TRUSTe Learns a Privacy Lesson the Hard Way

The TRUSTe "trustmark" logo visible on a Web site tells surfers that their personal information is safe because the site follows TRUSTe's code of privacy conduct. While TRUSTe's logo at the top of its own Web page is always in plain view, tracking software discovered by a security expert on TRUSTe's site was invisible to visitors. Use of the tracking software violated TRUSTe's own privacy policy and the policies it certifies 1000 other Web sites to follow.

"I appreciate the irony," said Dave Steer, a TRUSTe spokesman, calling the incident an example of the complexity of high-tech privacy issues. "As ironic as this is for us, it happens to other sites. Most privacy incidents are accidents and aren't willfully intended. As soon as we found out about it, it was off of our site in a half an hour."

TRUSTe site administrators had wanted to know which pages received the most visitors, according to Steer. "We're a nonprofit [organisation], and we didn't have the resources to engineer a solution in-house," he said.

TheCounter.com's software gives Web masters a weekly tally of the number of hits a page gets, along with the type of browsers used and the percentage of which are Java-enabled. "We had actually considered using other services and didn't like them," Steer said. "From what we understood, the only thing that was being sent was personally unidentifiable IP [Internet Protocol] addresses."

In order to get that information, a GIF (graphics interchange format) file appears on the page which must be downloaded from TheCounter.com's servers. When a visitor's browser requests the image, it also sends the server the desired information, along with the IP address of the computer requested. Counter images routinely appear at the bottom of pages -- little boxes, sometimes with the current hit count on them.

However, in TRUSTe's case, the organisation chose to use a GIF file as small as possible, one pixel by one pixel, said Internet.com Chief Technology Officer Mark Burnes. In effect, TRUSTe chose to install a "Web bug" version on its Web page -- an invisible image used to track site hits that also holds a malevolent potential for tracking and profiling Web surfers without their permission, without their knowledge and without using a cookie.

Steer denied that GIF file was intentionally made invisible.

A Web bug, or any image uploaded from a server other than the one producing a site's Web page, opens the door for a tracking trick called the "Meantime exploit," said Matt Curtin, president of security group Interhack. A Meantime tracker notes the exact time a Web bug is downloaded, effectively tagging the page it's on. When a visitor returns to a site and refreshes the page, the tracker learns the last time the Web bug was refreshed and thus, the last time that particular browser had been there, according to Curtin.

When combined with cookies, knowledge of IP addresses or personal information gathered elsewhere, Web bugs can secretly track users all over the Internet, and can even be planted in bulk e-mail to let spammers learn who reads their messages. Web bugs can defeat users who simply turn off cookies on their browsers.

Internet.com officials said repeatedly that they don't track surfers. "We don't have a database with clients' data. We don't charge anyone to use the counter. We don't have any business selling data here," said Alan Meckler, chairman and chief executive officer of Internet.com. Data collected by TheCounter.com is held just long enough to compile the tracking report, then sent by e-mail to the participating site, he added.

That's not the issue for Interhack's Curtin, who said after talking to Internet.com officials that he believes no tracking took place, despite finding that TheCounter.com software code could potentially use time-date tracking. "I have no reason not to believe them," he said.

But Internet.com could track surfers if it wanted, Curtin added, and that's his problem with TRUSTe's security. There's no way TRUSTe could know Internet.com isn't tracking surfers short of dissecting TheCounter.com's servers. TheCounter.com is capable of compiling a profile of a user by comparing Web bugs potentially placed on any of the 900,000 Web sites operated by the tracking company's clients, Curtin added.

According to item 12 of the terms and conditions for using TheCounter.com software, both TheCounter.com and the counter-equipped site own the data collected regarding visitors to Web sites. "You can use the data we provide for any legal purposes," a statement issued by TheCounter.com said. "We will use the data in compliance with our privacy policy."

TRUSTe has not certified Internet.com's privacy policy, nor TheCounter.com's. No one from TRUSTe had contacted Internet.com prior to the issue emerging in press reports, Burnes at Internet.com said.

TRUSTe's privacy policy states that users would be notified if any of their personal information was to be used. Knowing if one's browser is Java-enabled may not seem like personal information, but it went beyond the reporting and tracking needs of TRUSTe, Curtin said.

Security professionals make evaluations based on capabilities and potential, not intent, Curtin explained. "For Web designers, if an application does what it's supposed to do, great, and if it does more, then it's an added victory," he said. "For security guys, if it does no more than what it's supposed to do, that's a victory, and anything more it can do is a loss."

Conceding the possibility that the tracking service "may be engaging in other techniques to track Web site visitors and that the possibility exists that Internet.com may be gathering Web site visitors' personally identifiable information," TRUSTe removed the tracking software from its site, TRUSTe said in a statement posted on its site. TRUSTe chose the service "solely on the belief that Internet.com was not collecting any personally identifiable information on visitors to the TRUSTe Web site," the statement said.

"I want to emphasise that, at this point, there is no verifiable evidence that any personally identifiable information was gathered by Internet.com. But, as we advise other Web sites, the best practice in a case like this is to immediately eliminate the possibility that any information is being improperly transferred," said Bob Lewin, CEO and executive director of TRUSTe, in the statement.

"I wouldn't be surprised if they just installed the software and weren't planning any dastardly activities and didn't know the implications of running this software," said Internet privacy advocate Ray Everett-Church. "I would much rather believe that it was just a dumb mistake," he added.

"What this points out, what this highlights is just how complicated the privacy issue is for even very savvy, well-intentioned organisations." Everett-Church said. "You can have the best privacy policy on Earth and still be subject to the problems of technology."

Pulling the software immediately, and informing visitors of the potential breach are the first two steps a Web site operator should perform if a problem is discovered, said TRUSTe's Steer. Evaluating the privacy problem and determining the next course of action as TRUSTe is doing is the last step, he added.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?