Just How Trusty Is Truste?

By Paul Boutin

2:00 a.m. April 9, 2002 PDT

Enron had Arthur Andersen. Yahoo has Truste, the nonprofit privacy organization whose seal of approval is designed to assuage consumer fears about giving personal information to websites.

But Yahoo's recent announcement of sweeping changes in the way it will use customer data collected under previous policies has many calling Truste's seal as meaningless as an Andersen audit.

Even Esther Dyson, the high-profile technologist who played a major role in Truste's launch five years ago, says she is "disappointed in what ended up becoming of it." By its own account, Truste was conceived at Dyson's industry-leading PC Forum conference in 1996. Dyson credits others with the concept, but she pushed both publicly and privately for the establishment of the nonprofit company and adoption of its "trustmark," which certifies that online companies comply with their own stated privacy policies.

Truste makes no attempt to set privacy policies. It merely ensures that companies clearly state their own rules for handling customer data, and then adhere to them. "We thought disclosure would be enough," Dyson said.

Web surfers, her reasoning went, would read the various companies' policies themselves and make their own choices, letting companies use privacy policies as a competitive differentiator. Truste's seal would simply ensure that the policy was being followed, so that "between two sites I've never heard of, I'd rather pick the one that has the Truste logo," she explained. But over the years, a series of Truste clients have managed to violate the spirit, if not the letter, of their Truste-approved policies.

Rather than revoking seals left and right, Truste officials often seemed to be covering for their clients -- explaining, in one case, that a Real Networks media player which reported users' video selections back to Real headquarters in Seattle was "outside of the scope of Truste's current privacy seal."

Their reasoning: The program uploaded data not to Real's website, but to a nearby set of servers.

"That symbol is meaningless, because of the number of institutions it has been associated with and the things they've gotten away with," said Yahoo user Jenifer Jenkins, who claims she stopped using Yahoo mail and other services last week after learning of the company's policy changes. "If (Yahoo) wants to be the first place people go on the Internet, they need to clean up their act."

Dyson agreed that, despite being co-founded by outspoken privacy advocates the Electronic Frontier Foundation, Truste's image has slipped from consumer advocate to corporate apologist. "The board ended up being a little too corporate, and didn't have any moral courage," she said. "Clearly, if you're hostile all the time you're not very effective. But you have to have the moral courage to say, 'This is wrong, even if it's not in our contract.'"

Truste executive director Fran Maier argued that in Yahoo's case, critics don't recognize how much work her organization did to keep the megaportal in line -- not only with its own policy, but with generally acceptable behavior. "I can't tell you all the things they wanted to do, but believe me, we were there," she said.

"We reviewed a number of proposed changes, some of which were made, some weren't," she added. "It went through the highest level of oversight at Truste. Before they can launch or relaunch something with our seal on it, they have to deal with our review."

Truste sharply criticized client eBay a year ago for making similar changes to customers' marketing choices without sufficient notice. "EBay has to set the right example," a Truste spokesman said at the time. Truste's suggestions to Yahoo included increased notification to customers and press briefings before the announcement to reduce confusion, Maier said.

Unlike a financial auditing firm, Truste has fewer than 20 employees to handle its 2,000 clients. The company can make suggestions and demand documentation of compliance with contracts, but can't send an army of auditors onsite to pore over systems and records, nor does it have any direct enforcement authority.

Should a client violate its contract, Truste's options are to call in the Federal Trade Commission and file or join lawsuits against the company. That's what Truste did two years ago when sputtering dot-com Toysmart sold its customer list despite a posted promise never to do so (a company spokesman famously declined to define the word "never" to reporters). Besides the threat of an FTC investigation, Truste contracts can also require clients to foot the bill for investigating themselves, Maier added. "We bring in auditors to determine how it happened and how to fix it," she said. "The company has to pay for that."

Security and privacy experts warn, though, that once a customer's data has been leaked beyond promised limits, it's too late -- the spread of information can't be undone. "But fundamentally there's no enforcement mechanism," said Lee Tien, an attorney with the EFF, which no longer has organizational ties to Truste. "A trustmark does more harm than good by creating an illusion of privacy where none exists," added Seth Ross, chief strategy officer of PC Guardian, a maker of computer security products in San Rafael, California. "A meaningless logo may induce people to make information disclosures that they would otherwise avoid."

On that note, Dyson doesn't think the blame lies solely at the feet of Truste or its clients. "I've also been disappointed in consumers," she said, "in that they've not been proactive in protecting their own data. You do a survey and consumers say they are very concerned about their privacy. Then you offer them a discount on a book and they'll tell you everything."

Copyright © 1994-2002 Wired Digital Inc. All rights reserved.


From:

http://www.wired.com/news/exec/0,1370,51624,00.html