This report analyses the conditions under which online security and privacy seals (OSPS) can be deployed to help users make an informed trust decision about Web services and their providers with respect to the security and privacy they offer. It is motivated by the numerous policy documents that mention marks, seals, logos and icons (collectively referred to as OSPS) as a means of enabling users to judge the trustworthiness of services offered on the Web.
The field of OSPS has also matured. We therefore analyse the current situation and identify the key challenges for online trust signals in practice. Based on these challenges, the report identifies possible solutions and corresponding recommendations and next steps that ENISA and other stakeholders should follow to enable users to judge the trustworthiness of services offered on the Web.
The key challenges and corresponding recommendations of this report are:
Lack of awareness. Many users are not aware that OSPS exist at all. Furthermore, they do not know which signals they can and should base their decision on, as there are many, including some that are not trustworthy. Partners from the Safer Internet Programme and working groups on awareness raising from different institutions should provide educational material to spread knowledge of the existence and meaning of OSPS.
Lack of standards. As a result of differing design requirements and business models, a broad range of seals is available today. This variety makes it difficult for users to decide whether one seal provides stronger protection than another. Standardisation of OSPS will be important to make them easily recognisable and correctly understood. Standardisation bodies should also define standards for trustworthy OSPS. This will also improve the user experience, as users will not need to remember as many OSPS providers as they do today.
Lack of validity checks. Most users who are aware of seals do not check the validity of the online signal; worse, some signals are merely images on the web page and as such are very hard to check, so forgeries are possible and easy. Service providers need to offer users OSPS that can be checked automatically (for example, in the form of cryptographic certificates), and Web browser developers need to implement these automatic checks. However, pure market forces are unlikely to lead to this ideal situation. Policy makers (at EU and national level) should therefore investigate enforcing corresponding standardised mechanisms for Web browsers. They should also investigate strategies for the case where the promises made by a seal are not met.
Lack of usability. Given the intrinsic complexity of Web services, it is very likely that the result of an evaluation by an OSPS issuer is not just ‘pass’ or ‘fail’ but multi-dimensional. As there is neither the space for long explanations nor are users generally willing to read them, researchers and web designers need to develop icons that communicate the results. These icons could build on existing research on privacy icons. Designers need to take cultural and legal differences into account.
Lack of presence. The effectiveness of trust signals needs to be improved. This is likely to happen once a more mature market with well-known players (online service providers) is achieved, and once users attain a more precise understanding of what a trust seal on a web page means. Regulatory bodies at EU and national level should set incentives for service providers to obtain online security and privacy seals.
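The difference between a seal that is "merely an image" and one that can be checked automatically is the presence of a verifiable, domain-bound, time-limited statement from the issuer. The following Go program is an added illustration written for this summary, not code from the report or from any seal provider: a hypothetical issuer signs a seal assertion with an Ed25519 key, and a browser-side verifier rejects the seal if the signature fails, if it was copied onto a different domain, or if it has expired. The assertion fields, the issuer and domain names and the seal identifier are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// SealAssertion is the hypothetical statement a seal issuer signs.
// The field set is an assumption for this example, not a published format.
type SealAssertion struct {
	Issuer  string `json:"issuer"`
	SealID  string `json:"seal_id"`
	Domain  string `json:"domain"`  // the site the seal is bound to
	Expires int64  `json:"expires"` // Unix seconds; forces periodic re-evaluation
}

// SignedSeal is what the site would embed instead of a bare image.
type SignedSeal struct {
	Payload   []byte // canonical JSON of the assertion
	Signature []byte // Ed25519 signature over Payload
}

var (
	ErrBadSignature = errors.New("seal: signature does not verify under the issuer key")
	ErrWrongDomain  = errors.New("seal: assertion is bound to a different domain")
	ErrExpired      = errors.New("seal: assertion has expired")
)

// IssueSeal is the issuer side: serialise the assertion and sign it.
func IssueSeal(priv ed25519.PrivateKey, a SealAssertion) (SignedSeal, error) {
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedSeal{}, err
	}
	return SignedSeal{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifySeal is the browser side. It checks the signature before trusting any
// field, then the domain binding (defeats copy-paste forgeries), then expiry.
func VerifySeal(pub ed25519.PublicKey, s SignedSeal, visitedDomain string, now time.Time) (SealAssertion, error) {
	var a SealAssertion
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return a, ErrBadSignature
	}
	if err := json.Unmarshal(s.Payload, &a); err != nil {
		return a, err
	}
	if a.Domain != visitedDomain {
		return a, ErrWrongDomain
	}
	if !now.Before(time.Unix(a.Expires, 0)) {
		return a, ErrExpired
	}
	return a, nil
}

func main() {
	// Constructed issuer key; in practice the public key would be distributed
	// with the browser or via a standardised trust list.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	seal, err := IssueSeal(priv, SealAssertion{
		Issuer: "example-seal-authority", SealID: "SEAL-0001",
		Domain: "shop.example", Expires: now.Add(30 * 24 * time.Hour).Unix(),
	})
	if err != nil {
		panic(err)
	}

	// Genuine use on the bound domain.
	_, err = VerifySeal(pub, seal, "shop.example", now)
	fmt.Println("shop.example:", err)
	// The same seal copied onto another site: signature is fine, binding is not.
	_, err = VerifySeal(pub, seal, "copycat.example", now)
	fmt.Println("copycat.example:", err)
	// Long after the evaluation: the seal no longer says anything current.
	_, err = VerifySeal(pub, seal, "shop.example", now.Add(60*24*time.Hour))
	fmt.Println("after expiry:", err)
}
```

The three negative cases are the ones an image-only seal cannot express: anyone can copy an image, an image does not name the site it belongs to, and an image never expires. A browser implementing this check could then render the seal icon only when VerifySeal succeeds.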
Heraklion: ENISA, 2013. 28 p.