Discussion of Online Advertising, CPA, SEO, Affiliate and Next Generation Marketing
ReveNews Online Revenue News & Opinions Since 1998

TRUSTe or not to TRUSTe… That is the Question- Porter on Edelman

September 25th, 2006 by Wayne Porter

In my last entry to CPC or not to CPC That is the Question… I talked with Steve Denton, President of Linkshare about cookie methodology. I took a break because last week was quite a week for me- chasing the Pipeline Worm and on its heels the Heart Worm.a- one that makes your head spin and top that off with a speaker’s acknowledgment for RSA 2007 and the next Affiliate Summit and well…I went looking for something more simple to grapple with- trust. To TRUSTe or not to TRUSTe that is the question…sounds simple. Make the grade for a seal and you are a-ok.

So let’s talk about TRUSTe certifications. From what I gather TRUSTe is a non-profit internet privacy organization dedicated to preserving customer privacy and assisting commercial e-commerce with customer privacy concerns. It approves websites based on the privacy policy of the site. It resolves customer complaints about the privacy of approved sites.

Sounds great, but does it measure up?

Ben Edelman didn’t think so and he published his results based on a paper he wrote: Adverse Selection in Online “Trust” Authorities [File Format: PDF]. Interestingly enough TRUSTe didn’t seem to like his results and I pointed that out to Ben after our first round of interview questions:

To quote from the TRUSTe blog: “In a recent study, the efficacy of our program and our standards has been called into question. TRUSTe disagrees with the study and its conclusion that TRUSTe certified websites are less trustworthy than non-certified web sites. TRUSTe requires its sealholders to adhere to a strict set of standards for consumer privacy based on informed choice for the use of personal information.”

Disagreement is good. Disagreement means something needs to be changed or called attention to. Did I mention I like disagreement? In this case I see a clear reason to have some disagreements.

As I type two things are true about Webhancer and known to other parties:

1) They are getting installed by notorious spyware and adware, including Dollar Revenue, including getting installed through exploits and otherwise without notice or consent.
2) They are certified by TRUSTe.

TRUSTe could sweep this under the rug, as if it’s not a big deal. Perhaps TRUSTe members are informed enough to know that while Webhancer may have a TRUSTe seal, they’re actually up to something shady. But when users see the TRUSTe sticker, so familiar from its appearance on other sites users actually do trust, some users inevitably get tricked. I have learned there’s no sweeping the problem under the rug when it’s YOUR computer that suffers, when it’s YOUR private web browsing that is transmitted in glorious detail to Webhancer’s servers. In short when people get owned- they remember who enabled it.

So I went to Ben to ask him about his study and if he had any comments at the end with TRUSTe’s blog in mind and this is what he had to say.

Porter: OK- you published an article and paper on TRUSTe- What did you find?

Edelman: Sites certified by TRUSTe are less safe than other sites (similar in complexity, popularity, and other characteristics). So when a user sees a TRUSTe seal, the user should not conclude that the site is especially likely to be safe. Quite the contrary!

Porter: How did you reach these conclusions?

Edelman: I used SiteAdvisor data to assess web site safety. SiteAdvisor data isn’t perfect, but when SiteAdvisor’s robots say there’s something wrong with a site, there’s generally good reason for users to be concerned. For example, SiteAdvisor’s email robots might have gotten huge volumes of spam after providing an email address to a site, like TRUSTe member maxmoolah.com. (400+ emails per week!) Or SiteAdvisor’s program downloaders might have found programs that users generally call spyware or adware. I cross-check this web site rating data against TRUSTe’s member list, both current and historic, and I find that TRUSTe’s certified sites are more likely to be unsafe than other similar sites.

Porter: So why does anyone believe TRUSTe anyway? Shouldn’t users learn that TRUSTe certification doesn’t mean a site is really any safer?

Edelman: TRUSTe’s early members and its most prominent members are distinguished, well-respected companies that, whatever their faults, most users tend to trust. Think eBay, Microsoft, Intuit. Users remember that they’ve seen the TRUSTe seal at those trustworthy sites. Then they’re at risk of getting tricked when they see and recognize the seal on less reputable sites.

TRUSTe’s seals aren’t particularly expensive in the scheme of things. So even if a seal makes only a small difference — encourages only a few extra users to sign up or to download — the seal could still pay for itself. My paper includes an algebraic model showing a site’s decision-making in deciding whether to get certified — comparing the costs of getting certified to the benefits of doing so.

Porter: How about a solution? How can this problem be fixed or can it?

Edelman: Calling attention to the problem is a good start. Since I posted the first draft of this paper, several notorious TRUSTe-certified sites have dropped off TRUSTe’s list.

My background in law and economics always makes me think about legal regimes to create optimal behavior. The first thing a law & ec person thinks about, on these facts, is an optimal liability rule. What if users could sue a certification authority if they relied on an improperly-issued seal? I don’t think that’s a great fit here, but surely it reflects a nugget of insight: That certification issuers would be more careful who they certified if they faced real penalties for certifications issued improperly.

Porter: I agree with that. Any other specific examples of surprising companies TRUSTe has certified? I know I have my own, but what do you see?

Edelman: Sure. Hotbar and Direct Revenue, both of which make advertising software that tracks users’ behavior and shows annoying pop-up ads. Webhancer, which tracks users’ behaviors in exceptional detail, yet widely installs without consent. Several Ask.com toolbar distributors, like funwebproducts and smileycentral. These toolbars mislead users into running searches when they mean to conduct direct navigations, and these toolbars advertise through other vendors’ spyware.

Gratis Internet, which the NYAG says sold 7.2 million users’ names, email addresses, street addresses, and phone numbers, despite privacy policy promises to the contrary; yet a 2004 TRUSTe investigation specifically gave Gratis a clean bill of health. (Readers can find details at: Wired.)

Porter: And any response regarding their blog?

Edelman: TRUSTe makes it sound like the other spyware vendors they have certified are somehow ancient history. Not so. When I retrieved TRUSTe’s member list on January 1 2006, it included all the vendors I listed. They still certified Direct Revenue as of January 1, 2006! After all you, I, and others had reported about Direct Revenue’s massive, widespread nonconsensual installations and other notorious practices.

Porter: Yes I am sadly quite familiar with Direct Revenue and the antics in that camp- anything else off the top of your head?

Edelman: TRUSTe tries to dispose of funwebproducts as if it were some brief error. But when Suzi Turner made an observation on May 30, 2005, TRUSTe’s member list included funwebproducts. Funwebproducts was still on TRUSTe’s site on January 1, 2006 — 7 months later. That’s at least a 7-month-long mistake — hardly trivial. Finally, her blog shows several other notorious sites TRUSTe has certified.

End of Interview.

On that note I will add that Ben has posted some more interesting pieces to his article since the conversation and TRUSTe brings up this point in their blog:

“As an accreditation program TRUSTe will err on the side of rating companies as trustworthy, conversely SiteAdvisor has been shown in some cases to err on the side of untrustworthy.”

I have had my own unique problem with SiteAdvisor (and it was rapidly dealt with) but in today’s world I still advise people- shoot first- ask questions later. In short- I would trust (ironically) someone who errs on the side of untrustworthy first. Your computer, your privacy, your financials, etc.- these are too important to leave to a timid approach.

I also note that TRUSTe will be offering a trusted download service soon. This will prove interesting. I wonder if I or members of my team will bump into them on some of the rough patches of the Internet or if they will have their own botnet diving team?

Jeff Molander at ThoughtShapers weighs in on the issue with Edelman as well- talking about failed industry self-regulation.

The bottom line is this- the only penalty imposed on TRUSTe rule breakers is losing a pretty seal. Trust me (no pun intended) some of these outfits could care less. In some parts of the Net you had better carry a ballbat around and be prepared to enforce what you claim to certify or it has little weight.

Esther Dyson, I feel the need for yet another conference coming on!

5 Comments

TRUSTe encourages complaints against our sealholders from consumers via our Watchdog, and from experts as well.

When we learn of issues in trust we follow a process for requiring companies to change. The strength of this process is also its weakness - optimism that companies can change for the benefit of consumers, trust in our sealholders and their commitment to their customers, and an impartial process to obtain buy-in and make it happen.

Ben’s job is to weed out the bad guys - our job is to make companies change their practices. TRUSTe is constantly working on feedback we get from many sources. Case in point, because of feedback from the anti-spyware community we will be issuing new requirements for software that go beyond our current webseal requirements. Some of the companies Ben pointed out in his paper are no longer part of the TRUSTe program. Because of investigations we terminated Gratis Internet last year, and the New York AG sued them.

TRUSTe doesn’t kick out companies based on opinion, or on previous bad behavior, or because it makes us look better. We don’t accomplish our mission if companies don’t meet our standards for notice and choice. Sometimes it takes some time to effect real change, or for standards to emerge in business practices.

Mike Hyland said:

Appears like any web surfers best wear “mouse rubbers” when landing on a Truste certified site. Best brand of “mouse rubbers”, distributed free of charge to challenge Truste’s marketing and certification practices is offered at http://www.siteadvisor.com. Must have tool for your favorite browser. Seems funny the companies mentioned in this and other articles & blogs so easily convinced Truste the case of Adwhore herpes is curable. Trust me the boils are harmless.

Wayne Porter said:

Carolyn,

Ignore Mike’s crude comments please.

Sincere thanks for taking the time to respond and participate in the conversation. I am glad you really do that and not just pay it lip service.

To your comment:

“When we learn of issues in trust we follow a process for requiring companies to change. The strength of this process is also its weakness - optimism that companies can change for the benefit of consumers, trust in our sealholders and their commitment to their customers, and an impartial process to obtain buy-in and make it happen.”

Call me jaded but I think your optimism is the Achilles heel- that is probably having been on the side of seeing PCs wrecked from some of the apps you certified. When I look for trust- I’d like to see it enforced. When you see repeat violations of trust- you need a crowbar to change them. Again what is the real penalty for testing the trust?

Carolyn said “TRUSTe doesn’t kick out companies based on opinion, or on previous bad behavior, or because it makes us look better. We don’t accomplish our mission if companies don’t meet our standards for notice and choice. Sometimes it takes some time to effect real change, or for standards to emerge in business practices.”

That is very noble Carolyn, but what shall I tell users whose PCs are smoking piles of rubble? Who take them back to hardware vendors because of your slow and gentle process- who leave the net altogether having been owned by sleazy adware? Sometimes it takes some real force to enact change, otherwise your seal starts to look rather watery. What is the real penalty for getting kicked out? You lose your seal?

I have a lot of interesting questions I’d like to ask, and some other privacy analysts would too, and since Revenews reaches a big chunk of your audience- Paying Merchants- are you and/or someone from TRUSTe willing to step into the Q&A Ring? It isn’t hostile- it’s just some in-depth questions.

Very simple- A series of questions on this blog, or SPG blog (or if you prefer your own blog) but prefer here.

To retard flaming I turn comments off (I do leave trackbacks on to promote well thought out responses and may add links to them in an addendum.) and you answer them honestly and openly…and have right to decline any question on the list.

Fair enough- do you trust me enough to abide by those rules of engagement?

Mike Hyland said:

Wayne you’ve fought this Adware/Spyware infestation game long enough to realize the greed driven perps, running the BHO’s, will make child’s play of skirting Truste’s liberal feelgood policies. Until someone there has the balls to PUBLICLY OUT on their site those who got a Truste seal of approval and blatantly violated the terms. Their loyalties have to be with the shoppers … not the IAB/DMA membership.

They need to learn the meaning of my tagline… What have you done today to put real values at the end of a click … from a shopper’s viewpoint.

Good to see that I am not the only one with long posts here at RN hehe. Beth’s “flunked” recently (I hope this comment draws her out ;) ) who also tended to details.

Interesting post. I learned a few years back that certification does not make the certifier liable for anything although some give some financial guarantee I think. I have Verisign in mind but might mix it up with their SSL Key Guarantee.

Anyhow, it would be a leap forward if the issuer of such critical and specific certification can be held responsible by the deceived and harmed consumer, at least to some extent.

As you said already, that would make the issuer check twice rather than once or only 3/4 and would reinforce the value of those certificates.

Actually a win win situation. If I would be a security certification service and believe in my own certification and test procedures, I would offer voluntarily a limited guarantee and liability.

I am responsible to some degree, if I made an error and issued a certificate where it should not have been issued …IMO.

Okay, maybe only if I am applying common sense and not specific laws that would fit the issue, but hey, consumers are not lawyers either… well at least not the majority.

This would strengthen my brand and service, because it shows people that I am standing behind it and believe in it myself.
