Stars in Our Eyes
Ah, the good old days! Back in 1996 the web was young, and we were innocent.
We were creating something quite different from the societies in which we
had grown up. We argued that since no party could use physical force, and
information was free, there was no need for external regulation. The
Internet could police itself without assistance from the world of force,
laws and contested national borders.
Anarchy worked. The regulators and the regulated were one and the same. And
despite the neo-hippy underpinnings of this mindset, we managed to convince
large numbers of people around the world, and even a few legislators, that
the Internet was different, that it could function without external
regulation of what was proper conduct.
We were wrong.
Not completely wrong, of course. The Internet allows an intellectual freedom
simply not possible in a physical medium, but the need for external
regulation in some circumstances can be clearly seen in the failure of
Truste was formed in 1998 as an independent industry watchdog to stave off
US government regulations to protect consumer privacy. Companies that agreed
to Truste's terms could display the Truste seal on their websites, and
consumers would know that their personal data was safe.
It seemed like a good idea, and the terms were straightforward. Internet
companies could collect and use consumer data in any way they saw fit as
long as users were informed and were allowed to opt out. Companies suspected
of violating the terms would be subject to an external audit and have the
right to display the Truste seal revoked if they did not come back into
compliance. We hailed this as a model of self-regulation.
Salt in Our Wounds
On March 3, 1999 privacy advocates discovered that Microsoft, a Truste
sponsor and customer, was secretly collecting user information over the
Internet during Windows98 registration. Furthermore, it was storing that
information so it could potentially be used to identify a specific user when
they visited Microsoft's website. They collected this data without the
users' knowledge or consent; a clear violation of Truste's privacy policies.
Public outrage forced Microsoft to promise to allow users to opt out while
Truste looked the other way. On March 22, Truste stated that since the user
data was not actually input at Microsoft's website, there was no violation
of the Truste license terms, no external audit was required, and Microsoft
would remain a Truste customer in good standing.
A single incident might be written off as bad judgment, but nine months
later Microsoft once again found itself in the privacy hotseat. In September
a bug was discovered in Microsoft's Hotmail which permitted malicious users
to read the email of any user they wished. In the face of such a grievous
breach of privacy, Truste once again sprang into action claiming that it had
no jurisdiction over the incident. After discussing the matter with
Microsoft, however, Truste changed their minds and recommended that
Microsoft hire an outside auditor to determine the extent of the damage and
to verify that the problems had been fixed. Microsoft agreed, and a few
weeks later Microsoft and Truste sent out press releases saying that the
problems had been resolved and hailing the incident as proof the
Of course, neither party has seen fit to release any information about this
external audit. Exactly what was investigated, the actual findings, and even
the identify of the third party organization has been kept secret. All we
have been told is that whatever is was, it cleared Microsoft of all charges.
Privacy advocates find this less than reassuring.
Furthermore, Truste's hands-off approach cannot be attributed to Microsoft's
clout. In early November, The New York Times reported that RealNetwork,
another Truste sponsor, was keeping a record of the songs users listened to
and building profiles based on listing habits. Users did not know this was
happening and could not opt out of the system. Once again, Truste shrugged
its shoulders and said there was nothing they could do. They did not call
for an audit or even for disclosure of exactly what information was gathered
and how it was used.
Mud on Our Faces
Admit it. We've been had. Self-regulation of privacy rights means no
regulation. Don't get me wrong. The folks at Truste may have the best of
intentions, but the model they are using is fundamentally flawed. Let's
examine this kind of "regulation" for what it really is,
business-to-business e-commerce. Simply put, Truste's business is generating
consumer trust and then selling that trust to companies unable to generate
it on their own.
The most efficient model for such a company would be one based on serving
the customers and deceiving consumers. This efficient company would promote
itself as an aggressive consumer advocate to the general public, while
assisting their clients in public relations when privacy violations are
discovered. Part of such services would be recommending, but never
requiring, a few minimal steps clients could take to regain public trust.
Enforceable penalties or legally binding promises would make such services
very hard to sell and would therefore have to be avoided. Likewise,
requiring a client to remove the trust logo would be very foolish. It would
reduce both income and market share. Most importantly, such a company would
never speak ill of their clients no matter how brazen or egregious their
violations may be.
While Truste may not be a perfect fit, they are certainly moving in this
direction. Its worth noting that Truste has never asked a company to remove
the Truste logo for privacy violations. Further casting doubt on Truste's
position as a consumer advocate is the fact that in all clear and well
publicized privacy cases, it has been Truste, not the offending company,
scrambling to explain why no Truste investigation is needed.
I think neither Truste nor this flavor of self-regulation are long for this
world. No company can be expected to destroy itself by trying to serve the
public interest in a way that alienates their own clients. Likewise, it is
only a matter of time before consumers wise up to the scam and start viewing
such logos as just another banner ad.
I suppose we should have known that capitalism is not really the best
foundation for a regulatory body. The only way our privacy rights will be
protected is if we protect them ourselves through our elected
representatives. It seems there is still some utility left in the brick and
mortar world after all.