Security Company Sets Crosshairs on TRUSTe

Interhack Corp., a Web security tools company, this week accused Internet privacy organization TRUSTe of violating its own privacy policy, because of its use of a third-party visitor counter from Corp.‘s

The allegations center around the technology used by, a free service from parent company, , that allows Web sites to determine how many people are using their sites and learn information about these visitors’ computer systems and settings. To do that, uses a cookie, which is set when a person visits a site, and is present until the user closes the browser.

Interhack raises questions about what could be happening with this information, even though it admits it doesn’t know that the data is being misused. “None of this is a big deal, but when considering the bewildering number of possible combinations, this means that a good deal of information about the client and its user are being directed to,” Interhack’s report reads.

The controversy is reminiscent of the one that erupted over the Office of National Drug Control Policy’s use of DoubleClick Inc.’s technology on its Freevibe Web site. The ONDCP’s advertising agency was using the cookies to track the effectiveness of its banner ads.

After Interhack raised the issue, TRUSTe promptly disabled system, although the privacy organization didn’t admit to any wrongdoing.

“Privacy is as much about perception as it is about technicalities,” said Dave Steer, a spokesperson for TRUSTe. “Interhack came out with a report making a bunch of allegations that are not based on fact. They are based on possibilities of what could be happening.”

For its part, said that the information was only being used to help Web sites get data about their users, so they could develop Web pages accordingly.

“We are doing nothing with the data other than providing a count,” said Gus Venditto, editor in chief of “We have always placed high importance on protecting the privacy of individual users and have been scrupulous in making sure there is no possibility of tracking individual users. Interhack raised a number of concerns that are groundless.”

Richard Smith, the chief technology officer of the Privacy Foundation, who has been responsible for catching some high-profile privacy bugs, says there’s no cause for alarm.

“Unless you have a permanent cookie, you’re not tracking people. I think that’s a pretty important distinction to make here,” said Smith.

“If you’re a Webmaster, you want to get an idea in general about what kind of browsers people are running, so you can design your pages around the most popular screen sizes and things like that. That’s why the data is gathered. That’s clearly not a big deal, and Web sites do this all the time on their own, as well as hiring out these third party services.”

Still, Interhack contends that TRUSTe, because it didn’t explicitly acknowledge its use of or its cookies, violated its covenant with its users.

“TRUSTe is in the business of building a Web that people can believe in,” said Matt Curtin, of Interhack. “What that means is that they need to make sure that their own house is in order. It is not excusable for TRUSTe to say that somebody else they were using is responsible for collecting all this information or for using it in a way that they’re not happy with. The fact of the matter is that the TRUSTe people had to approve the presence of’s code on their site, and that means that they were bound by the terms and conditions of its use.”

TRUSTe’s Steer believes Interhack had ulterior motives for targeting the organization.

“Nothing was going on except for TRUSTe wanting to know a little more about what pages people were looking at on our site,” said Steer. “Always look at the source. This company needs to promote themselves. If they can get a lot of publicity for this, more power to them.”
