Privacy Seals and Privacy Snake Oil

One of the constant problems of privacy is knowing who to trust with your data. Laws, policies, technical controls and trustworthy brands go a long way to building consumer confidence in an organisation’s data handling, but it’s only a matter of time before some bright spark suggests “maybe we could have a privacy seal to prove we’re trustworthy?” After all, on the face of it, this seems like a good idea: a trust mark to demonstrate that an organisation handles personal data in accordance with a defined set of good practices.
The problem is, it just doesn’t work.
There are a number of privacy seal schemes out there, but the majority are US-centric, with key players including TRUSTe, BBBonline, EuroPriSe and WebSeal*. Each organisation offers its members a set of standards, a self-assessment method, and a logo they can use in customer-facing materials.
Advocates argue that the strength of a privacy seal scheme is that it provides its members with a common standard for personal data management. In an environment that is law-rich but standards-weak, the scheme provides confidence that the members are working from an ‘approved’ starting point. Individuals are assured that participating organisations will deliver against these standards, and that they can complain to the scheme in the event of a problem. Members hopefully maintain good practices in the management of personal information because they wish to maintain their certification, and in all likelihood their staff will improve their practices through greater awareness of personal data management.
A privacy seal scheme also provides a basic confidence that an organisation has a degree of commitment to good privacy practices, otherwise why would it bother to engage in the first place? The process of joining a scheme will most likely raise awareness, and result in improved practices.
Unfortunately, there are some significant potential downsides to privacy seals as well. Firstly, the scheme can only be as good as its underlying standards, and there is a range of standards used by the schemes. Consumers may assume that all schemes are equal, thereby obtaining a false sense of assurance that the weaker schemes are in fact respecting their personal data.
Secondly, the schemes use different approaches to certification. EuroPriSe and WebSeal are both independently assessed by experts to ensure that members comply with standards, whereas the entry point for many other schemes is self-certification. That means we have a broad spectrum of possible privacy outcomes for consumers dealing with seal schemes, since organisations can gain entry to a scheme relatively easily.
Thirdly, and perhaps the most difficult of all, is the ability of schemes to monitor and police their members. If you are a scheme operator, dependent upon your members for your income, then the last thing you want to do is to suspend a high-profile member because they’ve failed to submit an annual recertification; or to strike off a member for proven poor privacy practices. You’ll have to do so very publicly for the scheme to maintain its credibility, otherwise the other members, and the public, may accuse you of opaque practices. You’ll need to inspect those members, in response to consumer complaints, to be sure they’re doing what they claim, and those inspections aren’t going to be cheap. And you’ll have to ensure that your members correctly represent the nature and trustworthiness of your scheme, otherwise they might abuse it for their own purposes.
Unfortunately, this last point appears to have been at the heart of a failure for TRUSTe, which is predominantly US-based, and has many thousands of members who use the TRUSTe seal to assure their customers that their data handling practices are up to scratch. TRUSTe has had to enter into an agreement with the US Federal Trade Commission, which has levied a US$200,000 fine, for falling short of a pledge “to hold companies accountable for protecting consumer privacy.” TRUSTe is alleged to have failed to conduct annual recertifications of its privacy seals in at least 1,000 incidents over a five-year period; and to have failed to ensure that its members correctly described TRUSTe as a for-profit entity. The FTC takes this stuff seriously, and has enforcement powers beyond the UK ICO’s wildest dreams, so in all likelihood the agreement offered by the FTC was preferable to facing a full regulatory punishment. TRUSTe has responded to assure members that the problem was remedied long before the fine was levied.
TRUSTe’s woes are not necessarily indicative of problems unique to TRUSTe, but of the fundamental challenge for a privacy seal: how do you stay on top of the practices of all the members, all of the time? Full audits are too expensive for all but a handful of potential members, self-certification is open to abuse, and unless the seal provider can stay on top of that abuse, the credibility of the scheme (and all similar schemes) becomes doubtful.
The UK ICO consulted on the topic a few months back, with a view to whether it should support commercial privacy seals in future, and I argued some of the reasons why that’s not a good idea. I would imagine that they’re having a long, hard think about whether they want to support privacy seals now.
If you want to find out more about trust marks and privacy seals, do check out Gilad Rosner’s definitive paper on the subject here:
* (Apparently a key requirement for being a privacy seal provider is a shameful abuse of proper capitalisation)