ReveNews Online Revenue News & Opinions Since 1998

Ben Edelman Responds to Questions from TRUSTe

October 3rd, 2006 by Wayne Porter

Carolyn Hodge: Please explain your relationship with SiteAdvisor, how your expert reviewer status impacts ratings, and any financial benefit associated with being on the SiteAdvisor advisory board.

Ben Edelman: I’m on the SiteAdvisor advisory board. I think I’ve done a good job of disclosing that early and often.

SiteAdvisor’s web site includes a “reviewer” system by which interested Internet users can comment on any site SiteAdvisor has rated (and, for that matter, even on sites it hasn’t rated!). SiteAdvisor’s Reviewers page explains how the system works, in general terms. As you say, the system includes several "levels" of reviewers. But ultimately all the reviews go to the same place — on the SiteAdvisor web site, with "expert" or "experienced" in remarkably small type. (If anything, SiteAdvisor’s presentation arguably does too little to emphasize whose reviews are most weighty, versus who’s a new kid on the block. So the merit of a review has to speak for itself — with hard-hitting facts and analysis, not merely resting on a reviewer’s reputation.)

SiteAdvisor’s Reviewers page indicates that "expert" reviewers have extra weight on changing sites’ ratings, while "experienced" (mid-range) reviewers get a smaller additional influence. Frankly that hasn’t been my experience, though. My experience has always been that a meritorious review gets the response it calls for, no matter who submits it.

SiteAdvisor provided me with stock options when I started my advisory relationship with them. When McAfee purchased SiteAdvisor, those options were converted into current and delayed payments.

Carolyn Hodge: Has TRUSTe ever approached you to learn about your techniques and get your feedback, help with adware and trackware companies? What would be an appropriate way for the anti-spyware community to cooperate with TRUSTe for the benefit of consumers?

Ben Edelman: TRUSTe has sought my assistance from time to time. I’ve generally responded to these requests with some skepticism. On one hand, I credit the good intentions of TRUSTe, and I’d genuinely like to see TRUSTe succeed. But I’ve been troubled to see TRUSTe, time and time again, issue certificates to sites I regard as bandits — sites that trick users and ultimately cause users substantial harm. That’s alarming, and it’s at the core of my uncertainty about TRUSTe.

In some instances I’ve worked productively with TRUSTe. For example, last summer I noticed Hotbar certified by TRUSTe, prominently showing TRUSTe’s logo as it tried to induce users to install Hotbar’s advertising software. I brought this issue to TRUSTe’s attention, and Hotbar’s certification was revoked remarkably quickly. Details on my site, including analysis of the specific violations I observed.

But in other instances, problems have dragged on. For example, in June 2005 I remarked on Direct Revenue, eZula, and Webhancer all being TRUSTe members. Webhancer still is; eZula remained through at least December 2005; and Direct Revenue through at least January 2006. (Plus Direct Revenue’s site still includes at least one TRUSTe logo to this day, months after they stopped being certified!) Similarly, the well-known Spyware Warrior blog in May 2005 flagged sixteen different sites that it described as "all documented adware/spyware related companies or their associates." I see no sign that TRUSTe took any action in response to this report either.

I think TRUSTe faces a real challenge in working with the anti-spyware community. To those who clean up users’ computers, it’s little solace to say (as you do in your interview response) "we can only certify to, and enforce standards within our program requirements." Wayne, I, and so many others have all seen Webhancer install without consent on so many occasions. Yet you tell Wayne and ReveNews readers that we have to wait for Trusted Download before anything can be done about the company’s practices. That puts form before substance. And, in substance, it’s galling. Webhancer’s software tracks users’ surfing in excruciating detail, and it transmits this information to Webhancer’s servers. To think such software can have a TRUSTe "privacy" certification — while simultaneously burrowing onto users’ PCs without permission — is an insult to the users whose privacy Webhancer violates.

If and when TRUSTe cleans up its member list, such that TRUSTe counts no spyware purveyors among its members, I suspect TRUSTe will find security researchers far more friendly. Further goodwill could be built through clear, timely actions that show whose side TRUSTe really is on — that show that TRUSTe puts users’ safety before its own bottom line and before even the PR benefits of its members (if it does).

One specific improvement I’d recommend to TRUSTe: A complaint form that posts all complaints to the web, immediately, for full public review. SiteAdvisor’s Review system works exactly in that way — anyone can post a comment about a site, and the comment is instantly visible. In contrast, submissions to TRUSTe’s "watchdog" system lack this immediacy, and I always worry that TRUSTe might sweep a particularly tough comment under the rug, rather than investigate and respond appropriately. My concerns about the watchdog system are particularly pronounced because the watchdog system seems so haphazardly implemented. For example, even as I write this, TRUSTe’s August 2006 Watchdog page says "July 2004" in its page title. (So do many other watchdog pages.) Plus, as I mention in footnote 3 of my paper, TRUSTe inexplicably failed to update its Watchdog Reports page from June 2004 through spring 2006 (when I circulated an initial draft of this paper, bearing this critique). All these facts make TRUSTe’s Watchdog system look like an afterthought — hardly an inviting place to submit research.

Carolyn Hodge: SiteAdvisor, the basis for your comparison of TRUSTe sites, was recently taken to task for not detecting phishing websites, and stated that phishing detection was out of its scope. Don’t you think that consumers care about phishing, and isn’t that a serious fault in the SiteAdvisor methodology?

Ben Edelman: I agree that users rightly care about phishing. Originally I wanted to see SiteAdvisor include anti-phishing functionality. But as SiteAdvisor’s site and blog explain, that’s not a feature SiteAdvisor has taken on. Too many others already doing a good job of this.

I think SiteAdvisor could helpfully redouble its efforts to make sure each and every one of its users knows SiteAdvisor doesn’t give them phishing protection.

But I’m not sure where this leaves us. What’s important, for my critique of TRUSTe’s member list, is that when TRUSTe and SiteAdvisor disagree about a site’s trustworthiness, most users are likely to side with SiteAdvisor. I think that’s a valid claim: TRUSTe may say Webhancer is trustworthy, but SiteAdvisor is right to criticize Webhancer’s installation and operation practices. TRUSTe may say focalex.com is trustworthy, but no one disputes SiteAdvisor’s finding that a single registration there can yield 320+ emails per week. And so on. SiteAdvisor may not catch phishing sites, but it catches plenty of serious bad behaviors among TRUSTe members, including among current TRUSTe members. It’s these findings that are the core of my critique of TRUSTe’s members.

Carolyn Hodge: If a website or software publisher makes positive changes to address consumer notice, choice, consent and control, do you view this as a positive step? Can you list the occasions where you praised a company for changing its practices as you described?

Ben Edelman: It’s not often that I praise the companies I write about. I figure they have ample PR departments to toot their own horns.

When I do praise companies’ improvements, it’s often in the context of pointing out their other problems. For example, in October 2005 I applauded Claria’s termination of certain dubious installation practices — but then I went on to show Claria helping to fund other vendors’ spyware installed without consent.

Often companies change their practices after I write about them. But sometimes they don’t change as much as they claim. For example, last year I revealed an Ask.com toolbar installing without consent. (At least seven Ask toolbar distribution sites have been listed on TRUSTe’s member list for as long as 17 months. But per your subsequent comments, apparently this was all a mistake, and the sites were never actually certified by TRUSTe, despite their listing on TRUSTe’s member list among other certified sites.) In response to my piece, Ask.com made some specific, noteworthy claims of changing their practices. Did they really do what they promised? Not quite. Details forthcoming!

Clearly steps in the right direction are a good thing. But where a company with terrible practices takes a tiny step in the right direction, what exactly should users say? "They’re still terrible, but they’re better than they used to be"? That’s laughable. So long as the company still needs significant improvement, I’ll save my words for explaining what’s left to be done, and why it’s important to do it.

Carolyn Hodge: List the companies which have changed their practices as a result of your work.

Ben Edelman: I don’t know how to answer this question.

I think I’ve played a useful role in transforming the practices of a fair number of companies. In particular: I made the first video showing nonconsensual installation of "adware" through a security exploit — a video that changed the way security researchers chronicle what they’ve found, and that brought new levels of accountability to all companies that pay for installations of their software. I wrote the first software for automated probing of "adware" vendors’ ads — letting users better see what advertisers are funding their infections, and bringing new accountability to the advertising side of this business. I posted the first annotated packet log demonstrating how spyware vendors steal affiliate commissions. I made what I believe to be the first video record of click fraud.

These articles have had widespread impact — perhaps doing my part to push Claria out of the "adware" business; driving any number of advertisers away from dubious adware advertising; getting numerous bad-actor affiliates kicked out of affiliate networks; and (I hope) inspiring fear among pay-per-click syndicators who think click fraud is a sure-fire way to make money at advertisers’ expense.

A further concrete example: In September 2005 I showed Expedia advertising through the then-"big three": 180solutions, Direct Revenue, and eXact Advertising. Mere weeks later, Expedia had terminated all these campaigns. I’ve seen no more spyware advertising from Expedia since that time. More generally, I have systematically revealed other "adware" advertisers — those using Claria (then Gator), 180solutions, Direct Revenue, and eXact Advertising. Lots of big names, many of whom have subsequently improved their practices.

But make a list of all the companies I influenced? I don’t know how I’d do that, since I don’t have any clear way to track who reads my work.

Carolyn Hodge: Describe your familiarity with the TRUSTe certification process, its rigor, and any specific qualifications that make you an expert on their processes? Have you ever spoken with a TRUSTe sealholder about the certification process? What did they report to you about that?

Ben Edelman: I don’t claim any special expertise on TRUSTe’s internal processes. But the proof is in the results, or lack thereof. It’s hard to have a favorable view of a process that yields (or has yielded) the endorsement of Direct Revenue, eZula, Freecreditreport, Gratis Internet, Hotbar, Maxmoolah, and Webhancer, among so many others.

On the subject of Gratis, Wired’s Ryan Singel recently directed my attention to a seemingly-explosive document on the NYAG’s site. In August 2004, TRUSTe staff received specific knowledge of Gratis’s violation of its privacy policy. See NYAG litigation documents, page 14, quoting an email from Gratis to TRUSTe, admitting "we just started renting it [our email list] out" (contrary to Gratis’s then-privacy policy, which specifically promised no such renting would occur).
Yet TRUSTe’s own site indicates that TRUSTe didn’t get around to terminating Gratis until February 2005. In the interim — for 7 months! — Gratis remained TRUSTe-certified, despite TRUSTe’s specific notice that Gratis was violating its privacy policy.

What exactly happened during those seven months? Why did TRUSTe let Gratis stay certified, while knowing that users couldn’t actually count on Gratis to do what its privacy policy promised? Is there any point at which TRUSTe must declare "enough is enough" and revoke a seal? Here, Gratis had promised that it would "not sell, rent, or loan any personally identifiable information regarding our customers to any third party." It’s hard to imagine a more clear-cut violation of a privacy policy or of a TRUSTe-certified site’s duties to its members and to TRUSTe. Yet even here TRUSTe took seven months to act.

Users and analysts need not know anything about TRUSTe’s internal procedures to know this just isn’t right. If TRUSTe knew about a privacy policy violation in August 2004 (as the email indicates all too clearly) but took no public action until February 2005 (again quite clear), users will doubt TRUSTe’s effectiveness, no matter how TRUSTe organizes itself internally.

Addendum: Questions and Answers response from Mr. Edelman transcribed by Wayne Porter 10.03.2006 per e-mailed response.

9 Comments

Mike Hyland said:

Absolute spot on rebuttal to some seriously loaded questions. Makes me content on my first analysis of Truste, when asked if it was worth it by some ecommerce clients. My reply was Truste was a PR smoke & mirrors operation, only needed by those doing nefarious deeds from their web sites.

My take is it’s like having the UN “blue hats” policing hot fire zones, or their past performance on enforcing UN security council resolutions. Hard to applaud their noble efforts saving a handful of people from raping, pillaging and murder, when right in front of their noses hundreds of thousands get whacked. Someone/somewhere once said …Those who do no evil need no stinkin’ badges …those who do require them as shields.

Truste needs to be an effective barrier to consumer exploitation and not some meaningless entity shielding the Adwhores of all flavors.

Who Can You TRUSTe?

From Cloudeight’s “InfoAve Premium Newsletter”

September 10, 2004

While looking through some forums the other night we came across some interesting entries. There were people writing posts that said that this program or that program were not spyware because they had the TRUSTe seal.

So, we decided to check it out for ourselves to see exactly how much we could trust TRUSTe. The first place we went was to “Hotbar” (a TRUSTe licensee).

I’m sure many of you who’ve been reading our newsletters for very long know how we feel about “Hotbar”. And, some of you are aware that “Hotbar” has threatened legal action against us. Just to be “fair and balanced” we did a search on Google for “Hotbar” and we found 39 pages of search results. At the end of this article we have a link to the search results. Feel free to check them out or do your own search.

“Hotbar” says they are not spyware. Their 4400+ word “Hotbar” EULA is a magnificent masterpiece of ambiguity. A lawyer’s dream. Anyway, we wanted to see what TRUSTe had to say about spyware. So we visited their bustling little hive of a Web site and sure enough we find that TRUSTe is firmly entrenched in the war on spyware! They quote an entire anti-spyware article from GetNetWise http://www.getnetwise.com. You can see it for yourself on the TRUSTe Web site: http://www.truste.org/articles/preventing_spyware.php .

“Hotbar” is a TRUSTe seal holder. That means they meet TRUSTe standards for protecting your privacy. Yet hundreds, perhaps thousands of technical, anti-spyware, government, college, and educational sites say that “Hotbar” is spyware. TRUSTe is against spyware. Are you starting to see something wrong with this picture? Here’s what TRUSTe says about “Hotbar”:

This confirms that Hotbar.com, Inc. (“Hotbar”) is a licensee of the TRUSTe Privacy Program.

TRUSTe is an independent, non-profit organization whose mission is to build users’ trust and confidence in the Internet by promoting the principles of fair information practices. Because “Hotbar” is committed to respecting and protecting your privacy, we have agreed to disclose our information practices and have our privacy practices reviewed and audited for compliance by a third-party auditor at the direction of TRUSTe. These TRUSTe principles apply to personally identifiable information gathered on “Hotbar” Web site. This privacy statement will inform all visitors to our Web site regarding:

1. What personally identifiable information we collect/use about you on this Web site

2. What we do with personally identifiable information we collect/use on this Web site

3. Whether any of your personally identifiable information will be shared with any third party

“Questions regarding this statement should be directed to the Hotbar site coordinator at Hotbar.privacy@Hotbar.com or TRUSTe at http://www.truste.org/users/users_watchdog.html for clarification.”

We think it’s a shame when companies like TRUSTe, who are in the business of trust and purporting to protect consumers, bestow their seal on companies like “Hotbar”. These companies then hide behind that seal of trust. In our opinion, “Hotbar” uses the TRUSTe seal to lure innocent and unsuspecting consumers into a tangled Web of questionable an ever-expanding list of “free” products. We have personally seen the problems “Hotbar” can cause.

If you can’t trust TRUSTe who can you trust? Sorry TRUSTe, you have lost our trust….and respect.

Note: This article was written on September 10, 2004. Since then, thanks to Ben Edelman’s efforts, Hotbar has been delisted by TRUSTe. Recently, Hotbar joined with adware giant “180Solutions” to form Zango. See http://thundercloud.net/infoave/zango-tango.htm .

Jeff Doak said:

Excellent work as usual Ben, keep it up.

Rob Cheng said:

I’m an old marketing guy and their logo is supposed to mean something to the average consumer. It is supposed to mean that this web site is clean and has been vetted. It is safe to download, purchase, and more importantly you can TRUST this company because it has the Truste seal.

They are not living up to their brand promise, and you are doing good because you are alerting the public. I really don’t care about all the nuances about why they are unable to do what their brand promises. Perhaps it is profit, perhaps it is incompetence, perhaps it is ignorance, or ambivalence. It does not matter.

If they are admitting that there are many companies that display the seal may have bad practices, then their brand means nothing. Go get em. Your response is accurate but the tone is a little defensive which was their intent. Don’t be on the defensive, stay on the offense.

Stuart Frankel said:

Typical arrogant post from Ben, in his now familiar “aw shucks, just-reporting-the-facts here” tone of pseudo-objectivity. TRUSTe, as flawed as it is, at least tries to make ecommerce more vital and reliable. It’s not a perfect system, but SiteAdvisor is no replacement for it. Since Ben stands to gain financially through the success of SiteAdvisor, he has a clear interest in criticizing TrustE.

What also bridles about Ben is his tone of relentless criticism–much like a graduate student whose expertise begins and ends with poking holes in the systems and arguments of others. If your aim is to further the spread of ecommerce and online advertising (which one would assume of readers of revenews), this shrill tone of constant detraction has limited usefulness.

Frank Castiglione said:

Typical irritating post from Ben, in his now familiar “gosh, just-reporting-the-facts here” tone of pseudo-objectivity. TRUSTe, as flawed as it is, at least tries to make ecommerce more vital and reliable. It’s not a perfect system, but SiteAdvisor is no replacement for it. Since Ben stands to gain financially through the success of SiteAdvisor, he has a clear interest in criticizing TrustE.

What also bridles about Ben is his tone of relentless criticism–much like a graduate student whose expertise begins and ends with poking holes in the systems and arguments of others. If your aim is to further the spread of ecommerce and online advertising (which one would assume of readers of revenews), this shrill tone of constant detraction has limited usefulness.

Charles White said:

Typical irritating post from Ben, in his now familiar “gosh, just-reporting-the-facts here” tone of pseudo-objectivity. TRUSTe, as flawed as it is, at least tries to make ecommerce more vital and reliable. It’s not a perfect system, but SiteAdvisor is no replacement for it. Since Ben stands to gain financially through the success of SiteAdvisor, he has a clear interest in criticizing TrustE. Why doesn’t this bother more people?

What also bridles about Ben is his tone of relentless criticism–much like a graduate student whose expertise begins and ends with poking holes in the systems and arguments of others. If your aim is to further the spread of ecommerce and online advertising (which one would assume of readers of revenews), this shrill tone of constant detraction has limited usefulness.

Stuart Frankel’s (who runs an affiliate network, BTW) rant on Ben has its own set of financial motivations.

Why doesn’t Ben’s bias bother people? Because he’s not only fighting the good fight but doing so with facts that cannot be refuted. The facts that Ben points to are relevant. Things like his knowledge of how TRUSTe inner-workings, how many times he’s said nice things about his company, etc. are irrelevant.

TRUSTe knew about serious problems and ignored them… put them off until later at best.

Let’s get real — we all have financial interests. Even Stuart Frankel. With whom and how we align them is what counts in the grand scheme of life.
