Kuro5hin.org: technology and culture, from the trenches
An Open Letter to TRUSTe's Lori Fena

By rusty in News
Mon May 22, 2000 at 10:19:00 AM EST

Lori Fena is the former* Chairman of the Board of Directors at the Electronic Frontier Foundation, and is now the chairman of TRUSTe, an organization devoted to web privacy. Thus it was a great surprise to see her name show up on the list of members of DoubleClick's new "Consumer Privacy Advocacy Board". As many of you know, DoubleClick has drawn much wrath for its invasive practices and widespread collection of personal user information.

Prompted by this, and by our recent brush with TRUSTe's apparent lack of concern for actual privacy, as exposed by eBAY's "No Privacy for You" policy (discussed in this story), I wrote an open letter to Ms. Fena expressing my dismay at the potential consequences of TRUSTe's lax approach to certification, and my general feeling that industry self-regulation with respect to privacy is simply not working. The text of that letter appears below, changed only in that links that were included in the email in text (URL) form have been embedded in the HTML here.

* Update [2000-5-22 11:36:53 by rusty]: michael from Slashdot informs me that she is no longer the EFF chairman, or even on the Board there, as this article originally stated. My mistake.


Ms. Fena,

I'm writing to you partly as the webmaster of kuro5hin.org, where this letter will be submitted for publication, but mostly as an individual who spends quite a lot of time online, and conducts a lot of personal business through the internet, and is therefore very concerned about online privacy issues.

The internet industry in general has been adamant in its claims that industry self-regulation will be sufficient to safeguard the privacy of internet users. TRUSTe has often been held up as the flagship initiative in online privacy protection, and has been very successful in building a brand recognition among internet users. To many, the sight of the TRUSTe "trustmark" is sufficient to assure them that a website can be relied upon to protect their private information.

As stated in "The TRUSTe Story," your organization was founded on a recognition of "the need for branded symbols of trust on the Internet similar to UL Labs," a need which I wholeheartedly agree does exist.

Unfortunately, this need is not being met by TRUSTe, and in fact, I believe your organization may be doing more harm than good to the cause of online privacy protection.

You make the comparison to Underwriter's Laboratories, and their famous "UL Listing Mark." The essential value of Underwriter's Laboratories is this: if I buy, for example, a toaster, and that toaster bears the UL mark, I know that an independent third-party organization has tested this toaster, and determined that it will operate as expected, and will not randomly catch fire. As explained on the UL website: "The UL Listing Mark on a product is the manufacturer's representation that samples of that complete product have been tested by UL to nationally recognized Safety Standards and found to be free from reasonably foreseeable risk of fire, electric shock and related hazards."

So, I might reasonably expect, from TRUSTe's comparison, that if a website bears the TRUSTe "trustmark," then the privacy policy of that website has been inspected, and found to meet some recognized standard of actual privacy protection. This is unfortunately not the case.

Take, for example, the privacy statement of eBay, which reads, in part, "Therefore, although we use industry standard practices to protect your privacy, we do not promise, and you should not expect, that your personally identifiable information or private communications will remain private." This policy, which states openly that users have no assurance that their private information will remain private, is certified by TRUSTe.

What the TRUSTe "trustmark" certifies, in fact, is simply that a website has stated what its privacy policies are, and will comply with that statement, whatever it may be. Oh yes, it also certifies that the owners of the website have paid a license fee to TRUSTe, for use of the "trustmark".

The result of this is that internet users now have the *impression* that their privacy is being safeguarded, without any actual standards of privacy protection being in place, or being enforced. This, to me, is worse than having no oversight at all. Rather than actually make an effort to protect the privacy of internet users, TRUSTe has instead made an effort to collect licensing fees for the use of a graphic with no underlying meaning. A large amount of HTML about "raising awareness" and "educating users" aside, TRUSTe is collecting fees while doing nothing to ensure privacy.

Now I read that you have joined the "Privacy Advisory Board" of DoubleClick, long-notorious as one of the worst offenders in the pantheon of online snooping. This only further lowers my opinion of the integrity of TRUSTe, and further convinces me that self-regulation will never work in an industry that appears to be utterly bereft of ethics.

Unless and until TRUSTe and other online "privacy" watchdogs begin to safeguard the actual privacy of internet users, I will continue to regard the TRUSTe "trustmark" as merely a sign that the website in question is trying to lull me into complacency, in order to perpetrate some gross violation of my privacy, as this seems to be the specialty of policies certified by your company.

If you wish to respond to this letter, you may email me at rusty@kuro5hin.org, or you may participate in the online forum that will accompany this letter, if it is approved for publication, at http://www.kuro5hin.org/. Thank you for your time.

Sincerely,
Rusty Foster, kuro5hin.org

An Open Letter to TRUSTe's Lori Fena | 34 comments (34 topical, editorial, 0 hidden)
This is good stuff. TRUSTe needs to... (3.00 / 1) (#1)
by raph on Mon May 22, 2000 at 06:16:52 AM EST

raph voted 1 on this story.

This is good stuff. TRUSTe needs to come clean about whether they're just a "brand for sale" or whether they deserve any actual trust from consumers.

Go git 'em, Rusty!... (1.00 / 1) (#3)
by genehack on Mon May 22, 2000 at 07:51:29 AM EST

genehack voted 1 on this story.

Go git 'em, Rusty!

This needs to be posted, if only fo... (1.00 / 1) (#4)
by Frigorific on Mon May 22, 2000 at 08:39:18 AM EST

Frigorific voted 1 on this story.

This needs to be posted, if only for the discussion that will follow...
Who is John Galt? Rather, who is Vasilios Hoffman?

"What the TRUSTe "trustmark" certif... (3.00 / 1) (#2)
by Commienst on Mon May 22, 2000 at 10:07:44 AM EST

Commienst voted 1 on this story.

"What the TRUSTe "trustmark" certifies, in fact, is simply that a website has stated what its privacy policies are, and will comply with that statement, whatever it may be. Oh yes, it also certifies that the owners of the website have paid a license fee to TRUSTe, for use of the "trustmark". "

There you just stated the situation perfectly. They are not a non profit group motivated by money. When ebay (or any other website for that matter) swings its big bucks under their noses they would be fools to not take it. TrustE is really just selling brand name recognition for privacy (their little TrustE logo). What we need is a non profit volunteer organization to certify sites for meeting privacy standards.

Re: (4.00 / 1) (#5)
by rusty on Mon May 22, 2000 at 10:34:37 AM EST

Actually, from their FAQ:
TRUSTe is an independent, non-profit privacy organizations whose mission is to build users' trust and confidence on the Internet and, in doing so, accelerate growth of the Internet industry.
How independent and non-profit they are, however, is still open to interpretation.

____
Not the real rusty
[ Parent ]
Thats funny (3.50 / 2) (#6)
by Commienst on Mon May 22, 2000 at 10:49:33 AM EST

Hey guess who their corporate sponsors are: AOL, Excite, Intel and Microsoft

When Microsoft asked ebay to stop users from reselling their software, TrustE did not care; they have been "infiltrated" by Microsoft already.

When was the last time you heard of a non profit organization charging a license fee to use their logo? I guess you can say that on the internet and get away with it since it is largely unpoliced. If it were, then slashdot would no longer be able to use its .org domain name.

[ Parent ]

Re: Thats funny (4.00 / 1) (#12)
by jwsh on Mon May 22, 2000 at 11:46:06 AM EST

Non profit entities can charge for services. That's not at all the point of a non-profit. Day care centers, for example, are non-profit. You still have to pay to send your kid there, but the money you pay just goes into paying teachers, and buying blocks - not the owner's pocket. That's what makes it a non-profit organization.

[ Parent ]
Re: Thats funny (3.00 / 2) (#16)
by rusty on Mon May 22, 2000 at 12:01:22 PM EST

And, considering TRUSTe doesn't sell a (manufactured, "real") product, it makes perfect sense for them to be a non-profit. They don't need the company to make a profit, they just need to distribute money to the employees. Many people mistake "non-profit" to mean "socially responsible do-gooder org", which really isn't the case. Many, many non-profits are that way simply because it makes more sense given the relevant tax laws.

____
Not the real rusty
[ Parent ]
Re: (4.00 / 1) (#24)
by BlaisePascal on Mon May 22, 2000 at 02:56:47 PM EST

OK, so where is TRUSTe violating that mission statement? Their stated goal is to "build users' trust and confidence on the Internet", and to "accelerate growth of the Internet industry."

Their stated goal is not "to ensure minimum standards of privacy on the internet" or "to protect users' rights", or anything similar. Their statements make them a friend of industry, not a consumer advocacy or rights group.

After all, "Smilin' Pete's Used Cars (would this man lie to you?)" also wishes to build car buyers' trust and confidence in the used car business and to accelerate growth of used car sales. He is quite proud of the "Star Quality" certification given to him for having a quality policy (his famous 30-mile, 30-minute warranty) by the Quality Used Car Association. But would you believe him? Would you trust the QUCA?

The comparison with UL is instructive, in that by following the money, you can clearly see where their priorities and interests lie. UL was founded to support the efforts of the insurance industry (underwriters), who were experiencing losses caused by unsafe equipment. The insurers gave UL some practical muscle by saying "we won't pay off on our policies unless the equipment used has been certified by our lab". As a result, we are all safer because the insurers used their clout to cut -their- losses and push for higher safety standards. UL is funded by organisations which have a vested interest in consumer safety.

In contrast, TRUSTe's stated mission is to promote the so-called "Internet industry". Of its three "founding institutions", one is EFF and the other two (CommerceNet and the Boston Consulting Group) are internet commerce associations. Their "sponsors" list includes AOL, Excite, Microsoft, Intel (as "premier corporate sponsors"), three networking firms, a baby bell, and two advertising agencies. The only organisation listed at all which I recognise that has a stated goal of support of privacy or user/consumer advocacy is the EFF -- and now EFF is trying to distance themselves from TRUSTe.

So is it any surprise that TRUSTe pushes the appearance of privacy in order to enhance the goals of its sponsors and founders?


[ Parent ]
Very trustworthy (2.00 / 1) (#7)
by HiQ on Mon May 22, 2000 at 10:55:13 AM EST

You see this happen time and time again with 'consumer organizations' like this. You place a stupid logo on your webpage and suddenly everybody should trust you? If you click on this logo, you receive a secure document, stating that you can trust this site; now we all know how difficult it is to copy logos and send false secure documents. The only thing that can give this trick away is the URL, but does anyone really pay any attention to that?
How to make a sig
without having an idea
just made a HiQ
Re: Very trustworthy (4.00 / 1) (#8)
by rusty on Mon May 22, 2000 at 11:01:02 AM EST

I think you've rather missed the point though. My point is not that it's easy to fake the certification, but that the *unfaked* certification in fact has no teeth behind it. I'm assuming that all trust-e certs are real, and arguing that in fact they still don't mean anything. Not the way trust-e works now.

____
Not the real rusty
[ Parent ]
Re: Very trustworthy (3.00 / 1) (#9)
by HiQ on Mon May 22, 2000 at 11:09:59 AM EST

Oops, I should have pointed out in my reply that I agree with you on the fact that this certification is 'empty' and really doesn't mean a thing. I should have said that apart from the fact that the certification is meaningless, it's also easy to fake.
How to make a sig
without having an idea
just made a HiQ
[ Parent ]
EFF? (4.00 / 2) (#10)
by eann on Mon May 22, 2000 at 11:26:45 AM EST

What's initially surprising is that someone so closely affiliated with the EFF, an organization many of us have come to respect, would even be a part of schemes like TRUSTe and DoubleClick.

But, then, let's think about this before we condemn them. I do understand how an independent evaluation that a company will follow their own policies is an important part of the trust process. In fact, it's necessary, and perhaps more important than the wording of the policy (it really doesn't matter what you say if you don't stick to it). The problem is that most users don't know what the mark really means--that is, they still have to read the privacy policy--and we stand very little chance of educating them. TRUSTe should probably be doing more to help in this regard.

In some regards, though, I even see how this might be the practical limit of service that TRUSTe can provide. By providing only a link to a policy and a certification that it's solid, that leaves them out of the business of determining what each of us deems an appropriate use of our personal and/or demographic data. I'm fairly guarded about my personal email address, but I'll share my area code or ZIP code with anyone, because it doesn't tell them anything about me (except that I live in an area where they probably have very few advertisers). Others may feel differently.

Maybe I'm just old, I do remember when non-profits liked the connotations that came with a .org address, though, and TRUSTe seems to feel .com is more appropriate. I have to wonder if they've simply been the victim of squatting or if there's more to it than that.

Anyway, I don't know what her intentions are for DoubleClick. This is a company that has taken quite a bit of bad press about their apparent lack of concern for customer privacy, and they could be making an effort to improve things before they get laughed off the 'net. If so, having a name like Lori Fena on the board is the only way they'll convince the people who know enough to care that they're taking a step in the right direction.

It's hard to improve the Internet by permanently blacklisting people or organizations (except maybe Sanford Wallace). In that light, I don't see it as my job to go around telling people what's right or wrong like some digital Moral Majority; I simply vote with my wallet and encourage others to carefully evaluate the issues and do the same. And I do have a tendency to be forgiving--when I stop using a particular service, I usually try to tell the provider why--there's always a chance they can fix things.

Our scientific power has outrun our spiritual power. We have guided missiles and misguided men. —MLK

$email =~ s/0/o/; # The K5 cabal is out to get you.


Re: EFF? (5.00 / 2) (#13)
by rusty on Mon May 22, 2000 at 11:51:19 AM EST

What's initially surprising is that someone so closely affiliated with the EFF, an organization many of us have come to respect, would even be a part of schemes like TRUSTe and DoubleClick.

My mistake. As noted in the update, she is no longer part of the EFF. She was apparently "purged" due to ideological differences.

I do understand how an independent evaluation that a company will follow their own policies is an important part of the trust process.

Absolutely. I do too. However, my argument is that *by itself* this is useless. To continue with the UL comparison: if UL worked this way, then it would be pretty easy to imagine a company producing a toaster, and printing really small on the bottom of the box "Warning, this toaster may explode for no reason." If the UL were in the business of feel-good validation of whatever the toaster company wanted to say, then they would verify that the toaster did indeed occasionally explode, and then go right ahead and stamp the seal on that sucker. After all, it conforms to the manufacturer's stated "operational policy", right?

I think my point is obvious. No one wants a world where that kind of thing happens. I don't think there is a situation in which it would be OK for appliances to behave this way. Just as I don't think that there are *no* hard and fast rules for how a company may use my personal information. At the very least, the most basic required rule ought to be: "We will not use your info without your prior express consent." Can you think of a reason why some sites would need to break this rule? I can't. To say that there can be no basic immutable rules is just a cop-out, and one that TRUSTe is making a living exploiting.

Maybe I'm just old, I do remember when non-profits liked the connotations that came with a .org address, though, and TRUSTe seems to feel .com is more appropriate. I have to wonder if they've simply been the victim of squatting or if there's more to it than that.

They have .com and .org. Take your pick.

It's hard to improve the Internet by permanently blacklisting people or organizations (except maybe Sanford Wallace). In that light, I don't see it as my job to go around telling people what's right or wrong like some digital Moral Majority; I simply vote with my wallet and encourage others to carefully evaluate the issues and do the same. And I do have a tendency to be forgiving--when I stop using a particular service, I usually try to tell the provider why--there's always a chance they can fix things.

But what happens when you don't have any choice? It is simply not in the best interests of most companies to protect our information, if they can get away with not doing it. The longer we allow people to believe that they are protected with such things as TRUSTe, the more entrenched those beliefs become. If the majority of users believe they're being protected, then there will be no motivation for companies to change their ways. To put it most simply, yes, vote with your wallet, but at some point someone's gotta complain publicly, or your only choice will be to never buy anything online.

____
Not the real rusty
[ Parent ]

Re: EFF? (3.00 / 1) (#17)
by analog on Mon May 22, 2000 at 12:08:18 PM EST

It is simply not in the best interests of most companies to protect our information, if they can get away with not doing it.

Only if you define 'best interests' in terms of short term profit. Yes, I realize that this is how most businesses define it these days, but I'm not at all willing to believe that it matches up very well with reality. I think one of the real problems we're having right now is that the only measure of a company's worth is the short term stock price; anyone who follows the market even cursorily will know that this is basically meaningless.

At some point, people have come to believe that the end justifies the means when it comes to profits and (especially) stock price. I'm sure that this has been true for some segment of the business population all along, but the average man on the street seems much more willing to accept it now than when I was younger. As long as this attitude persists, you will continue to see big business abuse their customers with impunity.

[ Parent ]

Re: EFF? (none / 0) (#19)
by rusty on Mon May 22, 2000 at 12:20:59 PM EST

Only if you define 'best interests' in terms of short term profit. Yes, I realize that this is how most businesses define it these days, but I'm not at all willing to believe that it matches up very well with reality.

Sorry, you're right. My unstated assumption was, "In the current business climate of ecommerce." Thank you for clarifying.

____
Not the real rusty
[ Parent ]

Economic realities? (3.00 / 1) (#21)
by Noel on Mon May 22, 2000 at 01:27:52 PM EST

It is simply not in the best interests of most companies to protect our information, if they can get away with not doing it.

Only if you define 'best interests' in terms of short term profit. Yes, I realize that this is how most businesses define it these days, but I'm not at all willing to believe that it matches up very well with reality.

Call me a cynic, but that depends completely on which view of reality you take. I think the reason that most businesses are only concerned about the short-term profit is because there's very little incentive in long-term profit any more. Why should a company worry about long-term success, when they can milk the short-term profits and then move on if/when the company buys the farm? Why should an investor worry about the long-term viability of a company when they can make a bundle and then bail out before the nose dive? Why should a company worry about making quality products, as long as they can catch the customer's eye (and wallet) for a brief period of time?

Sad to say, but fewer and fewer people seem to be investing or buying products based on a long-term view...

I really hope I'm just being too cynical, but this sure seems like today's reality to me...[groan]

[ Parent ]

Re: Economic realities? (3.00 / 1) (#22)
by analog on Mon May 22, 2000 at 02:20:05 PM EST

Why should a company worry about long-term success, when they can milk the short-term profits and then move on if/when the company buys the farm?

Because it's an excellent way to ensure that the company will buy the farm.

Why should an investor worry about the long-term viability of a company when they can make a bundle and then bail out before the nose dive?

Because the majority of investors who take this approach will time it wrong and lose their shirts.

Why should a company worry about making quality products, as long as they can catch the customer's eye (and wallet) for a brief period of time?

Again, a company taking this approach will tend not to be around long.

Your arguments all rest on the idea that businesses exist to make as much money as possible as quickly as possible (by sticking it to the consumer if necessary), then bailing. I happen to think that many 'new economy' businesses are following exactly this model, but it doesn't make for a healthy economy; quite the opposite.

Sad to say, but fewer and fewer people seem to be investing or buying products based on a long-term view...

Gotta agree with you here. I also think that you're probably being a realist more than a cynic, but there is one thing to keep in mind. These behaviors will bite the businesses that engage in them. Have you checked the stock market lately? If a business isn't worried about being around in five years, then perhaps throwing ethics to the wind is reasonable from an economic point of view. If a business wants to be around for the long haul, they should probably worry a little less about the short term and a little more about not ticking off their customers.

[ Parent ]

Re: EFF? (4.00 / 1) (#20)
by eann on Mon May 22, 2000 at 12:44:40 PM EST

The fact that Ms. Fena separated with the EFF over ideological differences says a whole lot, both about what TRUSTe and DoubleClick may be up to, and about how willing I was to believe that "EFF" is a trustmark (to borrow a word). In some fairness to me, my original post should be read with that in mind. I still respect the EFF, but I (obviously) need to be more careful about letting that respect carry through to the people involved, in case things like this happen again. :)

I do have a really hard time relying on the "users should know better" defence (at least in part because it's what M$ hides behind whenever anyone points out the security holes in their software). Mostly because I know the users don't know better. But I had to mention it and give it some weight, because it's the kind of attitude we have to deal with when we're discussing this kind of thing with the people who are making the "policies". I'm reminded of the Jane Curtin/Dan Aykroyd skits on SNL where she tries to point out that all his toys are dangerous. TRUSTe is the net's very own "Bag o' Glass".

Really, what can we do? Call for a general boycott of all "trustmarked" sites until they change? Yeah, that'll work. We have to think about their argument, because taking it seriously is the only way we'll make a logical rebuttal.

The most obvious graceful way out: convince TRUSTe (the established brand) to offer a second level of certification, one that does it right, and make them stick to it. That's a whole lot easier said than done.

The other alternative is to get some funding and compete. Ideologically, it's sound. It'd surprise me if there's not already someone doing this (I'm just too lazy to go look). But, like you pointed out, merchants have no incentive to work with an agency like this when they can pay their fee and get their "trustmark" and be done with the whole matter.

They have .com and .org. Take your pick.

My bad. I was going to their original address, which was etrust.com (but not .org). They have since added truste.com and .org, and I didn't check those before I posted.

To put it most simply, yes, vote with your wallet, but at some point someone's gotta complain publicly, or your only choice will be to never buy anything online.

That's what the "encourage others" part was about. :)

So how about it? Are there any orgs who do "real" privacy certification? Can we get the EFF (or some similarly high-profile group) to start a letter-writing campaign to TRUSTe's customers to tell them we're all switching to their competitors because we don't like their privacy policies?

Our scientific power has outrun our spiritual power. We have guided missiles and misguided men. —MLK

$email =~ s/0/o/; # The K5 cabal is out to get you.


[ Parent ]
Re: EFF? (3.00 / 1) (#14)
by analog on Mon May 22, 2000 at 11:52:07 AM EST

You make a lot of sense, but I would like to point out a couple of things.

One is that TRUSTe member organizations have been caught violating their own privacy policies; in every case, TRUSTe responded with some reason why it didn't invalidate the certification, usually by defining what the certification meant extremely narrowly (and IIRC, basically saying in one case that all it meant was that the site involved had a privacy policy). What it basically comes down to is that if you pay the fee, you're certified.

From TRUSTe's web site:

The trustmark is awarded only to sites that adhere to our established privacy principles of disclosure, choice, access and security.

As you see, they're implying that the cert does mean that your data is being protected, when in fact nothing of the sort is happening. This is (IMNSHO) intentionally misleading. There are only two ways I can see of looking at this: they have no established privacy principles, or they ignore them when awarding certification. Either way, they are deceiving the public.

While you are correct that it is difficult to define what level of disclosure the 'average' 'net user would find acceptable, this is no barrier to defining a good privacy certification. It could be as simple as saying that "this site doesn't collect any personally identifiable information; that site does". Having a few different levels of privacy protection would also work well; level one could be doesn't collect any info at all, level five collects all they can get and sells to the highest bidder. At least a program such as this would make it clear what was and wasn't being certified, which is most definitely not the case now.

[ Parent ]

Consumer Misconception, Perhaps (3.70 / 3) (#11)
by jwsh on Mon May 22, 2000 at 11:40:21 AM EST

I was under the impression that having the TRUSTe 'trustmark' on your webpage meant that you:
A) Have a privacy policy posted on your website.
B) Have agreed to follow that policy.
C) Have agreed to arbitration, in the case that you violate it.
D) Have paid some sort of fee.

Now, granted the average consumer may see the logo, and assume that it means that "TRUSTe has read and approved of their privacy policy, so I don't have to." However, that's NOT what it means, and TRUSTe does in fact tell you that! If eBay's privacy policy says "We will give out the color of your underwear to anyone who asks" then as long as they do that, then they're OK. I don't think that TRUSTe WANTS to do anything more than that. All TRUSTe wants to do is ensure Disclosure and Honesty (trust). If you actually click through on the link to TRUSTe, they clearly tell you what their mark signifies. If anything, the only problem is consumer ignorance. Here's what it actually says if you click-through from eBay: https://www.truste.org/validate/398

As a side note, I can't say I have ever actually looked for the UL logo on a product, let alone the TRUSTe logo.

Re: Consumer Misconception, Perhaps (4.00 / 1) (#15)
by rusty on Mon May 22, 2000 at 11:57:53 AM EST

I'm not accusing TRUSTe or anyone else of not doing what they say they are trying to do. What I'm saying is that what they're doing (what they intend to do) is not enough, and is harmful in its insufficiency. What good is TRUSTe when all they really certify is that we have to watch our own asses? The point of UL is that their certification says they're watching our asses for us. And though you may not have looked for the UL seal, I can almost guarantee you it's on every appliance you own, because stores simply don't sell appliances that haven't been approved. Why not have an internet where no one goes to sites that don't have a policy that actually protects your privacy, as opposed to a stated intention to violate it?

Besides all that, have you tried to read a privacy policy lately? Even one certified by TRUSTe? Check out Yahoo's for example. Eleven sections of legalese, with holes big enough to drive tanker trucks through. Something has got to be done about this.

____
Not the real rusty
[ Parent ]

Re: Consumer Misconception, Perhaps (4.00 / 1) (#23)
by jwsh on Mon May 22, 2000 at 02:21:17 PM EST

OK, I think we're on the same page here. I'd agree that it would be nice if we had an "EFF approved" (or whatever) sticker to put on people's webpages. I guess I was just trying to point out that I didn't think TRUSTe ever INTENDED to do what you're asking them to do. And yes, I think someone like the EFF should try to do that. (I am aware that the EFF at least had a partial hand in the creation of TRUSTe, though I admit I am woefully ignorant to what degree, and what their intent was)

Hell, I'd take it one step further. I think it would be nice if an organization were to begin digitally signing people's webpages. Optimally, they could provide a simple description of what the privacy terms were for this site, and you could have your browser warn you when you went to a site which was either unsigned, or fell below your 'privacy threshold' (somewhat like when you transition from an encrypted site to a non-encrypted site).

[ Parent ]

More relevant links (4.50 / 2) (#18)
by rusty on Mon May 22, 2000 at 12:13:25 PM EST

From a letter to the FTC from EFF, which basically concludes that TRUSTe succeeded in getting people to think about online privacy, but has since proven to be a failure:
We now must move out of this awareness-raising mode and into an action mode where real protection can be achieved. Legislation is needed in order to achieve that goal. TRUSTe wouldn't have been successful without the help of government. Without the real threat of government regulation and enforcement, it is very unlikely that there would have been any impetus for companies to devise any plan to protect consumer privacy on their own. It was only when companies were threatened with the specter of governmental regulation that caused them to embrace seal programs like TRUSTe and then BBB Online. This is one reason why we think it is time to move away from a strict self-regulation approach to protecting privacy online.
Clarification on the above from Stanton McCandlish of the EFF, as posted to the fight-censorship mailing list (search the page for "From: mech@eff.org (Stanton McCandlish)", it's the second message):
Our stance has basically been that industry self-reg would be worth trying, but might or might not be enough. We did the "proof of concept" ourselves, by launching and spinning off TRUSTe. But TRUSTe was intended to be and is a separate, independent entity, and was created as an experiment. The experiment is in many ways a failure, and so now we observe and openly state that it is not enough.
Again, more thanks to michael from /. Those YRO monkeys are quick with the links. :-)

____
Not the real rusty

TRUSTe Alternatives.... (none / 0) (#25)
by Anonymous Hero on Tue May 23, 2000 at 07:19:10 PM EST

Since TRUSTe doesn't seem too forthcoming with their own privacy policies..... Check out the BBB OnLine program. Privacy and security policies that will take some work to implement, but they serve as a good guideline for e businesses... http://www.bbbonline.org/

TRUSTe isn't. (none / 0) (#26)
by Anonymous Hero on Tue May 23, 2000 at 10:33:35 PM EST

It appears that TRUSTe has no interest in the spirit of privacy protection, although they provide a fig leaf for companies who collect data and are at least honest enough to say they do. (I just read the eBay page - Maker, help us!!!)

What has to be done is for those in the community who care to call TRUSTe out and tell them AND the public that the TRUSTe mark is not a guarantor of privacy, but is only about providing data collectors some semblance of legitimacy.

Get the word out about what TRUSTe isn't. And get people mad. That's how change happens.



Re: TRUSTe isn't. (none / 0) (#27)
by rusty on Tue May 23, 2000 at 11:40:17 PM EST

Doin' the best I can over here. :-)

I agree with you. I give TRUSTe credit for their original intention, which was to draw attention to the fact that there's a lot of behind the scenes stuff going on with this technology that people wouldn't even know was possible if no one told them. But people generally do know, now, and TRUSTe hasn't gone the next step, into addressing actual privacy needs. But unfortunately, they also haven't corrected the idea that they "protect you" -- quite the opposite, they've promoted that idea, when they of course do no such thing. So, tell everyone you know. Until the general mass of web users call for change, it won't happen. "Industry self-regulation". Humbug.

____
Not the real rusty
[ Parent ]

Re: TRUSTe isn't. (none / 0) (#28)
by analog on Wed May 24, 2000 at 01:15:43 AM EST

"Industry self-regulation". Humbug.

As you can see here, you're not alone in that feeling.

All I can say is that they had their chance. I'm certain we're about to hear no end of whining about how it will kill the internet, but I've no sympathy. It was pretty clear what was expected, and they ignored it.

I would imagine that a goodly stream of dot com venture capital is about to start making its way into GW's campaign coffers...

[ Parent ]

Bad reporting here (none / 0) (#29)
by Anonymous Hero on Thu May 25, 2000 at 10:40:16 AM EST

Taking a portion of the eBay privacy statement out of context to support an attack was truly bad form. The surrounding text of your quote points to the fact that information may be intercepted, or forwarded to law enforcement agencies if eBay suspects illegal activity or if compelled to by the courts. Full paragraph from eBay below:

Unfortunately, due to the existing regulatory environment, we cannot ensure that all of your private communications and other personally identifiable information will never be disclosed in ways not otherwise described in this Privacy Policy. By way of example (without limiting the foregoing), we may be forced to disclose information to the government or third parties under certain circumstances, or third parties may unlawfully intercept or access transmissions or private communications. We can (and you authorize us to) disclose any information about you to law enforcement or other government officials as we, in our sole discretion, believe necessary or appropriate, in connection with an investigation of fraud, intellectual property infringements, or other activity that is illegal or may expose us to legal liability. Further, we can (and you authorize us to) disclose your UserID, name, street address, city, state, zip code, country, phone number, email, and company to eBay VeRO Program participants as we in our sole discretion believe necessary or appropriate in connection with an investigation of fraud, intellectual property infringement, piracy, or other unlawful activity. Therefore, although we use industry standard practices to protect your privacy, we do not promise, and you should not expect, that your personally identifiable information or private communications will remain private.

Re: Bad reporting here (none / 0) (#30)
by rusty on Thu May 25, 2000 at 01:08:53 PM EST

I think my use of the quote stands. Yes, they say that it may be in connection with fraud investigations, but they also have a nasty little policy of sending your name and address off to any of their "VeRO partners" who accuse you of wrongdoing. Not prove or demonstrate wrongdoing, there are no subpoenas involved here -- all they have to do is accuse you. So they can sue your ass. I think the context of the quote fully supports my assertion that eBay's privacy policy basically states that you have none.

____
Not the real rusty
[ Parent ]

Re: Bad reporting here (none / 0) (#32)
by Anonymous Hero on Fri May 26, 2000 at 09:33:03 AM EST

The VeRO program is there to help people to help track down potentially illegal activities on eBay. Before this thread gets dragged down into a discussion of eBay's policies, let me say that I agree with you that the TRUSTe logo can give users a false sense of security.

However, I'm not sure I agree with you that a UL-type of stamp of approval for privacy is a good thing since there's no real way of ensuring privacy on the net unless you never give away any personal information to *anyone*. Not until the US comes to its senses and passes a privacy law similar to those in Europe. (Except France, their lawmakers suck.)

[ Parent ]

I'd trust her (none / 0) (#31)
by Anonymous Hero on Thu May 25, 2000 at 03:45:57 PM EST

She's cute :)
Lori Fena

More TRUSTe info (none / 0) (#33)
by Anonymous Hero on Mon May 29, 2000 at 06:11:33 PM EST

Jamie wrote an excellent article on /. about TRUSTe's lack of credibility. It was posted back in November, you can read it here.

Who's influencing who? (none / 0) (#34)
by Anonymous Hero on Thu Jun 01, 2000 at 06:01:02 PM EST

First, I'm kind of shocked by the negative reaction to Ms. Fena, an Internet savvy person for over *12* years (according to her bio), 2 years longer than I've been aware of the Internet, and probably much longer than the team at DoubleClick. So when Fena, strongly affiliated with TRUSTe (which I have no strong opinions about yet, btw), joins the privacy-discussion board at DoubleClick, it appears as a coup for DoubleClick! What's this? Are male egos cringing at the fear that a woman has the balls to whip privacy-infringing business into shape? Why assume the Faustian bargain scenario, and not the heroism of Isis?

Second, I'm truly shocked by the ho-hum response to FTC regulation of Internet privacy. Wasn't it our government that tried to enact the infamous "Know your customer" laws, requiring banks to fully disclose (to the government, of course) nearly every transaction their customers make? Wasn't it "private by law" Census data which enabled our government in WWII to track down and imprison Japanese Americans? Wasn't it the Social Security Administration that opened Pandora's box by first granting a mandatory universal ID to every worker and then refusing to enforce the SSN privacy policy? Wasn't it the antitrust/Sherman Railroad acts which forced railroad business owners to "open their books" so that every dime of profit could be looted by the government-mandated unions? And we expect the government to protect our privacy? History is a harsh mistress, no?
