TRUSTe Answers The Challenge and Asks Mr. Edelman To Do The Same…

As per my previous open challenge to TRUSTe, Carolyn Hodge, Marketing Director for TRUSTe, accepted the challenge and answered the many questions posed. Find below the answers, transcribed from a read-only Word file sent by Carolyn, along with a request of her own which I shall kick off in a new blog entry. Comments off, trackbacks on, as per the rules of engagement. Time permitting, I will post interesting links or entries in an addendum, be they pro or con. As a mediator I will not interject any commentary.

Porter’s Interview With TRUSTe

Carolyn Hodge: Thank you for the opportunity to answer these questions. TRUSTe is always willing and eager to get expertise and answers from a variety of sources.

I don’t want anyone to have the impression that website privacy isn’t important, or that the TRUSTe privacy seal program doesn’t do its job well when it comes to our core program requirements and processes surrounding personal information collection and use on websites. We enable privacy, as we define it in our program, very well. For online publishers and merchants not engaged in software publishing or distribution, privacy seals are the best way to reassure customers about your investments in these “back-office” practices and policies.

Anti-spyware and internet crime fighters have to act first and ask questions later. TRUSTe’s job is to present incentives to businesses to adopt higher standards for privacy, permission email, and software.

Wayne Porter: 1) When TRUSTe learns of a company with outrageously bad practices — like Webhancer becoming installed without users’ consent — why not just terminate the company’s certification right then? Why wait months or years?

Carolyn Hodge: First, I’d like to disabuse everyone of the idea that it is profit motive that keeps TRUSTe from terminating companies. We have turned away more than fifty sites with software since 2005; we don’t certify upwards of 12% of applicant sites; and in many cases very large potential sealholders are not able to complete certification because of our requirements or our legal agreements.

There is an argument to be made for terminating immediately – and yes, this would punish a company for alleged bad behavior. There is also an argument to be made for executing our mission – to increase trust between businesses and consumers. To accomplish that mission, TRUSTe changes business practices for the benefit of consumers, and there are some limiting factors that keep this from occurring immediately:

1) TRUSTe must investigate independently.
2) Contractually, we can only certify to, and enforce standards within, our program requirements, so we need to develop new standards to handle emerging issues.
3) TRUSTe can require these companies to be responsive to consumer complaints if we still have them under contract.

In the case of Webhancer and other software, TRUSTe recognized in early 2005, when we participated in the Anti-Spyware Coalition events, that we did not have the internal capability to test software, or reasonable standards to offer software publishers. TRUSTe has built the Trusted Download Program to address that gap, and has built the process and policies to test downloadable software, in cooperation with AppLabs, our testing lab partner.

Wayne Porter: 2) You claim “TRUSTe has been decertifying adware and trackware from our program for some time.” But specifically says “Number of companies terminated: 2.”

Exactly how many companies did TRUSTe decertify for being adware or trackware, or for violating their privacy policies?

Carolyn Hodge: TRUSTe cannot terminate any companies for being adware or trackware. We terminate companies based on violations of our policies and non-cooperation. 79 companies have failed or been terminated since October 2005 alone.

Since early 2005, TRUSTe has turned away on average four sites per month with adware or trackware, and has required those websites to wait for our Trusted Download program to submit applications for certification.

Wayne Porter: 3) Is there any public list of “decertified” programs and companies?

a) How does this decertification work? Does it occur as soon as TRUSTe learns of a site’s bad practices?

b) Or only at the end of a sealholder’s prepaid seal period?

Carolyn Hodge: No. Our customer list is constantly changing with new companies getting certified, and companies which are not renewed or terminated. TRUSTe does not maintain a blacklist – that is a job better accomplished by others.

Wayne Porter: 4) How did it happen that seven IAC/ sites were listed on the TRUSTe member list for 17+ months, without TRUSTe noticing?

Carolyn Hodge: I don’t have a good enough reason for this; it is a database design and hierarchy issue, and relates to our moratorium on sites with software downloads. No consumer ever encountered a TRUSTe seal on those websites, and that is how consumers know a company is certified.

Wayne Porter: a) Does TRUSTe feel people can be confident that the page is really accurate?

Carolyn Hodge: Yes. Also, if anyone else noticed 17+ months ago or even 4 months ago that this was listed but not certified, why not just tell us? Further, the primary point of interaction of a consumer with TRUSTe isn’t the webpage’s list, it is the seal and the verification pages.

Wayne Porter: b) Are TRUSTe’s procedures and internal “housekeeping” up to snuff for the task TRUSTe has decided to attempt?

Carolyn Hodge: Yes. TRUSTe doesn’t claim to be infallible, and we are a learning organization. We recently received Privacy Professional certifications for a number of our staff. Further, we have hired some strong experts in the privacy field to increase our bench strength. Trust isn’t a destination, it’s a journey.

Wayne Porter: 5) Specific examples of long-certified problematic sites:

a) Webhancer: January 2003 to this very day — Nearly 4 years.

b) Hotbar: January 2002 through June 2005 — 3.5 years.

c) Direct Revenue: April 2005 (or earlier) to January 2006 (or later) — 8+ months

d) Maxmoolah (recalling from Ben’s SiteAdvisor paper: 485+ emails/week): February 2005 (or earlier) to March 2006 (or later) — 14+ months

e) eZula: November 2004 to April 2005 — 6 months

f) IAC/Ask’s Cursormania, Funbuddyicons, FunWebProducts, Historyswatter, Mymailstationery, Smileycentral, Popularscreensavers — listed from May 2005 (or earlier) through September 12, 2006 (or later), but apparently never actually certified by TRUSTe — 17+ months

Carolyn Hodge: (see answer above)

Wayne Porter: Why the lengthy delays?

Carolyn Hodge: Webhancer will be required to submit their software applications to Trusted Download program in order to be re-certified in the privacy seal program.

Wayne Porter: 6) What is the size and security / privacy knowledge qualifications of the TRUSTe certification and compliance staff?

Carolyn Hodge: TRUSTe has two of the premier privacy attorneys in the country managing the policy and compliance functions. John Tomaszewski was the Chief Privacy Officer for CheckFree and Martha Landesberg spent many years at the FTC where she helped draft the rules around children’s privacy. Half of our certification and compliance staff is CIPP certified by the International Association of Privacy Professionals.

With the launch of Trusted Download program, we are partnering with AppLabs to augment our security and technical capabilities with regard to software testing and monitoring. This is the first time TRUSTe will be utilizing an outside party to conduct portions of its certification process.

Wayne Porter: 7) Is there a possible disconnect between what the TRUSTe seal is really certifying and public perception of what the seal means? That is…

a) Does TRUSTe even factor into their certification approval process the distribution methods, EULA presence at install, informed consent at install, etc. of their potential partners who use adware/malware?

b) Will TRUSTe certify a partner as long as they have an accurate Privacy Policy on a web site, regardless of what type of information is collected via the software or how that information is used? Does TRUSTe consider the ability (or inability) of the end user to access such a Privacy Policy through the software or how obvious (apparent) any such access may be for the consumer.

Carolyn Hodge: TRUSTe’s main goal is to provide consumers with informed consent for use of their personal information, and in the case of software for download, information collection, and uninstall. This is exactly what the Trusted Download program does. There are specific requirements with regard to information collection in the web seal program including limitations regarding what the site owner can and cannot do with data collected through the site. TRUSTe’s program requirements are based on the OECD guidelines and as such there are some prohibited practices.

It is not sufficient to just have a privacy policy. With regard to software, the Trusted Download program requires informed consent, and easy access to information on policies, how to download, and operation of software.

Wayne Porter: 8) Have TRUSTe’s standards kept up with evolving practices and technology used on the Internet related to consumer data collection? For example, AdOnNetwork (formerly MyGeek) is TRUSTe certified. They do have a written Privacy Policy on the AdOnNetwork web site. However, a large part of their business is focused on supplying ads to numerous adware/spyware/malware applications through their CPV (cost per view) program. This is just one company on the TRUSTe list, but the following questions would apply to other companies listed as well.

a) Does the TRUSTe certification only apply for consumers who voluntarily access the AdOnNetwork web site? Does it also apply to the data that may be collected and tracking that may occur for unknowing consumers during AdOnNetwork’s ad displays through the various adware/malware applications from AdOnNetwork’s ad serving domain?

b) Is AdOnNetwork expected to comply with TRUSTe standards for certification through the domain which serves their ads and the consumers who “access” the site via the ad display in adware?

c) Does TRUSTe test and monitor what information may be tracked and collected through the various adware partners of AdOnNetwork? This can vary with the software technology partnering with AdOnNetwork.

Carolyn Hodge: You bring up some interesting questions about advertising networks. With regard to AdOnNetwork and any advertising network that is part of the TRUSTe privacy seal program, we are not certifying the network.

TDP will be testing and monitoring behavior of applications that come through the program. TRUSTe will be encouraging AdOnNetwork and others to choose to only work with software that has come through our program. We unfortunately do not have the infrastructure to go out and test every application that an ad network partners with.

Trusted Download will provide an opportunity for Advertisers to only appear in trustworthy applications. We expect this will change how advertising networks operate in the long term.

Wayne Porter: 9) Does TRUSTe feel that the value of their seal to reputable, brand-conscious merchants is diminished in any way when the seal is also present on sites with very public online consumer dissatisfaction? Even though the consumer dissatisfaction may not relate directly to TRUSTe published standards.

Carolyn Hodge: Yes, having potential bad actors in our program is an issue we take very seriously. But it doesn’t diminish the need for merchants to step up to better privacy practices, and to try to ensure their partners and service providers are following similar standards.

Merchants can also trust that our investigation and enforcement processes are going to treat them fairly when their practices are questioned. TRUSTe’s first response to any potential issue is, optimistically, to change behavior, not immediately punish.

Wayne Porter: 10) Webhancer: anyone who has tested DollarRevenue recently has seen Webhancer dropped without user consent. Suzi Turner of ZDNET Spyware Confidential has seen this in action. The Facetime Security Labs team has seen this in action, Kellie Stevens from AffiliateFairPlay has seen this in action, and I am sure Ben Edelman has too.

I have personally witnessed this, and I am not without some security credentials, experience, and a MSFT Security MVP designation, meaning I am qualified to spot a non-consensual installation. This TRUSTe member is getting installed without clear consent on numerous occasions.

a) Have you or TRUSTe seen this behavior?

b) If so what is the delay?

c) If you have not- why not?

d) Does TRUSTe feel the use of exploits, worms or malware to be justification for immediate revocation?

Carolyn Hodge: No, we have not seen this behavior. We were previously not in the business of testing distribution methods of downloadable software, nor were we installing software as part of our certification practices. We encourage complaints, from those who do testing, about any companies via our Watchdog system.

Wayne Porter: 11) What, in your opinion, has TRUSTe done really well and why?

Carolyn Hodge: TRUSTe is celebrating its 10th year anniversary in 2007. If you think about the state of e-commerce and online privacy in 1997 and the differences now, TRUSTe has played an enormous role in several areas.

1) Making the privacy statement ubiquitous online, an accomplishment that is lagging offline.

2) Increasing practices for permission marketing on websites and in email

3) With the launch of Trusted Download program TRUSTe will be eliminating any excuses for intrusive behavior from software publishers, and introducing accountability into online advertising.

This has all been accomplished by being a trustworthy partner to businesses, while changing practices to benefit consumers.

Wayne Porter: 12) Where or at what, in your opinion, has TRUSTe performed poorly and why?

Carolyn Hodge: In addition to changing industry practices, TRUSTe has been asked to undertake consumer education around privacy. Anyone who has tried to educate consumers on privacy or security knows this is easier said than done. The best message we can get out to consumers is to let companies know how important privacy is, and give feedback on privacy practices.

Wayne Porter: 13) Given the evidence from many security analysts, would you personally tell a family member, or someone you care about, that a site displaying a TRUSTe seal is probably trustworthy?

Carolyn Hodge: Yes, unequivocally, consumers should take TRUSTe as one factor in determining a site’s trustworthiness. But our top ten tips for consumers include anti-spyware and anti-virus protections, reading the privacy statement and terms of service, and other protective behaviors.

Even when a company is under investigation by TRUSTe, consumer information and data benefits more from third-party oversight than when a company is not under contract with us. There is no silver bullet, and some companies, and some of our sealholders are likely to be among them, will encounter challenges in privacy. To be corny, privacy and trust aren’t a destination, they are a journey.

There is also a place for respectful websites, downloadable software and marketing promotions that offer a clear value proposition for consumers, and require informed consent. Our goal is to make that happen.

Wayne Porter: 14) This is the end of the questions. Did you, or TRUSTe staff, find it useful, thought provoking, or helpful in any way?

Carolyn Hodge: Yes. Thank you for the opportunity to elaborate on what we do, and where we are going with Trusted Download.

Summary: In closing, I think this is excellent, thought-provoking material for discussion among merchants, networks, and privacy and security vendors, as well as everyday people; after all, that is who we all seek to serve.

As turnabout is fair play, Carolyn asked me to pose a few questions for Ben Edelman to answer. In all fairness I think this is a reasonable request given his critique, and a way to continue the conversation. I shall post the questions in the next blog entry for Ben Edelman to choose to answer or decline, all or in part, and give him adequate time to reply. Same rules apply: comments off, trackbacks on, addendum to any link in particular (pro or con), time permitting.

About Wayne Porter

Wayne Porter is one of the original founders of, and served as the CEO and founder of, XBlock Systems, a specialized research firm on greynets and malware research, before it was acquired by unified communications security leader Facetime Security Labs. His work includes serving as a panelist at the Federal Trade Commission to shape legislation on software and the creation of two patent-pending technologies for corporate networks. Wayne is a frequent speaker at e-commerce and business events including CJU, ASW and RSA, and is frequently cited in the press. He has been designated a Microsoft Security MVP three times and is recognized on Google’s Responsible Security Disclosure page, in addition to receiving the first Summit Legend Award. Wayne currently works as a Security Consultant on Social Media and operates a consultancy on digital worlds. His hobbies include reading science fiction, playing chess, fishing, writing, collecting shiny digital gadgets, playing racquetball and studying memetic engineering. He maintains a personal weblog at detailing his explorations in security, web 2.0, and virtual worlds.
You can follow Wayne on Twitter: @wporter.