Security Company Sets Crosshairs on TRUSTe

Interhack Corp. a Web security tools company, this week accused Internet
privacy organization TRUSTe of violating
its own privacy policy, because of its use of a third-party visitor counter
from Corp.‘s

The allegations center around the technology used by, a free
service from parent company, that allows Web sites to determine how many people are using
their sites and learn information about these visitors’ computer systems and
settings. To do that, uses a cookie, which is set when a
person visits a site, and is present until the user closes the browser.

Interhack raises questions about what could be happening with this
information, even though it admits it doesn’t know that the data is being
misused. “None of this is a big deal, but when considering the bewildering
number of possible combinations, this means that a good deal of information
about the client and its user are being directed to,”
Interhack’s report reads.

The controversy is reminiscent of the one that erupted over the Office of National Drug Control
‘s use of DoubleClick
‘s technology on its Freevibe Web
. The ONDCP’s advertising agency was using the cookies to track the
effectiveness of its banner ads.

After Interhack raised the issue, TRUSTe promptly disabled
system, although the privacy organization didn’t admit to any wrongdoing.

“Privacy is as much about perception as it is about technicalities,” said
Dave Steer, a spokesperson for TRUSTe. “Interhack came out with a report
making a bunch of allegations that are not based on fact. They are based on
possibilities of what could be happening.”

For its part, said that the information was only being used to
provide information to help Web sites get basic information about their users, so
they could develop Web pages accordingly.

“We are doing nothing with the data other than providing a count,” said Gus
Venditto, editor in chief of “We have always placed high
importance on protecting the privacy of individual users and have been
scrupulous in making sure there is no possibility of tracking individual
users. Interhack raised a number of concerns that are groundless.”

Richard Smith, the chief technology officer of the Privacy Foundation who has been
responsible for catching some high-profile privacy bugs, says there’s no
cause for alarm.

“Unless you have a permanent cookie, you’re not tracking people. I think
that’s a pretty important distinction to make here,” said Smith.

“If you’re a Webmaster, you want to get an idea in general about what kind
of browsers people are running, so you can design your pages around the most
popular screen sizes and things like that. That’s why the data is gathered.
That’s clearly not a big deal, and Web sites do this all the time on their
own, as well as hiring out these third party services.”

Still, Interhack contends that TRUSTe, because it didn’t explicitly
acknowledge its use of or its cookies, violated its covenant
with its users.

“TRUSTe is in the business of building a Web that people can believe in,”
said Matt Curtin, of Interhack. “What that means is that they need to make
sure that their own house is in order. It is not excusable for TRUSTe to say
that somebody else they were using is responsible for collecting all this
information or for using it a way that they’re not happy with. The fact of
the matter is that the TRUSTe people had to approve the presence of

.com’s code on their site, and that means that they were bound by
the terms and conditions of its use.”

TRUSTe’s Steer believes Interhack had ulterior motives for targeting the

“Nothing was going on except for TRUSTe wanting to know a little more about
what pages people were looking at on our site,” said Steer. “Always look at
the source. This company needs to promote themselves. If they can get a lot
of publicity for this, more power to them.”

News Around the Web