Trustmark Schemes Struggle to Protect Privacy (2008)
12. Conclusion
This article has examined the track record of English-language trustmarks to date. Clearly this record is poor. With the demise of the BBB Online Privacy Seal there is now a strong focus on TRUSTe – the only remaining large-scale privacy trustmark.
However, the reputation of TRUSTe is low, and it is difficult to see what relevance TRUSTe now has as a privacy protection tool:
It's long been apparent to many in the privacy and security community that TRUSTe was not to be trusted, that their standards were worthless, and that their true sympathies and interests lay with the very companies they were supposed to be policing. TRUSTe was never more than a cleverly run public relations front for privacy abusive online companies. [98]
TRUSTe has already been described by one of its founding organisations (the Electronic Frontier Foundation) as a failed experiment:
The creation of TRUSTe and its seal program was one such early innovation of EFF. TRUSTe was successful in several areas. ... We now must move out of this awareness-raising mode and into an action mode where real protection can be achieved. Legislation is needed in order to achieve that goal. ... we think it is time to move away from a strict self-regulation approach to protecting privacy online... Our stance has basically been that industry self-regulation would be worth trying, but might or might not be enough. We did the 'proof of concept' ourselves, by launching and spinning off TRUSTe. But TRUSTe was intended to be and is a separate, independent entity, and was created as an experiment. The experiment is in many ways a failure.[99]
It is widely recognised that self-regulation has a legitimate role to play in consumer protection, but that where self-regulation fails, alternative forms of regulation, including legislation, should be pursued.[100]
Like many other organisations, EFF now supports privacy legislation, and it is easy to see why. The following table compares privacy trustmarks with privacy legislation:
| Issue | Trustmark | Privacy Legislation |
| --- | --- | --- |
| Standards | Lowest possible standards on privacy – further lowered by broad disclaimers. | High standards and improving all the time. |
| Assessment | Some up-front assessment in most schemes and ongoing assessment in a minority of schemes. | Limited assessment – reliance is on complaints. |
| Enforcement | Poor to non-existent. | Patchy, but strong examples in EU (e.g. SWIFT) and Asia-Pacific.[101] |
| Transience | Serious concern – many trustmarks have disappeared. | Permanent. |
| Timing issues | Privacy protection depends on timing of membership (e.g. Gratis), time of transaction (especially for expired seals due to non-payment) and even the time of complaint (e.g. Guardian). | Not time sensitive – lengthy period for complaints, based on knowledge of breach not date of transaction. All organisations covered all of the time. |
| Scams | Common – more fake trustmark logos in circulation than real ones. Also growing number of phishing scams. | Some limited phishing attacks but not prevalent. |
| Coverage | Non-website privacy breaches are claimed to be outside jurisdiction – very confusing for consumers and only covers a fraction of personal data collected by companies. | Universal coverage of all personal information. |
| Independence | Major conflicts and perception of conflicts – source of poor reputation for long history of poor enforcement by trustmark schemes against large members. | Independent and impartial. No conflicts of interest. |
| Penetration | Penetration is minuscule and is falling rapidly (note demise of BBB Online Privacy which had 700 members). | Penetration is universal in jurisdictions with privacy legislation. Strong coverage now in EU and the Asia-Pacific region. |
| Consumer understanding | Studies show consumers believe trustmark schemes endorse the products and services on offer (not true). Also significant consumer confusion with large number of trustmarks in use. | Privacy regulators do not ‘endorse’ businesses so no confusion arises. |
A major problem with the issues identified in this table is that some of them are structural – they cannot be resolved by improvements in the day-to-day operation of trustmark schemes or by improved governance of trustmark schemes. Issues that are structural and cannot be resolved include transience, timing issues and scams.
Other issues, such as standards, enforcement, coverage, penetration and consumer protection, could not be resolved without significant global investment. It is unlikely that any jurisdiction would invest significant sums in trustmark schemes, rather than directing efforts towards privacy legislation.
Despite these issues, trustmark schemes do have their supporters. TRUSTe in particular is vigorous in defending itself against criticism and stresses that its role is to work with members to achieve gradual improvements. Another common form of support is to point out that ‘it's better than nothing’.[102] This may be true in some cases, but there is a question mark over whether the existence of trustmark schemes has hindered or slowed the development of privacy legislation in jurisdictions such as the United States.
In December 2000 Robert Gellman stated that he could not think of a single reason to advise a consumer to make a complaint under a trustmark scheme.[103] In 2008, trustmark schemes appear even less relevant.
[98] Howes E., No Guarantee of Privacy, 2002, <http://www.spywarewarrior.com/uiuc/priv-pol.htm#no-guarantee>.
[99] Slashdot, TRUSTe Decides Its Own Fate Today, 8 November 1999, <http://yro.slashdot.org/article.pl?sid=99/11/05/1021214>.
[100] See for example: Braithwaite J, Responsive Regulation for Australia, Business regulation and Australia's future, 1993, <http://www.aic.gov.au/publications/lcj/business/chap06.html>.
[101] Connolly C, Lim YF, et al, Privacy breach sanctions in the Asia-Pacific region, July 2007, <http://www.galexia.com/public/research/articles/research_articles-art52.html>.
[102] Lawrence Öqvist K, TRUSTe Privacy Seals, 25 July 2007, <http://mysecuritybox.blogspot.com/2007/07/etrust-privacy-seals.html>.
[103] Gellman R, TRUSTe fails to justify its role as privacy arbiter, Privacy Law and Policy Reporter Volume 7 No. 6, December 2000, <http://www.austlii.edu.au/au/journals/PLPR/2000/53.html>.