After reading some new research from Carnegie Mellon University CyLab, discussed previously on this blog, I e-mailed TRUSTe to ask them to respond to the concerns that the report had raised about their certifying sites that had erroneous, missing, or what might appear to be fraudulent compact policies that would essentially weaken privacy protections in IE.
Fran Maier, President of TRUSTe, responded by posting a statement on their site’s blog. They respond, in part:
We take privacy matters of any scope very seriously here and we have opened an investigation into the issues brought forward by these researchers. We’re reaching out to our clients identified in the report and seeking further information about their use of P3P technology.
The remainder of their statement, which I encourage everyone to read in its entirety, addresses why so few sites use P3P. Without arguing their assessment of the reasons for lack of adoption, it seems to me that if a company claims to be using P3P, it should be implementing it correctly. As in medicine, perhaps the first rule should be, “Do no harm.”
Lorrie Cranor, one of the investigators and authors of the report (and an author of the P3P standard) sent this statement to PogoWasRight.org after reviewing TRUSTe’s statement:
I’m glad to hear that TRUSTe is looking into this, and I wouldn’t expect them to comment further until they’ve taken the time to investigate. I personally was surprised at our finding that, as they put it, the “error rate among TRUSTe-certified, P3P-using sites is virtually identical to what the researchers found in the field at large.” I had expected TRUSTe-certified sites to be doing better than the field at large.
Thanks to TRUSTe for their timely response and for their commitment to assist their clients in providing compact policies that are consistent with their written policies.
Update 2: Following the exchange of comments below, TRUSTe added another entry to their blog discussing P3P. You can read their post here.