When can you trust web services to handle your data?
Posted on 15 January 2014.
A new report by the EU's cyber security agency ENISA analyses the conditions under which online security and privacy seals help users to evaluate the trustworthiness of a web service. The report underlines the need for clear icons, standards, assessment and evaluation methodology.

Furthermore, a second report addresses the framework, methodology and evaluation for security certification and provides a qualitative analysis of certification practices in the EU.

Numerous policy documents identify marks, seals, logos and icons (collectively referred to as "seals") that help users to judge the trustworthiness of services offered on the web. But users face many obstacles in making use of these seals, since it is not clear how the seals are granted to the services. ENISA analyses the current situation and identifies key challenges, solutions, and recommendations for online seals.

The two reports deal with (1) how users can base their trust in a service on seals, and (2) what we can learn from other certification initiatives to improve these seals. Some of the key challenges and corresponding recommendations are:

Users suffer from information overload. Therefore, web designers need to develop clearer privacy icons, which are based on research, including cultural and legal differences.

Users are not sufficiently aware of what seals mean. Educational material should be provided to spread knowledge of the existence and meaning of seals.

Seals are not checked by the user. Service providers and web developers need to provide and implement seals that can be automatically checked.

Transparency. Policy makers should demand reliable statistics on certification and seals. The bodies issuing certificates/seals should keep updated, public records on certificates/seals that they have issued.

Reduction of burden. Standardization bodies and responsible stakeholders should develop best practices and standards merging the requirements for security and data protection in order to reduce burden.

Enforcement. National policy makers should ensure enforcement of such requirements for genuine compliance, for instance by applying sanctions and/or ad-hoc assessments carried out by third parties.

The Executive Director of ENISA, Professor Udo Helmbrecht, remarked: "The effectiveness of trust signals must be improved. Regulatory bodies at the EU and national level should set incentives for service providers to obtain better online security and privacy protection".
