Consumer privacy firm TRUSTe is under fire from spyware researchers over its handling of a recent rogue download incident, and the fallout is leading those connected with the case to publicly question the firm's credibility.
The controversy stems from the way TRUSTe handled reports that web traffic analysis firm comScore was installing its tracking software.
The software, known as RelevantKnowledge, is used to gather information on a user's internet behaviour such as website traffic and purchasing patterns. It normally requires direct consent from the user before installation.
Until recently, RelevantKnowledge had been listed on a beta version of TRUSTe's Trusted Download Program under which distributors are required to meet certain criteria in regards to how software is installed or removed, and how users are notified of installations.
The aim of the initiative, according to TRUSTe, is to create a 'white list' to help guide advertisers towards vendors that use ethical practices to distribute products.
Earlier this year, two researchers discovered that a comScore affiliate was using security exploits to install RelevantKnowledge without user consent.
The two researchers, Eric Howes of Sunbelt Software and Ben Edelman, a Harvard Business School assistant professor and long-time spyware researcher, brought their findings to TRUSTe.
TRUSTe claimed in a company blog that comScore responded by immediately terminating the distributor and remotely instructing all RelevantKnowledge downloads originating from the distributor to disable and uninstall.
ComScore agreed to implement a number of new measures in order to prevent further incidents.
TRUSTe then decided that it would suspend RelevantKnowledge from the Trusted Download Program for 90 days, after which comScore would be allowed to reapply.
The decision angered Howes and Edelman, who cited a conference earlier this year at which Colin O'Malley, director of product management at TRUSTe, said that installing software through an exploit was "not an activity that is acceptable by any level of notice, and so they're terminated immediately".
"TRUSTe promised complete accountability and irreversible sanctions for violations. Instead, they are offering a response that is slower and more lenient," Edelman told vnunet.com.
"ComScore will make some efforts to prevent further violations, but the credibility of TRUSTe is called into question."
Howes gave an equally scathing response in a follow-up to a company blog posting.
"The case was significant in that it was the first big public test of how well TRUSTe would perform when called to defend the standards that allegedly undergird the Trusted Download Program," he wrote.
"When push came to shove, though, TRUSTe demonstrated itself to be lacking the backbone to deliver on its word."
A TRUSTe spokesperson told vnunet.com that the company was happy with its decision to suspend comScore.
"Colin [O'Malley]'s remarks were specifically about a company that is directly responsible," the spokesperson explained. "In this case, it was the affiliate that was exploiting the flaw."
The spokesperson said that the decision for the suspension was also influenced by comScore's swift reaction, and stressed that RelevantKnowledge will not automatically be reinstated in the Trusted Download Program once the 90 days are over.
The use of third-party affiliates has long been an issue of contention between software vendors and anti-spyware researchers, who say that the use of third parties allows vendors to prosper from shady practices while claiming to be entirely legitimate.
ComScore did not return a request for comment.