Galexia

Trustmark Schemes Struggle to Protect Privacy (2008)

6. Trustmark scams

In addition to the many concerns regarding legitimate trustmarks, there are numerous instances of trustmarks being used in online scams. The most common example is that a site will claim to be certified and display the seal on their website or on their privacy policy. This is now so common that the major trustmark schemes publish lists of known fake sites. The TRUSTe list of known fakes includes 125 entries.[59]

Where trustmark certifications have expired, there appears to be little that can be done to have the seal removed. Unless the consumer clicks on the seal to check, they will not know that the seal is worthless. This appears to be a widespread problem with some of the small trustmark schemes. For example, the majority of PrivacyBot seals examined during research for this article had expired.

PrivacyBot also does not publish a registry of current members or a list of fake sites, making it almost impossible to check a claim in a privacy policy if they do not display the seal properly (as the seal is supposed to include a deep link to the registry entry).

For example, a Google search for ‘we have registered with privacybot.com’ or ‘privacybot trustmark’ on 10 September 2008 returned 22 relevant results. These are the standard words used in PrivacyBot privacy policies. Of the 22 sites, 13 had expired, 5 provided no links to a registry entry (making it impossible to check their status) and one still had a ‘provisional’ status, five months after their application.

Despite all 22 sites claiming that they were members of PrivacyBot, only 3 sites were able to be confirmed as active members of PrivacyBot. If a consumer had believed the privacy policy and not checked the status themselves, their chance of privacy protection was a dismal 13%.

Search Rank

Site

Status

1

http://www.iso9000simplified.com/

Provisional

2

http://sitestats.com/privacy/policy.php

Expired

3

http://www.heartof.com/privacy.php

Expired

4

http://sitestats.com/privacy/policy.php

Expired

5

http://www.e-file-tax-returns.org/privacy.html

Active

6

http://www.tricktape.com/privacystatement.aspx

Expired

7

http://www.activewin.com/terms/privacy.shtml

No registry link

8

http://www.onlinecomputerservicenetwork.com/privacy.html

Expired

9

http://www.usemybank.com/

Active

10

http://www.quantumbooks.com/

No registry link

11

http://www.ugogrl.com/

Expired

12

http://www.3crm.com/help.php?section=business

Expired

13

http://www.computerservicenetwork.org/

Expired

14

http://www.audaciousarts.com/privacy.html

Expired

15

http://www.cst-consulting.com/privacy.htm

No registry link

16

http://www.thetascongroup.com/privacy_policy.html

No registry link

17

http://www.wtiq.com/privacy/policy.php

Expired

18

http://www.pcpro.co.uk/html/Privacy_Policy.html

No registry link

19

http://www.addressender.com/index.php

Expired

20

http://mardirect.com/privacy.htm

Expired

21

http://truevine.net/privacypolicy1.html

Expired

22

http://free.1040now.net/

Active

 

There are numerous other trustmark products which are unlikely to deliver any privacy protection and are, in reality, scams. For example, the Verified Privacy WBK Certified Seal is sold as part of the Website Booster Kit.[60] It costs just $49 and the site claims to have sold over 40,000 kits. For a one-off payment you can use the seal forever without any checks or other requirements. The kit does include a template privacy policy, but the text for the 3-point privacy policy is just clumsily copied from the Trust Guard site with one or two words changed (although at point 2 it still accidentally mentions Trust Guard).[61]

In addition to the prevalence of fake, useless and expired trustmarks displayed on websites, other scams have been reported. The TRUSTe name and domain were used as part of an escrow payment scam.[62] Both TRUSTe[63] and BBB Online[64] have also been targets of sophisticated phishing scams. In some cases even the verification pages have been recreated by fraudsters.[65]

Although these scams are not the fault of the trustmark schemes, they still have a negative impact on the usefulness of trustmarks as a privacy protection:

One can't help but wonder whether verification services like TRUSTe may at some point cause more problems than they solve. If the appearance of an official looking seal on a website lulls the user into a false sense of security, then what good is it? [66]

[59] <http://www.truste.org/consumers/web_seal_violators.php>

[60] <http://www.websiteboosterkit.com/tool3.html>

[61] <http://www.websiteboosterkit.com/verifiedprivacy.html>

[62] Scam using TRUSTe.org?, 12-13 December 2007, <http://www.fraudwatchers.org/forums/archive/index.php/t-12447.html>.

[63] Wagstaff J, TRUSTe’s Own Phishing Hole, Loose Wire Blog, 10 November 2004, <http://www.loosewireblog.com/2004/11/trustes_own_phi.html>.

[64] Currie E, Better Business Bureau – Don’t Fall for the Bbb Internet Scam, 16 August 2007, <http://www.articlesbase.com/internet-articles/better-business-bureau-dont-fall-for-the-bbb-internet-scam-199591.html>.

[65] Ong GM, Latest, Coolest Gizmos at a Malware Near You, 2 July 2007, <http://www.avertlabs.com/research/blog/index.php/2007/07/02/latest-coolest-gizmos-at-a-malware-near-you/>.

[66] Wagstaff J, TRUSTe’s Own Phishing Hole, Loose Wire Blog, 10 November 2004, <http://www.loosewireblog.com/2004/11/trustes_own_phi.html>.