Report: TrustE Sites Twice As Likely to Be Bad Actors

Ben
Edelman, a researcher working on his Ph.D. in economics at Harvard, has posted a study showing that sites certified through Truste are twice as likely as similar, but uncertified sites to deliver spyware, adware and spam.

Edelman compared nearly 1,000 Truste-certified sites to more than 500,000 sites as reported by a major ISP. Using MacAfee's automated SiteAdvisor tool which visits site automatically, downloads software and subscribes using single-use email accounts, Edelman found (.pdf) that 5.4% of Trust-E sites were untrustworthy, while only 2.5% of the baseline sites were.

Edelman attributes these results to Truste's reliance on customer complaints, its willingness to allow companies to violate their policies and then fix them later, its reluctance to strip certification and its economic incentive to keep sites as customers.

In comparison, Edelman found that sites in the Better Business Bureau OnLineøs Privacy Seal Program have substantially higher trustworthiness than the base level sites, which he attributes to the program's stringent requirements.

Regulators should hesitate to assume self-regulatory bodies will assess would-be members correctly; self-regulators' incentives diverge substantially from a reasonable social utility function. Users should also be wary of supposed certifications; sophisticated users ought to question why sites proclaim their certification and what those certifications really mean. Finally, certification authorities might rightly reconsider their practices ø realizing that their credibility is on the line and that, in the long run, users will come to disbelieve certifications that are granted too easily.

Truste has already responded in a blog entry:

The study does not present a full or accurate review of TRUSTe's program requirements, monitoring processes and enforcement tools. The TRUSTe Web Seal Program Requirements represent a leading edge of privacy practices requiring disclosure of the uses of personal data, informed choice (as well as specifics for third-party sharing), and commitment to the Watchdog Dispute Resolution program. TRUSTe uses a number of tools, from user complaints to email seeding, to ensure continued compliance with our standards for informed notice and choice. Consumer generated Watchdog complaints have resulted in severe sanctions against licensees, including TRUSTe's public termination of Gratis Internet - a company that the New York Attorney General has sued subsequent to TRUSTe's actions.

Truste's mention of Gratis Internet is deliciously ironic spin, since its 'investigation' of the company behind the FreeIpods.com craze was instigated in part by an inquiry from Wired News.

Truste found nothing wrong:

"The results of our investigation indicate that Gratis Internet did not violate their privacy policy," Truste investigator Alexander Yap wrote in an October 2004 e-mail. "Truste did, however, work with them to strengthen and clarify their privacy statement."

Gratis Internet is currently being sued by New York Attorney General Elliot Spitzer for allegedly violating its privacy policy and renting/selling their 7.2 million customer database to three companies, which used the list to send upwards of 200 million spam messages.

That lawsuit also alleges that Gratis Internet employee Rani Nagpal told TRUSTe employee Heidi Berger on August 5, 2004, "I think there was some miscommunication about our email list: we just started renting it out to one company." That was months before Truste could not find any violation of the company's no-spam policy.

Truste finally revoked the seal in January 2005, but never publicly said it pulled the certificate because Gratis was spamming its users. Gratis Internet said the certificate was pulled because Truste wanted it to pay thousands of dollars for compliance classes.

Edelman did find one very interesting conclusion. The top natural search results (not paid results), especially from Yahoo, are very good indicators of sites' reliability.