TOP 5 STORIES OF THE MONTH

- Leading Edge: Ari Schwartz of the Center for Democracy and Technology on the growing concern over "spyware" -- whatever that means.
- Knowledge You Need: According to Beth Givens of the Privacy Rights Clearinghouse, preventing identity theft starts in the workplace.
- TRUSTe News: TRUSTe takes a stand on wireless privacy, launching the first wireless guidelines.
- Privacy Resource: Submit your comment on the CAN-SPAM rulemaking to the FTC.
- New Member Benefit: Increase the value of your TRUSTe seal: Donate your remnant ad inventory.
- Stay Current! Upcoming privacy and security events around the nation.
- TRUSTe Tech Tip: What to expect from TRUSTe License Agreement 9.0.
- Welcome New Members: The newest Web sites to display the TRUSTe seal.

Spyware and Privacy
by Ari Schwartz

Over the last several years, a loosely defined collection of computer software known as "spyware" has become the subject of growing public alarm. Computer users are increasingly finding programs on their computers that they did not know were installed and that they cannot uninstall. These programs create privacy problems and open security holes, can hurt the performance and stability of users' systems, and can lead users to mistakenly believe that these problems are the fault of another application or their Internet provider.

Personally, I don't like the term "spyware." It has been applied to everything from keystroke loggers to Web cookies, advertising applications that track users' Web browsing, and programs designed to help provide security patches directly to users. As widely applied as the term now is, "spyware" means very little more than an invasive piece of software. That said, the term has caught the public's attention, and we are probably stuck with it.

More recently, particular attention has been paid to a variety of applications that piggyback on peer-to-peer file-sharing software and other free downloads as a way to gain access to people's computers. This subset of so-called adware and other, similar applications have increasingly been the focus of legislative and regulatory proposals.

Many of these applications do represent a significant privacy threat, but the larger concerns raised by such programs are transparency and user control, problems sometimes overlooked in discussions about the issue of "spyware" and to a certain extent obscured by the term itself.

Combating the most invasive of these technologies will require a combination of legislation, anti-spyware tools, and self-regulatory policies. However, it will be very difficult to draft legislation that defines the spyware problem with sufficient specificity to tackle it in isolation from the more general issues surrounding online privacy.

For more information on this subject, please read the Center for Democracy and Technology's report "Ghosts in Our Machines: Background and Policy Proposals on the 'Spyware' Problem."

Ari Schwartz is associate director of the Center for Democracy and Technology in Washington, D.C.
Prevent Identity Theft with Responsible Information-Handling Practices in the Workplace
By Beth Givens

Most articles on preventing identity theft focus on steps consumers can take, such as shredding their trash and protecting their Social Security number (SSN). Realistically, however, while these steps reduce the odds of becoming a victim, there is little individuals can do to actually prevent identity theft.

True prevention resides in two arenas -- the credit industry and the workplace. Experts in identity theft report that an increasing number of cases can be traced back to dishonest employees in the workplace who obtain the sensitive personal information of employees and customers and disclose it to identity thieves.

One of the keys to preventing identity theft, therefore, is to safeguard personal information within the workplace, whether it's a business, government agency, or nonprofit. Targets for identity thieves include SSNs, driver's license numbers, financial account numbers, cash-card PINs, passcodes, and dates of birth.

Here are some steps your company can take to prevent identity theft:

- Store sensitive personal data in secure computer systems. Likewise, store physical documents in secure spaces such as locked file cabinets. Such data should only be available to qualified staff.
- Dispose of documents properly, including shredding paper with a cross-cut shredder, "wiping" electronic files, and destroying computer diskettes and CD-ROMs. Make sure dumpsters are locked and inaccessible to the public.
- Conduct regular staff training for all new employees, temporary employees, and contractors.
- Conduct privacy "walk-throughs" and make spot checks. Reward employees and departments for maintaining privacy best practices.
- Put limits on data collection. For example, is a consumer's SSN really required? Is complete date of birth needed, or would year and month be sufficient?
- Put limits on data display and disclosure of SSN. Do not print full SSNs on paychecks, parking permits, staff badges, time sheets, training program rosters, monthly account statements, or customer reports. Do not use the SSN as customer number, employee ID number, or health insurance ID number.
- Restrict data access to staff with legitimate need to know. Implement electronic audit trail procedures to monitor who is accessing what. Enforce strict penalties for illegitimate browsing and access.
- Conduct employee background checks, especially for individuals who have access to sensitive personal information. Don't forget to screen cleaning services, temp services, and contractors.
- Safeguard mobile computers, such as laptops and PDAs, that contain files with sensitive personal data. These are a favorite target of theft.
- Notify customers and employees of computer security breaches involving sensitive personal information in compliance with California law (Civil Code 1798.29 and 1798.82-1798.84).

Last but not least, adopt a comprehensive privacy policy that includes responsible information-handling practices. Appoint an individual or department to be responsible for the privacy policy, and notify employees and contacts whom they can contact with questions and complaints. And be sure to prepare an identity theft response plan so you are ready in case the worst happens.

In summary, everyone -- from the mail clerk to the CEO -- must make it their business to handle personal information responsibly. Don't let the workplace be a breeding ground for identity theft.

Beth Givens is director of the Privacy Rights Clearinghouse.
TRUSTe's Wireless Advisory Committee Announces First Wireless Privacy Standards

As wireless innovation has grown, so have the potential privacy issues affecting consumers. In response to growing concerns over what constitutes wireless privacy, on February 18, 2004, TRUSTe announced the launch of its Wireless Privacy Principles and Implementation Guidelines, which provide vendors serving the mobile market with practical guidelines for protecting consumer privacy. Key principles within the guidelines include the following:

Notice. Wireless service providers should provide a full privacy statement to the consumer prior to or during the collection of personally identifiable information or upon first use of a service.

Third-party sharing. Wireless service providers should not disclose the consumer's personally identifiable information to a third party for uses unrelated to the provision of service (such as the marketing of new products and services) unless the consumer has provided opt-in consent prior to such use. Consumers should have the opportunity to change this preference at any time.

Use of location-based information. Wireless service providers may only use location information for services other than those related to placing and receiving voice calls if consumers opt in. Wireless service providers should disclose the fact that they retain location information beyond the time reasonably needed to provide the requested service.

As part of this program, TRUSTe, along with leading partners AT&T Wireless and Microsoft, has formed a Wireless Advisory Committee that includes HP, Kivera, the Mobile Marketing Association, the Center for Democracy and Technology, PricewaterhouseCoopers, and Verizon Wireless. The committee promotes privacy standards in order to increase consumer use of advanced wireless features and applications.

TRUSTe is now moving forward with developing a seal program for companies that adhere to the wireless guidelines. To find out more about joining the Wireless Advisory Committee, call Michelle Hines at (415) 520-3402.
As we mentioned in the December issue of the TRUSTe Advocate, the FTC is announcing public rulemaking regarding the CAN-SPAM Act, which went into effect January 1, 2004.

Add your voice to the discussion: The FTC Web site now gives full instructions on how members of the public can submit comment on the rulemaking. You can also file your comment electronically through the federal government's rulemaking Web site, www.regulations.gov. The due dates for submitting public comment are March 31, 2004, and April 12, 2004, depending on the portion of the rulemaking; see the Web site for more details.
"Make Privacy Your Choice" Advertising Campaign

One critical component of the TRUSTe program is expanding consumer awareness of the TRUSTe seal and what it stands for. With the help of our advertising agency, Godfrey Q Partners, TRUSTe has completed a series of banner ads to increase your customers' awareness of the value of the seal program. You can view a sample ad below. Some versions are suitable for general-purpose advertising and will be featured in public-service announcement rotation on our member ad network, BURST! Media. Some of the banners are reserved exclusively for TRUSTe sealholders. If you would like to display these ads on your site or in remnant inventory, please contact Carolyn Hodge, director of marketing.

-- Don't forget to join us! --

IAPP-TRUSTe KnowledgeNet Luncheons

Join TRUSTe and IAPP management, board members, and staff for the first series of local KnowledgeNet meetings. An opportunity to informally gather, share notes, make acquaintances, and network with your peers, each meeting will begin with a short presentation by a privacy expert on a timely topic, followed by a networking lunch. This is an exclusive, free benefit for TRUSTe and IAPP members only. TRUSTe Board chair Christine Varney will join the Capitol luncheon, and Fran Maier will host Boston and New York. Members from Fidelity Investments, Digital Impact, Amica Mutual Insurance, Watchfire, Iron Mountain, Goldman Sachs, IBM, American Express, and many other companies have already confirmed their attendance.

- March 24 -- Boston
- March 25 -- New York
- March 31 -- Washington, DC (McLean, VA location)
- April 7 -- San Francisco
- April 28 -- Seattle

TRUSTe sealholders in San Francisco and Seattle should look forward to receiving an email invitation in the coming weeks. If for some reason you do not receive an invitation and wish to attend, contact Erin Bley of the IAPP at (207) 351-1519.

-- Speakers announced! --

IAPP-TRUSTe Symposium: Privacy Futures

Dates: June 9-11, 2004
Location: Palace Hotel, San Francisco

Overview: TRUSTe and IAPP have joined together to bring you the first conference where privacy, marketing and IT professionals can explore the edges of privacy. The San Francisco Bay Area is home to privacy innovators in technology, policy, and consumer advocacy, and "Privacy Futures" is leveraging its Pacific Rim location to bring you speakers from leading companies and organizations:

Keynote Speakers

- Brian Arbogast, Corporate Vice President of Communications, Platform and Services Group, Microsoft Executive Sponsor of Privacy, Microsoft Corporation
- Thornton May, Futurist, World Bank
- John Patrick, CEO, Attitude LLC

Special Features

- "Kids on privacy" session
- Privacy-enhancing and privacy-sensitive technologies
- RFID demonstration
- California legislators panel with Debra Bowen, Liz Figueroa, Joe Simitian, and Jackie Speier
- AccountableNet panel led by Lori Fena, Aspen Institute Fellow

Additional Speakers and Panelists From...

Oracle, Yahoo!, P&G, Intel, Microsoft, Ponemon Institute, Watchfire, ScanAlert, Marriott, Verisign, Stanford University, General Motors, Siebel Systems, and many more companies.

Don't miss this professional development and networking opportunity for you and your privacy team. For further information on speakers, reduced-fee advance registration, and sponsorship opportunities, please visit the conference Web site, which will be updated periodically, or contact Carolyn Hodge, TRUSTe's director of marketing, at chodge@truste.org.
Tip: TRUSTe License Agreement 9.0 streamlines your renewal process and introduces new requirements as a result of CAN-SPAM.

On March 1, 2004, TRUSTe introduced License Agreement 9.0, a form-fillable self-assessment and significantly streamlined certification and renewal process. From now on, if you are a member of TRUSTe's general privacy seal program, in most cases you will only be required to submit a full self-assessment form every three years unless you make changes to your privacy practices or are the subject of an escalated investigation. EU Safe Harbor or Children's Seal program members must continue to reapply for certification and submit new self-assessment forms annually per the requirements set by the appropriate federal regulatory agencies.

You are not required to sign License Agreement 9.0 until your current agreement expires. At that point, your next renewal will consist of signing an addendum to your existing license agreement rather than signing an entirely new one.

License Agreement 9.0 also includes certain changes in our program requirements. For example, in response to the CAN-SPAM Act TRUSTe has established basic requirements for email. Members who sign LA 9.0 must include a postal address and a functional unsubscribe mechanism in all email newsletters and promotional messages other than administrative or customer service-related emails and communications a customer has agreed to receive as a condition of using a member's service (for example, by signing up for a free email account).

Our efforts to streamline the self-assessment and to simplify the renewal process are the direct result of your feedback. We hope these upgrades will make membership in TRUSTe more relevant to your privacy program needs. For further details on LA 9.0 and the new program requirements, refer to the FAQs on the TRUSTe Web site at http://truste.org/bus/pub_faqs.html. If you have any further questions, call George Mamashiani at (415) 618-3403.

-- Rebecca Richards, director of policy
TRUSTe would like to congratulate the following new members on successfully completing our certification process:

Booyah Enterprises, Clickprecision, Code Baby Corp., Giftfox, iHerb, It's the Content Inc., Laser Therapeutic Technology, Paper-Check, Raindance Communications, RazorGator, RightPlaceRightTime, Spinny Wind Studio, Surebridge, TireSavings, Trusted Computing Group, UnSubCentral, Viocard.
Got Feedback?

We would like to hear what you think of the TRUSTe Advocate. Send an email with your comments and suggestions to newsletter@truste.org.

TRUSTe is an independent, nonprofit organization that administers the Internet's first and largest privacy seal program.

685 Market Street, Suite 560
San Francisco, CA 94105
(415) 618-3400
Email: privacyseals@truste.org
Web: www.truste.org