After reading new research from Carnegie Mellon University's CyLab, discussed previously on this blog, I e-mailed TRUSTe to ask them to respond to the report's concern that they were certifying sites whose compact policies were erroneous, missing, or apparently fraudulent, and would therefore weaken privacy protections in IE.
Fran Maier, President of TRUSTe, responded by posting a statement on their site’s blog. They respond, in part:
We take privacy matters of any scope very seriously here and we have opened an investigation into the issues brought forward by these researchers. We’re reaching out to our clients identified in the report and seeking further information about their use of P3P technology.
As part of TRUSTe’s program requirements we obligate websites we certify that have P3P statements to self-attest to their P3P statement’s consistency with their standard web privacy policy. A website’s privacy policy is the core focus of TRUSTe privacy certification as it is the resource consumers look to most frequently when making privacy decisions online. If we find that any of these sites we certify have P3P policies that do not align with their standard web privacy policy, we will assist our clients to ensure that consistency is maintained.
I commend TRUSTe for their intention to follow up, but am somewhat disappointed to hear that their certification has been relying on self-report. When consumers see the TRUSTe seal, should we think, “TRUSTe is certifying that this is what they have been told about the site’s privacy policy?” Wouldn’t we feel more confident if we knew that “TRUSTe is certifying that this is what they looked for and found?” [Update: see TRUSTe’s clarification on their methods in the Comments below this blog entry.]
The remainder of their statement, which I encourage everyone to read in its entirety, addresses why so few sites use P3P. Without arguing their assessment of the reasons for lack of adoption, it seems to me that if a company claims to be using P3P, it should be implementing it correctly. As in medicine, perhaps the first rule should be, “Do no harm.”
Lorrie Cranor, one of the investigators and authors of the report (and an author of the P3P standard) sent this statement to PogoWasRight.org after reviewing TRUSTe’s statement:
I’m glad to hear that TRUSTe is looking into this, and I wouldn’t expect them to comment further until they’ve taken the time to investigate. I personally was surprised at our finding that, as they put it, the “error rate among TRUSTe-certified, P3P-using sites is virtually identical to what the researchers found in the field at large.” I had expected TRUSTe-certified sites to be doing better than the field at large.
Thanks to TRUSTe for their timely response and for their commitment to assist their clients in providing compact policies that are consistent with their written policies.
Update 2: following the exchange of comments below, TRUSTe added another entry to their blog discussing P3P. You can read their post here.
Thanks for covering this issue as the future of privacy statements is an important one to discuss.
I’d like to clarify that while TRUSTe doesn’t check the P3P policies of our clients for the reasons that we outlined, we do check, through both our certification team and automated scanning, a number of elements reflected in the site’s privacy statement as well as their practices. For example, we look at the site to understand what features/functionality are on the site as well as to understand the business model, which gives us insight into the company’s motivation for collecting PII. Our certification team reviews all forms to see what info is collected and choice options provided at the point of collection. We review whether or not the site is collecting sensitive information or information from children.
Our automated scanning engine scans for tracking technologies including third-party cookies, web beacons, third-party scripts, and the presence of downloadable programs. We look for SSL and other security markers. Most often the scan results alert the human certification team of items to probe more deeply regarding the privacy practices of the site.
All of this provides us with a basis to review the privacy policy ensuring that it is transparent about the practices and meets TRUSTe’s program requirements. Nearly all companies find that they must make some changes to meet TRUSTe’s requirements. Somewhere between 10 and 15% do not make the needed changes and fail to earn certification.
Thanks so much for clarifying. I get the impression from what you’ve said that TRUSTe does not currently automatically scan for the presence of full machine-readable policies or CPs, nor does it conduct any automated or human analysis to compare a CP to the full written policy. Does TRUSTe’s automated scanning specifically include scanning full policies and/or CPs and attempt to validate them against each other or the written policy that the user sees? You’ve told us a lot of useful stuff that TRUSTe does, but if such scanning or assessment is not currently in the assessment protocols, do you think TRUSTe might add them at some point?
I understood what you assert about P3P but think that if a site has a CP, then a certifying assessor should check it against the full policy (and make sure that there is one) and either help the client make it accurate or have the client remove it altogether so that there’s no risk that the CP will subvert the user’s privacy settings. Would you agree with that?
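The check the blog author asks for above (make sure a certified site's compact policy is present and well-formed) can be partly automated. This Python function is an added example, not code from the page or from TRUSTe: it parses a response's P3P header and flags a missing CP or tokens outside the P3P 1.0 compact-policy vocabulary; the sample headers are constructed. Whether the CP matches the written privacy policy still needs a human reviewer.

```python
import re

# P3P 1.0 compact-policy token vocabulary (W3C P3P 1.0 Recommendation, section 4).
# Purpose and recipient tokens may carry an a/i/o suffix (always / opt-in / opt-out).
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES_REMEDIES = {"DSP", "COR", "MON", "LAW"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORIES = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
              "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
OTHER = {"NID", "TST"}
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON",
            "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
PLAIN = ACCESS | DISPUTES_REMEDIES | RETENTION | CATEGORIES | OTHER
SUFFIXABLE = PURPOSES | RECIPIENTS

def token_is_valid(token):
    """True if token is a legal compact-policy token (with optional a/i/o suffix)."""
    if token in PLAIN or token in SUFFIXABLE:
        return True
    return len(token) == 4 and token[:3] in SUFFIXABLE and token[3] in "aio"

def check_compact_policy(headers):
    """Inspect an HTTP response's headers; return a list of findings (empty = OK)."""
    p3p = next((v for k, v in headers.items() if k.lower() == "p3p"), None)
    if p3p is None:
        return ["no P3P header on this response"]
    match = re.search(r'CP\s*=\s*"([^"]*)"', p3p)
    if match is None:
        return ["P3P header present but carries no CP compact policy"]
    tokens = match.group(1).split()
    if not tokens:
        return ["CP compact policy is empty"]
    unknown = [t for t in tokens if not token_is_valid(t)]
    if unknown:
        return ["CP contains non-P3P tokens: " + " ".join(unknown)]
    return []  # well-formed; consistency with the written policy still needs a human

# Constructed sample responses (not real sites): a proper CP, a prose string in
# place of a CP, and a response with no P3P header at all.
SAMPLES = {
    "well-formed": {"P3P": 'policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM STA"'},
    "bogus": {"p3p": 'CP="This is not a P3P policy"'},
    "missing": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, check_compact_policy(hdrs) or ["ok"])
```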
Let me reiterate that we are investigating the issues raised in the report with our clients. We do not expect to change our process to routinely review P3P configurations, for the reasons outlined earlier, but will continue to expect that TRUSTe seal holders have consistent privacy notices. Additionally we hope to help the industry come up with more scalable and widely deployed solutions to increase consumer transparency, choice and accountability.