Copyright 2000 / Los Angeles Times
Los Angeles
Times
View Related Topics
December 11, 2000, Monday, Home Edition
SECTION: Business; Part C; Page 1; Financial Desk
LENGTH: 1487 words
HEADLINE:
THE CUTTING EDGE: FOCUS ON TECHNOLOGY;
WEB PRIVACY PROGRAMS ARE
SCRUTINIZED;
GOVERNMENT MAY INTERVENE AS SELF-REGULATION FALTERS
BYLINE: EDMUND SANDERS, TIMES STAFF WRITER
BODY:
They're supposed to be the Good
Housekeeping seals of approval for the Internet, telling online shoppers which
Web sites they can trust to protect their privacy and which may play fast and
loose with sensitive personal data.
But lately, privacy-certification
programs, including Truste, BBBOnLine and WebTrust, are coming under scrutiny
for failing to attract enough participants, not imposing strict enough privacy
standards and not cracking down when companies that have been awarded privacy
seals break the rules.
Though the Internet industry had once hoped that
these voluntary programs would stave off government legislation, there are
growing signs that self-regulation won't be enough:
* The Federal Trade
Commission--which 18 months ago held up seal programs as a reason new privacy
laws were not yet needed--concluded this spring that new regulation would be
needed after all.
* A review of the three U.S. seal programs--released
in September at an international privacy conference in Venice, Italy--gave none
a passing grade, raising concerns that the programs do not abide by the basic
privacy tenet that personal information should
be used only for the purpose for which it was collected.
* The recent
financial meltdown of "dot-com" retailers has highlighted the limited influence
of voluntary programs. Toysmart.com, a Truste seal holder, abandoned its privacy
promise after the company experienced financial problems and attempted to sell
its customer data for cash, despite the strong objections of Truste.
Conventional wisdom in Washington these days is that Congress will probably pass
some sort of privacy legislation next year to provide basic rights for online
consumers.
"Self-regulation just didn't do the trick," said Jay Stanley,
Internet policy analyst at Forrester Research in Cambridge, Mass. "These seal
programs haven't taken the wind out of the sails of regulation."
Stanley
predicts that legislators will probably require that Web sites, at a minimum,
disclose their privacy polices to Web surfers and offer an opportunity to opt
out of any information-sharing.
Even some large seal-program sponsors,
such as America Online and Hewlett-Packard, recently supported the idea of
government intervention.
Officials at the seal programs say they need
more time to grow and gain acceptance. They note that new Web sites are signing
up every day. And they say awareness among online consumers is growing: An
August study by Cheskin Research found 69% of Web users recognized the Truste
symbol and 55% said it increased their trust in a Web site.
"In the
early going, it takes time to build momentum," said Charles Underhill, acting
chief operating officer at BBBOnLine, which launched its privacy-seal program
last year. "It will take time, but self-regulation is going to work in this
area."
BBBOnLine has awarded 727 seals so far. Rival Truste, founded in
1997, has 2,000 licensees.
Participants pay between $ 200 and $ 7,000
for their seal and must agree to abide by a basic set of privacy practices.
These include disclosing their privacy policies, offering an opt-out, protecting
data from theft or hackers, offering dispute resolution and providing some sort
of consumer access to data about them.
In addition, the sites are
subject to audits to test whether they are living up to their promises. Truste
tests its licensees by entering fake names into the sites to see if information
is sold or used improperly. BBBOnLine will soon launch random audits of
seal-holders, conducted by a third party.
A third seal program,
WebTrust, offers a far more rigorous--and costly--privacy seal program. Created
by the American Institute of Certified Public Accountants, WebTrust relies on an
outside CPA to help a Web site develop a privacy policy and then conducts
on-site inspections to ensure compliance every 90 days. The process is similar
to the way outside accountants examine a company's financial books each quarter.
WebTrust officials wouldn't say how much the process costs, but an
affiliated seal program has cost some large participants six-figure sums. To
date, only two WebTrust privacy seals have been awarded to e-commerce sites.
Overall, participation in seal programs has been disappointing. Of the
hundreds of thousands of Web sites in operation, less than 3,000 have been
awarded privacy seals by the three leading programs.
"We're not seeing
wide enough use of these seals to allay our concerns," said David Butler,
spokesman for Consumers Union in Washington.
Participation among
e-commerce companies is particularly weak. Only about a quarter of the top 100
Internet retailers boast seals. Notable non-seal-holders include Amazon.com and
Barnesandnoble.com. Neither company would comment for this story.
"Having a seal hasn't become de rigueur yet," Stanley noted.
The
seal programs also are under attack for failing to get tough on licensees.
Critics note that none of the programs has ever revoked or suspended a seal, and
privacy violations by seal holders often are exposed by the media or by advocacy
groups rather than the seal programs.
"They've never drawn blood, yet
they claim to be an enforcement group," said Jason Catlett, president of
Junkbusters Corp., a privacy advocate in New Jersey.
In particular,
Catlett criticized Truste for not taking steps against licensees Microsoft Corp.
and RealNetworks after it was revealed that some of their software was
collecting personally identifiable information about consumers without their
knowledge.
Bob Lewin, president and chief executive at Truste, said the
seal program investigated the privacy infractions but decided to take no action
because Microsoft and RealNetworks took prompt steps to change the software and
resolve the controversy.
He said Truste would not hesitate to revoke a
seal for good cause. "But we won't do it for the wrong reason or just to prove
that we have teeth," Lewin said.
He noted that Truste went to court to
try to block Toysmart.com from selling its customer data and helped bring
national attention to the case. A bankruptcy judge is reviewing the matter.
Gary Laden, a former FTC consumer-protection attorney who now heads
BBBOnLine's privacy program, also defended the program's record.
"I
didn't spend all my years in consumer protection for the government to come here
and run some kind of toothless program," Laden said.
He said his group
has not revoked any seals because it has stringent criteria before awarding
them. Currently, about 1,400 Web sites are applying for a BBBOnLine seal but
have not yet met the standards. He noted that two of BBBOnLine's own corporate
sponsors, AOL and Microsoft, have not yet qualified for seals.
Evan
Hendricks, a privacy advocate and publisher of Privacy Times, said he is more
worried about the thousands of Web sites that continue to collect consumer
information but have made no effort to apply for a seal in the first place.
"Privacy needs to be protected comprehensively," Hendricks said. "You
can have seal programs and company policies. But it has to be backed up by the
law."
Seals of Approval Here's a look at the leading
privacy-seal programs.
Truste.com
( http://www.truste.com f7 )
Founded: 1997
Total seals: 1,900 awarded; 600 in process
E-commerce seal holders: EBay, UBid, Outpost.com, L.L. Bean, America
Online.
Seal requirements: Disclose privacy practices; offer consumer
opt-out of data-sharing; protect information; provide consumer access to its
data; offer dispute resolution; permit and fund outside audits when requested by
Truste.
Seal cost: $ 299 to $ 6,999, depending on company size.
Seals revoked: 0
Sponsors/founders: CommerceNet, Boston
Consulting Group, Electronic Frontier Foundation, AOL, Excite, Intel, Microsoft.
*
BBBOnline
( http://www.bbbonline.com f7 )
Founded: 1999
Total seals: 680 awarded; 1,400 in process
E-commerce seal holders: Dell, Fingerhut
Seal requirements:
disclose privacy policies; offer consumer opt-out of data-sharing; protect
information; offer dispute resolution; provide consumer access to their data;
agree to random third-party audits of practices.
Seal costs: $ 200 to $
6,000, depending on size
Seals revoked: 0
Sponsors/founders:
Better Business Bureau
*
WebTrust
(
http://www.webtrust.org f7 )
Founded: 2000
Seals awarded: 2
E-commerce seal holders: H.D. Vest
Seal requirements:
Development of privacy policy with an independent certified public accountant in
keeping with group's privacy principles; regular testing and verification of a
site's policies, procedures, disclosures, technology and infrastructure; dispute
resolution.
Seal costs: Varies (some sites reportedly have paid
six-figure sums for WebTrust seals)
Seals revoked: 0
Sponsors/founders: American Institute of Certified Public Accountants.
Source: Times research
GRAPHIC: PHOTO: Gary
Laden, left, heads BBBOnLine's privacy program, and Charles Underhill is its
acting chief operating officer. PHOTOGRAPHER: DENNIS DRENNER / For The Times
LOAD-DATE: December 11, 2000