TRUSTe and RealNetworks Wrap-Up
First, the week's news in brief. There has been a class-action lawsuit filed against RealNetworks. Then there were two lawsuits - no, make that three lawsuits. Their stock faltered, then rallied, and is now about 40% above the day the privacy news broke.
Strangely, TRUSTe removed its press release "TRUSTe and Real Networks Announce A Pilot Software Privacy Program" from its News page on Saturday, along with one other, replacing them with an older one. There's no indication this has anything to do with the bad press of the last week.
Dave Steer had written a rebuttal to last week's story, but it is unfortunately still not available. If and when the rebuttal is published, we'll update this story with a link to it.
Now for the issues at hand. In our conversation, Dave wanted to make two key points. The first is that TRUSTe is not a "consumer advocacy group," the phrase I've been using. The second is that their press release regarding RealNetworks was a landmark decision, a culmination of six months' worth of their realizing that they have to move in a new direction.
If TRUSTe is not a consumer advocacy group, that raises the question of what it is. I didn't get a very clear answer from Dave on this. Its website says:
"The TRUSTe program was designed expressly to ensure that your privacy is protected through open disclosure and to empower you to make informed choices."
The "you" and "your" means you - the consumer. TRUSTe claims it was designed to empower and protect you.
But it's not going to do this by punishing corporations for privacy transgressions. TRUSTe is all carrot and no stick. The carrot is that, after a corporation has been caught breaking the rules, it can restore its damaged reputation by cooperating with TRUSTe: issuing a press release, taking some simple steps to improve the situation, etc.
This is a fault that's built into the way TRUSTe was set up: a design problem. There are some questions of poor implementation as well. After the March 1999 revelation of Microsoft's secret GUIDs (user-tracking technology that can lead the cops to your door), TRUSTe went to them and asked for action. Not punishment of any kind - all they asked for was an audit.
And according to Dave, "Microsoft said no."
How could Microsoft make TRUSTe back down? The poor implementation is that TRUSTe's contract with Microsoft, and with RealNetworks, and presumably with all its 750+ licensees, makes a distinction between privacy violations that take place over the web, and others. Companies that steal consumers' privacy through non-web-related technology are not covered under paragraph 5A of the TRUSTe License Agreement.
Paragraph 5C, however, allows TRUSTe to break the agreement and void the trustmark, for any reason. If it had wanted to pressure Microsoft, this would have been the threat to make: terminating the contract, and going public with a condemnation.
But that wasn't TRUSTe's goal. Although it claims:
"...licensees agree to cooperate with all TRUSTe reviews and inquiries. If we cannot reach a satisfactory resolution ... [this] could result in a Web site compliance review by a CPA firm, revocation of the trustmark, termination from the TRUSTe program, breach of contract proceedings, or referral to the appropriate federal authority."
...it will never take these steps. Microsoft refused to cooperate because the carrot wasn't big enough - so TRUSTe offered them a bigger carrot. RealNetworks scanned its users' hard drives for private personal data, uploaded it to their servers, and blatantly lied about it. Short of actually stealing our credit card numbers and running up a tab at the Sharper Image, it is hard to imagine a more serious violation of privacy. Yet TRUSTe went to them hat in hand, asking to be allowed to collaborate.
Those contracts that give TRUSTe no authority over non-web privacy violations? That's not a bug - that's a feature. Even when it has the right to take serious action, a right TRUSTe grants itself in paragraph 5C, it chooses not to use it. Design problem.
Corporate invasion of personal privacy is not a win-win situation. This is a war in which TRUSTe will often have to take sides. Learning that it backed down from Microsoft and had to haggle over even the audit it wanted to impose was an eye-opener. Chris Larsen, the CEO of E-Loan who revealed the behind-the-scenes haggling, described his company as "very concerned" about TRUSTe's inability to address the issue.
In fact, I never would have heard about that if not for the Slashdot comment where Seth Finkelstein called attention to it. It's not confidence-inspiring that TRUSTe has refused to allow any negative information on its homepage, in its press releases, or in its statements of findings. The constant comforting message leaves me uncomfortable.
Dave's second point was that this collaboration - on a new program which will cover non-web as well as web violations of privacy - heralds an important new direction in TRUSTe's history. Now that they have enough licensees to pay the bills, they are not beholden to any of their sponsors, and can start to take a harder line. And they can renegotiate their contracts to fix the web/non-web distinction.
I'd like to believe that's true. But the heads of TRUSTe surely know that, if they ever started condemning corporations' privacy violations instead of collaborating with them, renewals on their contracts would dry up. Corporations love to enter agreements with organizations which give them good press. Organizations that give bad press get ignored at best.
TRUSTe's reputation for lax enforcement is surely part of the reason they now have 750 licensees. It would be a very different story if the carrot ever got replaced by the stick.
I could be wrong. But TRUSTe's actions support this view even if its words don't. RealNetworks needed to be slapped, hard - but now it's up to the lawsuits to give the company a reality check.
Sure, TRUSTe may have helped RealNetworks figure out the proper reaction in this case. But it has 750 other licensees that all got the message loud and clear: whatever you do, TRUSTe will not chastise you. There is no incentive to do the right thing. By its actions, TRUSTe encourages corporations to violate privacy when they think they can get away with it. This will happen again - and it will be the same story each time.
And it may happen sooner rather than later. The most frightening thing I've heard all week was Dave Steer's offhand comment that programs like RealJukebox are probably more common than we think. That makes it all the more ironic that TRUSTe is unwilling to put consumers' interests first.
If I'm correct in this, then we're in serious trouble. If you feed an animal, what are the odds of it wandering off and finding its own food? Ok, so translate that into the computer industry...
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Let's assume TRUSTe did pull the trustmark (nice word!) from Microsoft. Does anyone here think it hurts Microsoft more than it hurts TRUSTe?
-137
It already has been said on Slashdot and I'll say it again: TRUSTe has no credibility left whatsoever. They may have had good intentions at the beginning, but right now the whole thing has degenerated into a fig leaf for whatever the corporations want to do. TRUSTe right now is actually doing harm, since it provides the corporations with a convenient cover allowing them to state (with a straight face) that their privacy policies are OK, are being followed, and Joe Q. Random has nothing to worry about.
I think that it is about time everybody with privacy concerns and some decency left started to distance themselves from TRUSTe as quickly as possible (simple translation: run in the opposite direction. Fast.) The whole affair starts to generate a very ugly taste and more and more it looks like TRUSTe was selling PR cover for money while pretending to be on the lookout for consumers' interests.
IMHO the best solution for this mess is for TRUSTe to die, quickly. I don't insist on the death being painful.
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
Teeth and independence are not enough. They need to be structured so that they gain by revealing privacy violations, and lose by concealing them. Even that probably wouldn't be enough for long. Regulatory committees regularly become captive of the industries that they are supposed to regulate. This is because even if the organization gains by honest regulation, the people that the organization is composed of may gain by being friendly with those whom they regulate. What does the ex-chairman of the Fed do? He works for a bank. etc.
This is a real problem in system design, and I haven't yet encountered a pattern that can be used to solve it.
Once you solve this one, you need to keep it sufficiently balanced that the committee doesn't start inventing crimes to blame on those that it regulates. That has happened at various times during history also. A fine balancing act.
I think we've pushed this "anyone can grow up to be president" thing too far.
To my mind, Truste doesn't have any credibility any more. If your credit card company was as lax as this about credit violations you wouldn't sign up to them.
They have become another mindless piece of web page logo that should be ignored.
If they had wanted to get credibility with the public they would have used the stick with the first transgressor (a stick the size of a giant redwood, preferably) and used this as an example of what would happen in future. In corporate terms it's easier to use a threat than use the stick, but for threats to work, people need to know you'll use the stick.
Time after time Truste has been shown violations and time after time nothing much has been done about it. If they had hit the first transgressor hard, Microsoft may not have said "No" so easily.
Today if you are a software manufacturer with a trustmark and your software copies off all documents marked "business futures" and emails them back for you to use in the stock market, Truste will come after you.
You'll look at the history, you'll see RealNetworks, you'll see Microsoft, etc., where really nothing happened, and you'll follow their line and say "No".
It's time that Truste was disbanded, because to the public who know its history it has no credibility, and to the software industry it has no power.
Seriously, if TrustE is not going to be biting the hands that feed them, then why are we listening to them? Because they spent much of their money building "brand recognition" on the web (making them the "most visible symbol on the internet"?)
What we need is a real consumer-privacy watchdog. Not one that says "we make sure that if companies violate your privacy, they tell you first", but one that conducts active research -- if I can catch violations of a privacy statement by using a Hotmail account created solely for online registrations, so can an advocacy group.
I'm talking about the online-privacy equivalent of the Web Standards Project. They publish a credo of "thou shalt nots" and rate everything an "internet business" does.
For example:
If they have a website that requires registration, what do they do with that information?
If they produce "internet-enabled" products, what exactly does the product transmit over the network? How is that information used? (Yet another good reason reverse engineering needs to remain legal, and not just for "interoperability".)
In the case of GUIDs, do their products create any kind of identifier that can trace a created file or document back to the originating product?
If any kind of authentication is used to allow users access to the product (like a personal-finances program), how easy is it to circumvent the authentication? Is the information accessible without authentication?
This group should also put some work into informing people as to what their rights should be online, and helping them fight for it. ("If you use RealNetworks products, write to them at this address and tell them how you feel about the GUID issue"...)
Jay (=
(The question is, who pays the bills for a group like this?)
TrustE's dependency on amiable relationships and paychecks from the companies they are supposed to monitor makes it impossible for them to do what they are supposed to be doing, protecting consumer privacy rights. It's akin to calling up the police because some Mafia guy is beating on you, and it turns out the police won't show up because they are on the take!
To have an effective watchdog of on-line privacy, it must be a non-profit organization or a government agency. I much prefer the former to the latter of these. Perhaps the EFF, EPIC, or the ACLU could start up a program of certification like TrustE. Certification of a site or application would be rigorous and free. I'd be happy to write any of these organizations a check if they did this!
---
This sig has been temporarily disconnected or is no longer in service
Over on the Consumer Reports site they are running a thing about e-commerce. Well, one of the things they mention is that the consumers should be looking for the trust-e logo. Apparently they are under the mistaken assumption that Trust-e means anything.
I have been wanting to write them a letter as soon as I read this small article, but apparently only members of the CR website can send them email - otherwise you have to send them snail mail.
Now, this leads me to a question - a few months ago someplace somewhere someone put up a note or news item or something that talked about somebody and their policy on their website. The trust-e logo was showing up on www.thewebsite.com but they were violating the privacy over on blah.thewebsite.com. Trust-e's response, if I remember correctly, was "well, www.thewebsite.com is the site that is licensed, so we don't care about blah.thewebsite.com" or something to that effect. Now I can't find this story or whatever it was. Anyone else remember this or did I dream it?
This is not really new. It's the same problem the Better Business Bureau has had for all of its existence - they will never apply meaningful pressure against anyone who is a member, because that would be biting the hand that feeds them.
What results is a sham that's only a little better than an outright protection racket. The inherent conflict of interest prevents even gross violations of guidelines from showing up on the records of those willing to pay for the protection. Sad but true. So how is it big news that this problem has found its way to the net?
Why don't we talk about something important like stamping out spam?
"The future's good and the present is nothing to sneeze at." - Roblimo's last
Okay, I sent CU my comments. Here they are if anyone is interested:
:)
Thank you for your article about e-commerce. It was very insightful and helpful!
However, there is a glaring problem with it. In the article, you mention that consumers should look for the Trust-e symbol.
Based on Trust-e's track record, consumers should do nothing of the sort. They should instead chuckle and giggle at the web site operators who paid them money for the symbol. The symbol does not even hold as much clout as the Better Homes and Gardens symbol which, if I remember correctly, your organization had fun with about 10 years ago in the pages of CR.
Here are two links to articles which are currently appearing on Slashdot.org:
http://slashdot.org/article.pl?sid=99/11/05/102
http://slashdot.org/article.pl?sid=99/11/12/114
I could point you towards more articles, however I think your network would get overloaded.
At any rate, I hope you will find these two articles informative and will be moved towards changing the article to remove the Trust-e comment from it. I think to have it there otherwise just leads consumers who do value their privacy into a dark and murky world of actually having it invaded.
Thank you for your time.
Randy Rathbun
> A slightly clearer picture of TRUSTe's role emerged,
> but few of my concerns were allayed.
I had to laugh when I saw the phrase "clearer picture of TRUSTe's role". For me, it's because I've gotten a clearer picture of TRUSTe's real role that I'm concerned in the first place.
Notandi Sunt Tibi Mores: By your actions shall you be judged.
TRUSTe's role is simple: Take money in from companies with a vested interest in violating your privacy, then turn out a false illusion of security to suckers^H^H^H^H^H^H^Hcustomers that their information won't be shared. Trusting folks like that is like sending your name to a spammer's remove list.
The TRUSTe mark is a mark of untrustworthiness - as others have pointed out, it's flawed by design - all it can mean is one of two things.
Either:
I will sell your name to the highest bidder, but I buried the policy that says so in a font of microscopic size twelve levels down in my site, but the policy is available, and by God, we are following it, selling your name just as we promised. TRUSTe has verified that we follow our policies.
Or:
I will install trojans on your hard drive, but as long as they don't communicate their information back to me through port 80, we're off the hook. If it ain't that, we're paying TRUSTe good money to help us find another technicality that'll allow us to keep the mark up there for the rubes^H^H^H^H^Hcustomers who are still deluded enough to think we're ethical.
Some have called for TRUSTe to die and be replaced by something else. By what, pray tell? No monolithic "seal of approval" organization can have de facto trustworthiness - it's not in the nature of the 'net to place its trust in centralized institutions.
It is, however, in the nature of the 'net to sniff out BS, and expose it wherever it may lie. That sniffing has caught M$ out with umpteen egregious violations, the EBay spamming fiasco, the RealTrojans, and countless other folks, be they TRUSTe members or not.
Caveat Emptor. I know which companies I still trust. I know which companies I don't. And I know which companies I never will. Ironically, the ones I trust, more often than not, don't have the TRUSTe logo on them. And over the past year, I have to admit that the more "clear a picture I have of TRUSTe's role" I get, the less I trust the sites which bear it.
When I see a TRUSTe logo, I immediately think "Your reputation was so shoddy you had to pay these weasels for good PR insurance in the event that you get caught with your hand in the privacy cookie jar? Puh-leeze!" Can I possibly be the only one who thinks this way?
Final word:
If you have pull at your company, consider withdrawing from the TRUSTe program. Declare your privacy policy up front and stand by it. Why would you want to dilute the trust you've built up by associating with a group whose sole function it is to defend egregious violators of customers' privacy?
You are, of course, entitled to your own opinion. There are some of us who feel that the casual passing around of data that we consider private to be an issue. If you don't feel it's an issue, you're welcome to feel that way. We'll just have to agree to disagree.
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
If I may interject a fact into the feeding frenzy, GUIDs are not "user tracking technology" as jamie states.
A GUID is a "Global Unique IDentifier" produced on demand by Microsoft dev products when the developer needs a name for a new COM service, ActiveX widget, or other application element that is guaranteed to be unique. This GUID is used to index the service/widget/whatever against a "local server" string in the registry, which identifies the path to the local machine's copy of that widget/service/whatever.
If we did not have GUIDs, there would exist a possibility of duplication and systemic failures for no good reason other than lack of originality. You can easily imagine hundreds of widgets shipping with the "unique and clever" names "foo" or "myId" or "37337". Get two of those widgets on the same machine and things break.
The GUID is generated by a satellite app to MS Dev products, but anybody can generate one. The most reliable means is to take the hardware id of the local Ethernet card (supposedly already unique) and add some random cruft on either end. This makes it probabilistically guaranteed that you will never see the same GUID twice, and hence guarantees that your program will encounter no conflicts. Very slick.
Now certainly a GUID could be used to track a person or a machine, just as it can be used to uniquely identify an ActiveX control. However, that is not their primary function. When Microsoft used GUIDs, it did so during the Windows registration process so that the client machine itself could save them the trouble of inventing a unique key to reference the registered information. This was the easy way out of a problem, but clearly somebody didn't consider the privacy ramifications. Or, if you choose to be conspiratorial, the evil MS employees knew it all along.
The misuse of GUIDs does not deprecate their extreme usefulness when applied responsibly.
-konstant
Yes! We are all individuals! I'm not!
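As an added illustration of the point konstant's comment makes (this is example code written for this page, not part of the comment and not Microsoft's or anyone's product code), the following Python shows the "hardware id plus other fields" layout in RFC 4122 terms: a version-1 GUID carries the generating machine's 48-bit node id, conventionally the Ethernet MAC address, in its last six bytes, so anyone who receives the GUID can read that address back out, which is exactly the tracking concern with the registration and document GUIDs discussed above; a version-4 GUID is random and embeds nothing recoverable. The sample MAC address is constructed for the demo and belongs to no real device.

```python
import uuid
from typing import Optional

# Constructed sample hardware (MAC) address for the demo; not a real device.
SAMPLE_NODE = 0x001122AABBCC


def make_v1_guid(node: int = SAMPLE_NODE) -> uuid.UUID:
    """Build an RFC 4122 version-1 GUID: a 60-bit timestamp, a 14-bit clock
    sequence, and the 48-bit node id (conventionally the Ethernet MAC)."""
    return uuid.uuid1(node=node)


def make_v4_guid() -> uuid.UUID:
    """Build a version-4 GUID: 122 random bits, no hardware or time fields."""
    return uuid.uuid4()


def format_mac(node: int) -> str:
    """Render a 48-bit node id in the usual colon-separated MAC notation."""
    return ":".join(f"{(node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))


def node_from_guid(g: uuid.UUID) -> Optional[int]:
    """Recover the node field from a version-1 GUID.

    Returns None for any other version: a v4 GUID has no node field, so
    there is nothing to recover."""
    if g.version != 1:
        return None
    return g.node


def node_looks_like_real_mac(node: int) -> bool:
    """RFC 4122 section 4.5: a generator that substitutes a random node id
    must set the multicast bit (least-significant bit of the first octet),
    so a clear bit suggests a genuine unicast hardware address was embedded."""
    first_octet = (node >> 40) & 0xFF
    return (first_octet & 0x01) == 0


def assess(g: uuid.UUID) -> dict:
    """Summarise what a GUID reveals about the machine that generated it."""
    node = node_from_guid(g)
    return {
        "version": g.version,
        "embeds_node": node is not None,
        "node": format_mac(node) if node is not None else None,
        "node_is_hardware_mac": node_looks_like_real_mac(node) if node is not None else False,
    }


if __name__ == "__main__":
    # A v1 GUID gives the MAC away; a v4 GUID from the same machine does not.
    for g in (make_v1_guid(), make_v4_guid()):
        print(g, assess(g))
```

The defensive takeaway is the one konstant hints at: if a product only needs a unique key, a random (version-4) GUID gives it the uniqueness without shipping a hardware identifier to whoever ends up holding the key. When auditing what a product transmits, checking the version nibble and the multicast bit of any GUID it sends is a quick way to tell the two cases apart.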
It wasn't worth paying few hundred dollars to TRUSTe to try to go through with it, but it was a very tempting idea :-).