TRUSTe covering for Facebook

For those of you following the ever-entertaining saga about Facebook data mining the entire human population (except for the smart ones), here's another zinger about their relationship with TRUSTe, the supposed Internet privacy and trust organization founded in 1997. First, some extracts from their mission statement and website:

" TRUSTeĀ® is an independent, nonprofit organization dedicated to enabling individuals and organizations to establish trusting relationships based on respect for personal identity and information in the evolving networked world.

Advancing privacy and trust for a networked world, we certify and monitor web site privacy and email policies, monitor practices, and resolve thousands of consumer privacy problems every year."

You've probably seen their logo on various sites you may visit, such as eBay. This 'privacy seal' is supposed to ensure that the website in question has trustworthy online privacy policies. Even though I've done a fair amount of work on the periphery of web privacy standards in Canada in the past few years, I'd never really crossed paths with TRUSTe other than noticing their seal on a few sites, and automatically assuming that the site in question cared more about privacy or protecting user data than another site which doesn't have the seal. For someone like me and the other eight people or so who actually care about user privacy on the web, it was like a warm fuzzy blanket that made me feel more comfortable visiting the site in question, and I never paid more heed to it than that.

This warm fuzzy blanket, though, turned out to be crawling with bedbugs and full of holes. Horrible analogies aside, I was advised by a few different people to carry my complaint against Facebook's privacy policies to TRUSTe, of which Facebook is a member. After reading ,TRUSTe's web seals privacy principles - which include "Giving users choice and consent over how their information is used and shared" - I knew that it was a pretty clear case against Facebook on TRUSTe's terms, since you can't get further away from "giving users choice and consent over their information" than not even allowing users to leave your service or close their account.

However, I quickly learned that TRUSTe isn't so much the "privacy watchdog" that they try to massage into their reputation,as they are an accessory to big firms who want to try and appease the more-than-semi-conscious minority of their potential clientele who concern themselves with who has access to their private data (or more specifically, what is in essence telemetry about your real and virtual identities and relationships).

Here is the sequence of correspondences (mostly excerpts to aid readability) between TRUSTe, Facebook and myself regarding 'TRUSTe Watchdog Complaint #39469' :

First step was filing the complaint on the TRUSTe website:

Name: Steven Mansour
Email: steven --at-- stevenmansour.com
URL: http://www.facebook.com
Complaint Type: Unable to close account

Description:

Facebook did not provide me an easy means to delete my account. While all other TRUSTe member sites I have used in the past made it very simple to completely close / delete my account and personal data on their services, Facebook makes this nearly impossible by forcing the usually to manually delete every piece of content ( see my post on the issue here: http://stevenmansour.com/writings/2007/jul/23/2342/2504_steps_to_closing_your_facebook_account ), one by one. If a user has been on the site for any reasonable amount of time, they may have to sit there for hours and click "delete" on thousands of pieces of content, just to get their account properly closed.

Seeking:

While I went through the enormous hassle of getting my account closed, the best resolution for Facebook members who wish to leave would be for Facebook to offer a simple mechanism for people to close - not just 'deactivate' their accounts completely. This, I thought, is something that is supposed to be guaranteed in the TRUSTe privacy certification.

Simple and straightforward enough, right? I was further encouraged when I received their (probably form letter) response:

Thank you for submitting your privacy complaint through the TRUSTe Watchdog Dispute Resolution program. The TRUSTe Compliance Team has reviewed the details of your complaint and we have determined that it is a valid privacy complaint. We have contacted www.facebook.com on your behalf and have outlined the steps necessary for proper resolution.

I started to think that maybe they were actually going to look into it and, you know, enforce the standards that they claim to hold their partner organizations to.

The next email was a surprise at the time, but in retrospect it makes total sense considering Facebook's complete and total lack of transparency . It came not from TRUSTe, but from "Simon" at Facebook:

Hi Steven,

We have confirmed that your account has been deleted. We apologize for any inconvenience this has caused. Please let me know if you have additional questions or concerns.

Simon
Facebook

Umm, no offense Simon, but wtf? What emails have you been reading? I closed my account in, like, July. Here's an idea - how about you actually read the body of the complaint email before replying?

But then, that would make Facebook something other than an Orwellian data scraper that hides behind cryptic admin-talk and pretty pictures so that they can continue preying on the average joe who doesn't know any better. Come to think of it, there's another administration that behaves in an uncannily similar way.

Hmm... are Facebook users the web equivalent of FOX news-watching trailer republicans? If so, then Facebook groups are evangelical church gatherings. ;)

I replied to both Facebook and TRUSTe with the following message, which is still unanswered:

Hello Simon,

Thank you for your reply - however, the nature of my complaint to TRUSTe
wasn't specific to my account, but to the inability of users to choose
to remove their data from Facebook. "Deactivation" is provided in lieu
of "deletion", which is misleading to users who wish to choose how their
personal data is distributed and accessed.

As described in 'seeking' section of complaint #39469, my own account
had been deleted after I went through the enormous hassle of deleting
each piece of Facebook content, one-by-one. It took me several hours of
work to be able to get my account deleted - and I had much less content
on my Facebook account than most Facebook users have today.

The basis for complaint #39469 lies with Facebook's non-compliance with
TRUSTe's privacy principles, especially:

"Giving users choice and consent over how their information is used and
shared"

http://www.truste.org/businesses/web_privacy_seal.php

The only acceptable resolution to this complaint would be for Facebook
to offer users who wish to delete their accounts a means to do so
quickly, clearly and easily. If this option is offered to users
alongside the current "deactivation in anticipation of reactivation at a
later date" functionality, that is also acceptable.

As things currently stand, however, Facebook does not 'give users choice
and consent over how their information is used and shared'.

- Steven Mansour

The oblivious folks at TRUSTe obviously didn't bother reading any of this, and just assumed by Simon's copy-paste response that 'Facebook complied', in this letter dated a few days after Simon from Facebook sent his non-response:

Dear Steven Mansour:

Thank you for the recent Watchdog you submitted against www.facebook.com. The Web site has cooperated with TRUSTe and has responded to your complaint below.

We are therefore closing this Watchdog. If you feel that this matter should not be closed because there is still an unresolved issue within the scope of TRUSTe's program and you would like to appeal our decision, please submit your appeal via email to appeals@truste.org. Note: please use the subject line on this message to ensure your request can be processed properly. To learn more about the appeals process please visit http://truste.org/consumers/compliance.php

You ever get the feeling that you're surrounded by androids who are utterly unable to act natural outside of a certain predefined framework? Yeah, me too... me too. I felt the need to reprogram this android to try and teach it some new tricks:

Dear TRUSTe compliance team,

Regrettably, this issue has not been resolved and Facebook has not
cooperated.

I've just confirmed with a colleague who is still a Facebook member that
he cannot close his Facebook account, because there is still no
mechanism to do so on the Facebook site.

The resolution to this complaint would be for Facebook.com to allow
users to close their accounts themselves.

Facebook.com has shown in the past that it has the functionality and
technical ability to do so, but so far refuses to allow Facebook.com
members to leave. This is in clear violation of the core tenets of the
TRUSTe statement.

Please advise as to what the next steps in this process are.

Steven Mansour

To which the TRUSTe automatic teller machine answered:

Dear Steven Mansour,

Thank you for contacting appeals@truste.org regarding your privacy complaint against www.facebook.com. We are reopening this Watchdog complaint so we can look into the matter further.

Gee, thanks. That was the most painless appeals process I've ever gone through! Let me tell you about the time when I was on trial for...

Anyways, it's radio silence for five days, followed by a sunny picture of Facebook and TRUSTe frolicking naked in the dandelions:

Dear Steven Mansour:

Thank you for the recent Watchdog complaint you submitted against www.facebook.com. We sympathize about the inconvenience that the lack of a one-shot delete mechanism may have for a user who has posted a lot of content over their time on Facebook. In researching your appeal, however, it is our determination that Facebook is not violating its privacy policy or TRUSTe's program requirements by not providing a one-shot mechanism to delete all content that a user has posted when the user closes their account.

Although we encourage licensees to provide convenient mechanisms for this, we do not require it. I have notified our Policy team about this issue so they can evaluate it when we next revisit our program requirements.

We will keep this Watchdog complaint open until Dec 27, 2007, to allow you a chance to respond. When responding, please include information about the specific TRUSTe program requirement or Facebook privacy policy provision that you believe this violates.

Sincerely,

TRUSTe Compliance Team

Well, that just sucks don't it? Too bad you never really addressed my complaint (or likely even read it for that matter). I wasn't talking about a 'one-shot deletion mechanism', but rather that Facebook users are unable to close their account, period. How's that for privacy policy and building trust between organizations and consumers? :)

Dear TRUSTe compliance team,

This is very disappointing news. Many users such as myself have been
frustrated by the Draconian practices used by Facebook with regards to
their private information, and saw filing a complaint with TRUSTe as the
logical next step in getting their voices heard.

It's not only about a "one-shot delete mechanism" as you put it, but
about Facebook not being upfront about how they handle our private data.
My complaint was clearly worded, valid, and demonstrated a vivid lack of
compliance with not only the spirit, but also the letter of so-called
TRUSTe policies.

Without even needing to delve deeper into any specific TRUSTe
requirement, just looking at the overview here:
( http://www.truste.org/businesses/web_privacy_seal.php ) states that a
core principle is, verbatim, as follows: "Giving users choice and
consent over how their information is used and shared".

I don't think it's difficult to see how not allowing users to choose
where and how their private information is stored and distributed - and,
at the very least, being upfront about it - is in direct opposition to
the above mentioned tenet that you claim to uphold on your own website.

This issue seems to me - and most other users - as pretty black and
white, and it won't just go away. What more information do you need to
see that Facebook is in direct contravention to your stated policies and
objectives?

If TRUSTe is so unwilling or unable - whether through lack of resources
or of moral fibre - to go after its members when they fall out of line,
perhaps it's time for users to stop being fooled into trusting a site
blindly just because they see a TRUSTe seal on it.

I really do hope that you don't turn your back on the millions of users
who needed an organization like yours to stand up for their privacy
rights on the Internet, whether it's on Facebook or elsewhere.

Regards,

Steven Mansour

And that was that. I'm glad I'm not alone or even new in realizing the TRUSTe is really just a reach-around firm for big web firms to convey a sense of trust to users with their little green logo. It's an empty husk with some pretty lichen on it.

Just one look at their blog and how they keep dropping that they're 'working' with Facebook makes it pretty clear where their priorities are.

So while nothing new was learned about how Facebook operates or about their policies here, I did get some insight into why exactly TRUSTe - both as a non-profit encouraging trust between web companies and individuals, and as a privacy watchdog - is all but irrelevant now. Here's to hoping that 2008 brings some positive change to the web privacy scene.

Comments

Add new comment