Posts Tagged ‘TRUSTe’

Rubicon and YuMe step up on opt-outs

September 21, 2009

In prior posts I’ve mentioned both YuMe, a video ad network, and The Rubicon Project, one of the new intermediary firms that optimizes website ad revenue by selecting the highest yielding ad from across multiple ad networks or exchanges. After wondering out loud about YuMe’s lack of an opt-out and Rubicon’s lack of any privacy statement for consumers, it looks both have taken steps in the right direction in the last few days.

YuMe revised their privacy policy for consumers and added an opt-out cookie process. The disclosures are clear and the process is smooth. Opt-out is now mentioned on YuMe’s homepage (although not prominently).

Rubicon took a different approach, adding a “Transparency” page linked from their homepage (“Privacy” still takes you to B2B disclosures). Here a consumer can opt-out of tracking by Rubicon, and also see what interests Rubicon has associated with their profile.

Although I visited half a dozen websites where Rubicon is installed, including auto, sports and baby sites, I couldn’t get any interests to register on the Transparency page. This piece may not yet be operational, or there may be a lag, but once it is, it will put Rubicon in company with BlueKai, Google and a few others who not only provide preference choices, but also provide the consumer with the contents of their online profile.

This is worthy of praise, but Rubicon’s implementation needs improvement. Suggestions:

  1. Consumers who come to Rubicon’s homepage will be looking for information about “privacy” and will end up in the wrong place. Putting the opt-out process below a label like “Transparency” won’t compute for consumers, and renders the exercise largely useless.
  2. Showing interests and providing an opt-out are good steps, but they don’t substitute for an actual privacy policy that also addresses questions like data retention, sharing of information with third parties, and method of data collection (cookies, Flash cookies, IP addresses?). The TRUSTe seal appears at the bottom of the Transparency page, implying that the disclosure is covered by TRUSTe’s certification (although it seems rather thin to have qualified).
  3. After pressing the opt-out button (with the unnecessary radio button choice), there’s no cue that confirms that the opt-out has been effective, even though a cookie has been written. Also, it isn’t clear whether, by opting out, any affinity profile information that has previously been created will be deleted.
  4. There’s no explanation of how the opt-out cookie may be lost if cookies are deleted, nor a link to browser add-ons that can set the cookie permanently (such as those provided by Google, TACO or privacychoice).

It’s good to see more networks beefing up privacy disclosures and making opt-outs available. But for Rubicon and many other tracking companies, the implementation of consumer privacy disclosure and choice still seems half-hearted.

Advertisements

How do the most trusted companies enable third-party tracking?

September 17, 2009

According to a survey sponsored by TRUSTe, here are the top ten brands most trusted by consumers when it comes to privacy. Just for grins, here are links to the privacychoice profiles for their websites (where we have them already). This lets you see how the most trusted brands enable third-party tracking, a practice largely invisible to consumers.

eBay
Verizon
USPS
WebMD
IBM
Procter & Gamble
Nationwide
Intuit
Yahoo!
Facebook

Some of these companies have pretty long lists of third party trackers on their sites, with some serious holes in their privacy practices (concerns highlighted in our new interface).

As TRUSTe notes, 8 out of 10 are TRUSTe certified, at least as to their own privacy policies. What does TRUSTe certify about the practices of trackers enabled on these trusted sites?

OthersOnline + Rubicon: no consumer policies required?

September 15, 2009

Ad optimizer Rubicon announced acquired OthersOnline, which is “an “affinity scoring” service that determines how strongly a person is interested in particular brands, products or topics.” Business Week frames this as part of an inevitable consolidation of sources of behavioral targeting data. It sounds like a good occasion to dig into their privacy practices.

Rubicon has been a puzzle for the privacychoice classifications, since like a number of companies in this field, they have no consumer-facing privacy policy. The policy linked from their homepage literally applies only to their customers and visitors to their website. Rubicon’s policy is certified by TRUSTe, which might lead a consumer to think the certification also covers their practices relative to the general public. In this case, TRUSTe certification may mean that Rubicon does not collect any user information, even though consumer browsers interact with Rubicon servers when visiting websites where Rubicon is installed.

OthersOnline doesn’t link to any privacy statement from their homepage, but with some searching you can find a blog post about privacy from February 2007. It includes assurances that personal information is never shared, but no mention of whether or how anonymous information or profiles may be shared, whether sensitive information is collected or what policies apply to deletion, assuming those concepts apply to how their service operates.

We will keep an eye out for any changes to the Rubicon privacy policy. Transactions of this sort often provide a good opportunity for some housecleaning. Even if Rubicon collects no consumer information, a statement to that effect in the privacy policy would be helpful.

UPDATE: Since this post, Rubicon has shored up its disclosures. See my post here.

TRUSTe and Haute Secure: Business is business (and there’s nothing wrong with that)

April 21, 2009

I’ve been very interested in TRUSTe’s acquisition of Haute Secure, which provided a much loved browser add-on to warn users of potential malware and other risks as they travel to websites.  So today’s post on the TRUSTe blog got my attention:

Haute Secure does a marvelous job protecting the user from malicious content out on the Internet – of that there is no doubt – but the toolbar was only able to protect the end user if they downloaded and installed software on their computer, and that put a finite limit on its effectiveness. By focusing its efforts on its offering for web sites that are at risk of being used as an avenue to infect computers, Haute Secure will be able protect *every single visitor* to any web site that chooses to take advantage of TRUSTE’s new security scanning, reputation services and anti-malware protection offerings without the end user having to do anything to get the benefit of that protection.

via TRUSTe Blog » Reflections of a HauteSecure Toolbar Early Adopter.

In other words, no more toolbar — consumers are only protected from malware on sites that subscribe through TRUSTe.

I don’t disagree with the business decision that was made here — after all, TRUSTe’s business model is to sell to websites, not necessarily to provide free services to consumers. Maintaining a consumer facing service is expensive, so a rational business-person would need to conclude that the ROI of the consumer toolbar is sufficient when it comes to sales of monitoring to websites. Apparently, the numbers just didn’t add up (and we’re in a recession, after all).

What I would expect from TRUSTe is perhaps a clearer acknowledgment that, with TRUSTe’s transition from non-profit dot-org to venture-backed, for-profit company, they will be making business decisions like this.  The idea expressed in the post, that the decision was about how to protect people best, strikes me as disingenuous.  The fact is, the worst malware providers won’t be TRUSTe customers and protection from those will now be lost.

Make no mistake — I’m excited about TRUSTe’s for-profit transition because I like to think that for-profit enterprises can often help solve public problems. But there’s no reason we can’t be transparent about motivations.

PS What’s up with not allowing comments on the TRUSTe blog? 

How relevant is TRUSTe to behavioral targeting?

April 16, 2009

TRUSTe has established itself as the leading independent organization certifying the privacy practices of online providers. This list of companies that have obtained TRUSTe certification is indeed large, 2,400+ according to their site, and includes heavyweights like Yahoo! and Microsoft/MSN. TRUSTe certification is said to be something like the Good Housekeeping seal for consumer privacy.  In TRUSTe’s own words:

The TRUSTe seal means that the company whose Web site you are visiting takes your privacy seriously. We monitor the compliance of member businesses, provide an arena for you to file privacy violation complaints, and make sure these complaints are heard.

So, if behavioral targeting is a frontier for consumer privacy, you would expect ad networks and other BT companies to see TRUSTe certification as an important badge of honor, and also be prepared to submit to some oversight.

As it turns out, in our research on over 70 different tracking networks, far fewer than I expected have actually gone to the trouble to step up for TRUSTe certification. Among the larger players, Yahoo! and Microsoft appear to be certified by TRUSTe as to their ad network activities. Although AOL is TRUSTe certified as to the aol.com service, they maintain separate policies for their several ad networks, like advertising.com, Platform-A and Quigo, and there’s no mention of TRUSTe in those brands (other than Tacoda). Recent heavyweight entrant to behavioral targeting, Akamai, has not been certified, nor has Quantcast (which is amassing quite a footprint across its network).  (By the way, among other tracking research companies, Omniture and Coremetrics have been certified, while Nielsen appears not to be.)

And among the smaller ad network players, only a handful (including among others AudienceScience, Fetchback, Nextag, RealMedia.com and Media6degrees) are TRUSTe certified. Notable uncertified small players:  BlueKai, Collective Media, Adify, Fox Interactive Media, Turn and dozens of others.

Of course, the elephant in the room is (always) Google (including the massive DoubleClick and AdSense ad networks). Interestingly we found no mention of TRUSTe certification mentioned in their privacy policies or on TRUSTe’s list. Speaking cynically, I guess you wouldn’t expect behemoth Google to humble itself to a pesky third-party watchdog, even though Yahoo and Microsoft were willing to do so. 

For privacychoice 2.0, we’re still planning to allow users to opt-out only from networks that are not TRUSTe certified, since for many consumers, it’s good enough to now that a watchdog is involved. Unfortunately, it looks like that opt-out list will be a pretty big.  

For an industry claiming to be able to regulate itself, this doesn’t exactly inspire confidence.