Microsoft's practice of collecting hardware serial numbers while registering software "compromises consumer trust and privacy," Truste ruled in response to a consumer complaint. Microsoft admitted it has collected such data, but said it has stopped.
"Truste begins and ends at the Web site," said Susan Scott, Truste's executive director, who conceded there may be a need to go farther to look at internal corporate practices.
"While it did not happen on the Web site, there was a breach of consumer trust. That was a big breach," she said.
But Jason Catlett, who last week lodged the privacy complaint with Truste, has now asked the Federal Trade Commission to investigate the issue. Catlett said Truste's ruling illustrates the shortcomings of a self-regulation as a way to protect consumer privacy.
Other privacy advocates seconded the notion that the decision demonstrates the ineffectiveness of self-regulation by U.S. companies--the main approach favored by the Clinton administration to protect privacy. The United States, in negotiations with the European Union about privacy practices, is pushing to have self-regulation deemed an adequate way to protect consumer privacy.
The privacy flap concerns what Microsoft calls a "bug" that it is fixing. When some users registered Windows 98, an identifier of the user's hardware was transmitted, even if the user opted not to provide that information. Microsoft spokesman Tom Pilla said any data that was collected is being purged.
"While we regret any incident and don't want them to happen, we moved pretty quickly to remedy and correct the process," Pilla said.
Catlett, president of Junkbusters, repeated his call for an outside audit of Microsoft's privacy practices, which may occur if the FTC pursues his complaint. Pilla had no comment about Microsoft's position on an outside audit.
"It's an illustration of the typical failure mode of self-regulation," Catlett said, saying self-regulation has built-in shortcomings that cannot be remedied. "Truste executed well, but the procedures they were executing was not designed to deliver real privacy protection."
He added: "Imagine trying to get the average person to understand how [Microsoft's practice] falls outside the warm and fuzzy feeling they get from the Truste seal on a Web site."
FTC spokeswoman Victoria Streitfeld said the FTC is aware of Catlett's letter, will give serious consideration to the issues it raises, and will review the matter with all parties involved.
Privacy advocates also have asked the FTC to investigate privacy issues around the latest version of Intel's Pentium III chip, which has features that could compromise user privacy. "At the FTC, they are real regulators, not self regulators," said Catlett, whose criticism of Truste's findings was shared by other privacy advocates.
"This was Truste's first opportunity to show that industry self-regulation and privacy policies could make a marked difference and they fled from that opportunity," David Banisar, policy director at the Electronic Privacy Information Center in Washington, told Reuters.
Deirdre Mulligan, staff counsel at the Center for Democracy and Technology, agreed that industry efforts were falling short and new laws were needed to protect privacy.
"Can you expect that users are going to say that this policy only applies here and not here," Mulligan said. "There's some difficulty if information handled in one way is treated differently than the same information handled another way."
Reuters contributed to this report.