TRUSTe: Fourteen Questions… Lots of Them Actually
TRUSTe says to bring on the questions, and I admire them for that, so here they are. In fairness, some of these can take some time, so I have allotted at least twenty-four hours for Carolyn to answer in a return .doc.
If there are extenuating circumstances, she can please feel free to contact me if she needs more time; I believe she has my telephone numbers and e-mail now.
Note: Carolyn reports she and staff will tackle questions over the weekend. So expect replies early next week. Fixed some spacing issues for readability.
Here we go….
1) When TRUSTe learns of a company with outrageously bad practices — like Webhancer becoming installed without users’ consent — why not just terminate the company’s certification right then? Why wait months or years?
2) In a comment on MaineToday.com you claim “TRUSTe has been decertifying adware and trackware from our program for some time.” But http://www.truste.org/about/fact_sheet.php specifically says “Number of companies terminated: 2.”
a) Exactly how many companies did TRUSTe decertify for being adware or trackware, or for violating their privacy policies?
3) Is there any public list of “decertified” programs and companies?
a) How does this decertification work? Does it occur as soon as TRUSTe learns of a site’s bad practices?
b) Or only at the end of a sealholder’s prepaid seal period?
4) How did it happen that seven IAC/Ask.com sites were listed on the TRUSTe member list for 17+ months, without TRUSTe noticing?
a) Does TRUSTe feel people can be confident that the page is really accurate?
b) Are TRUSTe’s procedures and internal “housekeeping” up to snuff for the task TRUSTe has decided to attempt?
5) Specific examples of long-certified problematic sites:
a) Webhancer: January 2003 to this very day — Nearly 4 years.
b) Hotbar: January 2002 through June 2005 — 3.5 years.
c) Direct Revenue: April 2005 (or earlier) to January 2006 (or later) — 8+ months
d) Maxmoolah (recalling from Ben’s SiteAdvisor paper: 485+ emails/week): February 2005 (or earlier) to March 2006 (or later) — 14+ months
e) eZula: November 2004 to April 2005 — 6 months
f) IAC/Ask’s Cursormania, Funbuddyicons, FunWebProducts, Historyswatter, Mymailstationery, Smileycentral, Popularscreensavers — listed from May 2005 (or earlier) through September 12, 2006 (or later), but apparently never actually certified by TRUSTe — 17+ months
g) Why the lengthy delays?
6) What are the size and the security/privacy knowledge qualifications of the TRUSTe certification and compliance staff?
7) Is there a possible disconnect between what the TRUSTe seal is really certifying and public perception of what the seal means? That is…
a) Does TRUSTe even factor into their certification approval process the distribution methods, EULA presence at install, informed consent at install, etc. of their potential partners who use software applications?
b) Will TRUSTe certify a partner as long as they have an accurate Privacy Policy on a web site, regardless of what type of information is collected via the software or how that information is used? Does TRUSTe consider the ability (or inability) of the end user to access such a Privacy Policy through the software or how obvious (apparent) any such access may be for the consumer?
8) Have TRUSTe’s standards kept up with evolving practices and technology used on the Internet related to consumer data collection? For example, AdOnNetwork (formerly MyGeek) is TRUSTe certified. They do have a written Privacy Policy on the AdOnNetwork web site. However, a large part of their business is focused on supplying ads to numerous adware/spyware/malware applications through their CPV (cost per view) program. This is just one company on the TRUSTe list, but the following questions would apply to other companies listed as well.
a) Does the TRUSTe certification only apply for consumers who voluntarily access the AdOnNetwork web site? Does it also apply to the data that may be collected and the tracking that may occur for unknowing consumers during AdOnNetwork’s ad displays through the various adware/malware applications from AdOnNetwork’s ad serving domain?
b) Is AdOnNetwork expected to comply with TRUSTe standards for certification through the domain which serves their ads and the consumers who “access” the site via the ad display in adware?
c) Does TRUSTe test and monitor what information may be tracked and collected through the various adware partners of AdOnNetwork? This can vary with the software technology partnering with AdOnNetwork.
9) Does TRUSTe feel that the value of their seal to reputable, brand-conscious merchants is diminished in any way when the seal is also present on sites with very public online consumer dissatisfaction? Even though the consumer dissatisfaction may not relate directly to TRUSTe published standards.
10) Webhancer: anyone who has tested DollarRevenue recently has seen Webhancer dropped without user consent. Suzi Turner, ZDNET Spyware Confidential, has seen this in action. The Facetime Security Labs team has seen this in action, Kellie Stevens from AffiliateFairPlay has seen this in action, and I am sure Ben Edelman has too.
I have personally witnessed this, and I am not without some security credentials, extensive experience, and a MSFT Security MVP designation, meaning I am qualified to spot a non-consensual installation. This TRUSTe member is getting installed without clear consent on numerous occasions.
a) Have you or TRUSTe seen this behavior?
b) If so what is the delay?
c) If you have not, why not?
d) Does TRUSTe feel the use of exploits, worms or malware to be justification for immediate revocation?
11) What, in your opinion, has TRUSTe done really well and why?
12) Where or at what, in your opinion, has TRUSTe performed poorly and why?
13) Given the evidence from many security analysts, would you personally tell a family member, or someone you care about, that a site displaying a TRUSTe seal is probably trustworthy?
14) This is the end of the questions. Did you, or TRUSTe staff, find this Q&A useful, thought provoking, or helpful in any way?
I, and many other merchants and security vendors (whom I have contacted), eagerly look forward to your public reply, and I do appreciate your willingness to tackle tough questions. Please take your time so that you can make answers in a meaningful way. If you need more time there is no problem with this, just let me know.
Comments are off. Trackbacks are on.
I may post addendums to articles or blogs (both pro and con) of value commenting on the questions. I will send over a copy of this so you may answer in bold below the questions and we can repost as a “Completed Interview”. Thanks for your time and tackling these tough questions.
