I read with interest an article from The Register yesterday, "Malware Lurks Behind Safety Seal," that looked at some research done by Ben Edelman for his PhD at Harvard.
Within his report he stated, "I find that TRUSTe-certified sites are more than twice as likely to be untrustworthy as uncertified sites, a difference which remains statistically and economically significant when restricted to “complex” commercial sites." He also found, by cross-referencing 500,000 websites, that 5.4% of those carrying TRUSTe certification were linked to either spamming or spyware, compared to 2.5% of the sites with no TRUSTe certification.
TRUSTe disputed the findings. They indicate that some of the sites Edelman reported as having the TRUSTe seal either did not actually have it, or had the seal revoked.
The research report and TRUSTe rebuttal are interesting reads.
Bottom line, consumers must realize that web seals typically only represent the "certification" of that site at one point in time. The security and trustworthiness of a site will change as site updates are made, staff changes are made, and other business changes occur. A web seal can show that the site was considered trustworthy by a certification vendor on the date indicated on the seal, but take that seal with a grain of salt, knowing that the site may have become less trustworthy since the seal was placed.
If you aren’t sure about doing business with a site, don’t stop at the seal. Among other things, look at their posted privacy policy (if they don’t have one, that’s a red flag), check whether they use SSL for collecting personal and sensitive information, check whether they use cookies in an acceptable way (very simplistically, meaning they do not store meaningful or personal data in clear text within cookies), confirm that they don’t use web bugs on their site, and check that they have not been involved in any litigation or had adverse audit findings about their site security.
Yes, I know that is a lot of checking to do before you make that purchase that you really, really wanted. You may decide to take the risk. But just keep in mind that the fewer checks you perform before doing business with a site, the more likely it is that you will experience some adverse consequences.
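Several of the checks above can be automated against a page you have already fetched. The following is an added example, not code from the original post or from TRUSTe; it uses only the Python standard library and runs on a constructed sample page and constructed Set-Cookie headers rather than fetching anything. The heuristics are deliberately simple: a form that collects password or card-like fields but posts to an explicit http:// URL, an image sized 1x1 or hidden by style (the usual shape of a web bug), a missing link containing "privacy", and cookie values holding an e-mail address or a long run of digits in clear text. Function and sample names (assess_page, SAMPLE_HTML, shop.example, tracker.example) are assumptions chosen for the example.

```python
"""Heuristic checks for the trust signals a consumer might inspect on a site."""
import re
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Field names that suggest a form collects personal or sensitive data.
_SENSITIVE_FIELD_HINTS = ("card", "ssn", "password", "email")
_EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)
_LONG_DIGITS = re.compile(r"\b\d{13,16}\b")  # card-number-length digit runs


class _PageScanner(HTMLParser):
    """Collects insecure sensitive forms, web-bug-shaped images and privacy links."""

    def __init__(self):
        super().__init__()
        self.insecure_forms = []      # actions of sensitive forms posting over plain http
        self.web_bugs = []            # src of 1x1 or hidden images
        self.privacy_policy_link = False
        self._current_form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current_form = {"action": a.get("action") or "", "sensitive": False}
        elif tag == "input" and self._current_form is not None:
            name = (a.get("name") or "").lower()
            is_password = (a.get("type") or "").lower() == "password"
            if is_password or any(hint in name for hint in _SENSITIVE_FIELD_HINTS):
                self._current_form["sensitive"] = True
        elif tag == "img":
            tiny = a.get("width") == "1" and a.get("height") == "1"
            hidden = "display:none" in (a.get("style") or "").replace(" ", "").lower()
            if tiny or hidden:
                self.web_bugs.append(a.get("src") or "")
        elif tag == "a" and "privacy" in (a.get("href") or "").lower():
            self.privacy_policy_link = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current_form is not None:
            form = self._current_form
            # Only an explicit http:// action is flagged; a relative action
            # inherits the scheme of the page it was served from.
            if form["sensitive"] and form["action"].lower().startswith("http://"):
                self.insecure_forms.append(form["action"])
            self._current_form = None


def cookies_with_clear_text_pii(set_cookie_headers):
    """Return names of cookies whose value looks like an e-mail or card number."""
    flagged = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if _EMAIL.search(morsel.value) or _LONG_DIGITS.search(morsel.value):
                flagged.append(name)
    return flagged


def assess_page(html, set_cookie_headers):
    """Run all heuristics and return a list of human-readable findings."""
    scanner = _PageScanner()
    scanner.feed(html)
    scanner.close()
    findings = []
    if not scanner.privacy_policy_link:
        findings.append("no privacy policy link found")
    for action in scanner.insecure_forms:
        findings.append(f"sensitive form posts over plain HTTP: {action}")
    for src in scanner.web_bugs:
        findings.append(f"possible web bug (tracking pixel): {src}")
    for name in cookies_with_clear_text_pii(set_cookie_headers):
        findings.append(f"cookie '{name}' carries clear-text personal data")
    return findings


# Constructed sample input (not a real site) exhibiting every signal checked above.
SAMPLE_HTML = """
<html><body>
<a href="/about">About us</a>
<form action="http://shop.example/checkout" method="post">
  <input name="cardnumber"><input type="password" name="pw">
</form>
<img src="https://tracker.example/pixel.gif" width="1" height="1">
</body></html>
"""
SAMPLE_COOKIES = [
    "session=a1b2c3d4; Path=/; Secure; HttpOnly",
    "user=alice@example.com; Path=/",
]

if __name__ == "__main__":
    for finding in assess_page(SAMPLE_HTML, SAMPLE_COOKIES):
        print("-", finding)
```

These heuristics only surface what is visible in the markup and response headers; a clean result does not mean a site is trustworthy, and a privacy link or an https form action still says nothing about what the operator does with the data once it arrives.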
Technorati Tags
information security
IT compliance
policies and procedures
web bugs
trust seals
TRUSTe
awareness and training
privacy