How do I know that Web site is practicing good security?
Jim Reavis
Network World on Security, 10/18/99
In the world of bricks and mortar, there are regulations or standard practices to provide consumer assurances for businesses in nearly every industry.
As we attempt to translate everything we know into the Internet, what assurances do we have that the company standing behind the Web site is committed to protecting your privacy and securing your transactions?
Although Web-based companies are supposedly obligated to follow our decidedly noncyber laws, many of them seem to be fairly good at staying three steps ahead of enforcement. How can we separate the good from the bad in real time? There are organizations that seek to bestow a seal of trust upon companies doing business on the Internet. Are they adequate and do they give you a feeling of comfort while you surf?
The three major Web site "seal of trust" programs are BBBOnline, TRUSTe and WebTrust. These programs have different legacies and areas of emphasis.
BBBOnline is a wholly owned subsidiary of the Council of Better Business Bureaus, an organization which for over 80 years has sought to instill consumer confidence and promote ethical business practices.
BBBOnline awards seals for two different programs, BBBOnLine Reliability and BBBOnLine Privacy. BBBOnLine Reliability, launched in 1997, is mostly a set of offline requirements for the applicant. They must be a member of the Better Business Bureau, have been in business for at least one year and must be visited by a BBB representative to confirm that they are complying with BBB requirements. Among these requirements are truth in advertising standards and adherence to BBB's dispute resolution process.
BBBOnLine Privacy, launched earlier this year, defines online information management practices to safeguard consumer privacy, including notice to the consumer, disclosure, choice and consent, access, and security. In the case of a consumer dispute, the customer and the business must work together directly to resolve the conflict under the review of BBB staff. If the dispute cannot be resolved directly, BBB staff convene an independent panel to make a judgment. BBBOnline currently counts approximately 3,000 businesses holding its Reliability seal.
WebTrust is an audit program developed by the American Institute of Certified Public Accountants. The WebTrust seal is bestowed upon a site based on quarterly audits by a CPA certified for WebTrust reviews. The CPA examines the applicant site's business practices, transaction integrity, privacy and security capabilities.
Although the WebTrust program was released with great fanfare and has fairly decent technical criteria, it has clearly not caught on. The WebTrust Online Site index shows just 18 current seals in effect. To be fair, it should be pointed out that WebTrust requires a much higher commitment from the prospective applicant than BBBOnline. While BBBOnLine Reliability costs $1,000 and renews automatically, the cost of quarterly WebTrust audits is much higher. Still, we must question the value of a seal that is used by such a tiny fraction of Web sites.
TRUSTe is the "seal of trust" program provider without a legacy in the bricks and mortar world. It was the brainchild, in 1996, of Lori Fena, Executive Director of the Electronic Frontier Foundation (EFF), and Charles Jennings, founder and CEO of Portland Software.
TRUSTe is focused more closely on the issue of privacy, and does not cover the offline business practices of the company behind the Web site. TRUSTe should be considered a complement to the two certifications above when dealing with e-commerce Web sites: it is more concerned with assuring you that the site will not disclose your credit card number or home address than with assuring you that the product you ordered will ever arrive.
TRUSTe was recently in the headlines after Microsoft engaged TRUSTe to contract the audit of the recent Hotmail privacy vulnerability. (Microsoft is a corporate sponsor of both TRUSTe and BBBOnline.) You can draw your own conclusions about TRUSTe's effectiveness in resolving that issue. TRUSTe lists approximately 800 Web sites carrying its seal.
Trustmarks are like any technical standard: adoption is as important as the technical merit of each proposal. The trustmarks mentioned here all base their success on your faith in the underlying organizations; none of them offers a financial guarantee backing its certification of members who might not live up to the standards.
With only a handful of Web sites out of millions claiming one of the substantial seals, the onus is still on consumers to research the sites they visit before committing any personal or financial information. Does the site post a privacy policy? Does it encrypt sensitive data? Does it use strong encryption? Do you know where its brick and mortar offices are?
Encouraging businesses to adopt one or more "seal of trust" certifications is not only a good way to instill consumer confidence, but in the long term it provides a more flexible alternative to government regulation.