Tangled Webs

Of Privacy and Electrons
Issue 4.16
Dec 20, 1999

Stars in Our Eyes

Ah, the good old days! Back in 1996 the web was young, and we were innocent. We were creating something quite different from the societies in which we had grown up. We argued that since no party could use physical force, and information was free, there was no need for external regulation. The Internet could police itself without assistance from the world of force, laws and contested national borders.

Anarchy worked. The regulators and the regulated were one and the same. And despite the neo-hippy underpinnings of this mindset, we managed to convince large numbers of people around the world, and even a few legislators, that the Internet was different, that it could function without external regulation of what was proper conduct.

We were wrong.

Not completely wrong, of course. The Internet allows an intellectual freedom simply not possible in a physical medium, but the need for external regulation in some circumstances can be clearly seen in the failure of Truste.

Truste was formed in 1998 as an independent industry watchdog to stave off US government regulations to protect consumer privacy. Companies that agreed to Truste's terms could display the Truste seal on their websites, and consumers would know that their personal data was safe.

It seemed like a good idea, and the terms were straightforward. Internet companies could collect and use consumer data in any way they saw fit as long as users were informed and were allowed to opt out. Companies suspected of violating the terms would be subject to an external audit and have the right to display the Truste seal revoked if they did not come back into compliance. We hailed this as a model of self-regulation.

Salt in Our Wounds

On March 3, 1999 privacy advocates discovered that Microsoft, a Truste sponsor and customer, was secretly collecting user information over the Internet during Windows98 registration. Furthermore, it was storing that information so it could potentially be used to identify a specific user when they visited Microsoft's website. Microsoft collected this data without the users' knowledge or consent, a clear violation of Truste's privacy policies.

Public outrage forced Microsoft to promise to allow users to opt out while Truste looked the other way. On March 22, Truste stated that since the user data was not actually input at Microsoft's website, there was no violation of the Truste license terms, no external audit was required, and Microsoft would remain a Truste customer in good standing.

A single incident might be written off as bad judgment, but nine months later Microsoft once again found itself in the privacy hotseat. In September a bug was discovered in Microsoft's Hotmail which permitted malicious users to read the email of any user they wished. In the face of such a grievous breach of privacy, Truste once again sprang into action, claiming that it had no jurisdiction over the incident. After discussing the matter with Microsoft, however, Truste changed its mind and recommended that Microsoft hire an outside auditor to determine the extent of the damage and to verify that the problems had been fixed. Microsoft agreed, and a few weeks later Microsoft and Truste sent out press releases saying that the problems had been resolved and hailing the incident as proof that self-regulation works.

Of course, neither party has seen fit to release any information about this external audit. Exactly what was investigated, the actual findings, and even the identity of the third-party organization have been kept secret. All we have been told is that whatever it was, it cleared Microsoft of all charges. Privacy advocates find this less than reassuring.

Furthermore, Truste's hands-off approach cannot be attributed to Microsoft's clout. In early November, The New York Times reported that RealNetworks, another Truste sponsor, was keeping a record of the songs users listened to and building profiles based on listening habits. Users did not know this was happening and could not opt out of the system. Once again, Truste shrugged its shoulders and said there was nothing it could do. It did not call for an audit or even for disclosure of exactly what information was gathered and how it was used.

Mud on Our Faces

Admit it. We've been had. Self-regulation of privacy rights means no regulation. Don't get me wrong. The folks at Truste may have the best of intentions, but the model they are using is fundamentally flawed. Let's examine this kind of "regulation" for what it really is: business-to-business e-commerce. Simply put, Truste's business is generating consumer trust and then selling that trust to companies unable to generate it on their own.

The most efficient model for such a company would be one based on serving the customers and deceiving consumers. This efficient company would promote itself as an aggressive consumer advocate to the general public, while assisting their clients in public relations when privacy violations are discovered. Part of such services would be recommending, but never requiring, a few minimal steps clients could take to regain public trust.

Enforceable penalties or legally binding promises would make such services very hard to sell and would therefore have to be avoided. Likewise, requiring a client to remove the trust logo would be very foolish. It would reduce both income and market share. Most importantly, such a company would never speak ill of their clients no matter how brazen or egregious their violations may be.

While Truste may not be a perfect fit, it is certainly moving in this direction. It's worth noting that Truste has never asked a company to remove the Truste logo for privacy violations. Further casting doubt on Truste's position as a consumer advocate is the fact that in all clear and well-publicized privacy cases, it has been Truste, not the offending company, scrambling to explain why no Truste investigation is needed.

I think neither Truste nor this flavor of self-regulation is long for this world. No company can be expected to destroy itself by trying to serve the public interest in a way that alienates its own clients. Likewise, it is only a matter of time before consumers wise up to the scam and start viewing such logos as just another banner ad.

I suppose we should have known that capitalism is not really the best foundation for a regulatory body. The only way our privacy rights will be protected is if we protect them ourselves through our elected representatives. It seems there is still some utility left in the brick and mortar world after all.

© Copyright 1999, Tim Romero, t3@vgkk.co.jp
This article first appeared in the Dec 22, 1999 edition of The Japan Times.
Tangled Webs may be distributed freely provided this copyright notice is included.
The Tangled Webs Archive is located at http://www.vanguardjp.com/t3/tangledwebs/index.shtml