Is TRUSTe Trustworthy?

By Jamie McCarthy jamie@mccarthy.org

This email is sent to Susan Scott, Executive Director of TRUSTe; to geoprivacy@geocities.com; and Cc'd to the fight-censorship mailing list. Fight-censorship is a list for speech and privacy concerns, which had some discussion of this topic last week. Please Cc replies to this mailing list. Thank you.

It is now one week after the first press reports of the FTC agreement with GeoCities. According to the press of the FTC report, GeoCities had:

misrepresented the purposes for which it was collecting personal identifying information from children and adults...

or, according to one FTC attorney:

We are not trying to tell them what their privacy policies ought to be. They just have to disclose those policies.

Says the New York Times:

the new [GeoCities] privacy statement, reached from a tiny link on the company's home page, now says:

"For those who elect to receive promotional materials from GeoCities or third parties, and who indicate that they do in their profile, we do release personally identifiable information" including "name, street address, e-mail address, interests, GeoCities neighborhood, and the broader personal information (e.g., level of education, occupation and marital status)."

Previously, the [Federal Trade Commission] said, the site's registration page said, "We will not share this information without your permission," though the company did release it, even without permission.

According to GeoCities' spokespeople, however,

The company has denied the allegations contained in the FTC's complaint and believes that it has acted fairly with its customers.

This discrepancy remains unresolved. GeoCities has noted on its home page that they "recently settled a privacy issue with the FTC. For more info, see our privacy statement." There are at least two things identified on the linked pages as being privacy statements, but it seems what is meant is the Privacy Statement from the GeoCities founder which reads in part:

To confirm the adequacy of our disclosure practices in the area of information collection and use, GeoCities has submitted our privacy statement to TRUSTe, an industry self-regulation group. For more information on TRUSTe, see:

https://www.truste.org

TRUSTe has certified the GeoCities privacy statement as an accurate representation to consumers of GeoCities' information collection practices.

To recap what is known so far: the FTC -- after a three-month investigation -- still has serious concerns over GeoCities' policies and believes that GeoCities is still playing fast and loose with users' privacy. However, the FTC will be satisfied with GeoCities' properly _notifying_ its users of exactly what compromises are being made with their privacy.

Meanwhile, TRUSTe has not breathed a word about the subject either way. They continue to certify GeoCities as trustworthy. Furthermore -- according to GeoCities in the above quote -- TRUSTe has "certified" that the GeoCities statement on privacy is an "accurate representation" of what is actually going on behind the scenes.

Which is exactly the opposite conclusion reached by the FTC's three-month investigation. Furthermore, GeoCities seems to now be saying that they _will_ share personally identifiable information with third parties -- exactly as they were doing before, except now they will not be lying about it to websurfers.

Is it TRUSTe's purpose to certify that a website is "trust"worthy in that it will not share personal information with third parties? Or does it only certify that a website is "trust"worthy in that it will not _lie_ about its privacy (or lack thereof) policies?

Either way, if there is any truth at all to the FTC reports, then TRUSTe dropped the ball over the last three months and owes its real clients -- by that I mean its millions of nonpaying clients who see its logo every day -- an explanation.

TRUSTe's silence is not helping matters. For it to regain our trust, it is time -- it is past time -- to start talking about what problems there were with GeoCities, what the FTC found that TRUSTe did not, what TRUSTe learned through its own investigations, and why TRUSTe remained silent until the FTC went public.

TRUSTe describes its review program as follows:

To ensure that privacy principles and disclosed practices are met, our program is backed by a multi-faceted assurance process consisting of:

Initial and periodic reviews of the site by TRUSTe

"Seeding": We submit personal user information ourselves to ensure that the site isn't violating its stated privacy policies

Conformance reviews by TRUSTe's official auditors, Coopers & Lybrand and KPMG Peat Marwick

Complaints and feedback from users

and:

Initial and Periodic Reviews

After a Web site has completed a formal application to become a TRUSTe licensee, a TRUSTe account representative advises the site on how to build privacy statements that comply with TRUSTe principles. The TRUSTe representative conducts initial and periodic reviews of each site to ensure consistency, adherence to program principles, and whether privacy statements disclose what type of information is being gathered, how it will be used, and with whom it will be shared.

[...]

Enforcement

If a Web site fails a conformance review or if TRUSTe suspects a site of being in non-conformance to their stated privacy practices, TRUSTe will conduct an escalating investigation against the site. Depending on the severity of the breach, the investigation could result in penalties, an on-site conformance review, or revocation of the participant's trustmark license. After exhausting all escalation efforts, extreme violations will be referred to the Federal Trade Commission (FTC) for fraud and/or deceptive practices prosecution; or TRUSTe may pursue breach of contract or trademark infringement litigation against the site.

The immediate question that comes to mind for GeoCities is:

Exactly what changes have been made since the beginning of the FTC's investigation, if any?

The questions that come to mind for TRUSTe are:

1) What did the initial review of GeoCities consist of? (Who conducted it, what was the methodology, during what time period did it take place, etc.)

2) Did subsequent periodic reviews of GeoCities take place? If so, when and what did they consist of?

3) Was TRUSTe aware of the FTC's investigation before June, when GeoCities made that information public?

3a) If so, why was nothing said, or e.g. why was GeoCities' validation (applied-for in April, announced in May) not temporarily removed until the matter was cleared up? And, what actions were taken as a result of knowing of the ongoing investigation?

3b) If not, then given that TRUSTe is supposed to be the private sector watchdog that will eliminate the _need_ for government agencies like the FTC to investigate privacy concerns, how does TRUSTe justify its existence?

4) GeoCities and the FTC each deny the other's reports. Which side does TRUSTe say is correct? Why?

5) Why is it nowhere pointed out on TRUSTe's or GeoCities' site that GeoCities and Engage Technologies are both subsidiaries of the same parent company (CMG Industries) and that Engage Technologies is a sponsor of TRUSTe? Is this not a conflict of interest, especially given the fact that GeoCities held its IPO just a few days before the FTC report was released, and thus that millions of dollars of the sponsor's money were at stake?

6) If it turns out that TRUSTe's investigation of GeoCities seems to be less than thorough -- and given that absolutely nothing has been said publicly to date, this must be the null hypothesis -- how can TRUSTe assure its users that the sponsoring relationship with Engage has not affected the client relationship with GeoCities?

These questions all are ways of getting at one thing, which would be: is TRUSTe's confirmation of the trustworthiness of GeoCities, and its other paying clients as well, merely a rubber stamp of approval, or does TRUSTe make a serious effort to uncover and reveal information to its more important, nonpaying clients -- its users?

Since TRUSTe is in a precarious position between being an advocate for user rights and a paid client of industry, it is in the organization's best interest to be open and forthright about these sorts of queries. So I hope that this email will be taken in the spirit in which it was intended. That is, inviting TRUSTe to give us assurance that, although it earns its money in the short term from large corporations, and although GeoCities is a related company to one of its sponsors, TRUSTe realizes that its long-term survival depends on one thing and one thing only: its credibility. Or, if you will, its TRUSTworthiness. And thus, its willingness and determination to perform intensive investigations when necessary, and then to justify its actions in the public sphere.

Thank you.

http://www.news.com/News/Item/0,4,25258,00.html
http://www.nytimes.com/library/tech/98/08/biztech/articles/14geocities.html
http://www.nytimes.com/library/tech/98/08/biztech/articles/16data.html
http://www.geocities.com/main/info/company/privacy.html
http://www.truste.org/validate/346
http://www.truste.org/users/program.html
http://www.truste.org/users/assurance.html


Jamie McCarthy lives in Michigan. He is the Webmaster of http://www.holocaust-history.org/ and a founding member of The Censorware Project, http://censorware.net/