Visitors to TRUSTe's Web Site Tracked by a Third Party

Interhack Corporation announces a new technical report from its Internet Privacy Project which reveals that pseudonymous information about visitors to the TRUSTe website was being directed to a third party without their knowledge, apparently in violation of TRUSTe's privacy policy.

TRUSTe Privacy Policy Makes No Mention of Third Party

The Privacy Policy statement on TRUSTe's web site mentions that IP addresses and browser types will be recorded but says nothing about this information being collected by a third party or being made available to a third party.

Asserts Joint Ownership Of Collected Data

Not only is information about TRUSTe site visitors being made available to, but asserts joint ownership of the data. In the Terms and Conditions of use, states:

12. We both own the data regarding visitors to your Web site that we collect. You can use the data we provide for any legal purposes. We will use the data in compliance with our privacy policy.

Can Engage in Profiling

can engage in detailed profiling in the short term through the use of cookies that will stay active until the browser is restarted. In the longer term, profiling appears to be possible through a Web cache trick known as Meantime.

TRUSTe Removes Web Bugs

At approximately 5 p.m. EDT, we discovered that TRUSTe has removed the web bugs from its site. Perhaps we'll see TRUSTe investigate itself and publish the results so we can understand just how TRUSTe came to allow such a violation of its visitors' privacy.

Complete details of the discovery, including code snippets that show the tracking code as it existed on August 23, 2000, and discussion of the implications can be found in the technical report A Failure to Communicate: When a Privacy Seal Doesn't Help.

About the Internet Privacy Project

Interhack Corporation established the Internet Privacy Project to study how systems deployed on the Internet affect the privacy of web users. The project advocates building systems where privacy is a design requirement from the beginning. Studies include documentation of systems that fail to provide privacy so system designers can better understand how these systems fail to provide adequate privacy protection, hopefully to learn from their mistakes.

Matt Curtin
Last modified: Fri Aug 25 08:56:00 EDT 2000