Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2019
Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Fellow, Department of Computer Science, Australian National University
Version of 13 July 2001
This document was prepared for publication in Privacy Law & Policy Reporter 7, 11 (May 2001). The accompanying resource-page provides access to all papers in the series, and to many additional sources of information.
© Xamax Consultancy Pty Ltd, 2001
Available under an AEShareNet licence
This document is at http://www.rogerclarke.com/DV/MetaBrands.html
This is a column in Roger Clarke's series on Privacy-Invasive and Privacy-Enhancing Technologies. The introductory article for the series appeared in PLPR 7, 9 (March 2001), and the most recent article was on 'P3P' in PLPR 7, 10 (April 2001). This column, including hot-links, is available at http://www.rogerclarke.com/DV/MetaBrands.html.
The resources page for the series is at http://www.rogerclarke.com/DV/PITsPETsRes.html.
A 'brand' was once a piece of burning wood. Then it became a mark made on the hides of animals and convicts by a piece of hot wood or iron. Marketers use the term (without apparent appreciation of the negative aspects of its origins) to refer to the ineffable name or symbol that consumers associate with a particular product.
A brand is used as a signifier for reputation. For example, Coca-Cola (reputed at various times to be the world's most valuable trademark) is claimed to be trustworthy in countries where the water isn't; and Southcorp has successfully spawned a succession of sub-brands for its wines, based on the much-respected Penfolds label.
A brand is also used as a proxy for reputation, by which I mean that corporations spend very substantial sums of money on inducing targeted consumers to associate particular qualities with the symbol, whether or not there is much of substance behind the imagery.
Brands can sometimes be used as a means of inculcating an image of privacy-sensitivity. For example, banks make claims that they take especial care with personal data, and that they are subject to special laws, in order to encourage the public to perceive them as being an appropriate repository for personal data. American Express stresses that its customers have a relationship with them. Cooperatives like credit unions and road service organisations claim that their members trust them more than they trust corporations.
This article considers a further aspect of the 'brand' phenomenon.
During the 1980s and 1990s, countries in our reference group were swept by an enthusiastic wave commonly called 'the quality movement'. Corporations and governments imposed on small businesses the requirement that they comply with a set of standards commonly referred to as 'the ISO 9000 series'. These required that a business commit to a set of reviews, and training and documentation activities, which were intended to increase the quality of the goods and services that it produced.
To distinguish 'ISO 9001-accredited' enterprises, a trademarked logo was made available, which was meant to convey to the business's customers that a higher degree of trust was warranted. Such a 'seal of approval' is meant to be a signifier for reputation, which is intended to be transferred onto the qualifying business names and their brandnames. I use the term 'meta-brand' in order to convey the second-level nature of such seals.
A series of meta-brands has been launched in the Internet arena, some of them addressing consumer rights issues, but most endeavouring to make up for the dismal performance of Internet businesses in relation to privacy.
The first of these was TRUSTe. This is a not-for-profit organisation, established by the Electronic Frontier Foundation and CommerceNet in 1996, and sponsored by electronic commerce technology providers. The meta-brand was intended to engender trust by consumers in the marketers that they deal with. It gave up on its original 1997 trademark of a trusty dog, and now conveys its mission as being "Building a Web you can believe in" (words that it believes are so powerful that it trademarked them).
The U.S. Better Business Bureau Privacy Seal Program similarly urges its registrants to "say what you do, do what you say and have it verified". Another look-alike entrant, WebTrust, looks more like an attempt to capture the business of site-evaluation for chartered accountants than a genuine attempt to address privacy concerns.
In mid-February 2001, seven other privacy meta-brands were catalogued by Looksmart (7) and Yahoo (6). They were the International Council of Online Professionals, PrivacyBot.com, PWC's BetterWeb, PrivacySecure (which has the refreshing honesty to state on its home-page "It's all about image"), Quality Testing Labs, The Safety Search, and SecureAssure.
The aspirations of these organisations were not high. For example, "The principles behind TRUSTe are disclosure and informed consent: when consumers visit a site, they will be informed of what information the site is gathering about them, what the site is doing with that information, and with whom that information is being shared". This addresses only a small proportion of the full set of privacy rights.
Moreover, TRUSTe and its ilk embody distinctly privacy-hostile features. It was and is based on the principles that transactions need to be identified, that sellers will collect and use personal data, and that all that's necessary is that the consumers be informed. The starting point for a genuinely privacy-enhancing scheme has to be quite different from those precepts: electronic transactions should be like conventional ones, i.e. anonymous except where anonymity won't work; then preferably pseudonymous; and only identified if there's genuine justification.
Most critically, these seals have no teeth, and hence can't eat even little fish, let alone big ones. Self-regulation, which means the absence of legislative sanctions, is an empty vessel. There is a significant imbalance of power between large organisations and small consumers, and steps are necessary to address that imbalance. In the terms that economists like us to use, market failure exists, and hence intervention is not only warranted, but essential.
During 1999-2000, the Ontario and Australian Privacy Commissioners conducted a project on behalf of the association of Commissioners, and published the results as 'Web Seals: A Review of Online Privacy Programs' (September 2000). Key project objectives were to "assess the privacy, dispute resolution and compliance standards of the major Web seals [and] engage in open discussions with the seal programs to identify ways in which to enhance their overall privacy framework".
The project focussed on BBBOnline, TRUSTe and WebTrust, and concluded that "at the time of our review, each of the three seals addressed privacy protection, dispute resolution and compliance to varying degrees, although none of them completely satisfactorily. ... [I]t is clear that none of the seals required their participants to meet all of the OECD principles. This is a point of concern. Nonetheless, seals are playing a valuable educational role in promoting privacy awareness in the minds of both consumers and businesses alike. This educational role is, in our view, both positive and beneficial. ... The future role that Web seals might play in e-commerce is unclear".
Even with that less than ringing endorsement, the Commissioners were being polite. The credibility of seals is extremely low. It is unfortunate that the Commissioners felt it was premature to assess their actual track-record, because these meta-brands seldom if ever take any significant action against organisations that breach the terms of their seal. TRUSTe's complaint investigations in 1999 (against Deja News, Microsoft and Hotmail) concluded variously that clear breaches of privacy were not breaches of the terms of the seal, and that a breach is no longer a breach once it's been fixed.
There are serious legal limitations on the actions that these organisations could take anyway. The most serious sanctions available to TRUSTe are to "revoke its seal or 'trustmark'; and, if an egregious or malicious breach has occurred, the site may be referred to an appropriate law enforcement agency" (from the organisation's FAQ Question 1).
Revocation means nothing unless most of the organisation's competitors have the seal and are able to use it to convey to their customers that they are distinctively different; and the seal-issuers are competitors who are scrapping for market-share, rather than regulatory bodies, or public interest advocates. And fraudulent misrepresentation can be reported to watchdog agencies, and investigated by them, whether TRUSTe or any other meta-brand exists or not. Moreover, it's arguable that anyone who has evidence that "an egregious or malicious breach has occurred" is actually obliged to report it, rather than merely "can" report it.
After the passage of the Commonwealth Government's anti-privacy legislation in December 2000, a new organisation was launched called the Australian Privacy Compliance Centre. It uses the same abbreviation, APCC, as the Australian Privacy Charter Council, which was formed 9 years earlier.
The new organisation has appointed as Chairman a sometime Chief Justice of N.S.W. It appears to be an outgrowth of a would-be seal called eTick, which was established in mid-2000 by a fledgling Australian industry association, but wants to conquer the world. The privacy initiative was launched in April 2001, and claims to be establishing a national standard, and audit procedures.
A possibly significant difference between the meta-brands discussed above and this initiative is that, with effect from the end of 2001, a proportion of the Australian private sector will be subject to a limited, complex and highly uncertain privacy law. Whether, within that context, a meta-brand can contribute any more than the review and audit functions already available from specialist consultants (including myself and the editors of this periodical), and whether this particular meta-brand will deliver the goods, will need to be examined once the venture has had the opportunity to establish itself.
It is the role of parliaments to impose regulation and sanctions, and of appropriately resourced government agencies to enforce them. Associations have available to them only contractual terms (which are limited by anti-trust / monopolies / trade practices laws) and moral suasion. TRUSTe conducts trademark lawsuits against companies that display the seal without having made appropriate arrangements to do so; but it has not conducted lawsuits against members that actually infringe people's privacy.
Meta-brands like TRUSTe do not represent PETs, but rather are pseudo-protections. They fail to encourage trust by consumers in their use of the web. To date they have nonetheless succeeded in their other objective of holding off generic privacy regulation of the American private sector. It would be nice to think that the Australian political scene won't be so naive as to permit meta-brands to be accorded credibility that they don't deserve.
This series is supplemented by a resource-page that will be maintained on an ongoing basis. PLPR readers are invited, and actively encouraged, to contribute sources and suggestions for enhancement to Roger.Clarke@xamax.com.au, and to bookmark the page for their own use and for communication to others.
Created: 19 February 2001 - Last Amended: 13 July 2001; addition of FfE licence 5 March 2004 by Roger Clarke - Site Last Verified: 15 February 2009