Emerging tech Toolkit

Can you trust TRUSTe?

Tags:
Privacy,
RealNetworks,
TRUSTe,
Internet

Robert Lemos, ZDNet.com ZDNet US

Published: 03 Nov 1999 10:38 GMT

With three licensees in six months under fire for privacy violations, nonprofit privacy initiative TRUSTe is facing doubts about its ability to protect consumers' privacy online.

TRUSTe and other privacy services "come in after the fact and say what the company did was bad, but they don't do anything to solve the problems," said Richard Smith, an independent Internet consultant who has uncovered several of the worst incidences of online privacy infringement. "Companies fall back on the seals a lot, though. They will say to me, 'We are a member of TRUSTe.' But what does that mean?"

At stake for TRUSTe and other seal programs, such as that offered by the Better Business Bureau, is credibility. Sites qualify for the seals by agreeing to post their privacy policies online, and allowing seal providers to audit their operations to ensure they're adhering to the policy.

The latest flap was sparked on Sunday, when Smith posted evidence on his Web site that Real Networks' RealJukebox digital music player secretly gathered information on what music users played on their PCs, sending it back to the company. In addition, Smith charged that RealJukebox also sends back a daily "status report" to RealNetworks, revealing details about the music stored on a user's PC. RealNetworks is a TRUSTe licensee.

On Monday, RealNetworks admitted to and apologised for violating the privacy of the nearly 13 million users of its RealJukebox product. The company released a 67KB patch that it claims disables the two data collection functions of its software.

Still, TRUSTe's credibility has at least been undermined, as has that of sites that rely on the logo mark to show that they do indeed follow certain privacy guidelines.

"These programs are great for public relations, because the companies can say they have a privacy policy, but they are a disaster for privacy protection," said Marc Rotenberg, director of online privacy watchdog Electronic Privacy Information Center. "The privacy seal organizations have been really reluctant to go after their members."

The problem is compounded by repeated offenses: RealNetworks is only the latest TRUSTe licensee to get caught crossing the blurry line of online privacy. In the past six months, at least two of its other licensees have been reported to the Federal Trade Commission, the agency charged with handling online privacy issues.

In August, a security hole in Microsoft Hotmail service allowed anyone on the Internet to access a user's e-mail account just by knowing the person's login name.

Prior to that, in April, Smith discovered that Deja News' search engine had been scooping up the e-mail addresses of the people using its system for over a year, giving the company a record of who was e-mailing whom.

Last year, yet another TRUSTe licensee -- Geocities, now owned by Yahoo -- settled with the FTC after being cited for improperly collecting data from children under 13.

TRUSTe has not yet decided what steps it will take in the Real Networks case, said David Steer, a spokesman for the organization.

"This is a very different situation than we had with Hotmail and Geocities," he said. "I would not look at how we responded in past cases to find and indication of what we are going to do here."

Some observers say action would be a good thing, since it has done very little in the past.

"Rules only have credibility if there is a stick behind them. TRUSTe only has a big, soft sponge," said Jason Catlett, president of pro-privacy firm Junkbusters and one of the more rabid advocates of consumer privacy rights. "Suppose they decide that Real has crossed the line. What can they do? The worst is to revoke Real's license to use their seal."

TRUSTe's Steer said it could revoke the logo, but could also react more strongly. "We could take the company to court for breach of contract, since they do have an agreement with us. Or, we can forward the case to the FTC," Steer said. The FTC has already pledged to fast-track complaints referred to it from privacy seal programs, such as TRUSTe.

Steer also said that if TRUSTe decides that RealNetworks can no longer use its seal, the fallout for the media software company could be devastating.

"I guarantee that the damage to the reputation of the first company that we do that to will be big," he said.

EPIC's Rotenberg doubts that a potential public relations backlash will stop privacy violations. He thinks some sort of regulatory legislation is necessary.

"It can work if there is a legal framework underneath," he said. "It helps to have some compliance organizations. But you have these free-standing certification authorities that are basically not certifying anything."

TRUSTe's Steer, perhaps surprisingly, agreed. "To think that we oppose laws and regulations is wrong," Steer said. "We just oppose the wrong law. Our program is only part of a solution."

Steer promised that TRUSTe would have an answer to the Real Networks' dilemma by the end of this week.