home
about
downloads
support
forums
|
Self-policing of Your Privacy Isn't Sufficient
John M. Grohol, Psy.D.
March 23, 1999
Headline from C-Net (March 22, 1999):
Privacy group Truste cleared Microsoft of violating its
contract, but on a technicality.
Microsoft's practice of collecting hardware serial numbers while
registering software "compromises consumer trust and privacy,"
Truste ruled in response to a consumer complaint. Microsoft
admitted it has collected such data, but said it has stopped.
Since the violation did not involve the Microsoft.com Web site,
however, the group says it does not have jurisdiction. Truste, which
has licenses about 500 Web site to use its privacy logo, certifies
that a Web site has a posted privacy policy, but does not indicate
what the policy states.
This illustrates two points nicely: Truste
is a ludicrous organization with little to no power. While taking a nice stab
at privacy issues online, it has simply failed to deliver. Five-hundred Web
sites is such a tiny percentage of the total amount of
Web sites online today, it's practically meaningless.
There are well over 5 million Web sites online today. That
means a paltry 0.01% of the Web sites online have taken
up Truste's offer for a "privacy audit". That's
not broad-based support; that's non-existent support.
(Even if we were to agree that only a small
percentage of those Web sites collect or track
user information [such as cookies], say
500,000, we're still left with the unimpressive
0.1% coverage).
Second, it shows that when the rubber meets the road,
Truste cannot be trusted. Truste whitewashed Microsoft's
invasion of consumers' privacy and the violation of their
trust through this software "bug". In 1998,
Truste member Geocities violated their users privacy
by sharing their information with third
parties, without the users' knowledge or consent.
Where's the Beef?
Truste's Web site is notoriously lacking any information
about its members' practices, or about the complaints
which have been filed. There is no archive of such
complaints (are we to believe no complaints have been
filed against any of its member sites in the 2 years
its been in business, except Microsoft's?). Looking for
older press releases which may shed light on some of
these issues? Sorry, those only go back to early 1998.
You would think an organization devoted to the
plain publishing of privacy information would
be chock full of such information on their own
Web site. Where is the list of members' status?
When did a particular member join the initiative?
How much did they pay to join? How many organizations
or businesses applied, but were rejected?
All of this is important, valuable information
if we are to trust the truster.
As it is now, there is little reason to believe
that Truste is anything more than an industry
mouthpiece.
Regulatory Authority
Even if Truste did live up to its potential and signed-up
100% of the Web sites which track users via cookies, or
store user information on their sites, what power of
enforcement does Truste have? If an organization doesn't
like Truste, they can simply leave the organization.
It has no regulatory teeth and no enforcement power.
Relying on "bad press" doesn't exactly
seem like the ideal policing mechanism.
Where Truste is fearful of treading, however, the U.S. Federal
Trade Commission has no such fears. In 1998, it
investigated Geocities practices, charging them
with distributing personal data about its 2 million members
to marketers after promising not to disclose the information
in its written privacy policy. In response, Geocities
stock dropped by as much as 22%, costing the
company
millions of dollars for their failure
to protect their members' privacy online.
Where was Truste in this mess? Geocities was
a member of Truste in May, 1998. Were their
current or past privacy policies even examined?
It's unclear that they were. There is not a single
mention of this on the Truste Web site.
Moving On...
Truste was a good attempt at an industry-sponsored initiative
to protect online users' privacy. It has simply failed
to do so. It is not large enough to be effective and
publishes little information about its members'
sites and their "report cards" on how well
they are doing. Their agreement with their members
appears to be ineffective. If they can't protect
us against a monolith like Microsoft invading our
privacy, then what use are they? If they willingly
accept Geocities as a member after the site shares
your personal information with
advertisers without your consent, how stringent
are their membership criteria then?
I'm not sure I'm for expanding the U.S. Federal government's
power in this area, but as the FTC illustrated, it already
has the jurisdiction and ability to act on privacy complaints.
The question then becomes, is an organization like Truste
even useful? Does it add something to this issue? Warm fuzzies
from seeing that "trustmark" on a Web site?
I don't think it's worth it.
Without more openness on Truste's part, Truste is a doomed
initiative. Without closely re-examining their membership
qualifications and licensing agreement, to broaden their
scope to readily include such breaches as the Microsoft
"bug", and publishing more information
about the organization and its own practices, it will die
an eventual, federal-regulated death.
|
|
|
|
|