FTC To ControlScan: Your Web Site Security Seals Are LiesWritten by Evan Schuman
The U.S. Federal Trade Commission (FTC) on Thursday (Feb. 25) screamed “the Emperor has no clothes” by reporting to consumers that one of the largest firms issuing “Verified Secure Breach Protection” seals doesn’t really verify much at all. The practical impact of the ruling for E-Commerce sites is unclear, both because the FTC has little authority to enforce its rulings and because consumers have typically been impressively apathetic about security and privacy issues.
The settlement against five-year-old ControlScan said that “contrary to the statements” ControlScan made to retailers, the company “in many instances conducted little or no verification of the privacy and/or security protections for consumer information provided by companies displaying its Business Background Reviewed, Registered Member, Privacy Protected and Privacy Reviewed seals. Instead, in many instances, ControlScan provided the Registered Member seal to a company that failed to qualify for the Verified Secure seal because an electronic scan of its Web site identified an actual or potential severe vulnerability on the Web site and permitted the company to display the seal indefinitely while taking no action to assess whether the company was working to resolve any vulnerability identified by the Web site scan.”
That last charge is particularly significant because it moves these accusations beyond mere neglect (they never bothered to check) to true, all-American lying (they checked, found bad stuff and gave them the seal anyway, as long as they paid their bill).
Also, the verified dates posted on the seals—to give consumers confidence of ongoing security verification—were bogus, the filing said. “Contrary to the current date displayed in each seal’s date stamp, ControlScan did not review a company’s practices on a daily basis. Instead, in many instances, ControlScan, for a company displaying the Business Background Reviewed, Privacy Protected and Privacy Reviewed seals, conducted no ongoing review of the company’s fitness to display the seals. And for a company displaying the Verified Secure seal, conducted only a weekly Web site scan of the company’s Web site and for a company displaying the Registered Member seal, conducted a weekly Web site scan but imposed no requirement that the company take steps to resolve any actual or potential severe vulnerability identified by the scan.”
ControlScan’s E-Commerce sites appear to be mostly smaller merchants. But the potential damage to consumers’ faith in E-Commerce could extend far beyond ControlScan’s customers. Fortunately for E-Commerce sites, there is little credible evidence that consumers ever believed—or even noticed—the seals in the first place. Like a corruption charge against a politician widely believed to have been corrupt for decades, it’s likely to cause little change in that politician’s reputation.
But ControlScan does get mucho chutzpa points for prominently listing on its Web site 42 retailers that had displayed the seals when they hadn’t paid for them, as opposed to retailers that displayed the seals when they didn’t deserve them. As long as they paid, everything was fine. (Speaking of fine, ControlScan and its founder owe the government $750,000 as part of the settlement.)