Galexia
             home
       about us
        services
        projects
       research
          contact
» home » research » assets » trustmarks struggle 20080926  

Subscribe to Galexia news and announcements.
More information »

Identity Management and Authentication - Strategic Consulting: Galexia’s expertise on identity management includes consideration of the policy context as well as technical design issues, legal compliance, political considerations and community attitudes. Our background in law, technology and public relations makes Galexia uniquely suited to delivering strategic advice on identity management. Find out more »

[2015 EU Cybersecurity Dashboard]

2015 EU Cybersecurity Dashboard
Find out more »

Trustmark Schemes Struggle to Protect Privacy (2008)

[« previous] [next »] [title page] [full contents]

5. Timing issues

The level of protection offered by a web trustmark depends on the time of a transaction and/or the time of making a complaint. Protection will only be available for the period where the organisation is certified. There may also be other time limits on lodging a complaint.

The biggest timing problem is the volatile nature of membership of trustmark schemes. Memberships often lapse for non-payment. Typically these are quickly renewed but consumers lose their rights (or become confused about their rights) during the intervening period.[53] In the Gratis case (discussed above) the membership status of the company changed almost daily as TRUSTe issued multiple press releases and clarifications.[54] Privacy legislation is far more static by contrast.

Timing issues were also a concern in the GeoCities case, where it appeared that TRUSTe maintained the certification of GeoCities even as they were negotiating a substantial privacy law settlement with the Federal Trade Commission:

In June 1998, the FTC announced - to everyone's surprise - that it and GeoCities had come to a settlement regarding violations of consumer privacy. Everyone was surprised because this was the first anyone had heard of it. Where was TRUSTe? Caught flat-footed, TRUSTe scrambled for a few days, then made its own announcement. It pointed out that GeoCities had begun the alleged privacy violations before applying to become a member (in April) and being accepted (in May). Therefore, TRUSTe claimed, the violations were technically not under the scope of their investigation. But turn that around and put it another way - it was able to become a TRUSTe member even while under investigation by the FTC, and TRUSTe said nothing. [55]

If trustmark schemes will not provide basic information and warnings to consumers because of ‘timing issues’ their value as a privacy protection is significantly diminished.

TRUSTe isn’t the only trustmark scheme that has allowed timing issues to become a barrier to privacy protection. PrivacyBot offers a ‘provisional’ trustmark – a seal that looks exactly the same to the consumer as the regular PrivacyBot seal:

Use our 6 Step Wizard to create a Privacy Policy in about 10 minutes. Your Privacy Policy & Trustmark will be delivered promptly online. Display the Trustmark today on a provisional basis.[56]

A consumer who provided personal information to the site during this ‘provisional’ period receives no protection and cannot use the PrivacyBot complaints service if any problems occur prior to full certification. Provisional periods can be as long as six months. This odd approach displays the high value that trustmarks place on business convenience, and the low value placed on privacy protection.

Also, consumers may lose some rights under trustmark schemes if they don’t complain quickly. Consumers lose their rights under the Guardian privacy seal if they don’t complain of a breach within 25 days of the original transaction.[57] This compares poorly with the time periods used in general privacy and consumer protection law. It also compares poorly with best practice advice for consumers from Privacy Commissioners – for example the Australian Privacy Commissioner encourages people to complain within 12 months of becoming aware of a the breach (not the date of the original transaction).[58]

[53] See for example the consumer discussion regarding a lapse in membership of the online retail giant newegg: <http://digg.com/security/Newegg.com_pulling_a_fast_one_>. Also, see the debate regarding the membership of me.dium <http://blogme.dium.com/content/2008/04/just-the-facts-maam/>.

[54] Kahney L, FreeiPods.com Sold Private Data – Despite Promising Not to, 16 March 2006, <http://cultofmac.com/freeipodscom-sold-private-data-despite-promising-not-to/248>.

[55] Slashdot, TRUSTe Decides Its Own Fate Today, 8 November 1999, <http://yro.slashdot.org/article.pl?sid=99/11/05/1021214>.

[56] <http://www.privacybot.com/>

[57] <http://www.guardianecommerce.net/guardlegal.htm>

[58] <http://www.privacy.gov.au/privacy_rights/complaints/index.html>

[« previous] [next »] [title page] [full contents]

[view all] [download PDF version]

[up to research]

 

Search for:

HERE

PrintVersionprint this page

Sitemapsitemap

Subcribe to RSS newsrss news feed

Manage email subscriptionsmanage email subscriptions

Latest News

September 2019
Register of Public Galexia PIAs. Read more »

September 2019
Updates to Galexia Website. Read more »

September 2019
PM&C / Office of the National Data Commissioner (ONDC) releases Discussion Paper and accepts recommendations from Galexia’s PIA on the proposed Data Sharing and Release legislative framework. Read more »

August 2019
Galexia providing privacy advice and an independent public Privacy Impact Assessment (PIA) on 2021 Census for ABS. Read more »

June 2019
Galexia completes privacy advice and an independent Privacy Impact Assessment (PIA) on the Naval Shipbuilding College Workforce Register. Read more »

view all news items »

[Home] [Sitemap] [Print this page] [Privacy statement]

© Galexia Pty Ltd
Telephone: +61 (02) 9660 1111
Email: [email protected]