they are good enough.

If I read the term TRUSTe, however, I usually can not resist, but opening the firewall's configuration files, and do a quick check if there might be a hole in some rules. I then continue to check if the http/html filters are also in place, and if they do what they are expected to do.

Currently, it is completely up to a user to care about his or her privacy. Everything else is multi-mega-$$$ BS, dumped on us to keep us calm, and prepare us for acting as a good prey when it comes to the next marketing attack. Remember the movie "Mars Attacks!" (no, I don't think Bill G. is an alien :-)). But it's the same mechanism here. Innocently we say hello, and the big guys zap us with their ray guns, say sorry, and are invited for another round "It was just a misunderstanding". Ok, next round, and they zap us again with their ray guns, shouting "Sorry!" afterwards. TRUSTe is earth's equivalent of the martians...

Re:TRUSTe badge is a good warning sign

[Black+Parrot]

Perhaps we should take the TRUSTe badge to mean this site has something to hide, or they wouldn't be hiding behind TRUSTe ?

--
It's October 6th. Where's W2K? Over the horizon again, eh?

Meaningless Kitemark

[Evil+Greeb]

What do these 'approved site' kitemarks actually mean to the average consumer? I've never heard of TRUSTe (I know I'm probably in the minority here on Slashdot), but what about your average websurfer? And do they actually acknowledge it? After all, Micros oft innovate and create great technology, they wouldn't violate my privacy, would they? (This isn't my express opinion, btw).

On another note, if Mr. bad Hacker puts up an internet site with a large grey box and a popup java/javascript window saying 'you need xyz plugin to make this site rock! get it from here', how many people would actually click through and be presented with a netscape-plugin-lookalike page, maybe even submit some personal details (for updates to this great product) and download a trojan?

And how easy is it to fake one of these icons? If you were a porno site, it would make an ideal badge to those consumers worried about paying $2 for a background check.

The thing is, most people using the Internet are far too trusting, send personal data in the clear, and believe anything. They don't need a TRUSTe badge to help them do that.

The real solution

[sjames]

TRUSTe's main problem is that it's 'service' isn't what people want or even what is implied. The article correctly points out that you can sacn someone's hard drive and sell all the data you mine to the highest bidder and get the TRUSTe seal as long as you bury a description of what you do somewhere in a 10-100 page legalese document that can be downloaded from your site.

What is really needed is a definition of various levels of privacy ranging from active violation to absolute (and protected) anonymity. Then, allow a company to display a simple icon with a rating from 0-10 (10 being the best) which links to a page describing, in plain english (spanish, german, etc) what that means. Naturally, no campany will proudly display a 0, but hopefully, if a site displays a 10, the consumer can feel absolutely confident.

The advantage to that system is that there is a lot less room for weasel words and technicalities. BTW, a 10 should include all logs going directly to /dev/null, ssl, and don't even ask who you are or where you're coming in from. In other words, very rare but possable.

Re:The real solution

[Big+Jojo]

Folk forget that the original "eTrust" (not "Trusty" as they call it now) was pretty close to that. As I recall:

• One eTrust logo meant that the site would never share your data;
• Another mean that they'd do whatever the heck they wanted;
• There was some intermediate one too

Part of getting watered down to become the "Trusty" service we know and loathe was removing all levels except the useless one.

What moron thought that was useful for consumers?

The hard issue is that corporations want pure reward, with no responsibility or risk. And they just don't know how to protect data once they've collected it ... and it's too easy for any little team to start collecting that data, and big companies don't have that much control over the hundreds of teams that can represent them on the web by putting a site up. Control would restrict "innovation" (keyword cross-reference: "theft") and that's clearly bad, right?

Given that corporate incentives are exclusively to abuse private data, there is really no way that self-regulation can ever work.

Re:The real solution

[Trickster+Coyote]

As you point out, a drawback of this is that no website would post a negative rating on their pages. So in effect pages you view would seem to either be highly rated or unrated. Another thing is that often these logos/ratings end up in some far corner of a page where you don't end up scrolling to, or you jump into the website on a page where the logo isn't displayed.

Could perhaps a rating system be made to operate through a browser plug-in. The plug-in would match the URL with a (regualarly updated) database stored on your computer and display the rating on the title bar or status bar. It could also provide a link that you could click on that would bring up a pop up window giving details.

This way, not only would you have assurance that a site has good privacy practices (as opposed to policies) but you would also be warned if a company doesn't and not just assume that it is unrated.

Re:The real solution

[sjames]

The plug-in would match the URL with a (regualarly updated) database stored on your computer and display the rating on the title bar or status bar. It could also provide a link that you could click on that would bring up a pop up window giving details.

That's a good idea. As an option, it could also be handled by a proxy (for NCs, set tops, and platforms/browsers that are not yet supported.

Re:The real solution

[Black+Parrot]

> The hard issue is that corporations want pure reward, with no responsibility or risk.

It seems that those sponsors who are behaving would resent the devaluation of their rating by those which aren't.

Couldn't the original system work if TRUSTe focused on those who would withdraw if they didn't play hardball, rather those who would withdraw if they did play hardball? Let the cheaters keep their money and lose their certifications -- wouldn't that make the value of the remaining certifications go up?

Or are all of the companies playing it crooked?

--
It's October 6th. Where's W2K? Over the horizon again, eh?

Superbly written article IMO

[Stormbringer]

Save this one to disk as a model for Slashdot reporting!

Scared little children...

[Psarchasm]

Why is it I hear the whining of scared little children calling to their mommies and daddies to help them feel safe again?

Truste didn't work? Fine, so be it. This doesn't mean I need mommy and daddy to make me feel safe again in this cold cruel world. Grow up! If privacy is a concern to you, change your habits. Truste failed? Then it will pay. It will become more and more meaningless to people. It will wither and die. From its compost something new will arise which may work better, thus evolution continues.

If there is a market for internet privacy authentication services then it will be filled.
Uncle scam can keep his privacy laws and efforts where they are needed, the regulating of himself.

Odd

Isn't it odd that they're now choosing to, at least potentially, take action agains Real Networks? Would Microsoft have made more of a splash? Who sells software that competes with Real Networks? Hmmm....

It's not that I like getting raped by corporations, it just makes me wonder.

Re:Odd

[Robert+S+Gormley]

Well, actually both Real and MS were both sponsors, though MS was a "Premium Corporate" and Real just a "Corportate"...

Microsoft REFUSED audit by TRUSTe

[Seth+Finkelstein]

Check out these comments by E-loan CEO Chris Larsen: Taking self-regulation to task

Earlier this year, TRUSTe received a complaint about Microsoft (MSFT: news, msgs), another member, that the software company was collecting consumers' unique personal IDs over the Internet without disclosing it to consumers. TRUSTe requested an audit of Microsoft's privacy procedures, and Microsoft refused.

TRUSTe eventually took the position that it had no authority to enforce an audit, Larsen said -- an action that shook his company's faith in self-regulation and convinced him that such voluntary initiatives were self-serving to private industry.

"(TRUSTe) took no action whatsoever to protect and reassure consumers," he said. "That was a major sign to us."
...
But according to Larsen, self-regulation may become self-defeating.

"The real goal of self-regulation has been to protect the industry from regulations," he said. But by continuing to fail consumers, he added, they have "increased the probability that regulation will happen."

Seriously .. do you actually look at the logo's?

[shri]

I for one hardly ever look at the logo's on various websites. Perhaps I am a tad bit cynical about this, but from what I can see, a company pays a certain amount of dollars and gets a logo. Besides I have an fundamental problem with any company that puts an "e" or an "i" anywhere in their name.. they're just going after the hype.

Having said that the first time I noticed TrustE was when the Real Networks hoopla was revealed. Dunno .. perhaps I would be more comfortable if one of the better known non-profit groups took over the role of safeguarding privacy.. the EFF or *shock* ACLU?

Nothing Wrong with the Goal

[A+Big+Gnu+Thrush]

There's nothing wrong with a certification that simply states that a company has a privacy policy, and that they adhere to their privacy policy. Many companies have clear privacy policies which can be understood by any intelligent reader. Apple's privacy policy isn't great, but it's clear and understandable, and it's linked from their home page. TRUSTe, if they were at all interested in privacy, could audit these statements for clarity, push for changes toward an ideal policy, and revoke status if the policy is violated.

TRUSTe is not interested in privacy, but that doesn't mean that we should give in to regulation. The government will just be a bigger version of TRUSTe. The membership fees ( bribes | contributions ) will be stiffer, and the process more byzantine and slow, but the end result will be the same.

Re:Nothing Wrong with the Goal

[reptilian]

I agree, nothing wrong with the goal.. but there is something wrong when the goal is mis-stated. TRUSTe is not interested in privacy. We know that, now. Just last night, I went to a site with the little TRUSTe seal, and thought, good, I'm safe with this site. A bit naive, I admit, but undoubtedly a common response among most netizens.

The problem is not with TRUSTe's goal, but their appearant goal to consumers. Most consumers see them as a privacy watchdog group, who won't give their seal out to sites which will violate their privacy. They don't think of them as a "policy enforcement agency" or some such. That's rather counter-intuitive to begin with.

In fact, even on their website, they don't state that as their goal. They really don't state a specific goal at all, other than "Building a web you can believe in (tm)." How general is that?

Man's unique agony as a species consists in his perpetual conflict between the desire to stand out and the need to blend in.

Gee... I'm Stunned. /sarcasm

[Kid+Zero]

Really. Wow. Another Corporation gives up its ideals for a good bottom line. Don't mess with the paying customers. I'll bet they let Real.com off easy. I don't wonder that people think the government can do a better job, after all, they don't care about bottom line.

And I don't like Gibson.

TRUSTe Watchdog Complaint #2363 (Microsoft/Spam)

[nocleverhandle]

I'm still waiting to hear from TRUSTe or Microsoft about my "TRUSTe Watchdog Complaint" filed on Oct. 14.

Earlier in the year I had requested that Microsoft not send email address in question. It took several tries before the email (newswire messages) finally stopped. Months later Microsoft's Y2K message arrived.

This appears to violate Microsoft's stated privacy policy , specifically principle #2 - Consent:

If you decide to register, you will be able to select the kinds of information you want to receive from microsoft.com by subscribing to various services, like our electronic newsletters. If you do not want microsoft.com to communicate with you about other offers regarding Microsoft products, programs, events, or services by e-mail, postal mail, or telephone, you may select the option stating that you do not wish to receive marketing messages from microsoft.com.

The text of the email itself seemed to contradict the policy, stating:

Important Customer Notification: We've sent this message to inform all Microsoft customers of critical information relating to year 2000 issues and our products. If you are subscribed to newsletters from microsoft.com, they will still be delivered. If you don't have any newsletter subscriptions, or have requested not to receive e-mail, be assured that critical notifications such as this are sent infrequently, and only as a customer service.

In other words, they reserve the right to send important messages even if you have requested not to receive them. Doesn't exactly mesh with the privacy policy, does it?

I have corresponded with TRUSTe about this issue and have had a complaint # (2363) assigned. I have not received any kind of final response, and have had no response from Microsoft.

Great Article

[mochaone]

Kudos to Jamie McCarthy. This article was well writen and researched. A touch above the usual fare served on slashdot.

Re:Great Article

[Seth+Finkelstein]

Agreed. It makes me wish I ran a mailing list, so I could forward it.

Was it libel?

[rjh]

First off, that's not a threat. If it had been a threat, it would have come from an attorney. When I read that, I see someone giving you warning that, in his opinion, you're coming dangerously close to crossing a line you can't uncross. Instead of being angry at him, I'd be thankful.

Secondly, McCandlish asserted that "[y]ou are knowingly or negligiently making provably false statements about TRUSTe with intent to harm their reputation. That's libel." Well, guess what: if that's what you were doing, that is libel, and it's wrong.

Truth is the penultimate defense in libel lawsuits; if what you write is true, then even if it's written with malice it's not libel. If you're acting in good faith, then even if you write is untrue, it's not libel. But if what you write is untrue and you're not acting in good faith, then, brother, you are in trouble and there's no way anyone's going to come to your defense.

Why is it you cited only a few excerpts from McCandlish's EMail, without citing any of your own statements to demonstrate that what you were saying wasn't untrue? The words "provably false" are, if McCandlish is correct in that they are provably false, important in that they demonstrate that what you were saying is false. The words "you are knowingly or negligiently" are, again if McCandlish is correct and you were knowingly or negligiently making these assertions, important in that it shows you don't have a good-faith defense.

You expect a public apology from a man who believes that you were acting libelously? And you expect Slashdot to rally behind you in a "damn the man!" frenzy? It's not going to happen. If you want to demonstrate that what you were saying wasn't false, or that it was based on good-faith information you possessed, then fine -- do it -- then I'll believe that McCandlish was off his rocker.

But until then, brother, all you're doing is getting ticked off because someone told you, "You're screwing up, and TRUSTe could take you to court over this and win".

Wise men pay attention when other people tell them they're screwing up. Fools cling to a tenacious belief that everything they do is right.

Warning: I am not a lawyer, and nothing in here is legal advice.

Re:Was it libel?

[Seth+Finkelstein]

Remember, EFF started TRUSTe, so it was coming from someone connected to TRUSTe's attorneys.

You can go read it all in the fight-censorship archives. It wasn't even close to libel, a REAL LAWYER (tm) spoke up and confirmed that. That wasn't e-mail, it was a public posting. The discussion said roughly what is going on right now. I didn't write a treatise, because it would be too long. Anything else?

Check me if I'm wrong, Sandy, but...

[jht]

I thought "This website works best with Microsoft Internet Explorer" was the most common symbol on the Internet. Or am I just bitter and cynical?

TRUSTe has been all but ignored since they came into existence as far as I can tell. It would be nice to see a privacy stamp with credibility - but it's not theirs. Too many 'gotchas" under their watch.

- -Josh Turiel

Elitism Vs. Egalitarians

[acaben]

I disagree. I'm tired of dealing with egalitarians. I went through 13 years in the egalitarian public school system where I was constantly thrown in groups with dumb people. Tracking? It's old fashioned and unfair. I was told that it would hurt others feelings if I went at a faster pace. Enough already. We're not all created equal. Deal with it.

If people want privacy, they'll figure out how to get it. If they can't figure it out, tough shit. It's survival of the fittest, and if you can't cut it, then you're not entitled to it. So, let's stop pretending like we're all the same.

While Gibson may be Dystopian to some, his future is at least exciting. I'd much rather live in the setting of Gibson's future than in the world of Vonnegut's Harrison Bergeron.

Junk

[leonids]

It isn't the trust of the users to blame, but that the companies abused the trust given by their customers. We download software from the net because we think it is useful and we trust that it will do something useful. Even if it does shit, we trust it does it's shit without violating that trust. But no. Stupid companies abuse the fact that more and more people are now connected to the net through a personal computer. Personal information are stored there, and these twits greedily collect the information without even asking. Why? No asking needed! Programs can do stuff without alerting us. Stuff can flow out of our modems without us realising what exactly is sent. And of course we trust that good information is being sent. These dumbheads are not only creating privacy problems, they are degrading the mutual trust we created amongst humans. Of course it all points to the readily-available internet access. What can we do about it? We can't thrash the net and thrash years of work. We can't always create new techniques to counter such retarded programs. Having layers and layers of protection will only slow down our work, and create a bunch of paranoid users. Let's openly bash these violators and show them our trust is not to be taken for granted. (I know this doesn't have to do with TRUSTe but its all boils down to our privacy isn't it)

crap stupid html formatting

[leonids]

aw fuck stupid html format sorry about the unsightly mess/rant

BBB online.

[guardian-ct]

BBB Online

The BBB privacy seal looks like it's slightly better than the Truste one, but not by much. They mention a requirement to get consent prior to transferring information for a particular use, but only if that use is NOT mentioned in the privacy policy as a possible use of individually identifiable info. There are also requirements to allow optout from 3rd party transfers, and some other good requirements. It still seems to be mainly a "enforce your privacy policy" requirement.

They've got a BBB child privacy seal, which is basically the same as the adult one, with the addition of requiring a parental consent when acquiring/transferring/using information about a child.

So, it looks like the BBB privacy seal is nearly the same as the truste one. As someone else mentioned, follow the revenue stream to the source, and you'll probably be able to figure out how strong the enforcement procedures are.

In the above "how strong" info, a "respondent" is a business.
As of June 30, 1999, there were 4 complaints, 3 were ineligible for various reasons, and 1 was resolved after the "complainant" contacted the BBB. No cases had been "decided".

The strangest one that was ineligible, was declared ineligible because the business's web-site did not have a privacy policy.

So far, none of the industry-funded "privacy" initiatives seems to have any likelihood to protect consumer privacy. They're still in the "enforce your privacy policy" stage.

There's got to be a consumer-funded privacy initiative somewhere.

Argh, damn enter key.

[greerga]

Anyway, the list is missing an alternative.

CPA WebTrust

You get audited quarterly and have to pay for the audit. CPA's are expensive.

Sammie's interested... TRUSTme

[Nehemiah+S.]

Before you call UNcle Sam disinterested, recognize that if a government has the power to ensure privacy, it has the power to take it away.

The first law of bureaucracy states that bureaucratic entities expand their powers to the maximum carrying capacity of the organization they control. By stating this law in the form of a single proposition and applying it to the government of a society by a bureaucratic government, and then taking the limit to infinity, we easily see that entrusting the government with any power eventually results in conceding to them complete power- and thus complete forfeiture of individual control. Thus if you concede to the government the power to protect privacy, you will eventually lose ALL privacy. It may take generations, or at least many years, but it will happen.

I value my privacy, and I am sure that you do as well. Because of this, I think it is safe to assume that this is not a solution any of us would like to see implemented. What, then, is to be done about gross offenders such as Intel and Real Audio? If we don't enact stifling restrictions like the EU 'privacy' laws, who will protect us from these wild beasts, the darker side of capitalism?

I say we can protect ourselves. We are in control here- no matter what the fool propagandists tell you, it is the individual consumers who make the leviathans like Intel able to put id's on their chips. Without a continuous revenue stream, corporations die. No matter how large, no matter how entrenched. The one thing corporations value is your dollar bills. The solution is so incredibly simple... Because capitalism works. Because if Real Audio is really afraid that people will take issue with their inclusion of monitoring software, there is no way in hell that they will include it- unless they receive more net profit through the addition than without it.

I will never buy an Intel processor. I will never own a copy of any Real Networks software. I have already taken steps to ensure that no one at my location will have Real Networks software installed (3000+ seats) because of the security concerns involved; hopefully we will be buying Athlon processors with our future workstations as well. If a few million other people do the same, then every future PHB who looks at a software algorithm for approval will shudder at the thought of infringing upon my privacy and yours.

Scudder

Re:Sammie's interested... TRUSTme

[jd]

Imagine a company, a large company. Say one worth a few hundred billion dollars. Now, let's say that they put a billion or so of that into a high-yield investment fund, say giving them 10% interest.

That gives them 100 million dollars -interest-, as play-money, per year. Easily enough to keep said company afloat, even if they never sold another product to the consumer.

Now, let's say that consumers rebelled, and refused to buy any products from that company. It is STILL making money, though, off it's interest alone, and still makes a lot of money, selling to OEM's.

In the end, if NOBODY on the face of the planet ever used a product from that company, ever again, it could STILL afford to sneer in your face, and STILL have the money to control what software and hardware is produced by who.

Face it. We are peons. Nothings. Insignificant specks of dust, to Microsoft. And even if you gathered all those specks of dust into one place, you'd STILL have nothing more than specks of dust. No great "almighty" power, no Goliath, wielding a +5 Credit Card of Destruction. Bill Gates and Microsoft can affoed to weld the gates to Redmond shut, and Microsoft would still grow faster than any other company in America.

The golden rule of capitalism is that whoever has the gold makes the rules. And Microsoft has all the gold there is. Capitalism cannot fight Capitalism, any more than a fire can put out a fire.

Re:Sammie's interested... TRUSTme

>The golden rule of capitalism is that whoever has the gold makes the
>rules. And Microsoft has all the gold there is. Capitalism cannot fight
>Capitalism, any more than a fire can put out a fire.

Hey, I can get into dystopic gloom and doom rage against the machine as much as anyone, but it is a telling point that your final analogy is incorrect - firefighters use cross- and counter-burning as primary weapons when battling forest fires. Fire (well-placed and managed) can put out fire!

Re:Stanton McCandlish, TRUSTe, libel lawsuit threa

That sounds more like a warning than a threat.

Frankly I don't care...

[0xA]

This whole Real Networks thing bothers the hell out of me. I really don't like what they're doing but to be honest I'm not really worried about it.

I looked long and hard and frankly the amount of information they could get off of my machine is minimal. They could get my name, my address and maybe my phone number.

What exactly are they going to do with this? Sell it to other companies? Who cares?

No, I don't like spam. I get all sorts of crap, but its' more of a problem with my regular old mail than it is with my e-mail. I haven't subscribed to a magazine in years just because of this.

If you have information you don't want someone to have access to, don't put it in a place they can get it. I have a cable modem, I'm always connected, so that machine is a public node as far as I'm concerned. I make a point of keeping anything I consider sensitive (don't want people knowing how boring I am) off of that machine. This is the same reason most really sensitive military computers are supposed to be isolated from the public network.

As far a Real Networks goes, this is just one more reason not to install their bloated, crappy software. Yippee!

How about DoSing registration servers?

One could write a programm that registers 50 users/sec. consisting of sense-making random data. If "some" of the privacy-aware users in the world would run it, they would probably have problems.

We lost the war years ago.

[RISCy+Business]

TRUSTe is about as trustworthy as any corporate-owned scumbag lawyer.

TRUSTe does not act in ways that would benefit consumers because that would cost it it's funding. TRUSTe knows this. The EFF knows this. TRUSTe is a dismal failure. Self-regulation in a corporate-driven world is impossible, period. Why?

Because why the hell would you want to give up your biggest source of additional revenue? In today's world, information has a value - especially customer information. If they can send you junkmail till the cows come home that might land them a few extra dollars in business, then you better believe they'll do it. Conversely, they don't want to waste a couple thousand dollars mailing people who don't care either way about their products and will probably just throw it out.

Privacy on the internet? Bah - once you sign up with an untrustworthy ISP, you're already screwed. My ISP back home has very strict policies reguarding privacy. Namely - you get it. They have never sold customer information, they keep minimal customer information, they track no browsing, and send all spammers requesting email lists straight to hell.

A hype-driven company with a couple billion in market cap and no real revenue can't do that. They need money. So they sell out their first customers. So it's just a few at first. But then more and more sign up, and they're getting more and more for customer information. Hey, look, a nice secondary source of revenue. Screw the customer's privacy - we need the operating costs covered.

So, so what if you haven't given a company your personal infromation? You can still be tracked. Cookies. Static IPs. Intel's PSN which really cannot be turned off (independent tests have revealed that the pIII Personal Serial Number can *NOT* be turned off, either by Intel's software or 3rd party software. I recommend NOT buying a pIII.) and is easily obtained and tracked over the web. Gee, Intel's empowering the Internet to watch you and make money off your time. Where's my cut? Oh, wait, I don't get a cut! I'm supposed to just let these people make as much as *$3* *PER* *CUSTOMER* *RECORD* because they're providing me with some service of some sort. Uh. Right.

Of course this is different for every company, yadda yadda, YMMV. But that's how it is, and that's how it's going to stay. The government is driven by interest groups, who's interests lie in making money any way they can generally. It's not in their best interests to protect our privacy. The government doesn't want to protect our privacy - just look at Mosaic[1] - because they don't want "dangerous" people running around. Right. So the government can determine that I'm dangerous because I listen to a lot of industrial and techno.

Privacy was a thing of the past, maybe. Either way, it's a pipe dream. Echelon is real - Iran Contra, Nixon, Jimmy Hoffa, Waco, CIA, NSA, FBI, DOJ! - and privacy simply isn't. And we'll never see real privacy. Why? Because nobody except the end-users want it, and since when have end-users actually gotten what they wanted?

I say we just give up the regulation fight, and start getting hostile. Screw the sites that collect information and resell it. Screw the companies that do the same. Get the laws on our side - violation of privacy is illegal afterall - and take out these scumbags the hard way. That's the only way anything'll ever get done. But rest assured the government will intervene and say that it's perfectly legal, or rush through some legislation that makes it legal... *sigh* nice world we live in, huh? Maybe I should just go back to bed.

[1] Am I the only person on Earth who realizes that Mosaic is a trademark, originally owned by Spry - who was purchased by Compuserve - who was purchased by AOL, and is more than likely still valid? (The trademark was filed in the late 80's or early 90's more than likely, and definitely has been enforced since it's filing.) Of course, this is going off my memory, it's only 10:30, and I didn't get much sleep last night. But my memory generally serves correctly. Somebody wanna pester AOL so we can shaft these 'find the troubled kids' punks?

Re:We lost the war years ago.

"Violation of privacy is illegal"? Show me the law! In the US, the supreme court read an implicit right to privacy into our Constitution, but that's only useful against infringement by the government.

Re:TRUSTe Watchdog Complaint #2363 (Microsoft/Spam

[Kintanon]

I have corresponded with TRUSTe about this issue and have had a complaint # (2363) assigned. I have not received any kind of final response, and have had no response from Microsoft.



You may be interested in joining a class action suit against microsoft. If so then e-mail Sleffer@home.com
At this moment I have one of the most succesful Class action lawyers in the country looking into my options for a class action against MS, feel free to e-mail me if you wish to join.

Kintanon

If you're going to be pedantic about numbers

[Another+MacHack]

Secondly, negative zero is the same as positive zero, is the same as zero squared, is the same as zero multiplied by infiniy. I understand the point being made, but if a point's worth making, it's worth making without being dressed up to look more than it really is.

"infinity" isn't a number in any system in which people who aren't at least senior math majors do arithmetic, so "zero multiplied by infinity" doesn't have any real meaning unless you specify the number system you're using as one that includes infinity. lim(x->inf) 0*x = 0, sure, but that's not quite what you said. So, if you're going to call someone else on it...

I'm 70 yo, earn $40millions/year and am a woman,

[Nicolas+MONNET]

live in Zimbabwe (bottommost choice, pure chance!), am interested in fishing, football, knotting, and cooking, and my email address is fuck@you.
At least that what I claim everytime I have to register to some website.
Let's all be REGISTRATION denizens!

Privacy: No value==No protection

[ElitistWhiner]

I have been intimately involved in privacy wrt: US Banking and Voting online. There is no business case to protect privacy in the corporate view. People of their own free will exchange privacy for access, discounts, rewards and membership. Most of these transactions serve only the legal requirement of acquiescence and are of little economic value. There are no successful business models which prove people will *pay* for privacy. Contrary to popular myth the Constitution does not grant a right to privacy.

Truste is what people expect, albeit insufficient and the same value as a GreenStamp.

Exposing the Why behind this debacle

[Effugas]

The RealNetworks incident is bringing up the need for legislation. Such legislation arguably already exists(I'm sure RN's behavior can qualify as a form of Wire Fraud), but it's not really necessary.

The industry can police itself, if it's willing to do so. It merely needs what the government has traditionally provided: Cost.

In economic terms, TrustE could have been predicted to be irrelevant. Consider: Online organizations are almost always desperate for new lines of revenue, due to their ridiculously overstated stock valuations. (In the criminology world, that's called motive.) They're also tied to the hip to advertisers, who are often their primary source of income. (In walks Opportunity.) Aggregation of mass quantities of identifiable information, continually up to date and temporarily difficult to obtain elsewhere, proposes an attractive source of money for companies like RealNetworks.

However, the lack of a direct money trail doesn't immediately, necessarily, or even probably exonerate RealNetworks. It is more than likely that more than a few large media companies agreed to work with RealNetworks in return for "under the table" statistics on the spread(and contraction) of MP3s per Server per State/College/User. Situations like this are perfect for creating plausable deniability, and considering the strength of the Microsoft threat against RealNetworks(nothing short of total annihilation!), it wouldn't be surprising at all if RealNetworks felt blackmailed into violating their customers in such an obscene manner.

But then, Blackmail usually implies risk v. risk calculations--in other words, RealNetworks had to feel that they'd experience some tremendous loss by favoring their corporate partners above the trust of their customers. Thus the genius of sponsoring TrustE. TrustE was practically made-to-order for corporations--whatever the privacy policy happened to say was OK by them, and since they were dependant on the very companies they were supposed to attack for their very existence, the organization was forced to bend over backwards to avoid conflict with their sponsors.

As I argued in this post, privacy policies can be twisted to say anything, and not obviously at that. Truly an ideal situation for companies like RealNetworks.

Add in the fact that the same companies who would demand privacy violations are those same companies who could get glowing stories of new privacy protections being quickly implemented, which of course had a nice +25% impact on stock price(ooh, even more ridiculous stock valuation!) when it finally happened, took what should have been a blackmail situation and converted it into a beautiful example of a Win/Win, with the public absorbing the cost.

But why? In the covert war against MP3, intelligence and co-option is everything. RealNetworks placing itself as the source for (much lower quality 96kbps) MP3s gives them the ability to control who encodes what, using which standard, and reporting back the ever valuable percentage of the population complying.

After all, knowing when to lower the boom on non-compliant MP3s, mainly by releasing players that suddenly refuse to play the finally-rare noncompliant MP3, is completely tied to knowing how many people are in violation.

So the strategy is exposed. The question is, what could have been done in advance to prevent such a situation? Legislation isn't necessarily the answer; laws aren't really that much more than a societally enforced contract with the government. Weak laws(which we already have in abundance) wouldn't have prevented this plan from going into effect.

The simple answer is that TrustE needs to make money for busting violators. Possibly that means a bounty system, paid by a FTC fund. However it works, right now TrustE makes money by pleasing its sponsors.

That not only has to change--it's going to.

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Re:TRUSTe Watchdog Complaint #2363 (Microsoft/Spam

[Mr.+Slippery]

Earlier in the year I had requested that Microsoft not send email address in question. It took several tries before the email (newswire messages) finally stopped. Months later Microsoft's Y2K message arrived.

This appears to violate Microsoft's stated privacy policy , specifically principle #2 - Consent:...

IANAL, but I have to wonder if this isn't actionable in some way. Sounds like it would be breach of contract, or false advertising.

While it wouldn't be worthwhile for an individual to sue, maybe class-action suits against sites that violate their own privacy statements would serve to inject some cluefulness into these corporate behemoths.

You missed one: TrustE and eBay.

[seebs]

eBay posted a "we will never spam you or share your address with third parties" privacy policy.

They gave a list of "inactive" customers to a third party, and spammed them all with a "look how cool our site is" message.

TrustE has not yanked their logo.

(More details available upon request, or read discussion in news.admin.net-abuse.email.)

Privacy vs Anonymity

[SlydeRule]

the privacy in the cyberpunk world is completely in the hands of the individual. Basically, if you care enough about anonymity and have sufficient skills, you will make yourself anonymous.

Privacy and anonymity are two different things. You can have both, neither, or either without the other.

Your medical records are not anonymous, but they are private.

A /. posting by an AC is anonymous, but not private. In this case, the lack of privacy is voluntary (and desired).

Spam-mail is one example of your privacy being invaded by someone who doesn't know (and doesn't even care) who you are.

Your personal privacy can even be violated publically by someone else while retaining your anonymity intact. An example of this is the growing trade in hidden-camera and upskirt videos. See, for example, this article in Salon Magazine.

Relying on anonymity is a poor second-best to having your privacy respected.

Money + Internet == EVIL

Need I say more? Ok... I want to see real networks burn. The only way to stop these companies, is to litigate one of them into oblivion. They fear nothing else and have no moral perogative whatsoever. Burn real networks into oblivion and watch how quickly the rest of these motherfuckers fall into line. There is no other way. Attacks on privacy have gone unhindered and has left these co's feeling invincible. It's time to shatter this illusion. Lets start with Real Networks. I won't miss them. And then as an added bonus, maybe a non-raping audio standard will fill the smoking hole RN has left. Lets not tolerate this anymore! If we all scream bloody murder for long enough, Real Networks will burn. Companies bully us around because we never show backbone. Like a neihborhood bully who tormented you right up to the day you planted your foot up his ass. We *have muscle*. It's time to show it..It's time to kick some ass and show these corporate fuckers what happens when they let the genie out of the bottle. I'm fucking pissed!

Re:Money + Internet == EVIL

Our only "muscle" is our influence with our friends and cow-orkers, and since Real is targeting Joe Sixpack more than J.Random Suit, that'll be even less effective than usual. What else can we do that'll make Real cut this out? Are you advocating terrorism or something?

You are mistaken

It seems to me that privacy is a pretty desirable thing among most Internet users.

If it was, Real, Microcrap, and others would feel the bite of consumer boycott, no AAA needed. Consumers are cattle who deserve what they get.

Yep. Dead. Right up with ASE cert for auto repair.

Every autoshop that ever ripped me off has ASE cert for all their mechanics. I logged complaints. Nothing chaned. No one's cert was pulled. What's the point of a certification body if no one enforces the rules?

First Amendment + Miranda Case = Right to Privacy

[The+Other+White+Meat]

> "Contrary to popular myth the Constitution does not grant a right to privacy."

Actually, Constitutional Law combined with Case Law (Miranda case) makes a strong argument for the right to privacy.

The First Amendment grants people the freedom of speech.

The Miranda Case grants people the right to remain silent.

It seems to me that:

The right to speak with those you wish to speak
+ The right to remain silent with those you do not wish to speak
= Right to Privacy

I'll start embedding your userid into my Word docs

And when the police come to your door and use the userid as "proof" that you authored the macrovirus I wrote (tee hee!) as sufficient cause to arrest you, I guess you'll have no problem with that, right?

The problem with deliberately building any sort of tracking ability into software is that anyone can easily manipulate it to implicate anyone else. And if it's this broken from day one, then relying on it for any sort of legal action is pure fallacy and utterly ludicrous. It creates more problems than it solves.

Here's a quick fix to solve Real's snooping

[root]

$ whois real.com

Registrant:
Progressive Networks, Inc (REAL7-DOM)
[...]

$ whois "progressive networks"@arin.net

PROGRESSIVE NETWORKS (NETBLK-CW-204-71-154) CW-204-71-154 204.71.154.0 - 204.71.154.255
PROGRESSIVE NETWORKS (NETBLK-CW-208-147-88) CW-208-147-88 208.147.88.0 - 208.147.88.255
PROGRESSIVE NETWORKS (NETBLK-CW-208-147-89) CW-208-147-89 208.147.89.0 - 208.147.95.255
Progressive Networks (ASN-PROGNET) PROGNET 5054 Progressive Networks, Inc (REAL7-DOM) (NETBLK-ABOVE-REAL) ABOVE-REAL 209.66.98.16 - 209.66.98.23
[...]

$ ipchains -A output -d 204.71.154.0/24 -j DENY
$ ipchains -A output -d 208.147.88.0/24 -j DENY
$ ipchains -A output -d 208.147.89.0/24 -j DENY
$ ipchains -A output -d 209.66.98.16/255.255.255.232 -j DENY

$ echo All is well.

This quietly blocks all packets bound for any of Real's IP subnets. Snooped info about you being fired off to Real's servers is quietly dropped on the floor. No error message. No explicit packet rejections to scare the Real Player. The software will assume simple internet problems are the cause. Although, I assume it wouldn't report an error to the user anyway. I mean, what's it gonna say? "Alert! Unable to spy on you. [RETRY NOW] [TRY AGAIN LATER]"? Yeah, right. If you want to see the snoop attempts show up in /var/log/messages, append a -l to the above commands. This also disables the annoying "you need to upgrade your player now!" messages since it can no longer check. This works for my linux box and for the Win98 machine (since it gateways through the linux box).

Re:Trust-e selling demographic info? Hmm?

ACE has to protect it's bottom line, which is to make money. I imagine, consumer protection was
dropped entirely from the equation a long time
ago.

Look at United Way. United way, the "charity" with multimillionaire management. I imagine helping
the poor was dropped from the equation a long
time ago.

TRUST-e. Now brags about their "page impressions"
and could care less about any privacy issues that
interferes with the cash stream flowing in from
privacy-attacking companies. Privacy was dropped
from the equation entirely.


See a trend? Can we ever trust for-profit advocacy groups? Any that I've ever seen have eventually
joined sides with whatever dark-force they were
supposed to be protecting people against.
Trust-e is simply another bait and switch in
the "protection" industry, whose sole purpose
is to make lots and lots of money and nothing
else.
Someone please tell me Trust-e has sold
demogrphic info. That would seal this issue
once and for all.

Sorry about the formatting. What I type in this
box never looks like what ends up on the page.
I suspect there's some hidden formatting tags that are getting moved around.
I can't see them... so *shrug*.

Who needs Truste?

[Tutskcerrub]

Truste definitely doesn't work to well, but I'm still vehemently opposed to someone bringing in federal regulation. It's very easy to preserve your privacy online, as long as you pay attention.

First of all, if you are asked for a required address, and you're not ordering a product to be mailed to you, your adress is "123 FakeAddress Dr."

If, on the other hand, you are ordering something online, read the freakin' privacy agreement. I've read them, and they aren't that hard to understand. Also, the parts about selling your personal information are almost always clearly labeled.

The simple fact of the matter is that asking the government to step in simply because you are lazy is hypocritical and unfair to others. Government regulation is designed for lazy people, so if you want freedom online, you have to work for it. You can't have your cake and eat it too. Personally, I'm willing to spend an extra five minutes of my time reading an agreement if it means keeping the government out of the one remaining bastion of free speech and capitalism in the world.

Lobbyocracy

Damnit, I was going to cut and paste some of your
text but the formatting got fscked after getting
digested by this little box.

Anyway, one thing you have missed is that
deep-pocket organizations are the government .

The Lobby makes the laws. The Lobby is what
runs this country. whose in the lobby? Guess
who! (*hint* it's not me and you.)

Corporations trade members of our governemt
like Pokeman cards. He who has the most money, gets the "rares".

What to do? Seperate the two just like church
and State. If this doesn't happen, all is lost.

Re:Lobbyocracy

One more thing...DMV sells information without consent to whoever is paying.

Press release is out... Guess what they said?

[ratchet69]

There is a press release, dated November 8, 1999 (today) at http://www.truste.org/about/about_s oftware.html

Here's a quote:
"After an initial inquiry, TRUSTe found that because the transmission of user data through RealNetworks' RealJukebox program did not involve collection of data on the RealNetworks Web site, the privacy incident was outside of the scope of TRUSTe's current privacy seal program," said Lori Fena, TRUSTe's Chairman.

I'm kinda gettin a case of Deja-Vu...

Ok, time to defend M$ for a change

[jmorris42]

I don't really see a problem with the described incident. I see a Y2K warning as on a par with a Product Recall Notice or similar "Important Notice" that a good argument can be made for disiminating as widely as possible to every customer on file. If for no other reason than self defense against the lawsuits likely to let fly next year.

Not a lot of pure Black & White in the real world, and this is one of those grey areas. Now if I had dropped a subscription to their mailing lists and got a pitch for W2K I'd be pissed.

Damn, I feel icky after defending M$... better go take another shower now.

Re:Ok, time to defend M$ for a change

[seebs]

Doesn't matter what it is, it's spam, and they sent it to people who had told them never to send *any* email to them again.

Sorry, but:

1. You always get to say "go away", and mean it.

2. You never, ever, get to send bulk unsolicited messages.

MS was wrong on two counts, and the first one was a violation of their privacy policy.

Press Release: TRUSTe and RealNetworks Collaborate

[DocJohn]

From http://www.truste.org/about/about_software.html:

For Immediate Release

Contact Information:

Dave Steer
Director of Communications
TRUSTe
408/342-1943
415.260.9669 (mobile)

TRUSTe & REALNETWORKS COLLABORATE TO CLOSE PRIVACY GAP

Pilot Privacy Seal Program for Software Applications Initiated

Cupertino, CA, November 8, 1999 - TRUSTe, the leading online privacy seal program, today announced that it is expanding its commitment to supporting consumer trust and confidence in a networked environment. The recent incident involving RealNetworks prompted a broad set of solutions for addressing consumer concerns about personally identifiable information.

Today's announcement follows reports that RealNetworks' RealJukebox product transmitted globally unique identifiers (GUID) to RealNetworks via the Internet. In response, TRUSTe immediately sought to uncover the nature of the reported data collection practice and gauge the scope of the RealNetworks situation.

"After an initial inquiry, TRUSTe found that because the transmission of user data through RealNetworks' RealJukebox program did not involve collection of data on the RealNetworks Web site, the privacy incident was outside of the scope of TRUSTe's current privacy seal program," said Lori Fena, TRUSTe's Chairman. "However, because consumer trust is more important than legal technicalities for both TRUSTe and RealNetworks, we have worked together to find a series of appropriate solutions."

"RealNetworks recognizes the importance of protecting consumer privacy, and apologized to its customers for not being clear enough about the data being transmitted by the use of RealJukebox. Issues associated with use of GUIDs in consumer software products should be of concern to the entire Web community," added Bob Lewin, Executive Director of TRUSTe. "That said, TRUSTe recommended a 5-point program to RealNetworks for restoring the trust and confidence of its customers."

RealNetworks, working closely with TRUSTe, will implement a series of changes to its current privacy practices. Beginning immediately, RealNetworks will:

Conduct Third Party Audit - RealNetworks has agreed to conduct an outside audit of its privacy practices to ensure that privacy issues raised regarding RealJukebox have been resolved. In particular, the audit will verify that RealJukebox GUIDs have been disabled and are no longer associated with email or other registration data. TRUSTe and one of the major auditing firms familiar with the fair information requirements of TRUSTe's program will conduct the audit. A report will be issued upon the conclusion of the audit process.
Privacy Statement - The Web privacy statement that has been certified by TRUSTe will be modified to inform consumers that the audit described above is underway.
Opt-In - RealNetworks has already announced that it has disabled GUIDs in RealJukebox, and beginning with today's release of RealPlayer 7, RealNetworks will anonymize GUIDs and require consumers to opt-in to enable the use of this feature.
Privacy Officer - RealNetworks will identify a key privacy officer who is responsible for handling the company's privacy practices and policies, customer privacy complaints, and who will serve as a liaison to TRUSTe.
Consumer Education - RealNetworks will collaborate with TRUSTe to identify consumer education programs relating to Internet privacy. These programs include educational forums, Web sites, and other communications activities aimed at educating consumers about privacy issues on the Internet.
Rob Glaser, Chairman and CEO of RealNetworks, said, "Our customers care a great deal about privacy issues. We want to demonstrate that we value the trust of our customers by playing a leadership role in moving the software industry to the next level of privacy protection for consumers. What we found through this process is that it is imperative for senior management of a company to be active in communicating the importance of consumer privacy and trust through the design and development of their products and services. We are committed to working with TRUSTe to demonstrate a new standard for personal information practices in software applications."

Beginning immediately, RealNetworks will work with TRUSTe to verify the application of fair information practices in its consumer software products that transmit GUIDs and other data via the Internet. Under the direction of TRUSTe, RealNetworks will establish the first-ever software privacy statement, clearly disclosing what personally identifiable information is collected and how that information is used. TRUSTe will also establish a working group comprised of experts from within and outside of the software and Internet industry to advise the organization on how to best extend its privacy seal program.

"As the line between data collected on Web sites and the rest of network software applications has become blurred, TRUSTe recognizes the need to expand its program to the greater network," said Lewin. "Just as we did more than two years ago with our Web site privacy seal program, TRUSTe will begin working to establish a seal program with oversight on software privacy practices that utilize personal data."

About TRUSTe

TRUSTe, the leading privacy seal program, is an independent organization dedicated to building consumer trust and confidence in individual data practices. The TRUSTe network of participating companies include: America Online, Compaq, Ernst & Young, Excite, IBM, Intel, Microsoft, and Novell.

Founded in 1997, TRUSTe is the premier privacy seal program worldwide. The TRUSTe seal is currently displayed on all the Internet's portal sites, 15 of the top 20 sites and approximately half of the top 100 sites. TRUSTe was recently rated the most visible symbol on the Internet by Nielsen//NetRatings.

TRUSTe is based in Cupertino, CA, with an office in Washington, D.C. For more information, please visit the organization's Web site at www.truste.org.

If you really want privacy regulation

[stang]

If you really want privacy regulation, start attaching the online privacy of selected government officials.

Remeber the Thomas hearings? Someone went and dug up his old video store rental records. *Very* shortly after that, it became a crime to release/publish video store records.

How long do you think it would take to get some reasonable privacy regulation if the community started posting the personal e-mail accounts, surfing habits (via some DoubleClick info, perhaps?), and online purchasing history of every member of Congress? And their family?

Re:If you really want privacy regulation

[stang]

start attaching the online privacy

Uh, make that attacking

Remeber the Thomas hearings

Remember, as in "Remember to spell-check those posts!"

Re:If you really want privacy regulation

Oh boy...Can you imagine how
valuable a target these politicians would make
for the tracking companies? Wonder how often
they sell the dirt to the press.

Monday: Highly visible congressman visits his
favorite porn sites, afterwords his son dl's
some mp3's and warez.

Tuesday: Double-Click and Barnes/Noble do a routine trade of demographic info to reconstruct a complete profile of their users, linking the
information to personal names, adresses, phone numbers, income, sites visited, etc.

Wednesday: While our congressman eats his breakfast, 100+ pages of detailed personal information, which includes but is not limited to:

-prescription purchases made online

-Highly controversial "anonymous" comments he'd posted to discussion boards,

-his wife's complete surfing history investigating her inorgasmia

-his "secret" chat session with *cough*..that special someone

-credit card number

....cirulates it's way around the globe, being
purchased by *anybody* who has the cash.


Later that month...

Congressman's terribly sensitive info is now in possesion by well
over a thousand unknown entities. It takes
just one of them to recognize the congressman's
name amidst the rest of the poor SOB's and then...

This is happening to *everybody*. Nobody is excluded. The hurt, damage, humiliation is universal. The only reason it's gone on so long, is that most are cluesless to what has been going on behind their backs. I've been telling people this until blue in the face for *years* but nobody cares. It's tragic on how utterly stupid and passive people have been over this problem.

Things like this make me question the intelligence of the human race. Seeing mass stupidity on such a scale is frightening. Do we have much more time left? Onward naive surfers!


note to the Cmdr:

this editor...well I think it needs a little work.
It's making everyones posts look rough and sloppy.
I'm guessing you have developed the editing page
with a much larger monitor than you users.

Roadkill...

Is often found in the center of the road.
Fence sitting is a technique mastered by those
whose motivations aren't the issues themselves.
Of course, sitting in the middle doubles one's
sample size when looking for the deepest pockets
too. Also why our political parties in the
US seem to agree on the the same stuff during
election time.
Your idea is basically a petri dish for
corruption.

Self Regulation... Of What?

[sklein]

So this self regulation experiment failed. But what was regulating itself? Was the internet regulating itself? As I understand it, no. Business was (failing to) regulate itself. This isn't surprising. Witness MS vs DOJ. The involvment of the net isn't significant.

In short, this is just another case requiring government action to force business to treat citizens decently.

sklein

There are legal issues

[the+red+pen]

You are correct that whining about the world being a cruel place is childish, but that's not the point.

TRUSTe certifications are backed by accountant's signatures on opinions (there are technical teams that work for these accountants to validate the opinion). If an accountant signs a fraudulent opinion they are guilty of the same crime that a doctor commits if he or she performs the wrong operation: malpractice. That's why "Big 5 accounting firms" are involved in TRUSTe -- because their statements give TRUSTe the weight of authority.

Doctors are certified to perform medicine, lawyers are certified to give opinions and accountants are certified to attest to things. If the quality of these certifications are not legally enforced, then they are pointless. Competant lawyers and accountants are not just filling a "market need", they provide needed infrastructure for the world net junkies like you have come to rely on.

What a load of tripe!

[Captain+Sarcastic]

"After an initial inquiry, TRUSTe found that because the transmission of user data through RealNetworks' RealJukebox program did not involve collection of data on the RealNetworks Web site, the privacy incident was outside of the scope of TRUSTe's current privacy seal program"...

This is first-rate B.S.! TRUSTe has just defaulted on its commitment to privacy!

It doesn't matter.

[bumbobway]

If everyone fills out their realnetworks registration like I do they won't get raped by the realnetworks spam. First Name: Bob Last Name: Johnson email: Bob@Johnson.com X : send me crappy email on from the losers at Real networks. Plus it really won't matter in 2 years, when realaudio format is totally replaced by better mpeg encoding.

Bzzt. Wrong

[Robert+S+Gormley]

It's Pamela Anderson!

With or without Tommy *shiver*

TRUSTe and the Big Lie

[chip+rosenthal]

Folks familiar with the history Jamie recounted knew that TRUSTe was going to weasel out on this one. Still, their audacity is shocking.

TRUSTe declared the privacy violation "did not involve collection of data on the RealNetworks Web site" and so washed their hands of the whole sordid deal. Well, not so fast there, buster. TRUSTe is correct that the GUID -- a unique identifying number -- was transmitted by application software. The most intrusive danger, however, is that Real would correlate the GUID against user registration information. And user registration information is gathered -- you guessed it! -- on the RealNetworks Web site.

TRUSTe cannot be trusted to safeguard our privacy. In fact, TRUSTe may be the largest barrier the industry has created in the fight for consumer privacy.

Never heard of them

[Pariah]

I've never heard of TRUSTe, and judging from what I read here, I haven't missed anything. Even the most blantant, outright abuses go unpunished. Not that I expect TRUSTe to have the power to punish a company, but at least remove the TRUSTe seal from their web page. As it is now, I truly wonder if there's ANYTHING a company could do to convince TRUSTe to refuse them a TRUSTe mark. So far, nothing. It's a meaningless rubber stamp, present on any web page which wants it, with no bearing at all on privacy.

Caring about something != terrorism

Terrorism? Fuck no. Email your representatives, speak about these issues on public forums. Make yourself heard.

application for Trust-e seal

[harhar]

Dear Trust-e,

I respectfully request the address of the payola point. With said address, I can send you a large donation & gain your little privacy seal without really giving the marks any privacy at all.

If we get caught, I believe that the amount paid to you should be enough that you really would not do anything to the company at all. Agreed?

"Got off on a technicality"

[Black+Parrot]

> (Update: 11/08 02:55: Real got off on a technicality: "because the transmission of user data ... did not involve collection of data on the RealNetworks Web site, the privacy incident was outside of the scope of TRUSTe's current privacy seal program.")

Technically correct, but indicative of how worthless the badge is in practice.

We need to start putting a parody badge on our own web pages, TRUSTMe.

--
It's October 6th. Where's W2K? Over the horizon again, eh?

Re:TRUSTe has paved the way for gov't privacy mand

[bnenning]

This would be the same Uncle Sam that created Echelon, the most secretive, wide ranging, illegal, and unconstitutional surveillance scheme in history? At least RealPlayer was free; the NSA takes our money and uses it to spy on us. Between a corrupt corporation and a corrupt government, I'll take my chances with the corporation.

TRUSTe Irrelevant; Full Disclosure For All Progs

[hanway]

While I'm disappointed that TRUSTe has defined their scope to be very narrowly focused on web pages, that's all they've ever claimed to be. What we really need isn't validation of web sites, it's validation of any software application, especially ones that don't obviously have anything to do with the web.

We're now at the point where internet connections are common enough and alternative payment methods like banner ads in non-browser software are starting to catch on, and that means that every software application really needs to come with a full disclosure of what conditions, if any, will cause it to establish a network connection, what data will be sent, and what will be done with the data after it is uploaded. As much as I normally loathe regulation, this is one that should be enforced by law. For 95% of the software out there, the disclosure would be pretty simple: none. For most of the remainder, the answer is still pretty simple, e.g. "FooMail sends and receives email messages at periodic intervals under control of the user". The remainder is what we need to watch out for, e.g. "InnocentJukeBox scans your hard drive for new, non-copy-protected MP3 files and sends a list of new additions to www.riaa.com every time an internet connection is established."

The disclosure could even be vague, like "Word2002 periodically uploads personal data and usage patterns to microsoft.com" but who in their right mind would consent to use an application like that?

Unfortunately, I doubt that enough people give a damn. Real Networks stock seems to be up following a new web site launch, now that the privacy issue has exceeded the attention span of the media.

Re:First Amendment + Miranda Case Privacy right

Maybe, just maybe the fourth amendment (right against unreasonable search & seizure), but that only applies to the government, sorta. The Supreme Court has been gutting the fourth amendment since they put the conservatives on it, can't let criminals get away with privacy in their own car or let homosexuals get away with privacy in their own house if they were foolish enough to leave the curtains parted .5" in a state that outlaws gay sex, to cite two relatively recent decisions. Now their's talk on the Hill to pass legislation saying that the police no longer have to read you your Maranda rights! One of the kickers is a Senator's comment that, "Everyone's seen cops on TV read the Maranda rights so there's no need to require them to do it." Yeah, having some difficulty separating reality from fantasy Senator?

Excellent idea!!

I, for one, am going to do that right now!!

Atguard ?

[Suit]

I would like to know this as well !

Atguard may have done the job, http://www.atguard.com , but has just been bought by Symantec.

Can anyone help with this ?

Cheers

Re:Yep. Dead. Right up with ASE cert for auto repa

I thought ASE certified that a mechanic is competent, not honest.

Re:I'll start embedding your userid into my Word d

[Fastolfe]

And when the police come to your door and use the userid as "proof" that you authored the macrovirus I wrote (tee hee!) as sufficient cause to arrest you, I guess you'll have no problem with that, right?

I don't believe this was cause to arrest. I think they questioned him and he confessed to writing the virus.

Information like this wouldn't be classified as hard evidence for precisely the reasons you state, but it DOES help to point law enforcement in the right direction. If it ends up being forged, law enforcement loses nothing except a bit of time following a bad lead.

Re:I'll start embedding your userid into my Word d

[Fastolfe]

And when the police come to your door and use the userid as "proof" that you authored the macrovirus I wrote (tee hee!) as sufficient cause to arrest you, I guess you'll have no problem with that, right?

I don't believe this was cause to arrest. I think they questioned him and he confessed to writing the virus.

Information like this wouldn't be classified as hard evidence for precisely the reasons you state, but it DOES help to point law enforcement in the right direction. If it ends up being forged, law enforcement loses nothing except a bit of time following a bad lead.

Consumer Reports Magazine

[Andrew+Dvorak]

Consumer Reports purchases products and "grades" them, unbiased. They are funded ONLY by consumer subscriptions and do not allow advertisements to be sold in their magazine. They accept no product donations and purchase the products they review themselves. This is the example any such consumer rights organization should follow.