TrustE Fails to Justify Its Role as Privacy ArbiterThis is part one of a two-part series.
Both TrustE and BBBOnline, two of the online privacy seal programs, offer privacy dispute resolution for consumer complaints about violations of privacy in the online environment. These programs have been around for a while, so it is time to look at how they and the organizations that sponsor them work.
My conclusions are based on what I found on the Web sites of the two organizations at the end of August. First, I consider TrustE.
Dispute resolution programs are especially important because of the critical role they play under the European Union's safe harbor agreement with the U.S. Department of Commerce. One of the biggest sticking points in reaching that agreement was enforcement. How would American companies in the safe harbor be held accountable and provide effective remedies to consumers? That question held up the agreement for many months.
One solution accepted by the EU was to recognize that self-regulatory mechanisms backed by federal agency review would be sufficient. It is an open question whether federal agencies such as the Federal Trade Commission would really pay attention to complaints arising from private Internet dispute resolution mechanisms. The FTC's track record on privacy is highly limited. Other agencies with similar responsibilities in other areas, such as the Department of Transportation, have no track record on privacy at all. Before we get to the secondary enforcers, however, we need to know whether the primary privacy dispute resolution mechanisms have any substance, credibility and utility.
TrustE does not make it easy to review its dispute resolution program. The TrustE Web site offers no statistics, formal decisions or rules. It is unclear who is making decisions on disputes. The process and the results are mostly hidden from public view. Reports of some "investigations" are publicly posted, but they are hard to evaluate because so little is available. Some, but not all, of the public investigation reports have numbers (e.g., Watchdog #1847), and that suggests that many complaints have been received. What were the other complaints about, and what happened to them? We do not know. TrustE does not even offer a summary.
Is the TrustE dispute process fair or valuable to companies or to consumers? I cannot tell. Did the companies that support TrustE put pressure on the organization to hide any potentially embarrassing problems that are uncovered as a result of disputes? Is TrustE trying to keep from the public eye a dispute process that does not work or provide any meaningful remedies for consumers? Maybe TrustE just doesn't care or doesn't think anyone else will.
TrustE's lack of interest in public accountability is troubling and undermines the credibility of the program. It would be easy to make more information about the dispute resolution process available on a Web site.
TrustE has taken a lot of flak from privacy and Internet people because of its inability to address some privacy violations by its seal holders. TrustE's defense was that the violations did not relate to Web site activities covered by the privacy seal. The response may have been correct, but it only underscored the limitations of seal programs generally and the shortcomings of self-regulation. Regardless, the appearance was awful. It looked to many as if TrustE was exonerating the companies that fund TrustE's operations. It did not help that big, bad Microsoft was one of the companies that TrustE let off the hook. TrustE's one-line comment that Microsoft's actions did "compromise consumer trust and privacy" was too little, too late.
TrustE was embarrassed again when an Internet security firm revealed that the TrustE Web site was using cookies and Web bugs to track visitors to its Web site. TrustE quickly stopped these practices and blamed a third-party company hired to count Web site visitors. But the episode only displayed the sloppiness of TrustE. If you develop rules of conduct for privacy on the Internet and sit in judgment of others, then you have to follow your own rules with great precision.
If TrustE does not pay attention to what is happening on its own Web site, who will believe that it really oversees the operations of others?
Even worse, TrustE said it thought the company was only collecting nonpersonally identifiable IP addresses. The trouble with that defense is that some IP addresses are potentially identifiable. So is TrustE just being sloppy again, or does it fail to understand Internet technology?
With this last episode, TrustE may have exhausted any welcome that it had on the Internet. It is hard to point to anything that TrustE has done to justify any confidence in itself or its mission. TrustE is becoming a symbol of what is wrong with Internet self-regulation. The EU has accepted TrustE dispute resolution for purposes of safe harbor, but I have to wonder if it really looked at what TrustE is doing.
At present, I cannot find a good reason to advise a consumer with a privacy complaint against a TrustE seal holder to bother filing a complaint with TrustE.
The consumer might do better looking for one of the many hungry trial lawyers who are searching for new class-action privacy suits. n
Next week: BBBOnline does a better job than TrustE, but that isn't saying much.
Robert Gellman is a Washington-based privacy and information policy consultant and former chief counsel to the House subcommittee on information, justice, transportation and agriculture.