FTC To ControlScan: Your Web Site Security Seals Are Lies

Tools

The U.S. Federal Trade Commission (FTC) on Thursday (Feb. 25) screamed "the Emperor has no clothes" by reporting to consumers that one of the largest firms issuing "Verified Secure Breach Protection" seals doesn’t really verify much at all. The practical impact of the ruling for E-Commerce sites is unclear, both because the FTC has little authority to enforce its rulings and because consumers have typically been impressively apathetic about security and privacy issues.

The settlement against five-year-old ControlScan said that "contrary to the statements" ControlScan made to retailers, the company "in many instances conducted little or no verification of the privacy and/or security protections for consumer information provided by companies displaying its Business Background Reviewed, Registered Member, Privacy Protected and Privacy Reviewed seals. Instead, in many instances, ControlScan provided the Registered Member seal to a company that failed to qualify for the Verified Secure seal because an electronic scan of its Web site identified an actual or potential severe vulnerability on the Web site and permitted the company to display the seal indefinitely while taking no action to assess whether the company was working to resolve any vulnerability identified by the Web site scan."

That last charge is particularly significant because it moves these accusations beyond mere neglect (they never bothered to check) to true, all-American lying (they checked, found bad stuff and gave them the seal anyway, as long as they paid their bill).

But there were also accusations—in this settlement that ControlScan has now agreed to—of neglect. The filing said that ControlScan "provided the Privacy Protected seal to a company that posted a privacy policy on its Web site, with no review of the company’s underlying privacy or information security practices and provided the Privacy Reviewed seal to a company that failed to qualify for the Privacy Protected seal because it failed to post a privacy policy on its Web site."

Also, the verified dates posted on the seals—to give consumers confidence of ongoing security verification—were bogus, the filing said. "Contrary to the current date displayed in each seal’s date stamp, ControlScan did not review a company’s practices on a daily basis. Instead, in many instances, ControlScan, for a company displaying the Business Background Reviewed, Privacy Protected and Privacy Reviewed seals, conducted no ongoing review of the company’s fitness to display the seals. And for a company displaying the Verified Secure seal, conducted only a weekly Web site scan of the company’s Web site and for a company displaying the Registered Member seal, conducted a weekly Web site scan but imposed no requirement that the company take steps to resolve any actual or potential severe vulnerability identified by the scan."

ControlScan's E-Commerce sites appear to be mostly smaller merchants. But the potential damage to consumers' faith in E-Commerce could extend far beyond ControlScan's customers. Fortunately for E-Commerce sites, there is little credible evidence that consumers ever believed—or even noticed—the seals in the first place. Like a corruption charge against a politician widely believed to have been corrupt for decades, it's likely to cause little change in that politician's reputation.

But ControlScan does get mucho chutzpa points for prominently listing on its Web site 42 retailers that had displayed the seals when they hadn't paid for them, as opposed to retailers that displayed the seals when they didn't deserve them. As long as they paid, everything was fine. (Speaking of fine, ControlScan and its founder owe the government $750,000 as part of the settlement.) But ControlScan does get mucho chutzpa points for prominently listing on its Web site 42 retailers that had displayed the seals when they hadn't paid for them, as opposed to retailers that displayed the seals when they didn't deserve them. As long as they paid, everything was fine. (Speaking of fine, ControlScan and its founder owe the government $750,000 as part of the settlement.)

"ControlScan customers using the Verified Secure trust seal have earned the right to display these seals on their Web sites by following the necessary requirements set forth by ControlScan. These requirements have been put in place to help merchants provide a safer shopping experience to their online customers," the site said. "Unfortunately, there are businesses in the marketplace that attempt to mislead potential customers by misusing copies of ControlScan’s Verified Secure seal. Most often, these businesses display counterfeit copies of ControlScan’s seals on their Web sites without authorization." For good measure, the site offered people a link to rat out other sites that hadn't paid.

Since the earliest days of the Web, the idea behind E-Commerce sites posting security seals was to provide third-party assurances to consumers that privacy and data—and especially payment—security procedures were being followed. For those seals, retailers spent anywhere from about $130 to $1,300 a year, to cover the cost of a third-party verifying that information, in some cases daily.

But the zero-liability program from major card brands has made consumers impressively cavalier about the sites they give their credit card information to; they're confident that they will be covered for any losses. Placing trust in Bob's House Of Stuffed Animals becomes irrelevant as long as consumers trust Visa, MasterCard or their bank. The lack of any significant customer defections from TJX and Hannaford—or, for that matter, the dozens of other retailers impacted in various major breaches in the last couple of years—makes that consumers’ apathy clear.

Then again, as the percent of transactions being handled as debit increases and takes market share away from credit, a site's reputation may slowly start to become much more important to consumers, making these types of seal programs potentially relevant.

And the FTC's lack of enforcement teeth makes such settlements more annoying than devastating. ControlScan will have to send a letter to customers asking them to take down the bogus seals. But it's unclear whether the FTC will be able to verify that ControlScan actually sends the letter to all of the affected customers. Even the $750,000 fine was suspended because ControlScan said it didn't have the money to pay. (Just try using that line on a federal judge, in either a criminal or a civil case.)

The FTC order, for example, instructs ControlScan to not misrepresent any more. I covered courts for years, and I can't quite envision a burglar admitting to various felonies and being told by the judge, "No jail time for you because I don't have that authority. And no fine because you're broke, which is probably why you were breaking into houses in the first place. So I am now ordering you to not break into any more houses. But you have to write a letter to the owners of the houses you broke into. It had better be handwritten. Defendant is released. Next case."