November 9, 1999
Web posted at: 5:04 p.m. EST (2204 GMT)

By D. Ian Hopper
CNN Interactive Technology Editor

(CNN) -- RealNetworks has been all apologies in response to the furor caused by a computer consultant's revelation that the company's RealJukebox software surreptitiously transmits user data.

That anger has also been directed toward TRUSTe, an industry-funded privacy organization tasked with advising and overseeing Internet companies.

Computer programmer and privacy bloodhound Richard Smith announced last week that he discovered that, with the assistance of a packet sniffer, RealJukebox transmitted a unique identifying number -- known as a GUID -- along with the playlist of the currently inserted CD to RealNetworks. It was feared that this information was being collected for marketing purposes without users' knowledge.

	ALSO
Commerce Chief Issues Privacy Warning for Web Firms
	MESSAGE BOARD
Online privacy
	QUICKVOTE
Did Truste let RealNetworks off too easy? Yes No View Results

RealNetworks was quick to provide a patch for the software -- as well as RealPlayer, which also transmits a GUID -- on its Web site. The patch can also be downloaded with the RealJukebox auto-update feature.

On the Linux-centric news and discussion site Slashdot, users lambasted both RealNetworks and TRUSTe, saying they had let down the public.

One Slashdot author, Jamie McCarthy, posted a detailed timeline of TRUSTe-related mishaps, most notably their lack of strong action against Microsoft when it was discovered that mailboxes on the free e-mail service Hotmail were wide open to Internet users. McCarthy attempted to note a pattern of TRUSTe failing to punish companies that clearly violated TRUSTe guidelines.

TRUSTe made an agreement with RealNetworks Monday that asked the company to appoint a privacy officer, submit to an external audit, post a privacy statement and make its GUID an opt-in process.

This failed to satisfy McCarthy, especially since last week TRUSTe Director of Communications Dave Steer was quoted as suggesting much harsher sentences, such as a suit against RealNetworks or dragging the company in front of the Federal Trade Commission to answer for its actions.

McCarthy also doesn't trust the privacy initiative because of its relationship with companies, which fund its existence. If TRUSTe did more against RealNetworks, he said, "those sponsorships will dry up."

Nevertheless, McCarthy thinks TRUSTe had an obligation to users to take a hard line.

"At a minimum, [TRUSTe] should have broken their contract with RealNetworks, voided their TRUSTe seal, and used their money and contacts to hurt RealNetworks' reputation as much as they possibly could. Launching a fraud lawsuit would have been optional but recommended," McCarthy said.

RealNetworks, like many other companies that bear the TRUSTe privacy logo, signed a contract with TRUSTe to respect the privacy of its customers. Both RealNetworks and TRUSTe representatives said that the contract, however, only specifically designated Web sites as bound by the contract. RealJukebox is a software application.

TRUSTe defended its decision, while at the same time admonishing RealNetworks.

"They did break the spirit of the contract. But they have demonstrated the high level of commitment from the CEO directly, not only to repair the trust between Real and its customers, but to set a new standard," Steer said. "They are disabling GUIDs and saying that if you're a consumer and want to use it, you have to opt in to it. And, no other company has drafted a software privacy statement. So yes, they have broken the spirit of the agreement. But in the past week they've done more than any other company."

Steer said TRUSTe didn't take harder measures because it saw the case as a jumping-off point to turn TRUSTe into a broader privacy initiative, rather than Web-centric. TRUSTe has launched a pilot project to enter the software arena.

"Kicking RealNetworks out of the program would not have solved the greater problem," Steer said. "In an increasingly networked world data is collected from consumers without them knowing it, and not just from Web sites. Software is just the tip of the iceberg. For the Internet to continue to grow as a trusting environment, full disclosure is a must."

However, this was not the first time that TRUSTe was faced with a company bearing the TRUSTe logo using GUIDs in a way that could track users.

In March, it was exposed that documents created with programs in the Microsoft Office suite were emblazoned with a GUID that identified the user's computer. This mark was actually used -- again, by Richard Smith -- to track the suspected author of the Melissa virus.

After a TRUSTe investigation into the issue, the group let Microsoft off on the same technicality. TRUSTe concluded that since the issue involved Microsoft software and not its Web site, TRUSTe had no jurisdiction in the matter.

Meanwhile, RealNetworks maintains that the information was never used for marketing, and wasn't even kept by the company.

"We did not ever log that GUID on our servers, nor did we, I believe, log the table of contents," said Keela Robinson, product manager in RealNetworks' consumer division and newly dubbed privacy officer.

"[The GUID] happens to be a very convenient tool. To the server it signifies an anonymous unique hit. There was never any intention or capability to associate individual usage with somebody's personal information. In the past we could have, but we did indicate that there was no intention to do this."

RealNetworks did in fact have the ability to put such a database together, however. Not only was the GUID transmitted during the CD track lookup process when a CD was in the tray, but RealJukebox linked the GUID to the user's e-mail address during the initial registration process for the product, Robinson said.

The patch changes the GUID to all zeroes, essentially disabling the process.

RealNetworks Director of Systems Marketing Peter Zaballos said that the features were "built out by an aggressive development team that was not yet married to business policies."

"We failed to inform our users of what we were doing. Targeted marketing and helping present different sources of information are good for users that choose and make a well-informed decision and allow that to take place," he said. "But a segment of the marketplace will choose not to have that. That is where we failed."

Zaballos stressed that privacy is important to CEO Rob Glaser and the company as a whole.

"The single most valuable asset we have is the trust of our customers. We're not going to do anything that undermines that and TRUSTe ultimately sends a strong signal to our customers that we are abiding by sensible, fair and objective guidelines."

It seems a sure bet that RealNetworks will be forgiven for their transgressions, especially since their RealPlayer software is almost synonymous with streaming media and their track record is among the cleanest in the industry.

Commerce Secretary Richard Daley's recently stated that if the industry does not successfully police itself to monitor online profiling and protect user privacy, the government may step in and take the job. That's a fate that no one in the industry wants, and there are few initiatives that stand in the way.

Note: Pages will open in a new browser window

External sites are not endorsed by CNN Interactive.