Ben Edelman has published a paper on Adverse Selection in Online "Trust" Authorities in which he makes the claim that sites certified by 'trust authority' TRUSTe are more than twice as likely to be untrustworthy - which is to say that they may send spam or install malware - as uncertified sites. TRUSTe denies this vigorously, of course, but Edelman's methodology looks sound.
The whole notion of trust is central to the future of the Internet. It's worth noting that some of the most effective defences against spam are essentially trust-based: when you use a blacklist to filter spam, you are trusting the blacklist maintainers to tell you which netblocks or advertised websites can be trusted. These trust-based tests are effective: spammers can permute their message almost indefinitely to try to get it past content-based filters, but it's a lot harder for them to duck the consequences of a bad reputation. The risk of false positives is also lower and the use of trust-based measures is an important incentive in keeping ISPs and other providers honest. The temptation to let a few spammers sneak into - or stay in - your netblocks is a lot smaller if it could cost you your reputation, and reputation could soon become one of the most valuable assets a business has on the Internet.
So, should the news that a TRUSTe certification is apparently not worth the electrons it's printed on send ripples through the online world? Not really. Speaking for myself, I've never really seen the TRUSTe badge as anything more than a little green-and-black decorative element. I have never looked at a site sporting a TRUSTe badge and thought "Oh, that's OK, they're certified.". To be honest, I haven't thought much about TRUSTe at all, but when I do the sight of that little green-and-black badge actually tends to arouse a mild suspicion: "Methinks the lady doth protest too much". Actually, to me the TRUSTe badge doesn't say 'trusted' or 'untrusted' as much as it says 'rube'. My reaction on seeing it is to think that the 'wearer' hasn't noticed that - by and large - knowledgeable users don't take TRUSTe terribly seriously.
It's instructive to look at who doesn't sport the TRUSTe badge. Amazon doesn't, Google doesn't, CNN doesn't, and eBay doesn't (but Paypal does). The lesson here is that Amazon doesn't have to tell the world that they're TRUSTe-certified. They're Amazon. They've created their own reputation, which is bigger and better than TRUSTe's. Having a green-and-black badge can't improve their reputation in the eyes of most users. That reputation is based on a combination of their public record and personal experience: I trust Amazon because they've always delivered the goods I bought from them, they repaid me promptly when I was gypped by one of their marketplace sellers and they've never spammed me (although that's just my experience: I know some people who refer to them as Spamazon and say that they have been spammed).
Trust is a personal thing. I trust people I know (mostly) and I trust the people and things that they trust (slightly less). Other kinds of trust are built up through personal experience, thus my trust in Amazon has been built up over the course of a series of interactions. The problem with TRUSTe is that this personal element is lacking. They came along and said "We're TRUSTe. You should trust us, and trust us to tell you who to trust.". And the world answered "Why?" If there's no personal basis to trust, then a good reputation has to be earned by actions and Edelman's study appears to confirm what many people had suspected - that TRUSTe wasn't defending their reputation by their actions as vigorously as they should have been.
The other kind of trust is what you might call trust by inspection. You look at something and decide if it's worth trusting or not, using your own instincts - honed over many years of dealing with tricky human beings - and reasoning ability. 99.99% of all spam ought to fail this test instantly. It's visibly, instantly suspect. The fact that spammers make any money at all suggests that a good many people lack this critical ability. Conversely, I trust Edelman - who I never heard of before today - because of the way he presents himself and his findings. When I read his page, I have the impression that he is honest and meticulous, and that - using the information in his paper - I could reproduce his findings. In short, Edelman has convinced me in a way that TRUSTe never did.
All this may seem like something of a tangent but I think notions of trust are crucially bound up with the whole spam problem. Part of the goal of this site is to diminish public trust in spammers and organizations that use spam. If someone sends spam, I want to put the facts out there. I want to say "Look, X has been dishonest in this way, please consider carefully before trusting them in other ways." My lists aim to serve a double purpose: they should act as a disincentive to send spam, and they should provide information to help people make better decisions.
But I've got a trust problem of my own. Why on earth should you trust me? This site is run anonymously (for reasons explained in my first blog post). If you read a statement here that says "X spams" (actually, for legal reasons I usually write "X appears to spam"), how do you know that I'm not X's jilted lover or devious competitor or frustrated customer or just some angry nutball? The answer is: you don't.
The anonymity is a side issue. I could put up a name, a photograph and an email address and it wouldn't - or shouldn't - convince you that this site is inherently trustworthy. (It might get me mailbombed by angry spammers, though, which is why I don't do it). So what I ask you to do is to read what I've written, read the information presented, and come to your own conclusions about whether you should trust this site or not. If you do, that's great. If you don't, that's good too. At least you thought about it.
If you trust this site or any site, let it be because you thought about it and - using your own experience, knowledge and intelligence - decided that it was worth trusting. Not just because it had some little green-and-black badge on it.