Security and privacy issues can induce rage in the average Web user at privacy infringers, spammers and spyware purveyors. What’s more surprising, perhaps, is the vitriol that can arise within the small online security community itself. The latest insider spat erupted following the release of an academic paper using data from McAfee’s Web site security-rating application SiteAdvisor to determine TRUSTe certification is less than legit.
In his paper published last Monday, author and spyware researcher Ben Edelman purported that, out of a sample of over 500,000 top sites, 5.4 percent of TRUSTe-certified sites are actually untrustworthy, compared with 2.5 percent of all sites in the test group. “So,” he writes, “TRUSTe-certified sites are more than twice as likely to be untrustworthy.”
Edelman singles out sites he believes should not have been awarded the TRUSTe privacy seal, some of which still remain approved, including Direct Revenue, eZula, Hotbar, Maxmoolah.com and Webhancer. He also criticizes the ability of Better Business Bureau seal programs and major search engines to shield users from potential dangers of visiting or interacting with certain sites.
In the paper’s aftermath, TRUSTe has been Edelman’s main target as well as the focus of online chatter surrounding his conclusions. TRUSTe privacy-related certification programs don’t necessarily cover practices that result from downloading applications provided by a company, even if that company’s site has been labeled with a privacy seal. “The [TRUSTe] seal doesn’t OK all activities on those sites,” affirmed TRUSTe Marketing Director Carolyn Hodge.
Edelman is on the technical advisory board for McAfee’s SiteAdvisor application, a relationship some argue doesn’t pass the smell test either, since he uses data collected by the software to scrutinize TRUSTe.
SiteAdvisor uses Web bots to download executable files in order to assess potential damage of visiting or providing information to particular Web sites. The free software checks for automatic software downloads, excessive e-mails, outbound links to dangerous sites and security breaches, and attributes a green, yellow or red browser icon to sites when users click to them.
Ari Schwartz, deputy director of the Center for Democracy and Technology (CDT), argued SiteAdvisor and TRUSTe aren’t necessarily comparable because their methodologies are different. “TRUSTe works directly with the company and SiteAdvisor critiques the company from the outside,” he said. Schwartz has reservations about the validity of TRUSTe’s programs, but believes the organization has improved since earlier days. He added, “There’s a lot more work involved for TRUSTe, [and]… TRUSTe does bring an added sense to the table of improving the practices of the companies they work with.” CDT has been on two TRUSTe advisory boards.
Alan Chapell, president of privacy consulting outfit Chapell and Associates, has used the SiteAdvisor tool, but opined, “A research tool it is not.” He argued TRUSTe’s certification methodology is valuable because “to my knowledge, every time TRUSTe puts out a program, they put out standards that are publicly vetted.” Chapell’s firm has done consulting work for the privacy watchdog.
Shane Keats, Market Strategist for McAfee, would not comment specifically about Edelman’s report; however, he told ClickZ News, “Web security is a big problem and benefits from lots of approaches.”
TRUSTe’s most recent approach is a certification program for consumer downloadable software applications. In development for about a year, the Trusted Download program is intended to separate harmful spyware from adware and other applications.
Though Hodge admitted, “We do have gaps in the identification and testing of software,” she lamented, “What’s most disappointing about the report is that Ben conveniently is not mentioning the Trusted Download program.” Indeed, Edelman confirmed he actually advised TRUSTe on keeping untrustworthy sites and programs out of the Trusted Download Program. The program, which is set to launch soon, will provide a public whitelist of certified applications for consumers once it is active.
According to Hodge, the organization halted acceptance of applications from companies offering downloadable software last year. In addition, she noted any software firms providing adware or trackware must be certified by the Trusted Download program before they’re made eligible for TRUSTe’s other certification programs.
Edelman implied in his paper that TRUSTe is in the certification business for ulterior motives, namely money. In a discussion with ClickZ News Edelman declared, “The core problem is [TRUSTe] only makes money if they issue certifications.”
The organization sets privacy seal certification payments according to a sliding scale based on company revenues. Annual charges run from a minimum of $649 for the seal plus $250 for each additional URL for companies with revenues below $1 million. Firms earning revenues of $2 billion or more pay a maximum annual fee of $12,999 for a seal plus $3,250 for each added URL.
Hodge protested, “Profits are not part of the conversation here [at TRUSTe].” On the flipside, she and others wonder whether Edelman has a bias or stands to gain from touting SiteAdvisor over TRUSTe.
The question remains, will squabbles among industry insiders affect the relevance of TRUSTe certification? It could have an impact on the more clued-in consumer, concluded CDT’s Schwartz, adding, “It depends on who the consumer is.”