Headline from C-Net (March 22, 1999):

Privacy group Truste cleared Microsoft of violating its contract, but on a technicality.

Microsoft’s practice of collecting hardware serial numbers while registering software “compromises consumer trust and privacy,” Truste ruled in response to a consumer complaint. Microsoft admitted it has collected such data, but said it has stopped.

Since the violation did not involve the Microsoft.com Web site, however, the group says it does not have jurisdiction. Truste, which has licensed about 500 Web sites to use its privacy logo, certifies that a Web site has a posted privacy policy, but does not indicate what the policy states.

This illustrates two points nicely. First, Truste is a ludicrous organization with little to no power. While taking a nice stab at privacy issues online, it has simply failed to deliver. Five hundred Web sites is such a tiny percentage of the total number of Web sites online today, it’s practically meaningless. There are well over five million Web sites online today. That means a paltry 0.01 percent of the Web sites online have taken up Truste’s offer for a “privacy audit.” That’s not broad-based support; that’s non-existent support. (Even if we were to agree that only a small percentage of those Web sites collect or track user information [such as cookies], say 500,000, we’re still left with the unimpressive 0.1 percent coverage.)

Second, it shows that when the rubber meets the road, Truste cannot be trusted. Truste whitewashed Microsoft’s invasion of consumers’ privacy and the violation of their trust through this software “bug.” In 1998, Truste member Geocities violated their users’ privacy by sharing their information with third parties, without the users’ knowledge or consent.

Where’s the Beef?

Truste’s Web site is notoriously lacking any information about its members’ practices, or about the complaints which have been filed. There is no archive of such complaints (are we to believe no complaints have been filed against any of its member sites in the two years it’s been in business, except Microsoft’s?). Looking for older press releases which may shed light on some of these issues? Sorry, those only go back to early 1998.

You would think an organization devoted to the plain publishing of privacy information would be chock full of such information on their own Web site. Where is the list of members’ status? When did a particular member join the initiative? How much did they pay to join? How many organizations or businesses applied, but were rejected? All of this is important, valuable information if we are to trust the truster. As it is now, there is little reason to believe that Truste is anything more than an industry mouthpiece.

Regulatory Authority

Even if Truste did live up to its potential and signed up 100 percent of the Web sites which track users via cookies, or store user information on their sites, what power of enforcement does Truste have? If an organization doesn’t like Truste, they can simply leave the organization. It has no regulatory teeth and no enforcement power. Relying on “bad press” doesn’t exactly seem like the ideal policing mechanism.

Where Truste is fearful of treading, however, the U.S. Federal Trade Commission has no such fears. In 1998, it investigated Geocities’ practices, charging them with distributing personal data about its two million members to marketers after promising not to disclose the information in its written privacy policy. In response, Geocities stock dropped by as much as 22 percent, costing the company millions of dollars for their failure to protect their members’ privacy online. Where was Truste in this mess? Geocities was a member of Truste in May 1998. Were their current or past privacy policies even examined? It’s unclear that they were. There is not a single mention of this on the Truste Web site.

Moving On…

Truste was a good attempt at an industry-sponsored initiative to protect online users’ privacy. It has simply failed to do so. It is not large enough to be effective and publishes little information about its members’ sites and their “report cards” on how well they are doing. Their agreement with their members appears to be ineffective. If they can’t protect us against a monolith like Microsoft invading our privacy, then what use are they? If they willingly accept Geocities as a member after the site shares your personal information with advertisers without your consent, how stringent are their membership criteria then?

I’m not sure I’m for expanding the U.S. Federal government’s power in this area, but as the FTC illustrated, it already has the jurisdiction and ability to act on privacy complaints. The question then becomes, is an organization like Truste even useful? Does it add something to this issue? Warm fuzzies from seeing that “trustmark” on a Web site? I don’t think it’s worth it.

Without more openness on Truste’s part, Truste is a doomed initiative. Without closely re-examining their membership qualifications and licensing agreement, to broaden their scope to readily include such breaches as the Microsoft “bug,” and publishing more information about the organization and its own practices, it will die an eventual, federal-regulated death.