TRUSTe.org, a nonprofit organization that sells “privacy seals” to Web sites that prominently post their data-acquisition policies, says its seals mark “companies that adhere to TRUSTe’s strict privacy principles.”
But a respected antispyware researcher has published an analysis that disputes the trustworthiness of sites that bear the TRUSTe seal. “TRUSTe-certified sites are more than twice as likely to be untrustworthy as uncertified sites,” writes the analyst, Harvard Law School graduate Ben Edelman.
Who’s telling the truth?
Analyzing the TRUSTe Logo Users
For example, writer Ryan Singel reported in Wired News on Mar. 16, 2006, that TRUSTe (pronounced “trusty”) had certified Gratis Internet, a marketing company known for offering free iPods to consumers who sign up for various Web promotions. The group, it turns out, had sold 7.2 million Americans’ e-mail addresses, phone numbers, and home addresses to a firm named Datran Media, which paid a $1.1 million fine in 2006 for buying the data in violation of Gratis’s privacy policies, according to a settlement with New York State. [Update: A previous version of this article stated that Gratis itself had settled the lawsuit, but the firm maintains its innocence and has not settled.]
Rather than rely merely on journalists’ anecdotal reports, however, Edelman conducted his analysis by examining a huge selection of Web sites — more than half a million, by the researcher’s calculations. Here’s what he found:
• Locating the most popular sites. Edelman composed a list of some 515,000 Web sites with the greatest amount of traffic, based on statistics gleaned from an Internet service provider.
• Looking for bad behavior. The rankings of these sites for “good” and “bad” behavior were obtained from SiteAdvisor.com, a white-hat company that uses software bots to test Web sites for the presence of spyware downloads and the generation of spam. (I first wrote about SiteAdvisor on Feb. 14, 2006. Since then, it’s been acquired by the security firm McAfee Inc. Edelman serves on a SiteAdvisor advisory board, a fact that he prominently discloses in his writings.)
• Calculating the bottom line. Of the 515,000 sites in his study, SiteAdvisor rates 2.5 percent of them as engaging in “bad” behavior. But of the 874 sites that bear a TRUSTe logo, 5.4 percent are rated as “bad,” Edelman says.
Some of the “bad” sites that Edelman found to have TRUSTe seals when his January 2006 scan was performed have since been decertified by the nonprofit group. A major example is Direct-Revenue.com, which downloaded to consumers’ PCs some hard-to-remove software that tracked users’ Web visits.
But Edelman cites in a Sept. 25 blog entry many other alleged offenders that TRUSTe still certifies with its privacy seal. He names Focalex.com, which SiteAdvisor says generates as many as 320 e-mails per week to hapless visitors who enter their e-mail addresses, and FreeCreditReport.com, which charges $12.95 a month to consumers who don’t cancel their “free” accounts, sparking FTC litigation.
In his analysis, Edelman speculates that independent certification bodies such as TRUSTe are “captured” — in other words, beholden to the companies that pay them. Pressure on questionable Web sites to strengthen their privacy policies, Edelman says, “would harm the authority’s profits by discouraging renewals and future applications.”
In an analysis of the Better Business Bureau’s online assurance program, however, Edelman finds evidence of a strong certification ethic. The logo of the BBBOnline Privacy Seal Program, which costs $225 to $5,000 per year based on the applicant’s annual revenue, was displayed by 284 Web sites in Edelman’s study. Only 3 of the sites (1.1 percent) were rated “bad” by SiteAdvisor. He attributes this excellent track record to “BBB’s detailed evaluation of applicants, including requiring membership in a local BBB chapter.”
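The “more than twice as likely” figure and the BBBOnline comparison can both be checked for sampling noise. The following Python is an added example, not Edelman’s code or data: it backs approximate “bad” counts out of the percentages quoted above (constructed by rounding, since the study’s site list is not on the page), removes the seal-bearing sites from the full sample to form the uncertified group, and runs a pooled two-proportion z-test on each comparison.

```python
import math

# Figures quoted in the column. Per-site data is not on the page, so the
# "bad" counts are constructed here by rounding the quoted percentages.
TOTAL_SITES = 515_000      # sites in Edelman's sample
TOTAL_BAD_RATE = 0.025     # SiteAdvisor rates 2.5 percent "bad"
TRUSTE_SITES = 874         # sites bearing the TRUSTe seal
TRUSTE_BAD_RATE = 0.054    # 5.4 percent rated "bad"
BBB_SITES = 284            # sites bearing the BBBOnline seal
BBB_BAD = 3                # 3 rated "bad" (1.1 percent)


def count_from_rate(n, rate):
    """Back out an integer count from a sample size and a quoted percentage."""
    return round(n * rate)


def two_proportion_z(bad_a, n_a, bad_b, n_b):
    """Pooled two-sided z-test for a difference between two 'bad' rates.
    Returns (z, p_value); the normal approximation is adequate at these sizes."""
    p_a, p_b = bad_a / n_a, bad_b / n_b
    p_pool = (bad_a + bad_b) / (n_a + n_b)
    se = math.sqrt(p_pool * (1 - p_pool) * (1 / n_a + 1 / n_b))
    z = (p_a - p_b) / se
    return z, math.erfc(abs(z) / math.sqrt(2))


def seal_vs_unsealed(seal_sites, seal_bad, total_sites=TOTAL_SITES,
                     total_bad=count_from_rate(TOTAL_SITES, TOTAL_BAD_RATE)):
    """Compare seal-bearing sites with the rest of the sample. The sealed
    sites are part of the 515,000, so they are subtracted out to form the
    "uncertified" population that the article's relative claim refers to."""
    other_sites, other_bad = total_sites - seal_sites, total_bad - seal_bad
    seal_rate, other_rate = seal_bad / seal_sites, other_bad / other_sites
    z, p = two_proportion_z(seal_bad, seal_sites, other_bad, other_sites)
    return {
        "seal_rate": seal_rate,
        "other_rate": other_rate,
        "relative_risk": seal_rate / other_rate,  # > 1 means seal sites are worse
        "z": z,
        "p_value": p,
    }


if __name__ == "__main__":
    truste = seal_vs_unsealed(TRUSTE_SITES, count_from_rate(TRUSTE_SITES, TRUSTE_BAD_RATE))
    bbb = seal_vs_unsealed(BBB_SITES, BBB_BAD)
    for name, r in (("TRUSTe", truste), ("BBBOnline", bbb)):
        print(f"{name}: {r['seal_rate']:.1%} vs {r['other_rate']:.1%} bad, "
              f"relative risk {r['relative_risk']:.2f}, p = {r['p_value']:.2g}")
```

With 874 sites the TRUSTe gap is far outside sampling noise, whereas 3 bad sites among 284 is too few to separate BBBOnline from the 2.5 percent baseline at conventional significance, so the BBB figure is suggestive rather than conclusive.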
TRUSTe Responds to the Study
When I contacted TRUSTe officials for comment about Edelman’s research findings, marketing director Carolyn Hodge e-mailed me a written statement. “TRUSTe works to improve industry standards for Internet privacy,” the statement says. “We do this by highlighting the responsible practices of trustworthy companies and by working with companies to improve their performance on this issue. In order to obtain TRUSTe sealholder certification, 100% of prospective sealholders have to change their privacy standards in some way.
“It is difficult for oversight and industry standards to keep pace with technological innovation but TRUSTe continues to tackle emerging privacy issues,” the statement continues. “The launch of TRUSTe’s new Trusted Download Program is imminent. The Trusted Download Program addresses the problems of adware and spyware and we feel we can’t launch it fast enough.”
TRUSTe’s Web site goes much further than this in criticizing Edelman’s work. An unsigned entry posted Sept. 25 on TRUSTe’s official blog states: “TRUSTe views Site Advisor as a potentially useful monitoring tool, but not an accreditation program or an authority on privacy.” A subsequent post on Sept. 28 continues this line of reasoning, dismissing SiteAdvisor because it does not rate sites for possible phishing behavior.
SiteAdvisor itself has entered the fray, focusing in its own Sept. 28 blog post on its work in analyzing sites for spyware and spamminess. Defending the lack of phishing detection in SiteAdvisor’s rating system, the firm points out that the McAfee Internet Security Suite is a related product that defends users in real time against phishing sites. (As I pointed out in my July 18 column, phishing sites have an average lifetime of only 5 days. This makes phishing detection appropriate for a real-time database but not a broad, automated Web scan such as SiteAdvisor’s.)
Perhaps the most intriguing view comes from a comment posted to TRUSTe’s Sept. 25 blog entry by a commenter who identifies himself or herself only as “Lampie.” This poster points out that the Trusted Download Program was announced 11 months ago but still isn’t in operation. (The TRUSTe site says the program is in an alpha test stage.)
Citing several controversies in which RealNetworks, Microsoft, and Apple retained TRUSTe certification despite widely criticized privacy gaffes, Lampie quotes company officials saying, “TRUSTe does not handle cases involving software applications,” an exception that the commenter notes is explained nowhere on TRUSTe’s site.
Internet wags have said that the TRUSTe logo should really say “Just TRUSTme.” Many Web sites that have elaborate privacy policies, unfortunately, use those policies to take away users’ privacy expectations rather than strengthening them. Too many sites that TRUSTe certifies can be criticized for distributing intrusive downloads and condoning spam.
Independent certification bodies face a problem Edelman calls “adverse selection.” This is an economist’s term that means, “Questionable sites that want to look good have the money to pay for privacy seals, while truly trustworthy sites may not be able to afford them.”
The BBBOnline program appears to offer a better assurance to consumers that a site bearing the BBB’s seal is genuinely legitimate. But the BBB isn’t a panacea and doesn’t appear to scale well to large numbers of sites. Perhaps because of the BBB’s labor-intensive review process, the BBBOnline logo appears at only 600 to 700 sites, whereas the TRUSTe logo is posted by more than 2,400, according to the companies.
One thing that you can be certain the TRUSTe logo conveys is that a site bearing its seal has money and wants to look respectable. That’s true for TRUSTe’s largest customers, from Microsoft to Oracle to Intuit, to its smallest, such as FreeCreditReport.com. Other than that, what the TRUSTe logo truly guarantees is up to you to guess.
For a description of Edelman’s study, see his Web site’s executive summary and his 35-page PDF report.
For more information on TRUSTe, see its Web site. The Better Business Bureau’s certification program is described at BBBOnline. For a comparison of these and four other certification programs, see Perfectly Private, an independent privacy resource.