Why seals don't always perform

The US Federal Trade Commission has just settled charges against so-called privacy and security certification service ControlScan for failing to monitor the practices of the sites it certified. In the settlement announcement, the FTC states that the company's “founder and former Chief Executive Officer has entered into a separate settlement that requires him to give up $102,000 in ill-gotten gains.”

ControlScan offered a variety of privacy and security seals for display on Web sites. Consumers could click on the seals to discover exactly what assurances each seal conveyed. For example, the company’s Business Background Reviewed, Registered Member, and Privacy Protected seals conveyed that ControlScan had verified a Web site’s information-security practices. However, the FTC alleges that ControlScan provided these seals to Web sites with “little or no verification” of their security protections. Similarly, the FTC alleges that the company provided its Privacy Protected and Privacy Reviewed seals to Web sites with “little or no verification” of their privacy protections.

The FTC also charged that although ControlScan’s seals displayed a current date stamp, implying a daily check, the company did not review any of the seal sites on a daily basis. In some instances, Web sites were reviewed only weekly, and in others ControlScan did no ongoing review at all of a company’s fitness to continue displaying its seals. The FTC charged that the defendants’ deceptive acts violated federal law.

Stern words indeed, and the sort of thing one would expect to hear from a heavily empowered regulator (the UK Information Commissioner simply doesn’t have this sort of clout, particularly since the government gave up on plans to increase penalties before the election). Any company that makes a commercial offer in the US and then doesn’t do what it said it would can face that level of wrath from the FTC.

As for privacy and security seals: well, I’ve never been much of a fan. There are some excellent programmes out there, but for a seal to be meaningful it has, to my mind, to be backed by an independent ombudsman who can award meaningful damages when an organisation in possession of a seal fails to protect data. Even then, it is almost impossible for victims to prove the source of a data breach unless the leaked data is distinctive enough to be traced to a single holder; in most cases, the accused organisation can wriggle out of liability by claiming that the individual must have lost the data elsewhere, or had inadequate protection on their own machine.

In their policy document Reversing the rise of the surveillance state, the Conservatives state that they will task the Information Commissioner to carry out a consultation with the private sector, with a view to establishing guidance on data security, including examining the viability of introducing an industry-wide kite mark system of best practice. Unfortunately, even if such a kitemark is created, I doubt it will result in anything meaningful, and there are better places on which to focus resources: rigorously applied security and privacy standards for the public sector; a properly funded police force that can investigate e-crime; an empowered ICO that deals sternly with public authorities and private companies alike; and above all a fresh way to properly value personal information, so that it is protected in accordance with the expectations of the data subject rather than the convenience of the data controller. Tomorrow the ICO will publish its report on valuing personal information; with a bit of luck, that will be the first step towards a revitalised approach to information security.