In a world where online security has become an important element of our lives, it is becoming more difficult to trust information, even if they present a trust and/or security seals. A new report by the EU’s cyber security agency ENISA analyses the conditions under which online security and privacy seals help users to evaluate the trustworthiness of a web service. The report underlines the need for clear icons, standards, assessment and evaluation methodology. Furthermore, a second report addresses the framework, methodology and evaluation for security certification and provides a qualitative analysis of certification practices in the EU.
Numerous policy documents identify marks, seals, logos, icons (collectively referred to as “seals”). These help users to judge the trustworthiness of services offered on the web. But there are many obstacles for users to use these seals, as it is not clear how the seals are granted to the services. ENISA analyses the current situation and identifies key challenges, solutions, and recommendations for online seals.
The two reports deal with (1) how users can use seals to base their trust in a service, and (2) what we can learn from other certification initiatives to improve these seals. Some of the key challenges and corresponding recommendations are:
- Users suffer from information overload. Therefore, web designers need to develop clearer privacy icons, which are based on research, including cultural and legal differences.
- Users are not sufficiently aware of what seals mean. Educational material should be provided to spread knowledge of the existence and meaning of seals.
- Seals are not checked by the user. Service providers and web developers need to provide and implement seals that can be automatically checked.
- Transparency. Policy makers should demand reliable statistics on certification and seals. The bodies issuing certificates/seals should keep updated, public records on certificates/seals that they have issued.
- Reduction of burden. Standardization bodies and responsible stakeholders should develop best practices and standards merging the requirements for security and data protection in order to reduce burden.
- Enforcement. The national policy makers should ensure enforcement of such requirements for genuine compliance, for instance by applying sanctions and/or ad-hoc assessments carried on by third parties.
In fact, I have seen dodgy websites with clearly made-up security seals. Perhaps we should give up on seals altogether.