Privacy Law and Policy Reporter
This is a column in Roger Clarke’s series on privacy-invasive and privacy-enhancing technologies. This column, including hotlinks, is available at <www.anu.edu.au/people/Roger.Clarke/DV/MetaBrands.html>.
The resources page for the series is at <www.anu.edu.au/people/Roger.Clarke/DV/PITsPETsRes.html>.
A ‘brand’ was once a piece of burning wood. Then it became a mark made on the hides of animals and convicts by a piece of hot wood or iron. Marketers use the term (without apparent appreciation of the negative aspects of its origins) to refer to the ineffable name or symbol that consumers associate with a particular product.
A brand is used as a signifier for reputation. For example, Coca-Cola (reputed at various times to be the world’s most valuable trademark) is claimed to be trustworthy in countries where the water isn’t; and Southcorp has successfully spawned a succession of sub-brands for its wines, based on the much respected Penfolds label.
A brand is also used as a proxy for reputation, by which I mean that corporations spend very substantial sums of money on inducing targeted consumers to associate particular qualities with the symbol, whether or not there is much of substance behind the imagery.
Brands can sometimes be used as a means of inculcating an image of privacy-sensitivity. For example, banks make claims that they take especial care with personal data, and that they are subject to special laws, in order to encourage the public to perceive them as being an appropriate repository for personal data. American Express stresses that its customers have a relationship with them. Co-operatives like credit unions and road service organisations claim that their members trust them more than they trust corporations.
This article considers a further aspect of the ‘brand’ phenomenon.
During the 1980s and 1990s, countries in our reference group were swept by an enthusiastic wave commonly called ‘the quality movement’. Corporations and governments imposed on small businesses the requirement that they comply with a set of standards referred to as the ISO 9000 series. These required that a business commit to audits, training and documentational activities which were intended to increase the quality of the goods and services that they produced.
To distinguish ‘ISO 9001-accredited’ enterprises, a trademarked logo was made available, which was meant to convey to the business’ customers that a higher degree of trust was warranted. Such a ‘seal of approval’ is meant to be a signifier for reputation which is intended to be transferred onto the qualifying business names and their brandnames. I use the term ‘meta-brand’ in order to convey the second level nature of such seals.
A series of meta-brands has been launched in the internet arena, some of them addressing consumer rights issues, but most endeavouring to make up for the dismal performance of internet businesses in relation to privacy.
The first of these was TRUSTe. This is a not-for-profit organisation, established by the Electronic Frontier Foundation and CommerceNet in 1996, and sponsored by electronic commerce technology providers. The meta-brand was intended to engender trust by consumers in the marketers that they deal with. It gave up on its original 1997 trademark of a trusty dog, and now conveys its mission as being ‘Building a web you can believe in’ (words that it believes are so powerful that it trademarked them).
The US Better Business Bureau Privacy Seal Program similarly urges its registrants to ‘say what you do, do what you say and have it verified’. Another lookalike entrant, WebTrust, looks more like an attempt to capture the business of site evaluation for chartered accountants than a genuine measure to address privacy concerns. [Editor — see also the review of TRUSTe and BBB Online by Bob Gellman in 7(6) PLPR 118 and 7(7) PLPR 145.]
In mid-February 2001, seven other privacy meta-brands were catalogued by Looksmart and Yahoo. One of them, PrivacySecure, has the refreshing honesty to state on its home page ‘It’s all about image’.
The aspirations of these organisations have not been high. For example:
The principles behind TRUSTe are disclosure and informed consent: when consumers visit a site, they will be informed of what information the site is gathering about them, what the site is doing with that information, and with whom that information is being shared.
This addresses only a small proportion of the full set of privacy rights.
Moreover, TRUSTe and its ilk embody distinctly privacy-hostile features. They are based on the principles that transactions need to be identified, that sellers will collect and use personal data, and that all that’s necessary is that the consumers be informed. The starting point for a genuinely privacy-enhancing scheme has to be quite different from those precepts: electronic transactions should be like conventional ones — that is, anonymous except where anonymity won’t work; then preferably pseudonymous; and only identified if there’s genuine justification.
Most critically, these seals have no teeth, and hence can’t eat even little fish, let alone big ones. Self-regulation (which means the absence of legislative sanctions) is an empty vessel. There is a significant imbalance of power between large organisations and small consumers, and steps are necessary to address that imbalance. In the terms that economists like us to use, market failure exists, and hence intervention is not only warranted, but essential.
During 1999-2000, the Ontario and Australian Privacy Commissioners conducted a project on behalf of the association of Commissioners, and published the results as ‘Web seals: a review of online privacy programs’ (September 2000). Key project objectives were to ‘assess the privacy, dispute resolution and compliance standards of the major web seals [and] engage in open discussions with the seal programs to identify ways in which to enhance their overall privacy framework’.
The project focused on BBBOnline, TRUSTe and WebTrust, and concluded that:
at the time of our review, each of the three seals addressed privacy protection, dispute resolution and compliance to varying degrees, although none of them completely satisfactorily. ... [I]t is clear that none of the seals required their participants to meet all of the OECD principles. This is a point of concern. Nonetheless, seals are playing a valuable educational role in promoting privacy awareness in the minds of both consumers and businesses alike. This educational role is, in our view, both positive and beneficial. ... The future role that web seals might play in e-commerce is unclear.
Even with that less than ringing endorsement, the Commissioners were being polite. The credibility of seals is extremely low. It is unfortunate that the Commissioners felt it was premature to assess their actual track record, because these meta-brands seldom, if ever, take any significant action against organisations that breach the terms of their seal. TRUSTe’s complaint investigations in 1999 (against Deja News, Microsoft and Hotmail) concluded variously that clear breaches of privacy were not breaches of the terms of the seal, and that a breach is no longer a breach once it’s been fixed.
There are serious legal limitations on the actions that these organisations could take anyway. The most serious sanctions available to TRUSTe are to revoke its seal or ‘trustmark’; and, if an egregious or malicious breach has occurred, the site may be referred to an appropriate law enforcement agency (from the organisation’s FAQ question 1).
Revocation means nothing unless most of the organisation’s competitors have the seal and are able to use it to convey to their customers that they are distinctively different; and the seal issuers are competitors who are scrapping for market share, rather than regulatory bodies, or public interest advocates. Fraudulent misrepresentation can be reported to watchdog agencies, and investigated by them, whether TRUSTe or any other meta-brand exists or not. Moreover, it’s arguable that anyone who has evidence that ‘an egregious or malicious breach has occurred’ is actually obliged to report it, rather than merely able to report it.
It is the role of parliaments to impose regulation and sanctions, and of appropriately resourced government agencies to enforce them. Associations have available to them only contractual terms (which are limited by anti-trust, monopolies and trade practices laws) and moral suasion. TRUSTe conducts trademark lawsuits against companies that display the seal without having made appropriate arrangements to do so, but has not conducted lawsuits against members that actually infringe people’s privacy.
Meta-brands like TRUSTe do not represent PETs, but rather are pseudo-protections. They fail to encourage trust by consumers in their use of the web. To date they have nonetheless succeeded in their other objective of holding off generic privacy regulation of the American private sector. It would be nice to think that the Australian political scene won’t be so naive as to permit meta-brands of this kind to be accorded any kind of credibility.
Roger Clarke is principal of Xamax Consultancy Pty Ltd, Canberra, Visiting Fellow, Department of Computer Science, Australian National University, and a member of the PLPR Editorial Board.
Ed: Australia now has its very own privacy seal program, launched by the Australian Privacy Compliance Centre, an offshoot of the Customer Service Institute of Australia general e-Tick program — see <www.privacycompliance.org> and <www.etick.com>. A future column in this series will consider this program in light of the criticisms of meta-brands made above.
Ontario and Australian Privacy Commissioners (2000) ‘Web seals: a review of online privacy programs’, September 2000, at <www.privacy.gov.au/publications/pg2pubs.html#28.2>.