Truste, a non-profit privacy compliance organization, directed information about its site visitors to a third party in violation of its own privacy policy, a report released Thursday by online security firm Interhack alleges.
According to Interhack’s report, Truste’s use of Counter.com, a Web statistics program, inadvertently caused the San Jose-based organization to transmit information to the program’s creator, Internet.com Corp.
Upon being alerted to Interhack’s concerns, Truste immediately had its information systems manager remove the Counter.com feature from its site. But, says Truste spokesman Dave Steer, “There is no verifiable evidence that [Internet.com is] taking non-identifiable data and linking it with personally identifiable information, but as soon as we learned of the possibility that it was happening that was enough to take the action that we did and advise the Web community of what was happening.”
Truste is in the process of setting up a meeting with Internet.com and getting Internet.com’s detailed comments on the Interhack report. “Their take is that there are a lot of allegations that were raised and few, if any, are based on fact,” said Steer.
Interhack’s report raised a series of questions in a public forum regarding Truste’s use of the counter.com service without contacting Internet.com for answers, according to Internet.com Corp.’s editor in chief Gus Venditto.
Counter.com provides a service for webmasters that don’t have access to Web site statistics. Information transmitted includes basic visitor statistics such as IP address, browser type, screen resolution, language preference, and whether or not the computer is Java enabled, says Internet.com’s chief technology officer Mark Berns.
The real issue, said Berns, is Truste’s use of a third-party counter given their privacy policy and their position on privacy.
Matt Curtin, founder of Columbus, OH-based Interhack, discovered the data transmission from Truste’s site while following up on a previous investigation. Lucy.com, which had previously been cited by Interhack for providing data to a third party, had issued a statement affirming its commitment to privacy, causing Curtin to revisit the site.
Lucy.com’s site features a link back to Truste’s site (http://www.truste.org). When Curtin clicked on it, a filtering program his computer runs alerted him that the counter.com feature was setting a non-persistent cookie (one that remains only until the user quits out of the Web browser) on his machine.
Curtin draws the distinction that the data being transmitted back to counter.com from Truste is “pseudonymous,” that is, it does not contain individually identifiable details such as names, social security numbers, or telephone numbers. The problem, he says, arises when either enough analysis is done or a security leak occurs, allowing such data to become “verinymous,” or traceable back to an individual.
Early in August Interhack charged that Toysrus.com, Babiesrus.com and online apparel retailers Lucy.com and Fusion.com were providing data to online analytics firm Coremetrics in violation of their stated privacy policies. Toys R Us has since severed its relationship with San Diego, CA-based Coremetrics.
Coremetrics subsequently called Interhack’s allegation “highly speculative and misleading,” and pointed out that it has a privacy statement and opt-out mechanism on its site, and that it follows the guidelines set by the Online Privacy Alliance, the Direct Marketing Association, and the Children’s Online Privacy Protection Act.