Reflections on trusting TRUSTe

2006/07/20

Categories: Spam

So, there’s this thing, called TRUSTe. They “certify” privacy. What’s that mean? Well, it means about the same thing for privacy that a diploma mill does for education. It’s not that a TRUSTe logo tells you nothing; it’s that it is a good indication that you are dealing with someone who could not otherwise hope to convince anyone that they would be safe.

My own experience is that, out of the half-dozen or so TRUSTe customers (they are paid by the sites they “certify”) that have my email address, I believe every single one, without exception, has spammed me. Companies that do not have TRUSTe logos sometimes spam me, but not nearly as often.

But when it comes to big-time spammers, such as RealNetworks, TRUSTe is there. Certifying them. When eBay unilaterally changed their privacy policy, spammed customers before the new policy had even taken effect, and issued multiple mutually exclusive statements about what had just happened, do you think there was any enforcement? I’ll give you a hint: There wasn’t.

The problem is immediately obvious. Since TRUSTe’s customers are the companies whose policies they “certify”, to confirm that there was a problem would require TRUSTe to hurt their own bottom line. That isn’t likely to happen. The excuses offered are many and varied. But the fact remains: only bad actors have the incentive to try to buy a logo that says they’re trustworthy. Honest companies don’t need to worry, because they don’t have the rumors of their spam efforts haunting them.

All of this has been known for years. What’s news about it now is that it’s been verified (PDF file, sorry). Real data, real analysis, and a confirmation that this isn’t just a confirmation bias:

I find that TRUSTe-certified sites are more than twice as likely to be untrustworthy as uncertified sites, a difference which remains statistically and economically significant when restricted to "complex" sites.

This result is not surprising. What is marginally surprising is that there are still people out there who will tell you to check for a TRUSTe logo, as though anything would happen if you got spammed (and you will!) and reported it. To the best of my knowledge, I have never even gotten so much as a single human response from TRUSTe over complaints; once I established they weren't interested, I stopped wasting time.

But you can, it turns out, use the TRUSTe logo as a marker to help you determine when it will be safe to give someone your information. If they have one, it is probably unsafe.