The organisation has close ties to advertising companies and download Websites that subsist on advertisements (through both adware and Website advertising) for their income, which raises some questions as to their integrity. They do, however, have a very comprehensive list of specific policies that the software must abide by (and be subject to audits on), and the penalties are reasonable (consisting of being removed from the program, possibly with public advertisement). They also have particularly strict requirements for EULAs and consent, with requirements that on installation, the software displays a primary notice of functionality that could impact the user, and that an End User License Agreement (or opt-out mechanism) is ``insufficient for providing such notice or obtaining consent'' [TRUSTe, 2008b]. These are, for the most part, excellent policies, however, looking at the published ``whitelist'' [TRUSTe, 2008a], there are a large number of questionable pieces of software, especially the advertising and tracking software listed, which includes some software with particularly questionable activities. One such example is the software WhenU Save/SaveNow, which is listed as generally unwanted adware by many anti-malware programs [Healan, 2005], and which is often packaged as a third party piece of software along with other ``free'' software, such as the aforementioned screensavers or movie players. Perhaps its for-profit status, and reliance on companies to pay subscription fees to display the certification seals, means that it needs to form working relationships with these companies in order to work out any potential difficulties rather than simply offering the service as a simple ``tick or cross'' system. According to Hansell (2008), TRUSTe has a record of questionable toughness on its clients: ``...it does not always tell the public if it discovers violations of its principles, even if the violations are so egregious that it kicks a site out of its program. Last year, it ejected three of the 1500 companies in its certification program, and three more chose not to continue because their business models no longer complied... The organisation declined [...] to name those six companies, saying it only makes public cases of `blatant violations with probable consumer harm'.'' [Hansell, 2008] It also encountered image problems with its approval seal for certified Websites targeted in cross-site scripting attacks, allowing spamming Websites to illegally display the image in order to lull the consumer with false confidence about its activities, and worse, with the TRUSTe server tricked into thinking that the Website is legitimate, thus misleadingly approving it when the user checks the credentials of the site. This was worse than a simple re-using of the seal image to instil a false sense of security in users, because it returned results that said the use of the seal was legitimate, rather than to the error page that the simpler misuse would return [Wagstaff, 2004]. This problem undermined the system for TRUSTe, and although they fixed the underlying issue, it was damaging to their image as a trusted third party. A similar issue occurred when the lists of TRUSTe certified Websites was correlated with McAfee's SiteAdvisor, a service that tracks Websites that have viruses or other problematic exploits, and there was a number of TRUSTe certified sites on the SiteAdvisor list. This, too, was problematic for TRUSTe's image, since its aim is to certify a Website as free of these sorts of exploits and viruses [Leyden, 2006]. While these sorts of problems are not unique to a service like TRUSTe, the fact that their auditing process was clearly flawed is of particular note, since it would seem obvious that a Website operator could set up a site that conforms to the TRUSTe guidelines, then, using the respectability that comes with the TRUSTe label, gain trust of its own. The operator could then start to take advantage of that by suddenly introducing viruses or exploits on the site, taking as much advantage of it as possible before TRUSTe investigated (at which point it would be too late, no doubt, and many users would be infected with malware).
This sort of approach is particularly attractive to a certain market of software companies: those who are engaged in creating and promoting software that requires more credibility than usual: makers of advertising software or software that includes some other feature which may be considered unwanted or violating major expectations of a user, such as a keylogger or a client for a remote access server. These sorts of applications already have a certain stigma associated with them; a service such as TRUSTe's is one way to gain some amount of respectability. Thus it seems that it is unlikely that this sort of approach will eventually encourage a critical mass of software manufacturers, since many, like Google, like to at least claim to ``keep good company'' [Google, Inc., 2006], and not taint their brand with association with these companies and their software.
This is not to say that all third party certification is a bad thing: becoming certified as conforming to ISO standards or HACCP standards for food safety, for example, is widely regarded amongst the industries that use them as a notable achievement. TRUSTe, unfortunately, does not have the reputation of these standards organisations. Ultimately some sort of reputable third party standards organisation can help immensely with the reputation of software, but until standards are developed that are well-balanced and focus on identifying values and setting up frameworks for dealing with user and company expectations, this remains a difficult task. The guidelines discussed in this thesis could well be used to develop such a framework for independent third party standards assessment, and could be used as the ethical basis for a legal regulatory framework that would support such a standards organisation.