Trustmark Schemes Struggle to Protect Privacy (2008)

8. Independence

There have been numerous concerns expressed about the independence of trustmark schemes, as their revenue comes from fees paid by members and sponsorship (typically from large members).[71]

Trustmark schemes deny that sponsorship or membership fees have any influence on decisions, but this defence is weakened by the poor enforcement history of trustmark schemes when faced with significant privacy breaches by their members.

In particular, TRUSTe has failed to take action in a number of high-profile cases involving its biggest (‘premier’) sponsors – Microsoft and AOL. It is unclear why TRUSTe accepts sponsorship from organisations that it is supposed to certify and regulate.[72]

Although data on enforcement is not available for most schemes other than TRUSTe, there was some limited analysis of the BBB Online Privacy Seal in 2000. This analysis expressed concern about the small number of enforcements, and highlighted a case where BBB Online appeared to change a decision following a threat by the member to withdraw from the scheme:

The appearance here is that eBay threatened to drop BBB Online so BBB gave in to eBay’s demands. Vacating a decision may be appropriate sometimes, but withdrawing it from public view once posted is a terrible precedent. It undermines the integrity of BBB’s reporting system.[73]

There have also been questions about industry links with the trustmark schemes. For example, the Board of TRUSTe has included Directors from members who have been involved in significant cases, such as Microsoft, Real and AOL. It has also included Directors from Doubleclick, and conversely the Chair of TRUSTe sat on a privacy advisory board for Doubleclick, despite their membership of TRUSTe at the time.[74] The perception of bias in these situations is high, and TRUSTe makes very little attempt to appear independent.

TRUSTe has also published joint press releases with industry members under investigation – such as Microsoft, Geocities, RealNetworks and Facebook. To an observer of privacy regulation this behaviour is unprecedented, and provides little confidence in the independence of TRUSTe.

On July 15 2008 TRUSTe changed its status from non-profit to for-profit and accepted investment (from Accel – part-owners of Facebook).[75] The current Board of Directors for TRUSTe is being reformed and consists only of their new investors. Depending on the makeup of the new Board, this may reduce perceptions of conflict of interest, although it does raise some perception issues regarding Facebook (a TRUSTe member).

Obviously this is a recent change, but the majority of TRUSTe members still retain the standard (old) TRUSTe wording in their privacy policies:

XYZ is a licensee of the TRUSTe Web Privacy Seal Program. TRUSTe is an independent, non-profit organization whose mission is to build user’s trust and confidence...

This misleading information should be corrected.

A very small number of sites have changed their description of TRUSTe since the change in status. For example, AOL now describes TRUSTe as “an independent organization whose mission is to advance privacy and trust in the networked world”.[76] If organisations are going to tell consumers that TRUSTe is “independent” then greater care should be taken regarding independence and conflicts of interest. AOL remains a premier sponsor of TRUSTe – this is not disclosed in the AOL privacy policy.

Possibly the low point of TRUSTe’s approach to independence occurred on 30 May 2008, when they issued a press release titled ‘Does Google Care About Privacy and Trust?’.

It was a critique of Google’s failure to provide a link to its privacy policy on the Google home page, and by TRUSTe standards was very strongly worded:

It is inevitable that [Google] draw fire regarding their lagging privacy commitment... If Google applied today for the TRUSTe privacy seal of approval, we would require them to post a link on their homepage. All TRUSTe certified search engines AOL, Yahoo, Microsoft and Lycos follow this practice... As one of the most pervasive collectors of internet data and information of all types, Google should step up to meet best practices as have the 1500 companies who proudly display the TRUSTe seal.[77]

This attack on Google comes from an organisation which has never once in 11 years issued a criticism of an existing TRUSTe member stronger than a mild ‘concern’. But of course, Google is not a member. Indeed, if Google were to join TRUSTe (including their many affiliate sites such as Flickr and YouTube) it would provide hundreds of thousands of dollars in new revenue for TRUSTe. The attack on Google’s ‘lagging privacy commitment’ contrasts with glowing press releases issued by TRUSTe regarding members such as Microsoft[78] and Facebook.[79]

The TRUSTe attack on Google was, clearly, a serious mistake. It adds fuel to the perception that TRUSTe is biased towards organisations that pay large membership fees and provide corporate sponsorship to TRUSTe. The complete lack of objectivity in their contrasting media releases on competitors Google and Microsoft is in stark contrast to the independence and professionalism required of regulators.

