Secondary Screening

Archives
By Date
April 2006
March 2006
January 2006
December 2005
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005
April 2005
March 2005
February 2005
January 2005
December 2004
November 2004
October 2004
September 2004
August 2004
By Category
Airline Security Measures
Bicycles
Book Reviews
Congress
Data Mining
Department of Homeland Security
Freedom of Information
Government Secrecy
Miscellany
Other People's Writing
Privacy
Security Measures
The Courts
The New Web
Threat Level
Recent Entries
Change of Address
Privatized Registered Traveler On Track
Software Bug Shuts Down Nation's Busiest Airport
HostGator Rocks
But some butter is more butter than other butter
TSA Picks Privacy Player
AT&T Loses A Customer Over NSA Lawsuit
Jetsons Video Phone? Deaf Say Yes!
AT&T *69s EFF
Narus Not in the Know
Published articles
Wired News Articles
Links
Wired News
DefenseTech
Practical Nomad
BeSpacific
DHS Privacy Office
Memory Hole Blog
Electronic Privacy Information Center
Privacy Digest
Electronic Frontier Foundation
Homeland Security Institute
Secrecy News
Emergent Chaos
EPIC West's Chris Hoofnagle
Prawfs Blog with Daniel Solove
Ann Harrison
Reuter's Andy Sullivan
Schneier on Security
Talk Left
Reason's Hit & Run
W. David Stephenson
Phillip Carter's Intel Dump
Project on Government Oversight
Technology Liberation Front
Edward Felten's Freedom to Tinker
Contact
Email me
415.375.3150
Subscribe
Feed: Your Reader
Atom
RSS 1.0
RSS 2.0
RSD
About Ryan Singel
I'm a San Francisco-based freelance journalist who covers antiterrorism programs, civil liberties, the Internet and privacy.
« V for I Want My Money Back | Main | More DOJ Subpoenas »
March 28, 2006 | TRUSTe Trusty? A quick case study

As some of you may know, New York Attorney General Eliot Spitzer is suing Gratis Internet, the company behind the freeipods.com and Freepay sites, for violating their privacy policy and renting/selling their 7.2 million customer database to three companies, which used the list to send upwards of 200 million spam messages.

I've been following this pathetic little story for a while and was particularly interested in how TRUSTe, a non-profit organization that certifies privacy policies, would react to seeing one of their former seal holders being sued. The idea behind TRUSTe is that internet users can see the sign and know that a company's privacy policy actually means something.

If the allegations in Spitzer's lawsuit are true (and given that the lawsuit is detailed and includes email quotations, I'd be putting money on his side in this case), then I think netizens should not trust TRUSTe's little logo at all.

Here's a quick little timetable that includes the allegations in Spitzer's suit along with information from my own attempt to get TRUSTe to investigate Gratis.


  • June 2004 -- TRUSTe-certified Gratis rents out database including the names, home addresses, IP addresses and email addresses of 7.2 million customers to Datran Media, despite Gratis's promises never to sell or share this info. Datran Media employee notices the privacy policy and asks Gratis to change it. (Spitzer lawsuit allegation)

  • August 5, 2004 -- Gratis employee Rani Nagpal told TRUSTe employee Heidi Berger: "I think there was some miscommunication about our email list: we just started renting it out to one company." One assumes from this quote that TRUSTe was already getting complaints about spam originating from Gratis. (Spitzer lawsuit allegation)

  • September 15, 2004 -- Filed complaint with TRUSTe about spam arriving from third parties to address given to Gratis.

  • September 24, 2004 Gratis Co-founders Robert Jewell and Peter Martin tell my Wired News colleague Leander Kahney they have never "sold" their email lists but would stop sending email marketing messages.

  • October 5, 2004 -- TRUSTe responds by forwarding me an email from Gratis founder Rob Jewell who says I'm full of it and that "At www.FreeiPods.com and Gratis Internet, we respect the privacy concerns you have addressed in this matter. Please know that we do not share your personal information and in the future will not share this information." Having the proof in my inbox, I ask TRUSTe to actually look at it themselves.

  • October 7, 2004 -- TRUSTe responds saying they actually did do an investigation: "The results of our investigation indicate that Gratis Internet did not violate their privacy policy. [...] Unfortunately, you will have to contact the individual companies that are sending you spam in order to be removed from their lists."

    I make fun of TRUSTe here on the blog, WITHOUT even knowing that, as Spitzer alleges, that TRUSTe already knew that Gratis had violated their privacy policy.

  • December 10, 2005 -- Gratis co-founder Peter Martin writes me in an email: "Privacy is of the utmost importance to us as well. We have never sold any email address to any third party and never will."

  • December 24, 2004 -- Gratis sells JDR Media "access to the email addresses and other personal information on approximately 7,572,425 consumers." (Spitzer allegation)

  • February 9, 2005 -- TRUSTe revokes Gratis's privacy seal for not complying with some required changes. It's not clear what these changes are, but news accounts at the time suggest Gratis employees didn't take a required privacy class. No press accounts suggested that Gratis would have been required to notify all 7 million customers that the contract with them had been broken or that Gratis would be forced to make a public statement attesting to their actions.

  • February 11, 2005 -- TRUSTe and Gratis announce they have come to an agreement on how Gratis can get the seal back. TRUSTe still won't tell public what happened.

  • March 22, 2005 -- Gratis "sold email marketer Jumpstart Technologies access to approximately 1,880,382 names, Hotmail and MSN email addresses and IP addresses it had collected." (Spitzer lawsuit allegation)

  • Week of March 21, 2006 -- Attorney General Eliot Spitzer sues Gratis Internet, seeking damages that could easily put the company out of business. For its part, TRUSTe says almost nothing, except to avoid phone calls, cite "confidentiality agreements" and issue a press release re-iterating that it pulled Gratis's privacy seal.

That, in a time line, is how TRUSTe works for you.

So the next time you go to a website certified by TRUSTe, rest assured that TRUSTe will totally investigate any breaches of a privacy policy and find no evidence, even if they might have been informed months before that the breach happened, and that if it gets really bad, they will pull the seal but offer to reinstate if the company says sorry (in private, to TRUSTe).

Yup, TRUSTe seal or not, the old rules still apply. Don't give out real addresses to companies online, don't trust that market-based compliance programs mean anything, and don't click on the unsubscribe button.

Oh yeah, and there's STILL no such thing as a free lunch, a free iPod or a free privacy compliance program that works in your interest instead of the company that is paying for it.


Technorati Tags: , , , , , , , ,

Posted by Ryan Singel at March 28, 2006 01:10 PM

 Trackback Pings

TrackBack URL for this entry:
http://www.secondaryscreening.net/cgi-bin/mt-tb.cgi/274
Powered by
Movable Type 3.2