I wasn’t too surprised to see the recent news that TRUSTe had settled with FTC for failure to reevaluate sites yearly for compliance.
Over the past couple of years I’ve filed several complaints with TRUSTe against sites that were subject to COPPA but not using SSL to protect the transfer of children’s personal information and the usernames, passwords and session identifiers for the accounts. I got some surprising responses.
TRUSTe’s children’s privacy program requirements state that web services in the program must:
Use reasonable encryption methods such as Secure Socket Layer for transmission and storage of information if the inappropriate use or disclosure of that information could cause financial, physical, or reputational harm to an Individual.
Let’s start with reputational harm. If an intruder gets usernames and passwords, or session IDs, the intruder can impersonate students or teachers in the service’s forums. It’s not hard to see how that could lead to reputational harm. Many educational and kids sites hold information about a child’s address or school, and pictures of the child. Physical access can lead to physical harm. Enough said there
As you’ll see in the responses below, TRUSTe has a children’s privacy program that does not consider children’s personal information to be sensitive data worthy of encryption. What? They also say that they don’t require SSL for things like passwords that are commonly sent unencrypted in emails. One bad practice does not excuse another. It’s like saying there’s no point in putting a fence around a pool because people often forget to close the gate.
These are actual quotes from TRUSTe’s responses:
Here they state that children’s PII is not considered sensitive information under their Children’s Privacy Program.
“We require encryption in transit for information we consider sensitive
under our program. Examples would include social security number,
credit card information, and medical laboratory results.
We do not require encryption for information we do not consider
sensitive under our program, or for passwords in transit if they
control access to only information that is not sensitive.
Based on the categories of information the site is
collecting, which do not qualify as sensitive under our program, we do
not have authority to require the change you reference regarding HTTPS
Here, they reason that SSL is not needed to protect info that might be sent unsecurely by other means, and state again that encrypting children’s personal info or the things that control access to it are not a requirement of their program
“we do not consider that we have authority under our program requirements to require the service to use encryption to encrypt web traffic in transit for categories of information that are commonly sent unencrypted via e-mail to the account holder, or for passwords/cookies etc. used to access only this category of information, even though we understand that a technology-capable eavesdropper sitting in a coffee shop who chooses to violate federal and potentially other laws could possibly intercept unencrypted information sent unencrypted such as over HTTP or e-mail.
Additionally, just because information contains personally identifiable
information pertaining to a child under 13 years old does not
necessasrily require HTTPS encryption in transit under TRUSTe‘s
program (or under COPPA).
Therefore, based on the categories of information the service is
collecting, we do not have authority to require the service to encrypt
1) the login form; or
2) after login, session cookies and data which include
or control access to children’s personal infromation.”
Here, another response where they state that encryption is not required for personal information of kids under 13.
“COPPA does not require that the service have site-wide HTTPS encryption.TRUSTe‘s program requires encryption where disclosure “could cause financial, physical, or reputational harm to an individual.” TRUSTe‘s current program requirements do not require site-wide encryption simply because the information being exchanged includes information about children under 13. However,TRUSTe strongly encourages the use of site-wide encryption even in situations where the nature of the information does not rise to this level.”