One of the goals of the NPO is to ensure that each NSTIC pilot project upholds and advances the NSTIC guiding principles. Of particular importance to the NPO is the principle of Privacy Enhancement and Voluntary Participation. In response to concerns about end-user privacy, GTRI formed a dedicated Privacy Team, comprising individuals with deep privacy experience, to address questions related to trustmarks and privacy.
How Trustmarks Can Advance End-User Privacy
The fundamental purpose of trustmarks is to provide trusted, 3rd-party attestation that a Trustmark Recipient (TR) upholds a specific set of characteristics that are important to a Trustmark Relying Party (TRP). This makes the trustmark concept a very powerful tool for advancing end-user privacy. Here’s an example that shows how.
Suppose that a group of privacy advocates get together and decide to develop a new trustmark containing a set of requirements related to privacy, e.g., prohibition of activity tracking, limits on data retention, restrictions on dissemination of user data, etc. These advocates are acting in the role of a Trustmark Defining Organization (TDO). Suppose also that a Service Provider (SP) wants to attain the privacy trustmark and present it to end-users as proof that it respects its users’ privacy. In this context, the SP is a TR, and the end-users are the TRPs. The trustmark attests not only that the SP upholds the privacy requirements defined by the trustmark, but also that a trusted 3rd party – a Trustmark Provider (TP) – has performed an audit of the SP’s privacy policies and, where possible, validated its privacy behaviors, in accordance with the trustmark’s assessment and issuance criteria.