FTC To ControlScan: Your Web Site Security Seals Are Lies
Written by Evan SchumanThe U.S. Federal Trade Commission (FTC) on Thursday (Feb. 25) screamed “the Emperor has no clothes” by reporting to consumers that one of the largest firms issuing “Verified Secure Breach Protection” seals doesn’t really verify much at all. The practical impact of the ruling for E-Commerce sites is unclear, both because the FTC has little authority to enforce its rulings and because consumers have typically been impressively apathetic about security and privacy issues.
The settlement against five-year-old ControlScan said that “contrary to the statements” ControlScan made to retailers, the company “in many instances conducted little or no verification of the privacy and/or security protections for consumer information provided by companies displaying its Business Background Reviewed, Registered Member, Privacy Protected and Privacy Reviewed seals. Instead, in many instances, ControlScan provided the Registered Member seal to a company that failed to qualify for the Verified Secure seal because an electronic scan of its Web site identified an actual or potential severe vulnerability on the Web site and permitted the company to display the seal indefinitely while taking no action to assess whether the company was working to resolve any vulnerability identified by the Web site scan.”
That last charge is particularly significant because it moves these accusations beyond mere neglect (they never bothered to check) to true, all-American lying (they checked, found bad stuff and gave them the seal anyway, as long as they paid their bill).
But there were also accusations—in this settlement that ControlScan has now agreed to—of neglect. The filing said that ControlScan “provided the Privacy Protected seal to a company that posted a privacy policy on its Web site, with no review of the company’s underlying privacy or information security practices and provided the Privacy Reviewed seal to a company that failed to qualify for the Privacy Protected seal because it failed to post a privacy policy on its Web site.”
Also, the verified dates posted on the seals—to give consumers confidence of ongoing security verification—were bogus, the filing said. “Contrary to the current date displayed in each seal’s date stamp, ControlScan did not review a company’s practices on a daily basis. Instead, in many instances, ControlScan, for a company displaying the Business Background Reviewed, Privacy Protected and Privacy Reviewed seals, conducted no ongoing review of the company’s fitness to display the seals. And for a company displaying the Verified Secure seal, conducted only a weekly Web site scan of the company’s Web site and for a company displaying the Registered Member seal, conducted a weekly Web site scan but imposed no requirement that the company take steps to resolve any actual or potential severe vulnerability identified by the scan.”
ControlScan’s E-Commerce sites appear to be mostly smaller merchants. But the potential damage to consumers’ faith in E-Commerce could extend far beyond ControlScan’s customers. Fortunately for E-Commerce sites, there is little credible evidence that consumers ever believed—or even noticed—the seals in the first place. Like a corruption charge against a politician widely believed to have been corrupt for decades, it’s likely to cause little change in that politician’s reputation.
But ControlScan does get mucho chutzpa points for prominently listing on its Web site 42 retailers that had displayed the seals when they hadn’t paid for them, as opposed to retailers that displayed the seals when they didn’t deserve them. As long as they paid, everything was fine. (Speaking of fine, ControlScan and its founder owe the government $750,000 as part of the settlement.)
-Marc
March 17th, 2010 at 3:31 pm
It really is a shame that security seals are receiving such a bad rap, because in the hands of a stellar e-security company they really CAN make a difference. I work in this space (as an online evangelist for VeriSign) and see a lot of various trust seals on the market that do a host of different things, but not all are worth their salt, and separating the wheat from the chaff is no easy task. Seeking out testimonials from trusted consumers is an important step in the trust seal purchasing process, as is visiting sites that are protected by the seal — if you then encounter an issue the seal is supposed to address, it’s safe to assume the seal vendor is not doing what it promised to do.
It’s just like taking your car to the mechanic–people don’t actually sit and watch their car get worked on, but if the problem persists, you can assume the mechanic didn’t fix it. This is why people take their cars to reputable shops with stringent processes and many years of experience. But if a mechanic fails to fix your car because they didn’t do something properly, it’s not fair to assume that all mechanics are crooks or poor at their job, and trust seals are no different — they’re only as good as the company that issues them.