Edited to fix typographical errors
The news is out - TRUSTe is now a for-profit, instead of a not-for profit.
As I am sure all of you have noticed, I have been silent about TRUSTe since I started working with them on 16 July 2008. But now, I think, the time has come to speak.
The number one question being asked of me in my tiny corner of the world, now that the world at large knows that TRUSTe is no longer a not-for-profit, is "Sandi, did you know this was going to happen?"
The answer to the question is yes, I did know that this change was coming. TRUSTe have been completely open and honest with me about their plans. They understood that by associating my name with theirs I was also associating my hard-won good reputation with their reputation, and they wanted to be sure I walked in with my eyes open.
The next question that is asked of me is "Why did you agree to work with TRUSTe?". In personal emails one of my correspondents even described TRUSTe as a scam, and I have been told, more than once, that my own reputation would be harmed by being associated with TRUSTe, and I can understand why they felt such concern. For example, people such as Ben Edelman and Eric Howes have been, and continue to be, very critical of TRUSTe (Eric's comment to Alex Eckelberry's blog entry at Sunbelt about the change from not-for-profit is an excellent example of some of the more negative opinions that are held).
Anyway, the short answer is that I agreed to work with TRUSTe because TRUSTe and I have some of the same goals, and because TRUSTe (and I) saw within TRUSTe a real need that I can fill. Let me try to explain.
I have been doing this ("this" being fighting malware and associated misbehaviors on the Internet in its many forms) for many years - since early 2000. In fact, this October I am up for my 10th Microsoft MVP Award in a row. My world - my sphere of concern, of interest, and of influence - encompasses not only the end user but also the anti-virus and anti-spyware community, and businesses and persons who earn a living from "the Internet". I have had to face up to, and settle within myself to the best of my ability, the inevitable conflicts of interest that arise when I consider the wants and needs of all of those different parties and I cannot pretend that it has not been a challenge.
Just one facet of my struggle has been reconciling the needs and wants of the end user with the needs and wants of the businesses that service them. Over the years, and especially during recent times, I have corresponded with, and spoken in person to, several "bad actors" (aka adware purveyors) who have been working to improve their software's behavior, and one message has come through loud and clear, which is that they often encounter, and are discouraged by, what they perceive as a lack of forgiveness on the part of some members of the security/antispyware community. The strongest impression that I am left with is that the attitude they face is one of "once a sinner, always a sinner" - calls are not returned, emails are not acknowledged, attempts at explanation are rejected, and attempts to get improvements acknowledged and, when justified, changes made to antivirus/antispyware software to stop it from flagging and removing the software that has changed its behavior have been discouragingly difficult to achieve.
My personal opinion is that the "once a sinner, always a sinner" attitude is wrong. To treat "bad actors" as evil personified or not worthy of forgiveness or redemption when they are trying to change their ways, is discouraging at best, and at worst may lead them to throw up their hands and say "why bother trying to change if I'm going to be stuck on the blacklist forever anyway". If that happens, what good have we, the champions for the end user, really done?
Another thing that has been communicated to me over the years is that, sometimes, the demands of the security community may directly harm a business's right to protect itself from piracy or misuse/abuse of its software.
For example, let's look at trial software. If such software leaves behind a registry key, or a hidden file, that is used to prevent the reinstallation of time-limited software, and that key or file has a deliberately obscure name, is that necessarily wrong? Should the fact that a registry key or file being left behind on uninstall be disclosed to the user, even if it means that such disclosure will make it easier for the user to bypass anti-piracy protection? This is just one of the problems I have been confronted by, and have had to devote a lot of time and thought to. What do I put first? The right of the end user to be able to easily find everything related to a particular piece of software (and potentially use that knowledge to 'play the system') or do I give priority to a business's right to avoid piracy of their software?
Some demand that every file, every folder, every registry key, be removed when software is uninstalled and will accept no reasoning nor excuse for its remaining, even if this means that any protection against misuse of trial software is lost. Is this right? In short, no. We have to find a balance - a sustainable balance between the needs of the end user, and the needs of the business that services them.
Then there is the question of advertising and adware. To some, all adware is bad. To others, adware is acceptable with full disclosure, but at the same time long spiels of disclosure text are not acceptable. So, how much disclosure is enough, and how should it be communicated? The greater the disclosure, the more the user has to read and acknowledge, and the greater the risk of confusion. For what its worth, my personal opinion is that the traditional requirement that an EULA be displayed and acknowledged should be discarded. Instead, a succinct list of important points should be displayed, with further detail (aka the full EULA) to be made available on clicking a link. Or, the most important words in an EULA should be highlighted in bold font to draw the eye.
How does all of the above tie in with why I decided to work with TRUSTe? I'm getting to that :)
After many years of watching and talking - of thinking and listening - of agonizing and beating of my breast (ok, I admit it, that last one was deliberately over the top) here are the beliefs on which I stand. I admit that over the years my stance has changed - in the past I have held extremist (and dare I say unrealistic) views about software and software behavior, but so be it. As far as I am concerned, the ability to stand up and say "yeah, I was wrong" is just as important as being right:
Adware is not all bad. I have said several times over the years that I believe that every (wo)man deserves their wage, and I do not have a problem with software authors earning an income from adware. That being said, I also believe that users of software are entitled to know exactly what the adware is, what it will do, and what effect it will have on their computers and their privacy and they *must* be given a clear opportunity to decline the adware if they so desire. I also believe that those who offer software for download have the right to refuse to supply us with their wares, or limit its functionality, if we are not willing to accept adware or pay for the software. I do NOT believe that anybody has the right to try and get around such requirements. We do not have a God-given right get stuff for free, or to play the system, just because we found it on the Internet (yeah yeah, just so you know I don't download movies off the Internet, or burn copies of CDs or DVDs or use pirated software - sucks to be me, but I put my money where my mouth is - do as I do, not just as I say).
Advertising is not all bad. Once again, I believe that every (wo)man deserves their wage. Reality is that it costs money to build and maintain a web site, and make it available to the masses. The alternative to advertising is for web sites to move to a user pays, access by registration only, model, and that is something I do NOT want to see. I do not use ad blockers and only recommend that web page advertising be blocked when the web site in question is displaying malvertizing, and that web site has refused to address the problem after being warned - safety must come first).
"The Internet", as the average user understands it, can not survive on philanthropy.
Good Internet behavior should be acknowledged and encouraged.
Work to rehabilitate and then forgive. Without a chance at redemption we eventually succumb to exhaustion and the temptation to continue down the path we have been treading. It is wrong to be so unwaveringly hard on somebody that they despair of forgiveness.
After many emails and phone calls I can say that I honestly believe that my beliefs and stance, and the beliefs and stance of those who work under the TRUSTe banner, can walk in tandem. And I do not easily lay my reputation on the line. It was hard fought for, and hard won. I am very aware that my readers' trust has been hard gained and can be easily lost but I truly believe that TRUSTe are not the "public relations front for privacy abusive online companies" that some believe them to be. TRUSTe have lofty goals, and the best of intentions, and deserve my support.
My personal opinion is that an important piece of the TRUSTe message and mission is missing from the public perception. A lot of people have focused on who TRUSTe has certified (and that certified party's pre-existing reputation), and TRUSTe's failures and missteps over the years, but how many have sat down and deeply considered the question of, or had a substantial one-on-one heart-to-heart with somebody at TRUSTe about, *WHY* TRUSTe does what it does and what its end goal is? Well, I did just that, and after all the talking and all the listening I believe that a primary goal of TRUSTe, in my own words, is to acknowledge and encourage good behavior; to rehabilitate, support and guide companies in the transition from bad netizen to good netizen, and to offer a chance at redemption and forgiveness, while at the same time maintaining a framework to discipline offenders. TRUSTe aims to encourage best practice, to encourage businesses to continue working toward a lofty standard, and they offer bad actors the chance of redemption. That is why I agreed to work with them, even though that means putting my own reputation on the line. Of course, by doing all of this TRUSTe put their own (and my) reputation on the line every time that they certify (even provisionally) an ex-bad actor, but that is the risk that they (and I) must take.
I don't want to be the unforgiving disciplinarian who is always wielding the big stick, and always hitting my correspondent over the head with the fact that they did bad things in the past, and I don't want TRUSTe to be that either. I see no long term benefit.
I will end with a commentary about the change from not-for-profit to for-profit. I recently spent a week at TRUSTe's office in San Francisco, working with the team behind the Trusted Download Program, and I was there when the change from not-to-profit to for-profit was in its final stages - I was in the room when the announcement was made to all staff and I have spoken in person with Fran Maier as well as TRUSTe management and employees about their dreams and goals and plans for TRUSTe and the effect that the change will have on day to day operations. It saddens me to see anybody allege that now that TRUSTe is a 'for-profit' that TRUSTe (and by association the people behind it) are only in it for the money, because I have seen no sign that such an allegation is true.
I have had far more time to consider this change, to talk to TRUSTe, to ask the hard questions and consider the responses I have received - by phone, by email and in one-on-one conversations where I can look them in the eye and watch them as they respond - than have most, if not all, commentators on this change. I see an opportunity for TRUSTe to improve and grow, not only to offer more services to clients but also, most importantly from my perspective, improve compliance monitoring. After all, that is why they brought me on board. And I can tell you this - every time I have brought an issue to TRUSTe's attention they have acted on the information I have supplied, and I have been happy with the steps that they have taken. Every...single...time.
"What issues?" I hear you say. Sadly, I am not in a position to share specifics - you will have to take my word on trust (no pun intended). I can only hope that I have, over the years, proven myself to be trustworthy in your eyes, and that you will give me, and TRUSTe, the benefit of the doubt.
For now, I need some rest.
Sandi.