TRUSTe’s Behavioral Advertising Program for Sealholders

We’re in a new era where transparency is becoming the currency of trust. From its founding, TRUSTe has consistently championed transparency to consumers regarding their privacy practices. Our trustmark is a beacon to consumers to give them confidence that their personal information is being used responsibly and to provide them with the choices and redress options they deserve.

The coalition of IAB, DMA, ANA, and the 4A’s reached consensus on behavioral advertising principles that we hope will result in meaningful choices for consumers. The Federal Trade Commission paved the way for this consensus and other industry efforts by issuing thoughtful and pragmatic guidelines earlier this year encouraging expanded notice of advertising practices in addition to several other guidelines.

Starting from our position as the online privacy leader, TRUSTe is launching its program for publishers engaged in behavioral advertising later this year. Our program will focus on delivering notice and choices to consumers outside the privacy statement through the well-understood TRUSTe icon. In addition, we will deliver easily accessible opt-out options for consumer choice and leverage our well-established consumer complaint process and our leading scanning and monitoring technology to ensure compliance and enforcement. We expect that sealholders who meet our rigorous standards will easily be in compliance with the principles issued today with the additional benefits of third-party review and a comprehensive compliance and enforcement program.

– Fran Maier, CEO

July 1st, 2009

Facebook’s New Publishing Program and Privacy Controls

Social networking has amplified online privacy issues in every way. Facebook, a TRUSTe sealholder, announced today their new publishing and privacy program that opens users’ posts to the general public. This broadcast option is clearly a rational response to Twitter and its open publishing platform. From a privacy standpoint, Facebook has made a strong effort to put privacy first. In rolling out these new publishing settings, they’re giving their users control to decide if they want to broadcast to a bigger audience or maintain their status quo (which could be limited to friends or even individuals). Facebook is also taking the time to educate their users about their choices. And they’re making the privacy choices simpler and more accessible.

The TRUSTe team has reviewed the new Facebook program and we commend them - they’ve covered all the bases of transparency and choice, continuing to provide granular privacy options. Importantly, Facebook is subject to TRUSTe’s compliance and enforcement program. We stand by, through our advanced complaint and dispute resolution services, to ensure that as Facebook rolls this out they live up to their commitments.

– Fran Maier, CEO

July 1st, 2009

Informed Consent is the Key to Protecting Consumer Good Will

Web sites are increasingly asking consumers to allow access to their address books to send invitations to their friends on the consumer’s behalf. This is a common technique to increase site subscriptions, and it benefits the user by bringing their friends into the service.

A recent article in the New York Times highlights the complexities of implementing an address book import feature. Done well, such a mechanism provides clear notice to consumers to ensure that they understand what will happen to the addresses in their address book, so the consumer has a meaningful opportunity to consent. Implemented poorly, it can leave consumers distressed and even mortified to find their personal and professional contacts getting messages demanding to know why they aren’t on the latest social networking site.

In TRUSTe’s experience of certifying the online privacy practices of thousands of web sites, the use of address book contacts import features is rising. Here are some general “best practices” recommendations for helping web sites make their “Contacts import” features live up to consumer expectations.

1. Ability to Skip using the Import Contacts feature

If you invite consumers to let you import their email address books, make sure they can opt out or skip that step. Make the Skip option equally prominent compared to the Submit button, so the consumer is provided a clear choice around using the feature.

2. Messages Sent on Behalf of the Consumer

If you send messages to the consumer’s contacts, place “on behalf of” in the From line. This will alert recipients that the message is not actually from the consumer’s e-mail address. Offer consumers a preview of the message to be sent that includes header and body text.

3. Use of the Contact Information Supplied

Notify consumers at the Point of Collection and in your Privacy Statement about how you will use the imported contact information. Explicitly state whether you will be sending a one-time invite or a reminder email in addition to the original invite. TRUSTe also recommends stating that the imported contact information will not be used for other purposes beyond sending the requested invite or reminder messages.

4. Requesting Login Information for Other Accounts

When asking consumers to supply login information they use for other services such as an email account to import their address book, provide clear and conspicuous notice about how your site will use this information. This will help avoid surprising users who think they are choosing the same login information to register with your own site.

5. Additional Checks if Providing Incentives to Import Contact Information

If you are providing an incentive, such as a contest entry or rewards points, for consumers to import contacts, additional CAN SPAM requirements may apply. Be sure to provide an opt-out from receiving additional email messages. Additionally, some recipients ask for a global opt-out mechanism if they want to receive no further such e-mailed invites through the web site’s servers, regardless of who subsequently imports the recipient’s address as part of their Contacts. A site should make sure they have a way to block further such invites to e-mail recipients upon request, even if resulting from actions by the user’s contacts.

Informed Consent is the Key to Protecting Consumer Good Will

The guidelines above should help ensure that consumers get an opportunity to provide informed consent. Address book import can be a powerful feature to help a site expand its reach and can make use of the site much more convenient for the user, provided the feature is implemented carefully and respects the consumer’s consent.

June 24th, 2009

Building Confidence in Today’s Online Advertising

TRUSTe’s Approach to Behavioral Advertising

Last week’s Commerce Committee hearings on Behavioral Advertising underscored consumer discomfort, the efforts that companies and groups are implementing to improve consumer confidence, and the gap that legislators are trying to close.

As TRUSTe sealholders know, they have long been required to provide users with details of how cookies and other tracking technologies are used on their sites in their privacy policies. We have polled users about their opinions and expectations around Behavioral Advertising. In January, we provided a detailed guide intended to help companies better understand the technologies and business models involved and to lay out the key legal risks. In response to the FTC Staff report on behavioral advertising, we held a webinar to help our sealholders understand the new expectations. We recently joined in an effort by the Future of Privacy Forum to research and test the best behavioral ad notices.

Importantly, of course, we looked at our Web Privacy Seal Program requirements that thousands of sealholders already meet and asked ourselves what changes will need to be made for our sealholders to be compliant with the FTC Guidelines. The good news is that the TRUSTe Web Privacy Seal program requirements are generally consistent with the FTC guidelines. And we believe we can effectively provide our sealholders with the tools to help them close the gap - deliver notice, choice, and dispute resolution outside of the privacy statement.

TRUSTe is in a unique position to help sealholders meet the FTC guidelines:

- TRUSTe already provides guidance to thousands of companies on robust notice and choice

- The TRUSTe brand and icon are highly recognized and trusted by consumers to help protect their personal information

- Our technology platform can scan for 3rd party ads, identify behavioral advertising activities, and monitor a range of compliance issues

- Our advanced dispute resolution services can assist consumers with issues of an opt out, privacy disclosures, and more.

TRUSTe aims to give sealholders confidence that their Behavioral Advertising activities are consistent with the FTC and emerging guidelines. We’ve already met with several dozen stakeholders – from sealholders to advocates and regulators – and the response has been very positive. We also hope to complement other industry efforts to advance best practices in Behavioral Advertising. By working together we can meet the regulatory challenge as well as the expectations of consumers.

Now, it’s your turn to give us feedback. On Tuesday, June 30 (11am PDT/2pm EDT) we’ll be holding a webinar to provide an overview of our approach. Later in the Summer we will distribute a draft for comment with key elements of the program outlined in more detail. We are also hoping some of you will join in an effort to finalize the program and its requirements.

If you would like to provide additional feedback or attend the webinar, please RSVP at webinar@truste.com.

Fran Maier, CEO, TRUSTe

June 22nd, 2009

Limits of Self Policing

I’ve been watching with great interest the machinations at Craig’s List in response to the “Craig’s List Killer.” And I heartily applaud Craig’s List for deciding to review all the personal and erotic ads. In the mid 90’s, when I was running Match.com, we decided early on that we had to review the ads - it was the responsible thing to do, the potential harm was too high.

Saturday’s “The Perils of Self Policing” points out that there is little incentive for some participants in this kind of community to police themselves. At Match.com, and now at TRUSTe, I whole-heartedly value the community input - it is often users who do uncover the criminal, the unsavory, the bad. At TRUSTe, the Watchdog consumer dispute resolution uncovers a high number of privacy issues - from the glitch to the serious abuse. Yet, I also believe that the authoritative approach - the professional review - of personal ads or privacy practices - also has its place. I believe that the combination is the most powerful and protective of online users.

Posted by: Fran Maier, CEO

May 17th, 2009

A Hot Match! TRUSTe Acquires Haute Secure

I’m really pleased to welcome Iain Mulholland today as our new CTO along with his team from Haute Secure, Frank Swiderski and Rob Vucic. TRUSTe has been seeking a top-notch technology team to expand our capabilities in privacy certification and monitoring. HauteSecure brings a ready-made innovative scanning and malware detection tool that will help us establish, build and protect the reputation of trustworthy TRUSTe sealholders and hundreds of millions of their users.

Building trust is a complex task for websites, and our 3,000+ customers are demanding more solutions to help them build, protect and maintain their investments in privacy and trust. At the same time cyber threats are emerging to undermine terrific brands that are embracing web 2.0. The acquisition of the Haute Secure team and technology will enable us to expand our privacy scanning, compliance monitoring and reputation management for our customers. Ultimately, this is about giving people a sense of safety—that they can trust the web site, and by extension, the company behind it. We are excited to be the undisputed leader in this space–watch out as TRUSTe begins shaping a new conversation around trust, privacy and confidence online.

Read the press release

Learn more about HauteSecure

Iain’s bio

- Fran Maier, CEO

April 16th, 2009

Reflections of a HauteSecure Toolbar Early Adopter

I first encountered Haute Secure back in June of 2007 when I was given an Alpha build of their toolbar to play with – in fact, I was the first non-Haute Secure person to be allowed to try out the x64 version of the toolbar.

I remember that I thought the toolbar was a fantastic idea and wished it every success, most especially because of Haute Secure’s decision to focus on the emerging risks introduced by user generated content (aka Web 2.0) that were infiltrating social networking sites, blogs, search engines, widgets, banner ads and whatnot.

So you can imagine how pleased I was when I was told that TRUSTe and Haute Secure were joining forces; it is a coming together of two great goals in my life, which are:

  • to acknowledge and encourage good behavior; to rehabilitate, support and guide companies in the transition from bad netizen to good netizen, and to offer a chance at redemption and forgiveness, while at the same time maintaining a framework to discipline offenders
  • to protect the end user from the bad guys by stopping the bad guys from being able to get to potential victims in the first place (instead of always cleaning up computers after the bad guys have had their way)

I admit that I was saddened by the fact that Haute Secure has discontinued the Beta trial of the Haute Secure Toolbar and will end support for the toolbar in the next 60 days. I even felt, for a while, like we were abandoning the end user by taking the toolbar away from them and I suspect that some of you out there may be feeling the same way.

Haute Secure does a marvelous job protecting the user from malicious content out on the Internet – of that there is no doubt – but the toolbar was only able to protect the end user if they downloaded and installed software on their computer, and that put a finite limit on its effectiveness. By focusing its efforts on its offering for web sites that are at risk of being used as an avenue to infect computers, Haute Secure will be able to protect *every single visitor* to any web site that chooses to take advantage of TRUSTe’s new security scanning, reputation services and anti-malware protection offerings without the end user having to do anything to get the benefit of that protection. Bearing in mind the fact that TRUSTe currently certifies over 3,000 web sites, I don’t think it is an exaggeration to say that we could end up protecting millions of people from malicious content on the internet.

So, even though I mourn the demise of the Haute Secure toolbar, I am very excited about the good that TRUSTe and Haute Secure can do together. It is critically important that all Internet users protect themselves as well as they can by installing, and regularly updating, reputable antivirus and antispyware software, and by making sure that all of the software on their computers is fully patched, but I also believe that the owners of Web sites should do all that they can to protect their visitors from danger. Social engineering can bypass the protection offered by even the best antivirus and antispyware software, and it doesn’t matter how well patched a computer is if its operator is tricked into installing something. We need to do all that we can to ensure that people are not exposed to danger in the first place.

April 16th, 2009

Why TRUSTe+HauteSecure is Great News for Web Site Owners and Bad News for Cyber Criminals

-Sandi Hardmeier, TRUSTe Online Compliance Researcher

Back when I first started helping the victims of unwanted adware and spyware around the Year 2000, I focused all of my attention on cleaning computers after they had been infected. Then, as fighting adware and spyware became a cause célèbre, as more and more very skilled people joined the fight, and as various dedicated web sites and forums came to life, I realized that the needs of the victim (insofar as cleaning their computers was concerned) were being well met, so I moved on to going after the adware and spyware itself, and trying to change the modus operandi of the advertising supported software that was being used as a conduit to infect computers with unwanted toolbars, home pages, search engines and the like.

Over the years some “bad actors” who installed adware and spyware on to computers without giving the computer owner sufficient choice or information about what the software is that is being installed have disappeared, and others have made a concerted effort to clean up their act. Disclosure practices have improved (and continue to improve) and users are being given an opportunity to say “no thank you” to bundled software.

As some risks have faded away, others have inevitably taken their place. Professional criminals have realized that there is a lot of money to be made from the millions of potential victims reachable via popular websites.

The rise of the professional cyber criminal has caused a fundamental change to the online threat landscape – the end-user is not the only victim anymore. Web sites and advertising networks are discovering that they are unwilling hosts to malvertizing (malicious advertising), fake video codecs that are really Trojans designed to steal financially sensitive information or turn your computer into a spam-bot or install fake security software, comments with malicious links and the like.

Nowadays it is not enough to simply detect and clean infections on a computer (much damage can be done between an infection occurring, and being detectable), and we won’t prevent infection simply by blocking email attachments and scanning for known viruses and Trojans. Reality is that new variants are being created so fast, and in such high volumes, that it is impossible for any anti-virus product to be able to detect every malicious file that is in circulation. So, in an attempt to avoid as much undetectable bad stuff as possible, we have started to block access to known “bad” web sites, hacked web sites, and domains that are being used as distribution points. Several services have come into being that allow the internet community as a whole to “rate” web sites as good, or bad, or neutral, based on the site’s content and the downloads on offer as a way of warning other internet users.

As the use of web reputation services, black lists and block lists has become more common, so has the problem of how to get off a list once the original problem has been resolved, and what to do about false positives. I have seen for myself the frustration that owners of web sites feel when they try, sometimes without success, to get their web sites delisted. Sometimes they are only able to get their site delisted after an inordinate period of time has passed. The negative impact on a business can be substantial.

Haute Secure is very aware of the problems that web site owners have faced when trying to get their sites delisted and has put into place a comprehensive dispute resolution process. Also, in a step that may be unique to its service, Haute Secure ages out blacklisted URLs after a certain number of days (assuming no further malicious behaviour is detected).

As Haute Secure integrates with TRUSTe I will provide additional information on our dispute resolution process as it pertains to malware detection and URL blocking.

April 14th, 2009

Now is the Time for Transparency on Behavioral Targeting

The TRUSTe and TNS 2nd annual Behavioral Advertising Attitudes Survey, released today, reports ’09 results fairly consistent with ’08 results. Consumers are very aware of tracking by third parties and they want content and advertising to be more relevant. While about half of consumers remain concerned about tracking, we show a statistically relevant increase in comfort of 6 percentage points.

Now is the time for publishers to act. Consumers expect brands they know to protect their privacy. And companies already experimenting with proactive notice and control features report very low opt-out rates.

Don’t bring up the rear guard of the industry. Consumers know they’re being tracked and in the absence of straightforward dialogue, doubt and suspicion take over.

March 4th, 2009

A First: Facebook Opens Terms of Service for User Comment

TRUSTe has its fair share of Facebook addicts, including our CEO Fran Maier, who are probably more familiar with the privacy policy and the user controls available than the average person. We are constantly seeing unprecedented firsts when it comes to user privacy controls and today definitely heralded a first. It is certainly the first time in our 11-year history that we have ever seen a company open its terms of service and policies up for public comment, and we have worked with thousands of companies. While Facebook has consistently introduced new features and models that are innovative and disruptive [Remember how people reacted to Newsfeed?] they have also reacted in a transparent and responsive manner. This is another example of innovating not just in technology but in giving users control over their information. Is this a direction of user privacy to come for other industries too or is it unique to social networks and Facebook specifically?

Here are some links to the Facebook Principles and Statement of Rights. We’ll also post the Documents themselves for readers who are not Facebook members.

Press release. (public)

Facebook Town Hall: Proposed Facebook Principles (Facebook membership required)

Facebook Town Hall: Proposed Statement of Rights & Responsibilities (Facebook membership required)

February 26th, 2009
