Security Company Sets Crosshairs on TRUSTe

Interhack Corp., a Web security tools company, this week accused Internet
privacy organization TRUSTe of
violating its own privacy policy, because of its use of a third-party
visitor counter from

The allegations center around the technology used by, a
free service from parent company, that allows Web sites to determine how many people are
using their sites and learn information about these visitors’ computer
systems and settings. To do that, uses a cookie, which is
set when a person visits a site, and is present until the user closes
the browser.

Interhack raises questions about what could be happening with this
information, even though it admits it doesn’t know that the data is
being misused. “None of this is a big deal, but when considering the
bewildering number of possible combinations, this means that a good deal
of information about the client and its user are being directed to,” Interhack’s report reads.

The controversy is reminiscent of the one that erupted over the Office of
National Drug Control Policy’s use of DoubleClick Inc.’s technology on
its Freevibe Web site. The ONDCP’s advertising agency was using the
cookies to track the effectiveness of its banner ads.

After Interhack raised the issue, TRUSTe promptly disabled system, although the privacy organization didn’t admit to
any wrongdoing.

“Privacy is as much about perception as it is about technicalities,”
said Dave Steer, a spokesperson for TRUSTe. “Interhack came out with a
report making a bunch of allegations that are not based on fact. They
are based on possibilities of what could be happening.”

For its part, said that the information was only being used
to provide information to help Web sites get basic information about their
users, so they could develop Web pages accordingly.

“We are doing nothing with the data other than providing a count,” said
Gus Venditto, editor in chief of “We have always placed
high importance on protecting the privacy of individual users and have
been scrupulous in making sure there is no possibility of tracking
individual users. Interhack raised a number of concerns that are

Richard Smith, the chief technology officer of the Privacy Foundation who has
been responsible for catching some high-profile privacy bugs, says
there’s no cause for alarm.

“Unless you have a permanent cookie, you’re not tracking people. I think
that’s a pretty important distinction to make here,” said Smith.

“If you’re a Webmaster, you want to get an idea in general about what
kind of browsers people are running, so you can design your pages around
the most popular screen sizes and things like that. That’s why the data
is gathered. That’s clearly not a big deal, and Web sites do this all
the time on their own, as well as hiring out these third party

Still, Interhack contends that TRUSTe, because it didn’t explicitly
acknowledge its use of or its cookies, violated its
covenant with its users.

“TRUSTe is in the business of building a Web that people can believe
in,” said Matt Curtin, of Interhack. “What that means is that they need
to make sure that their own house is in order. It is not excusable for
TRUSTe to say that somebody else they were using is responsible for
collecting all this information or for using it in a way that they’re not
happy with. The fact of the matter is that the TRUSTe people had to
approve the presence of’s code on their site, and that
means that they were bound by the terms and conditions of its use.”

TRUSTe’s Steer believes Interhack had ulterior motives for targeting the

“Nothing was going on except for TRUSTe wanting to know a little more
about what pages people were looking at on our site,” said Steer.
“Always look at the source. This company needs to promote themselves. If
they can get a lot of publicity for this, more power to them.”
