Posts filed under 'Bravo'
Earlier this month, after notification by several sources, TRUSTe launched an investigation of a distributor installing comScore’s RelevantKnowledge on consumer machines through a security exploit. With the help of Eric Howes and the team at SunBelt Software, and with the cooperation of comScore, TRUSTe was able to locate the exploit.
Because installation via exploit is a prohibited activity in the Trusted Download Program, TRUSTe removed RelevantKnowledge from the TDP white list for three months. This action reflects the seriousness of the offense perpetrated by a distributor within the RelevantKnowledge distribution network, and provides comScore with time to implement and demonstrate the effectiveness of further controls.
A Rogue Distributor Exploits Security Flaws:
The RelevantKnowledge application was observed being installed via a security exploit amongst several other applications. The following describes the series of events observed:
- The user visited an unauthorized distribution web site.
- A series of hidden frames were loaded containing links to dozens of other websites, including sites containing code designed to test and trigger security exploits on the user’s machine.
- By way of these exploits, a cascade of maliciously installed software was downloaded and installed onto the user’s machine without any form of consent. This software included RelevantKnowledge.
The application which ultimately installed RelevantKnowledge contained a code identifying it as belonging to an authorized comScore distribution partner. This distributor was authorized to offer RelevantKnowledge as part of a software bundle available at a website that had been reviewed and tested by both TRUSTe and comScore, and confirmed to obtain positive user consent. Unfortunately, it appears that the distributor ‘went rogue’ by facilitating the installation of RelevantKnowledge on one or more unauthorized distribution sites, and by using unauthorized installers which circumvented the consent mechanisms required by comScore and by the TDP Program Requirements.
While the course of events described contains several potential violations of TDP Program Requirements, it should be noted that the observed activity on the malicious sites was not directly tied to actions by comScore, and took place on web sites that were not controlled or associated with comScore. The malicious activity observed took advantage of exploits in the RelevantKnowledge distribution model in order to make it appear to comScore that a consensual installation had taken place.
comScore Took Decisive Action:
As soon as it was informed of the offense, comScore took immediate action which it promptly communicated to TRUSTe. Within 24 hours, comScore:
- Terminated the distributor.
- Disabled all installations associated with the distributor.
- Activated a self-delete switch in the RelevantKnowledge software that will automatically uninstall the software at the next reboot opportunity.
- Began developing changes to its methods of distributor monitoring and control to correct weaknesses that allowed this exploit to take place.
In order to achieve tighter security in its distribution process, comScore implemented additional verification measures, including a review of distribution URLs to check for authorized distribution points and a validation check for an authorized distribution installer “footprint”.
Re-Attaining Trusted Download Status:
TRUSTe and comScore will continue to work together through this period, and comScore will attempt to re-emerge with substantially more robust anti-fraud systems. Over the next 90 days, TRUSTe is requiring comScore to roll out additional changes, and comScore has agreed to make whatever changes might be necessary. These changes will, at a minimum, include:
- Termination of the install unless the installation was initiated from a verified source (by URL or installer).
- Termination of the install in the event that it is detected that the install is triggered via a security exploit.
- Move to a consent model directly controlled by comScore.
- Improve consumer feedback/complaint channel.
- Improve auditing process.
comScore will be subject to additional TRUSTe monitoring.
Community Cooperation on Standards and Policing
Without the cooperation of the anti-spyware community, the damage inflicted on users by this rogue affiliate could have been much greater. It is an admittedly difficult task to monitor the behavior of each and every distributor and affiliate by any single entity. Vigilance, cooperation, and mutual assistance by the entire online community — anti-spyware companies, third-party certification entities, government enforcement, consumer-complaint mechanisms, and self-policing by “good players” all have roles to play in making the internet a safer place for everyone.
Posted by Colin O’Malley
July 20th, 2007
You may have seen the TRUSTe Privacy Seal on many of your favorite Web sites such as Apple, eBay, Facebook, Monster.com and The New York Times. This ubiquitous seal marks 2,400+ Web sites that are dedicated to protecting your privacy. On June 11, TRUSTe will commemorate its 10th anniversary by introducing a modernized version of its former logo, retaining the TRUSTe name and its familiar green and black colors.

TRUSTe’s Web Privacy Seal means that a Web site keeps its promises to protect your privacy, and allows you to have a choice about the use and sharing of your personal information.
Subjecting Web sites to tough standards and rigorous testing since 1997, TRUSTe has been:
1) Making sure that Web sites treat your identity and email address with respect and transparency. Any Web site with the TRUSTe seal will give you the right to access your information, delete your information, and give you a choice to keep it private. Not every Web site can meet TRUSTe’s tough standards. The privacy statement and TRUSTe approval can be validated by clicking on the seal or visiting the TRUSTe Web site.
2) Monitoring any changes to a sealholder’s Web site or promises. The TRUSTe seal on a Web site means that the site can be trusted to keep the promises it makes in its privacy statement. TRUSTe regularly monitors Web sites’ adherence to their privacy statements and has the power to enforce compliance with its program. In 2006, TRUSTe conducted 24 investigations of sealholders and revoked the seal in a number of those cases.
3) Resolving your individual privacy-related complaints. If you believe your privacy has been violated on a Web site displaying the TRUSTe seal, contact TRUSTe directly by registering a complaint on TRUSTe’s Watchdog complaint form at http://www.truste.org/watchdog. This is a unique service to help you guard and protect your individual personal information.
Look for the TRUSTe seal and ask your favorite Web sites to make sure they are protecting your privacy by joining TRUSTe.
For more information on TRUSTe and its new look, visit www.truste.org.
June 11th, 2007
No company has been certified so far in the Trusted Download Program without making changes to their software, particularly in the areas of notice and control.
WhenU Case Study on Primary Notice
WhenU’s primary notice prior to certification was already above the then industry standards, especially in how it described key software functionality, and provided prominent notice of the types of advertising that would be displayed. WhenU used direct and clear terminology, such as: “ads slide or pop up in front or behind the browser…”
Affirmative Consent
The Trusted Download Program does not allow pre-selected option consent for advertising or tracking software. The intent is to ensure that users do not end up with advertising or tracking software on their computer as a result of moving through consent screens by hitting enter repeatedly, without taking the affirmative action of selecting a button to download when presented with material information.
WhenU Primary Notice Before 
TRUSTe reviewed all instances of WhenU Primary Notices. A number of associated Primary Notices were either opt-out or the consent option (“Next” or “I Accept”) was highlighted by default.
TRUSTe guidance during the certification process required WhenU to provide an affirmative consent for Save/SaveNow, and for the acceptance and decline options to be featured with equal prominence universally throughout the WhenU distribution network. WhenU understood and agreed with our requirements, and acted quickly to make the required changes.
TRUSTe’s subsequent review verified that the Save/SaveNow Primary Consent screens offer the required consent mechanism.
Timing of Ads
TRUSTe Guidance during the certification process also advised that advertising software is required to give a level of specificity on when the advertising will be displayed. For example, will ads appear when the user is browsing the internet or at any time? In this case WhenU added the disclosure that advertising would be served “While you are browsing online, our software will show you pop-up advertisements…related to Web-browsing activity.” This provides sufficient specificity to set user expectations and equips the user to make an informed decision about the value exchange they are agreeing to.
WhenU Primary Notice After

Posted by: Colin O’Malley, Director of Product Development
February 15th, 2007
Today’s AP story, Privacy Options Limited for Net Services, highlights TRUSTe as an advocate for consumer choice, and mentions one exemplary sealholder, E-LOAN, as offering exceptional choice when it comes to personal privacy. TRUSTe has reviewed tens of thousands of privacy policies, and E-LOAN’s is simply one of the best. That is one reason why they won our award for being a Most Trusted Company for Privacy this year.
Transparency ensures that consumers are informed of the bargain. Accurate disclosure of practices also empowers consumers to encourage service providers to change their practices. Facebook, another TRUSTe sealholder, is an excellent example of the importance of good disclosure and responsiveness to privacy issues. They handled customer concerns quickly and responsively – that’s also building trust.
Posted by Carolyn Hodge
October 13th, 2006
As a result of investigating the HP Board pretexting scandal, CNET reporter/blogger David Berlind suggested to the powers that be that CNET/ZDNet should disclose outbound clear .gif tracking in their email newsletters. And guess what, they agreed!
“So, sometime this week, once we’ve had a chance to adjust our newsletter templates, you will begin to see a text disclosure (probably at the bottom) that mentions the usage of trackable elements in the HTML versions of the daily and weekly editions of Tech Update.”
Bravo! We’ll be interested to see if subscribers notice or comment on the disclosure.
October 2nd, 2006