The privacy police?

TRUSTe CEO Bob Lewin explains how even sites selling personal data can get the nonprofit's privacy seal of approval.

Published March 13, 2000 5:00PM (EST)

When TRUSTe launched in 1996, the nonprofit promised to help the Internet industry regulate itself with regard to protecting surfers' privacy. Over the past three years, it has vetted the privacy policies of over 1,300 sites, and its black-and-green logo, which signals to visitors that a site actually abides by its policies, can be found on most major e-commerce sites. But what kind of teeth does the organization really have?

TRUSTe didn't look so trusty last year when a security expert found that its licensee RealNetworks had been collecting user information on the
Instead of reprimanding the company, the nonprofit argued that because RealNetworks' privacy violations took place via its RealJukebox software, not its Web site, the incident was outside the purview of TRUSTe. More recently, it's been other privacy advocacy groups like JunkBusters that have alerted the public to privacy violations such as Intel's decision to include an identifier in its Pentium III chip; JunkBusters also started a campaign against DoubleClick's acquistion of Abacus when it was announced last June.

But Bob Lewin, executive director and CEO of TRUSTe, says the group's privacy seal program plays an important role in enforcing privacy policies. Previously, Lewin was vice president of marketing at networking software company ISOCOR and before that at the open systems consortium X/Open Company. Now he heads up this nonprofit that charges between $300 and $4,999 to certify an e-commcerce site's privacy practices.

What's the basic message you're giving to consumers when they see the
TRUSTe symbol? Is it that the site isn't going to sell my data?

The bottom line is that this site adheres to the fair information practices -- that they are disclosing what information they're collecting, why and if they're sharing that information with somebody. No 2: that they're giving the visitor the choice -- whether to allow that to happen; 3) that once the information is collected, they will use reasonable security to protect that information; 4) that they allow the consumer reasonable access to that information to modify it.

So if I were collecting consumers' e-mail addresses and then selling them to a direct-marketing company, would I still be able to get the TRUSTe symbol?

Only if you stated that to the consumer in your privacy statement. If somebody came to us and said, "Here's our privacy statement. We will collect the e-mail addresses, and it's our intent to sell or share this information with these third parties, and we are giving you the option to say yes or no to this." Then that site could become a TRUSTe licensee.

What percentage of sites get rejected?

It's not a large percentage -- I'd guess 1 to 2 percent.

What's the major reason sites get rejected?

Once they start through the process, they can't or will not meet the requirements of the program. Say they'd like to be able to share info with a subsidiary, and we say, "That's to a third party, you have to disclose that." Well, they may voluntarily decide they're not going to proceed. Also, we don't apply our mark to gambling sites, since it's illegal in some states. The other reason that it happens, frankly, is that 85 percent of our sites are very small -- $10 million and below --- and as the process starts, the company goes out of business.

If DoubleClick had been a TRUSTe member, would its decision to combine its database of anonymous surfing habits with an acquired database of personal information have set off red flags for you?

There would be some issues. That's why we formed a third-party ad server committee, to get all the technical and legal issues out on the table.

They would have had to inform us before they changed their policy, and we would have had some discussions.

Once it has the TRUSTe seal, have you ever kicked out a site for doing something?

No, we've come very close, but we haven't had to do it. The escalation process is as follows: We get a complaint from a consumer about a licensee, and once we are assured that the consumer had previously contacted the Web site to try and get it resolved -- because a lot of these are just misunderstandings -- we then contact the Web site and investigate and find out indeed if there's a real issue here. Now, the resolution to this may result in a change in the privacy policy, the business model, or what have you.

Shouldn't you have caught that kind of stuff when you reviewed the policy in the first place?

Well yes, but the nature of the beast is that all of this is software. What is generally the case is that there's been some unplanned feature in the software. Something will happen -- not that somebody wanted to do it, but the software allowed them to do it. So, when it happens, you point it out, it gets fixed and it's over.

But that shouldn't mean they need to change their privacy policy, should it?

It could be just a software change, but it could be a policy change. Let's say you implement software that shares information, or decide to collect more info than you originally stated -- perhaps you're collecting IP addresses, or disseminating cookies. So you have to change your policy. This whole thing is not a static field. We do constant monitoring, but many of our licensees will communicate with us, and in fact one-third of our efforts is focused on working with them. As their Web sites evolve, we've got to ensure that the privacy statement evolves. It's an ongoing process.

Would it be incumbent on the company to notify all the users who had seen the previous privacy policy?

If they start collecting new information, then at that point in time, they have to communicate to users from this point forward, "We are also doing this." So that has to be stated clearly in the privacy statement. It would not impact people from beforehand because that information was not being collected.

But what if the people from beforehand come back and then they don't read the privacy policy? Is there anything in the TRUSTe program that says if you are instituting a new privacy policy, you have to let all the consumers from before know that?

Well, we can't force consumers to read privacy statements, but in all our consumer outreach programs, we tell people: Even if you've visited this site before -- because things change -- the first thing to do is go to the privacy statement and review it to make sure there have been no changes. And we encourage licensees to put any changes up at the front. This is easier said than done -- none of us like to read pages and pages of text.

Have you ever blown the whistle on a company?

Yes, there are instances -- most of the problems are not with malice aforethought. The major monitoring is by consumers themselves, but we have people who look at the sites every quarter, to see if there've been any changes on the site. We also enter in names that we make up, opt-in in some cases and opt-out in others, so if we get communication to a name then we know where it came from.

What role should the government have in enforcing online privacy?

They play a very important role now, because they conduct studies on whether improvement has occurred within the industry -- the number of privacy statements, the quality of privacy statements. I think the government has clearly stated that certainly in the health-care and financial area, they feel the need to have some kind of legislation. They also did that for children --the Children's Online Privacy
Protection Act.
They've said that because this is super-sensitive information, you should have some guidelines.

Now, the question becomes, what vehicle do you use to enforce that legislation, which is equally important. We feel that seal programs -- and in particular, TRUSTe -- play a very important part there. COPPA is going into law April 21, and our contract will contain the elements for Web sites to adhere to COPPA requirements.

But it seems like a lot for any one company to keep up with. With all these violations going on, it seems like there needs to be a more watchful eye.

I would say that there is a watchful eye, if people look at the facts versus hype from some advocacy groups. It's all very well to run around screaming and yelling, "The sky is falling, the sky is falling," but the fact is, many of these issues that have come up are evolutions that occur in business models on the site. I would argue that the industry has demonstrated very quick response when those problems come up.

Take RealNetworks. The issue there occurred outside the scope of the current TRUSTe program. Yes, Real Networks is a TRUSTe licensee, but this particular issue had nothing to do with the collection of personal information on the Web site; it had to do with the collection of user information using software servers. Now, within a week, even though it was outside the program, we announced the formation of a pilot to evolve our program to handle those situations. I defy any government agency to do that.

But customers aren't thinking, when they see the TRUSTe symbol, that it only covers the Web site. Maybe from the technical view it's different, but the consumer isn't going to make the distinction. Does the TRUSTe program cover both now?

Yes, we need to do a better job so the consumer intuitively knows what the TRUSTe logo stands for. Ultimately, it would be great -- as we lay out the software privacy program -- to blend the two programs together. Or there may be a TRUSTe symbol for sites and one for software.

What privacy issues are you trying to anticipate?

One thing we're looking at is the wireless world, where we start talking about palm-held things and hand-held things and phones. I think there are some issues there we haven't fully addressed yet. We need to add more meat to the term "reasonable security." Today, that's the best term people have, because it can vary so much depending on the application and the technology. As we put more and more of these things into people's hands, we have to worry about how we prove that the person holding it is indeed the proper owner.

By Lydia Lee

Lydia Lee is a San Francisco writer


Related Topics ------------------------------------------